Packages changed: cloud-init-config-MicroOS flac (1.4.2 -> 1.4.3) irqbalance (1.9.2 -> 1.9.2.24.git+184c950) kdump (1.0.3 -> 1.9.2) libcontainers-common libdb-4_8 libjcat (0.1.13 -> 0.1.14) libjpeg-turbo libnettle libzip (1.9.2 -> 1.10.0) lockdev lvm2 lvm2-device-mapper mozjs102 (102.11.0 -> 102.12.0) openssl-3 openssl patterns-containers perl-Bootloader (1.2 -> 1.5) pipewire (0.3.71 -> 0.3.72) policycoreutils publicsuffix (20230613 -> 20230616) python-Twisted python-cryptography (40.0.2 -> 41.0.1) python-service_identity (21.1.0 -> 23.1.0) python311 python311-core rtkit sddm (0.19.0 -> 0.20.0) snapper (0.10.4 -> 0.10.5) strace (6.3 -> 6.4) systemd transactional-update (4.2.1 -> 4.3.0) yast2-kdump (4.6.0 -> 4.6.1) zlib-ng-compat === Details === ==== cloud-init-config-MicroOS ==== - set distro to opensuse-microos in cloud.cfg ==== flac ==== Version update (1.4.2 -> 1.4.3) - Update to version 1.4.3: + General * All PowerPC-specific code has been removed, as it turned out those improvements didn't actually improve anything * Large improvements in encoder speed for all presets. The largest change is for the fastest presets and for 24-bit and 32-bit inputs. * Small improvement in decoder speed for BMI2-capable CPUs * Various documentation fixes and cleanups * Various fixes * Fix building on Universal Windows Platform + flac * A lot of small fixes for bugs found by fuzzing * Various improvements to the --keep-foreign-metadata and - -keep-foreign-metadata-if-present options on decoding + The output format (WAV/AIFF/RF64 etc.) is now automatically selected based on what kind of foreign metadata is stored + Decoded file is checked afterwards, to see whether stored foreign format data agrees with FLAC audio properties + AIFF-C sowt data can now be restored * Add --force-legacy-wave-format option, to decode to WAV with WAVEFORMATPCM where WAVE_FORMAT_EXTENSIBLE would be more appropriate * Add --force-aiff-c-none-format and --force-aiff-c-sowt-format to decode to AIFF-C * The storage of WAVEFORMATEXTENSIBLE_CHANNEL_MASK is no longer restricted to known channel orderings * Throw an error when WAV or AIFF files are over 4GiB in length and the --ignore-chunk-sizes option is not set * Warn on testing files when ID3v2 tags are found * Warn when data trails the audio data of a WAV/AIFF/RF64/W64 file * Fix output file not being deleted after error on Windows * Removal of the --sector--align option + metaflac * A lot of small fixes for bugs found by fuzzing * Added options --append and --data-format, which makes it possible to copy metadata blocks from one FLAC file to another * Added option --remove-all-tags-except * Added option --show-all-tags + libFLAC * No longer write seektables to Ogg, even when specifically asked for. Seektables in Ogg are not defined * Add functions FLAC__metadata_object_set_raw and FLAC__metadata_object_get_raw to convert between blob and FLAC__StreamMetadata + Build system * Autoconf (configure): The option --enable-64-bit-words is now on by default * CMake: The option ENABLE_64_BIT_WORDS is now on by default + Testing/validation * Fuzzers were added for the flac and metaflac command line tools * Fuzzer coverage was improved - Changed source to github link since it wasn't released in the xiph page. ==== irqbalance ==== Version update (1.9.2 -> 1.9.2.24.git+184c950) Subpackages: irqbalance-ui - Resurrect _service file and old git patch no versioning A _service A _servicedata A irqbalance.obsinfo - Update to version 1.9.2.24.git+184c950: * procinterrupts: fix initialisation of regex_t struct * Fix it so we actually stop when we hit an interrupt condition * Fix signedness of error handling * Revert "Fix CPU number condition in service file" * Issue 259: select NL_SKIP / NL_STOP based on error * fix CPU number condition in service file - Already included upstream: D irqbalance-systemd-netlink.patch ==== kdump ==== Version update (1.0.3 -> 1.9.2) - upgrade to version 1.9.2 * adapt kdumptool to work with YaST * wait for SMTP server to become reachable - upgrade to version 1.9.1 * reimplement e-mail notifications - upgrade to version 1.9 * complete rewrite of kdump-save and parts of initrd generation * mounts are now entirely handled by dracut * deprecated: split dumps (saving to more than one targets at once) * deprecated: KDUMPTOOL_FLAGS option removed; original XENALLDOMAINS is now the default, disable with MAKEDUMPFILE_OPTIONS=-X * deprecated: notification e-mails * deprecated: copying of the kernel image (KDUMP_COPY_KERNEL) * FTP and SFTP are now handled by lftp, added to the spec file as Recommends: * SSH and SFTP now support passwords provided in the URL * fixed KDUMP_SSH_HOST_KEY, now needs to include the key type * new KDUMP_DUMPFORMAT=raw, will save an unmodified /proc/vmcore * the output directory name is now YYYY-MM-DD-HH-MM, i.e. the separator between HH and MM changed * unified default KDUMP_SAVEDIR across config, code and man to /var/crash * ping is now used to detect network is up; disable with KDUMP_NET_TIMEOUT=0 * all the yes/no options changed to true/false; yes/no/1/0 still accepted * put the kdump initrd in /var/lib/kdump/initrd * use default kernel symlink (/boot/vmlinuz) instead of kernel autodetection * KDUMP_KERNELVER can specify an absolute path to a kernel image * improved mkdumprd detection of changed settings * removed all of kdumptool except the calibrate subcommand * cleaned up dependencies (ssh now only Recommended) ==== libcontainers-common ==== Subpackages: libcontainers-default-policy - Remove unused grep requirement - Resolve choice on openSUSE distributions for libcontainer-policy by suggesting the libcontainers-openSUSE-policy explicitly. ==== libdb-4_8 ==== - Fix incomplete license tag. [bsc#1099695] ==== libjcat ==== Version update (0.1.13 -> 0.1.14) - update to 0.1.14: * Fix header includes (Daisuke Fujimura) * Fix prefix of LIBJCAT_CHECK_VERSION (Richard Hughes) * Use project_source_root to fix building as a subproject ==== libjpeg-turbo ==== - merge two spec files into one ==== libnettle ==== Subpackages: libhogweed6 libnettle8 - Add the architecture specific READMEs as provided by upstream. ==== libzip ==== Version update (1.9.2 -> 1.10.0) - version update to 1.10.0 * Make support for layered sources public. * Add `zip_source_zip_file` and `zip_source_zip_file_create`, deprecate `zip_source_zip` and `zip_source_zip_create`. * Allow reading changed file data. * Fix handling of files of size 4294967295. * `zipmerge`: copy extra fields. * `zipmerge`: add option to keep files uncompressed. * Switch test framework to use nihtest instead of Perl. * Fix reading/writing compressed data with buffers > 4GiB. * Restore support for torrentzip. * Add warnings when using deprecated functions. * Allow keeping files for empty archives. * Support mbedTLS>=3.3.0. * Support OpenSSL 3. * Use ISO C secure library functions, if available. ==== lockdev ==== Subpackages: liblockdev1 - lock group is created by system-group-hardware - use sysusers mechanism to create lock group and tmpfiles for /{var/,}run (boo#1078466) - add lockdev-debug.diff ==== lvm2 ==== Subpackages: liblvm2cmd2_03 - multipath_component_detection = 0 in lvm.conf does not have any effect (bsc#1212613) - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch ==== lvm2-device-mapper ==== Subpackages: device-mapper libdevmapper-event1_03 libdevmapper1_03 - multipath_component_detection = 0 in lvm.conf does not have any effect (bsc#1212613) - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch ==== mozjs102 ==== Version update (102.11.0 -> 102.12.0) - Update to version 102.12.0: + Various security fixes. + CVE-2023-34414: Click-jacking certificate exceptions through rendering lag. ==== openssl-3 ==== Subpackages: libopenssl3 - Improve cross-package provides/conflicts [boo#1210313] * Add Provides/Conflicts: ssl-devel * Remove explicit conflicts with other devel-libraries * Remove Provides: openssl(cli) - it's managed by meta package ==== openssl ==== - Improve cross-package provides/conflicts [boo#1210313] * Add Conflicts: openssl(cli) for mutual exclusion between openssl, openssl-1_0_0 and libressl. ==== patterns-containers ==== - Remove unused podman-cni-config package ==== perl-Bootloader ==== Version update (1.2 -> 1.5) - merge gh#openSUSE/perl-bootloader#153 - check whether grub2-install supports --suse-force-signed option - 1.5 - merge gh#openSUSE/perl-bootloader#151 - default-settings: support non-x86 architectures - add man pages for all commands - 1.4 - merge gh#openSUSE/perl-bootloader#149 - use signed grub EFI binary when updating grub in default EFI location (bsc#1210799) - 1.3 ==== pipewire ==== Version update (0.3.71 -> 0.3.72) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 0.3.72: * Highlights - Fix a critical bug that would refuse to update the samplerate or buffersize in JACK clients. - A new module-netjack2-driver and module-netjack2-manager were added that are compatible with NETJACK2. This allows PipeWire to become a NETJACK2 manager or a driver between JACK2 or PipeWire servers. - Support was added for firewire devices with FFADO. This is untested for now and MIDI is not implemented yet. - The node scheduling was optimized some more. External drivers are now as efficient as in-server ones. This should improve performance of various drivers such as bluetooth and JACK based drivers. - Many, many bug fixes and a ton of improvements. * PipeWire - pw-filter can now be used to write sinks and sources. - The node activation for drivers was changed. The driver now does not need to go to the server to start the processing cycle. This makes out-of-server drivers as efficient as in-server drivers. - Don't try to use drivers with 0 priority as fallback drivers. This avoids making the screencast driver a driver for audio. - Improve xrun count reporting in pw-top and the profiler. Now each node has their own xrun counter updated when it fails to complete processing during the cycle. - pw-filter now also has support for TRIGGER. - A potential fd leak was found when fds were send to a zombie client. - Fix a bug where monitor or capture streams were logged twice in the profiler. - Remove stream hooks safely. - A bug in serialization of container properties was fixed. This could result in truncated property values. - The PIPEWIRE_AUTOCONNECT environment variable now always overrides the autoconnect settings of streams. - Node, port and link destroy now avoids some useless work. - Port will now try to renegotiate a new format when idle. * Modules - The module-sap now is more compatible with AES67. - A new FFADO driver module was added. This is completely untested because of lack of hardware. Please test and report issues. - A new NETJACK2 driver and a NETJACK2 manager module were added. These should be drop in replacements for the JACK2 parts. - The RAOP discover module now tries harder to only list devices once. - The zeroconf discover module now tries harder to only list devices once. - The RAOP sink module now handles latency better and is compatible with some more devices. - The loopback and filter-chain modules now always dequeue the last input buffer to avoid stuttering in some cases. - The SPA node factory module can now also export nodes. This is used to export the PTP clock from the AES67 config file. - A bug in module-jack-tunnel was fixed that would cause stuttering and corrupted output in some cases. - The resampler is now disabled in module-loopback and filter-chain when the samplerate is set to follow the graph rate. - The way the mixer peer is sent to clients was improved. It is now also possible to let a remote node know about mixer port removes, which can avoid memory leaks and some code simplifications. * SPA - Monitor ports now report latency correctly. - The ALSA plugin now uses htimestamp to get a more accurate ringbuffer position to estimate the clock skew. - The channelmixer now has min/max-volume settings to limit or fix the volume. - The ALSA plugin can now control the playback and capture rate of USB gadgets. This can avoid resampling and instead use the USB feedback to control the rate. - The ALSA output to multiple devices has been improved, some lockups are avoided when the device ringbuffer is full. - The compress-offload sink has improved negotiation. * pulse-server - Only try to use GSettings when the schema exists. - @DEFAULT_SOURCE@, @DEFAULT_SINK@ and @DEFAULT_MONITOR@ are now correctly handled as targets in playback and capture streams. - 2 new quirks are added to disable volume updates on sinks/sources. - The virtual-sink and virtual-source modules were added. These are really example modules but actually also work and are useful on PulseAudio so implement them as well. - Fix initial stream volumes. * Bluetooth - Only register A2DP or BAP when we have codecs. - Include codec into the media.name * JACK - Fix a critical bug that would refuse to update the samplerate or buffersize. - Improve updates of samplerate/buffersize, delay the updates until the client is activated. - Use the new mix-info updates to simplify the mixer setup and peer detection. * GStreamer ... changelog too long, skipping 5 lines ... the ld.so.conf.d file). ==== policycoreutils ==== Subpackages: policycoreutils-python-utils python3-policycoreutils - Recommend setools-console as these cli tools compliment policycoreutils for analysis and debugging of policy issues - Add requires for policycoreutils-devel for selinux-policy-devel as policycoreutils-devel requires this - Adjust python requirement for newer SLES versions - Add Leap compatibility symlinks between /usr/sbin and /sbin (bsc#1210482) - Refresh GPG keyring ==== publicsuffix ==== Version update (20230613 -> 20230616) - Update to version 20230616: * Add 63 geographical domains for .vn ccTLD (#1776) * util: gTLD data autopull updates for 2023-06-16T15:12:40 UTC (#1778) * util: gTLD data autopull updates for 2023-06-14T15:13:06 UTC (#1777) ==== python-Twisted ==== Subpackages: python311-Twisted python311-Twisted-tls - add regenerate-cert-to-work-with-latest-service-identity.patch remove-pynacl-optional-dependency.patch: backports from main git to fix tests with newer dependency versions ==== python-cryptography ==== Version update (40.0.2 -> 41.0.1) - update to 41.0.1 (bsc#1212568): * Temporarily allow invalid ECDSA signature algorithm parameters in X.509 certificates, which are generated by older versions of Java. * Allow null bytes in pass phrases when serializing private keys. * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6. * Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0. * Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses` OCSP extension. * Added support for the :class:`~cryptography.x509.MSCertificateTemplate` proprietary Microsoft certificate extension. * Implemented support for equality checks on all asymmetric public key types. * Added support for ``aes256-gcm@openssh.com`` encrypted keys in :func:`~cryptography.hazmat.primitives.serialization.load_ssh _private_key`. * Added support for obtaining X.509 certificate signature algorithm parameters (including PSS) ==== python-service_identity ==== Version update (21.1.0 -> 23.1.0) - Update to 23.1.0 * Removed - All Python versions up to and including 3.7 have been dropped. - Support for commonName in certificates has been dropped. It has been deprecated since 2017 and isn't supported by any major browser. - The oldest supported pyOpenSSL version (when using the pyopenssl backend) is now 17.0.0. When using such an old pyOpenSSL version, you have to pin cryptography yourself to ensure compatibility between them. Please check out contraints/oldest-pyopenssl.txt to verify what we are testing against. * Deprecated - If you've used service_identity.(cryptography|pyopenssl).extract_ids(), please switch to the new names extract_patterns(). #56 * Added - service_identity.(cryptography|pyopenssl).extract_patterns() are now public APIs (FKA extract_ids()). You can use them to extract the patterns from a certificate without verifying anything. #55 - service-identity is now fully typed. #57 ==== python311 ==== Subpackages: python311-curses python311-dbm - Remove obsolete_python_versioned macro again. This mechanism has no business to be in Python 3.11, because we have abolished with it whole interpreter+setuptools+pip product. Python 3.11 should not be replaced by later versions anymore. ==== python311-core ==== Subpackages: libpython3_11-1_0 python311-base - Remove obsolete_python_versioned macro again. This mechanism has no business to be in Python 3.11, because we have abolished with it whole interpreter+setuptools+pip product. Python 3.11 should not be replaced by later versions anymore. ==== rtkit ==== - rtkit-daemon: Don't log debug messages by default (bsc#1206745). Added patch(es): * rtkit-silent-debug-messages-by-default.patch ==== sddm ==== Version update (0.19.0 -> 0.20.0) Subpackages: sddm-branding-openSUSE - Add patch to fix parsing some session .desktop files: * 0001-Session-Parse-.desktop-files-manually-again.patch - Update to 0.20.0: + Initial Qt6 support (Will break themes which rely on Qt 5) + **Experimental** support for running the greeter with Wayland + Enable HiDPI scaling by default + Support for running X11 display server without root privileges + Greeter: Support setting environment variables + Allow additional env vars to be defined in session files (#1370) + Make accountsservice data directory overridable via CMake + Add support for X11 cursor size configuration + Search XDG Base Directories for session files + Display information and errors from PAM in the greeter (#1486) * Remove the Passwd backend, make PAM mandatory * Bump minimum CMake version to 3.4 * Introduce SDDM_INITIAL_VT as the TTY to reach out to * Set XCURSOR_SIZE in XorgDisplayServer::start * Make it possible to start ConsoleKit D-Bus service during SDDM startup * pam: Do not use tally2 if faillock is present * Bump to Qt 5.15, port away from deprecated APIs * remove `-logfile` arg that causes server to fail - Set RUNTIME_DIR to /run/sddm when using systemd to follow FHS 3.0 - Use avatars in FacesDir first and if not found search other locations - Switch to using libxau with `FamilyWild` (#1230) - New interface to access config values from themes (#1097) - Session names are translated now (#1645) - Many more bugfixes - Important change: SDDM now uses the first free VT, it no longer prefers tty7 (the InitialVT option in 00-general.conf has no effect anymore) - Remove patches, now upstream: * 0001-Use-PAM-s-username.patch * 0001-Add-fish-etc-profile-and-HOME-.profile-sourcing-1331.patch * 0004-Retry-starting-the-display-server.patch * 0001-disable-automatic-portal-launching.patch * 0001-Remove-suffix-for-Wayland-session.patch * 0001-Redesign-Xauth-handling.patch * 0002-Use-QTemporaryFile-with-xauth_XXXXXX-ih-XAuth.patch * 0001-Process-all-available-auth-messages-in-a-loop.patch * 0001-Avoid-starting-a-new-session-on-exit.patch - Remove files, now upstream: * sddm-tmpfiles.conf * system-user-sddm.conf - Rebased patches: * 0001-Redesign-Xauth-handling.patch * 0001-Write-the-daemon-s-PID-to-a-file-on-startup.patch * 0001-Set-XAUTHLOCALHOSTNAME-in-sessions.patch * 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch * sddm-service-handle-plymouth.patch * 0003-Leave-duplicate-symlinks-out-of-the-SessionModel.patch - Drop patches, not applicable anymore: * 0001-Systemd-service-unit-Use-tty7-by-default.patch - Add 11-kwin_wayland.conf to use kwin_wayland as wayland compositor ==== snapper ==== Version update (0.10.4 -> 0.10.5) Subpackages: libsnapper7 snapper-zypp-plugin - improved responsiveness of snapperd when a btrfs quota rescan is running (see bsc#1211459) - update qgroup in config info in snapperd when running setup-quota - improved waiting for btrfs quota rescan (see bsc #1211459) ==== strace ==== Version update (6.3 -> 6.4) - Update to strace 6.4 * Implemented decoding of IFLA_BRPORT_NEIGH_VLAN_SUPPRESS netlink attribute. * Implemented decoding of IP_PROTOCOL type control messages and socket option. * Updated lists of BPF_*, IP_*, KVM_*, MDBA_*, PACKET_*, PR_*, PTRACE_*, UFFD_*, and V4L2_PIX_FMT_* constants. * Updated lists of ioctl commands from Linux 6.4. * Turn --seccomp-bpf off when --syscall-limit option is specified. * Fixed --trace-fds filtering support of syscalls taking file descriptor arguments that do not normally have a path associated with them. ==== systemd ==== Subpackages: libsystemd0 libudev1 systemd-coredump systemd-doc udev - Change the group owner of /run/lock from "lock" to "root" (bsc#1212674) This allows to drop the dependency "Requires: group(lock)" that was introduced previously to make sure that the "lock" group will be kept around. This dependency introduced a dependency cycle. - file-triggers: fix a typo that sneaked in the script dealing with tmpfiles (bsc#1212733) ==== transactional-update ==== Version update (4.2.1 -> 4.3.0) Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit - Version 4.3.0 - Replace custom tu-rebuild-kdump-initrd with call to mkdumprd [gh#openSUSE/transactional-update#107]. - Add support for libmount 2.39. The behaviour change was not intended and will be changed in 2.39.1 (see [gh#util-linux/util-linux#2326], but it was easy to fix it anyway. - Honor LIBMOUNT_DEBUG variable for additional output. ==== yast2-kdump ==== Version update (4.6.0 -> 4.6.1) - adapt for version kdump versions 1.9+ (bsc#1212646) - call mkdumprd directly, not through tu-rebuild-kdump-initrd - update initrd even in non-fadump case - remove KDUMP_COPY_KERNEL and KDUMPTOOL_FLAGS options - update default config values according to kdump defaults - unify config boolean variables to "true" or "false" - support the snappy, zstd and raw dump formats - 4.6.1 ==== zlib-ng-compat ==== - Add patch to fix boo#1212735: * 1526.patch