Packages changed:
  7zip
  Mesa (23.3.3 -> 23.3.4)
  Mesa-drivers (23.3.3 -> 23.3.4)
  MozillaFirefox (121.0.1 -> 122.0)
  aardvark-dns (1.9.0 -> 1.10.0)
  btrfsprogs (6.6.2 -> 6.7)
  cockpit
  containerd
  gcc13 (13.2.1+git8205 -> 13.2.1+git8250)
  gpg2 (2.4.3 -> 2.4.4)
  grub2
  gstreamer-plugins-bad
  inih (57 -> 58)
  installation-images-MicroOS (17.111 -> 17.112)
  kernel-source
  lftp
  libmaxminddb (1.8.0 -> 1.9.1)
  libqmi
  libsolv (0.7.27 -> 0.7.28)
  libstorage-ng (4.5.175 -> 4.5.176)
  man
  mozilla-nss (3.95 -> 3.96.1)
  mutter
  perl-Bootloader (1.10 -> 1.11)
  podman (4.8.3 -> 4.9.0)
  postfix (3.8.4 -> 3.8.5)
  publicsuffix (20240107 -> 20240123)
  raspberrypi-firmware-dt
  rootlesskit (1.1.1 -> 2.0.0)
  ruby (3.2 -> 3.3)
  ruby3.2
  rubygem-gem2rpm
  thin-provisioning-tools (1.0.9 -> 1.0.10)
  tiff
  transactional-update
  webkit2gtk3
  webkit2gtk4
  yast2 (5.0.3 -> 5.0.4)
  yast2-bootloader (5.0.2 -> 5.0.4)
  yast2-installation (5.0.3 -> 5.0.4)
  zbar

=== Details ===

==== 7zip ====

- Fix build on SLE-15-SP6
  * fix-avx-sle.patch

==== Mesa ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- Update to bugfix release 23.3.4
- -> https://docs.mesa3d.org/relnotes/23.3.4.html

==== Mesa-drivers ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- Update to bugfix release 23.3.4
- -> https://docs.mesa3d.org/relnotes/23.3.4.html

==== MozillaFirefox ====
Version update (121.0.1 -> 122.0)

- Mozilla Firefox 122.0
  https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
  MFSA 2024-01 (bsc#1218955)
  * CVE-2024-0741 (bmo#1864587) Out of bounds write in ANGLE
  * CVE-2024-0742 (bmo#1867152) Failure to update user input timestamp
  * CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method
  * CVE-2024-0744 (bmo#1871089) Wild pointer dereference in JavaScript
  * CVE-2024-0745 (bmo#1871838) Stack buffer overflow in WebAudio
  * CVE-2024-0746 (bmo#1660223) Crash when listing printers on Linux
  * CVE-2024-0747 (bmo#1764343) Bypass of Content Security Policy when directive
    unsafe-inline was set
  * CVE-2024-0748 (bmo#1783504) Compromised content process could modify document URI
  * CVE-2024-0749 (bmo#1813463) Phishing site popup could show local origin in address bar
  * CVE-2024-0750 (bmo#1863083) Potential permissions request bypass via clickjacking
  * CVE-2024-0751 (bmo#1865689) Privilege escalation through devtools
  * CVE-2024-0752 (bmo#1866840) Use-after-free could occur when applying update on macOS
  * CVE-2024-0753 (bmo#1870262) HSTS policy on subdomain could bypass policy of upper domain
  * CVE-2024-0754 (bmo#1871605) Crash when using some WASM files in devtools
  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) Memory safety bugs fixed in
    Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7
- requires NSS 3.96.1
- rebased patches

==== aardvark-dns ====
Version update (1.9.0 -> 1.10.0)

- Update to version 1.10.0:
  * Release 1.10.0
  * Release notes for 1.10.0
  * chore(deps): update rust crate chrono to 0.4.32
  * chore(deps): update dependency containers/automation_images to v20240102
  * fix(deps): update rust crate futures-util to 0.3.30
  * fix(deps): update rust crate anyhow to 1.0.79
  * fix(deps): update rust crate tokio to 1.35.1
  * chore(deps): update dependency containers/automation_images to v20231208
  * fix(deps): update rust crate tokio to 1.35.0
  * fix duplicated IP CI flake
  * server: remove unused kill switch
  * fix(deps): update rust crate clap to ~4.4.10
  * Bump working version to v1.10.0-dev

==== btrfsprogs ====
Version update (6.6.2 -> 6.7)
Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1

- update to 6.7
  * mkfs: make 4k sectorsize default, recommended minimum kernel for that is 6.1
    and requires subpage support on architectures with page size > 4k
  * subvolume create: return correct error code when a target already exists
  * tree-checker: dump tree block on error (btrfs-convert, ...)
  * scrub limit: fix reporting of a limit set while there's none
  * fi usage: fix reporting of unallocated data or raid56 profile without root
    privs due to lack of that information
  * convert:
    * align data block group lengths to 64K
    * fix conversion of a large filesystem when there are partial inode items
      present due to caching
  * other:
    * build fixes
    * updated documentation
    * new and updated tests
- update to 6.6.3
  * subvol create: accept multiple arguments
  * subvol delete: print the subvolume id in the output
  * subvol sync: check if the filesystem is still writeable so it does not wait
    indefinitely
  * device delete: add a timeout and warning when deleting multiple devices
  * scrub status: report limit if set in sysfs/../scrub_speed_max
  * scrub limit: new command to show or set the per-device scrub limits
  * scrub start: report the limit if set
  * build:
    * fix CPU feature detection on aarch64
    * support Botan and OpenSSL (3.2+) as crypto backends
  * other:
    * documentation updates, RTD config update
    * new and updated tests
    * CI updates

==== cockpit ====
Subpackages: cockpit-bridge cockpit-packagekit cockpit-system

- suse_docs.patch: replace with suse docs and move docs without equiv to
  docs-rh (bsc#1219088)
- hide-docs.patch: obsolete by above, removed
- Provide users/groups cockpit-wsinstance and cockpit-ws: they are generated by
  cockpit-ws %pre script.
- hide-docs.patch: hide RHEL docs in shell/manifest.json

==== containerd ====

- Enable manpage generation
- Make devel package noarch
- adjust rpmlint filters

==== gcc13 ====
Version update (13.2.1+git8205 -> 13.2.1+git8250)
Subpackages: cpp13 libgcc_s1 libgfortran5 libgomp1 libobjc4 libstdc++6 libstdc++6-pp libubsan1

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers. [boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel.
  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked
  against libstdc++6.

==== gpg2 ====
Version update (2.4.3 -> 2.4.4)
Subpackages: dirmngr

- Update to 2.4.4: [bsc#1219191]
  * gpg: Do not keep an unprotected smartcard backup key on disk.
    See https://gnupg.org/blog/20240125-smartcard-backup-key.html
    for a security advisory. [T6944]
  * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit platforms. [T6736]
  * gpg: Fix expiration time when Creation-Date is specified. [T5252]
  * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
  * gpg: Add option --with-v5-fingerprint. [T6705]
  * gpg: Add sub-option ignore-attributes to --import-options.
  * gpg: Add --list-filter properties sig_expires/sig_expires_d.
  * gpg: Fix validity of re-imported keys. [T6399]
  * gpg: Report BEGIN_ status before examining the input. [T6481]
  * gpg: Don't try to compress a read-only keybox. [T6811]
  * gpg: Choose key from inserted card over a non-inserted card. [T6831]
  * gpg: Allow to create revocations even with non-compliant algos. [T6929]
  * gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
  * gpg: Improve error message for expired default keys. [T4704]
  * gpgsm: Add --always-trust feature. [T6559]
  * gpgsm: Support ECC certificates in de-vs mode. [T6802]
  * gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
  * gpgsm: Do not show the pkcs#12 passphrase in debug output. [T6654]
  * keyboxd: Timeout on failure to get the database lock. [T6838]
  * agent: Update the key stubs only if really modified. [T6829]
  * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
  * scd: Add support for CardOS 5.4 cards. [rG812f988059]
  * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
  * scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
  * scd: Add a length check for a new PIN. [T6843]
  * tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
  * tpm: Fixes for the TPM test suite. [T6052]
  * dirmngr: New option --ignore-crl-extensions.
    [T6545]
  * dirmngr: Support config value "none" to disable the default keyserver. [T6708]
  * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
  * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
  * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
  * gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
  * wkd: Use export-clean for gpg-wks-client's --mirror and --create commands.
    [rG2c7f7a5a278c]
  * wkd: Make --add-revocs the default in gpg-wks-client. New option
    --no-add-revocs. [rG10c937ee68]
  * Remove duplicated backslashes when setting the homedir. [T6833]
  * Ignore attempts to remove the /dev/null device. [T6556]
  * Improve advisory file lock retry strategy. [T3380]
  * Release-info: https://dev.gnupg.org/T6578
  * Remove patch upstream:
    - gnupg-Report-BEGIN_-status-before-examining-the-input.patch

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin grub2-systemd-sleep-plugin

- Reinstate the verification for a non-zero total entry count to skip unmapped
  data blocks (bsc#1218864)
  * 0001-fs-xfs-always-verify-the-total-number-of-entries-is-.patch
- Removed temporary fix as reverting it will cause a different XFS parser bug
  * 0001-Revert-fs-xfs-Fix-XFS-directory-extent-parsing.patch

==== gstreamer-plugins-bad ====
Subpackages: libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Disable zxing in Leap15
  * Leap 15 can not provide zxing >= 1.4.0, zxing is inherited from SLE15
    but SLE15 do provide zxing version 1.2.0 only, Factory do have
    zxing-cpp 2.0.0 however it's not an API compatible version.

==== inih ====
Version update (57 -> 58)

- Update to version 58
  * Add ini_ prefix even to static names so inih can be used as an [#]include.

==== installation-images-MicroOS ====
Version update (17.111 -> 17.112)

- merge gh#openSUSE/installation-images#686
- Remove more binaries appearing with Ruby 3.3
- 17.112

==== kernel-source ====

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681
- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3
- futex: Prevent the reuse of stale pi_state (bsc#1218841).
  Update upstream status (Queued in subsystem maintainer repository).
- commit a3ee207
- Refresh
  patches.rpmify/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch.
  Update upstream status.
- commit 589bdfa
- Update config files, enable CONFIG_IMA_DISABLE_HTABLE in all archs for
  Tumbleweed as SLE15-SP6 kernel does (bsc#1218400).
- commit 020caa6

==== lftp ====

- Apply "0001-lftp_ssl-deinitialize-the-lftp_ssl_openssl_instance.patch"
  to fix a crash that occurred when lftp is run on s390x with an IBM
  crypto card installed. The issue has been reported to upstream at
  https://github.com/lavv17/lftp/issues/716. [bsc#1213984]

==== libmaxminddb ====
Version update (1.8.0 -> 1.9.1)

- libmaxminddb 1.9.1:
  * On very large databases, the calculation to determine the search tree
    size could overflow. This was fixed and several additional guards
    against overflows were added
  * build system tweaks

==== libqmi ====
Subpackages: libqmi-glib5 libqmi-tools

- Add patch:
  * 0001-message-fix-16bit-service-on-big-endian.patch
- Fixes 16-bit service indications on big endian architectures.
  Cherry-picked from upstream qmi-1-34 branch

==== libsolv ====
Version update (0.7.27 -> 0.7.28)
Subpackages: libsolv-tools ruby-solv

- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28

==== libstorage-ng ====
Version update (4.5.175 -> 4.5.176)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Swedish) (bsc#1149754)
- 4.5.176

==== man ====

- Skip posttrans dependency on systemd to support container without systemd
  (boo#1215538)
- Use %(trans)filetriggerin and %(trans)filetriggerpostun to get an
  up-to-date man database for installed manual pages

==== mozilla-nss ====
Version update (3.95 -> 3.96.1)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs

- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * bmo#1867408 - add a defensive check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI

==== mutter ====

- Rebase mutter-disable-cvt-s390x.patch for mutter 45.x.

==== perl-Bootloader ====
Version update (1.10 -> 1.11)

- merge gh#openSUSE/perl-bootloader#162
- handle script exit codes properly (bsc#1218847)
- 1.11

==== podman ====
Version update (4.8.3 -> 4.9.0)

- Update to version 4.9.0:
  * Bump to v4.9.0
  * Fix a small grammar error in RELEASE_NOTES.md
  * Fix push endpoint stream
  * Finalized release notes for v4.9.0
  * farm build: push built images to registry
  * Move the --farm flag to farm build command
  * Clean up farm-build miscommit
  * [CI:DOCS] Add podman farm build doc
  * Add release notes for v4.9.0
  * gvproxy: Update to 0.7.2 release
  * [v4.9] Bump Buildah to v1.33.3, c/common to v0.57.2, c/image to v5.29.1
  * Add a net health recovery service to Qemu machines
  * Set up podman machine remote user correctly
  * Remove Libpod special-init conditions
  * Fix `podman system reset` with external containers
  * [v4.8] podman kube play: fix broken annotation parsing
  * feat: disable pid max in the podman machine
  * systests: cp: add wait_for_ready
  * System tests: fixes for RHEL8 gating failures
  * Add API forwarding support for HyperV
  * bump to v4.8.4-dev

==== postfix ====
Version update (3.8.4 -> 3.8.5)

- update to 3.8.5
  * Security: this release improves support to defend against an email
    spoofing attack (SMTP smuggling) on recipients at a Postfix server.
    For background, see https://www.postfix.org/smtp-smuggling.html.

==== publicsuffix ====
Version update (20240107 -> 20240123)

- Update to version 20240123:
  * util: gTLD data autopull updates for 2024-01-23T15:14:10 UTC (#1921)

==== raspberrypi-firmware-dt ====

- Extend "ARM: dts: bcm27xx: Use better name for spidev" patch coverage.
  Change compatible "spidev" to "rohm,dh2228fv" in overlay files too.
  Fixes bsc#1219094.

==== rootlesskit ====
Version update (1.1.1 -> 2.0.0)

- Update to version 2.0.0:
  * v2.0.0
  * v2.0.0-beta.0+dev
  * v2.0.0-beta.0
  * CI: update Docker to v24.0.7
  * CI: update pasta (2023_12_30.f091893)
  * Write `$ROOTLESSKIT_STATE_DIR/resolv.conf`
  * Build(deps): Bump golang.org/x/sys from 0.15.0 to 0.16.0
  * fix typo
  * Build(deps): Bump github.com/urfave/cli/v2 from 2.26.0 to 2.27.1
  * Build(deps): Bump github.com/google/uuid from 1.4.0 to 1.5.0
  * Build(deps): Bump github.com/containernetworking/plugins
  * Build(deps): Bump github.com/urfave/cli/v2 from 2.25.7 to 2.26.0
  * v2.0.0-alpha.2+dev
  * v2.0.0-alpha.2
  * CI: update pasta (2023_12_04.b86afe3)
  * pasta: add debug logs
  * Build(deps): Bump golang.org/x/sys from 0.14.0 to 0.15.0
  * Build(deps): Bump github.com/moby/sys/mountinfo from 0.6.2 to 0.7.1
  * Build(deps): Bump github.com/gorilla/mux from 1.8.0 to 1.8.1
  * Build(deps): Bump golang.org/x/sys from 0.13.0 to 0.14.0
  * Build(deps): Bump github.com/google/uuid from 1.3.1 to 1.4.0
  * Build(deps): Bump golang.org/x/net from 0.10.0 to 0.17.0
  * v2.0.0-alpha.1+dev
  * v2.0.0-alpha.1
  * release.yaml: migrate from `hub` to `gh`
  * Build(deps): Bump golang.org/x/sys from 0.12.0 to 0.13.0
  * Build(deps): Bump gotest.tools/v3 from 3.5.0 to 3.5.1
  * Build(deps): Bump golang.org/x/sys from 0.11.0 to 0.12.0
  * Build(deps): Bump github.com/google/uuid from 1.3.0 to 1.3.1
  * lxc-user-nic: support detach-netns
  * Build(deps): Bump golang.org/x/sys from 0.10.0 to 0.11.0
  * Build(deps): Bump golang.org/x/sys from 0.9.0 to 0.10.0
  * Build(deps): Bump gotest.tools/v3 from 3.4.0 to 3.5.0
  * v2.0.0-alpha.0+dev
  * v2.0.0-alpha.0; add --print-semver=(major|minor|patch)
  * new network driver: `pasta` (with port driver `implicit`)
  * [Carry 362] support detach-netns
  * pkg/port: ChildContext: remove unused PID field
  * cmd/rootlesskit: format logs
  * Refactor parent-child communication (Add message union)
  * Refactor parent-child communication (Remove "stages")
  * pkg/api: split pkg/httputil
  * Build(deps): Bump
    github.com/urfave/cli/v2 from 2.25.6 to 2.25.7
  * Build(deps): Bump golang.org/x/sys from 0.8.0 to 0.9.0
  * Build(deps): Bump github.com/urfave/cli/v2 from 2.25.5 to 2.25.6
  * Build(deps): Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3
  * v1.1.1+dev

==== ruby ====
Version update (3.2 -> 3.3)

- switch the default ruby to 3.3

==== ruby3.2 ====
Subpackages: libruby3_2-3_2

- Omit test_session_reuse_but_expire if OpenSSL 3.2.0
  Add Omit-test_session_reuse_but_expire-if-OpenSSL-3.2.0.patch

==== rubygem-gem2rpm ====

- Update the ruby ABI version in the 3.3.0 paths to the final string.
- enable building for ruby 3.3

==== thin-provisioning-tools ====
Version update (1.0.9 -> 1.0.10)

- Update to version 1.0.10:
  * Bump version to 1.0.10
  * [build] Update dependencies
  * [all] Fix clippy lints and typos
  * [space_map] Allow non-zero values in unused index block entries
  * [thin_repair] Fix child keys checking on the node with a zero key
  * [thin_check] Tweak the logs to avoid confusion with node errors
  * [thin_check] Support overriding the details tree root
  * [tests] Update expected help text for _pack and _unpack
  * [all] Fix clippy lints on optional targets
  * [build] Simplify the pre-commit hooks by checking all the targets at once
  * [thin_metadata_unpack] Allow long format for input and output
  * [space map] Fix incorrect index_entry.nr_free while expansion
  * thin_metadata_pack: Allow long format for input and output

==== tiff ====

- security update:
  * CVE-2023-52356 [bsc#1219213]
    Fix segfault in TIFFReadRGBATileExt()
    + tiff-CVE-2023-52356.patch

==== transactional-update ====
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit

- Use "up" instead of "dup" by default on ALP
  [bsc#1218861]

==== webkit2gtk3 ====
Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113
  CVE-2024-23222).

==== webkit2gtk4 ====
Subpackages: libjavascriptcoregtk6_0-1 libwebkitgtk6_0-4 webkitgtk-6_0-injected-bundles

- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113
  CVE-2024-23222).

==== yast2 ====
Version update (5.0.3 -> 5.0.4)
Subpackages: yast2-logs

- Reading Kernel Params: Use kernel cmdline when install.inf is not
  available (bsc#1216408)
- 5.0.4

==== yast2-bootloader ====
Version update (5.0.2 -> 5.0.4)

- Persist s390 cio_ignore kernel argument always when given
  (bsc#1210525).
- 5.0.4
- Do not try finding undefined bootloader name to avoid error in
  logs (bsc#1218700)
- 5.0.3

==== yast2-installation ====
Version update (5.0.3 -> 5.0.4)

- Keep cio_ignore kernel argument when present in the parmfile or
  use the cio_ignore -k output if not and write it always even in
  zVM and KVM (bsc#1210525).
- 5.0.4

==== zbar ====

- Fix building for Leap