Packages changed: MicroOS-release (20240916 -> 20240918) ffmpeg-4 gnome-online-accounts (3.50.4 -> 3.50.5) gnome-shell (46.4 -> 46.5) gnome-software (46.4 -> 46.5) gtk4 (4.16.0 -> 4.16.1) gvfs (1.54.2 -> 1.54.3) kernel-firmware (20240912 -> 20240913) kexec-tools kwallet libadwaita (1.5.3 -> 1.5.4) libcbor librsvg (2.58.3 -> 2.58.4) mutter (46.4 -> 46.5) pam pam-config (2.11+git.20240906 -> 2.11+git.20240911) poppler poppler-qt6 python-cryptography python311 (3.11.9 -> 3.11.10) python311-core (3.11.9 -> 3.11.10) rootlesskit (2.2.0 -> 2.3.1) rpm-config-SUSE shim transactional-update (4.8.1 -> 4.8.2) wayland (1.23.0 -> 1.23.1) === Details === ==== MicroOS-release ==== Version update (20240916 -> 20240918) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== ffmpeg-4 ==== Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9 - Add ffmpeg-4-CVE-2024-7055.patch: Backporting 3faadbe2 from upstream, Use 64bit for input size check, Fixes: out of array read, Fixes: poc3. (CVE-2024-7055, bsc#1229026) ==== gnome-online-accounts ==== Version update (3.50.4 -> 3.50.5) Subpackages: libgoa-1_0-0 libgoa-backend-1_0-2 - Update to version 3.50.5: + goaimapsmtpprovider: quick fix for yahoo auto-detect + Updated translations. ==== gnome-shell ==== Version update (46.4 -> 46.5) Subpackages: gnome-shell-calendar - Update to version 46.5: + Fix smartcard logins + Fix glitch when quick settings menu animation is interrupted + Fix new wifi connections for restricted users + Do not disable required animations + Fix showing pending PAM messages on login screen + Plugged leak + Misc. bug fixes and cleanups + Updated translations. - Drop gnome-shell-private-connection.patch: Should not be needed anymore after changes upstream. ==== gnome-software ==== Version update (46.4 -> 46.5) - Update to version 46.5: + Reduce power usage when the main window is closed. + Updated translations. ==== gtk4 ==== Version update (4.16.0 -> 4.16.1) Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.16.1: + GtkFileChooser: Plug a memory leak + GtkCalendar: Avoid ending up with invalid dates + Printing: Fix initial printer selection in the print dialog + Gsk: - Fix shadows for opaque textures - Fix a crash in a corner case + Css: Make relative paths work again in theme files + Accessibility: Fix detection of the Flatpak portal + Updated translations. ==== gvfs ==== Version update (1.54.2 -> 1.54.3) Subpackages: gvfs-backend-afc gvfs-backend-goa gvfs-backend-samba gvfs-backends gvfs-fuse - Update to version 1.54.3: + onedrive: - Set name of drive root - Handle multiple drives with same IDs - Guess mime type locally if not set by the server + Updated translations. ==== kernel-firmware ==== Version update (20240912 -> 20240913) Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-ath12k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network - Update to version 20240913 (git commit bcbdd1670bc3): * amdgpu: update DMCUB to v0.0.233.0 DCN351 * copy-firmware: Handle links to uncompressed files * WHENCE: Fix battmgr.jsn entry type - Drop obsoleted workaround patch: copy-firmware-fix-symlink-without-compress.patch - Temporary revert for ath12k firmware (bsc#1230596) ==== kexec-tools ==== - To create rckexec-reload, the service binary is required at build time. This binary is provided by aaa_base. Make sure this package is available during build. ==== kwallet ==== - Use the %lang_package macro for kwallet-tools-lang (boo#1230570) ==== libadwaita ==== Version update (1.5.3 -> 1.5.4) Subpackages: libadwaita-1-0 typelib-1_0-Adw-1 - Update to version 1.5.4: + AdwAboutDialog/Window: Support non-deprecated GPL-2/3.0-only SPDX IDs + AdwHeaderBar: Fix back button menu picking up phantom pages in some situations + AdwTabBar/Overview: Fix 2 crashes with drag-n-drop + Stylesheet: Fix scroll undershoot in dropdowns and emoji picker + Updated translations. ==== libcbor ==== - The doc fails to build with an assert in sphinx in 15sp6 also. ==== librsvg ==== Version update (2.58.3 -> 2.58.4) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0 - Update to version 2.58.4: + Fix regression when using an SVG inside a feImage element. ==== mutter ==== Version update (46.4 -> 46.5) - Update to version 45.5: + Fix drag and drop between X11 and wayland clients + Fix drag and drop from grabbing popups + Fix EGLDevice support + Fix frozen cursor on some hybrid machines + Fix touch window dragging with pointer lock enabled + Fix propagating tablet device removals to clients + Fix tablet input in maximized windows + Reduce damage on window movement + Fix frozen cursor after suspend + Fix using modifiers on multi-GPU setups + Fixed crashes + Misc. bug fixes and cleanups + Updated translations. ==== pam ==== - baselibs.conf: add pam-userdb - pam_limits-systemd.patch: update to final PR - Add systemd-logind support to pam_limits (pam_limits-systemd.patch) - Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions ==== pam-config ==== Version update (2.11+git.20240906 -> 2.11+git.20240911) - Add PreRequires for pam-extra, several other packages depend on that pam_limits is installed and enabled by default - Update to version 2.11+git.20240911: * Only add pam_limits if available ==== poppler ==== Subpackages: libpoppler-cpp1 libpoppler-glib8 libpoppler139 - Poppler can load ghostscript fonts (n022003l.pfb and the like) so the package now recommends the ghostscript-fonts-std package (boo#1230636). ==== poppler-qt6 ==== - Poppler can load ghostscript fonts (n022003l.pfb and the like) so the package now recommends the ghostscript-fonts-std package (boo#1230636). ==== python-cryptography ==== - Fix building on SLE based distributions ==== python311 ==== Version update (3.11.9 -> 3.11.10) - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith and Seth Larson . Reported by Ellie - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts * mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check if the *strict* paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - Removed upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch - CVE-2024-6923-email-hdr-inject.patch - CVE-2024-8088-inf-loop-zipfile_Path.patch - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). ==== python311-core ==== Version update (3.11.9 -> 3.11.10) Subpackages: libpython3_11-1_0 python311-base - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith and Seth Larson . Reported by Ellie - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts * mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check if the *strict* paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - Removed upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch - CVE-2024-6923-email-hdr-inject.patch - CVE-2024-8088-inf-loop-zipfile_Path.patch - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). ==== rootlesskit ==== Version update (2.2.0 -> 2.3.1) - Update to version 2.3.1: * v2.3.1 * CI: attest-build-provenance: fix a subject-path issue (461) * v2.3.0+dev * v2.3.0 * Enable actions/attest-build-provenance * CI: update Docker (27.1.2) * CI: update pasta (2024_08_14.61c0b0d) * go.mod: golang.org/x/net v0.28.0 * go.mod: github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 * Deprecate rootlesskit-docker-proxy (no longer needed since Docker v28) * child, pasta: Allow drivers to configure their own interface, let pasta do that * pasta: Let it run in background, and wait until it forks * CI: update Go to 1.23 * Build(deps): Bump github.com/urfave/cli/v2 from 2.27.3 to 2.27.4 * Build(deps): Bump golang.org/x/sys from 0.22.0 to 0.24.0 * Build(deps): Bump github.com/urfave/cli/v2 from 2.27.2 to 2.27.3 * Build(deps): Bump github.com/gofrs/flock from 0.12.0 to 0.12.1 * Build(deps): Bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2 * v2.2.0+dev ==== rpm-config-SUSE ==== - Use a deterministic binarychangelogtrim based on build times of BuildRequires (boo#1047218) ==== shim ==== - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) * 86b73d1 Fix that bootx64.efi is not updated on Leap - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) * 433cc4e Always use the removable way for SL-Micro ==== transactional-update ==== Version update (4.8.1 -> 4.8.2) Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd - Version 4.8.2 - Allow specifying only low value with setup-kdump [bsc#1230537] ==== wayland ==== Version update (1.23.0 -> 1.23.1) Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Update to release 1.23.1: * meson: Fix use of install_data() without specifying install_dir * Put WL_DEPRECATED in front of the function declarations * client: Handle proxies with no queue * scanner: extract validator function emission to helper function * scanner: fix validator for bitfields * tests: add enum bitfield test