Packages changed:
389-ds (2.4.0~git113.84a845c -> 2.4.0~git126.5936946)
7zip
Mesa (23.3.3 -> 23.3.4)
Mesa-drivers (23.3.3 -> 23.3.4)
MozillaFirefox (121.0.1 -> 122.0)
btrfsprogs (6.6.2 -> 6.7)
ceph
corosync
gcc13 (13.2.1+git8205 -> 13.2.1+git8250)
gpg2 (2.4.3 -> 2.4.4)
grub2
gstreamer-plugins-bad
inih (57 -> 58)
kernel-source
lftp
libmaxminddb (1.8.0 -> 1.9.1)
libqmi
libsolv (0.7.27 -> 0.7.28)
libstorage-ng (4.5.175 -> 4.5.176)
libvirt
man
mozilla-nss (3.95 -> 3.96.1)
mutter
nvidia-open-driver-G06-signed
openssl-1_1
perl-Bootloader (1.10 -> 1.11)
postfix (3.8.4 -> 3.8.5)
publicsuffix (20240107 -> 20240123)
python-lxml
raspberrypi-firmware-dt
ruby (3.2 -> 3.3)
ruby3.2
rubygem-gem2rpm
spice-gtk
thin-provisioning-tools (1.0.9 -> 1.0.10)
tiff
transactional-update
virt-manager
webkit2gtk3
webkit2gtk3-soup2
yast2 (5.0.3 -> 5.0.4)
yast2-bootloader (5.0.2 -> 5.0.4)
yast2-installation (5.0.3 -> 5.0.4)
zbar
=== Details ===
==== 389-ds ====
Version update (2.4.0~git113.84a845c -> 2.4.0~git126.5936946)
Subpackages: lib389 libsvrcore0
- Update to version 2.4.0~git126.5936946:
* Issue 6028 - vlv index keys inconsistencies (#6031)
* Issue 5989 - RFE support of inChain Matching Rule (#5990)
* Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026)
* Issue 6015 - Fix typo remeber (#6014)
* Issue 6016 - Pin upload/download artifacts action to v3
* Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)
* Issue 4673 - Update Rust crates
* Issue 6004 - idletimeout may be ignored (#6005)
* Issue 5954 - Disable Transparent Huge Pages
* Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999)
* Issue 5993 - Fix several race condition around CI tests (#5996)
* Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)
* Bump openssl from 0.10.55 to 0.10.60 in /src (#5995)
==== 7zip ====
- Fix build on SLE-15-SP6
* fix-avx-sle.patch
==== Mesa ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libOSMesa8 libgbm1
- Update to bugfix release 23.3.4
- -> https://docs.mesa3d.org/relnotes/23.3.4.html
==== Mesa-drivers ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva
- Update to bugfix release 23.3.4
- -> https://docs.mesa3d.org/relnotes/23.3.4.html
==== MozillaFirefox ====
Version update (121.0.1 -> 122.0)
- Mozilla Firefox 122.0
https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
MFSA 2024-01 (bsc#1218955)
* CVE-2024-0741 (bmo#1864587)
Out of bounds write in ANGLE
* CVE-2024-0742 (bmo#1867152)
Failure to update user input timestamp
* CVE-2024-0743 (bmo#1867408)
Crash in NSS TLS method
* CVE-2024-0744 (bmo#1871089)
Wild pointer dereference in JavaScript
* CVE-2024-0745 (bmo#1871838)
Stack buffer overflow in WebAudio
* CVE-2024-0746 (bmo#1660223)
Crash when listing printers on Linux
* CVE-2024-0747 (bmo#1764343)
Bypass of Content Security Policy when directive unsafe-inline was set
* CVE-2024-0748 (bmo#1783504)
Compromised content process could modify document URI
* CVE-2024-0749 (bmo#1813463)
Phishing site popup could show local origin in address bar
* CVE-2024-0750 (bmo#1863083)
Potential permissions request bypass via clickjacking
* CVE-2024-0751 (bmo#1865689)
Privilege escalation through devtools
* CVE-2024-0752 (bmo#1866840)
Use-after-free could occur when applying update on macOS
* CVE-2024-0753 (bmo#1870262)
HSTS policy on subdomain could bypass policy of upper domain
* CVE-2024-0754 (bmo#1871605)
Crash when using some WASM files in devtools
* CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
and Thunderbird 115.7
- requires NSS 3.96.1
- rebased patches
==== btrfsprogs ====
Version update (6.6.2 -> 6.7)
Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1
- update to 6.7
* mkfs: make 4k sectorsize default, recommended minimum kernel for that is
6.1 and requires subpage support on architectures with page size > 4k
* subvolume create: return correct error code when a target already exists
* tree-checker: dump tree block on error (btrfs-convert, ...)
* scrub limit: fix reporting of a limit set while there's none
* fi usage: fix reporting of unallocated data or raid56 profile without root
privs due to lack of that information
* convert:
* align data block group lengths to 64K
* fix conversion of a large filesystem when there are partial inode items
present due to caching
* other:
* build fixes
* updated documentation
* new and updated tests
- update to 6.6.3
* subvol create: accept multiple arguments
* subvol delete: print the subvolume id in the output
* subvol sync: check if the filesystems is still writeable so it does not
wait indefinitely
* device delete: add a timeout and warning when deleting multiple devices
* scrub status: report limit if set in sysfs/../scrub_speed_max
* scrub limit: new command to show or set the per-device scrub limits
* scrub start: report the limit if set
* build:
* fix CPU feature detection on aarch64
* support Botan and OpenSSL (3.2+) as crypto backends
* other:
* documentation updates, RTD config update
* new and updated tests
* CI updates
==== ceph ====
Subpackages: librados2 librbd1
- Advertised user/groups that are generated by the pre scripts:
* package cephadm generates user/group cephadm
* package ceph-common generates user/group ceph
==== corosync ====
Subpackages: libcfg6 libcmap4 libcorosync_common4 libcpg4 libquorum5
- Provide user(coroqnetd) and group(coroqnetd) in the -qnetd
package: user and group are generated by the pre script.
==== gcc13 ====
Version update (13.2.1+git8205 -> 13.2.1+git8250)
Subpackages: cpp13 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-locale libstdc++6-pp libtsan2 libubsan1
- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
* Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers.
[boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
in gcc13-devel. [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
are linked against libstdc++6.
==== gpg2 ====
Version update (2.4.3 -> 2.4.4)
Subpackages: dirmngr
- Update to 2.4.4: [bsc#1219191]
* gpg: Do not keep an unprotected smartcard backup key on disk.
See https://gnupg.org/blog/20240125-smartcard-backup-key.html
for a security advisory. [T6944]
* gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
platforms. [T6736]
* gpg: Fix expiration time when Creation-Date is specified. [T5252]
* gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
* gpg: Add option --with-v5-fingerprint. [T6705]
* gpg: Add sub-option ignore-attributes to --import-options.
* gpg: Add --list-filter properties sig_expires/sig_expires_d.
* gpg: Fix validity of re-imported keys. [T6399]
* gpg: Report BEGIN_ status before examining the input. [T6481]
* gpg: Don't try to compress a read-only keybox. [T6811]
* gpg: Choose key from inserted card over a non-inserted card. [T6831]
* gpg: Allow to create revocations even with non-compliant algos. [T6929]
* gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
* gpg: Improve error message for expired default keys. [T4704]
* gpgsm: Add --always-trust feature. [T6559]
* gpgsm: Support ECC certificates in de-vs mode. [T6802]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
* keyboxd: Timeout on failure to get the database lock. [T6838]
* agent: Update the key stubs only if really modified. [T6829]
* scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
* scd: Add support for CardOS 5.4 cards. [rG812f988059]
* scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
* scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
* scd: Add a length check for a new PIN. [T6843]
* tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
* tpm: Fixes for the TPM test suite. [T6052]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* dirmngr: Support config value "none" to disable the default
keyserver. [T6708]
* dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
* gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
* gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
* gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a278c]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
- -no-add-revocs. [rG10c937ee68]
* Remove duplicated backslashes when setting the homedir. [T6833]
* Ignore attempts to remove the /dev/null device. [T6556]
* Improve advisory file lock retry strategy. [T3380]
* Release-info: https://dev.gnupg.org/T6578
* Remove patch upstream:
- gnupg-Report-BEGIN_-status-before-examining-the-input.patch
==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin grub2-systemd-sleep-plugin
- Reinstate the verification for a non-zero total entry count to skip unmapped
data blocks (bsc#1218864)
* 0001-fs-xfs-always-verify-the-total-number-of-entries-is-.patch
- Removed temporary fix as reverting it will cause a different XFS parser bug
* 0001-Revert-fs-xfs-Fix-XFS-directory-extent-parsing.patch
==== gstreamer-plugins-bad ====
Subpackages: libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0
- Disable zxing in Leap15
* Leap 15 can not provide zxing >= 1.4.0, zxing is inherited from
SLE15 but SLE15 do provide zxing version 1.2.0 only, Factory do
have zxing-cpp 2.0.0 however it's not an API compatible version.
==== inih ====
Version update (57 -> 58)
- Update to version 58
* Add ini_ prefix even to static names so inih can be used as an
[#]include.
==== kernel-source ====
- rpm/constraints.in: add static multibuild packages
Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
constraints on multibuild) added "kernel-source:" prefix to the
dynamically generated kernels. But there are also static ones like
kernel-docs. Those fail to build as the constraints are still not
applied.
So add the prefix also to the static ones.
Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
will ever be multibuilt...
- commit c2e0681
- Revert "Limit kernel-source build to architectures for which the kernel binary"
This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
There is no need to check for multibuild flag, the constraints can be
always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
plugin) added this precompiled binary blob. Adapt rpmlintrc for
kernel-source.
- commit b5ccb33
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
The previous change added the manual entry from kernel-sources.change.old
to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- rpm/kernel-docs.spec.in: fix build with 6.8
Since upstream commit f061c9f7d058 (Documentation: Document each netlink
family), the build needs python yaml.
- commit 6a7ece3
- futex: Prevent the reuse of stale pi_state (bsc#1218841).
Update upstream status (Queued in subsystem maintainer repository).
- commit a3ee207
- Refresh
patches.rpmify/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch.
Update usptream status.
- commit 589bdfa
- Update config files, enable CONFIG_IMA_DISABLE_HTABLE in all archs for
Tumbleweed as SLE15-SP6 kernel does (bsc#1218400).
- commit 020caa6
==== lftp ====
- Apply "0001-lftp_ssl-deinitialize-the-lftp_ssl_openssl_instance.patch"
to fix a crash that ocurred when lftp is run on s390x with an IBM
crypto card installed. The issue has been reported to upstream at
https://github.com/lavv17/lftp/issues/716. [bsc#1213984]
==== libmaxminddb ====
Version update (1.8.0 -> 1.9.1)
- libmaxminddb 1.9.1:
* On very large databases, the calculation to determine the search
tree size could overflow. This was fixed and several additional
guards against overflows were added
* build system tweaks
==== libqmi ====
Subpackages: libqmi-glib5 libqmi-tools
- Add patch:
* 0001-message-fix-16bit-service-on-big-endian.patch
- Fixes 16-bit service indications on big endian architectures.
Cherry-picked from upstream qmi-1-34 branch
==== libsolv ====
Version update (0.7.27 -> 0.7.28)
Subpackages: libsolv-tools ruby-solv
- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28
==== libstorage-ng ====
Version update (4.5.175 -> 4.5.176)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1
- Translated using Weblate (Swedish) (bsc#1149754)
- 4.5.176
==== libvirt ====
Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-qemu libvirt-libs
- Replace temporary build fix with upstream equivalent
bsc#1218823
==== man ====
- Skip posttrans dependency on systemd to support container without
systemd (boo#1215538)
- Use %(trans)filetriggerin and %(trans)filetriggerpostun to get
an uptodate man database for installed manual pages
==== mozilla-nss ====
Version update (3.95 -> 3.96.1)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools
- update to NSS 3.96.1
* bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
* bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
* bmo#1867408 - add a defensive check for large ssl_DefSend return values
* bmo#1869378 - Add dependency to the taskcluster script for Darwin
* bmo#1869378 - Upgrade version of the MacOS worker for the CI
==== mutter ====
- Rebase mutter-disable-cvt-s390x.patch for mutter 45.x.
==== nvidia-open-driver-G06-signed ====
- splitted up 61-nvidia-$flavor.conf to 59-nvidia-$flavor.conf
and 61-nvidia-$flavor.conf, because 'install' line cannot be
overwritten with higher config number ...
- mistakenly moved dracut config file from 60-nvidia-%1.conf to
61-nvidia-%1.conf --> reverted!
- switched from 60-nvidia-$flavor.conf to 61-nvidia-$flavor.conf in
modprobe.d to resolve conflict with older package, which can be
installed in parallel
==== openssl-1_1 ====
Subpackages: libopenssl1_1
- Because OpenSSL 1.1.1 is no longer default, let's rename engine
directories to contain version of OpenSSL and let unversioned for
the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933]
* /etc/ssl/engines.d -> /etc/ssl/engines1_1.d
* /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d
* Update patches:
- openssl-1_1-ossl-sli-002-ran-make-update.patch
- openssl-1_1-use-include-directive.patch
==== perl-Bootloader ====
Version update (1.10 -> 1.11)
- merge gh#openSUSE/perl-bootloader#162
- handle script exit codes properly (bsc#1218847)
- 1.11
==== postfix ====
Version update (3.8.4 -> 3.8.5)
- update to 3.8.5
* Security: this release improves support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server.
For background, see https://www.postfix.org/smtp-smuggling.html.
==== publicsuffix ====
Version update (20240107 -> 20240123)
- Update to version 20240123:
* util: gTLD data autopull updates for 2024-01-23T15:14:10 UTC (#1921)
==== python-lxml ====
- Fix build error for Leap.
Use build and test as descriped on upstream.
==== raspberrypi-firmware-dt ====
- Extend "ARM: dts: bcm27xx: Use better name for spidev" patch coverage.
Change compatible "spidev" to "rohm,dh2228fv" in overlay files too.
Fixes bsc#1219094.
==== ruby ====
Version update (3.2 -> 3.3)
- switch the default ruby to 3.3
==== ruby3.2 ====
Subpackages: libruby3_2-3_2
- Omit test_session_reuse_but_expire if OpenSSL 3.2.0
Add Omit-test_session_reuse_but_expire-if-OpenSSL-3.2.0.patch
==== rubygem-gem2rpm ====
- Update the ruby ABI version in the 3.3.0 paths to the final
string.
- enable building for ruby 3.3
==== spice-gtk ====
Subpackages: libspice-client-glib-2_0-8 libspice-client-glib-helper libspice-client-gtk-3_0-5 typelib-1_0-SpiceClientGlib-2_0 typelib-1_0-SpiceClientGtk-3_0
- Use libphotodav-3.0 on SLE/Leap 15.6+ (boo#1219083).
==== thin-provisioning-tools ====
Version update (1.0.9 -> 1.0.10)
- Update to version 1.0.10:
* Bump version to 1.0.10
* [build] Update dependencies
* [all] Fix clippy lints and typos
* [space_map] Allow non-zero values in unused index block entries
* [thin_repair] Fix child keys checking on the node with a zero key
* [thin_check] Tweak the logs to avoid confusion with node errors
* [thin_check] Support overriding the details tree root
* [tests] Update expected help text for _pack and _unpack
* [all] Fix clippy lints on optional targets
* [build] Simplify the pre-commit hooks by checking all the targets at once
* [thin_metadata_unpack] Allow long format for input and output
* [space map] Fix incorrect index_entry.nr_free while expansion
* thin_metadata_pack: Allow long format for input and output
==== tiff ====
- security update:
* CVE-2023-52356 [bsc#1219213]
Fix segfault in TIFFReadRGBATileExt()
+ tiff-CVE-2023-52356.patch
==== transactional-update ====
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd
- Use "up" instead of "dup" by default on ALP [bsc#1218861]
==== virt-manager ====
Subpackages: virt-install virt-manager-common
- Upstream bug fixes (bsc#1027942) (jsc#PED-6305)
058-uri-Mock-domcaps-returning-NO_SUPPORT.patch
059-tests-cli-Adjust-hotplug-test-for-latest-libvirt.patch
060-Fix-some-pylint.patch
061-tests-ui-make-newvm-test-start-less-flakey.patch
062-tests-ui-make-creatnet-test-start-less-flakey.patch
- Cleanup now working or non-existant %check tests
==== webkit2gtk3 ====
Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles
- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue
(bsc#1219113 CVE-2024-23222).
==== webkit2gtk3-soup2 ====
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles
- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue
(bsc#1219113 CVE-2024-23222).
==== yast2 ====
Version update (5.0.3 -> 5.0.4)
Subpackages: yast2-logs
- Reading Kernel Params: Use kernel cmdline when install.inf is not
available (bsc#1216408)
- 5.0.4
==== yast2-bootloader ====
Version update (5.0.2 -> 5.0.4)
- Persist s390 cio_ignore kernel argument always when given
(bsc#1210525).
- 5.0.4
- Do not try finding undefined bootloader name to avoid error
in logs (bsc#1218700)
- 5.0.3
==== yast2-installation ====
Version update (5.0.3 -> 5.0.4)
- Keep cio_ignore kernel argument when present in the parmfile or
use the cio_ignore -k output if not and write it always even
in zVM and KVM (bsc#1210525).
- 5.0.4
==== zbar ====
- Fix building for Leap