Removed rpms ============ Added rpms ========== - oxygen5-sounds Package Source Changes ====================== ImageMagick + fix CVE-2023-1289 [bsc#1209141], segmentation fault and possible DoS via specially crafted SVG + + ImageMagick-CVE-2023-1289.patch + +- security update +- added patches MozillaThunderbird +- Mozilla Thunderbird 102.9.1 + * fixed: Thunderbird was unable to open file URLs from command + line (URLs beginning with "file://") (bmo#1816343) + * fixed: Source strings for localized builds not uploaded to + FTP as expected (bmo#1817086) + * fixed: Visual and theme improvements + (bmo#1821358,bmo#1822286) + * fixed: Security fixes + MFSA 2023-12 (bsc#1209953) + * CVE-2023-28427 (bmo#1822595) + Matrix SDK bundled with Thunderbird vulnerable to denial-of- + service attack + +- Mozilla Thunderbird 102.9 + * fixed: Notification about a sender's changed OpenPGP key was + not immediately visible (bmo#1814003) + * fixed: TLS Certificate Override dialog did not appear when + retrieving messages via IMAP using "Get Messages" context + menu (bmo#1816596) + * fixed: Spellcheck dictionaries were missing from localized + Thunderbird builds that should have included them + (bmo#1818257) + * fixed: Tooltips for "Show/Hide" calendar toggle did not + display (bmo#1809557) + * fixed: Various security fixes + MFSA 2023-11 (bsc#1209173) + * CVE-2023-25751 (bmo#1814899) + Incorrect code generation during JIT compilation + * CVE-2023-28164 (bmo#1809122) + URL being dragged from a removed cross-origin iframe into the + same tab triggered navigation + * CVE-2023-28162 (bmo#1811327) + Invalid downcast in Worklets + * CVE-2023-25752 (bmo#1811627) + Potential out-of-bounds when accessing throttled streams + * CVE-2023-28163 (bmo#1817768) + Windows Save As dialog resolved environment variables + * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, + bmo#1817442, bmo#1818674) + Memory safety bugs fixed in Thunderbird 102.9 + bind +- Update to release 9.16.38 + Bug Fixes: + * A constant stream of zone additions and deletions via rndc + reconfig could cause increased memory consumption due to + delayed cleaning of view memory. This has been fixed. + * The speed of the message digest algorithms (MD5, SHA-1, SHA-2), + and of NSEC3 hashing, has been improved. + * Building BIND 9 failed when the --enable-dnsrps switch for + ./configure was used. This has been fixed. + [jsc#SLE-24600] +- Updated keyring and signature + bluedevil5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + blueman +- Update to version 2.3.5: + * Right click menu was pointing to the wrong list row + * Double click to connect +- Changes from version 2.3.4: + * Errors when connected to a device with the DisconnectItems plugin enabled +- Changes from version 2.3.3: + * Issues with NM PANU connections of equally named devices + * Submenus in KDE Plasma tray + * Avoid using StatusNotifierItem and GtkStatusIcon icons in parallel + * Do not re-use dbusmenu item identifiers; avoids issues at least with + gnome-shell-extension-appindicator +- Changes from version 2.3.2: + * StatusNotifierItem submenus did not work in lxqt-panel (@niknah) + * StatusNotifierItem vanished on panel restarts + * StatusNotifierItem compatibility issues with libdbusmenu used at least + by xfce4-panel and Waybar + * StatusNotifierItem showed the menu on left click in xfce4-panel +- Changes from version 2.3.1: + * StatusNotifierItem sent an incomplete NewStatus signal. + * Avoid statusbar resize when showing progressbar +- Changes from version 2.3.0: + * Blocked emblem was not visible for scales other than 1 + * Audio profile switcher in applet menu (@abhijeetviswa) + * Symbolic tray icon option (GSettings switch symbolic-status-icons in + org.blueman.general) + * Replace AppIndicator with DBus StatusNotifierItem + * Use a GtkTreeModelFilter to show/hide unnamed devices + * Replace sigint hack with GLib to catch it + * Port meson from deprecated python3 module + * Rework battery handling + * Merge Battery applet plugin into ConnectionNotifier + * Symbolic icons and small UI improvements +- Changes from version 2.2.5: + * Fix network interface iteration on 32 bit systems + * Manager: Fix cancel button in send-note dialog + * Fix battery and signals bars +- Removed blueman-2.2.4-ayatana-appindicator.patch as Appindicator + has been replaced with DBus StatusNotifierItem +- Dependencies.md file is no longer packaged + +- Do not recommend -lang package: the auto-generated -lang package + already contains relevant supplements. + +- Added iproute2 build dependency to satisfy ip requirement + +- Update to version 2.2.4: + * Dropped the PIN database. + * Fix that blueman-mechanism accepted arbitrary file paths and + returned the errors from trying to open them, + see https://github.com/blueman-project/blueman/security/advisories/GHSA-3r9p-m5c8-8mw8 +- Add blueman-2.2.4-ayatana-appindicator.patch: Support + Ayatana AppIndicators. +- Require dbus(org.freedesktop.Notifications) instead of + notification-daemon. + +- Disable agent startup on Pantheon desktop + +- Update to version 2.2.3 + * Recent connections disabled after suspend and resume + * Service authorization notifications did not respond + * Passkeys did not get displayed +- Updates from version 2.2.2 + * Issues with power level bars + * Error message in blueman-mechanism + +- Update to version 2.2.1 + * New Desktop notifications on connect / disconnect + * New notifications with battery level for connecting devices + * Allow cancelling device connection attempts + * Allow opening device menus via keyboard (Shift+F10 or menu key) + * Add Ctrl+Q and Ctrl+W accelerators for closing blueman-manager + * Stop discovery and retry connection for broken adapter drivers + * Improved passkey handling + * Auto-connect settings for supported services + * Fix hide devices with no name + * Fix disconnecting NMDevice + * Fix DiscvManager plugin showed its icon unreliably + * Drop blueman-report, and blueman-assistant +- Add subpackages for caja, nautilus, and nemo sendto extensions + - * Security Release for CVE-2020-15238 (boo#1178196) + * Security Release for CVE-2020-15238 (bsc#1178196) breeze +- Add patches to make the window outline configurable (kde#465948): + * 0001-Outline-intensity-setting.patch + * 0002-Undo-some-string-changes-from-the-preceding-commit.patch + +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Setting height before adding margins + * Calling expandSize in flat comboboxes too + breeze-gtk +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * gtk3, gtk4: apply searchbar styles to the box inside the revealer inside the searchbar + * gtk3, gtk4: Make image-buttons have min-height + * Remove margins between linked buttons + discover +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * rpm-ostree/notifier: Setup a watcher to trigger reboot check + * rpm-ostree/notifier: Fix update/reboot notification logic + * ApplicationPage: Allow main app info column to grow with window + * ApplicationPage: off-by-one in stackedLayout calc + * ApplicationResouceButton: place icon side-by-side to the title + * ApplicationResourceButton: attribute the left/right padding + * ApplicationPage: drop the ternary operator for buttonWidth + * flatpak: Use Downloading as the status for Flatpak transactions + * pk: Finish porting away from runservices (kde#466742) + * pk: Don't forget to finish streams (kde#466765) + * Flatpak: Fix spacing in permissions view + * fwupd: Mark the backend as invalid if fwupd_client_connect() fails +- Drop patches, now upstream: + * 0001-pk-Don-t-forget-to-finish-streams.patch + drkonqi5 +- Replace '%service_del_postun -n' with '%service_del_postun_without_restart' + +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Add emoji picker to mappings + firewalld +- Fix firewall-offline-cmd fails with ERROR: Calling pre func + Added following patch (bsc#1206928) + [+ 0003-firewall-offline-cmd-fail-fix.patch] + gdm +- Update gdm-fingerprint.pamd and gdm-smartcard.pamd: Before this + they do not really support fingerprint and smartcard, just put + correct configuration to make them work (bsc#1205664). +- Enable split authentication because we have correct + gdm-fingerprint.pamd and gdm-smartcard.pamd. + +- Update gdm-disable-gnome-initial-setup.patch: Refactoring to + disable it on SLE runtime, so with the same executable it is + still possible to run on Leap (jsc#PED-1719). + glibc +- amd-cacheinfo.patch: x86: Cache computation for AMD architecture + (bsc#1207957) + +- gmon-hash-table-size.patch: gmon: Fix allocated buffer overflow + (CVE-2023-0687, bsc#1207975, BZ #29444) + +- strncmp-avx2-boundary.patch: Fix avx2 strncmp offset compare condition + check (bsc#1208358, BZ #25933) + +- dlopen-filter-object.patch: elf: Allow dlopen of filter object to work + (bsc#1207571, BZ #16272) +- powerpc-tst-ucontext.patch: powerpc: Fix unrecognized instruction errors + with recent GCC + google-noto-sans-cjk-fonts +- Fix bsc#1203741: Add _constraint file to make it build (taken from Factory) +- Use %license to store OFL license text + kactivitymanagerd +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kcm_sddm +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kde-cli-tools5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kde-gtk-config5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kernel-64kb +- net: tls: fix possible race condition between + do_tls_getsockopt_conf() and do_tls_setsockopt_conf() + (bsc#1209366 CVE-2023-28466). +- commit 3a1702c + +- mm: memcontrol: deprecate charge moving (bsc#1209801). +- commit a953603 + +- netdevice: add the case if dev is NULL (bsc#1208628). +- Refresh + patches.suse/net-add-net-device-refcount-tracker-infrastructure.patch. +- commit 726a950 + +- Rename + patches.suse/locking-rwsem-Disable-preemption-in-all-down_write-a.patch. +- commit 37a8307 + +- Rename + patches.suse/locking-rwsem-Disable-preemption-in-all-down_read-an.patch. +- commit f080340 + +- Refresh + patches.suse/locking-rwsem-Prevent-non-first-waiter-from-spinning.patch. +- commit af52be6 + +- Delete patches.suse/iwlwifi-module-firmware-ucode-fix.patch (bsc#1209681) + linux-firmware tree finally provides iwlwifi-*-72.ucode, and more badly, + they dropped *-71.ucode, hence the workaround leads to the firmware load + failure. Drop the old workaround now. +- commit dc4368f + +- net/sched: tcindex: update imperfect hash filters respecting + rcu (CVE-2023-1281 bsc#1209634). +- commit aced962 + +- Update + patches.suse/Revert-block-freeze-the-queue-earlier-in-del_gendisk-4c66.patch + (git-fixes bsc#1208921). +- commit b2c9582 + +- prlimit: do_prlimit needs to have a speculation check + (bsc#1209256 CVE-2017-5753). +- commit b7234d1 + +- Revert "block: freeze the queue earlier in del_gendisk" + (git-fixes). +- commit 6b26f6b + kernel-default +- net: tls: fix possible race condition between + do_tls_getsockopt_conf() and do_tls_setsockopt_conf() + (bsc#1209366 CVE-2023-28466). +- commit 3a1702c + +- mm: memcontrol: deprecate charge moving (bsc#1209801). +- commit a953603 + +- netdevice: add the case if dev is NULL (bsc#1208628). +- Refresh + patches.suse/net-add-net-device-refcount-tracker-infrastructure.patch. +- commit 726a950 + +- Rename + patches.suse/locking-rwsem-Disable-preemption-in-all-down_write-a.patch. +- commit 37a8307 + +- Rename + patches.suse/locking-rwsem-Disable-preemption-in-all-down_read-an.patch. +- commit f080340 + +- Refresh + patches.suse/locking-rwsem-Prevent-non-first-waiter-from-spinning.patch. +- commit af52be6 + +- Delete patches.suse/iwlwifi-module-firmware-ucode-fix.patch (bsc#1209681) + linux-firmware tree finally provides iwlwifi-*-72.ucode, and more badly, + they dropped *-71.ucode, hence the workaround leads to the firmware load + failure. Drop the old workaround now. +- commit dc4368f + +- net/sched: tcindex: update imperfect hash filters respecting + rcu (CVE-2023-1281 bsc#1209634). +- commit aced962 + +- Update + patches.suse/Revert-block-freeze-the-queue-earlier-in-del_gendisk-4c66.patch + (git-fixes bsc#1208921). +- commit b2c9582 + +- prlimit: do_prlimit needs to have a speculation check + (bsc#1209256 CVE-2017-5753). +- commit b7234d1 + +- Revert "block: freeze the queue earlier in del_gendisk" + (git-fixes). +- commit 6b26f6b + kgamma5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + khotkeys5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kmenuedit5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kpipewire +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Guard m_producer + * stream: better fallback for BGR formats when downloading into a QImage + * stream: Fix support of SPA_VIDEO_FORMAT_RGB + * recording: Drop unnecessary conditional + * recording: use "good" deadline rather than quality that is deprecated upstream + * recording: Make bitrate depend on the stream size + kscreen5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * kded/output: with duplicate edid hashes, use different global config files (kde#452614,kde#448599) + kscreenlocker +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + ksshaskpass5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + ksystemstats5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kwayland-integration +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + kwin5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * colordevice: default the simple transformations to 1 + * backends/drm: fail commits if nonexistent properties would be set + * backends/drm: ignore opaque formats for the cursor plane + * Forward keymap and modifier change to input method keyboard grab when changed. + * inputmethod: Show the input method even if it was dismissed (kde#466969) + * backends/drm: support CTM for simple color transformations (kde#455720) + * xwayland: Prevent potential file descriptor leak + * wayland: Prevent leaking --wayland-fd and --xwayland-fd to child processes + * helper: Don't leak lock file to kwin_wayland + * backends/wayland: Don't leak renderD128 fd + * backends/wayland: Don't leak WaylandEventThread's pipe fds + * Fix text-input-v1 compatibility with 111.0.5563.64-1 + * input: Make sure input backends are initialised when the workspace is set up (kde#466721) + * Tabbox: Fix grouping windows by application + * scene: Use correct scale when computing world transform + * wayland: Fix interactive resize of debug console + * kscreenintegration: read global output data + * workspace: move kscreen integration into separate files + * screencast: Try harder to be compatible with the pipewire buffer format + * screencasting: on memfd, skip the QImage step (kde#466655) + * TabBox: Avoid unnecesary resets of the client model (kde#466660) + * wayland: Cancel selections if set without focus + * windowitem: properly handle sub-subsurfaces (kde#466747) + * tabletmodemanager: properly export properties + * Enable GLSL for Mali (Lima) / PinePhone devices + kwrited5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + layer-shell-qt +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + libheif +- security update +- added patches + fix CVE-2023-0996 [bsc#1208640], buffer overflow in heif_js_decode_image in libheif + + libheif-CVE-2023-0996.patch + +- fixed CVE-2020-23109 [bsc#1192382] + (bca0162018df9a32d21c05aad1fa203881fa7813) libkdecoration2 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + libkscreen2 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * libdpms/wayland: Do not create dpms interfaces for placeholder QScreens (kde#466674) + * dpms/xcb: Make sure we are setting it as unsupported when it is (kde#466181) + * backends/wayland: Round passed scale + libksysguard5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + liblouis +- Add liblouis-CVE-2023-26769.patch: Check the path length before + copying into tableFile(CVE-2023-26769 bsc#1209432). + +- Add liblouis-CVE-2023-26767.patch: Check the length of path before + copying into dataPath(CVE-2023-26767 bsc#1209429). + - compilePassOpcode (boo#1197085 CVE-2022-26981). + compilePassOpcode (bsc#1197085 CVE-2022-26981). - write in compileRule (boo#1200120 CVE-2022-31783). + write in compileRule (bsc#1200120 CVE-2022-31783). libqt5-qtbase +- Update to version 5.15.8+kde185: + * QFSFileEngine: fix overflow bug when using lseek64 + * Add QImage null check when QOpenGLTexture converts +- Add patch to fix return key handling in QGroupBox on GNOME (bsc#1209364): + * 0001-Revert-QGnomeTheme-Allow-Space-Return-Enter-and-Sele.patch +- Add patch to fix XInput2 events in big-endian X11 clients (bsc#1204883, QTBUG-105157): + * big-endian-scroll.patch + libstorage-ng +- Translated using Weblate (Portuguese (Brazil)) (bsc#1149754) +- 4.5.92 + +- merge gh#openSUSE/libstorage-ng#922 +- add PCIe as disk transport +- 4.5.91 + +- merge gh#openSUSE/libstorage-ng#921 +- fixed setting sysfs-name for partitions on nvme disks +- 4.5.90 + +- Translated using Weblate (Georgian) (bsc#1149754) +- 4.5.89 + +- Translated using Weblate (Polish) (bsc#1149754) +- 4.5.88 + mdadm +- sysconfig.mdadm: Remove ServiceRestart line to mdadm since there + is not such systemd service. (bsc#1203491) + milou5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + openssl-1_1 +- Security Fix: [CVE-2023-0465, bsc#1209878] + * Invalid certificate policies in leaf certificates are silently ignored + * Add openssl-CVE-2023-0465.patch +- Security Fix: [CVE-2023-0466, bsc#1209873] + * Certificate policy check not enabled + * Add openssl-CVE-2023-0466.patch + +- Security Fix: [CVE-2023-0464, bsc#1209624] + * Excessive Resource Usage Verifying X.509 Policy Constraints + * Add openssl-CVE-2023-0464.patch + +- FIPS: Service-level indicator [bsc#1208998] + * Add additional check required by FIPS 140-3. Minimum values for + PBKDF2 are: 112 bits for key, 128 bits for salt, 1000 for + iteration count and 20 characters for password. + * Add openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch + openvpn +- bsc#1202792: --enable-iproute2 added back as default option. + pam_kwallet +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + patterns-gnome +- Require xorg-x11-fonts to fix gnome-shell starting failure (bsc#1203966) + pkcs11-helper +- Added pkcs11-helper_support-RSA_NO_PADDING-padding.patch + * Fixes bsc#1175219 + * Adds support for openssl's RSA_NO_PADDING padding + * Sourced from https://github.com/OpenSC/pkcs11-helper/commit/c192bb48 + -- remove static libraries and "la" files -- fix -devel package dependencies and pkgconfig file - plasma-browser-integration +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + plasma-nm5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Don't crash when importing VPN config with missing NetworkManager plugin (kde#465484) + * [kcm] Show VPN import error in the UI + plasma5-addons +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + plasma5-desktop +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Partly revert "make sure screen numbers are consecutive" (kde#464873) + plasma5-disks +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + plasma5-integration +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Revert "extend kio with portal-based open-with implementation" (kde#460741) + plasma5-openSUSE +- Update to 5.27.3 + plasma5-pa +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * kcm: Fix visuals when testing non-standard channel names + * kcm: Fix missing id and implicit parameter signal handler (kde#466075) + plasma5-systemmonitor +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + plasma5-thunderbolt +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + plasma5-workspace +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * klipper: remove duplicate items when loading from history (kde#466236) + * kcms/region_language: set LC_PAPER, not LC_PAGE (kde#467269) + * Screenpool: avoid uniqueConnection with lambda + * kcms/fonts: Enable change notifications for base fonts settings (forceFontDPI) + * sddm-theme: Transfer the focus to the text field as we show the OSK (kde#466969) + * appstreamtest: fix test failure + * wallpapers/image: improve efficiency of ImageFinder + * klipper: Make action menu Frameless (kde#466406) + * dataengines/mpris2: tolerate non-standards compliant players like mpris-proxy (kde#466288) + * klipper: History test passes now + * klipper: Insert items before remove (kde#466041) + * sddm: Focus something useful when switching between alternative login screens + polkit-kde-agent-5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + powerdevil5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Suspend by default on AC profile + * Use correct tablet mode function to determine mobile-ness + shim -- Update the SLE signatures +- Updated shim signature after shim 15.7 be signed back: + signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458) + +- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to + disable the NX compatibility flag when using post-process-pe because + grub2 is not ready. (bsc#1205588) + - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 + be merged to v5.19. On the other hand, upstream is working on + improve compressed kernel stage for NX: + [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage + https://www.spinics.net/lists/kernel/msg4599636.html + +- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to + enable the NX compatibility flag by default. (jsc#PED-127) + +- Drop upstreamed patch: + - shim-Enable-TDX-measurement-to-RTMR-register.patch + - Enable TDX measurement to RTMR register (jsc#PED-1273) + - 4fd484e4c2 15.7 + +- Update to 15.7 (bsc#1198458)(jsc#PED-127) + - Patches (git log --oneline --reverse 15.6..15.7) + 0eb07e1 Make SBAT variable payload introspectable + 092c2b2 Reference MokListRT instead of MokList + 8b59b69 Add a link to the test plan in the readme. + 4fd484e Enable TDX measurement to RTMR register + 14d6339 Discard load-options that start with a NUL + 5c537b3 shim: Flush the memory region from i-cache before execution + 2d4ebb5 load_cert_file: Fix stack issue + ea4911c load_cert_file: Use EFI RT memory function + 0cf43ac Add -malign-double to IA32 compiler flags + 17f0233 pe: Fix image section entry-point validation + 5169769 make-archive: Build reproducible tarball + aa1b289 mok: remove MokListTrusted from PCR 7 + 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference + 616c566 More coverity modeling + ea0d0a5 Update shim's .sbat to sbat,3 + dd8be98 Bump grub's sbat requirement to grub,3 + 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 + - 15.7 release note https://github.com/rhboot/shim/releases + Make SBAT variable payload introspectable by @chrisccoulson in #483 + Reference MokListRT instead of MokList by @esnowberg in #488 + Add a link to the test plan in the readme. by @vathpela in #494 + [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485 + Discard load-options that start with a NUL by @frozencemetery in #505 + load_cert_file bugs by @esnowberg in #523 + Add -malign-double to IA32 compiler flags by @nicholasbishop in #516 + pe: Fix image section entry-point validation by @iokomin in #518 + make-archive: Build reproducible tarball by @julian-klode in #527 + mok: remove MokListTrusted from PCR 7 by @baloo in #519 + - Drop upstreamed patch: + - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch + - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() + - 53509eaf22 15.7 + - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch + - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) + - The following patches are merged to 15.7 + aa1b289a1a mok: remove MokListTrusted from PCR 7 + 0cf43ac6d7 Add -malign-double to IA32 compiler flags + ea4911c2f3 load_cert_file: Use EFI RT memory function + 2d4ebb5a79 load_cert_file: Fix stack issue + 5c537b3d0c shim: Flush the memory region from i-cache before execution + 14d6339829 Discard load-options that start with a NUL + 092c2b2bbe Reference MokListRT instead of MokList + 0eb07e11b2 Make SBAT variable payload introspectable + +- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to + the item in Update to 15.6. (bsc#1198458) + +- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following + patches between 15.6 with aa1b289a1a (jsc#PED-127): + aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 + 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags + ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function + 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue + 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution + 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL + 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList + 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable + +- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support + enhance shim measurement to TD RTMR. (jsc#PED-1273) + +- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec + and shim.changes: (jsc#PED-127) + - Add some change log from SLE shim.changes to Factory shim.changes + Those messages are added "(sync shim.changes from SLE)" tag. + - Add the following changes to shim.spec + - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch + on openSUSE. + - Enable the AArch64 signature check for SLE: + [#] AArch64 signature + signature=%{SOURCE13} + +- shim-install: ensure grub.cfg created is not overwritten after + installing grub related files + +- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. + (bsc#1201066) + +- Add logic to shim.spec for detecting --set-sbat-policy option before + using mokutil to set sbat policy. (bsc#1202120) + +- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282) + +- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)" + - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory + is unstable for building out a stable shim binary for signing. (bsc#1198458) + - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 + because closing-the-leap-gap. So sbat_distro_* variables are SLE version, + not for openSUSE. (bsc#1198458) + +- Update to 15.6 (bsc#1198458) + - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 + which is from upstream grub2.cve_2021_3695.ms keybase channel. + - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to + support efi-app-aarch64 target. So we need the following patches in bintuils: + - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch + b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64). + - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch + 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64) + - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch + d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64) + - Patches (git log --oneline --reverse 15.5~..77144e5a4) + 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) + a2da05f shim: implement SBAT verification for the shim_lock protocol + bda03b8 post-process-pe: Fix a missing return code check + af18810 CI: don't cancel testing when one fails + ba580f9 CI: remove EOL Fedoras from github actions + bfeb4b3 Remove aarch64 build tests before f35 + 38cc646 CI: Add f36 and centos9 CI build tests. + b5185cb post-process-pe: Fix format string warnings on 32-bit platforms + 31094e5 tests: also look for system headers in multi-arch directories + 4df989a mock-variables.c: fix gcc warning + 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled + 2670c6a Allow MokListTrusted to be enabled by default + 5c44aaf Add code of conduct + d6eb9c6 Modernize aarch64 + 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail + de87985 make: don't treat cert.S specially + 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode + 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. + bb4b60e Add verify_image + acfd48f Abstract out image reading + 35d7378 Load additional certs from a signed binary + 8ce2832 post-process-pe: there is no 's' argument. + 465663e Add some missing PE image flag definitions + 226fee2 PE Loader: support and require NX + df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX + b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT + f81a7cc SBAT revocation management + abe41ab make: unbreak scan-build again for gnu-efi + 610a1ac sbat.h: minor reformatting for legibility + f28833f peimage.h: make our signature macros force the type + 5d789ca Always initialize data/datasize before calling read_image() + a50d364 sbat policy: make our policy change actions symbolic + 5868789 load_certs: trust dir->Read() slightly less. + a78673b mok.c: fix a trivial dead assignment + 759f061 Fix preserve_sbat_uefi_variable() logic + aa61fdf Give the Coverity scanner some more GCC blinders... + 0214cd9 load_cert_file(): don't defererence NULL + 1eca363 mok import: handle OOM case + 75449bc sbat: Make nth_sbat_field() honor the size limit + c0bcd04 shim-15.6~rc1 + 77144e5 SBAT Policy latest should be a one-shot + - 15.5 release note https://github.com/rhboot/shim/releases + Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357 + mok: allocate MOK config table as BootServicesData by @lcp in #361 + Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364 + Relax the check for import_mok_state() by @lcp in #372 + SBAT.md: trivial changes by @hallyn in #389 + shim: another attempt to fix load options handling by @chrisccoulson in #379 + Add tests for our load options parsing. by @vathpela in #390 + arm/aa64: fix the size of .rela* sections by @lcp in #383 + mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365 + mok: relax the maximum variable size check by @lcp in #369 + Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378 + fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396 + httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403 + Fallback allocation errors by @vathpela in #402 + shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406 + str: remove duplicate parameter check by @xypron in #408 + fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359 + Test mok mirror by @vathpela in #394 + Modify sbat.md to help with readability. by @eshiman in #398 + csv: detect end of csv file correctly by @xypron in #404 + Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413 + tests: add "include-fixed" GCC directory to include directories by @diabonas in #415 + pe: simplify generate_hash() by @xypron in #411 + Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414 + Fallback to default loader if parsed one does not exist by @julian-klode in #393 + fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422 + Better console checks by @vathpela in #416 + docs: update SBAT UEFI variable name by @nicholasbishop in #421 + Don't parse load options if invoked from removable media path by @julian-klode in #399 + fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433 + shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438 + Shim 15.5 coverity by @vathpela in #439 + Allocate mokvar table in runtime memory. by @vathpela in #447 + Remove post-process-pe on 'make clean' by @vathpela in #448 + pe: missing perror argument by @xypron in #443 + - 15.6-rc1 release note https://github.com/rhboot/shim/releases + MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 + shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 + post-process-pe: Fix a missing return code check by @vathpela in #462 + Update github actions matrix to be more useful by @frozencemetery in #469 + Add f36 and centos9 CI builds by @vathpela in #470 + post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 + tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 + tests: fix gcc warnings by @akodanev in #463 + Allow MokListTrusted to be enabled by default by @esnowberg in #455 + Add code of conduct by @frozencemetery in #427 + Re-add ARM AArch64 support by @vathpela in #468 + Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 + make: don't treat cert.S specially by @vathpela in #475 + shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 + Break out of the inner sbat loop if we find the entry. by @vathpela in #476 + Support loading additional certificates by @esnowberg in #446 + Add support for NX (W^X) mitigations. by @vathpela in #459 + Misc fixups from scan-build. by @vathpela in #477 + Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 + - 15.6 release note https://github.com/rhboot/shim/releases + MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 + shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 + post-process-pe: Fix a missing return code check by @vathpela in #462 + Update github actions matrix to be more useful by @frozencemetery in #469 + Add f36 and centos9 CI builds by @vathpela in #470 + post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 + tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 + tests: fix gcc warnings by @akodanev in #463 + Allow MokListTrusted to be enabled by default by @esnowberg in #455 + Add code of conduct by @frozencemetery in #427 + Re-add ARM AArch64 support by @vathpela in #468 + Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 + make: don't treat cert.S specially by @vathpela in #475 + shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 + Break out of the inner sbat loop if we find the entry. by @vathpela in #476 + Support loading additional certificates by @esnowberg in #446 + Add support for NX (W^X) mitigations. by @vathpela in #459 + Misc fixups from scan-build. by @vathpela in #477 + Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 + SBAT Policy latest should be a one-shot by @jsetje in #481 + pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson + pe: Perform image verification earlier when loading grub by @chriscoulson + Update advertised sbat generation number for shim by @jsetje + Update SBAT generation requirements for 05/24/22 by @jsetje + Also avoid CVE-2022-28737 in verify_image() by @vathpela + - Drop upstreamed patch: + - shim-bsc1184454-allocate-mok-config-table-BS.patch + - Allocate MOK config table as BootServicesData to avoid the error message + from linux kernel + - 4068fd42c8 15.5-rc1~70 + - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + - Handle ignore_db and user_insecure_mode correctly + - 822d07ad4f07 15.5-rc1~73 + - shim-bsc1185621-relax-max-var-sz-check.patch + - Relax the maximum variable size check for u-boot + - 3f327f546c219634b2 15.5-rc1~49 + - shim-bsc1185261-relax-import_mok_state-check.patch + - Relax the check for import_mok_state() when Secure Boot is off + - 9f973e4e95b113 15.5-rc1~67 + - shim-bsc1185232-relax-loadoptions-length-check.patch + - Relax the check for the LoadOptions length + - ada7ff69bd8a95 15.5-rc1~52 + - shim-fix-aa64-relsz.patch + - Fix the size of rela* sections for AArch64 + - 34e3ef205c5d65 15.5-rc1~51 + - shim-bsc1187260-fix-efi-1.10-machines.patch + - Don't call QueryVariableInfo() on EFI 1.10 machines + - 493bd940e5 15.5-rc1~69 + - shim-bsc1185232-fix-config-table-copying.patch + - Avoid buffer overflow when copying the MOK config table + - 7501b6bb44 15.5-rc1~50 + - shim-bsc1187696-avoid-deleting-rt-variables.patch + - Avoid deleting the mirrored RT variables + - b1fead0f7c9 15.5-rc1~37 + - Add "rm -f *.o" after building MokManager/fallback in shim.spec + to make sure all object files gets rebuilt + - reference: https://github.com/rhboot/shim/pull/461 +- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included + in shim-15.6.tar.bz2 + - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch + pe: Fix a buffer overflow when SizeOfRawData VirtualSize + - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch + pe: Perform image verification earlier when loading grub + - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch + Update advertised sbat generation number for shim + - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch + Update SBAT generation requirements for 05/24/22 + - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch + Also avoid CVE-2022-28737 in verify_image() + - 0006-shim-15.6-rc2.patch + - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch + sbat: add the parsed SBAT variable entries to the debug log + - 0008-bump-version-to-shim-15.6.patch +- Add mokutil command to post script for setting sbat policy to latest mode + when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. + (bsc#1198458) +- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to + show the prompt to ask whether the user trusts openSUSE certificate or not + (bsc#1198101) +- Updated vendor dbx binary and script (bsc#1198458) + - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding + SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. + - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding + openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. + - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt + and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. + - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin + file which includes all .der for testing environment. + +- use common SBAT values (boo#1193282) + +- Update the SLE signatures (sync shim.changes from SLE) +(sync shim.changes from SLE) +- Add shim-bsc1185232-fix-config-table-copying.patch to avoid + buffer overflow when copying data to the MOK config table + (bsc#1185232) + +- Add shim-disable-export-vendor-dbx.patch to disable exporting + vendor-dbx to MokListXRT since writing a large RT variable + could crash some machines (bsc#1185261) +- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the + potential crash when calling QueryVariableInfo in EFI 1.10 + machines (bsc#1187260) + +- Add shim-fix-aa64-relsz.patch to fix the size of rela sections + for AArch64 + Fix: https://github.com/rhboot/shim/issues/371 + +- Add shim-bsc1185232-relax-loadoptions-length-check.patch to + ignore the odd LoadOptions length (bsc#1185232) + +- shim-install: reset def_shim_efi to "shim.efi" if the given + file doesn't exist + +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. + (bsc#1185261) + + (sync shim.changes from SLE) + +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441, bsc#1187071) + +- Split the keys in vendor-dbx.bin to vendor-dbx-sles and + vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce + the size of MokListXRT (bsc#1185261) + + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz -- Enable the AArch64 signature check for SLE +- Enable the AArch64 signature check for SLE (sync shim.changes from SLE) -- Update the SLE signatures +- Update the SLE signatures (sync shim.changes from SLE) smartmontools +- fix smartctl crash for an NVMe on big endian systems [bsc#1208905] +- added patches + fix https://www.smartmontools.org/changeset/5448 + + smartmontools-smartctl-NVMe-big-endian.patch + systemd +- Import commit dad0071f15341be2b24c2c9d073e62617e0b46733 (merge of v249.16) + +- Fix return non-zero value when disabling SysVinit service (bsc#1208432) + +- Drop build requirement on libpci, it's not more needed since udev hwdb was + introduced 11 years ago. + +- Move systemd-boot and all components managing (secure) UEFI boot into udev + sub-package: they may deserve a dedicated sub-package in the future but for + now move them to udev so they aren't installed in systemd based containers. + systemsettings5 +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- No code changes since 5.27.2 + tigervnc +- Fixes for bsc#1209283 + * Drop chown vnc:vnc calls in with-vnc-key.sh + * Add TLSNone to -securitytypes to increase security in xvnc@.service + xdg-desktop-portal-kde +- Update to 5.27.3 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.3 +- Changes since 5.27.2: + * Fix cursor and borders selectors in screenshot dialog + xorg-x11-server +- U_xserver-composite-Fix-use-after-free-of-the-COW.patch + * overlay window use-after-free (CVE-2023-1393, ZDI-CAN-19866, + bsc#1209543) + xwayland +- U_xserver-composite-Fix-use-after-free-of-the-COW.patch + * overlay window use-after-free (CVE-2023-1393, ZDI-CAN-19866, + bsc#1209543) + yast2-snapper +- Fixed translations: Moved variable message part out of _(...) + (bsc#1209956) +- 4.5.1 + yast2-storage-ng +- Fix the translation of widgets titles in the dialog to select + a partitioning scheme (bsc#1209697). +- 4.5.19 + yast2-users +- Stop mangling the value of "Create as Btrfs Subvolume" for new + users when clicking on "Edit -> Details" (bsc#1209377). +- 4.5.4 + +- AutoYaST: Fix creation of home for system users (bsc#1202974). + zstd +- Fix CVE-2022-4899, bsc#1209533 + * Fix buffer underflow when dir1 == "" + * Disallow empty string as an argument for --output-dir-flat="" + and --output-dir-mirror="". +- Added patches: + * Disallow-empty-output-directory.patch + * Fix-buffer-underflow-for-null-dir1.patch +