Removed rpms ============ Added rpms ========== Package Source Changes ====================== MozillaFirefox +- Firefox Extended Support Release 102.11.0 ESR + Placeholder changelog-entry (bsc#1211175) + - Placeholder changelog-entry (bsc#1210212) + * Fixed: Various security fixes. + MFSA 2023-14 (bsc#1210212) + * CVE-2023-29531 (bmo#1794292) + Out-of-bound memory access in WebGL on macOS + * CVE-2023-29532 (bmo#1806394) + Mozilla Maintenance Service Write-lock bypass + * CVE-2023-29533 (bmo#1798219, bmo#1814597) + Fullscreen notification obscured + * CVE-2023-1999 (bmo#1819244) + Double-free in libwebp + * CVE-2023-29535 (bmo#1820543) + Potential Memory Corruption following Garbage Collector + compaction + * CVE-2023-29536 (bmo#1821959) + Invalid free from JavaScript code + * CVE-2023-29539 (bmo#1784348) + Content-Disposition filename truncation leads to Reflected + File Download + * CVE-2023-29541 (bmo#1810191) + Files with malicious extensions could have been downloaded + unsafely on Linux + * CVE-2023-29542 (bmo#1810793, bmo#1815062) + Bypass of file download extension restrictions + * CVE-2023-29545 (bmo#1823077) + Windows Save As dialog resolved environment variables + * CVE-2023-1945 (bmo#1777588) + Memory Corruption in Safe Browsing Code + * CVE-2023-29548 (bmo#1822754) + Incorrect optimization result on ARM64 + * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, + bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493, + bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413, + bmo#1824828) + Memory safety bugs fixed in Firefox 112 and Firefox ESR + 102.10 MozillaThunderbird +- Mozilla Thunderbird 102.10.1 + * fixed: Messages with missing or corrupt "From:" header did + not display message header buttons (bmo#1793918) + * fixed: Composer repeatedly prompted for S/MIME smartcard + signing/encryption password (bmo#1828366) + * fixed: Address Book integration did not work with macOS 11.4 + Bug Sur (bmo#1720257) + * fixed: Mexico City DST fix in Thunderbird 102.10.0 (bug + 1826146) was incomplete (bmo#1827503) +- Mozilla Thunderbird 102.10 + * changed: New messages will automatically select S/MIME if + configured and OpenPGP is not (bmo#1793278) + * fixed: Calendar events with timezone America/Mexico_City + incorrectly applied Daylight Savings Time (bmo#1826146) + * fixed: Security fixes + MFSA 2023-15 (bsc#1210212) + * CVE-2023-29531 (bmo#1794292) + Out-of-bound memory access in WebGL on macOS + * CVE-2023-29532 (bmo#1806394) + Mozilla Maintenance Service Write-lock bypass + * CVE-2023-29533 (bmo#1798219, bmo#1814597) + Fullscreen notification obscured + * CVE-2023-1999 (bmo#1819244) + Double-free in libwebp + * CVE-2023-29535 (bmo#1820543) + Potential Memory Corruption following Garbage Collector + compaction + * CVE-2023-29536 (bmo#1821959) + Invalid free from JavaScript code + * CVE-2023-0547 (bmo#1811298) + Revocation status of S/Mime recipient certificates was not + checked + * CVE-2023-29479 (bmo#1824978) + Hang when processing certain OpenPGP messages + * CVE-2023-29539 (bmo#1784348) + Content-Disposition filename truncation leads to Reflected + File Download + * CVE-2023-29541 (bmo#1810191) + Files with malicious extensions could have been downloaded + unsafely on Linux + * CVE-2023-29542 (bmo#1810793, bmo#1815062) + Bypass of file download extension restrictions + * CVE-2023-29545 (bmo#1823077) + Windows Save As dialog resolved environment variables + * CVE-2023-1945 (bmo#1777588) + Memory Corruption in Safe Browsing Code + * CVE-2023-29548 (bmo#1822754) + Incorrect optimization result on ARM64 + * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, + bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493, + bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413, + bmo#1824828) + Memory safety bugs fixed in Thunderbird 102.10 + autofs +- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch + Fix off-by-one error in recursive map handling. (bsc#1209653) + chromium +- Chromium 113.0.5672.126 (boo#1211442): + * CVE-2023-2721: Use after free in Navigation + * CVE-2023-2722: Use after free in Autofill UI + * CVE-2023-2723: Use after free in DevTools + * CVE-2023-2724: Type Confusion in V8 + * CVE-2023-2725: Use after free in Guest View + * CVE-2023-2726: Inappropriate implementation in WebApp Installs + * Various fixes from internal audits, fuzzing and other initiatives + +- Chromium 113.0.5672.92 (boo#1211211) +- Multiple security fixes (boo#1211036): + * CVE-2023-2459: Inappropriate implementation in Prompts + * CVE-2023-2460: Insufficient validation of untrusted input in Extensions + * CVE-2023-2461: Use after free in OS Inputs + * CVE-2023-2462: Inappropriate implementation in Prompts + * CVE-2023-2463: Inappropriate implementation in Full Screen Mode + * CVE-2023-2464: Inappropriate implementation in PictureInPicture + * CVE-2023-2465: Inappropriate implementation in CORS + * CVE-2023-2466: Inappropriate implementation in Prompts + * CVE-2023-2467: Inappropriate implementation in Prompts + * CVE-2023-2468: Inappropriate implementation in PictureInPicture +- drop chromium-94-sql-no-assert.patch +- drop no-location-leap151.patch +- add chromium-113-webview-namespace.patch +- add chromium-113-webauth-include-variant.patch +- add chromium-113-typename.patch +- add chromium-113-workaround_clang_bug-structured_binding.patch + cronie +- Allow to define the logger info and warning priority, fixes + jsc#PED-2551 + * run-crons + * sysconfig.cron + ffmpeg +- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix + use after free in libavcodec/pthread_frame.c (bsc#1209934). + ffmpeg-4 +- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix + use after free in libavcodec/pthread_frame.c (bsc#1209934). + grantlee5 +- Add patch to fix test failures on Leap 15: + * 0001-Add-a-call-to-registerComparators-in-testbuiltins.patch + highway +- Add memory-constraints to build + +- Add no-forced-inline.diff [boo#1211093] + +- Update to release 1.0.4 + * Add PPC8..10, SSE2, AVX3_ZEN4, NEON_WITHOUT_AES targets + * Add Expand, LoadExpand, integer AbsDiff, SumsOf8AbsDiff + * Improved Half/Twice support, codegen for Shift*Same + * Faster KV128 sorting + * Update RISC-V V intrinsics for 1.0-draft +- Remove arm-disable-runtime-dispatch.patch (appears merged) + kernel-default +- x86: don't use REP_GOOD or ERMS for small memory clearing + (bsc#1211140). +- x86/cpufeatures: Add macros for Intel's new fast rep string + features (bsc#1211140). +- commit ff3ce03 + +- wifi: brcmfmac: slab-out-of-bounds read in + brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380). +- commit 39854dd + kernel-kvmsmall +- x86: don't use REP_GOOD or ERMS for small memory clearing + (bsc#1211140). +- x86/cpufeatures: Add macros for Intel's new fast rep string + features (bsc#1211140). +- commit ff3ce03 + +- wifi: brcmfmac: slab-out-of-bounds read in + brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380). +- commit 39854dd + ldb +- Update to version 2.6.2 + + CVE-2023-0614: Not-secret but access controlled LDAP attributes + can be discovered; (bso#15270); (bsc#1209485). + libfastjson +- fix CVE-2020-12762 integer overflow and out-of-bounds write via a + large JSON file (bsc#1171479) + add 0001-Fix-CVE-2020-12762.patch + libqt5-qtbase +- Amend patch to fix mouse grabbing as well (bsc#1211024): + * big-endian-scroll.patch + ncurses +- Modify patch ncurses-6.1.dif + * Secure writing terminfo entries by setfs[gu]id in s[gu]id + (boo#1210434, CVE-2023-29491) + * Reading is done since 2000/01/17 + open-iscsi +- Remove "--strip" in SPEC file for meson build, so that + debuginfo is generated. (from mwilck) (bsc#1210536) + +- Build system: meson builds were ignoring optflags, and other + passed in compiler options. + +- Update iscsid.service so it starts iscsid.socket, if needed + (bsc#1206132). + open-vm-tools +- As per jsc-PED-1344, update spec file to only build the containerinfo + plugin for TW/SLES 15 SP5 and newer. + +- Update to 12.2.0 (build 21223074) (boo#1209128) + - There are no new features in the open-vm-tools 12.2.0 release. This is + primarily a maintenance release that addresses a few critical problems, + including: + - Linux quiesced snapshots have been updated to avoid intermittent hangs of + the vmtoolsd process. + - Updated the guestOps to handle some edge cases when File_GetSize() fails + or returns -1. + - A number of Coverity reported issues have been addressed. + - Detect the proto files for the containerd grpc client in alternate + locations. Pull request #626 + - FreeBSD: Support newer releases and code clean-up for earlier versions. + Pull request #584 + - Please refer to the release notes at + https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ReleaseNotes.md + - The granular changes that have gone into the 12.2.0 release are in the + ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ + open-vm-tools/ChangeLog +- Update detect-suse-location.patch to remove upstream accepted portion of the + patch (jsc-PED-1344). + +- Migration of PAM settings to /usr/lib/pam.d. + +- Don't list libgrpc++, libgrpc, and libprotobuf in the containerinfo Requires + section. The dependencies will be added automatically. + +- Don't use new LDFLAGS, -labsl_synchronization -lgpr, when building for SLE. + +- Add containerInfo plugin (jsc-PED-1344) + - Add dependencies on grpc, protobuf, and containerd for container + introspection +- Added patches (jsc-PED-1344) + + detect-suse-location.patch + +- Add _service to handle open-vm-tools sources +- Update to 12.1.5 (build 20735119) (boo#1205962) + - A number of Coverity reported issues have been addressed. + - The deployPkg plugin may prematurely reboot the guest VM before cloud-init + has completed user data setup. If both the Perl based Linux customization + script and cloud-init run when the guest VM boots, the deployPkg plugin + may reboot the guest before cloud-init has finished. The deployPkg + plugin has been updated to wait for a running cloud-init process to + finish before the guest VM reboot is initiated. This issue is fixed in + this release. + - A SIGSEGV may be encountered when a non-quiesing snapshot times out. + This issue is fixed in this release. + - Unwanted vmtoolsd service error message if not on a VMware hypervisor. + When open-vm-tools comes preinstalled in a base Linux release, the vmtoolsd + services are started automatically at system start and desktop login. + If running on physical hardware or in a non-VMware hypervisor, the services + will emit an error message to the Systemd's logging service before stopping. + This issue is fixed in this release. + openssh +- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: + This caused invalid and irrelevant environment assignments (bsc#1207014). + procps +- Add patch bsc1209122-a6c0795d.patch + * Fix for bsc#1209122 to allow `-ยด as leading character to ignore + possible errors on systctl entries + protobuf-c +- ec3d9000.patch: fixes unsigned integer overflow + (bsc#1210323, CVE-2022-48468) + -- update to 0.15 - - make protobuf_c_message_init() into a function (Issue #49, daveb) - - Fix for freeing memory after unpacking bytes w/o a default-value. - (Andrei Nigmatulin) - - minor windows portability issues (use ProtobufC_FD) (Pop Stelian) - - --with-endianness={little,big} (Pop Stelian) - - bug setting up values of has_idle in public dispatch, - make protobuf_c_dispatch_run() use only public members (daveb) - - provide cmake support and some Windows compatibility (Nikita Manovich) - samba +- Update to 4.17.7 + * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords + in cleartext; (bso#15315); (bsc#1209481). + * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be + deleted by unprivileged authenticated users; (bso#15276); + (bsc#1209483). + * CVE-2023-0614: samba: Access controlled AD LDAP attributes can + be discovered; (bso#15270); (bsc#1209485). + * large_ldap test is inefficient; (bso#15332). + * CVE-2020-25720 [SECURITY] Create Child permission should not + allow full write to all attributes (additional changes); + (bso#14810). +- Update to 4.17.6 + * streams_xattr is creating unexpected locks on folders; + (bso#15314). + * Use of the Azure AD Connect cloud sync tool is now supported + for password hash synchronisation, allowing Samba AD Domains + to synchronise passwords with this popular cloud environment; + (bso#10635). + * Spotlight doesn't work with latest macOS Ventura; + (bso#15299). + * New samba-dcerpc architecture does not scale gracefully; + (bso#15310). + * vfs_ceph incorrectly uses fsp_get_io_fd() instead of + fsp_get_pathref_fd() in close and fstat; (bso#15307). + * With clustering enabled samba-bgqd can core dump due to use + after free; (bso#15293). + * fd_load() function implicitly closes the fd where it should + not; (bso#15311). +- Update to 4.17.5 + * smbc_getxattr() return value is incorrect; (bso#14808). + * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not + handled correctly; (bso#15172). + * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). + * samba-tool gpo listall fails IPv6 only - finddcs() fails to + find DC when there is only an AAAA record for the DC in DNS; + (bso#15226). + * smbd crashes if an FSCTL request is done on a stream handle; + (bso#15236). + * DFS links don't work anymore on Mac clients since 4.17; + (bso#15277). + * vfs_virusfilter segfault on access, directory edgecase + (accessing NULL value); (bso#15283). + * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) + based SChannel on NETLOGON (additional changes); (bso#15240). + * %U for include directive doesn't work for share listing + (netshareenum); (bso#15243). + * Shares missing from netshareenum response in samba 4.17.4; + (bso#15266). + * ctdb: use-after-free in run_proc; (bso#15269). + * irpc_destructor may crash during shutdown; (bso#15280). + * auth3_generate_session_info_pac leaks wbcAuthUserInfo; + (bso#15286). + * smbclient segfaults with use after free on an optimized + build; (bso#15268). + * smbstatus leaking files in msg.sock and msg.lock; + (bso#15282). + * Leak in wbcCtxPingDc2; (bso#15164). + * Access based share enum does not work in Samba 4.16+; + (bso#15265). + * Crash during share enumeration; (bso#15267). + * rep_listxattr on FreeBSD does not properly check for reads + off end of returned buffer; (bso#15271). + * Avoid relying on C89 features in a few places; (bso#15281). + shadow +- bsc#1210507 (CVE-2023-29383): + Check for control characters +- Add shadow-CVE-2023-29383.patch + shim +- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458. + The issue be fixed by upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737) + +- Sometimes SLE shim signature be Microsoft updated before openSUSE shim + signature. When submit request on IBS for updating SLE shim, the submitreq + project be generated, but it always be blocked by checking the signature + of openSUSE shim. + It doesn't make sense checking openSUSE shim signature when building + SLE shim on SLE platform, and vice versa. So the following change adds the + logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). + When and only when hash mismatch and distro_id match with suffix, stop + building. + [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) + [#] when hash mismatch and distro_id match with suffix, stop building + +- Upgrade shim-install for bsc#1210382 + After closing Leap-gap project since Leap 15.3, openSUSE Leap direct + uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot + CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no, + so all files in /boot/efi/EFI/boot are not updated. + The 86b73d1 patch added the logic that using ID field in os-release for + checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure + Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated. +- https://github.com/SUSE/shim-resources (git log --oneline) + 86b73d1 Fix that bootx64.efi is not updated on Leap + f2e8143 Use the long name to specify the grub2 key protector + 7283012 cryptodisk: support TPM authorized policies + 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst + 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs + 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot + a5c5734 Introduce --no-grub-install option + - signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458) + signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737) snapper +- avoid stale btrfs qgroups on transactional systems (bsc#1210151) + * added pr805.patch +- wait for existing btrfs quota rescans to finish (bsc#1210150) + * added pr790.patch + vim +- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim + * Revert the creation standalone xxd packages + +- Updated to version 9.0 with patch level 1443, fixes the following security problems + * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392 + * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402. + * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown() +- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we + remove during %prep anyway. And this breaks quilt setup. +- for the complete list of changes see + https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443 + webkit2gtk3 +- Update to version 2.38.6 (boo#1210295 boo#1210731): + + Enable the Asynchronous Clipboard API to make certain pages + work (e.g. GithHub started recently requiring it). + + Support :has() CSS selectors in content filters. + + Apply basic font properties as font variation settings. + + The Bubblewrap sandbox no longer requires setting an + application identifier via GApplication to operate correctly. + Using GApplication is still recommended, but optional. + + Improvements to the GStreamer multimedia playback, in + particular around MSE, WebRTC, and seeking. + + Fix the build with journald support enabled when using elogind + instead of the systemd libraries. + + Fix the build with Link-Time Optimization enabled (-flto=auto). + + Fix context menus not working in the remote Web Inspector. + + Fix usage of the remote Web Inspector over HTTP. + + Fix debug logs not being emitted in release builds. + + Fix several crashes and rendering issues. + + Security fixes: CVE-2022-0108, CVE-2023-28205, CVE-2022-32885, + CVE-2023-27932, CVE-2023-27954. + - + Security fixes: CVE-2022-32886, CVE-2022-32912. + + Security fixes: CVE-2022-32886, CVE-2022-32912, CVE-2023-25358, + CVE-2023-25360, CVE-2023-25361, CVE-2023-25362, CVE-2023-25363. yast2-network +- Do not write the EAP auth attribute when writing a wireless + wicked configuration using the EAP mode as TLS (bsc#1211026) +- 4.5.20 + +- Fix summary crash when there is no interface available + (bsc#1209589, bsc#1211161). +- 4.5.19 + zlib +- Fix deflateBound() before deflateInit(), bsc#1210593, bsc#1211005 + bsc1210593.patch +