Packages changed:
  Mesa
  Mesa-drivers
  apache2 (2.4.54 -> 2.4.55)
  apache2-manual (2.4.54 -> 2.4.55)
  apache2-prefork (2.4.54 -> 2.4.55)
  apache2-utils (2.4.54 -> 2.4.55)
  bind (9.18.10 -> 9.18.11)
  binutils
  dracut (057+suse.353.g6dab83eb -> 059+suse.360.g2e0ed5f7)
  ell (0.55 -> 0.56)
  fetchmail
  ffmpeg-4
  ffmpeg-5
  gdm
  gdm-branding-openSUSE
  gedit (44.1 -> 44.2)
  glib2 (2.74.4 -> 2.74.5)
  gnome-desktop (43 -> 43.1)
  gnome-sudoku (43.0 -> 43.1)
  gnutls
  gpgme
  gpgmeqt
  hidapi (0.13.0 -> 0.13.1)
  hylafax+ (7.0.6 -> 7.0.7)
  icewm (3.3.0 -> 3.3.1)
  kernel-source (6.1.7 -> 6.1.8)
  kpipewire
  libgit2 (1.5.0 -> 1.5.1)
  libheif
  libpcap (1.10.1 -> 1.10.3)
  libraw (0.21.0 -> 0.21.1)
  libstorage-ng (4.5.64 -> 4.5.65)
  liburing (2.2 -> 2.3)
  libvirt (8.10.0 -> 9.0.0)
  live555 (2022.12.01 -> 2023.01.19)
  logrotate (3.20.1 -> 3.21.0)
  lsof (4.96.5 -> 4.97.0)
  microos-tools (2.17 -> 2.18)
  miniupnpc (2.2.2 -> 2.2.4)
  multipath-tools (0.9.2+59+suse.ac8942d -> 0.9.4+68+suse.98559ea)
  nano (7.1 -> 7.2)
  nautilus (43.1 -> 43.2)
  patterns-media
  postfix
  python-future (0.18.2 -> 0.18.3)
  python-libvirt-python (8.10.0 -> 9.0.0)
  python-numpy
  python-pbr (5.11.0 -> 5.11.1)
  python-requests (2.28.1 -> 2.28.2)
  python-urllib3 (1.26.13 -> 1.26.14)
  rubygem-rack-2.2 (2.2.4 -> 2.2.6.2)
  rubygem-rack (3.0.2 -> 3.0.4.1)
  samba (4.17.4+git.303.89e23854eb7 -> 4.17.4+git.314.7b07e3c51a6)
  scout (0.2.6+20211130.022a45c -> 0.2.7+20230124.b4e3468)
  sendmail
  soundtouch (2.3.1 -> 2.3.2)
  squid
  sudo (1.9.12p1 -> 1.9.12p2)
  systemd
  thunar
  transactional-update (4.1.0 -> 4.1.2)
  urlview
  vim (9.0.1188 -> 9.0.1234)
  vte
  wicked (0.6.71 -> 0.6.72)
  xf86-video-qxl (0.1.5 -> 0.1.6)
  xfce4-notifyd (0.7.1 -> 0.7.2)
  xorg-x11-server
  yast2-installation (4.5.13 -> 4.5.15)
  yast2-network (4.5.12 -> 4.5.15)
  yast2-ntp-client (4.5.2 -> 4.5.3)
  yast2-trans (84.87.20230116.80083546af -> 84.87.20230123.08c503a922)
  zeromq

=== Details ===

==== Mesa ====
Subpackages: Mesa-dri-devel Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- force usage of gcc 12 only on Leap 15.5; there is no gcc12 on Leap 15.4
- Add BuildRequires for x264 and x265 in case video_codecs should be built.
- re-enable build on Leap, but only for 15.5; there is no gcc12 on Leap 15.4, which is now officially required by Mesa 22.3

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- force usage of gcc 12 only on Leap 15.5; there is no gcc12 on Leap 15.4
- Add BuildRequires for x264 and x265 in case video_codecs should be built.
- re-enable build on Leap, but only for 15.5; there is no gcc12 on Leap 15.4, which is now officially required by Mesa 22.3

==== apache2 ====
Version update (2.4.54 -> 2.4.55)

- This update fixes the following security issues:
  * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
- Update to 2.4.55:
  * ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org)
    Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
    Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
  * ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org)
    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
    Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
  * ) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org)
    A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
  * ) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe, manu]
  * ) mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do. Fixes PR 66391. Thanks to Jérôme Billiras for providing the patch. [Stefan Eissing]
  * ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981 [Basant Kumar Kukreja, Alejandro Alvarez]
  * ) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
  * ) mod_http2: version 2.0.10 of the module, synchronizing changes with the github version. This is a partial rewrite of how connections and streams are handled.
    - an APR pollset and pipes (where supported) are used to monitor the main connection and react to IO for request/response handling. This replaces the stuttered timed waits of earlier versions.
    - H2SerializeHeaders directive still exists, but no longer has an effect.
    - Clients that seemingly misbehave still get fewer resources allocated, but ongoing requests are no longer disrupted.
    - Fixed an issue since 1.15.24 that "Server" headers in proxied requests were overwritten instead of preserved. [PR by @daum3ns]
    - A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See #212.
    - Improved information displayed in 'server-status' for H2 connections when Extended Status is enabled. Now one can see the last request that IO operations happened on and transferred IO stats are updated as well.
    - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection sent a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. See PR65731 at . The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced.
    - :scheme pseudo-header values, not matching the connection scheme, are forwarded via absolute uris to the http protocol processing to preserve semantics of the request. Checks on combinations of pseudo-headers values/absence have been added as described in RFC 7540. Fixes #230.
    - A bug that prevented trailers (e.g. HEADER frame at the end) from being generated in certain cases was fixed. See #233 where it prevented gRPC responses from being properly generated.
    - Request and response header values are automatically stripped of leading and trailing space/tab characters. This is equivalent behaviour to what Apache httpd's http/1.1 parser does. The checks for this in nghttp2 v1.50.0+ are disabled.
    - Extensive testing in production done by Alessandro Bianchi (@alexskynet) on the v2.0.x versions for stability. Many thanks!
  * ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when request ':authority' is known. Improved test case that did not catch that the previous 'fix' was incorrect.
  * ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
  * ) mod_proxy: The AH03408 warning for a forcibly closed backend connection is now logged at INFO level. [Yann Ylavic]
  * ) mod_ssl: When dumping the configuration, the existence of certificate/key files is no longer tested. [Joe Orton]
  * ) mod_authn_core: Add expression support to AuthName and AuthType.
    [Graham Leggett]
  * ) mod_ssl: when a proxy connection had handled a request using SSL, an error was logged when "SSLProxyEngine" was only configured in the location/proxy section and not the overall server. The connection continued to work, the error log was in error. Fixed PR66190. [Stefan Eissing]
  * ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302. [Alessandro Cavaliere]
  * ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300. [Alessandro Cavaliere]
  ... changelog too long, skipping 16 lines ...
  PR 66313. [Emmanuel Dreyfus]

==== apache2-manual ====
Version update (2.4.54 -> 2.4.55)

- This update fixes the following security issues:
  * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte

==== apache2-prefork ====
Version update (2.4.54 -> 2.4.55)

- This update fixes the following security issues:
  * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte

==== apache2-utils ====
Version update (2.4.54 -> 2.4.55)

- This update fixes the following security issues:
  * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte

==== bind ====
Version update (9.18.10 -> 9.18.11)
Subpackages: bind-doc bind-utils

- Update to release 9.18.11
  Security Fixes:
  * An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094)
  * named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736)
  * named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924)
  New Features:
  * The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated.
  Removed Features:
  * The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16.
    It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in named.conf now causes a warning to be logged.
  Feature Changes:
  * The catalog zone implementation has been optimized to work with hundreds of thousands of member zones.
  Bug Fixes:
  * A rare assertion failure was fixed in outgoing TCP DNS connection handling.
  * Large zone transfers over TLS (XoT) could fail. This has been fixed.
  * In addition to a previously fixed bug, another similar issue was discovered where quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed.
  * In certain query resolution scenarios (e.g. when following CNAME records), named configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed.
  * When an outgoing request timed out, named would retry up to three times with the same server instead of trying the next available name server. This has been fixed.
  * Recently used ADB names and ADB entries (IP addresses) could get cleaned when ADB was under memory pressure. To mitigate this, only actual ADB names and ADB entries are now counted (excluding internal memory structures used for “housekeeping”) and recently used (<= 10 seconds) ADB names and entries are excluded from the overmem memory cleaner.
  * The “Prohibited” Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed.
  * Previously, TLS session resumption could have led to handshake failures when client certificates were used for authentication (Mutual TLS). This has been fixed.
  [bsc#1207471, bsc#1207473, bsc#1207475]

==== binutils ====
Subpackages: gprofng libctf-nobfd0 libctf0

- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]
- fix build on x86_64_vX platforms
- Add binutils-maxpagesize.diff for a problem on old code streams, where we would generate too large binaries.
- s390-pic-dso.diff: use %pB instead of %B
- SLE toolchain update of binutils. Update to 2.39 from 2.37, which means obsoleting and hence removing these patches: binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff, binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff, binutils-add-z16-name.diff.
  Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033, jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031, jsc#SLE-25047]
- This fixes these CVEs relative to 2.37:
  [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648
  [bsc#1193929] aka PR28694 aka CVE-2021-45078
  [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195
  [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943
  [bsc#1202966] aka PR29289 aka CVE-2022-38126
  [bsc#1202967] aka PR29290 aka CVE-2022-38127
  [bsc#1202969] aka CVE-2021-3826
- add arm32-avoid-copyreloc.patch for PR16177 (bsc#1200962)
- Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533 [bsc#1202816]

==== dracut ====
Version update (057+suse.353.g6dab83eb -> 059+suse.360.g2e0ed5f7)
Subpackages: dracut-mkinitrd-deprecated

- Update to version 059+suse.360.g2e0ed5f7:
  * revert(multipath): install multipathd.socket (bsc#1207524)
- Update to version 059+suse.358.g8ecd6e83:
  See https://github.com/dracutdevs/dracut/releases/tag/058 for details (059 just adds missing entries in NEWS.md).
  Additional changes:
  * chore(suse): add execute permission to all scripts
  * chore(suse): update spec
- Update to version 057+suse.355.g1b722fda:
  * fix(dracut.spec): require libopenssl1_1-hmac for dracut-fips (bsc#1206439)

==== ell ====
Version update (0.55 -> 0.56)

- update to 0.56:
  * Add support for TLS session resume interfaces.

==== fetchmail ====
Subpackages: fetchmailconf

- disable opie support

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add ffmpeg-CVE-2022-3341.patch: Backport from upstream to fix null pointer dereference in decode_main_header() in libavformat/nutdec.c (bsc#1206778).

==== ffmpeg-5 ====
Subpackages: libavcodec59 libavdevice59 libavfilter8 libavformat59 libavutil57 libpostproc56 libswresample4 libswscale6

- Provide a ffmpeg-5-mini-devel build recipe to help split anticipated build cycles.
- Reenable SDL2 for ffmpeg-5.spec. ffplay and -vf sdl should be back. [boo#1206505]

==== gdm ====
Subpackages: gdm-schema gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0

- Update gdm-disable-gnome-initial-setup.patch: Refactoring to disable it on SLE runtime, so with the same executable it is still possible to run on Leap (jsc#PED-1719).

==== gdm-branding-openSUSE ====

- Bring back gnome-initial-setup for Leap 15.5 while keep it disabled on SLE 15 SP5 (jsc#PED-1719).

==== gedit ====
Version update (44.1 -> 44.2)
Subpackages: python3-gedit

- Update to version 44.2:
  + File Browser plugin: bug fix.
  + Updated translations.

==== glib2 ====
Version update (2.74.4 -> 2.74.5)
Subpackages: glib2-tools libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0

- Update to version 2.74.5:
  + Bugs fixed: glgo#GNOME/GLib#2843, glgo#GNOME/GLib#2881, glgo#GNOME/GLib#2883, glgo#GNOME/GLib!3165, glgo#GNOME/GLib!3166, glgo#GNOME/GLib!3182, glgo#GNOME/GLib!3197, glgo#GNOME/GLib!3204, glgo#GNOME/GLib!3214.
  + Updated translations.
- Drop 1539540.patch: Fixed upstream.


==== gnome-desktop ====
Version update (43 -> 43.1)
Subpackages: libgnome-desktop-3-20 libgnome-desktop-3_0-common libgnome-desktop-4-2 typelib-1_0-GnomeDesktop-3_0 typelib-1_0-GnomeDesktop-4_0

- Update to version 43.1:
  + Fix gnome_parse_locale returning NULL for the C locale
  + Use more sensible default keyboard for es_US
  + Delete failed thumbnail if successfully saving thumbnail
  + Skip territory if no translation available
  + Updated translations.

==== gnome-sudoku ====
Version update (43.0 -> 43.1)

- Update to version 43.1:
  + Revert "Fix redundant undo stack entries for earmarks".
  + Warnings when solution to puzzle is violated no longer consider earmarks.
  + Updated translations.

==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-hmac

- FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346]
  * Add gnutls-FIPS-140-3-references.patch
- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch

==== gpgme ====
Subpackages: libgpgme11 libgpgmepp6

- Update upstream keyring: https://gnupg.org/signature_key.asc
- add python311.patch to build language bindings for python 3.11

==== gpgmeqt ====
- Update upstream keyring: https://gnupg.org/signature_key.asc
- add python311.patch to build language bindings for python 3.11

==== hidapi ====
Version update (0.13.0 -> 0.13.1)

- update to 0.13.1:
  * hidraw: fix invalid read past the UDEV buffer

==== hylafax+ ====
Version update (7.0.6 -> 7.0.7)
Subpackages: hylafax+-client

- version 7.0.7
  * tiff_450.diff removed
  * constrain job priority to 0-255 (20 Jan 2023)
  * add support for libtiff v4.5.0 (4-5 Jan 2023)
  * add some Si2435 configuration considerations (27 Dec 2022, 20 Jan 2023)
  * if Class1RecvAbortOK is 0 then don't bother with the CAN byte at all (31 Oct 2022)
  * check that the modem isn't trying to deliver a message when we're trying to send binary data to it (16-17 Oct 2022)
  * prevent
    inherited values from creeping into subsequent xferfaxlog data (26 Aug 2022)
  * add external reference feature in dialrules (18 Aug 2022)

==== icewm ====
Version update (3.3.0 -> 3.3.1)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite

- Update to 3.3.1:
  * Fully support nanosvg as an alternative to librsvg.
  * Rolled up windows can now be moved vertically with icesh.
  * Fix multi-monitor when primary monitor is right-below of secondary.
  * Don't resize when a client adjusts its WM_NORMAL_HINTS increments.
  * Report the audio interface in the configure summary.
  * Consider that the keyboard may have been changed externally.
  * Increase the timeout for the dynamic menu generator to 2 seconds.
  * Don't reactivate a focused window when RaiseOnClick is guaranteed.
  * Let the winoption "ignorePositionHint" also ignore the USPosition.
  * Fix the "ignoreOverrideRedirect" winoption.
  * Let icesh also spy on RandR monitor configuration events.

==== kernel-source ====
Version update (6.1.7 -> 6.1.8)
Subpackages: kernel-64kb kernel-default

- Linux 6.1.8 (bsc#1012628).
- dma-buf: fix dma_buf_export init order v2 (bsc#1012628).
- btrfs: fix trace event name typo for FLUSH_DELAYED_REFS (bsc#1012628).
- wifi: iwlwifi: fw: skip PPAG for JF (bsc#1012628).
- pNFS/filelayout: Fix coalescing test for single DS (bsc#1012628).
- selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID (bsc#1012628).
- net: ethernet: marvell: octeontx2: Fix uninitialized variable warning (bsc#1012628).
- tools/virtio: initialize spinlocks in vring_test.c (bsc#1012628).
- vdpa/mlx5: Return error on vlan ctrl commands if not supported (bsc#1012628).
- vdpa/mlx5: Avoid using reslock in event_handler (bsc#1012628).
- vdpa/mlx5: Avoid overwriting CVQ iotlb (bsc#1012628).
- virtio_pci: modify ENOENT to EINVAL (bsc#1012628).
- vduse: Validate vq_num in vduse_validate_config() (bsc#1012628).
- vdpa_sim_net: should not drop the multicast/broadcast packet (bsc#1012628).
- net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats (bsc#1012628).
- r8169: move rtl_wol_enable_rx() and rtl_prepare_power_down() (bsc#1012628).
- r8169: fix dmar pte write access is not set error (bsc#1012628).
- bpf: keep a reference to the mm, in case the task is dead (bsc#1012628).
- RDMA/srp: Move large values to a new enum for gcc13 (bsc#1012628).
- selftests: net: fix cmsg_so_mark.sh test hang (bsc#1012628).
- btrfs: always report error in run_one_delayed_ref() (bsc#1012628).
- x86/asm: Fix an assembler warning with current binutils (bsc#1012628).
- f2fs: let's avoid panic if extent_tree is not created (bsc#1012628).
- perf/x86/rapl: Treat Tigerlake like Icelake (bsc#1012628).
- cifs: fix race in assemble_neg_contexts() (bsc#1012628).
- memblock tests: Fix compilation error (bsc#1012628).
- perf/x86/rapl: Add support for Intel Meteor Lake (bsc#1012628).
- perf/x86/rapl: Add support for Intel Emerald Rapids (bsc#1012628).
- of: fdt: Honor CONFIG_CMDLINE* even without /chosen node, take 2 (bsc#1012628).
- fbdev: omapfb: avoid stack overflow warning (bsc#1012628).
- Bluetooth: hci_sync: Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2 (bsc#1012628).
- Bluetooth: hci_qca: Fix driver shutdown on closed serdev (bsc#1012628).
- wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices (bsc#1012628).
- wifi: mac80211: fix MLO + AP_VLAN check (bsc#1012628).
- wifi: mac80211: reset multiple BSSID options in stop_ap() (bsc#1012628).
- wifi: mac80211: sdata can be NULL during AMPDU start (bsc#1012628).
- nommu: fix memory leak in do_mmap() error path (bsc#1012628).
- nommu: fix do_munmap() error path (bsc#1012628).
- nommu: fix split_vma() map_count error (bsc#1012628).
- proc: fix PIE proc-empty-vm, proc-pid-vm tests (bsc#1012628).
- Add exception protection processing for vd in axi_chan_handle_err function (bsc#1012628).
- LoongArch: Add HWCAP_LOONGARCH_CPUCFG to elf_hwcap (bsc#1012628).
- zonefs: Detect append writes at invalid locations (bsc#1012628).
- nilfs2: fix general protection fault in nilfs_btree_insert() (bsc#1012628).
- mm/shmem: restore SHMEM_HUGE_DENY precedence over MADV_COLLAPSE (bsc#1012628).
- hugetlb: unshare some PMDs when splitting VMAs (bsc#1012628).
- mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma (bsc#1012628).
- serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler (bsc#1012628).
- Revert "serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler" (bsc#1012628).
- xhci-pci: set the dma max_seg_size (bsc#1012628).
- usb: xhci: Check endpoint is valid before dereferencing it (bsc#1012628).
- xhci: Fix null pointer dereference when host dies (bsc#1012628).
- xhci: Add update_hub_device override for PCI xHCI hosts (bsc#1012628).
- xhci: Add a flag to disable USB3 lpm on a xhci root port level (bsc#1012628).
- usb: acpi: add helper to check port lpm capability using acpi _DSM (bsc#1012628).
- xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables (bsc#1012628).
- prlimit: do_prlimit needs to have a speculation check (bsc#1012628).
- USB: serial: option: add Quectel EM05-G (GR) modem (bsc#1012628).
- USB: serial: option: add Quectel EM05-G (CS) modem (bsc#1012628).
- USB: serial: option: add Quectel EM05-G (RS) modem (bsc#1012628).
- USB: serial: option: add Quectel EC200U modem (bsc#1012628).
- USB: serial: option: add Quectel EM05CN (SG) modem
... changelog too long, skipping 227 lines ...
- commit 2ebd33f

==== kpipewire ====
Subpackages: kpipewire-imports libKPipeWire5 libKPipeWireRecord5

- Require pipewire-devel for the -devel package

==== libgit2 ====
Version update (1.5.0 -> 1.5.1)

- update to 1.5.1:
  * This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default. boo#1207364
  * When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default.
    Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.

==== libheif ====
Subpackages: gdk-pixbuf-loader-libheif libheif1

- Add missing BuildRequires for SVT-AV1 support for Tumbleweed (only for x86_64)
- Disable dynamic plugin interface and build plugins statically instead (boo#1206945)

==== libpcap ====
Version update (1.10.1 -> 1.10.3)

- update to 1.10.3:
  * Sort the PUBHDR variable in Makefile.in in "ls" order.
  * Fix typo in comment in pflog.h.
  * Remove two no-longer-present files from .gitignore.
  * Update code and comments for handling failure to set promiscuous mode based on new information.
- update to 1.10.2:
  * Build system updates
  * Developer visible fixes
  * Fix some formatting string issues found by cppcheck
  * "Dead" pcap_ts from pcap_open_dead() and ..._with_tstamp_precision(): Don't crash if pcap_breakloop() is called.
  * Savefiles: multiple bug fixes handling files
  * Capture: Never process more than INT_MAX packets in a pcap_dispatch() call, to avoid integer overflow
  * Packet filtering: PFLOG bug fixes and improvements
  * Fix memory leak in capture device open
  * Fix detection of CAN/CAN FD packets in direction check
  * Fix double-free crashes on errors such as running on a kernel with CONFIG_PACKET_MMAP not configured
  * Multiple CANbus bug fixes
  * Fix pcap_findalldevs() to find usbmon devices
  * Fix handling of VLAN tagged packets if the link-layer type is changed from DLT_LINUX_SLL to DLT_LINUX_SLL2
  * Always turn on PACKET_AUXDATA
  * Correctly compute the "real" length for isochronous USB transfers

==== libraw ====
Version update (0.21.0 -> 0.21.1)

- update to 0.21.1:
  * fixed typo in panasonic metadata parser
  * Multiple fixes inspired by oss-fuzz project
  * Phase One/Leaf IIQ-S v2 support
  * Canon CR3 filmrolls
  * Canon CRM (movie) files
  * Tiled bit-packed (and 16-bit unpacked) DNGs
  * (non-standard) Deflate-compressed integer DNG files are allowed
  * Canon EOS R3, R7 and R10
  * Fujifilm X-H2S, X-T30 II
  * OM System OM-1
  * Leica M11
  * Sony A7-IV (ILCE-7M4)
  * DJI Mavic 3
  * Nikon Z9: standard compression formats only

==== libstorage-ng ====
Version update (4.5.64 -> 4.5.65)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Macedonian) (bsc#1149754)
- 4.5.65

==== liburing ====
Version update (2.2 -> 2.3)

- add 0001-test-helpers-fix-socket-length-type.patch fixes tests on big endian
- update to 2.3:
  * Support non-libc build for aarch64.
  * Add io_uring_{enter,enter2,register,setup} syscall functions.
  * Add sync cancel interface, io_uring_register_sync_cancel().
  * Fix return value of io_uring_submit_and_wait_timeout() to match the man page.
  * Improvements to the regression tests
  * Add support and test case for passthrough IO
  * Add recv and recvmsg multishot helpers and support
  * Add documentation and support for IORING_SETUP_DEFER_TASKRUN
  * Fix potential missing kernel entry with IORING_SETUP_IOPOLL
  * Add support and documentation for zero-copy network transmit
  * Various optimizations
  * Many cleanups
  * Many man page additions and updates
- drop handle-eintr.patch, test-xattr-don-t-rely-on-NUL-termination.patch: upstream

==== libvirt ====
Version update (8.10.0 -> 9.0.0)
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-qemu libvirt-libs

- Update to libvirt 9.0.0
  - jsc#PED-620
  - Many incremental improvements and bug fixes, see https://libvirt.org/news.html#v9-0-0-2023-01-16
- Added patches: ef482951-apparmor-Allow-umount-dev.patch, d6a8b9ee-qemu-Fix-managed-no-when-creating-ethdev.patch

==== live555 ====
Version update (2022.12.01 -> 2023.01.19)
Subpackages: libUsageEnvironment3 libgroupsock30 libliveMedia107

- update to 2023.01.19:
  - By default, we no longer compile "groupsock/NetAddress.cpp" for Windows to use "gethostbyname()", because of a report that this breaks IPv6 name resolution.
- update to 2023.01.11:
  * Updated the "BasicTaskScheduler"/"DelayQueue" implementation to make the 'token counter' a field of the task scheduler object, rather than having it be a static variable.
    This avoids potential problems if an application uses more than one thread (with each thread having its own task scheduler).

==== logrotate ====
Version update (3.20.1 -> 3.21.0)

- Update to 3.21.0:
  * add ignoreduplicates directive to allow duplicate file matches
  * add --wait-for-state-lock option to wait for lock on the state file
  * avoid failure when an anonymous non-privileged user runs logrotate
  * support home dir expansion in olddir
  * reduce unnecessary rename operations with start N where N > 1
  * unify handling of log levels
  * do not print error: when exit code is unaffected
- Replace the vendor config logic:
  * Remove logrotate-vendor-dir.patch and the code from logrotate.service (also addresses boo#1202406)
  * Add a wrapper script which collects all config files in the right order
- Create logrotate.keyring with kdudka's public key
- Drop logrotate-rpmlintrc: rpmlint doesn't look at /usr/etc/logrotate.d/, so the false positive doesn't trigger.

==== lsof ====
Version update (4.96.5 -> 4.97.0)

- update to 4.97.0:
  * Remove support because the os is no longer updated for more than 10 years
  * Remove support because the os is no longer updated for more than 20 years
  * Add experimental build system based on Autotools
  * Fixed LTsock testing on darwin
  * Remove NEW and OLD folders
  * Fix FreeBSD testcases
  * Rewrite documentation and publish at https://lsof.readthedocs.io/

==== microos-tools ====
Version update (2.17 -> 2.18)

- Update to version 2.18:
  - Add TMPDIR to tukit binddirs for Salt
  - 98selinux-microos: Add chroot as dependency
  - Fix spelling error in warning

==== miniupnpc ====
Version update (2.2.2 -> 2.2.4)

- update to 2.2.4:
  * upnpc: use of @ to replace local lan address
  * python module : Allow to specify the root description url
  * Change directory structure : include/ and src/ directories.
- drop makefile-deps-fix.patch (upstream)

==== multipath-tools ====
Version update (0.9.2+59+suse.ac8942d -> 0.9.4+68+suse.98559ea)
Subpackages: kpartx libmpath0

- Update to version 0.9.4+68+suse.98559ea:
  * libmultipath: bump ABI version to 18.0.0
  * libmultipath: pathinfo: don't fail for devices lacking INQUIRY properties (gh#opensvc/multipath-tools#56)
  * libmpathpersist: use conf->timeout for updating persistent reservations (gh#opensvc/multipath-tools#45)
  * libmultipath: is_path_valid(): check if device is in use (bsc#1203141) (added libmount dependency)
  * libmultipath: orphan paths if coalesce_paths frees newmp (bsc#1207546)
  * multipathd: handle no active paths in update_map_pr (bsc#1207546)
  * multipathd: make pr registration consistent (bsc#1207546)
  * libmultipath: don't leak memory on invalid strings (bsc#1207546)
  * multipath.conf(5): improve documentation of dev_loss_tmo (bsc#1207546)
  * libmpathpersist: fix command keyword ordering (bsc#1207546)
  * libmultipath: fix 'show paths format' failure
  * minor bugfixes
  * hwtable fixes
  * Build system rework
  * spec file: adapt make command line to changes in build system
  * spec file: use make -Orecurse (better readable output)
  * spec file: use verbose build

==== nano ====
Version update (7.1 -> 7.2)

- update to 7.2:
  * is prevented from pasting in view mode.

==== nautilus ====
Version update (43.1 -> 43.2)
Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension4

- Update to version 43.2:
  + Regressions addressed:
    - Launch search from shell correctly
    - Make nautilus-autorun-software work again
    - Restore 2-dimensional navigation from sushi
    - Resolve stuttering scrolling
    - Reintroduce 64px icon size for grid view
    - Show full filename again in grid, using tooltips
  + Other bugfixes:
    - Avoid many crashes
    - Stop showing � in the type on Properties
    - Show rename error dialogs again
    - Handle X11-only drag-and-drop quirks
    - Allow autorun.sh without executable bit
    - Improve selection-setting
    - Restrict DND actions over drag source
    - Focus replaces files
    - Improve keyboard focus navigation on the new views
    - Stop blocking on the tracker connection
    - Don't add missing emblems
  + Updated translations.

==== patterns-media ====
Subpackages: patterns-media-rest_cd_core patterns-media-rest_dvd

- Remove NIS utilities, they are deprecated and will be removed

==== postfix ====
- Fix SELinux labeling issue caused by /usr/sbin/config.postfix (bsc#1207227).

==== python-future ====
Version update (0.18.2 -> 0.18.3)

- update to 0.18.3:
  * Backport fix for bpo-38804 (c91d70b)
  * Fix bug in fix_print.py fixer (dffc579)
  * Fix bug in fix_raise.py fixer (3401099)
  * Fix newint bool in py3 (fe645ba)
  * Fix bug in super() with metaclasses (6e27aac)
  * docs: fix simple typo, reqest -> request (974eb1f)
  * Correct eq (c780bf5)
  * Pass if lint fails (2abe00d)
  * fix order (f96a219)
  * Add flake8 to image (046ff18)
  * Make lint.sh executable (58cc984)
  * Add docker push to optimize CI (01e8440)
  * Build System (42b3025)
  * Add docs build status badge to README.md (3f40bd7)
  * Use same docs requirements in tox (18ecc5a)
  * Add docs/requirements.txt (5f9893f)
  * Add PY37_PLUS, PY38_PLUS, and PY39_PLUS (bee0247)
  * fix 2.6 test, better comment (ddedcb9)
  * fix 2.6 test (3f1ff7e)
  * remove nan test (4dbded1)
  * include list test values (e3f1a12)
  * fix other python2 test issues (c051026)
  * fix missing subTest (f006cad)
  * import from old imp library on older python versions (fc84fa8)
  * replace fstrings with format for python 3.4,3.5 (4a687ea)
  * minor style/spelling fixes (8302d8c)
  * improve cmp function, add unittest (0d95a40)
  * Pin typing==3.7.4.1 for Python 3.3 compatibility (1a48f1b)
  * Fix various py26 unit test failures (9ca5a14)
  * Add initial contributing guide with docs build instruction (e55f915)
  * Add docs building to tox.ini (3ee9e7f)
  * Support NumPy's specialized int types in builtins.round (b4b54f0)
  * Added r""" to the docstring to avoid warnings in python3 (5f94572)
  * Add subclasscheck for past.types.basestring (c9bc0ff)
  * Correct example in README (681e78c)
  * Add simple documentation (6c6e3ae)
  * Add pre-commit hooks (a9c6a37)
  * Handling of next and next by future.utils.get_next was reversed (52b0ff9)
  * Add a test for our fix (461d77e)
  * Compare headers to correct definition of str (3eaa8fd)
  * Add support for negative ndigits in round; additionally, fixing a bug so that it handles passing in Decimal properly (a4911b9)
  * Add tkFileDialog to
    future.movers.tkinter (f6a6549)
  * Sort before comparing dicts in TestChainMap (6126997)
  * Fix typo (4dfa099)
  * Fix formatting in "What's new" (1663dfa)
  * Fix typo (4236061)
  * Avoid DeprecationWarning caused by invalid escape (e4b7fa1)
  * Fixup broken link to external django documentation re: porting to Python 3 and unicode_literals (d87713e)
  * Fixed newdict checking version every time (99030ec)
  * Add count from 2.7 to 2.6 (1b8ef51)
- drop CVE-2022-40899.patch (upstream)

==== python-libvirt-python ====
Version update (8.10.0 -> 9.0.0)

- Update to 9.0.0
  - Add all new APIs and constants in libvirt 9.0.0
  - jsc#PED-620

==== python-numpy ====
- Slightly reformat the specfile condition blocks: The %python_subpackages generator misses " %if" lines with a preceding whitespace. Relevant for d:l:p:backports not having libalternatives.

==== python-pbr ====
Version update (5.11.0 -> 5.11.1)

- update to 5.11.1:
  * Run PBR integration on Ubuntu Focal too
  * Remove numpy dependencies
  * Tie recursion calls to Dist object, not module
  * Update tox.ini to work with tox 4

==== python-requests ====
Version update (2.28.1 -> 2.28.2)

- update to 2.28.2:
  - Requests now supports charset_normalizer 3.x.
  - Updated MissingSchema exception to suggest https scheme rather than http.
- drop requests-allow-charset-normalizer-3.patch (upstream)

==== python-urllib3 ====
Version update (1.26.13 -> 1.26.14)

- update to 1.26.14:
  * Fixed parsing of port 0 (zero) returning None, instead of 0.
  * Removed deprecated getheaders() calls in contrib module.

==== rubygem-rack-2.2 ====
Version update (2.2.4 -> 2.2.6.2)

- updated to version 2.2.6.2
  [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
  [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
  [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
  See installed CHANGELOG.md for more changes

==== rubygem-rack ====
Version update (3.0.2 -> 3.0.4.1)

updated to version 3.0.4.1
  [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
  [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
  [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
  For more detailed information see the installed CHANGELOG.md

==== samba ====
Version update (4.17.4+git.303.89e23854eb7 -> 4.17.4+git.314.7b07e3c51a6)
Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-client samba-client-libs samba-gpupdate samba-ldb-ldap samba-libs samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs

- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. Additionally no need for it to be removed conditionally.
- Clean up logic for PAM migration settings in spec file.

==== scout ====
Version update (0.2.6+20211130.022a45c -> 0.2.7+20230124.b4e3468)
Subpackages: scout-command-not-found

- Update to version 0.2.7+20230124.b4e3468:
  * Bump version to v0.2.7
  * allow multiple baseurls in repo file
  * remove deprecated class
  * Translated using Weblate (Macedonian, German, Ukrainian)

==== sendmail ====
Subpackages: libmilter1_0

- Fix source URLs: ftp.sendmail.com was restructured and the pub/sendmail directory is now the root directory.
- Switch over to https URLs
- Fix wrong "without sysvinit", don't require sysvinit in that case

==== soundtouch ====
Version update (2.3.1 -> 2.3.2)

- update to 2.3.2:
  * autotools improvements

==== squid ====
- Disable NIS auth module (NIS is deprecated and is currently being removed)

==== sudo ====
Version update (1.9.12p1 -> 1.9.12p2)
Subpackages: sudo-plugin-python

- Update to 1.9.12p2:
  * Fixes bsc#1207082
  * Changes in 1.9.12p2:
    Fixed a compilation error on Linux/aarch64. GitHub issue #197.
    Fixed a potential crash introduced in the fix for GitHub issue #134. If a user’s sudoers entry did not have any RunAs users set, running sudo -U otheruser -l would dereference a NULL pointer.
    Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating I/O files when the iolog_file sudoers setting contains six or more Xs.
    Fixed a compilation issue on AIX with the native compiler. GitHub issue #231.
    Fixed CVE-2023-22809, a flaw in sudo’s -e option (aka sudoedit) that could allow a malicious user with sudoedit privileges to edit arbitrary files. For more information, see Sudoedit can edit arbitrary files.

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-container systemd-devel udev

- Drop 1000-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
  It's no longer necessary since util-linux 2.38 has been released in Factory.
- Make sure we apply the presets on units shipped by systemd package

==== thunar ====
Subpackages: libthunarx-3-0 thunar-lang

- Add switch_pane_shortcut.patch
  Backport upstream fix for gxo#xfce/thunar#1005
- Add differentiate_zoom_levels_between_view_modes.patch
  Backport upstream fix for gxo#xfce/thunar#832

==== transactional-update ====
Version update (4.1.0 -> 4.1.2)
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd

- Version 4.1.2
  - Don't try to mount user mounts if they don't exist [boo#1207366]
- Version 4.1.1
  - Mount user specific binddirs last: Previously the internal mounts would potentially overwrite user bind mounts [boo#1205011]
  - selinux: Relabel shadowed /var files during update to make sure they don't interfere with the update [boo#1205937]
  - Clean up /var/lib/overlay more aggressively [boo#1206947]
  - tukit: Merge /etc overlay into parent if --discard is used together with --continue - previously the files were incorrectly always merged with the currently running system
  - status: do not execute the status command if experimental
  - Don't delete created mount point dirs any more
  - Small code optimizations

==== urlview ====
- Update to latest URL

==== vim ====
Version update (9.0.1188 -> 9.0.1234)
Subpackages: gvim vim-data vim-data-common

- Updated to version 9.0.1234, fixes the following problems
  * Return value of type() for class and object unclear.
  * Invalid memory access with folding and using "L".
  * Some Bazel files are not recognized.
  * No error when class function argument shadows a member.
  * Cannot map when using the Kitty key protocol.
  * Compiler warning for comparing pointer with int.
  * Restoring KeyTyped when building statusline not tested.
  * Code is indented more than necessary.
  * Dump file missing from patch.
  * Abstract class not supported yet.
  * Crash when using kitty and using a mapping with .
  * AppVeyor builds with an old Python version.
  * Assignment with operator doesn't work in object method.
  * Crash when iterating over list of objects.
  * Return type of values() is always list.
  * Expression compiled the wrong way after using an object.
  * Crash when handling class that extends another class with more than one object members.
  * Testing with Python on AppVeyor does not work properly.
  * Error when object type is expected but getting "any".
  * Code is indented more than necessary.
  * Getting interface member does not always work.
  * Compiler complains about declaration after label.
  * Storing value in interface member does not always work.
  * Cannot read back what setcellwidths() has done.
  * Adding a line below the last one does not expand fold.
  * File left behind after running tests.
  * Using isalpha() adds dependency on current locale.
  * Coverity warns for ignoring return value.
  * Using an object member in a closure doesn't work.
  * Completion includes functions that don't work.
  * Handling of FORTIFY_SOURCE flags doesn't match Fedora usage.
  * Termcap/terminfo entries do not indicate where modifiers might appear.
  * Code is indented more than necessary.
  * Cannot use setcellwidths() below 0x100.
  * Cannot call a :def function with a number for a float argument.
  * Reading past the end of a line when formatting text.

==== vte ====
Subpackages: libvte-2_91-0 typelib-1_0-Vte-2_91

- Add ddb2c8a.patch: widget: Use correct end row for getting the selected text. The range is end-exclusive, so use end_row() instead of last_row().
  Fixes glgo#GNOME/vte#2584

==== wicked ====
Version update (0.6.71 -> 0.6.72)
Subpackages: wicked-service

- version 0.6.72
  - nbft: introduced new wicked-nbft sub-package to setup network interfaces using NBFT firmware configuration according to the NVM Express Boot Specification 1.0 (jsc#PED-3132)
  - client: add `wicked firmware extensions|interfaces|enable|disable` command to improve `ibft`,`nbft`,`redfish` firmware extension and interface handling (jsc#PED-3132)
  - client: improve error handling in netif firmware discovery extension execution
  - appconfig: improved to handle extension definition overrides in the wicked-config
  - nanny: fix use-after-free in debug mode (bsc#1206447)
  - spec: replace transitional `%usrmerged` macro with regular version check (boo#1206798)
  - client: improve to show `no-carrier` in ifstatus output
  - linux: cleanup inclusions and update uapi header to 6.0
  - ethtool: link mode nwords cleanup and new advertise link mode map names

==== xf86-video-qxl ====
Version update (0.1.5 -> 0.1.6)

- Update to version 0.1.6
  * This release flushes out the last [checks calendar] ~6 years of patches that have been sitting on the master branch. Please see the git shortlog below for details.
- supersedes the following patches
  * Xspice-python3.patch
  * n_disable-surfaces-on-kms.patch
  * n_hardcode_libdrm_cflags.patch
  * u_fix-build-against-xserver-21_1.patch

==== xfce4-notifyd ====
Version update (0.7.1 -> 0.7.2)
Subpackages: xfce4-notifyd-lang

- Update to 0.7.2:
  * Fix sound proplist memleak when notification isn't shown
  * Improve sorting in known apps list of settings
  * Add extra margin in the known app settings
  * Fix word casing in known app settings
  * Add ability to exclude specific applications from log
  * Better, non-quadratic algo for xfce_notify_count_apps_in_log()
  * Plug memleak in notify_get_from_desktop_file()
  * Redesign the known apps panel a bit
  * Remove a few more GTK_CHECK_VERSION call sites
  * Avoid use-after-free when deleting known app
  * Improve algo for finding desktop file for known app name
  * Improve icon loading for known apps list
  * Don't set invalid icon name in known apps list
  * Translation Updates

==== xorg-x11-server ====
Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra xorg-x11-server-sdk

- rename u_xorg-server-oob-read-enqueue-event.patch to U_xorg-server-oob-read-enqueue-event.patch since it's already upstream
- Add u_xorg-server-oob-read-enqueue-event.patch: fix an out-of-bounds read in EnqueueEvent.

==== yast2-installation ====
Version update (4.5.13 -> 4.5.15)

- Connect only NBFT when linuxrc sets UseNBFT (jsc#PED-967)
- 4.5.15
- Discover and connect to all NVMe-over-Fabrics subsystems in case that linuxrc sets UseNBFT (jsc#PED-967).
- 4.5.14

==== yast2-network ====
Version update (4.5.12 -> 4.5.15)

- During installation, do not configure DHCP if there is some active interface configured by firmware (jsc#PED-967).
- 4.5.15
- Fix the return of packages needed by the selected backend when running an autoinstallation (bsc#1207221)
- 4.5.14
- Fixed dirname evaluation when creating the directory for the configuration files to be copied to the target system (bsc#1206723, bsc#1207382)
- 4.5.13

==== yast2-ntp-client ====
Version update (4.5.2 -> 4.5.3)

- bsc#1188980
  - ntp dialog allows to manually set ntp source
  - ntp source can be selected as pool or server
  - ntp sources are written into /etc/chrony.d/pools.conf
- 4.5.3

==== yast2-trans ====
Version update (84.87.20230116.80083546af -> 84.87.20230123.08c503a922)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu

- Update to version 84.87.20230123.08c503a922:
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Portuguese)
  * Translated using Weblate (Portuguese)
  * Translated using Weblate (Portuguese)
  * Translated using Weblate (Portuguese)

==== zeromq ====
Subpackages: libzmq5 zeromq-tools

- qemu-user.patch: Fix build with qemu linux-user emulation