Packages changed:
  389-ds (2.4.0~git113.84a845c -> 2.4.0~git126.5936946)
  7zip
  Mesa (23.3.3 -> 23.3.4)
  Mesa-drivers (23.3.3 -> 23.3.4)
  MozillaFirefox (121.0.1 -> 122.0)
  btrfsprogs (6.6.2 -> 6.7)
  ceph
  corosync
  gcc13 (13.2.1+git8205 -> 13.2.1+git8250)
  gpg2 (2.4.3 -> 2.4.4)
  grub2
  gstreamer-plugins-bad
  inih (57 -> 58)
  kernel-source
  lftp
  libmaxminddb (1.8.0 -> 1.9.1)
  libqmi
  libsolv (0.7.27 -> 0.7.28)
  libstorage-ng (4.5.175 -> 4.5.176)
  libvirt
  man
  mozilla-nss (3.95 -> 3.96.1)
  mutter
  nvidia-open-driver-G06-signed
  openssl-1_1
  perl-Bootloader (1.10 -> 1.11)
  postfix (3.8.4 -> 3.8.5)
  publicsuffix (20240107 -> 20240123)
  python-lxml
  raspberrypi-firmware-dt
  ruby (3.2 -> 3.3)
  ruby3.2
  rubygem-gem2rpm
  spice-gtk
  thin-provisioning-tools (1.0.9 -> 1.0.10)
  tiff
  transactional-update
  virt-manager
  webkit2gtk3
  webkit2gtk3-soup2
  yast2 (5.0.3 -> 5.0.4)
  yast2-bootloader (5.0.2 -> 5.0.4)
  yast2-installation (5.0.3 -> 5.0.4)
  zbar

=== Details ===

==== 389-ds ====
Version update (2.4.0~git113.84a845c -> 2.4.0~git126.5936946)
Subpackages: lib389 libsvrcore0

- Update to version 2.4.0~git126.5936946:
  * Issue 6028 - vlv index keys inconsistencies (#6031)
  * Issue 5989 - RFE support of inChain Matching Rule (#5990)
  * Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026)
  * Issue 6015 - Fix typo remeber (#6014)
  * Issue 6016 - Pin upload/download artifacts action to v3
  * Issue 5939 - During an update, if the target entry is reverted in the
    entry cache, the server should not retry to lock it (#6007)
  * Issue 4673 - Update Rust crates
  * Issue 6004 - idletimeout may be ignored (#6005)
  * Issue 5954 - Disable Transparent Huge Pages
  * Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999)
  * Issue 5993 - Fix several race condition around CI tests (#5996)
  * Issue 5944 - Reversion of the entry cache should be limited to BETXN
    plugin failures (#5994)
  * Bump openssl from 0.10.55 to 0.10.60 in /src (#5995)

==== 7zip ====

- Fix build on SLE-15-SP6
  * fix-avx-sle.patch

==== Mesa ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libOSMesa8 libgbm1

- Update to bugfix release 23.3.4
- -> https://docs.mesa3d.org/relnotes/23.3.4.html

==== Mesa-drivers ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- Update to bugfix release 23.3.4
- -> https://docs.mesa3d.org/relnotes/23.3.4.html

==== MozillaFirefox ====
Version update (121.0.1 -> 122.0)

- Mozilla Firefox 122.0
  https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
  MFSA 2024-01 (bsc#1218955)
  * CVE-2024-0741 (bmo#1864587) Out of bounds write in ANGLE
  * CVE-2024-0742 (bmo#1867152) Failure to update user input timestamp
  * CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method
  * CVE-2024-0744 (bmo#1871089) Wild pointer dereference in JavaScript
  * CVE-2024-0745 (bmo#1871838) Stack buffer overflow in WebAudio
  * CVE-2024-0746 (bmo#1660223) Crash when listing printers on Linux
  * CVE-2024-0747 (bmo#1764343) Bypass of Content Security Policy when
    directive unsafe-inline was set
  * CVE-2024-0748 (bmo#1783504) Compromised content process could modify
    document URI
  * CVE-2024-0749 (bmo#1813463) Phishing site popup could show local origin
    in address bar
  * CVE-2024-0750 (bmo#1863083) Potential permissions request bypass via
    clickjacking
  * CVE-2024-0751 (bmo#1865689) Privilege escalation through devtools
  * CVE-2024-0752 (bmo#1866840) Use-after-free could occur when applying
    update on macOS
  * CVE-2024-0753 (bmo#1870262) HSTS policy on subdomain could bypass policy
    of upper domain
  * CVE-2024-0754 (bmo#1871605) Crash when using some WASM files in devtools
  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) Memory safety bugs
    fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7
- requires NSS 3.96.1
- rebased patches

==== btrfsprogs ====
Version update (6.6.2 -> 6.7)
Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1

- update to 6.7
  * mkfs: make 4k sectorsize default, recommended minimum kernel
    for that is 6.1 and requires subpage support on architectures with
    page size > 4k
  * subvolume create: return correct error code when a target already exists
  * tree-checker: dump tree block on error (btrfs-convert, ...)
  * scrub limit: fix reporting of a limit set while there's none
  * fi usage: fix reporting of unallocated data or raid56 profile without
    root privs due to lack of that information
  * convert:
    * align data block group lengths to 64K
    * fix conversion of a large filesystem when there are partial inode
      items present due to caching
  * other:
    * build fixes
    * updated documentation
    * new and updated tests
- update to 6.6.3
  * subvol create: accept multiple arguments
  * subvol delete: print the subvolume id in the output
  * subvol sync: check if the filesystem is still writeable so it does
    not wait indefinitely
  * device delete: add a timeout and warning when deleting multiple devices
  * scrub status: report limit if set in sysfs/../scrub_speed_max
  * scrub limit: new command to show or set the per-device scrub limits
  * scrub start: report the limit if set
  * build:
    * fix CPU feature detection on aarch64
    * support Botan and OpenSSL (3.2+) as crypto backends
  * other:
    * documentation updates, RTD config update
    * new and updated tests
    * CI updates

==== ceph ====
Subpackages: librados2 librbd1

- Advertised user/groups that are generated by the pre scripts:
  * package cephadm generates user/group cephadm
  * package ceph-common generates user/group ceph

==== corosync ====
Subpackages: libcfg6 libcmap4 libcorosync_common4 libcpg4 libquorum5

- Provide user(coroqnetd) and group(coroqnetd) in the -qnetd package:
  user and group are generated by the pre script.

==== gcc13 ====
Version update (13.2.1+git8205 -> 13.2.1+git8250)
Subpackages: cpp13 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-locale libstdc++6-pp libtsan2 libubsan1

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers. [boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than in
  gcc13-devel. [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked
  against libstdc++6.

==== gpg2 ====
Version update (2.4.3 -> 2.4.4)
Subpackages: dirmngr

- Update to 2.4.4: [bsc#1219191]
  * gpg: Do not keep an unprotected smartcard backup key on disk. See
    https://gnupg.org/blog/20240125-smartcard-backup-key.html for a
    security advisory. [T6944]
  * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
    platforms. [T6736]
  * gpg: Fix expiration time when Creation-Date is specified. [T5252]
  * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
  * gpg: Add option --with-v5-fingerprint. [T6705]
  * gpg: Add sub-option ignore-attributes to --import-options.
  * gpg: Add --list-filter properties sig_expires/sig_expires_d.
  * gpg: Fix validity of re-imported keys. [T6399]
  * gpg: Report BEGIN_ status before examining the input. [T6481]
  * gpg: Don't try to compress a read-only keybox. [T6811]
  * gpg: Choose key from inserted card over a non-inserted card. [T6831]
  * gpg: Allow to create revocations even with non-compliant algos. [T6929]
  * gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
  * gpg: Improve error message for expired default keys. [T4704]
  * gpgsm: Add --always-trust feature. [T6559]
  * gpgsm: Support ECC certificates in de-vs mode. [T6802]
  * gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
  * gpgsm: Do not show the pkcs#12 passphrase in debug output.
    [T6654]
  * keyboxd: Timeout on failure to get the database lock. [T6838]
  * agent: Update the key stubs only if really modified. [T6829]
  * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
  * scd: Add support for CardOS 5.4 cards. [rG812f988059]
  * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
  * scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
  * scd: Add a length check for a new PIN. [T6843]
  * tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
  * tpm: Fixes for the TPM test suite. [T6052]
  * dirmngr: New option --ignore-crl-extensions. [T6545]
  * dirmngr: Support config value "none" to disable the default
    keyserver. [T6708]
  * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
  * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
  * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
  * gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
    commands. [rG2c7f7a5a278c]
  * wkd: Make --add-revocs the default in gpg-wks-client. New option
    --no-add-revocs. [rG10c937ee68]
  * Remove duplicated backslashes when setting the homedir. [T6833]
  * Ignore attempts to remove the /dev/null device. [T6556]
  * Improve advisory file lock retry strategy.
    [T3380]
  * Release-info: https://dev.gnupg.org/T6578
  * Remove patch upstream:
    - gnupg-Report-BEGIN_-status-before-examining-the-input.patch

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin grub2-systemd-sleep-plugin

- Reinstate the verification for a non-zero total entry count to skip
  unmapped data blocks (bsc#1218864)
  * 0001-fs-xfs-always-verify-the-total-number-of-entries-is-.patch
- Removed temporary fix as reverting it will cause a different XFS parser bug
  * 0001-Revert-fs-xfs-Fix-XFS-directory-extent-parsing.patch

==== gstreamer-plugins-bad ====
Subpackages: libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Disable zxing in Leap15
  * Leap 15 can not provide zxing >= 1.4.0, zxing is inherited from SLE15
    but SLE15 does provide zxing version 1.2.0 only, Factory does have
    zxing-cpp 2.0.0 however it's not an API compatible version.

==== inih ====
Version update (57 -> 58)

- Update to version 58
  * Add ini_ prefix even to static names so inih can be used as an
    [#]include.

==== kernel-source ====

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681
- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3
- futex: Prevent the reuse of stale pi_state (bsc#1218841).
  Update upstream status (Queued in subsystem maintainer repository).
- commit a3ee207
- Refresh
  patches.rpmify/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch.
  Update upstream status.
- commit 589bdfa
- Update config files, enable CONFIG_IMA_DISABLE_HTABLE in all archs for
  Tumbleweed as SLE15-SP6 kernel does (bsc#1218400).
- commit 020caa6

==== lftp ====

- Apply "0001-lftp_ssl-deinitialize-the-lftp_ssl_openssl_instance.patch"
  to fix a crash that occurred when lftp is run on s390x with an IBM
  crypto card installed. The issue has been reported to upstream at
  https://github.com/lavv17/lftp/issues/716. [bsc#1213984]

==== libmaxminddb ====
Version update (1.8.0 -> 1.9.1)

- libmaxminddb 1.9.1:
  * On very large databases, the calculation to determine the search tree
    size could overflow.
    This was fixed and several additional guards against overflows were
    added
  * build system tweaks

==== libqmi ====
Subpackages: libqmi-glib5 libqmi-tools

- Add patch:
  * 0001-message-fix-16bit-service-on-big-endian.patch
  - Fixes 16-bit service indications on big endian architectures.
    Cherry-picked from upstream qmi-1-34 branch

==== libsolv ====
Version update (0.7.27 -> 0.7.28)
Subpackages: libsolv-tools ruby-solv

- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28

==== libstorage-ng ====
Version update (4.5.175 -> 4.5.176)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Swedish) (bsc#1149754)
- 4.5.176

==== libvirt ====
Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-qemu libvirt-libs

- Replace temporary build fix with upstream equivalent bsc#1218823

==== man ====

- Skip posttrans dependency on systemd to support container without
  systemd (boo#1215538)
- Use %(trans)filetriggerin and %(trans)filetriggerpostun to get an
  uptodate man database for installed manual pages

==== mozilla-nss ====
Version update (3.95 -> 3.96.1)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools

- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify
    cleanups)
  * bmo#1867408 - add a defensive
    check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI

==== mutter ====

- Rebase mutter-disable-cvt-s390x.patch for mutter 45.x.

==== nvidia-open-driver-G06-signed ====

- split up 61-nvidia-$flavor.conf to 59-nvidia-$flavor.conf and
  61-nvidia-$flavor.conf, because 'install' line cannot be overwritten
  with higher config number ...
- mistakenly moved dracut config file from 60-nvidia-%1.conf to
  61-nvidia-%1.conf --> reverted!
- switched from 60-nvidia-$flavor.conf to 61-nvidia-$flavor.conf in
  modprobe.d to resolve conflict with older package, which can be
  installed in parallel

==== openssl-1_1 ====
Subpackages: libopenssl1_1

- Because OpenSSL 1.1.1 is no longer default, let's rename engine
  directories to contain version of OpenSSL and let unversioned for the
  default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933]
  * /etc/ssl/engines.d -> /etc/ssl/engines1_1.d
  * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d
  * Update patches:
    - openssl-1_1-ossl-sli-002-ran-make-update.patch
    - openssl-1_1-use-include-directive.patch

==== perl-Bootloader ====
Version update (1.10 -> 1.11)

- merge gh#openSUSE/perl-bootloader#162
- handle script exit codes properly (bsc#1218847)
- 1.11

==== postfix ====
Version update (3.8.4 -> 3.8.5)

- update to 3.8.5
  * Security: this release improves support to defend against an email
    spoofing attack (SMTP smuggling) on recipients at a Postfix server.
    For background, see https://www.postfix.org/smtp-smuggling.html.

==== publicsuffix ====
Version update (20240107 -> 20240123)

- Update to version 20240123:
  * util: gTLD data autopull updates for 2024-01-23T15:14:10 UTC (#1921)

==== python-lxml ====

- Fix build error for Leap. Use build and test as described on upstream.

==== raspberrypi-firmware-dt ====

- Extend "ARM: dts: bcm27xx: Use better name for spidev" patch coverage.
  Change compatible "spidev" to "rohm,dh2228fv" in overlay files too.
  Fixes bsc#1219094.

==== ruby ====
Version update (3.2 -> 3.3)

- switch the default ruby to 3.3

==== ruby3.2 ====
Subpackages: libruby3_2-3_2

- Omit test_session_reuse_but_expire if OpenSSL 3.2.0
  Add Omit-test_session_reuse_but_expire-if-OpenSSL-3.2.0.patch

==== rubygem-gem2rpm ====

- Update the ruby ABI version in the 3.3.0 paths to the final string.
- enable building for ruby 3.3

==== spice-gtk ====
Subpackages: libspice-client-glib-2_0-8 libspice-client-glib-helper libspice-client-gtk-3_0-5 typelib-1_0-SpiceClientGlib-2_0 typelib-1_0-SpiceClientGtk-3_0

- Use libphotodav-3.0 on SLE/Leap 15.6+ (boo#1219083).

==== thin-provisioning-tools ====
Version update (1.0.9 -> 1.0.10)

- Update to version 1.0.10:
  * Bump version to 1.0.10
  * [build] Update dependencies
  * [all] Fix clippy lints and typos
  * [space_map] Allow non-zero values in unused index block entries
  * [thin_repair] Fix child keys checking on the node with a zero key
  * [thin_check] Tweak the logs to avoid confusion with node errors
  * [thin_check] Support overriding the details tree root
  * [tests] Update expected help text for _pack and _unpack
  * [all] Fix clippy lints on optional targets
  * [build] Simplify the pre-commit hooks by checking all the targets at once
  * [thin_metadata_unpack] Allow long format for input and output
  * [space map] Fix incorrect index_entry.nr_free while expansion
  * thin_metadata_pack: Allow long format for input and output

==== tiff ====

- security update:
  * CVE-2023-52356 [bsc#1219213] Fix segfault in TIFFReadRGBATileExt()
    + tiff-CVE-2023-52356.patch

==== transactional-update ====
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd

- Use "up" instead of "dup" by default on ALP [bsc#1218861]

==== virt-manager ====
Subpackages: virt-install virt-manager-common

- Upstream bug fixes (bsc#1027942) (jsc#PED-6305)
  058-uri-Mock-domcaps-returning-NO_SUPPORT.patch
  059-tests-cli-Adjust-hotplug-test-for-latest-libvirt.patch
  060-Fix-some-pylint.patch
  061-tests-ui-make-newvm-test-start-less-flakey.patch
  062-tests-ui-make-creatnet-test-start-less-flakey.patch
- Cleanup now working or non-existent %check tests

==== webkit2gtk3 ====
Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue
  (bsc#1219113 CVE-2024-23222).

==== webkit2gtk3-soup2 ====
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles

- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue
  (bsc#1219113 CVE-2024-23222).

==== yast2 ====
Version update (5.0.3 -> 5.0.4)
Subpackages: yast2-logs

- Reading Kernel Params: Use kernel cmdline when install.inf is not
  available (bsc#1216408)
- 5.0.4

==== yast2-bootloader ====
Version update (5.0.2 -> 5.0.4)

- Persist s390 cio_ignore kernel argument always when given (bsc#1210525).
- 5.0.4
- Do not try finding undefined bootloader name to avoid error in logs
  (bsc#1218700)
- 5.0.3

==== yast2-installation ====
Version update (5.0.3 -> 5.0.4)

- Keep cio_ignore kernel argument when present in the parmfile or use the
  cio_ignore -k output if not and write it always even in zVM and KVM
  (bsc#1210525).
- 5.0.4

==== zbar ====

- Fix building for Leap