Packages changed: Mesa (23.3.3 -> 23.3.4) Mesa-drivers (23.3.3 -> 23.3.4) MozillaFirefox (121.0.1 -> 122.0) aardvark-dns (1.9.0 -> 1.10.0) btrfsprogs (6.6.2 -> 6.7) cockpit containerd gcc13 (13.2.1+git8205 -> 13.2.1+git8250) gpg2 (2.4.3 -> 2.4.4) inih (57 -> 58) kernel-source libmaxminddb (1.8.0 -> 1.9.1) libqmi libsolv (0.7.27 -> 0.7.28) man perl-Bootloader (1.10 -> 1.11) postfix (3.8.4 -> 3.8.5) publicsuffix (20240107 -> 20240123) tiff transactional-update webkit2gtk3 webkit2gtk4 yast2-installation (5.0.3 -> 5.0.4) zbar === Details === ==== Mesa ==== Version update (23.3.3 -> 23.3.4) Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1 - Update to bugfix release 23.3.4 - -> https://docs.mesa3d.org/relnotes/23.3.4.html ==== Mesa-drivers ==== Version update (23.3.3 -> 23.3.4) Subpackages: Mesa-dri Mesa-gallium Mesa-libva - Update to bugfix release 23.3.4 - -> https://docs.mesa3d.org/relnotes/23.3.4.html ==== MozillaFirefox ==== Version update (121.0.1 -> 122.0) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 122.0 https://www.mozilla.org/en-US/firefox/122.0/releasenotes/ MFSA 2024-01 (bsc#1218955) * CVE-2024-0741 (bmo#1864587) Out of bounds write in ANGLE * CVE-2024-0742 (bmo#1867152) Failure to update user input timestamp * CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method * CVE-2024-0744 (bmo#1871089) Wild pointer dereference in JavaScript * CVE-2024-0745 (bmo#1871838) Stack buffer overflow in WebAudio * CVE-2024-0746 (bmo#1660223) Crash when listing printers on Linux * CVE-2024-0747 (bmo#1764343) Bypass of Content Security Policy when directive unsafe-inline was set * CVE-2024-0748 (bmo#1783504) Compromised content process could modify document URI * CVE-2024-0749 (bmo#1813463) Phishing site popup could show local origin in address bar * CVE-2024-0750 (bmo#1863083) Potential permissions request bypass via clickjacking * CVE-2024-0751 (bmo#1865689) Privilege escalation through devtools * CVE-2024-0752 (bmo#1866840) Use-after-free could occur when applying update on macOS * CVE-2024-0753 (bmo#1870262) HSTS policy on subdomain could bypass policy of upper domain * CVE-2024-0754 (bmo#1871605) Crash when using some WASM files in devtools * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 - requires NSS 3.96.1 - rebased patches ==== aardvark-dns ==== Version update (1.9.0 -> 1.10.0) - Update to version 1.10.0: * Release 1.10.0 * Release notes for 1.10.0 * chore(deps): update rust crate chrono to 0.4.32 * chore(deps): update dependency containers/automation_images to v20240102 * fix(deps): update rust crate futures-util to 0.3.30 * fix(deps): update rust crate anyhow to 1.0.79 * fix(deps): update rust crate tokio to 1.35.1 * chore(deps): update dependency containers/automation_images to v20231208 * fix(deps): update rust crate tokio to 1.35.0 * fix duplicated IP CI flake * server: remove unused kill switch * fix(deps): update rust crate clap to ~4.4.10 * Bump working version to v1.10.0-dev ==== btrfsprogs ==== Version update (6.6.2 -> 6.7) Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1 - update to 6.7 * mkfs: make 4k sectorsize default, recommended minimum kernel for that is 6.1 and requires subpage support on architectures with page size > 4k * subvolume create: return correct error code when a target already exists * tree-checker: dump tree block on error (btrfs-convert, ...) * scrub limit: fix reporting of a limit set while there's none * fi usage: fix reporting of unallocated data or raid56 profile without root privs due to lack of that information * convert: * align data block group lengths to 64K * fix conversion of a large filesystem when there are partial inode items present due to caching * other: * build fixes * updated documentation * new and updated tests - update to 6.6.3 * subvol create: accept multiple arguments * subvol delete: print the subvolume id in the output * subvol sync: check if the filesystems is still writeable so it does not wait indefinitely * device delete: add a timeout and warning when deleting multiple devices * scrub status: report limit if set in sysfs/../scrub_speed_max * scrub limit: new command to show or set the per-device scrub limits * scrub start: report the limit if set * build: * fix CPU feature detection on aarch64 * support Botan and OpenSSL (3.2+) as crypto backends * other: * documentation updates, RTD config update * new and updated tests * CI updates ==== cockpit ==== Subpackages: cockpit-bridge cockpit-packagekit cockpit-system - suse_docs.patch: replace with suse docs and move docs with out eqiv to docs-rh (bsc#1219088) - hide-docs.patch: obsolete by above, removed - Provide users/groups cockpit-wsinstance and cockpit-ws: they are generated by cockpit-ws %pre script. - hide-docs.patch: hide RHEL docs in shell/manifest.json ==== containerd ==== - Enable manpage generation - Make devel package noarch - adjust rpmlint filters ==== gcc13 ==== Version update (13.2.1+git8205 -> 13.2.1+git8250) Subpackages: cpp13 libatomic1 libgcc_s1 libgfortran5 libgomp1 libobjc4 libquadmath0 libstdc++6 libstdc++6-locale libstdc++6-pp libubsan1 - Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250 * Includes fix for building TVM. [boo#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [boo#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [boo#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. ==== gpg2 ==== Version update (2.4.3 -> 2.4.4) Subpackages: dirmngr gpg2-lang - Update to 2.4.4: [bsc#1219191] * gpg: Do not keep an unprotected smartcard backup key on disk. See https://gnupg.org/blog/20240125-smartcard-backup-key.html for a security advisory. [T6944] * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit platforms. [T6736] * gpg: Fix expiration time when Creation-Date is specified. [T5252] * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866] * gpg: Add option --with-v5-fingerprint. [T6705] * gpg: Add sub-option ignore-attributes to --import-options. * gpg: Add --list-filter properties sig_expires/sig_expires_d. * gpg: Fix validity of re-imported keys. [T6399] * gpg: Report BEGIN_ status before examining the input. [T6481] * gpg: Don't try to compress a read-only keybox. [T6811] * gpg: Choose key from inserted card over a non-inserted card. [T6831] * gpg: Allow to create revocations even with non-compliant algos. [T6929] * gpg: Fix regression in the Revoker keyword of the parameter file. [T6923] * gpg: Improve error message for expired default keys. [T4704] * gpgsm: Add --always-trust feature. [T6559] * gpgsm: Support ECC certificates in de-vs mode. [T6802] * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] * gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654] * keyboxd: Timeout on failure to get the database lock. [T6838] * agent: Update the key stubs only if really modified. [T6829] * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080] * scd: Add support for CardOS 5.4 cards. [rG812f988059] * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09] * scd: Add support for Smartcafe Expert 7.0 cards. [T6919] * scd: Add a length check for a new PIN. [T6843] * tpm: Fix keytotpm handling in the agent. [rG9909f622f6] * tpm: Fixes for the TPM test suite. [T6052] * dirmngr: New option --ignore-crl-extensions. [T6545] * dirmngr: Support config value "none" to disable the default keyserver. [T6708] * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4] * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc] * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28] * gpgconf: Adjust the -X command for the new VERSION file format. [T6918] * wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a278c] * wkd: Make --add-revocs the default in gpg-wks-client. New option - -no-add-revocs. [rG10c937ee68] * Remove duplicated backslashes when setting the homedir. [T6833] * Ignore attempts to remove the /dev/null device. [T6556] * Improve advisory file lock retry strategy. [T3380] * Release-info: https://dev.gnupg.org/T6578 * Remove patch upstream: - gnupg-Report-BEGIN_-status-before-examining-the-input.patch ==== inih ==== Version update (57 -> 58) - Update to version 58 * Add ini_ prefix even to static names so inih can be used as an [#]include. ==== kernel-source ==== - rpm/constraints.in: add static multibuild packages Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for constraints on multibuild) added "kernel-source:" prefix to the dynamically generated kernels. But there are also static ones like kernel-docs. Those fail to build as the constraints are still not applied. So add the prefix also to the static ones. Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it will ever be multibuilt... - commit c2e0681 - Revert "Limit kernel-source build to architectures for which the kernel binary" This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132. The fix for bsc#1108281 directly causes bsc#1218768, revert. - commit 2943b8a - mkspec: Include constraints for both multibuild and plain package always There is no need to check for multibuild flag, the constraints can be always generated for both cases. - commit 308ea09 - rpm/mkspec: use kernel-source: prefix for constraints on multibuild Otherwise the constraints are not applied with multibuild enabled. - commit 841012b - rpm/kernel-source.rpmlintrc: add action-ebpf Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf plugin) added this precompiled binary blob. Adapt rpmlintrc for kernel-source. - commit b5ccb33 - scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old The previous change added the manual entry from kernel-sources.change.old to old_changelog.txt unnecessarily. Let's fix it. - commit fb033e8 - rpm/kernel-docs.spec.in: fix build with 6.8 Since upstream commit f061c9f7d058 (Documentation: Document each netlink family), the build needs python yaml. - commit 6a7ece3 - futex: Prevent the reuse of stale pi_state (bsc#1218841). Update upstream status (Queued in subsystem maintainer repository). - commit a3ee207 - Refresh patches.rpmify/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch. Update usptream status. - commit 589bdfa - Update config files, enable CONFIG_IMA_DISABLE_HTABLE in all archs for Tumbleweed as SLE15-SP6 kernel does (bsc#1218400). - commit 020caa6 ==== libmaxminddb ==== Version update (1.8.0 -> 1.9.1) - libmaxminddb 1.9.1: * On very large databases, the calculation to determine the search tree size could overflow. This was fixed and several additional guards against overflows were added * build system tweaks ==== libqmi ==== Subpackages: libqmi-glib5 libqmi-tools - Add patch: * 0001-message-fix-16bit-service-on-big-endian.patch - Fixes 16-bit service indications on big endian architectures. Cherry-picked from upstream qmi-1-34 branch ==== libsolv ==== Version update (0.7.27 -> 0.7.28) Subpackages: libsolv-tools ruby-solv - build for multiple python versions [jsc#PED-6218] - bump version to 0.7.28 ==== man ==== - Skip posttrans dependency on systemd to support container without systemd (boo#1215538) - Use %(trans)filetriggerin and %(trans)filetriggerpostun to get an uptodate man database for installed manual pages ==== perl-Bootloader ==== Version update (1.10 -> 1.11) - merge gh#openSUSE/perl-bootloader#162 - handle script exit codes properly (bsc#1218847) - 1.11 ==== postfix ==== Version update (3.8.4 -> 3.8.5) - update to 3.8.5 * Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html. ==== publicsuffix ==== Version update (20240107 -> 20240123) - Update to version 20240123: * util: gTLD data autopull updates for 2024-01-23T15:14:10 UTC (#1921) ==== tiff ==== - security update: * CVE-2023-52356 [bsc#1219213] Fix segfault in TIFFReadRGBATileExt() + tiff-CVE-2023-52356.patch ==== transactional-update ==== Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit - Use "up" instead of "dup" by default on ALP [bsc#1218861] ==== webkit2gtk3 ==== Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113 CVE-2024-23222). ==== webkit2gtk4 ==== Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk6_0-1 libwebkitgtk6_0-4 webkitgtk-6_0-injected-bundles - Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113 CVE-2024-23222). ==== yast2-installation ==== Version update (5.0.3 -> 5.0.4) - Keep cio_ignore kernel argument when present in the parmfile or use the cio_ignore -k output if not and write it always even in zVM and KVM (bsc#1210525). - 5.0.4 ==== zbar ==== - Fix building for Leap