Removed rpms
============

Added rpms
==========
- libhwy1
- libjxl0_8

Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 102.11.0 ESR
+  Placeholder changelog-entry (bsc#1211175)
+- Placeholder changelog-entry (bsc#1210212)
+  * Fixed: Various security fixes.
+  MFSA 2023-14 (bsc#1210212)
+  * CVE-2023-29531 (bmo#1794292)
+    Out-of-bound memory access in WebGL on macOS
+  * CVE-2023-29532 (bmo#1806394)
+    Mozilla Maintenance Service Write-lock bypass
+  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+    Fullscreen notification obscured
+  * CVE-2023-1999 (bmo#1819244)
+    Double-free in libwebp
+  * CVE-2023-29535 (bmo#1820543)
+    Potential Memory Corruption following Garbage Collector
+    compaction
+  * CVE-2023-29536 (bmo#1821959)
+    Invalid free from JavaScript code
+  * CVE-2023-29539 (bmo#1784348)
+    Content-Disposition filename truncation leads to Reflected
+    File Download
+  * CVE-2023-29541 (bmo#1810191)
+    Files with malicious extensions could have been downloaded
+    unsafely on Linux
+  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+    Bypass of file download extension restrictions
+  * CVE-2023-29545 (bmo#1823077)
+    Windows Save As dialog resolved environment variables
+  * CVE-2023-1945 (bmo#1777588)
+    Memory Corruption in Safe Browsing Code
+  * CVE-2023-29548 (bmo#1822754)
+    Incorrect optimization result on ARM64
+  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
+    bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
+    bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
+    bmo#1824828)
+    Memory safety bugs fixed in Firefox 112 and Firefox ESR
+    102.10

MozillaThunderbird
+- Mozilla Thunderbird 102.10.1
+  * fixed: Messages with missing or corrupt "From:" header did
+    not display message header buttons (bmo#1793918)
+  * fixed: Composer repeatedly prompted for S/MIME smartcard
+    signing/encryption password (bmo#1828366)
+  * fixed: Address Book integration did not work with macOS 11.4
+    Big Sur (bmo#1720257)
+  * fixed: Mexico City DST fix in Thunderbird 102.10.0 (bug
+    1826146) was incomplete (bmo#1827503)
+- Mozilla Thunderbird 102.10
+  * changed: New messages will automatically select S/MIME if
+    configured and OpenPGP is not (bmo#1793278)
+  * fixed: Calendar events with timezone America/Mexico_City
+    incorrectly applied Daylight Savings Time (bmo#1826146)
+  * fixed: Security fixes
+  MFSA 2023-15 (bsc#1210212)
+  * CVE-2023-29531 (bmo#1794292)
+    Out-of-bound memory access in WebGL on macOS
+  * CVE-2023-29532 (bmo#1806394)
+    Mozilla Maintenance Service Write-lock bypass
+  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+    Fullscreen notification obscured
+  * CVE-2023-1999 (bmo#1819244)
+    Double-free in libwebp
+  * CVE-2023-29535 (bmo#1820543)
+    Potential Memory Corruption following Garbage Collector
+    compaction
+  * CVE-2023-29536 (bmo#1821959)
+    Invalid free from JavaScript code
+  * CVE-2023-0547 (bmo#1811298)
+    Revocation status of S/Mime recipient certificates was not
+    checked
+  * CVE-2023-29479 (bmo#1824978)
+    Hang when processing certain OpenPGP messages
+  * CVE-2023-29539 (bmo#1784348)
+    Content-Disposition filename truncation leads to Reflected
+    File Download
+  * CVE-2023-29541 (bmo#1810191)
+    Files with malicious extensions could have been downloaded
+    unsafely on Linux
+  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+    Bypass of file download extension restrictions
+  * CVE-2023-29545 (bmo#1823077)
+    Windows Save As dialog resolved environment variables
+  * CVE-2023-1945 (bmo#1777588)
+    Memory Corruption in Safe Browsing Code
+  * CVE-2023-29548 (bmo#1822754)
+    Incorrect optimization result on ARM64
+  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
+    bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
+    bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
+    bmo#1824828)
+    Memory safety bugs fixed in Thunderbird 102.10

autofs
+- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
+  Fix off-by-one error in recursive map handling.
+  (bsc#1209653)

cronie
+- Allow defining the logger info and warning priority, fixes
+  jsc#PED-2551
+  * run-crons
+  * sysconfig.cron

editorconfig-core-c
+- editorconfig-core-c 0.12.6:
+  * CVE-2023-0341: A buffer overflow in ec_blob (boo#1211032)
+  * Update property key, value length limits per spec change

ffmpeg
+- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix
+  use after free in libavcodec/pthread_frame.c (bsc#1209934).

ffmpeg-4
+- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix
+  use after free in libavcodec/pthread_frame.c (bsc#1209934).

grantlee5
+- Add patch to fix test failures on Leap 15:
+  * 0001-Add-a-call-to-registerComparators-in-testbuiltins.patch

kernel-64kb
+- x86: don't use REP_GOOD or ERMS for small memory clearing
+  (bsc#1211140).
+- x86/cpufeatures: Add macros for Intel's new fast rep string
+  features (bsc#1211140).
+- commit ff3ce03
+
+- wifi: brcmfmac: slab-out-of-bounds read in
+  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
+- commit 39854dd

kernel-default
+- x86: don't use REP_GOOD or ERMS for small memory clearing
+  (bsc#1211140).
+- x86/cpufeatures: Add macros for Intel's new fast rep string
+  features (bsc#1211140).
+- commit ff3ce03
+
+- wifi: brcmfmac: slab-out-of-bounds read in
+  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
+- commit 39854dd

kimageformats
+- Add support for RAW image formats
+
+- Update to 5.102.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.102.0
+- Changes since 5.101.0:
+  * raw: tweak seek implementation
+  * heif: fix error handling
+  * heif: rewrite plugin to use only libheif C API
+
+- Update to 5.101.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.101.0
+- Changes since 5.100.0:
+  * Fix missing DCI-P3 color space set
+  * minor tweaks in HEIF and AVIF plugins
+  * raw: LibRaw_QIODevice::read: fixed possible partial reading of an item
+  * PSD multichannel testcases
+  * Support to MCH with 4+ channels (treat as CMYK)
+  * avif: Check if encoder/decoder is available in capabilities()
+  * Fix condition for installing desktop files
+
+- Update to 5.100.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.100.0
+- Changes since 5.99.0:
+  * Don't install desktop files for image formats when building against Qt6
+  * raw: Don't seek back if we were asked to read too much
+  * jxl: indicate when all frames have been read
+  * avif: minor fixes
+  * avif: indicate when all frames have been read
+  * avif: always indicate endless loop
+  * avif: return `false` in `canRead()` when `imageIndex >= imageCount` (kde#460085)
+  * Add JXL test files corresponding to 8 EXIF orientation values
+  * Add AVIF test files with rotation and mirror operations
+  * Auto-rotate input images in readtest
+  * jxl: remove C-style casts
+  * avif: Use reinterpret_cast instead C cast
+  * avif: revert 9ac923a commit
+  * heif: replace C cast with static_cast
+  * heif: use heif_init/heif_deinit with libheif 1.13.0+
+  * FindLibRaw: fix include dir, should not contain prefix libraw/ (kde#460105)
+  * Fix duplicated tests
+  * ANI partial test and PIC test added
+  * PSD: improved support to sequential access device
+  * Fix messages
+  * CMakeLists: enable EXR test
+  * Added EXR test image
+  * Fixes for sequential devices
+- Drop patches, merged upstream:
+  * 0001-avif-return-false-in-canRead-when-imageIndex-imageCo.patch
+  * 0001-avif-always-indicate-endless-loop.patch
+  * 0001-avif-revert-9ac923ad09316dcca0fc11e0be6b3dfc6cce6ca0.patch
+
+- Add upstream changes:
+  * 0001-avif-return-false-in-canRead-when-imageIndex-imageCo.patch (kde#460085)
+  * 0001-avif-always-indicate-endless-loop.patch
+  * 0001-avif-revert-9ac923ad09316dcca0fc11e0be6b3dfc6cce6ca0.patch
+
+- Enable JPEG-XL plugin
+
+- Update to 5.99.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.99.0
+- Changes since 5.98.0:
+  * Add Qt6 windows CI support
+  * pcx: Do not support sequential devices (kde#459541)
+  * Fix maximum number of channels (testcase added)
+  * LibRaw_QIODevice::seek() avoid seek on a sequential device
+  * LibRaw_QIODevice::seek() bounding checks
+  * Camera RAW images plugin
+  * .gitlab-ci.yml: enable static builds
+  * Enables opening of XCF files with Width and/or Height greater than 32K
+  * Replace C cast with reinterpret_cast
+  * avif: adjust for libavif breaking change in YUV<->RGB conversion
+  * Fix image allocation with Qt 6
+
+- Update to 5.98.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.98.0
+- Changes since 5.97.0:
+  * Add FreeBSD Qt6 CI support
+  * Protect against too big resize for a QByteArray
+
+- Update to 5.97.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.97.0
+- Changes since 5.96.0:
+  * Use right type on enums
+  * PSD: Improve alpha detection (kde#182496)
+  * PSD: LAB support
+
+- Update to 5.96.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.96.0
+- Changes since 5.95.0:
+  * PSD header checks according to specifications
+  * Improved detection of alpha channel on CMYK images
+  * Minor code optimization
+  * Minor code improvements (tested on all my CMYK PSD/PSB files)
+  * Fix Alpha + testcase images
+  * Fix regression
+  * Basic support to CMYK 8/16 bits (not fully tested)
+  * Require passing tests for the CI to pass
+  * jxl: support both old 0.6.1 and new 0.7.0 libjxl API
+  * Remove extra ';'
+  * avif: read performance improvements
+
+- Enable AVIF plugin also on Leap 15.4
+
+- Update to 5.95.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.95.0
+- Changes since 5.94.0:
+  * psd: Fix segfault on architectures where char is unsigned (like ARM)
+
+- Update to 5.94.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.94.0
+- Changes since 5.93.0:
+  * avif: prepare for breaking change in libavif
+  * XCF: Support to QImageIOHandler::Size option
+  * Support to QImageIOHandler::Size option
+  * QByteArray resize removal
+  * psd: Fix crash on broken files
+  * psd: duotone read
+  * psd: Don't crash with broken images
+  * psd: Header depth has to be 8 for CM_INDEXED color_mode
+  * psd: Protect against broken images
+  * psd: Don't abort on broken images
+  * avif: lossless support
+  * psd: Don't assert on broken files
+  * Add windows CI
+  * PSD: Performance improvements and support to missing common formats
+
+- Update to 5.93.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.93.0
+- Changes since 5.92.0:
+  * Fix XCF parasites metadata in QImage and support to ICC profile
+  * avif: encoder speed 7->6
+  * avif: fix jumpToImage
+  * avif: warn about non-recommended libavif configuration
+
+- Update to 5.92.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.92.0
+- Changes since 5.91.0:
+  * Add Qt6 Android CI
+  * Add write tests for heif/avif/jxl
+  * jxl: encoding improvements
+  * avif: adjust dimension and memory limits
+
+- Update to 5.91.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.91.0
+- Changes since 5.90.0:
+  * Check executables exist in PATH before passing them to QProcess
+  * Fix handling of null terminated ANI metadata with Qt6
+  * Add CI qt6 support

ldb
+- Update to version 2.6.2
+  + CVE-2023-0614: Not-secret but access controlled LDAP attributes
+    can be discovered; (bso#15270); (bsc#1209485).

libfastjson
+- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
+  large JSON file (bsc#1171479)
+  add 0001-Fix-CVE-2020-12762.patch

libqt5-qtbase
+- Amend patch to fix mouse grabbing as well (bsc#1211024):
+  * big-endian-scroll.patch

ncurses
+- Modify patch ncurses-6.1.dif
+  * Secure writing terminfo entries by setfs[gu]id in s[gu]id
+    (boo#1210434, CVE-2023-29491)
+  * Reading is done since 2000/01/17

open-iscsi
+- Remove "--strip" in SPEC file for meson build, so that
+  debuginfo is generated. (from mwilck) (bsc#1210536)
+
+- Build system: meson builds were ignoring optflags, and other
+  passed in compiler options.
+
+- Update iscsid.service so it starts iscsid.socket, if needed
+  (bsc#1206132).

openssh
+- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
+  This caused invalid and irrelevant environment assignments (bsc#1207014).

procps
+- Add patch bsc1209122-a6c0795d.patch
+  * Fix for bsc#1209122 to allow `-´ as leading character to ignore
+    possible errors on sysctl entries

protobuf-c
+- ec3d9000.patch: fixes unsigned integer overflow
+  (bsc#1210323, CVE-2022-48468)
+
-- update to 0.15
-  - make protobuf_c_message_init() into a function (Issue #49, daveb)
-  - Fix for freeing memory after unpacking bytes w/o a default-value.
-    (Andrei Nigmatulin)
-  - minor windows portability issues (use ProtobufC_FD) (Pop Stelian)
-  - --with-endianness={little,big} (Pop Stelian)
-  - bug setting up values of has_idle in public dispatch,
-    make protobuf_c_dispatch_run() use only public members (daveb)
-  - provide cmake support and some Windows compatibility (Nikita Manovich)
-

samba
+- Update to 4.17.7
+  * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
+    in cleartext; (bso#15315); (bsc#1209481).
+  * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be
+    deleted by unprivileged authenticated users; (bso#15276);
+    (bsc#1209483).
+  * CVE-2023-0614: samba: Access controlled AD LDAP attributes can
+    be discovered; (bso#15270); (bsc#1209485).
+  * large_ldap test is inefficient; (bso#15332).
+  * CVE-2020-25720 [SECURITY] Create Child permission should not
+    allow full write to all attributes (additional changes);
+    (bso#14810).
+- Update to 4.17.6
+  * streams_xattr is creating unexpected locks on folders;
+    (bso#15314).
+  * Use of the Azure AD Connect cloud sync tool is now supported
+    for password hash synchronisation, allowing Samba AD Domains
+    to synchronise passwords with this popular cloud environment;
+    (bso#10635).
+  * Spotlight doesn't work with latest macOS Ventura;
+    (bso#15299).
+  * New samba-dcerpc architecture does not scale gracefully;
+    (bso#15310).
+  * vfs_ceph incorrectly uses fsp_get_io_fd() instead of
+    fsp_get_pathref_fd() in close and fstat; (bso#15307).
+  * With clustering enabled samba-bgqd can core dump due to use
+    after free; (bso#15293).
+  * fd_load() function implicitly closes the fd where it should
+    not; (bso#15311).
+- Update to 4.17.5
+  * smbc_getxattr() return value is incorrect; (bso#14808).
+  * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not
+    handled correctly; (bso#15172).
+  * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210).
+  * samba-tool gpo listall fails IPv6 only - finddcs() fails to
+    find DC when there is only an AAAA record for the DC in DNS;
+    (bso#15226).
+  * smbd crashes if an FSCTL request is done on a stream handle;
+    (bso#15236).
+  * DFS links don't work anymore on Mac clients since 4.17;
+    (bso#15277).
+  * vfs_virusfilter segfault on access, directory edgecase
+    (accessing NULL value); (bso#15283).
+  * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+    based SChannel on NETLOGON (additional changes); (bso#15240).
+  * %U for include directive doesn't work for share listing
+    (netshareenum); (bso#15243).
+  * Shares missing from netshareenum response in samba 4.17.4;
+    (bso#15266).
+  * ctdb: use-after-free in run_proc; (bso#15269).
+  * irpc_destructor may crash during shutdown; (bso#15280).
+  * auth3_generate_session_info_pac leaks wbcAuthUserInfo;
+    (bso#15286).
+  * smbclient segfaults with use after free on an optimized
+    build; (bso#15268).
+  * smbstatus leaking files in msg.sock and msg.lock;
+    (bso#15282).
+  * Leak in wbcCtxPingDc2; (bso#15164).
+  * Access based share enum does not work in Samba 4.16+;
+    (bso#15265).
+  * Crash during share enumeration; (bso#15267).
+  * rep_listxattr on FreeBSD does not properly check for reads
+    off end of returned buffer; (bso#15271).
+  * Avoid relying on C89 features in a few places; (bso#15281).

shadow
+- bsc#1210507 (CVE-2023-29383):
+  Check for control characters
+- Add shadow-CVE-2023-29383.patch

shim
+- Updated shim.changes to add the CVE-2022-28737 number for bsc#1198458.
+  The issue is fixed by the upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737)
+
+- Sometimes the SLE shim signature is updated by Microsoft before the openSUSE
+  shim signature. When a submit request for updating the SLE shim is made on
+  IBS, the submitreq project is generated, but it is always blocked by the
+  check of the openSUSE shim signature.
+  It doesn't make sense to check the openSUSE shim signature when building
+  the SLE shim on the SLE platform, and vice versa. So the following change
+  adds logic to compare the suffix (sles, opensuse) with distro_id (sle, opensuse).
+  When and only when the hash mismatches and distro_id matches the suffix, stop
+  building.
+  [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+  [#] when hash mismatch and distro_id match with suffix, stop building
+
+- Upgrade shim-install for bsc#1210382
+  After closing the Leap-gap project since Leap 15.3, openSUSE Leap directly
+  uses the shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
+  CA1', not 'openSUSE Secure Boot CA1'. This causes update_boot=no,
+  so all files in /boot/efi/EFI/boot are not updated.
+  The 86b73d1 patch added logic that uses the ID field in os-release for
+  checking the Leap distro and sets ca_string to 'SUSE Linux Enterprise Secure
+  Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
+- https://github.com/SUSE/shim-resources (git log --oneline)
+  86b73d1 Fix that bootx64.efi is not updated on Leap
+  f2e8143 Use the long name to specify the grub2 key protector
+  7283012 cryptodisk: support TPM authorized policies
+  49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
+  26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
+  5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
+  a5c5734 Introduce --no-grub-install option
+
-  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
+  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)

snapper
+- avoid stale btrfs qgroups on transactional systems (bsc#1210151)
+  * added pr805.patch
+- wait for existing btrfs quota rescans to finish (bsc#1210150)
+  * added pr790.patch

vim
+- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
+  * Revert the creation of standalone xxd packages
+
+- Updated to version 9.0 with patch level 1443, fixes the following security problems
+  * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
+  * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
+  * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
+- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
+  remove during %prep anyway. And this breaks quilt setup.
+- for the complete list of changes see
+  https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443

webkit2gtk3
+- Update to version 2.38.6 (boo#1210295 boo#1210731):
+  + Enable the Asynchronous Clipboard API to make certain pages
+    work (e.g. GitHub started recently requiring it).
+  + Support :has() CSS selectors in content filters.
+  + Apply basic font properties as font variation settings.
+  + The Bubblewrap sandbox no longer requires setting an
+    application identifier via GApplication to operate correctly.
+    Using GApplication is still recommended, but optional.
+  + Improvements to the GStreamer multimedia playback, in
+    particular around MSE, WebRTC, and seeking.
+  + Fix the build with journald support enabled when using elogind
+    instead of the systemd libraries.
+  + Fix the build with Link-Time Optimization enabled (-flto=auto).
+  + Fix context menus not working in the remote Web Inspector.
+  + Fix usage of the remote Web Inspector over HTTP.
+  + Fix debug logs not being emitted in release builds.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2022-0108, CVE-2023-28205, CVE-2022-32885,
+    CVE-2023-27932, CVE-2023-27954.
+
-  + Security fixes: CVE-2022-32886, CVE-2022-32912.
+  + Security fixes: CVE-2022-32886, CVE-2022-32912, CVE-2023-25358,
+    CVE-2023-25360, CVE-2023-25361, CVE-2023-25362, CVE-2023-25363.

yast2-network
+- Do not write the EAP auth attribute when writing a wireless
+  wicked configuration using the EAP mode as TLS (bsc#1211026)
+- 4.5.20
+
+- Fix summary crash when there is no interface available
+  (bsc#1209589, bsc#1211161).
+- 4.5.19

zlib
+- Fix deflateBound() before deflateInit(), bsc#1210593, bsc#1211005
+  bsc1210593.patch
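The report above is consumed mostly by checking that the CVE identifiers it lists actually reached the installed packages. The following is an added example, not part of the openSUSE report nor of any package's own tooling: a POSIX sh helper that extracts CVE ids from an rpm changelog and reports which of a required set are absent. On a live system the input would be the output of `rpm -q --changelog <package>`; the embedded sample is a constructed excerpt in the shape of the MozillaFirefox entry, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the openSUSE update report): verify that the CVE
# identifiers an advisory lists appear in a package's rpm changelog.
# Real input: rpm -q --changelog <package>. Here a constructed sample is used.

# Print the unique CVE ids found on stdin, one per line.
cves_in_text() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves "<changelog text>" CVE-... [CVE-...]
# Prints each required id the text does not mention and returns 1 if any
# are missing. Matching is on the whole id (grep -x), so CVE-2023-1999 is
# not satisfied by a line that only mentions CVE-2023-19990.
missing_cves() {
    text=$1
    shift
    found=$(printf '%s\n' "$text" | cves_in_text)
    rc=0
    for id in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF -- "$id"; then
            printf '%s\n' "$id"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a few lines in the shape of the Firefox 102.11.0 ESR
# changelog entry; only two of the MFSA 2023-14 ids are present on purpose.
SAMPLE='- Firefox Extended Support Release 102.11.0 ESR
  MFSA 2023-14 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-1999 (bmo#1819244)
    Double-free in libwebp'

# Human-readable wrapper for a stand-alone run.
report() {
    if missing_cves "$@"; then
        echo "all required CVEs are present in the changelog"
    else
        echo "(the ids printed above are absent from the changelog)"
    fi
}

report "$SAMPLE" CVE-2023-29531 CVE-2023-1999
report "$SAMPLE" CVE-2023-29531 CVE-2023-29550
```

To use it against a real package, replace the constructed `SAMPLE` with `"$(rpm -q --changelog MozillaFirefox)"` and pass the ids from the MFSA entry above; a non-zero exit from `missing_cves` means the installed build's changelog does not claim all of them.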