Removed rpms
============
- aaa_base-malloccheck
- python3-fixtures
- python3-linecache2
- python3-pbr
- python3-python-mimeparse
- python3-testtools
- python3-traceback2
- python3-unittest2

Added rpms
==========

Package Source Changes
======================
avahi
+- Add avahi-CVE-2023-1981.patch: emit error if requested service
+  is not found (boo#1210328 CVE-2023-1981).
+
+- switch to use _multibuild
+- delete _avahi_spec-prepare.sh, pre_checkin.sh: obsolete
+- use https urls
+
chromium
+- Chromium 112.0.5615.165 (boo#1210618):
+  * CVE-2023-2133: Out of bounds memory access in Service Worker API
+  * CVE-2023-2134: Out of bounds memory access in Service Worker API
+  * CVE-2023-2135: Use after free in DevTools
+  * CVE-2023-2136: Integer overflow in Skia
+  * CVE-2023-2137: Heap buffer overflow in sqlite
+- drop chromium-112-feed_protos.patch
+
+- Fix Leap 15.4 build failures from default comparison operators
+  defined outside of the class definition, a C++20 feature
+  adding chromium-112-default-comparison-operators.patch
+
dmidecode
+- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
+  which would prevent root from using the --from-dump option since
+  the latest security fixes (bsc#1210418).
+
+Security fixes (CVE-2023-30630)
+- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
+  Clean up function dmi_table so that it does only one thing
+  (bsc#1210418).
+- dmidecode-write-the-whole-dump-file-at-once.patch: When option
+  --dump-bin is used, write the whole dump file at once, instead of
+  opening and closing the file separately for the table and then
+  for the entry point (bsc#1210418).
+- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
+  Make sure that the file passed to option --dump-bin does not
+  already exist (bsc#1210418).
+- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
+  check on the type of the mem device file we are asked to read
+  from, if we are root (bsc#1210418).
+ 3 recommended fixes from upstream:
+- dmioem-typo-fix-virutal-virtual.patch: Simple typo fix in a
+  user-visible string.
+- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
+  the SMBIOS entry point is long enough to include all the fields
+  we need.
+- dmioem-hpe-oem-record-237-firmware-change.patch: Properly decode
+  the last field of HPE OEM record type 237.
+
grub2
+- Fix PowerVS deployment fails to boot with 90 cores (bsc#1208581)
+  * 0001-kern-ieee1275-init-Convert-plain-numbers-to-constant.patch
+  * 0002-kern-ieee1275-init-Extended-support-in-Vec5.patch
+
kernel-default
+- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386
+  bsc#1209615).
+- commit 92426ca
+
+- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
+- commit 507557e
+
+- Update CVE reference to
+  patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch
+  (git-fixes bsc#1210454 CVE-2023-2019).
+- commit 75fc91b
+
+- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch
+  (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218
+  jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453
+  CVE-2023-2008).
+- commit 342d08e
+
+- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+  condition (git-fixes bsc#1210337 CVE-2023-1990).
+- commit 12594bd
+
kernel-kvmsmall
+- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386
+  bsc#1209615).
+- commit 92426ca
+
+- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
+- commit 507557e
+
+- Update CVE reference to
+  patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch
+  (git-fixes bsc#1210454 CVE-2023-2019).
+- commit 75fc91b
+
+- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch
+  (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218
+  jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453
+  CVE-2023-2008).
+- commit 342d08e
+
+- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+  condition (git-fixes bsc#1210337 CVE-2023-1990).
+- commit 12594bd
+
libxml2
+- Security update:
+  * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
+    isn't deterministic
+    - Added patch libxml2-CVE-2023-29469.patch
+  * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
+    xmlSchemaFixupComplexType
+    - Added patch libxml2-CVE-2023-28484-1.patch
+    - Added patch libxml2-CVE-2023-28484-2.patch
+
+- Remove unneeded dependency (bsc#1209918).
+
libxml2:python
+- Security update:
+  * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
+    isn't deterministic
+    - Added patch libxml2-CVE-2023-29469.patch
+  * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
+    xmlSchemaFixupComplexType
+    - Added patch libxml2-CVE-2023-28484-1.patch
+    - Added patch libxml2-CVE-2023-28484-2.patch
+
+- Remove unneeded dependency (bsc#1209918).
+
mariadb
+- Update to 10.6.12:
+  https://mariadb.com/kb/en/library/mariadb-10612-release-notes
+  https://mariadb.com/kb/en/library/mariadb-10612-changelog
+  https://mariadb.com/kb/en/library/mariadb-10611-release-notes
+  https://mariadb.com/kb/en/library/mariadb-10611-changelog
+  * fixes for the following security vulnerabilities:
+    10.6.12: none
+    10.6.11: none
+- Update mariadb.keyring
+- Update list of skipped tests
+
mozilla-nss
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
+  fixes to PBKDF2 parameter validation.
+
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
+  validate extra PBKDF2 parameters according to FIPS 140-3.
+
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
+  update session->lastOpWasFIPS before destroying the key after
+  derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
+  CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
+  CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
+- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
+  excess code.
+
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
+
+- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
+  checks. Thanks to Martin for the DHKey parts.
+
+- Add manpages to mozilla-nss-tools (bsc#1208242)
+
newt
-- Make it build with latest TeXLive 2012 with new package layout
-
-- update to 0.52.14:
-  + fix returning strings in whiptail and whiptcl (rh#752818)
-  + fix configure to work with multiple python versions (rh#737998)
-- removed newt-0.52.13-python_version.patch : fixed upstream
-- compile with fPIC - fixes problems with _snackmodule.so - thanks to Joerg Steffens (bnc#734171)
-- newt-doc recommends the main package as the examples need it
-- added newt-0.52.14-incorrect-fsf-address.patch
-
-- Remove redundant tags/sections per specfile guideline suggestions
-
-- update to 0.52.13:
-  + add support for changing colors in individual labels, scrollbars, entries,
-    textboxes and scales, add custom colorsets
-  + add support for NEWT_COLORS and NEWT_COLORS_FILE variables (rh#689903)
-  + allow resizing of form
-  + fix errors found by coverity
-  + fix va_list usage (Gwenole Beauchesne)
-  + fix building and installing on Mac OS X (rh#652479)
-  + check for slang.h header, support DESTDIR variable, add --without-python
-    option (Otavio Salvador)
-  + add Persian, Low German translations
-- added newt-0.52.13-python_version.patch to fix detection of
-  python version in configure script
-
-- add comment to keep static lib
-
-- fix baselibs.conf
-  o newt > libnewt0_52
-- fix naming
-  o define libname libnewt
-  o define libsoname {libname}0_52
-- fix deps
-  o add pkg-config
-  o move {py_requires} to subpkg python-newt
-- remove Author from description
-
-- update to 0.52.12:
-  + fix whiptail --gauge and its description in man page (#620083)
-  + remove space after \n in whiptail texts (#620083)
-  + remove NLS code from snack (#599608)
-  + expose more keys to python as shortcuts in dialogs (Jakob Kemi)
-  + release python global-thread-lock during dialog displays (Jakob Kemi)
-  + fix warnings in whiptcl.c and include Tcl_PkgProvide() call (Mikhail T.)
-  + don't NULL deref when an invalid array is specified in checkboxtree
-    (Arnaldo Carvalho de Melo)
-- build on older distributions by owning locale/as
-
-- package baselibs.conf
-
-- update to 0.52.11
-  * fix buffer overflow in textbox when reflowing (#523955, CVE-2009-2905)
-  * use full textbox width when reflowing and allow minimal width 1
-  * fix writing lines longer than width in textbox
-  * don't use va_list in newtvwindow more than once (#523696)
-  * bind \E[Z to back-tab in built-in keymap (#468046)
-  * terminate string after reading file in whiptail
-  * add newtRadioSetCurrent function (Thomas Jarosch)
-  * add pkgconfig support (Thomas Jarosch)
-  * add Malay, Malayalam, Assamese, Gujarati, Bengali India, Kannada, Telugu
-    translations
-  * include tutorial in txt format
-  * include debian patches
-    - fix crash in textbox SetText when topLines != 0
-    - don't link modules with libraries already linked with libnewt
-    - add Asturian and Marathi translations
-- cleanup spec
-  * sorted TAGS
-  * macros __make, __install, ...
-    name -> {name}
-    version -> {version}
-    buildroot -> {buildroot}
-    _defaultdocdir -> {_defaultdocdir}
-    ....
-- removed obsolete newt-CVE-2009-2905.patch
-
-- fix heap-based buffer overflow in function doReflow in textbox.c
-  (fix bnc#540930 and CVE-2009-2905 : newt-CVE-2009-2905.patch)
-
ovmf
+- Add ovmf-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
+  to check result of GetEfiGlobalVariable2 (CVE-2019-14560, bsc#1174246)
+
+- Add ovmf-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
+  for MdeModulePkg/PiSmmCore: SmmEntryPoint underflow (CVE-2021-38578)
+  (bsc#1196741)
+
sddm
+- Add patch to fix delays on shutdown (boo#1210391):
+  * 0001-Avoid-starting-a-new-session-on-exit.patch
+
+- Replace proper_pam.diff with installation of source files:
+  * sddm.pam, sddm-autologin.pam, sddm-greeter.pam
+- PAM services:
+  * Make use of substack for common-*
+  * Include postlogin-*
+  * Run pam_keyinit before common-session
+  * Deny password in sddm-greeter
+- /run/sddm is owned by root:root
+- Add patch to fix possible deadlock:
+  * 0001-Process-all-available-auth-messages-in-a-loop.patch
+- Add missing dependencies on update-alternatives
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+- Honor /etc/nologin like login, sshd, xdm and gdm do
+  * added: auth requisite pam_nologin.so to proper_pam.diff
+  * see: man 5 nologin
+
slang
-- add automake as buildrequire to avoid implicit dependency
-
-- fix baselibs.conf
-
-- disabled parallel build again, still broken
-
-- updated to version 2.2.2
-  + new languag features
-    * ternary expressions
-    * break and condition statements can now work on several levels
-      of loops
-    * multiline strings
-    * List_Type objects can now also be indexed using an array of
-      indices
-  + new modules: zlib, fork, sysconf
-  + new intrinsic functions: sumsq, expm1, log1p, list_to_array,
-    string_matches, _close, _fileno, dup2, getsid, killpg,
-    getpriority, setpriority, ldexp, frexp
-  + provides pkg-info file
-  + many bugfixes
-- split package to conform to library naming policy
-- rebased patches, removed obsolete slang-2.2.1-format.patch
-- added patch slang-2.2.2-makefile.patch from Fedora which fixes
-  shared libs permissions, the slang shared library symlink, and
-  parallel build dependency issues and removes rpath
-- build pcre, png, and zlib modules
-- removed incorrect license information
-- more accurate summary and description
-- further cleanup
-
-- unbreak occasional build failures by disabling parallel make.
-
-- fixed better
-
-- include headers to fix build
-
-- add baselibs.conf as a source
-- enable parallel build
-