Packages changed: MozillaFirefox (62.0.3 -> 63.0.3) adwaita-icon-theme (3.30.0 -> 3.30.1) autogen (5.18.14 -> 5.18.16) edict (20180305 -> 20181125) elilo git (2.19.1 -> 2.19.2) grub2 kde-l10n libpipeline (1.4.1 -> 1.5.0) libpt2 lirc mariadb (10.2.18 -> 10.2.19) metis mokutil nut open-iscsi openldap2 openssh (7.8p1 -> 7.9p1) plymouth (0.9.4+git20181111.118c5ca -> 0.9.4+git20181122.aaa140b) postfix (3.3.1 -> 3.3.2) python-requests (2.20.0 -> 2.20.1) rubygem-parallel_tests (2.22.1 -> 2.27.0) rubygem-yast-rake (0.2.28 -> 0.2.29) tmux valgrind (3.13.0 -> 3.14.0) virt-manager wayland yast2-apparmor (4.1.0 -> 4.1.1) yast2-network (4.1.17 -> 4.1.18) yast2-nfs-server (4.0.1 -> 4.0.2) === Details === ==== MozillaFirefox ==== Version update (62.0.3 -> 63.0.3) Subpackages: MozillaFirefox-translations-common - Clean-up %arm build - update to Firefox 63.0.3 * Games using WebGL (created in Unity) get stuck after very short time of gameplay (bmo#1502748) * Slow page loading for some users with specific proxy configurations (bmo#1495024) * Disable HTTP response throttling by default for causing bugs with videos in background tabs (bmo#1503354) * Opening magnet links no longer works (bmo#1498934) * Crash fixes (bmo#1498510, bmo#1503424) - removed mozilla-newer-cbindgen.patch; no longer needed - update to Firefox 63.0.1 * Snippets are not loaded due to missing element (bmo#1503047) * Print preview always shows 30& scale when it is actually Shrink To Fit (bmo#1501952) * Dialog displayed when closing multiple windows shows unreplaced %1$S placeholder in Japanese and potentially other locales (bmo#1500823) - update to Firefox 63.0 * WebExtensions now run in their own process on Linux * The Ctrl+Tab shortcut now displays thumbnail previews of your tabs and cycles through tabs in recently used order. This new default behavior is activated only in new profiles and can be changed in preferences. * Added support for Web Components custom elements and shadow DOM MFSA 2018-26 (bsc#1112852) * CVE-2018-12391 (bmo#1478843) (Android-only) HTTP Live Stream audio data is accessible cross-origin * CVE-2018-12392 (bmo#1492823) Crash with nested event loops * CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs) Integer overflow during Unicode conversion while loading JavaScript * CVE-2018-12395 (bmo#1467523) WebExtension bypass of domain restrictions through header rewriting * CVE-2018-12396 (bmo#1483602) WebExtension content scripts can execute in disallowed contexts * CVE-2018-12397 (bmo#1487478) Missing warning prompt when WebExtension requests local file access * CVE-2018-12398 (bmo#1460538, bmo#1488061) CSP bypass through stylesheet injection in resource URIs * CVE-2018-12399 (bmo#1490276) Spoofing of protocol registration notification bar * CVE-2018-12400 (bmo#1448305) (Android only) Favicons are cached in private browsing mode on Firefox for Android * CVE-2018-12401 (bmo#1422456) DOS attack through special resource URI parsing * CVE-2018-12402 (bmo#1469916) SameSite cookies leak when pages are explicitly saved * CVE-2018-12403 (bmo#1484753) Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP * CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427, bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167) Memory safety bugs fixed in Firefox 63 * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159, bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803, bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699, bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844) Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 - requires NSPR 4.20, NSS 3.39 and Rust 1.28 - latest rust does not provide rust-std so stop requiring it - requires rust-cbindgen >= 0.6.2 to build - requires nodejs >= 8.11 to build - added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289) - added mozilla-cubeb-noreturn.patch to fix non-return function - added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7 - disable elfhack for TW and newer due to build errors - removed obsolete patches * mozilla-no-return.patch * mozilla-no-stdcxx-check.patch - Update _constraints for armv6/7 - Add patch to fix build on armv7: * mozilla-bmo1463035.patch ==== adwaita-icon-theme ==== Version update (3.30.0 -> 3.30.1) - Update to version 3.30.1: + Fix nasty misrendering of inode-directory-symbolic. ==== autogen ==== Version update (5.18.14 -> 5.18.16) Subpackages: libopts25 - Remove invalid signature file and keyring - BuildRequire guile-devel to make transistion to Guile 2.2 smooth - Update to version 5.8.16 - Enable compiling with Guile 2.2 - autogen-guile-2.2.patch: removed - installable-programs.patch: don't make programs uninstallable - Rediff remaining patches ==== edict ==== Version update (20180305 -> 20181125) - Update to snapshot 20181125 * No changelog recorded. - Split package into: edict, edict2, jmdict. This way, one need not install the rather large XML variant (jmdict) if not needed. - Added JIS X 0213-2012 Kanji dictionary ("kanjd213"). - Remove the computer terminology dictionary "compdic", as it is already included in the word dictionary. ==== elilo ==== - elilo.efi * Try to properly allocate high_base_mem. (bsc#1000769) (elilo-high_base_mem.diff) - elilo.spec * Work around glitches introduced by gnu-efi. * Add '-mno-red-zone' to work around Microsoft/SystemV AMD64 ABI discrepancies. (bsc#953502) - elilo.pl * Support 'ucode=' for XEN. (bsc#1102567) * SecureBoot: Support detached configuration template. * Add support for 'UUID='/'LABEL=' to specify EFI system partition and fix bug introduced by NVMe device handling. (bsc#917195) * Handle NVMe device names. (fate#317591) * Don't abort, when "skip" is announced. (bsc#917130) - elilo.efi * Remove special handling for '?' in textmenu-mode. (bsc#928546) (elilo-textmenu-disable-print-devices.diff) ==== git ==== Version update (2.19.1 -> 2.19.2) Subpackages: git-core git-cvs git-daemon git-email git-gui git-svn git-web gitk - git 2.19.2: * various bug fixes for multiple subcommands and operations ==== grub2 ==== Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen - Change default tsc calibration method to pmtimer on EFI (bsc#1114754) * 0001-tsc-Change-default-tsc-calibration-method-to-pmtimer.patch - ieee1275: Fix double free in CAS reboot (bsc#1111955) * grub2-ppc64-cas-fix-double-free.patch ==== kde-l10n ==== Subpackages: kde-l10n-cs kde-l10n-da kde-l10n-da-data kde-l10n-da-doc kde-l10n-de kde-l10n-de-data kde-l10n-de-doc kde-l10n-el kde-l10n-en_GB kde-l10n-en_GB-data kde-l10n-en_GB-doc kde-l10n-es kde-l10n-es-data kde-l10n-es-doc kde-l10n-fr kde-l10n-fr-data kde-l10n-hu kde-l10n-it kde-l10n-it-data kde-l10n-it-doc kde-l10n-ja kde-l10n-pl kde-l10n-pl-data kde-l10n-pt kde-l10n-pt_BR kde-l10n-pt_BR-data kde-l10n-ru kde-l10n-ru-data kde-l10n-zh_CN kde-l10n-zh_TW - Fix "Summary: summary" ==== libpipeline ==== Version update (1.4.1 -> 1.5.0) - Update to version 1.5.0 * Add `pipecmd_pre_exec' to install a pre-exec handler for a single command. * Fix EOF detection in get_line. ==== libpt2 ==== - Add reproducible.patch to not store build system kernel version (boo#1101107) ==== lirc ==== - Add reproducible.patch to drop build date, kernel version, sort python glob to make build reproducible (boo#1047218, boo#1101107) ==== mariadb ==== Version update (10.2.18 -> 10.2.19) Subpackages: libmysqld19 mariadb-client mariadb-errormessages - update to 10.2.19 GA [bsc#1116686] * notable changes: * innodb_safe_truncate system variable for a backup-safe TRUNCATE TABLE implementation that is based on RENAME, CREATE, DROP (MDEV-14717, MDEV-14585, MDEV-13564). Default value for this variable is ON. If you absolutely must use XtraBackup instead of Mariabackup, you can set it to OFF and restart the server * MDEV-17289: Multi-pass recovery fails to apply some redo log records * MDEV-17073: INSERT?ON DUPLICATE KEY UPDATE became more deadlock-prone * MDEV-17491: micro optimize page_id_t * MDEV-13671: InnoDB should use case-insensitive column name comparisons like the rest of the server * Fixes for indexed virtual columns: MDEV-17215, MDEV-16980 * MDEV-17433: Allow InnoDB start up with empty ib_logfile0 from mariabackup --prepare * MDEV-12547: InnoDB FULLTEXT index has too strict innodb_ft_result_cache_limit max limit * MDEV-17541: KILL QUERY during lock wait in FOREIGN KEY check causes hang * MDEV-17531: Crash in RENAME TABLE with FOREIGN KEY and FULLTEXT INDEX * MDEV-17532: Performance_schema reports wrong directory for the temporary files of ALTER TABLE?ALGORITHM=INPLACE * MDEV-17545: Predicate lock for SPATIAL INDEX should lock non-matching record * MDEV-17546: SPATIAL INDEX should not be allowed for FOREIGN KEY * MDEV-17548: Incorrect access to off-page column for indexed virtual column * MDEV-12023: Assertion failure sym_node->table != NULL on startup * MDEV-17230: encryption_key_id from alter is ignored by encryption threads * fixes for the following security vulnerabilities: CVE-2018-3282 [bsc#1112432], CVE-2016-9843 [bsc#1013882], CVE-2018-3174 [bsc#1112368], CVE-2018-3143 [bsc#1112421], CVE-2018-3156 [bsc#1112417], CVE-2018-3251 [bsc#1112397], CVE-2018-3185 [bsc#1112384], CVE-2018-3277 [bsc#1112391], CVE-2018-3162 [bsc#1112415], CVE-2018-3173 [bsc#1112386], CVE-2018-3200 [bsc#1112404], CVE-2018-3284 [bsc#1112377] * release notes and changelog: https://mariadb.com/kb/en/library/mariadb-10219-release-notes https://mariadb.com/kb/en/library/mariadb-10219-changelog - do not pack libmariadb.pc (packed in mariadb-connector-c) - add "Requires: libmariadb_plugins" to the mariadb-test subpackage in order to be able to test client plugins successfuly [bsc#1111859] - don't remove debug_key_management.so anymore [bsc#1111858] ==== metis ==== - Edit description to put time-sensitive wording into context. - General spec file clean up. - Touch-up to the HPC build. - Implemented suse-hpc packaging - Added metis-makefile-c-directives.patch - Provides cflags option to help provide metis native build process ==== mokutil ==== - Enable AArch64 build (fate#326541) ==== nut ==== Subpackages: libupsclient1 nut-cgi - Give up on packaging the tex docu as it fails to build with latest texlive - Add missing tex dependencies so we can generate the pdf with newer releases of texlive - Drop patch docs-destination-dir.patch which is quite pointless - Remove invalid option 'destination-dir' when generating PDF files (docs-destination-dir.patch) ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0_2_0 - Updated to latest upstream, with fixes: * Use pkg-config in Makefiles for newer libraries. * Merge pull request #145 from gonzoleeman/fix-i586-build-warnings * Fix i586 build issues with string length overflow. * iscsistart is not installed * iscsiuio: Do not flush tx queue on each uio interrupt. updating: * open-iscsi-SUSE-latest.diff.bz2 Also, update the SPEC file: no more need to specify libkmod or libsystemd, since upstream handles that now. ==== openldap2 ==== Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client openldap2-devel - Replace old $RPM_* shell vars - Fix CVE-2017-17740: when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack * patch: 0017-Fix-segfault-in-nops.patch (bsc#1073313) ==== openssh ==== Version update (7.8p1 -> 7.9p1) Subpackages: openssh-helpers - Fix build with openssl < 1.1.0 * add openssh-openssl-1_0_0-compatibility.patch - openssh-7.7p1-audit.patch: fix sshd fatal error in mm_answer_keyverify: buffer error: incomplete message [bnc#1114008] - Version update to 7.9p1 * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option (see below) bans the use of DSA keys as certificate authorities. * sshd(8): the authentication success/failure log message has changed format slightly. It now includes the certificate fingerprint (previously it included only key ID and CA key fingerprint). * ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). * sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. bz#1424 * ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries. * ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. * ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) authentication log messages. - Removed obsolete configuration option --with-tcp-wrappers, and - -with-opensc for s390 and s390x. - Removed patch merged upstream * openssh-7.7p1-openssl_1.1.0.patch - Refreshed patches * openssh-7.7p1-audit.patch * openssh-7.7p1-disable_short_DH_parameters.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-gssapi_key_exchange.patch * openssh-7.7p1-seccomp_ipc_flock.patch * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-ldap.patch - Mention upstream bugs on multiple local patches - Adjust service to not spam restart and reload only on fails - Update openssh-7.7p1-sftp_force_permissions.patch from the upstream bug, and mention the bug in the spec - Drop patch openssh-7.7p1-allow_root_password_login.patch * There is no reason to set less secure default value, if users need the behaviour they can still set it up themselves - Drop patch openssh-7.7p1-blocksigalrm.patch * We had a bug way in past about this but it was never reproduced or even confirmed in the ticket, thus rather drop the patch ==== plymouth ==== Version update (0.9.4+git20181111.118c5ca -> 0.9.4+git20181122.aaa140b) Subpackages: libply-boot-client4 libply-splash-core4 libply-splash-graphics4 libply4 plymouth-dracut plymouth-plugin-label plymouth-plugin-label-ft plymouth-plugin-script plymouth-plugin-two-step plymouth-scripts - Update to version 0.9.4+git20181122.aaa140b: Add a separator between different boot logs Fix race causing undesired creation of non-gfx devs Fix animation not starting on later added heads ==== postfix ==== Version update (3.3.1 -> 3.3.2) Subpackages: postfix-doc - Update to 3.3.2 * Support for OpenSSL 1.1.1 and TLSv1.3. * Bugfixes: - smtpd_discard_ehlo_keywords could not disable "SMTPUTF8", because some lookup table was using "EHLO_MASK_SMTPUTF8" instead. - minor memory leak in DANE support when minting issuer certs. - The Postfix build did not abort if the m4 command was not installed, resulting in a broken postconf command. - add POSTFIX_RELAY_DOMAINS * more flexibility to add to relay_domains without breaking config.postfix * rework restriction examples in sysconf.postfix based on postfix-buch.com (2. edtion by Hildebrandt, Koetter) - disable weak cipher: RC4 after check with https://ssl-tools.net/mailservers ==== python-requests ==== Version update (2.20.0 -> 2.20.1) Subpackages: python2-requests python3-requests - update to version 2.20.1: * Bugfixes + Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443). ==== rubygem-parallel_tests ==== Version update (2.22.1 -> 2.27.0) - updated to version 2.27.0 no changelog found ==== rubygem-yast-rake ==== Version update (0.2.28 -> 0.2.29) - Fix base dir for icons (boo#1109378) - 0.2.29 ==== tmux ==== - add fix-cve201819387.patch fixes CVE-2018-19387 boo#1116887 ==== valgrind ==== Version update (3.13.0 -> 3.14.0) - update valgrind.xen.patch to branch bug390553-20181125-ddfc274b2 - build against Toolchain module for SLE12 - add 0001-Bug-397187-s390x-Add-vector-register-support-for-vgd.patch 0001-Bug-400490-s390x-Fix-register-allocation-for-VRs-vs-.patch, 0001-Bug-400491-s390x-Sign-extend-immediate-operand-of-LO.patch, 0001-s390x-more-fixes.patch, Implement-emulated-system-registers.-Fixes-392146.patch (FATE#326355) - enable check (poo#36751) - update to 3.14.0 (bsc#1114575, FATE#326355): see http://www.valgrind.org/docs/manual/dist.news.html * The new option --keep-debuginfo=no|yes (default no) can be used to retain debug info for unloaded code. This allows saved stack traces (e.g. for memory leaks) to include file/line info for code that has been dlclose'd (or similar). See the user manual for more information and known limitations. * Ability to specify suppressions based on source file name and line number. * Majorly overhauled register allocator. No end-user changes, but the JIT generates code a bit more quickly now. * Preliminary support for macOS 10.13 has been added. * mips: support for MIPS32/MIPS64 Revision 6 has been added. * mips: support for MIPS SIMD architecture (MSA) has been added. * mips: support for MIPS N32 ABI has been added. * s390: partial support for vector instructions (integer and string) has been added. * Helgrind: Addition of a flag - -delta-stacktrace=no|yes [yes on linux amd64/x86] which specifies how full history stack traces should be computed. Setting this to =yes can speed up Helgrind by 25% when using - -history-level=full. * Memcheck: reduced false positive rate for optimised code created by Clang 6 / LLVM 6 on x86, amd64 and arm64. In particular, Memcheck analyses code blocks more carefully to determine where it can avoid expensive definedness checks without loss of precision. This is controlled by the flag - -expensive-definedness-checks=no|auto|yes [auto]. * Valgrind is now buildable with link-time optimisation (LTO). A new configure option --enable-lto=yes allows building Valgrind with LTO. If the toolchain supports it, this produces a smaller/faster Valgrind (up to 10%). Note that if you are doing Valgrind development, --enable-lto=yes massively slows down the build process. - remove epoll-wait-fix.patch, Fix-access-to-time-base-register-to-return-64-bits.patch, 0001-Accept-read-only-PT_LOAD-segments-and-.rodata.patch (upstream), ==== virt-manager ==== Subpackages: virt-install virt-manager-common - bsc#1116990 - [virt-install] internal error: libxenlight failed to create new domain 'sles-11-sp4-64-pv-def-net'. Fix reversed logic when testing for i386. virtinst-use-xenpae-kernel-for-32bit.patch ==== wayland ==== Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Downgrades do not work in SLES service packs, because the SP0 repo remains enabled for SP1. (This is unlike Leap, where a 15.1 system will have no 15.0 directories.) As such, to force the upgrade from Mesa:libwayland-egl1 to wayland:libwayland-egl1, the number in wayland is bumped to >18 for those distros. ==== yast2-apparmor ==== Version update (4.1.0 -> 4.1.1) - Provide icon with module (boo#1109310) - Added license file to spec. ==== yast2-network ==== Version update (4.1.17 -> 4.1.18) - bnc#709176 - keep original hostnames untouched in /etc/hosts when only IP changed - 4.1.18 - bnc#1107470 - this bug is fixed since 4.0.14 (3.2.47) ==== yast2-nfs-server ==== Version update (4.0.1 -> 4.0.2) Subpackages: yast2-nfs-common - Use the real name for nfs-server service instead an alias (bsc#1116779). - 4.0.2 - Added license file to spec. - Switched license in spec file from SPDX2 to SPDX3 format.