Packages changed: Mesa (22.2.1 -> 22.2.2) Mesa-drivers (22.2.1 -> 22.2.2) MozillaFirefox (105.0.3 -> 106.0) SVT-AV1 (1.2.0 -> 1.3.0) cpupower (5.17.9 -> 6.0.2) evolution-data-server (3.46.0 -> 3.46.1) glib2-branding-openSUSE harfbuzz (5.3.0 -> 5.3.1) imlib2 installation-images-MicroOS (17.63 -> 17.64) keylime libstorage-ng (4.5.46 -> 4.5.47) patterns-gnome patterns-microos rsync (3.2.6 -> 3.2.7) samba (4.17.0+git.257.5f0ed03584a -> 4.17.1+git.270.17afe7cb6b) selinux-policy (20220714 -> 20221019) systemd (251.5 -> 251.6) wicked (0.6.69 -> 0.6.70) xkeyboard-config (2.36 -> 2.37) yast2-country (4.5.1 -> 4.5.2) yast2-installation (4.5.7 -> 4.5.8) yast2-storage-ng (4.5.9 -> 4.5.10) === Details === ==== Mesa ==== Version update (22.2.1 -> 22.2.2) Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1 - Add patch to fix LLVM optimization to avoid failure on armv7 (https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/19217, boo#1204267): * u_0001-gallivm-Fix-LLVM-optimization-with-the-new-pass-mana.patch - update to 22.2.2 * This is the second bug fix release, back on the regular schedule. There's a lot here: nir, panfrost, gallium video, freedreno, nouveau, turnip, r300, gallium core, r600, virgl, core vulkan, anv, clover, d3d12, utils, radv, and plenty of zink. ==== Mesa-drivers ==== Version update (22.2.1 -> 22.2.2) Subpackages: Mesa-dri Mesa-gallium Mesa-libva - Add patch to fix LLVM optimization to avoid failure on armv7 (https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/19217, boo#1204267): * u_0001-gallivm-Fix-LLVM-optimization-with-the-new-pass-mana.patch - update to 22.2.2 * This is the second bug fix release, back on the regular schedule. There's a lot here: nir, panfrost, gallium video, freedreno, nouveau, turnip, r300, gallium core, r600, virgl, core vulkan, anv, clover, d3d12, utils, radv, and plenty of zink. ==== MozillaFirefox ==== Version update (105.0.3 -> 106.0) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 106.0 * support editing of PDFs * introduced Firefox View * major WebRTC update - Better screen sharing for Windows and Linux Wayland users - RTP performance and reliability improvements - Richer statistics - Cross-browser and service compatibility improvements * detailed releasenotes https://www.mozilla.org/en-US/firefox/106.0/releasenotes MFSA 2022-44 (bsc#1204421) * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs * CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print * CVE-2022-42930 (bmo#1789503) Race condition in DOM Workers * CVE-2022-42931 (bmo#1780571) Username saved to a plaintext file on disk * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Firefox - added -msse2 flag to fix i386 build and workaround bmo#1795993 - fixed used buildflags - renamed mozilla-i686-build.patch to mozilla-buildfixes.patch as it was extended with changes for other archs ==== SVT-AV1 ==== Version update (1.2.0 -> 1.3.0) - Update to release 1.3.0: * Encoder: - Port SIMD optimizations from libDav1D making the conformant path (Inv. Transform) faster - Enabling smaller mini-GOP size configurations and tuning it for the low delay mode - Tuning the low-latency mode in random access targeting latencies from 250ms to 1s - Adding GOP-constrained Rate Control targeting low-latency streaming applications - Optimize mode decision features levels for depth partitioning, RDOQ, MD stage0 pruning in-loop filtering temporal filtering and TPL adding more granularity and gaining further quality - Preset tuning M0-M13 to smooth the spacing and utilize the quality improvements towards better tradeoffs * Build, Cleanup and Documentation: - Update preset and API documentation - Various functional bug fixes - Remove the use of GLOB in cmake and use file names - Changes from release 1.2.1: * Encoder: Fix a crash at the end of the encode that may occur when an invalid metadata packet is sent with the EOS packet * Build, Cleanup: - y4m header pasring code cleanup - API cleanup and enhancements adding string options for RC mode - Added option to build without app / dec / enc using the build.sh / build.bat scripts ==== cpupower ==== Version update (5.17.9 -> 6.0.2) Subpackages: cpupower-lang libcpupower0 - clean up sources: drop rapl_monitor.patch and cpupower_rapl.patch. - Move bash-completion to subpackage so it isn't installed when not needed - Remove powercap capabilities to patch againt latest kernel sources - > still keep the patches, will be removed after trying to get this mainline - Add netlink (libnl-devel) requires ==== evolution-data-server ==== Version update (3.46.0 -> 3.46.1) Subpackages: evolution-data-server-lang libcamel-1_2-64 libebackend-1_2-11 libebook-1_2-21 libebook-contacts-1_2-4 libecal-2_0-2 libedata-book-1_2-27 libedata-cal-2_0-2 libedataserver-1_2-27 libedataserverui-1_2-4 - Update to version 3.46.1: + po: Merge .source files back to the POTFILES.in + IMAPX: Hide complete requests in debug logs for some sensitive commands + Handle negative value for GUri's port + CamelDB: Fix an uninitialized variable warning + Bugs Fixed: - LDAP: . Possible memory leak in build_mods_from_contacts() . Use valid values for error paths of contact create/remove - Serialize OAuth2 token refresh for an account - IMAP: Does not forget renamed folders on the server - Tautology in e_named_parameters_equal() - camel-db.c: Rearrange transaction handling + Updated translations. ==== glib2-branding-openSUSE ==== - Fix default openSUSE wallpaper is not present in dark mode (boo#1204138). ==== harfbuzz ==== Version update (5.3.0 -> 5.3.1) Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0 - Update to version 5.3.1: + Subsetter repacker fixes + Adjust Grapheme clusters for Katakana voiced sound marks + New hb-subset option --preprocess-face - Add harfbuzz-5.3.1-Fix_check-symbols_failure.patch: Fix failing tests. ==== imlib2 ==== Subpackages: imlib2-loaders libImlib2-1 - enable loaders for JPEG2000, HEIF, Postscript, SVG, JPEG-XL ==== installation-images-MicroOS ==== Version update (17.63 -> 17.64) - merge gh#openSUSE/installation-images#613 - remove reiserfs support (bsc#1204551) - 17.64 ==== keylime ==== Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python310-keylime - Update requirement name to python-lark ==== libstorage-ng ==== Version update (4.5.46 -> 4.5.47) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#900 - make result of ParitionTable::is_partition_id_supported() depend on parted version - 4.5.47 ==== patterns-gnome ==== Subpackages: patterns-gnome-gnome_basic patterns-gnome-gnome_basis patterns-gnome-gnome_basis_opt patterns-gnome-sw_management_gnome - Require at-spi2-core else risk major performance issues (boo#1204564) - Delete some abandoned packages. - Replace gnome-tweak-tool to gnome-tweaks. - Add gnome-backgrounds Recommends to gnome-x11 pattern. ==== patterns-microos ==== Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-desktop-common patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap - Require at-spi2-core else risk major performance issues (boo#1204564) - Do not require kdump on 32-bit arm - boo#1203888 - Replace tftpboot-installation-openSUSE-MicroOS-%{_arch} with tftpboot-installation-openSUSE-MicroOS-%{_target_cpu} to match what installation-images:MicroOS produces ==== rsync ==== Version update (3.2.6 -> 3.2.7) - New version fixes bug (boo#1203727): implicit containing directory sometimes rejected as unrequested - update to 3.2.7 * BUG FIXES: - Fixed the client-side validating of the remote sender's filtering behavior. - More fixes for the "unrequested file-list name" name, including a copy of "/" with `--relative` enabled and a copy with a lot of related paths with `--relative` enabled (often derived from a `--files-from` list). - When rsync gets an unpack error on an ACL, mention the filename. - Avoid over-setting sanitize_paths when a daemon is serving "/" (even if "use chroot" is false). * ENHANCEMENTS: - Added negotiated daemon-auth support that allows a stronger checksum digest to be used to validate a user's login to the daemon. Added SHA512, SHA256, and SHA1 digests to MD5 & MD4. These new digests are at the highest priority in the new daemon-auth negotiation list. - Added support for the SHA1 digest in file checksums. While this tends to be overkill, it is available if someone really needs it. This overly-long checksum is at the lowest priority in the normal checksum negotiation list. See [`--checksum-choice`](rsync.1#opt) (`--cc`) and the `RSYNC_CHECKSUM_LIST` environment var for how to customize this. - Improved the xattr hash table to use a 64-bit key without slowing down the key's computation. This should make extra sure that a hash collision doesn't happen. - If the `--version` option is repeated (e.g. `-VV`) then the information is output in a (still readable) JSON format. Client side only. - The script `support/json-rsync-version` is available to get the JSON style version output from any rsync. The script accepts either text on stdin * *or** an arg that specifies an rsync executable to run with a doubled `--version` option. If the text we get isn't already in JSON format, it is converted. Newer rsync versions will provide more complete json info than older rsync versions. Various tweaks are made to keep the flag names consistent across versions. - The [`use chroot`](rsyncd.conf.5#) daemon parameter now defaults to "unset" so that rsync can use chroot when it works and a sanitized copy when chroot is not supported (e.g., for a non-root daemon). Explicitly setting the parameter to true or false (on or off) behaves the same way as before. - The `--fuzzy` option was optimized a bit to try to cut down on the amount of computations when considering a big pool of files. The simple heuristic from Kenneth Finnegan resuled in about a 2x speedup. - If rsync is forced to use protocol 29 or before (perhaps due to talking to an rsync before 3.0.0), the modify time of a file is limited to 4-bytes. Rsync now interprets this value as an unsigned integer so that a current year past 2038 can continue to be represented. This does mean that years prior to 1970 cannot be represented in an older protocol, but this trade-off seems like the right choice given that (1) 2038 is very rapidly approaching, and (2) newer protocols support a much wider range of old and new dates. - The rsync client now treats an empty destination arg as an error, just like it does for an empty source arg. This doesn't affect a `host:` arg (which is treated the same as `host:.`) since the arg is not completely empty. The use of [`--old-args`](rsync.1#opt) (including via `RSYNC_OLD_ARGS`) allows the prior behavior of treating an empty destination arg as a ".". * PACKAGING RELATED: - The checksum code now uses openssl's EVP methods, which gets rid of various deprecation warnings and makes it easy to support more digest methods. On newer systems, the MD4 digest is marked as legacy in the openssl code, which makes openssl refuse to support it via EVP. You can choose to ignore this and allow rsync's MD4 code to be used for older rsync connections (when talking to an rsync prior to 3.0.0) or you can choose to configure rsync to tell openssl to enable legacy algorithms (see below). - A simple openssl config file is supplied that can be installed for rsync to use. If you install packaging/openssl-rsync.cnf to a public spot (such as `/etc/ssl/openssl-rsync.cnf`) and then run configure with the option `--with-openssl-conf=/path/name.cnf`, this will cause rsync to export the configured path in the OPENSSL_CONF environment variable (when the variable is not already set). This will enable openssl's MD4 code for rsync to use. - The packager may wish to include an explicit "use chroot = true" in the top section of their supplied /etc/rsyncd.conf file if the daemon is being installed to run as the root user (though rsync should behave the same even with the value unset, a little extra paranoia doesn't hurt). - I've noticed that some packagers haven't installed support/nameconvert for users to use in their chrooted rsync configs. Even if it is not installed as an executable script (to avoid a python3 dependency) it would be good to install it with the other rsync-related support scripts. - It would be good to add support/json-rsync-version to the list of installed support scripts. ==== samba ==== Version update (4.17.0+git.257.5f0ed03584a -> 4.17.1+git.270.17afe7cb6b) Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-client samba-client-libs samba-libs samba-libs-python3 samba-python3 - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). * Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). ==== selinux-policy ==== Version update (20220714 -> 20221019) Subpackages: selinux-policy-targeted - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus ==== systemd ==== Version update (251.5 -> 251.6) Subpackages: libsystemd0 libudev1 systemd-doc systemd-lang udev - Import commit f78bba8d037cc26c09bbdd167625b2d7fe1f5a30 (merge of v251.6) Beside the merge of v251.6, it also includes the following backport: - 07aaa898bd pstore: do not try to load all known pstore modules For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/07aa29e3942fb46b0aed5405c88e8d3179ca958f...f78bba8d037cc26c09bbdd167625b2d7fe1f5a30 - Don't create /var/lib/systemd/random-seed in %post (bsc#1181458) To make sure that the same seed is not replicated when installing from a 'golden' image. For regular installations the random seed file is initialized by the installer itself (bsc#1174964). Even if it didn't, the random seed file would be created on first boot anyway. - Avoid expanding of macro in comment which leads to an error on installation (workaround for bsc#1203847) ==== wicked ==== Version update (0.6.69 -> 0.6.70) Subpackages: wicked-service - version 0.6.70 - build: Link as Position Independent Executable (bsc#1184124) - dhcp4: Fix issues in reuse of last lease (bsc#1187655) - dhcp6: Add option to refresh lease (jsc#SLE-9492,jsc#SLE-24307) - dhcp6: Remove address before release (USGv6 DHCPv6_1_2_07b) - dhcp6: Ignore lease release status (USGv6 DHCPv6_1_2_07e,1_3_03) - dhcp6: Consider ppp interfaces supported (gh#openSUSE/wicked#924) - team: Fix to configure port priority in teamd (bsc#1200505) - firewall-ext: No config change on ifdown (bsc#1201053,bsc#118950) - wireless: Fix SEGV on supplicant restart (gh#openSUSE/wicked#931) - wireless: Add support for WPA3 and PMF (bsc#1198894) - wireless: Remove libiw dependencies (gh#openSUSE/wicked#910) - client: Fix SEGV on empty xpath results (gh#openSUSE/wicked#919) - client: Add release options to ifdown/ifreload (jsc#SLE-10249) - dbus: Clear string array before append (gh#openSUSE/wicked#913) - socket: Fix SEGV on heavy socket restart errors (bsc#1192508) - systemd: Remove systemd-udev-settle dependency (bsc#1186787) ==== xkeyboard-config ==== Version update (2.36 -> 2.37) Subpackages: xkeyboard-config-lang - Update to version 2.37 * bugfixes - supersedes U_Fixes-regression-from-c3c5d02-were-mistakenly-replac.patch - Reduce python3 to python3-base ==== yast2-country ==== Version update (4.5.1 -> 4.5.2) Subpackages: yast2-country-data - Use Canadian (CSA) instead of Canadian (Multilingual) keyboard layout, adapting to xkeyboard-config-2.37 (bsc#1204573) - 4.5.2 ==== yast2-installation ==== Version update (4.5.7 -> 4.5.8) - add 'repo', 'cd', 'dvd', 'hd', and 'label' schemes to Yast::Transfer::FileFromUrl (jsc#SLE-22578, jsc#SLE-24584) - 4.5.8 ==== yast2-storage-ng ==== Version update (4.5.9 -> 4.5.10) - Unit tests adapted to a recent behavior change in libstorage-ng (gh#openSUSE/libstorage-ng#900). - 4.5.10