Packages changed: ImageMagick (7.1.0.50 -> 7.1.0.51) alsa (1.2.7.2 -> 1.2.8) alsa-ucm-conf (1.2.7.2 -> 1.2.8) alsa-utils (1.2.7 -> 1.2.8) bluez curl (7.85.0 -> 7.86.0) dbus-1 (1.14.0 -> 1.14.4) dbus-1-x11 (1.14.0 -> 1.14.4) expat (2.4.9 -> 2.5.0) gdb gettext-runtime (0.21 -> 0.21.1) gtk4 (4.8.1 -> 4.8.2) irqbalance kernel-firmware (20220930 -> 20221017) keylime (6.5.1 -> 6.5.2) libidn2 (2.3.3 -> 2.3.4) libreoffice (7.4.1.2 -> 7.4.2.3) libxshmfence (1.3 -> 1.3.1) multipath-tools (0.9.2+57+suse.cf3c1e9 -> 0.9.2+59+suse.ac8942d) openSUSE-build-key pkcs11-helper (1.28.0 -> 1.29.0) python-SQLAlchemy (1.4.41 -> 1.4.42) python-oauthlib (3.2.1 -> 3.2.2) python-typing_extensions (4.3.0 -> 4.4.0) rust-keylime (0.1.0+git.1664480840.0ea0492 -> 0.1.0+git.1666019359.f5de47b) samba (4.17.1+git.270.17afe7cb6b -> 4.17.2+git.273.a55a83528b9) sddm syslogd (1.4.1 -> 1.5.1) systemd (251.6 -> 251.7) transactional-update (4.0.1 -> 4.1.0) vulkan-loader (1.3.224.0 -> 1.3.231.0) vulkan-tools (1.3.224.0 -> 1.3.231) webkit2gtk3 (2.38.0 -> 2.38.1) webkit2gtk4 (2.38.0 -> 2.38.1) xcb-util-cursor (0.1.3 -> 0.1.4) xdg-user-dirs (0.17 -> 0.18) yast2 (4.5.17 -> 4.5.18) yast2-add-on (4.5.1 -> 4.5.2) yast2-ruby-bindings (4.5.3 -> 4.5.4) === Details === ==== ImageMagick ==== Version update (7.1.0.50 -> 7.1.0.51) Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - update to 7.1.0.51: * obtain scene from image structure * prevent undefined shift * Added private api to go through a linked list without using semaphores. * Fixed build. * latest automake configuration * fix undefined-shift in ReadTGAImage @ https://oss-fuzz.com/testcase?key=5129864151957504 * prevent divide by zero exception ==== alsa ==== Version update (1.2.7.2 -> 1.2.8) Subpackages: libasound2 libatopology2 - Update to version 1.2.8: add FreeBSD/NetBD/OpenBSD build support, fixes in control namehint, various PCM plugins and UCM. For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.7.2_v1.2.8 - Add keyring ==== alsa-ucm-conf ==== Version update (1.2.7.2 -> 1.2.8) - Update to version 1.2.8: lots of new profiles for USB-audio, SOF and others: https://www.alsa-project.org/wiki/Changes_v1.2.7.2_v1.2.8 - Add keyring ==== alsa-utils ==== Version update (1.2.7 -> 1.2.8) - Update to alsa-utils 1.2.8: automake update, minor alsactl, amixer and aplay fixes. https://www.alsa-project.org/wiki/Changes_v1.2.7.2_v1.2.8 - Add keyring ==== bluez ==== Subpackages: bluez-auto-enable-devices bluez-cups libbluetooth3 - For pushing bluez 5.65 to 15-SP5 (bluez-5.62), sync more change log: (jsc#PED-1407) - The hcidump-Fix-set_ext_ctrl-global-buffer-overflow.patch be merged to bluez-5.51 in 2018. (bsc#1013732)(CVE-2016-9801) - The following btmon patches are merged to bluez-5.51 and later: 0001-btmon-fix-segfault-caused-by-buffer-over-read.patch 0002-btmon-fix-segfault-caused-by-buffer-over-read.patch 0003-btmon-fix-segfault-caused-by-buffer-over-read.patch 0004-btmon-Fix-crash-caused-by-integer-underflow.patch 0005-btmon-fix-stack-buffer-overflow.patch 0006-btmon-fix-multiple-segfaults.patch 0007-btmon-fix-segfault-caused-by-integer-underflow.patch 0008-btmon-fix-segfault-caused-by-integer-undeflow.patch 0009-btmon-fix-segfault-caused-by-buffer-over-read.patch 0010-btmon-fix-segfault-caused-by-buffer-overflow.patch 0011-btmon-fix-segfault-caused-by-integer-underflow.patch 0012-btmon-fix-segfault-caused-by-buffer-over-read.patch (bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802) - The shared-gatt-server-Fix-not-properly-checking-for-sec.patch be merged to bluez-5.57 in 2021. (bsc#1186463 CVE-2021-0129 CVE-2020-26558) - The gatt-Fix-potential-buffer-out-of-bound.patch be merged to bluez-5.56 in 2021. (bsc#1187165 CVE-2021-3588) - The shared-gatt-db-Introduce-gatt_db_attribute_set_fixed.patch be merged to bluez-5.56 in 2021. (bsc#1187165 CVE-2021-3588) - The gatt-Make-use-of-gatt_db_attribute_set_fixed_length.patch be merged to bluez-5.56 in 2021. (bsc#1187165 CVE-2021-3588) - Add JIRA-SLE-18497 number to 5.60, 5.61 and 5.62 update log to sync with bluez.changes in SLE15-SP5. - Install modprobe.conf files to %_modprobedir This change already in bluez.sepc in openSUSE:Factory/bluez. Sync the change log here. (bsc#1196275, jsc#SLE-20639) ==== curl ==== Version update (7.85.0 -> 7.86.0) Subpackages: libcurl4 - Update to 7.86.0: * Security fixes: - POST following PUT confusion [bsc#1204383, CVE-2022-32221] - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260] - HTTP proxy double-free [bsc#1204385, CVE-2022-42915] - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916] * Changes: - NPN: remove support for and use of - Websockets: initial support * Bugfixes: - altsvc: reject bad port numbers - autotools: reduce brute-force when detecting recv/send arg list - aws_sigv4: fix header computation - cli tool: do not use disabled protocols - connect: change verbose IPv6 address:port to [address]:port - connect: fix builds without AF_INET6 - connect: fix Curl_updateconninfo for TRNSPRT_UNIX - connect: fix the wrong error message on connect failures - content_encoding: use writer struct subclasses for different encodings - cookie: reject cookie names or content with TAB characters - curl/add_file_name_to_url: use the libcurl URL parser - curl/get_url_file_name: use libcurl URL parser - curl: warn for --ssl use, considered insecure - docs/libcurl/symbols-in-versions: add several missing symbols - ftp: ignore a 550 response to MDTM - functypes: provide the recv and send arg and return types - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled - header: define public API functions as extern c - headers: reset the requests counter at transfer start - hostip: guard PF_INET6 use - hostip: lazily wait to figure out if IPv6 works until needed - http, vauth: always provide Curl_allow_auth_to_host() functionality - http2: make nghttp2 less picky about field whitespace - http: try parsing Retry-After: as a number first - http_proxy: restore the protocol pointer on error - lib: add missing limits.h includes - lib: prepare the incoming of additional protocols - lib: sanitize conditional exclusion around MIME - libssh: if sftp_init fails, don't get the sftp error code - mprintf: reject two kinds of precision for the same argument - mqtt: return error for too long topic - netrc: compare user name case sensitively - netrc: replace fgets with Curl_get_line - netrc: use the URL-decoded user - ngtcp2: fix build errors due to changes in ngtcp2 library - noproxy: support proxies specified using cidr notation - openssl: make certinfo available for QUIC - resolve: make forced IPv4 resolve only use A queries - schannel: ban server ALPN change during recv renegotiation - schannel: don't reset recv/send function pointers on renegotiation - schannel: when importing PFX, disable key persistence - setopt: use the handler table for protocol name to number conversions - setopt: when POST is set, reset the 'upload' field - single_transfer: use the libcurl URL parser when appending query parts - smb: replace CURL_WIN32 with WIN32 - tool: avoid generating ambiguous escaped characters in --libcurl - tool_main: exit at once if out of file descriptors - tool_operate: more transfer cleanup after parallel transfer fail - tool_operate: prevent over-queuing in parallel mode - tool_paramhelp: asserts verify maximum sizes for string loading - tool_xattr: save the original URL, not the final redirected one - url: a zero-length userinfo part in the URL is still a (blank) user - url: allow non-HTTPS HSTS-matching for debug builds - url: rename function due to name-clash in Watt-32 - url: use IDN decoded names for HSTS checks - urlapi: detect scheme better when not guessing - urlapi: fix parsing URL without slash with CURLU_URLENCODE - urlapi: reject more bad characters from the host name field * Remove patch upstream: - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch ==== dbus-1 ==== Version update (1.14.0 -> 1.14.4) Subpackages: dbus-1-common dbus-1-daemon dbus-1-tools libdbus-1-3 - update to 1.14.4 (bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012): This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: * On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) * Denial of service fixes: - Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. - An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) - A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) - A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) - Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) - On Linux, don't log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) - Slightly improve error-handling for inotify (dbus!235, Simon McVittie) - Don't crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar) ==== dbus-1-x11 ==== Version update (1.14.0 -> 1.14.4) - update to 1.14.4 (bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012): This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: * On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) * Denial of service fixes: - Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. - An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) - A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) - A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) - Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) - On Linux, don't log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) - Slightly improve error-handling for inotify (dbus!235, Simon McVittie) - Don't crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar) ==== expat ==== Version update (2.4.9 -> 2.5.0) Subpackages: libexpat1 - Update to 2.5.0: (bsc#1204708) * Security fixes: - CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution. * Bug fixes: - Fix curruption from undefined entities - Fix case when parsing was suspended while processing nested entities - Stop leaking opening tag bindings after a closing tag mismatch error where a parser is reset through XML_ParserReset and then reused to parse - CMake: Fix generation of pkg-config file - MinGW|CMake: Fix static library name * Other changes: - Protect header expat_config.h from multiple inclusion - examples: Make use of XML_GetBuffer and be more consistent across examples - Address compiler warnings - Version info bumped from 9:9:8 to 9:10:8; see https://verbump.de/ for what these numbers do ==== gdb ==== - Patches added (swo#29277): * gdb-fix-assert-in-handle_jit_event.patch - Maintenance script qa.sh: * Add PR29706 and PR28617 kfails. ==== gettext-runtime ==== Version update (0.21 -> 0.21.1) Subpackages: libtextstyle0 - update keyring for the last version update - Update to Version 0.21.1 * Runtime behaviour: - On AIX, locale names with a script or with an uppercase language are now supported. For example, sr_Cyrl_RS.UTF-8 is treated like sr_RS.UTF-8@cyrillic, and EN_US.UTF-8 is treated like en_US.UTF-8. * The base Unicode standard is now updated to 14.0.0. * Portability: - Building on macOS 11/arm64 is now supported. - Building on Linux/powerpc64le with glibc ≥ 2.35 is now supported. ==== gtk4 ==== Version update (4.8.1 -> 4.8.2) Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.8.2: + Input: - Give input methods more control over resets and allow them to preserve state. - Align interpretation of modifiers in key events in X11 and Wayland. + GtkColumnView: Fixes to focus handling. + GtkPopover: - Fix problems with focus when dismissing popovers. - Fix problems with focusing editable labels in popovers. + Build: - Fix build problems with resources and non-gnu linkers. - Fix gi-docgen detection in cross builds. - Require meson 0.60. + Debugging: - Make more debug options available in no-debug builds. - Improve consistency of debug logging. - Give names to all sources. + Accessibility: Introduce GtkAccessibleRange. + Wayland: - Make monitor bounds handling more robust. - Prevent shrinking clients due to wrong toplevel bounds. + Broadway: Return correct pointer coordinates from device queries. + Updated translations. ==== irqbalance ==== Subpackages: irqbalance-ui - run tests - add Avoid-double-free-on-deinit_thermal.patch (bsc#1204607) ==== kernel-firmware ==== Version update (20220930 -> 20221017) Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network ucode-amd - Update to version 20221017 (git commit 48407ffd7adb): * cnm: update chips&media wave521c firmware. * brcm: add symlink for Pi Zero 2 W NVRAM file * rtw89: 8852b: add initial fw v0.27.32.0 * iwlwifi: add new FWs from core72-129 release * iwlwifi: update 9000-family firmwares to core72-129 * rtl_bt: Update RTL8852C BT USB firmware to 0xD5B8_A40A * amdgpu: update GC 10.3.6 RLC firmware * amdgpu: update GC 10.3.7 RLC firmware * amdgpu: update Yellow Carp RLC firmware * amdgpu: update Beige Goby RLC firmware * amdgpu: update Dimgrey Cavefish RLC firmware * amdgpu: update Navy Flounder RLC firmware * amdgpu: update Sienna Cichlid RLC firmware * mediatek: Update mt8195 SOF firmware to v0.4.1 * qcom: add squashed version of a530 zap shader * rtw89: 8852c: update fw to v0.27.56.1 * rtw89: 8852c: update fw to v0.27.56.0 * mediatek: Update mt8186 SCP firmware - Update Cirrus CS35L41 firmware (bsc#1203699) cirrus-WHENCE-update.patch - Update aliases from 6.1-rc1 kernel ==== keylime ==== Version update (6.5.1 -> 6.5.2) Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python310-keylime - Update to version v6.5.2: * Back to 6.5.1 * This PR fixes a bug that prevented 6.5.x verifiers from interacting with 6.2. agents * Revert "Revert "tenant: open file to send utf-8 encoded" (#1136)" (#1141) * Revert "tenant: open file to send utf-8 encoded" (#1136) * ca_util: allow users in the same group to read the created certificates and keys (#1138) * Update sample ima-policy to exclude overlayfs * installer: remove tarball option ==== libidn2 ==== Version update (2.3.3 -> 2.3.4) Subpackages: libidn2-0 libidn2-lang - update to 2.3.4: * Support for Unicode 15.0.0 * Uses IDNA2008 from tables from unicode.org rather than IANA for consistency with other implementation and support for Unicode versions 12 through 15. This breaks backwards- compatibility regarding U+19DA and recent releases ==== libreoffice ==== Version update (7.4.1.2 -> 7.4.2.3) Subpackages: libreoffice-base libreoffice-branding-upstream libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit - Fix bsc#1201095 - LO-L3: Text box shows that does not show in PowerPoint * bsc1201095.patch - Update to 7.4.2.3: https://wiki.documentfoundation.org/Releases/7.4.2/RC3 https://wiki.documentfoundation.org/Releases/7.4.2/RC2 https://wiki.documentfoundation.org/Releases/7.4.2/RC1 - Remove upstreamed patches: * poppler-22.09.0.patch * bsc1203502.patch ==== libxshmfence ==== Version update (1.3 -> 1.3.1) - Update to version 1.3.1 * Update README for gitlab migration * Update configure.ac bug URL for gitlab migration * Fix spelling/wording issues * gitlab CI: add a basic build test * alloc: prefer atomic close-on-exec without O_TMPFILE as well * alloc: prefer SHM_ANON on FreeBSD a la memfd_create ==== multipath-tools ==== Version update (0.9.2+57+suse.cf3c1e9 -> 0.9.2+59+suse.ac8942d) Subpackages: kpartx libmpath0 - Update to version 0.9.2+59+suse.ac8942d: * Fix segfault in "multipath -t" command (boo#1204731) ==== openSUSE-build-key ==== - add the SUSE Container key in PEM format too to new /usr/share/pki/containers/ directory. (bsc#1204706) ==== pkcs11-helper ==== Version update (1.28.0 -> 1.29.0) Subpackages: libpkcs11-helper1 - Update to 1.29.0: * build: do not fail if slot evnets are disabled, thanks to Fabrice Fontaine. * core: do not assume standard objects supported by provider. * openssl: set back key into EVP for openssl-3 to work, thanks to apollo13. ==== python-SQLAlchemy ==== Version update (1.4.41 -> 1.4.42) - update to version 1.4.42: * orm + The Session.execute.bind_arguments dictionary is no longer mutated when passed to Session.execute() and similar; instead, it’s copied to an internal dictionary for state changes. Among other things, this fixes and issue where the “clause” passed to the Session.get_bind() method would be incorrectly referring to the Select construct used for the “fetch” synchronization strategy, when the actual query being emitted was a Delete or Update. This would interfere with recipes for “routing sessions”. References: #8614 + A warning is emitted in ORM configurations when an explicit remote() annotation is applied to columns that are local to the immediate mapped class, when the referenced class does not include any of the same table columns. Ideally this would raise an error at some point as it’s not correct from a mapping point of view. References: #7094 + A warning is emitted when attempting to configure a mapped class within an inheritance hierarchy where the mapper is not given any polymorphic identity, however there is a polymorphic discriminator column assigned. Such classes should be abstract if they never intend to load directly. References: #7545 + Fixed regression for 1.4 in contains_eager() where the “wrap in subquery” logic of joinedload() would be inadvertently triggered for use of the contains_eager() function with similar statements (e.g. those that use distinct(), limit() or offset()), which would then lead to secondary issues with queries that used some combinations of SQL label names and aliasing. This “wrapping” is not appropriate for contains_eager() which has always had the contract that the user-defined SQL statement is unmodified with the exception of adding the appropriate columns to be fetched. References: #8569 + Fixed regression where using ORM update() with synchronize_session=’fetch’ would fail due to the use of evaluators that are now used to determine the in-Python value for expressions in the the SET clause when refreshing objects; if the evaluators make use of math operators against non-numeric values such as PostgreSQL JSONB, the non-evaluable condition would fail to be detected correctly. The evaluator now limits the use of math mutation operators to numeric types only, with the exception of “+” that continues to work for strings as well. SQLAlchemy 2.0 may alter this further by fetching the SET values completely rather than using evaluation. References: [#8507] * engine + Fixed issue where mixing “*” with additional explicitly-named column expressions within the columns clause of a select() construct would cause result-column targeting to sometimes consider the label name or other non-repeated names to be an ambiguous target. References: #8536 * asyncio + Improved implementation of asyncio.shield() used in context managers as added in #8145, such that the “close” operation is enclosed within an asyncio.Task which is then strongly referenced as the operation proceeds. This is per Python documentation indicating that the task is otherwise not strongly referenced. References: #8516 * postgresql + aggregate_order_by now supports cache generation. References: [#8574] * mysql + Adjusted the regular expression used to match “CREATE VIEW” when testing for views to work more flexibly, no longer requiring the special keyword “ALGORITHM” in the middle, which was intended to be optional but was not working correctly. The change allows view reflection to work more completely on MySQL-compatible variants such as StarRocks. Pull request courtesy John Bodley. References: #8588 * mssql + Fixed yet another regression in SQL Server isolation level fetch (see #8231, #8475), this time with “Microsoft Dynamics CRM Database via Azure Active Directory”, which apparently lacks the system_views view entirely. Error catching has been extended that under no circumstances will this method ever fail, provided database connectivity is present. References: #8525 - Also remove the conditional definition of python_module. ==== python-oauthlib ==== Version update (3.2.1 -> 3.2.2) - update to version 3.2.2: * OAuth2.0 Provider: * CVE-2022-36087 - Also remove the conditional definition of python_module. ==== python-typing_extensions ==== Version update (4.3.0 -> 4.4.0) - Clean specfile from old cruft. - Requires Python 3.7+ - Fix testsuite: Must test as module; don't need multibuild. - Update Summary and Description - Update to version 4.4.0 * Add `typing_extensions.Any` a backport of python 3.11's Any class which is subclassable at runtime. (backport from python/cpython#31841, by Shantanu and Jelle Zijlstra). Patch by James Hilton-Balfe (@Gobot1234). * Add initial support for TypeVarLike `default` parameter, PEP 696. Patch by Marc Mueller (@cdce8p). * Runtime support for PEP 698, adding `typing_extensions.override`. Patch by Jelle Zijlstra. * Add the `infer_variance` parameter to `TypeVar`, as specified in PEP 695. Patch by Jelle Zijlstra. ==== rust-keylime ==== Version update (0.1.0+git.1664480840.0ea0492 -> 0.1.0+git.1666019359.f5de47b) - Add cargo-audit service per policy - Update to version 0.1.0+git.1666019359.f5de47b: * README: mark Rust agent as the official one, fix cargo run command ==== samba ==== Version update (4.17.1+git.270.17afe7cb6b -> 4.17.2+git.273.a55a83528b9) Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-client samba-client-libs samba-libs samba-libs-python3 samba-python3 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). ==== sddm ==== Subpackages: sddm-branding-openSUSE - Add patch to avoid launching xdg-desktop-portal by accident: * 0001-disable-automatic-portal-launching.patch ==== syslogd ==== Version update (1.4.1 -> 1.5.1) - Update ot version 1.5.1 ChangeLog for version 1.5.1 Many thanks to Rainer Gerhards, rsyslog project lead, for identifying a problem with how rsyslog's rsyslogd and sysklogd's syslogd check for invalid priority values (CVE-2014-3634). ChangeLog for version 1.5 * Fix file descriptor leak in klogd * Improve argument list processing * Prevent potential buffer overflow in reading messages from the kernel log ringbuffer * Ensure that "len" is not placed in a register, and that the endtty() signal handler is not installed too early which could cause a segmentation fault or worse * klogd will reconnect to the logger (mostly syslogd) after it went away during operation * On heavily loaded system syslog will not spit out error messages anymore when recvfrom() results in EAGAIN * Makefile improvements * Local copy of module.h * Improved manpage * Always log with syslogd's timezone and locale * Remove trailing newline when forwarding messages * Continue working properly if /etc/service is missing and ignore network activity * Continue writing to log files as soon as space becomes available again after a filled up disk * Removed test to detect control characters> 0x20 as this prevented characters encoded in UTF-8 to be properly passed through * Only resolve the local domain when accepting messages from remote * Properly accompany the MARK message with the facility * Improved daemonise routine in klogd to stabilise startup * klogd will not change the console log level anymore unless -c is given * Added back /usr/src/linux/System.map as fall-back location * Rewrite the module symbol parser to read from /proc/kallsyms * Notify the waiting parent process if the client dies * Complete rewrite of the oops kernel module for Linux 2.6 * Only read kernel symbols from /proc/kallsyms if no System.map has been read * Improved symbol lookup * Prevent named pipes from becoming the controlling tty * Fixing a race condition in syslogd discovered in UML * Improved README.linux * Added boundary checks in klogd * Don't block on the network socket in case of packet loss * Don't crash when filesize limit is reached (e.g. without LFS) * Fix spurious hanging syslogd in connection with futex and NPTL introduced in recent glibc versions and Linux 2.6 (details) * Improved syslog.conf(5) manpage * Use socklen_t where appropriate * Use newer query_module function rather than stepping through /dev/kmem. * Remove special treatment of the percent sign in klogd - Remove patches now upstream solved * klogd-obsolete.patch * sysklogd-1.4.1-fileleak.patch * sysklogd-1.4.1-ksym.patch * sysklogd-1.4.1-no_SO_BSDCOMPAT.diff * sysklogd-1.4.1-owl-crunch_list.diff * sysklogd-1.4.1-preserve_percents.patch * sysklogd-1.4.1-utf8.patch - Port patches * sysklogd-1.4.1-CVE-2014-3634.patch * sysklogd-1.4.1-clearing.patch * sysklogd-1.4.1-dgram.patch * sysklogd-1.4.1-dns.patch * sysklogd-1.4.1-dontsleep.patch * sysklogd-1.4.1-forw.patch * sysklogd-1.4.1-klogd24.dif * sysklogd-1.4.1-ksyslogsize.diff * sysklogd-1.4.1-large.patch * sysklogd-1.4.1-nofortify.patch * sysklogd-1.4.1-reload.dif * sysklogd-1.4.1-reopen.patch * sysklogd-1.4.1-showpri.patch * sysklogd-1.4.1-signal.dif * sysklogd-1.4.1-sparc.patch * sysklogd-1.4.1-sysmap-prior-to-2.5.patch * sysklogd-1.4.1-systemd-multi.dif * sysklogd-1.4.1-systemd-sock-name.patch * sysklogd-1.4.1-systemd.dif * sysklogd-1.4.1-unix_sockets.patch * sysklogd-1.4.1.dif * sysklogd-ipv6.diff ==== systemd ==== Version update (251.6 -> 251.7) Subpackages: libsystemd0 libudev1 systemd-doc systemd-lang udev - Import commit c212388f7de8d22a3f7c22b19553548ccc0cdd15 (merge of v251.7) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/f78bba8d037cc26c09bbdd167625b2d7fe1f5a30...c212388f7de8d22a3f7c22b19553548ccc0cdd15 - specfile: reindent comments ==== transactional-update ==== Version update (4.0.1 -> 4.1.0) Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit - Version 4.1.0 - t-u: Add a "setup-kdump" command; implements [jsc#PED-1441] - Export TRANSACTIONAL_UPDATE_ROOT (the path to the snapshot) in the update environment; implements [jsc#PED-1078] - Add support for "notify" reboot method for desktop use [gh#openSUSE/transactional-update#93] - Fix kdump initrd recreation detection; the check was performed in the active snapshot instead of the target snapshot - Document register command [bsc#1202900] - Avoid unnecessary snapshots for register command [bsc#1202901] - Various optimizations for register command - Remove bogus error message when triggering reboot - Rework /etc overlay documentation in "The Transactional Update Guide" - Fix incorrect manpage formatting - Remove leftover "salt" reboot method in configuration example file - Replace deprecated std::mem_fn with lambdas ==== vulkan-loader ==== Version update (1.3.224.0 -> 1.3.231.0) - Update to release SDK-1.3.231.0 * Don't pass portability bit to ICDs that dont expect it. * Allow implicit layers for all API versions. ==== vulkan-tools ==== Version update (1.3.224.0 -> 1.3.231) - Update to release 1.3.231.0 * Adapt to Vulkan 231 API, but otherwise no interesting changes - Add 0001-cubepp-Fix-presentKHR-assert.patch ==== webkit2gtk3 ==== Version update (2.38.0 -> 2.38.1) Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.38.1: + Make xdg-dbus-proxy work if host session bus address is an abstract socket. + Use a single xdg-dbus-proxy process when sandbox is enabled. + Fix high resolution video playback due to unimplemented changeType operation. + Ensure GSubprocess uses posix_spawn() again and inherit file descriptors. + Fix player stucking in buffering (paused) state for progressive streaming. + Do not try to preconnect on link click when link preconnect setting is disabled. + Fix close status code returned when the client closes a WebSocket in some cases. + Fix media player duration calculation. + Fix several crashes and rendering issues. ==== webkit2gtk4 ==== Version update (2.38.0 -> 2.38.1) Subpackages: WebKit2GTK-5.0-lang libjavascriptcoregtk-5_0-0 libwebkit2gtk-5_0-0 webkit2gtk-5_0-injected-bundles - Update to version 2.38.1: + Make xdg-dbus-proxy work if host session bus address is an abstract socket. + Use a single xdg-dbus-proxy process when sandbox is enabled. + Fix high resolution video playback due to unimplemented changeType operation. + Ensure GSubprocess uses posix_spawn() again and inherit file descriptors. + Fix player stucking in buffering (paused) state for progressive streaming. + Do not try to preconnect on link click when link preconnect setting is disabled. + Fix close status code returned when the client closes a WebSocket in some cases. + Fix media player duration calculation. + Fix several crashes and rendering issues. ==== xcb-util-cursor ==== Version update (0.1.3 -> 0.1.4) - Update to version 0.1.4 * Update README for gitlab migration * Add README.md to EXTRA_DIST * Use AC_CONFIG_FILES to replace the deprecated AC_OUTPUT with parameters * Update m4 to xorg/util/xcb-util-m4@c617eee22ae5c285e79e81 * gitlab CI: add a basic build test * configure: Drop AM_MAINTAINER_MODE * autogen.sh: Honor NOCONFIGURE=1 * autogen.sh: use quoted string variables * autogen: add default patch prefix * autogen.sh: use exec instead of waiting for configure to finish * documentation: Call xcb_free_cursor() when done * Fix out-of-source builds ==== xdg-user-dirs ==== Version update (0.17 -> 0.18) Subpackages: xdg-user-dirs-lang - update to 0.18: + Fixed minor leak + Updated translations + Documentation fixes ==== yast2 ==== Version update (4.5.17 -> 4.5.18) Subpackages: yast2-logs - Improve logging in the ProductControl module, use the new "log.group" call to group logs for each workflow step (bsc#1204625) - 4.5.18 ==== yast2-add-on ==== Version update (4.5.1 -> 4.5.2) - support 'repo' scheme for add-ons (jsc#SLE-22578, jsc#SLE-24584) - 4.5.2 ==== yast2-ruby-bindings ==== Version update (4.5.3 -> 4.5.4) - Added "log.group" method for grouping the log messages (bsc#1204625) - Update Rakefile to allow installing the Ruby files in inst-sys using the "yupdate" command - 4.5.4