Packages changed:
  Mesa
  Mesa-drivers
  MozillaFirefox (106.0.5 -> 107.0)
  bluez (5.65 -> 5.66)
  curl
  distrobox
  ffmpeg-4
  installation-images-MicroOS (17.64 -> 17.65)
  lcms2
  libXft (2.3.6 -> 2.3.7)
  libalternatives
  open-iscsi
  python-jsonschema (4.16.0 -> 4.17.0)
  systemd (251.8 -> 252.1)
  webkit2gtk3
  webkit2gtk4
  xfsprogs (5.19.0 -> 6.0.0)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- try to fix build on ppc64le due to running OOM (boo#1205441)
  * let's request 20G of physical memory via _constraints file

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- try to fix build on ppc64le due to running OOM (boo#1205441)
  * let's request 20G of physical memory via _constraints file

==== MozillaFirefox ====
Version update (106.0.5 -> 107.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 107.0
  MFSA 2022-47 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45407 (bmo#1793314)
    Loading fonts on workers was not thread-safe
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45413 (bmo#1791201)
    SameSite=Strict cookies could have been sent cross-site via intent URLs
  * CVE-2022-40674 (bmo#1791598)
    Use-after-free vulnerability in expat
  * CVE-2022-45415 (bmo#1793551)
    Downloaded file may have been saved with malicious extension
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45417 (bmo#1794508)
    Service Workers in Private Browsing Mode may have been written to disk
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45419 (bmo#1716082)
    Deleting a security exception did not take effect immediately
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
- requires
  * NSS >= 3.84
  * rust = 1.64

==== bluez ====
Version update (5.65 -> 5.66)
Subpackages: bluez-auto-enable-devices bluez-cups libbluetooth3

- update to 5.66:
  * Fix issue with A2DP and transport connection collisions.
  * Fix issue with allowing application specific error codes.
  * Fix issue with not setting initiator flag correctly.
  * Fix issue with HoG Report MAP size handling.
  * Add initial support for Basic Audio Profile.
  * Add initial support for Volume Control Profile.
- remove RPi-Move-the-43xx-firmware-into-lib-firmware.patch
  (does not apply anymore), replace with CPPFLAGS define

==== curl ====
Subpackages: libcurl4

- Add 1.50.0 as the minimum libnghttp2 build requirement version
  as a bandaid. Curl's 7.86.0 release introduces the use of
  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
  introduced by nghttp2 1.50.0 release, without introducing a
  check for the function/right version in their build scripts.
  This will make Zypper/cURL unusable in some corner cases where
  users installing something that requires libcurl4 before doing
  full system upgrade, thus updating the cURL stack, but not
  libnghttp2's.
  Background: boo#1204983, Factory mailing list thread:
  "? broken dependency in curl and/or *zyp* ?", and forums thread:
  Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.

==== distrobox ====
Subpackages: distrobox-bash-completion

- Do not recommend bash-completion subpackage: this triggers
  installation even if bash-completion is not there yet. All (well,
  most for now) packages are handled to install the completion IF
  bash-completion is present (which is the default on standard
  setups).

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavfilter7_110 libavformat58_76 libavresample4_0 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix
  out of bounds read in update_block_in_prev_frame() (bsc#1205388).

==== installation-images-MicroOS ====
Version update (17.64 -> 17.65)

- merge gh#openSUSE/installation-images#615
- systemd lib moved to /usr/lib64
- 17.65

==== lcms2 ====

- Removed reverse-0001-fix-memory-leaks-on-testbed.patch and
  added 0001-fix-memory-corruption-when-unregistering-plugins.patch
  as final fix for https://github.com/hughsie/colord/issues/145

==== libXft ====
Version update (2.3.6 -> 2.3.7)

- Update to version 2.3.7
  * libxft issue #15
    https://gitlab.freedesktop.org/xorg/lib/libxft/-/issues/15
    XftFontLoadGlyphs for mono font returns wrong info in extents
    from XftTextExtentsUtf8 for variable chars
    Patch by Scott Mcdermott, based on
    https://github.com/googlefonts/Inconsolata/issues/42
  * fix compiler warning
  * libxft issue #16
    https://gitlab.freedesktop.org/xorg/lib/libxft/-/issues/16
    Stack gets smashed in fonts with colors when calling XftGlyphRender
    BGRA changes made incorrect comparison for local vs allocated
    buffer in XftGlyphSpecRender
  * stdint.h header is needed for SIZE_MAX

==== libalternatives ====
Subpackages: alts libalternatives1

- switch to a manual service rather than a buildtime tar service
  which introduces a bootstrap cycle between python and tar_scm

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Updated to latest upstream. Changes:
  * scsid/iscsiuio: fix OOM adjustment (github issue #377)

==== python-jsonschema ====
Version update (4.16.0 -> 4.17.0)

- update to 4.17.0:
  * The check_schema method on jsonschema.protocols.Validator
    instances now enables format validation by default when run.
    This can catch some additional invalid schemas (e.g. containing
    invalid regular expressions) where the issue is indeed uncovered
    by validating against the metaschema with format validation
    enabled as an assertion.
  * The jsonschema CLI (along with jsonschema.cli the module) are
    now deprecated. Use check-jsonschema instead, which can be
    installed via pip install check-jsonschema and found here.
  * Make ErrorTree have a more grammatically correct repr.

==== systemd ====
Version update (251.8 -> 252.1)
Subpackages: libsystemd0 libudev1 systemd-doc systemd-lang udev

- Upgrade to v252.1 (commit 64dc546913525e33e734500055a62ed0e963c227)
  See https://github.com/openSUSE/systemd/blob/SUSE/v252/NEWS for
  details.
  * Rebased 0001-conf-parser-introduce-early-drop-ins.patch
    1000-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
  * The new tools systemd-measure and systemd-pcrphase have been
    added to the experimental sub-package for now.
  * Add temporarily
    6000-meson-install-test-kernel-install-only-when-Dkernel-.patch
    until this patch is mainstreamed.

==== webkit2gtk3 ====
Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update _constraints for webkit2gtk3:gtk3-soup2 on aarch64 to
  avoid slow workers and OOM

==== webkit2gtk4 ====
Subpackages: WebKit2GTK-5.0-lang libjavascriptcoregtk-5_0-0 libwebkit2gtk-5_0-0 webkit2gtk-5_0-injected-bundles

- Update _constraints for webkit2gtk3:gtk3-soup2 on aarch64 to
  avoid slow workers and OOM

==== xfsprogs ====
Version update (5.19.0 -> 6.0.0)

- update to 6.0.0:
  - libxfs: kernel sync
  - xfs_db: use preferable macro to seek offset for local dir3
  - xfs_quota: optimize -L/-U calls for dump/report