Removed rpms ============ Added rpms ========== - arping2 - jq - libjq1 - libnet9 - libonig4 - libpcap1 - man-pages-ru - poppler-data Package Source Changes ====================== MozillaFirefox +- Firefox Extended Support Release 102.7.0 ESR + Placeholder changelog-entry (bsc#1207119) + - Placeholder changelog-entry (bsc#1206242) + * Fixed: Various stability, functionality, and security fixes. + MFSA 2022-52 (bsc#1206242) + * CVE-2022-46880 (bmo#1749292) + Use-after-free in WebGL + * CVE-2022-46872 (bmo#1799156) + Arbitrary file read from a compromised content process + * CVE-2022-46881 (bmo#1770930) + Memory corruption in WebGL + * CVE-2022-46874 (bmo#1746139) + Drag and Dropped Filenames could have been truncated to + malicious extensions + * CVE-2022-46875 (bmo#1786188) + Download Protections were bypassed by .atloc and .ftploc + files on Mac OS + * CVE-2022-46882 (bmo#1789371) + Use-after-free in WebGL + * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, + bmo#1801102, bmo#1801315, bmo#1802395) + Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 bind +- Update to release 9.16.35 + Bug Fixes: + * A crash was fixed that happened when a dnssec-policy zone that + used NSEC3 was reconfigured to enable inline-signing. + * In certain resolution scenarios, quotas could be erroneously + reached for servers, including any configured forwarders, + resulting in SERVFAIL answers being sent to clients. + * rpz-ip rules in response-policy zones could be ineffective in + some cases if a query had the CD (Checking Disabled) bit set to + 1. + * Previously, if Internet connectivity issues were experienced + during the initial startup of named, a BIND resolver with + dnssec-validation set to auto could enter into a state where it + would not recover without stopping named, manually deleting the + managed-keys.bind and managed-keys.bind.jnl files, and starting + named again. 
+ * The statistics counter representing the current number of + clients awaiting recursive resolution results (RecursClients) + could overflow in certain resolution scenarios. + * Previously, BIND failed to start on Solaris-based systems with + hundreds of CPUs. + * When a DNS resource record’s TTL value was equal to the + resolver’s configured prefetch “eligibility” value, the record + was erroneously not treated as eligible for prefetching. + [jsc#SLE-24600] + +- Update to release 9.16.34 + New Features: + * Support for parsing and validating the dohpath service + parameter in SVCB records was added. + * named now logs the supported cryptographic algorithms during + startup and in the output of named -V. + Bug Fixes: + * Changing just the TSIG key names for primaries in catalog + zones’ member zones was not effective. This has been fixed. + Known Issues: + * Upgrading from BIND 9.16.32 or any older version may require a + manual configuration change. The following configurations are + affected: + - type primary zones configured with dnssec-policy but without + either allow-update or update-policy, + - type secondary zones configured with dnssec-policy. + In these cases please add inline-signing yes; to the individual + zone configuration(s). Without applying this change, named will + fail to start. 
For more details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + [jsc#SLE-24600] + bubblewrap +- update to v0.7.0: + * --size option controls the size of a subsequent --tmpfs (#509) + * Better error messages if a mount operation fails (#472) + * Better error message if creating the new user namespace fails with + ENOSPC (#487) + * When building as a Meson subproject, a RUNPATH can be set on the + executable to make it easier to bundle its libcap dependency + * Fix test failures when running as uid 0 but with limited capabilities + (#510) + * Use POSIX command -v in preference to non-standard which (#527) + * Fix a copy/paste error in --help (#531) + +- Update to version 0.6.2: + + New features in Meson build: + - Auto-detect whether the man page can be generated. + - -Dbwrapdir=... changes the installation directory (useful + when being used as a subproject). + - -Dtests=false disables unit tests. + + Bug fixes: + - Add --add-seccomp-fd to shell completions + - Document --add-seccomp-fd, --json-status-fd and --share-net + in the man page + - Add attributes to silence various compiler warnings + - Allow compilation of tests with musl on mips architectures + - Allow compilation with older glibc + - Disable sanitizers for a test helper whose seccomp profile + breaks the instrumentation + - Disable AddressSanitizer leak detection where it interferes + with unit testing + +- Update to 0.6.1: + - Add a release checklist + - completions: Make zsh completion non-executable + The Autotools build system installed it with 0644 permissions because + it's listed as DATA, but the Meson build system installs executable + files as executable by default. + zsh completions don't need to be executable to work, and this one doesn't + have the `#!` marker that should start an executable script. +- update to 0.6.0: + - meson: Improve compatibility with Meson 0.49 + That version doesn't allow more than two arguments for define_variable. 
+ - Disable test-specifying-pidns.sh under 'meson dist' while I investigate + This test is hanging when run under 'meson dist' for some reason, but + not when run under 'meson test', and not locally, only in the Github + Workflow-based CI. Disable it for now. + - meson: Actually build and run the tests + - tests: Fix compiler warnings for unused arguments + - meson: Run test scripts from $srcdir + - meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools + - meson: Run the Python test script with Python, not bash + The python build option can be used to swap to a different interpreter, + for environments like the Steam Runtime where the python3 executable in + the PATH is extremely old but there is a better interpreter available. + This is treated as non-optional, because Meson is written in Python, + so the situation where there is no Python interpreter at build-time + shouldn't arise. + - meson: Build the try-syscall helper + - meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir) + - meson.build: Remove unnecessary check for sh + - Add a Meson build system + This allows bwrap to be built as a subproject in larger Meson projects. + When built as a subproject, we install into the --libexecdir and + require a program prefix to be specified: for example, Flatpak would use + program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to + be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports). + Loosely based on previous work by Jussi Pakkanen (see #133). + Differences between the Autotools and Meson builds: + The Meson build requires a version of libcap that has pkg-config + metadata (introduced in libcap 2.23, in 2013). + The Meson build has no equivalent of --with-priv-mode=setuid. 
On + distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap + executable, the sysadmin or distribution packaging will need to set the + correct permissions on the bwrap executable; Debian already did this via + packaging rather than the upstream build system. + The Meson build supports being used as a subproject, and there is CI + for this. It automatically disables shell completions and man pages, + moves the bubblewrap executable to ${libexecdir}, and renames the + bubblewrap executable according to a program_prefix option that the + caller must specify (for example, Flatpak would use + - Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the + tests/use-as-subproject/ directory for an example. + - Use HEAD to refer to other projects' default branches in documentation + This makes the URL independent of the name they have chosen for their + default branches. + - workflows: Update for rename of default branch to main + - tests: Exercise seccomp filters + - Allow loading more than one seccomp program + This will allow Flatpak to combine an allow-list (default-deny) of + known system calls with a deny-list (default-allow) of system calls + that are undesired. + Resolves: https://github.com/containers/bubblewrap/issues/453 + - Generalize linked lists of LockFile and SetupOp + I'm about to add a third linked list, for seccomp programs, which would + seem like too much duplication. + - Handle argc == 0 better + Unfortunately it's possible for argc to be 0, so error out pretty early + on in that case. I don't think this is a security issue in this case. + - Fix typo + - Remove trailing whitespace + - Fix spelling + - bash: Fix shellcheck warnings + - bash: Invoke bash using /usr/bin/env + - bubblewrap: Avoid a -Wjump-misses-init false-positive + When building with -Wjump-misses-init as part of a larger project, gcc + reports that we jump past initialization of cover_proc_dirs. 
This is + technically true, but we only use this variable in the case where it's + initialized, so that's harmless. + However, we can avoid this altogether by making the array static and + constant, which allows it to be moved from initialized data to read-only + data. + - bind-mount: Be more const-correct + When compiled with -Wwrite-strings as part of a larger project, gcc and + clang both warn that we're assigning a string constant to a mutable + struct member. There's actually no reason why it should be mutable, so + make it const. + - die_with_error: Save errno sooner + We need to save errno immediately, otherwise it could be overwritten + by a failing library call somewhere in the implementation of fprintf. + - main: Warn when non-repeatable options are repeated + A user might reasonably expect that `bwrap --seccomp 3 --seccomp 4 ...` + would load seccomp programs from both fds 3 and 4, but in fact it only + loads the program from fd 4. + Helps: https://github.com/containers/bubblewrap/issues/453 + Resolves: https://github.com/containers/bubblewrap/issues/454 + - utils: Add warn() + - Add SPDX-License-Identifier for files that already specify license + This is a step towards REUSE compliance. Third-party files that we do + not otherwise edit (git.mk, m4/attributes.m4) are excluded here. + - tests: Use preferred spelling for SPDX license identifiers + - Remove obsolete .travis.yml + We no longer use Travis-CI. + - Remove obsolete papr CI + We no longer use this. 
+ +- Update to version 0.5.0: + + New features: + - --chmod changes permissions + - --clearenv unsets every environment variable (except PWD) + - --perms sets permissions for one subsequent --bind-data, + - -dir, --file, --ro-bind-data or --tmpfs + + Other enhancements: + - Better diagnostics when a --bind or other bind-mount fails + - zsh tab-completion + - Better test coverage + + Bug fixes: + - Use Python 3 for tests and examples + - Mount points for non-directories are created with permissions + - r--r--r-- instead of -rw-rw-rw- + - Don't remount items in /proc read-only if already EROFS, + required to run under Docker + - Allow mounting an non-directory over an existing + non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket" + /dev/log + - Silence kernel messages for our bind-mounts + - Make sure pkg-config is checked for, regardless of build + options + - Improve ability to bind-mount directories on case-insensitive + filesystems + - Fix -Wshadow warnings + - Fix deprecation warnings with newer SELinux +- Add new subpackage bubblewrap-zsh-completion + dracut +- Update to version 055+suse.343.g0113f4b9: + A series of changes for the NVMeoF boot feature (jsc#PED-1449): + * fix(dracut.spec): require jq for nvmf + * fix(suse/dracut.spec): require program for duplicate IP address detection + * fix(iscsi): install 8021q module unconditionally + * fix(nvmf): install 8021q module unconditionally + * feat(nvmf): enable module if NBFT exists + * feat(nvmf): add NBFT connect support, and fix configuration priority + * feat(nvmf): add code for parsing the NBFT + * fix(dracut.spec): require libopenssl1_1-hmac for dracut-fips (bsc#1206439) + gnutls +- FIPS: Change all the 140-2 references to FIPS 140-3 in order to + account for the new FIPS certification [bsc#1207346] + * Add gnutls-FIPS-140-3-references.patch + +- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] + * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch + libXpm +- 
U_regression2-bug1207029_1207030_1207031.patch + * second regression fix: Use gzip -d instead of gunzip + +- U_regression-bug1207029_1207030_1207031.patch + * regression fix for above patches + +- U_0000-Update-README-for-gitlab-migration.patch + * needed by U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch +- U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch + * needed by U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +- U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch + * libXpm: Infinite loop on unclosed comments (CVE-2022-46285, + bsc#1207029) +- U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch + * libXpm: Runaway loop on width of 0 and enormous height + (CVE-2022-44617, bsc#1207030) +- U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch + * libXpm: compression commands depend on $PATH (CVE-2022-4883, + bsc#1207031) + -- libXpm 3.5.9 - * This minor maintenance release provides a large collection of - build configuration improvements and other janitorial - cleanups. - -- libXpm 3.5.8 -- bumped version number to 7.5 - -- add baselibs.conf as a source - -- revert static library and .la file removal - for SUSE versions <= 11.1. - -- remove static libraries and "la" files -- run ldconfig in postun - man-pages-ja +- Update to release 20220815 + * Improved manual pages + manpages-l10n +- Update to version 4.17.0: + * Updated many translations. + * Swedish is now actively maintained. + * New language: Russian. 
+ mozilla-nss +- Add upstream patch nss-fix-bmo1774654.patch to fix CVE-2022-3479 + (bsc#1204272) + +- update to NSS 3.79.3 (bsc#1207038) + * Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and + CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates + (CVE-2022-23491) + poppler +- Add patch to reduce the boost dependencies (which isn't really + needed) so we can build poppler 23.01.0 in SLE-15-SP4/SP5: + * reduce-boost-required-version.patch + +- update to 23.01.0: + core: + * PDFDoc::sign: Fix crash if font can't be found + * PDFDoc::sign: Try Arial to sign if Helvetica isn't found + * FoFiType1::parse: Be more flexible parsing the encoding content. Issue #1324 + * Gfx::opBeginMarkedContent: Support Span with Name. Issue #1327 + * Splash: Avoid color issues due to implicit rounding + * Splash: Fix crash on malformed file. + * CairoOutputDev: Ignore text rendering mode for type3 fonts + * Remove unused FoFiType1::load function + build system: + * Increase minimum required versions of several dependencies + * Improve include path handling + qt6: + * Use less deprecated functions + procps +- Extend patch procps-3.3.17-library-bsc1181475.patch (bsc#1206412) +- Make sure that correct library version is installed (bsc#1206412) + python-certifi +- remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle + certs (bsc#1206212 CVE-2022-23491) + - TrustCor RootCert CA-1 + - TrustCor RootCert CA-2 + - TrustCor ECA-1 +- Add removeTrustCor.patch + python-py +- Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969) +- Add patch remove-svn-remants.patch to help with that goal. +- Refresh pr_222.patch as needed for above. + python-setuptools +- Add CVE-2022-40897-ReDos.patch to fix Regular Expression Denial of Service + (ReDoS) in package_index.py. 
+ bsc#1206667 + qemu +- Fixes jsc#PED-1716 + * Patches added: + configure-Add-Wno-gnu-variable-sized-typ.patch + s390x-pci-add-routine-to-get-host-functi.patch + s390x-pci-don-t-fence-interpreted-device.patch + s390x-pci-enable-adapter-event-notificat.patch + s390x-pci-enable-for-load-store-interpre.patch + s390x-pci-let-intercept-devices-have-sep.patch + s390x-pci-reflect-proper-maxstbl-for-gro.patch + Update-linux-headers-to-v6.0-rc4.patch + systemd +- Make sure that /lib/udev exists and is a symlink to /usr/lib/udev when the + testsuite is run. + +- Import commit 1bfa716e7fb6d7169cece864e75dfe9e52914c99 (merge of v249.14) + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/540e0bd5374f9f42f1e645eb15971431ebb4b8c8...1bfa716e7fb6d7169cece864e75dfe9e52914c99 +- Rebase 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch + +- Don't overwrite /etc/pam.d/systemd-user on update (bsc#1207264) + Regression introduced when systemd was forked for 15.4. 
+ +- Ship systemd-pstore with udev (jsc#PED-2663) + +- Import commit 540e0bd5374f9f42f1e645eb15971431ebb4b8c8 + 29fb8a2dd0 core/unit: try to submit stop_when_unneeded queue on removing dependencies + bd63eab381 core/device: start units specified in SYSTEMD_WANTS if it is not running + e0898fa873 coredump: do not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000 CVE-2022-4415) + 119424f96e coredump: adjust whitespace + 3833d5a408 coredump: drop an unused variable + 36728edcfd coredump: Fix format string type mismatch + 34f6867a8a analyze: use DumpUnitsMatchingPatternsByFileDescriptor + e67a7087ec manager: add DumpUnitsMatchingPatternsByFileDescriptor() + feb8f2a983 manager: rename dbus method + 98fed27339 analyze: extend the dump command to accept patterns + a06d9470af man: document the Dump() calls of the PID 1 D-Bus interface, and what they are + 79eb37a5e0 cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED (bsc#1204944) +- Drop 5000-coredump-Fix-format-string-type-mismatch.patch + 5001-coredump-drop-an-unused-variable.patch + 5002-coredump-adjust-whitespace.patch + 5003-coredump-do-not-allow-user-to-access-coredumps-with-.patch + They have been merged into SUSE/v249 branch. + tar +- Fix hang when unpacking test tarball, bsc#1202436 + * bsc1202436.patch + xdg-dbus-proxy +- BuildRequire dbus-1 in SLE-15 where the dbus-1 package is not + splitted to generate a dbus-1-daemon package. + +- Update to version 0.1.4: + + Add a Meson build system, with support for being used as a + subproject. The original Autotools build system remains + available for now, but might be removed in future. + + Fix movement through multiline auth messages. + + Fix an unintended fallthrough if the message bus replies to + Hello() with a non-REPLY such as an ERROR. + + Fix compiler warnings. + + Update AX_CODE_COVERAGE from autoconf-archive. + + Bundle a copy of AX_CHECK_GNU_MAKE from autoconf-archive, + required by AX_CODE_COVERAGE. 
+- Switch to meson buildsystem, add meson BuildRequires and replace + autotools macros with meson ones. +- Add dbus-1-daemon BuildRequires and check section: Run meson_test + macro during build. + +- Update to version 0.1.3: + + Silence compiler warnings. + + Fix build with musl. + xdg-utils +- xdg-open: convert usage of obsolete egrep to grep -E + add xdg-utils-egrep.patch, boo#1203092 + +- Update to version 1.1.3+20210805: + * xdg-email fails on kde with desktop files #187 +- switch to obs_scm + zlib +- Update to 1.13: + * Fix configure issue that discarded provided CC definition + * Correct incorrect inputs provided to the CRC functions + * Repair prototypes and exporting of new CRC functions + * Fix inflateBack to detect invalid input with distances too far + * Have infback() deliver all of the available output up to any error + * Fix a bug when getting a gzip header extra field with inflate() + * Fix bug in block type selection when Z_FIXED used + * Tighten deflateBound bounds + * Remove deleted assembler code references + * Various portability and appearance improvements +- Added patches: + * zlib-1.2.13-IBM-Z-hw-accelerated-deflate-s390x.patch + * zlib-1.2.13-fix-bug-deflateBound.patch + * zlib-1.2.13-optimized-s390.patch +- Refreshed patches: + * zlib-1.2.12-add-optimized-slide_hash-for-power.patch + * zlib-1.2.12-add-vectorized-longest_match-for-power.patch + * zlib-1.2.12-s390-vectorize-crc32.patch +- Removed patches: + * zlib-1.2.12-fix-configure.patch + * zlib-1.2.12-IBM-Z-hw-accelerated-deflate-s390x.patch + * zlib-1.2.12-optimized-crc32-power8.patch + * zlib-1.2.12-correct-inputs-provided-to-crc-func.patch + * zlib-1.2.12-fix-CVE-2022-37434.patch + * zlib-1.2.11-optimized-s390.patch + +- build zlib with optflags again +
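Review bot: In the MozillaFirefox entry, the Firefox ESR 102.7.0 update still carries two "Placeholder changelog-entry" lines (bsc#1207119 and bsc#1206242) and lists no advisory of its own. The only MFSA and CVE list shown is MFSA 2022-52, whose last bullet ties it to Firefox ESR 102.6. Replace the placeholders with the advisory and CVE references tracked under bsc#1207119, so the entry can be used to confirm which fixes the 102.7.0 package contains.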
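Review bot: In the bubblewrap 0.5.0 and 0.6.0 entries, wrapped text that begins with a dash has been turned into separate list items: "- -dir, --file, --ro-bind-data or --tmpfs", "- r--r--r-- instead of -rw-rw-rw-" and "- Dprogram_prefix=flatpak-". Re-wrap those sentences so that no continuation line starts with "-". As written, the option names and the permission string read wrongly (they should be --dir, -r--r--r-- and -Dprogram_prefix).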
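Review bot: In the zlib entry, the header says "Update to 1.13" while every added patch is named zlib-1.2.13-*, so the version line looks like a typo for 1.2.13. The same entry removes zlib-1.2.12-fix-CVE-2022-37434.patch without stating that the fix is now part of the upstream release. If the bullet "Fix a bug when getting a gzip header extra field with inflate()" is the upstream equivalent, add the CVE id to it so CVE tracking does not lose the reference.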