Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20231127

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (119.0.1 -> 120.0)
  gstreamer-plugins-bad
  icewm (3.4.3 -> 3.4.4)
  inxi (3.3.27 -> 3.3.31)
  kyotocabinet (1.2.77 -> 1.2.80)
  libdrm (2.4.117 -> 2.4.118)
  nghttp2 (1.57.0 -> 1.58.0)
  pam-config (2.9 -> 2.10)
  pipewire (0.3.85 -> 1.0.0)
  policycoreutils
  python-charset-normalizer (3.3.0 -> 3.3.2)
  python-lxml
  python-setproctitle (1.3.2 -> 1.3.3)
  restorecond
  tango-icon-theme
  tpm2-0-tss
  transmission (4.0.3 -> 4.0.4)
  usbutils (015 -> 017)
  wireplumber (0.4.15 -> 0.4.16)
  xwayland

=== Details ===

==== MozillaFirefox ====
Version update (119.0.1 -> 120.0)

- Mozilla Firefox 120.0
  https://www.mozilla.org/en-US/firefox/120.0/releasenotes
  MFSA 2023-49 (bsc#1217230)
  * CVE-2023-6204 (bmo#1841050)
    Out-of-bound memory access in WebGL2 blitFramebuffer
  * CVE-2023-6205 (bmo#1854076)
    Use-after-free in MessagePort::Entangled
  * CVE-2023-6206 (bmo#1857430)
    Clickjacking permission prompts using the fullscreen transition
  * CVE-2023-6207 (bmo#1861344)
    Use-after-free in ReadableByteStreamQueueEntry::Buffer
  * CVE-2023-6208 (bmo#1855345)
    Using Selection API would copy contents into X11 primary selection.
  * CVE-2023-6209 (bmo#1858570)
    Incorrect parsing of relative URLs starting with "///"
  * CVE-2023-6210 (bmo#1801501)
    Mixed-content resources not blocked in a javascript: pop-up
  * CVE-2023-6211 (bmo#1850200)
    Clickjacking to load insecure pages in HTTPS-only mode
  * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072,
    bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782)
    Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and
    Thunderbird 115.5
  * CVE-2023-6213 (bmo#1849265, bmo#1851118, bmo#1854911)
    Memory safety bugs fixed in Firefox 120
- rebased patches

==== gstreamer-plugins-bad ====
Subpackages: libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Stop passing sctp=disabled and pass sctp=enabled to meson setup
  instead, enable build of sctp plugin.

==== icewm ====
Version update (3.4.3 -> 3.4.4)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite

- update to 3.4.4:
  * Use fcsmart for capturing loadText data.
  * Support TIFF and WEBP in icewmbg.
  * More permissive parsing of a PAM image header in icesh.
  * Remove obsolete winoption examples and add one for plank.
  * Use --disable-librsvg instead of --disable-rsvg.
  * Add `supportsFormat` to check for support of additional image
    formats.
  * Support JXL, JP2, RAW, SVG, TGA image formats in icewmbg.
  * Test if a color can be considered dark for issue #715.
  * Brighten the color of inactive preview icons for dark themes for
    issue
  * Fix a crash when a ping timeout dialog is destroyed for issue #729.
  * Let icewmbg interpret command-line arguments relative to the
    current working directory.
  * Clarify prefoverride and closes #750
  * When mapping a client by PID, search for the best match.
  * Don't enforce the use of clang++ in the debug build.
  * Fix ordering in the 4th configuration
  * Fix minor warnings from recent CMake and GCC
  * Translated using Weblate (Portuguese (Brazil))

==== inxi ====
Version update (3.3.27 -> 3.3.31)

- Updated to version 3.3.31:
  + /usr/share/doc/packages/inxi/inxi.changelog.
- Updated spec file for new location of inxi at codeberg.org.

==== kyotocabinet ====
Version update (1.2.77 -> 1.2.80)

- update to 1.2.80:
  - configure.in supports strict C99 rules.
  - Fixed errors of kcdirtest on BtrFS.
  - Fixed build warnings.

==== libdrm ====
Version update (2.4.117 -> 2.4.118)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_nouveau2 libdrm_radeon1

- update to 2.4.118:
  * improve SMPTE color LUT accuracy
  * util: factor out and optimize C8 SMPTE color LUT
  * util: add support for DRM_FORMAT_C[124]
  * util: store number of colors for indexed formats
  * util: add SMPTE pattern support for C4 format
  * util: add SMPTE pattern support for C1 format
  * util: add SMPTE pattern support for C2 format
  * modetest: add support for DRM_FORMAT_C[124]
  * modetest: add SMPTE pattern support for C[124] formats
  * intel: determine target endianness using meson
  * util: fix 32 bpp patterns on big-endian
  * util: fix 16 bpp patterns on big-endian
  * util: add missing big-endian RGB16 frame buffer formats
  * modetest: add support for parsing big-endian formats
  * util: add test pattern support for big-endian XRGB1555/RGB565
  * util: fix pwetty on big-endian
  * util: add pwetty support for big-endian RGB565
  * modetest: add support for big-endian XRGB1555/RGB565
  * modetest: add support for DRM_FORMAT_NV{15,20,30}
  * modetest: switch usage to proper options grammar
  * xf86drm: add drmGetNodeTypeFromDevId
  * Sync headers with drm-next
  * xf86drmMode: add drmModeCloseFB()

==== nghttp2 ====
Version update (1.57.0 -> 1.58.0)

- update to 1.58.0:
  * Update manual pages
  * Bump neverbleed
  * Bump ngtcp2
  * Prefer clock_gettime if __CYGWIN__ defined
  * Do not require strict c++ mode
  * nghttpx: Stricter transfer-encoding checks
  * Refactor character comparison
  * Integration servertester h3
  * integration: Enable http3 test with cmake

==== pam-config ====
Version update (2.9 -> 2.10)

- Update to version 2.10
  - Enable session and account support for kanidm and himmelblau

==== pipewire ====
Version update (0.3.85 -> 1.0.0)
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools

- Update to version 1.0.0 (El Presidente):
  * Highlights
    - Fix a memfd/dmabuf leak when uploading buffers while shutting
      down.
    - Handle concurrent jack_port_get_buffer() calls because ardour
      seems to be doing this.
    - Improve time reporting (less jitter) in ALSA when using IRQ.
    - Many doc improvements.
  * PipeWire
    - Respect PIPEWIRE_DLCLOSE everywhere, remove pw_in_valgrind().
    - Remove a warning when a client tries to change ignored
      properties.
  * Modules
    - Fix a memfd/dmabuf leak when uploading buffers while shutting
      down.
    - Fix a potential segfault when copying mix structures. (#3658)
    - Avoid races in setrlimit in module-rt.
    - Fix a memory leak in filter-chain.
    - Set rtp.ptime on senders, not receivers.
    - The ROC modules were ported to ROC 0.3
  * SPA
    - Improve time reporting (less jitter) in ALSA when using IRQ.
      (#3657)
    - Add latency param query in libcamera.
    - Fix some compiler warnings.
    - The EVL plugin was updated.
  * Bluetooth
    - LC3 codec and compatibility improvements.
  * Pulse server
    - Fix emission of events when a sink/source state changes. (#3660)
  * JACK
    - Improve transport and time handling. Use unique ids to make
      consistent snapshots of the current time and transport.
    - Avoid enumerating port params that we are not going to use.
    - Optimize buffer reuse.
    - Handle concurrent jack_port_get_buffer() calls because ardour
      seems to be doing this. (#3632)
  * Docs
    - Many doc improvements.
    - Add man pages for pw-dump, pw-loopback, modules, pipewire-pulse.
    - Manpages are now made with Doxygen.
    - Add docs for pulse-modules

==== policycoreutils ====
Subpackages: policycoreutils-python-utils python3-policycoreutils

- Change deprecated `%patch1 -p1` syntax to supported `%patch -P1 -p1`
  (bsc#1216669)

==== python-charset-normalizer ====
Version update (3.3.0 -> 3.3.2)

- update to 3.3.2:
  * Unintentional memory usage regression when using large payload
    that match several encoding (#376)
  * Regression on some detection case showcased in the documentation
    (#371)
  * Noise (md) probe that identify malformed arabic representation
    due to the presence of letters in isolated form
  * Optional mypyc compilation upgraded to version 1.6.1 for
    Python >= 3.8
  * Improved the general detection reliability based on reports from
    the community

==== python-lxml ====

- Add libxml2212-tests.patch to fix tests with new libxml2

==== python-setproctitle ====
Version update (1.3.2 -> 1.3.3)

- update to 1.3.3:
  * Add support for Python 3.12
  * Fix package metadata to include Python 3.11, 3.12.

==== restorecond ====

- Change deprecated `%patch1 -p1` syntax to supported `%patch -P1 -p1`
  (bsc#1216669)

==== tango-icon-theme ====

- Use %patch -P N instead of deprecated %patchN.

==== tpm2-0-tss ====
Subpackages: libtss2-esys0 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tctildr0

- libtss2-fapi1 requires system-user-tss for tmpfile creation

==== transmission ====
Version update (4.0.3 -> 4.0.4)
Subpackages: transmission-common transmission-gtk

- Update to version 4.0.4:
  + Fixed bug in sending torrent metadata to peers.
  + Avoid unnecessary heap memory allocations.
  + Fixed filename collision edge case when renaming files.
  + Fixed locale errors that broke number rounding when displaying
    statistics, e.g. upload / download ratios.
  + Always use a fixed-length key query in tracker announces. This
    isn't required by the spec, but some trackers rely on that fixed
    length because it's common practice by other BitTorrent clients.
  + Fixed potential Windows crash when getstdhandle() returns NULL.
  + Fixed 4.0.0 bug where the port numbers in LDP announces are
    sometimes malformed.
  + Fixed a bug that prevented editing the query part of a tracker
    URL.
  + Fixed a bug where Transmission may not announce LPD on its
    listening interface.
  + Made small performance improvements in libtransmission.
  + Qt Client:
    - Fixed torrent name rendering when showing magnet links in
      compact view.
    - Fixed bug that broke the "Move torrent file to trash" setting.
    - Fixed Qt 6.4 deprecation warning.
    - Fixed poor resolution of Qt application icon.
  + GTK Client: Fixed missing 'Remove torrent' tooltip.
  + Web Client:
    - Don't show null as a tier name in the inspector's tier list.
    - Fixed truncated play / pause icons.
    - Fixed overflow when rendering peer lists and made speed
      indicators honor prefers-color-scheme media queries.
    - Made the main menu accessible even on smaller displays.
  + transmission-cli:
    - Fixed "no such file or directory" warning when adding a magnet
      link.
    - Fixed bug that caused the wrong decimal separator to be used in
      some locales.
  + transmission-remote: Fixed display bug that failed to show some
    torrent labels.
  + Everything Else:
    - Ran all PNG files through lossless compressors to make them
      smaller.
    - Fixed potential build issue when compiling on macOS with gcc.

==== usbutils ====
Version update (015 -> 017)

- update to 017:
  * lsusb: fix up [unknown] vendor and product strings.
  * lsusb: fix build warning for
    dump_billboard_alt_mode_capability_desc()
  * lsusb: add fallback names for 'lsusb -v' output
  * names: simplify get_vendor_product_with_fallback() a bit
  * rezso (1):
  * Honor system libdir and includedir
  * usbutils 016
  * usbutils: lsusb-t: print entries for devices with no interfaces
  * Fix a typo in usb-spec.h
  * lsusb.py.in: Display (device) power/wakeup via -w option.
  * Fix an incorrect length value in hid descriptor.
  * Fix misalignments in hid device descriptor.
  * Use bigger buffer to place speed value string
  * lsusb -h returns an error
  * lsusb -h fixups
  * lsusb -t: sort in bus order, not reverse order
  * lsusb -t: print ports and busses and devices with same width
  * lsusb -t: assign_interface_to_parent() fixups
  * lsusb.8.in: fix up missing '-' in text
  * README.md: add source location
  * lsusb.py: fix up wakeup logic for devices that do not support it
  * lsusb.py.in: add another default path for usb.ids
  * names.c: if a string can not be found in the usb.ids file, return
    [unknown]
  * lsusb-t: if a driver is not bound to an interface, report "[none]"
  * Generate usbutils.pc pkgconfig file
  * usbreset: Allow idProduct and idVendor to be 0
  * usb-devices: make shellcheck happy
  * lsusb: Add function that sorts the output by device ID.
  * lsusb: Additional sorting by bus number.
  * lsusb: This is a more compact implementation of the device list
    sort implemented within this pull request. The output remains the
    same as the one demonstrated in the previous commit.
==== wireplumber ====
Version update (0.4.15 -> 0.4.16)
Subpackages: libwireplumber-0_4-0 wireplumber-audio

- Update to version 0.4.16:
  * Additions:
    - Added a new "sm-objects" script that allows loading objects on
      demand via metadata entries that describe the object to load;
      this can be used to load pipewire modules, such as filters or
      network sources/sinks, on demand
    - Added a mechanism to override device profile priorities in the
      configuration, mainly as a way to re-prioritize Bluetooth
      codecs, but this also can be used for other devices
    - Added a mechanism in the endpoints policy to allow connecting
      filters between a certain endpoint's virtual sink and the
      device sink; this is specifically intended to allow plugging a
      filter-chain to act as equalizer on the Multimedia endpoint
    - Added wp_core_get_own_bound_id() method in WpCore
  * Changes:
    - PipeWire 0.3.68 is now required
    - policy-dsp now has the ability to hide hardware nodes behind
      the DSP sink to prevent hardware misuse or damage
    - JSON parsing in Lua now allows keys inside objects to be
      without quotes
    - Added optional argument in the Lua JSON parse() method to limit
      recursions, making it possible to partially parse a JSON object
    - It is now possible to pass nil in Lua object constructors that
      expect an optional properties object; previously, omitting the
      argument was the only way to skip the properties
    - The endpoints policy now marks the endpoint nodes as "passive"
      instead of marking their links, adjusting for the behavior
      change in PipeWire 0.3.68
    - Removed the "passive" property from si-standard-link, since
      only nodes are marked as passive now
  * Fixes:
    - Fixed the wpctl clear-default command to completely clear all
      the default nodes state instead of only the last set default
    - Reduced the amount of globals that initially match the interest
      in the object manager
    - Used an idle callback instead of pw_core_sync() in the object
      manager to expose tmp globals
- Remove patches included upstream:
  * 0001-object-manager-reduce-the-amount-of-globals-that-initially.patch
  * 0002-object-manager-use-an-idle-callback-to-expose-tmp-globals.patch
  * 0001-policy-dsp-add-ability-to-hide-parent-nodes.patch
- Update split-config-file.py

==== xwayland ====

- This release contains the following patches mentioned in previous
  sle15 releases
  * U_Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch:
    fixes regression introduced with security update for
    CVE-2022-46340 (bsc#1205874)
  * U_bsc1216135-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch:
    fix handling of PropModeAppend/Prepend
    (CVE-2023-5367, ZDI-CAN-22153, bsc#1216135)
  * U_bsc1216261-0001-mi-fix-CloseScreen-initialization-order.patch,
    U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch:
    Server Damage Object Use-After-Free Local Privilege Escalation
    Vulnerability (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)
  * U_bsc1216261-0003-dix-always-initialize-pScreen-CloseScreen.patch:
    fixes a regression, which can trigger a segfault in Xwayland on
    exit, introduced by
    U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch
    (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)