New Arm Tumbleweed snapshot 20241204 released!
Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20241204

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  libcap (2.70 -> 2.73)
  logrotate (3.21.0 -> 3.22.0)
  mozjs128 (128.4.0 -> 128.5.1)
  polkit-default-privs (1550+20241111.762abac -> 1550+20241129.21d7d0b)
  python311
  python311-core
  selinux-policy (20241105 -> 20241118)
  systemd (256.7 -> 256.9)

=== Details ===

==== libcap ====
Version update (2.70 -> 2.73)

- update to 2.73:
  * https://sites.google.com/site/fullycapable/release-notes-for-libcap?authuser...

==== logrotate ====
Version update (3.21.0 -> 3.22.0)

- Skip test-0110.sh which fails after update in the build chroot but not with identical settings on TW.
  * Add logrotate-3.22-skip-failing-test.patch
- update to 3.22.0:
  * fix calculations for time differences
  * fix extension for zip compression
  * fix omitted copy for logs with `mail` and `rotate 0`
  * fix wrongly skipping copy with `copytruncate` and `compress`
  * fix ambiguities between `mode`, `UID` and `GID` parsing when not specifying all options
  * fix hang when encountering a named pipe
  * on prerotate failure logs are preserved instead of rotated
  * in case a configuration file was skipped due to unsafe permissions the exit status after rotation will be `1`
  * the state is no longer written to non-regular files
  * the systemd timer now correctly utilizes load distribution
  * add dateformat specifier `%z` for timezone offsets
  * change default mode for created `olddir` directories to `0755`
  * support quoted user and group names in `su`, `create`, and `createolddir`
- update logroate.keyring: new maintainer

==== mozjs128 ====
Version update (128.4.0 -> 128.5.1)

- Update to version 128.5.1:
  + Fixed an issue that prevented some websites from loading when using SSL Inspection. (bmo#1933747)
- Changes from version 128.5.0:
  + Various security fixes and other quality improvements.
  + CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL.
  + CVE-2024-11692: Select list elements could be shown over another site.
  + CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims.
  + CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters.
  + CVE-2024-11696: Unhandled Exception in Add-on Signature Verification.
  + CVE-2024-11697: Improper Keypress Handling in Executable File Confirmation Dialog.

==== polkit-default-privs ====
Version update (1550+20241111.762abac -> 1550+20241129.21d7d0b)

- Update to version 1550+20241129.21d7d0b:
  * profiles: adjust tuned settings to new upstream default (bsc#1232412)
  * profiles: add tuned methods for instance handling / PPD (bsc#1232412)
- Add format_spec_file service in manual mode
- Update to version 1550+20241127.a20426b:
  * profiles: whitelist systemd v257 actions (bsc#1233295)
- _service: switch from "disabled" mode to "manual" mode, which is a more fitting setting which is available now.

==== python311 ====
Subpackages: python311-curses python311-dbm

- Add add-loongarch64-support.patch to support loongarch64
- Fix changelog

==== python311-core ====
Subpackages: libpython3_11-1_0 python311-base

- Add add-loongarch64-support.patch to support loongarch64
- Fix changelog

==== selinux-policy ====
Version update (20241105 -> 20241118)
Subpackages: selinux-policy-targeted

- Fix minimum policy by readding snapper module (bsc#1234037)
- Update to version 20241118:
  * Add workaround for /run/rpmdb lockfile (bsc#1231127)
  * Add dedicated health-checker module (bsc#1231127)
- Packaging rework: moving all config files to git repository
  https://gitlab.suse.de/selinux/selinux-policy
- Moved booleans to dist/*/booleans.conf and dropped from package:
  * booleans-minimum.conf - user facing change: boolean settings are now the same as in upstream
  * booleans-mls.conf - user facing change: boolean settings are now the same as in upstream
  * booleans-targeted.conf - user facing change: kerberos_enabled boolean was not enabled due to a bug, now it is enabled
- Moved booleans.subs_dist to dist/booleans.subs_dist and dropped from package
- Moved customizable_types to dist/customizable_types and dropped from package
  - user facing change: using upstream version
- Moved file_contexts.subs_dist to config/file_contexts.subs_dist and dropped from package
  - user facing change: changed systemd entries in file_contexts.subs_dist:
    /run/systemd/system -> dropped from file
    /run/systemd/generator.early /run/systemd/generator
    /run/systemd/generator.late /run/systemd/generator
- Moved modules config to dist/<policytype>/modules.conf and dropped from package:
  - user facing change: minimum policy: modules base and contrib are merged into modules.lst and modules-enabled.lst was added which contains the enabled modules, replacing modules-minimum-disable.lst
    * modules-minimum-base.conf
    * modules-minimum-contrib.conf
    * modules-minimum-disable.lst
    * Added: modules-minimum.lst
  - user facing change: mls policy: modules base + contrib are merged into modules.lst
    * modules-mls-base.conf
    * modules-mls-contrib.conf
  - user facing change: targeted policy: modules base + contrib are merged into modules.lst:
    * modules-targeted-base.conf
    * modules-targeted-contrib.conf
- Moved securetty config to config/appconfig-<policytype>/securetty_types and dropped from package
  - user facing change: using upstream version for all policy types
    * securetty_types-minimum
    * securetty_types-mls
    * securetty_types-targeted
- Moved setrans config to dist/<policytype>/setrans.conf and dropped from package
  * setrans-minimum.conf
  * setrans-mls.conf
  * setrans-targeted.conf
- Moved users config to dist/<policytype>/users and dropped from package
  * users-minimum - user facing change: added guest_u and xguest_u
  * users-mls
  * users-targeted
- Fix debug-build.sh to follow symlinks when creating the tarball
- Update embedded container-selinux version to commit:
  * 3f06c141bebc00a07eec4c0ded038aac4f2ae3f0
- Update to version 20241107:
  * Re-add kanidm module to dist/targeted/modules.conf
  * Add SUSE-specific file contexts to file_contexts.subs_dist
  * Disallow execstack in dist/minimum/booleans.conf
  * Add SUSE-specific booleans to dist/targeted/booleans.conf
  * Add SUSE specific modules to targeted modules.conf
  * Label /var/cache/systemd/home with systemd_homed_cache_t
  * Allow login_userdomain connect to systemd-homed over a unix socket
  * Allow boothd connect to systemd-homed over a unix socket
  * Allow systemd-homed get attributes of a tmpfs filesystem
  * Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
  * Allow aide connect to systemd-homed over a unix socket
  * Label /dev/hfi1_[0-9]+ devices
  * Remove the openct module sources
  * Remove the timidity module sources
  * Enable the slrn module
  * Remove i18n_input module sources
  * Enable the distcc module
  * Remove the ddcprobe module sources
  * Remove the timedatex module sources
  * Remove the djbdns module sources
  * Confine iio-sensor-proxy
  * Allow staff user nlmsg_write
  * Update policy for xdm with confined users
  * Allow virtnodedev watch mdevctl config dirs
  * Allow ssh watch home config dirs
  * Allow ssh map home configs files
  * Allow ssh read network sysctls
  * Allow chronyc sendto to chronyd-restricted
  * Allow cups sys_ptrace capability in the user namespace
  * Add policy for systemd-homed
  * Remove fc entry for /usr/bin/pump
  * Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
  * Allow accountsd read gnome-initial-setup tmp files
  * Allow xdm write to gnome-initial-setup fifo files
  * Allow rngd read and write generic usb devices
  * Allow qatlib search the content of the kernel debugging filesystem
  * Allow qatlib connect to systemd-machined over a unix socket
  * mls/modules.conf - fix typo
  * Use dist/targeted/modules.conf in build workflow
  * Fix default and dist config files
  * Allow unprivileged user watch /run/systemd
  * CI: update to actions/checkout@v4
  * Allow boothd connect to kernel over a unix socket
  * Clean up and sync securetty_types
  * Bring config files from dist-git into the source repo
  * Confine gnome-remote-desktop
  * Allow virtstoraged execute mount programs in the mount domain
  * Make mdevctl_conf_t member of the file_type attribute

==== systemd ====
Version update (256.7 -> 256.9)
Subpackages: libsystemd0 libudev1 systemd-boot systemd-container systemd-experimental udev

- Add 5005-Revert-boot-Make-initrd_prepare-semantically-equival.patch
  Revert commit d64193a2a652b15db9cb9ed10c6b77a17ca46cd2 until the regression it caused, reported at https://github.com/systemd/systemd/issues/35439, is fixed (see also bsc#1233752 for its downstream counterpart).
- Disable EFI support on architectures that are not EFI-compliant
- Import commit 290170c8550bf2de4b5085ecdf7f056769944444 (merge of v256.9)
  This merge includes the following fix:
  cf7b3cc182 pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, noone else (bsc#1232227)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/c7671762b39ead7f8f9e70064256f5ef...
- Import commit aee28e4c20a053ea27f8be69f2ea981e43bcb0b6
  aee28e4c20 udev-builtin-path_id: SAS wide ports must have num_phys > 1 (bsc#1231610)
  280989cfa4 core: when switching root remove /run/systemd before executing the binary specified by init= (bsc#1227580)
- Drop 5003-core-when-switching-root-remove-run-systemd-before-e.patch, this patch has been integrated in branch 'SUSE/v256', see above.
participants (1)
-
Guillaume Gardet