New Arm Tumbleweed snapshot 20220613 released!
Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20220613

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  apache2 (2.4.53 -> 2.4.54)
  apache2-manual (2.4.53 -> 2.4.54)
  apache2-mod_php7 (7.4.29 -> 7.4.30)
  apache2-prefork (2.4.53 -> 2.4.54)
  apache2-utils (2.4.53 -> 2.4.54)
  bluedevil5 (5.24.5 -> 5.25.0)
  breeze (5.24.5 -> 5.25.0)
  breeze-gtk (5.24.5 -> 5.25.0)
  discover (5.24.5 -> 5.25.0)
  drkonqi5 (5.24.5 -> 5.25.0)
  glibmm2_4 (2.66.2 -> 2.66.4)
  gnome-bluetooth (42.0 -> 42.1)
  inxi (3.3.16 -> 3.3.17)
  kactivitymanagerd (5.24.5 -> 5.25.0)
  kcm_sddm (5.24.5 -> 5.25.0)
  kde-cli-tools5 (5.24.5 -> 5.25.0)
  kde-gtk-config5 (5.24.5 -> 5.25.0)
  kgamma5 (5.24.5 -> 5.25.0)
  khotkeys5 (5.24.5 -> 5.25.0)
  kinfocenter5 (5.24.5 -> 5.25.0)
  kmenuedit5 (5.24.5 -> 5.25.0)
  kscreen5 (5.24.5 -> 5.25.0)
  kscreenlocker (5.24.5 -> 5.25.0)
  ksshaskpass5 (5.24.5 -> 5.25.0)
  ksystemstats5 (5.24.5 -> 5.25.0)
  kwayland-integration (5.24.5 -> 5.25.0)
  kwin5 (5.24.5 -> 5.25.0)
  kwrited5 (5.24.5 -> 5.25.0)
  layer-shell-qt (5.24.5 -> 5.25.0)
  libkdecoration2 (5.24.5 -> 5.25.0)
  libkscreen2 (5.24.5 -> 5.25.0)
  libksysguard5 (5.24.5 -> 5.25.0)
  milou5 (5.24.5 -> 5.25.0)
  oxygen5-sounds (5.24.5 -> 5.25.0)
  php7 (7.4.29 -> 7.4.30)
  plasma-browser-integration (5.24.5 -> 5.25.0)
  plasma-nm5 (5.24.5 -> 5.25.0)
  plasma5-addons (5.24.5 -> 5.25.0)
  plasma5-desktop (5.24.5 -> 5.25.0)
  plasma5-disks (5.24.5 -> 5.25.0)
  plasma5-integration (5.24.5 -> 5.25.0)
  plasma5-openSUSE (84.87~git20220116T220745~fffd234 -> 84.87~git20220602T134713~22403ba)
  plasma5-pa (5.24.5 -> 5.25.0)
  plasma5-systemmonitor (5.24.5 -> 5.25.0)
  plasma5-thunderbolt (5.24.5 -> 5.25.0)
  plasma5-workspace (5.24.5 -> 5.25.0)
  polkit-kde-agent-5 (5.24.5 -> 5.25.0)
  powerdevil5 (5.24.5 -> 5.25.0)
  python
  python-MarkupSafe
  python-base
  systemsettings5 (5.24.5 -> 5.25.0)
  xdg-desktop-portal-kde (5.24.5 -> 5.25.0)

=== Details ===

==== apache2 ====
Version update (2.4.53 -> 2.4.54)
- update httpd-framework to svn revision 1898917
- version update to 2.4.54
  Changes with Apache 2.4.54
  *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server, based on the client-side Connection header hop-by-hop mechanism. This may be used to bypass IP-based authentication on the origin server/application.
     Credits: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue
  *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with websockets (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
     Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue
  *) SECURITY: CVE-2022-30522: mod_sed denial of service (cve.mitre.org)
     If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
     Credits: This issue was found by Brian Moussalli from the JFrog Security Research team
  *) SECURITY: CVE-2022-29404: Denial of service in mod_lua r:parsebody (cve.mitre.org)
     In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
     Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue
  *) SECURITY: CVE-2022-28615: Read beyond bounds in ap_strcmp_match() (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
     Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue
  *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite() (cve.mitre.org)
     The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.
     Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue
  *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
     Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue
  *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request smuggling (cve.mitre.org)
     Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions.
     Credits: Ricter Z @ 360 Noah Lab
  *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
  *) mod_proxy_http: Avoid 417 responses for non-forwardable 100-continue. PR 65666. [Yann Ylavic]
  *) mod_md: a bug was fixed that caused very large MDomains with the combined DNS names exceeding ~7k to fail, as request bodies would contain partially wrong data from uninitialized memory. This would have appeared as failure in signing-up/renewing such configurations. [Stefan Eissing, Ronald Crane (Zippenhop LLC)]
  *) MPM event: Restart children processes killed before idle maintenance. PR 65769. [Yann Ylavic, Ruediger Pluem]
  *) ab: Allow for TLSv1.3 when the SSL library supports it. [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
  *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce transmission delays. PR 66019. [Yann Ylavic]
  *) MPM event: Fix accounting of active/total processes on ungraceful restart, PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]
  *) core: make ap_escape_quotes() work correctly on strings with more than MAX_INT/2 characters, counting quotes double. Credit to <generalbugs@zippenhop.com> for finding this. [Stefan Eissing]
  *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of an ACME CA. This gives a failover for renewals when several consecutive attempts to get a certificate failed. A new directive was added: `MDRetryDelay` sets the delay of retries. A new directive was added: `MDRetryFailover` sets the number of errored attempts before an alternate CA is selected for certificate renewals. [Stefan Eissing]
  *) mod_http2: remove unused and insecure code. Fixes PR66037. Thanks to Ronald Crane (Zippenhop LLC) for reporting this. [Stefan Eissing]
  *) mod_proxy: Add backend port to log messages to ease identification of the involved service. [Rainer Jung]
  *) mod_http2: removing unscheduling of ongoing tasks when a connection shows potential abuse by a client. This proved counter-productive and the abuse detection can false-flag requests using server-sent events. Fixes <https://github.com/icing/mod_h2/issues/231>. [Stefan Eissing]
  *) mod_md: Implement full auto status ("key: value" type status output), i.e. not only summary counts for certificates and OCSP stapling but also lists. Auto status format is similar to what was used for mod_proxy_balancer. [Rainer Jung]
  *) mod_md: fixed a bug leading to failed transfers for OCSP stapling information when more than 6 certificates needed updates in the same run. [Stefan Eissing]
  *) mod_proxy: Set a status code of 502 in case the backend just closed the connection in reply to our forwarded request. [Ruediger Pluem]
  *) mod_md: a possible NULL pointer deref was fixed in the JSON code for persisting time periods (start+end). Fixes #282 on mod_md's github. Thanks to @marcstern for finding this. [Stefan Eissing]
  *) mod_heartmonitor: Set the documented default value "10" for HeartbeatMaxServers instead of "0". With "0" no shared memory slotmem was initialized. [Rainer Jung]
  *) mod_md: added support for managing certificates via a local tailscale daemon for users of that secure networking. This gives trusted certificates for tailscale-assigned domain names in the *.ts.net space.
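The CVE-2022-31813 entry in the apache2 changelog above states the effect in one sentence. The following is an added illustration, not code from this announcement, from openSUSE or from the Apache project, of why a client-controlled Connection header could make a reverse proxy drop its own X-Forwarded-For and how that defeats an origin that allow-lists client addresses. The proxy and origin are modelled in plain Python; the addresses (203.0.113.7 for the outside client, 10.0.0.5 for the proxy, 10.0.0.0/8 as the origin's allow-list), the host name and the request headers are constructed for the example, and the origin falling back to the TCP peer address when no X-Forwarded-For arrives is an assumption about how such deployments are commonly configured, not something the changelog states.

```python
"""Added example: the header-forwarding flaw behind CVE-2022-31813.

A proxy must strip the hop-by-hop headers a sender lists in its Connection
header (RFC 7230 section 6.1).  The bug was that mod_proxy applied the
*client's* Connection list to headers the proxy itself adds, so a client
could name X-Forwarded-For there and have the proxy silently drop it.
Hosts, addresses and the allow-list below are constructed for the demo.
"""
import ipaddress

# Hop-by-hop headers that every proxy strips regardless of Connection.
ALWAYS_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}
# Headers the proxy generates itself; a client must not be able to veto them.
PROXY_OWNED = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-server"}


def connection_tokens(headers):
    """Header names listed in the Connection header, lower-cased."""
    raw = headers.get("connection", "")
    return {t.strip().lower() for t in raw.split(",") if t.strip()}


def forward_headers(client_headers, client_ip, vulnerable):
    """Return the headers a reverse proxy sends on to the origin.

    vulnerable=True reproduces the 2.4.53 behaviour: the client's Connection
    list is applied to every header, including the proxy's own X-Forwarded-*.
    vulnerable=False is the corrected behaviour: proxy-owned headers survive.
    """
    hdrs = {k.lower(): v for k, v in client_headers.items()}
    hop = ALWAYS_HOP_BY_HOP | connection_tokens(hdrs)

    # The proxy appends the peer address to X-Forwarded-For and records Host.
    prior = hdrs.get("x-forwarded-for")
    hdrs["x-forwarded-for"] = f"{prior}, {client_ip}" if prior else client_ip
    hdrs["x-forwarded-host"] = hdrs.get("host", "")

    forwarded = {}
    for name, value in hdrs.items():
        if name in hop and (vulnerable or name not in PROXY_OWNED):
            continue  # dropped as hop-by-hop
        forwarded[name] = value
    return forwarded


def origin_allows(forwarded, peer_ip, allowlist):
    """Origin-side IP allow-list that trusts its proxy's X-Forwarded-For.

    Assumption for the demo: when the header is missing the origin has
    nothing better than the TCP peer, i.e. the proxy's own internal address.
    """
    xff = forwarded.get("x-forwarded-for")
    client = xff.split(",")[0].strip() if xff else peer_ip
    return any(ipaddress.ip_address(client) in net for net in allowlist)


ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]  # constructed: internal range
PROXY_IP = "10.0.0.5"                               # constructed: the proxy
OUTSIDER = "203.0.113.7"                            # constructed: Internet client


def bypass_attempt(vulnerable):
    """Outside client asks the proxy to treat X-Forwarded-For as hop-by-hop."""
    request = {"Host": "intranet.example", "Connection": "close, X-Forwarded-For"}
    sent = forward_headers(request, OUTSIDER, vulnerable)
    return origin_allows(sent, PROXY_IP, ALLOWLIST)


def honest_request(client_ip, vulnerable):
    """The same client without the Connection trick, for comparison."""
    request = {"Host": "intranet.example"}
    sent = forward_headers(request, client_ip, vulnerable)
    return origin_allows(sent, PROXY_IP, ALLOWLIST)


if __name__ == "__main__":
    print("2.4.53 proxy, outsider with Connection trick:", bypass_attempt(True))
    print("2.4.54 proxy, outsider with Connection trick:", bypass_attempt(False))
    print("outsider without the trick:                  ", honest_request(OUTSIDER, False))
    print("internal client 10.1.2.3:                    ", honest_request("10.1.2.3", False))
```

The vulnerable proxy lets the outside client through because the origin only ever sees its trusted proxy's address; the corrected proxy keeps X-Forwarded-For no matter what the client lists in Connection. The real remedy is the 2.4.54 upgrade; as a defence in depth, an origin should only honour X-Forwarded-For when the proxy is the sole network path to it, and should deny rather than fall back to the peer address when the header it expects is absent.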
     [Stefan Eissing]
- modified patches
  % apache-test-application-xml-type.patch (refreshed)
  % apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed)
  % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)

==== apache2-manual ====
Version update (2.4.53 -> 2.4.54)
- same changes as listed under apache2 above; not repeated here

==== apache2-mod_php7 ====
Version update (7.4.29 -> 7.4.30)
- version update to 7.4.30
  * This is a security release.
    https://www.php.net/ChangeLog-7.php#7.4.30

==== apache2-prefork ====
Version update (2.4.53 -> 2.4.54)
- same changes as listed under apache2 above; not repeated here

==== apache2-utils ====
Version update (2.4.53 -> 2.4.54)
- same changes as listed under apache2 above; not repeated here

==== bluedevil5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: bluedevil5-lang
- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Use appropriate jobs to launch helpers
  * Fix single instance window activation on Wayland
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * DeviceItem: Port to contextualActionsModel
  * applet: Make placeholder text consistent with what's in the KCM
  * KCM: Add icons to PlaceholderMessage instances
  * applet: put PlaceholderMessage in a Loader to save a bit of memory
  * applet: give PlaceholderMessage an icon
  * applet: use common property to get list emptiness status
  * Add qt6 CI support
  * It's enabled in qt6
  * Port to PlasmaExtras version of Highlight
  * [wizard] Don't set minimum size
  * install plugins in kf<version>
  * kded/devicemonitor: Check BlueDevilDaemon exists when calling login1PrepareForSleep (kde#450195)
  * Make it compile against qt6
  * Remove unused Exec entry
  * applet: set contentWidth properly
  * applet: remove unnecessary delegate width override
  * [applet] Fix undefined property access
  * [applet] Add a bit of small spacing on the left of the checkbox
  * [applet] Replace == equality with strict === equality in JavaScript
  * Fix "Enable bluetooth" button
  * Remove redundant saveState call
  * applet: Toggle Bluetooth status on middle-click (kde#427816)

==== breeze ====
Version update (5.24.5 -> 5.25.0)
Subpackages: breeze5-cursors breeze5-decoration breeze5-style breeze5-style-lang libbreezecommon5-5
- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * kstyle: fix qqc2 desktop style sliders in RtL (kde#430101)
  * Fix mixup of PM_ToolBarItemMargin & PM_ToolBarFrameWidth
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== breeze-gtk ====
Version update (5.24.5 -> 5.25.0)
Subpackages: gtk2-metatheme-breeze gtk3-metatheme-breeze metatheme-breeze-common

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * GTK3,4: Make checkbox colors a pixel-perfect copy of QStyle
  * assets: Make checkmark a pixel-perfect copy of qstyle
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== discover ====
Version update (5.24.5 -> 5.25.0)
Subpackages: discover-backend-flatpak discover-backend-fwupd discover-backend-packagekit discover-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * PackageKit backend: fix searching for appstream IDs without .desktop suffix
  * Clean up Kirigami.Heading code a bit
  * ApplicationPage: standardize on whitespace between sections
  * flatpak notifier: Be more precise about when notifying about updates
  * flatpak notifier: Do not set up the system installation twice
  * notifier: Pass a token when we are starting from a notification
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== drkonqi5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: drkonqi5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * remove wrong visibility toggle (kde#454927)
  * allow navigating back to the mainpage (kde#453989)
  * DeveloperPage: do not automatically hide Save and Copy actions
  * DeveloperPage: Remove extra padding on the backtrace
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== glibmm2_4 ====
Version update (2.66.2 -> 2.66.4)
Subpackages: libgiomm-2_4-1 libglibmm-2_4-1

- Update to version 2.66.4:
  + Glib: ustring_Iterator: Don't declare copy constructor =default. The fix in the 2.66.3 release broke ABI. (Kjell Ahlstedt) Issue #98 (Scotty Trees)

==== gnome-bluetooth ====
Version update (42.0 -> 42.1)
Subpackages: libgnome-bluetooth-3_0-13 libgnome-bluetooth-ui-3_0-13 typelib-1_0-GnomeBluetooth-3_0

- Update to version 42.1:
  + Fix the display of devices with '&' in their names.
  + Updated translations.

==== inxi ====
Version update (3.3.16 -> 3.3.17)

- Updated to version 3.3.17:
  * /usr/share/doc/packages/inxi/inxi.changelog.

==== kactivitymanagerd ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kactivitymanagerd-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Remove dependency on Boost.Container
  * Add unistd.h include for sleep()
  * Fix XML parser porting regression
  * Add Qt6 CI
  * Don't advertise debug stream operator publicly if we don't export it
  * Port to KApplicationTrader
  * Port to QXmlStreamReader
  * Fix some compile errors against qt6
  * Fix DBus service name registration

==== kcm_sddm ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kcm_sddm-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Fix broken connect in NewStuff.Action QML component usage (kde#454884)
  * Clear cache when syncing (kde#440957)
  * Re-enable apply button on save failure (kde#429348)
  * Avoid empty error box (kde#413032)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Make the Halt and Reboot Commands' text fields editable
  * Add Qt6 CI support
  * Add support for new kauth includes
  * Allow to build against qt6

==== kde-cli-tools5 ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Disable more deprecated fallback code paths
  * Wrap deprecated API usage KCMShell in deprecation wrappers
  * Qt::AA_UseHighDpiPixmaps is enabled by default in qt6
  * Remaining bits to build with Qt6
  * Remove ktraderclient for 6
  * Port from KMimeTypeTrader to KParts::PartLoader
  * Start to adapt build system for building against qt6
  * kioclient: improve the format of the usage/help message
  * plasma-open-settings: Support passing args as the path of the URL
  * Remove explicit QuickSettings init method call
  * plasma-open-settings: systemsettings5 is now systemsettings
  * [keditfiletype] Set proper name in desktop file
  * Convert KCM desktop file to JSON
  * kcmshell: List KCMs that are queried without KServiceTypeTrader (kde#448396)

==== kde-gtk-config5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kde-gtk-config5-gtk3

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Prepare build system for building against qt6
  * Port deprecated method
  * Use the right data type for globalAnimationEntryValue
  * Use Header palette if it exists

==== kgamma5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kgamma5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Add qt6 CI support
  * Allow to build against qt6

==== khotkeys5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: khotkeys5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * docbook: Update settings.png
  * Only show KCM when on X11

==== kinfocenter5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kinfocenter5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * redirect stderr to stdout (kde#454197)
- Fix 0002-Look-for-binaries-in-Mesa-demos-path-as-well.patch (boo#1199975)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Fix about distro KCM not being able to be pinned
  * Fix: Iterate with std::as_const, to avoid copying vector
  * Finishing touches for the Qt6 build
  * Use non-deprecated KAuth includes
  * modules/about-distro: use standard inner margins for page
  * modules/about-distro: simplify spacing before "open in Info Center" button
  * modules/about-distro: remove bottom padding from page (kde#452437)
  * Explicitly set parent app for energyinfo KCM
  * Add some DMI data to about-distro
  * Hide filter bar when showing an error message
  * Display more informative and actionable error messages
  * Use non-deprecated ECMFindQmlModule
  * Fix install against qt6
  * Also horizontally center the error messages in their pages
  * new module firmware security
  * Allow to build against qt6
  * fix up help paths (kde#450918)
  * about-distro: remove unnecessary spacers above sections
  * Search in /usr/local/sbin:/usr/sbin:/sbin as fallback (kde#449792)
  * Add plasma-systemmonitor as the dependency of kinfocenter
  * Don't use deprecated variable
  * Drop unnecessary KIconThemes dependency
- Refresh 0002-Look-for-binaries-in-Mesa-demos-path-as-well.patch

==== kmenuedit5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kmenuedit5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Raise window when activating instance
  * Add Qt6 CI support
  * Make compile against qt6
  * Fix some qt6 compile error
  * Adapt build system for building against qt6
  * Make it appear in launchers and app stores
  * Set SingleMainWindow=true
  * Kdelibs4ConfigMigrator will be removed in qt6

==== kscreen5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kscreen5-lang kscreen5-plasmoid

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * kcm: Make screen area use full width
  * kcm: Don't force width of screens area
  * X11: fix kded xcb resource leak (kde#453280)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * plasmoid: Copy InhibitionHint from battery applet
  * plasmoid: Fix leftMargin expression and delete dummy invisible CheckBox
  * plasmoid: Port to PlasmaComponents3
  * plasmoid: Port away from theme context property to PlasmaCore.Theme fonts
  * plasmoid: Pass down screenLayouts model explicitly through a property
  * plasmoid: Fix JavaScript code style
  * plasmoid: Port away from plasmoid context property to attached Plasmoid
  * plasmoid: Port away from unit context property to PlasmaCore.Units
  * OSD: Don't wrap current index around when holding left/right key
  * Add test checking when we connect an external monitor while the device is rotated
  * Fix connecting external monitors when a monitor is rotated
  * readability: construct qbytearray directly instead of going through qstring
  * kcm: fix choosing the refresh rate
  * kcm: fix refresh rate list not being updated (kde#453392)
  * Prefer more common aspect ratios over correct math (kde#443764)
  * KCM: Explain what overscan and rgb range do (kde#442549)
  * kcm: hide the whole "Primary" RowLayout with only one screen
  * kcm: fixup 1b9b190d1f00e6287e7afc3d9b493d3aa04d1f85 (bad indentation)
  * KCM: Explain what being the Primary screen means
  * KCM: Center Orientation label when there's no automatic options
  * kcm: port checkboxes and radio buttons to use onToggled signal handlers
  * kcm: use correct left spacing for intended checkbox
  * kcm: Use KConfigXt to manage global scale
  * kcm: Use qmlRegisterAnonymousType
  * X11: align touchscreen to internal display (kde#415683)
  * KCM: fix crash when editing disabled display output's refresh rate (kde#450265)
  * [kcm] Only enable revert action when revert sheet is open (kde#449931)
  * Ensure to emit ResolutionRole dataChanged signals (kde#448855)
  * Use more generic name for panel connectors

==== kscreenlocker ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kscreenlocker-lang libKScreenLocker5

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Handle fallback packages when checking for screenlocker API version
  * Wait for screenlocker UI to call close
  * Remove old non-compliant Ctrl+Alt+L shortcut that interferes with apps (kde#454397)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Disable logind integration for kwin's unit tests
  * Add fallback to the absolute path to kscreenlocker_greet (kde#452817)
  * Guard double authenticate calls
  * Fix two minor Qt6 build regressions
  * Cleanup kcheckpass
  * Plasma 5.25 brings breaking API changes to the lockscreen
  * Port screen geometry change handling away from QDesktopWidget
  * Don't recommend current session
  * Port away from deprecated KDeclarative API
  * kcm: Fix the load of wallpaper kcms (kde#452757)
  * Port away from KWayland::Server
  * Remove unneeded default args for plugin constructors
  * Port away from using KAboutData with KCMs
  * Install KCM in new namespaces
  * De-duplicate json metadata of KPackages
  * Remove explicit QuickSettings init method call
  * Use PACKAGE_PREFIX_DIR before any find_dependency() calls
  * Make the CMake config file work in a Qt6 build as well
  * Adapt build system to also support Qt6
  * Port from KDeclarative::ConfigPropertyMap to KConfigPropertyMap
  * Adapt to Layer Shell Qt API change
  * Add form factors to embedded json metadata
  * Port to KLibexec

==== ksshaskpass5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: ksshaskpass5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Don't pretend we have a parent window for opening the wallet
  * Adapt build system for building against qt6 (still missing porting
  * It compiles fine without deprecated methods

==== ksystemstats5 ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Add more network sensors
  * Add a window system sensor (kde#452461)
  * cmake: Make sure we also search for dbus interfaces in DESTDIR
  * Remove duplicate header between header cpp file
  * Add Qt6 CI
  * Allow to compile against qt6
  * CPU Plugin: Prevent integer overflow of total usage (kde#448626)
  * Set proper initial values for many SensorProperties (kde#446414)
  * disks: Properly initialize read/write counters (kde#448494)

==== kwayland-integration ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Remove KGuiAddons dependency
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Ensure that xdgActivationTokenArrived is not emitted directly from requestXdgActivationToken
  * Finalize the Qt6/KF6 port and add Qt6 CI
  * Remove modifierkeyinfo plugin
  * Adapt build system for building against qt6
  * Prevent double deletion of shmpools (kde#443706)

==== kwin5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: kwin5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Too many changes to list here
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here
- Refresh 0001-Export-consistent-hostname-as-XAUTHLOCALHOSTNAME.patch

==== kwrited5 ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Install in kf<version>
  * Add CI qt6 support
  * Make it compile against qt6

==== layer-shell-qt ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Mark required deps as required (kde#454912)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Minor api doc improvement for api.kde.org
  * Build with Qt6
  * Add desiredScreen property to LayerShellQt::Window

==== libkdecoration2 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: libkdecorations2-5 libkdecorations2-5-lang libkdecorations2private9

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Add RtL support (kde#432390)
  * Hide tooltip when pressing button
  * decoration: add blurregion property
  * Add KF6 build support and CI

==== libkscreen2 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: libKF5Screen7 libkscreen2-plugin

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Remove CI dependency on kwayland-server as that is no longer a thing.
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Use const'ref
  * Delete proxy for PrimaryOutput wayland interface in destructor (kde#451847)
  * Adapt recent DPMS changes to also build with Qt6
  * [doctor] Port dpms handling to QtWaylandScanner
  * Adapt build system to also support Qt6
  * backends/kwayland: Use output name to guess output type
  * Update required PlasmaWaylandProtocols version

==== libksysguard5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: ksysguardsystemstats-data libKSysGuardSystemStats1 libksysguard5-imports libksysguard5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Recommend the plugins package (boo#1199851)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== milou5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: milou5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * ResultDelegate: Fix height binding loop on multiline (kde#454507)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Remove duplicate header between header cpp file
  * Make compile without deprecated method
  * Show all headers in qtc6
  * Make compile against qt6 on CI
  * Adapt to build against qt6
  * Remove duplicate timeout logic in RunnerResultsModel
  * Avoid sorting old results based on new query input string

==== oxygen5-sounds ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
- New package containing the now-split oxygen-sounds

==== php7 ====
Version update (7.4.29 -> 7.4.30)
Subpackages: php7-cli php7-ctype php7-dom php7-gd php7-gettext php7-iconv php7-json php7-mbstring php7-mysql php7-openssl php7-pdo php7-sqlite php7-tokenizer php7-xmlreader php7-xmlwriter

- version update to 7.4.30
  * This is a security release.
    https://www.php.net/ChangeLog-7.php#7.4.30

==== plasma-browser-integration ====
Version update (5.24.5 -> 5.25.0)
Subpackages: plasma-browser-integration-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * It's enabled by default in qt6
  * Add Qt5 Linux CI
  * Final touches to compile with Qt6
  * Show headers in qtc6
  * ignore build dir
  * Prepare build system for building against qt6
  * Use HTTPS for link to KDE homepage
  * Fix typo in author's email
  * Use WeakSet to avoid memory leak
  * [Tabs Runner] Only list tabs from "normal" windows

==== plasma-nm5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: plasma-nm5-lang plasma-nm5-openconnect plasma-nm5-openvpn plasma-nm5-pptp plasma-nm5-vpnc

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * Add xdg activation support to captive portal notification
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== plasma5-addons ====
Version update (5.24.5 -> 5.25.0)
Subpackages: plasma5-addons-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * [applets/konsoleprofiles] Fix invalid property error
  * wallpapers/potd: update accent color on image changed
  * Explicitly list relevant lunar phase events (kde#454801)
  * applets/dict: focus on input field on expanded
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here
- Needs newer GCC on Leap

==== plasma5-desktop ====
Version update (5.24.5 -> 5.25.0)
Subpackages: plasma5-desktop-emojier

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * desktoppackage: use `dominant` color instead of `highlight` color
  * containments: add an application icon to the dragged location (kde#454581)
  * Drop hack after porting back to lastSpacer
  * containments/panel: fix Layout binding in `appletContainerComponent` (kde#454095,kde#454517)
  * Change default keyboard switching shortcut to Meta+Alt+K
  * desktoppackage: don't focus on panel when pressing applet shortcuts (kde#453166)
  * Fix icon applet positioning (kde#454105)
  * Fix applet background becoming opaque when no window is maximized (kde#454175)
  * kcms/ksplash: Fix 'None' entry not appearing last in the grid view (kde#451422)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here

==== plasma5-disks ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Use new kauth includes
  * compile fine without deprecated methods
  * Use new reuse-lint ci support
  * Add CI qt6 support
  * Make it compile against qt6

==== plasma5-integration ====
Version update (5.24.5 -> 5.25.0)
Subpackages: plasma5-integration-plugin plasma5-integration-plugin-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * QDbusMenuBar: properly handle app-wide menubars
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Remove duplicate header between header cpp file
  * Update unit test to reflect code changes
  * Fix qt6 cmake support
  * Port QX11Info
  * Adapt build system for building against qt6
  * Initialise globals on startup (kde#452060)
  * WaylandIntegration: Install event filter
  * Unshadow variable
  * Exclude the kwin process when checking if we are in wayland
  * Use QWaylandClientExtension for wayland code
  * Initial support for building against Qt6
  * const'ify variables
  * [KDEPlatformFileDialog] Don't do stat if baseUrl didn't change
  * It compiles fine without deprecated methods
  * Move import QtQuickSettings into platformtheme
  * Gracefully handle invalid color scheme setting (kde#449613)
  * Avoid creating plasma APIs for non-toplevels

==== plasma5-openSUSE ====
Version update (84.87~git20220116T220745~fffd234 -> 84.87~git20220602T134713~22403ba)
Subpackages: plasma5-defaults-openSUSE plasma5-theme-openSUSE plasma5-workspace-branding-openSUSE sddm-theme-openSUSE

- Update to 5.25.0
- Update to version 84.87~git20220602T134713~22403ba:
  * Set ColorScheme=BreezeClassic in /etc/xdg/kdeglobals as well
- Update to 5.24.90

==== plasma5-pa ====
Version update (5.24.5 -> 5.25.0)
Subpackages: plasma5-pa-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Modernize code
  * applet: Add fallback icons in device view and stream view
  * Initialise member variable
  * Remove duplicate header between header cpp file
  * SpeakerTest: Fix subwoofer test (kde#445523)
  * We need kf5.90 for building against qt6
  * Add Qt6 CI
  * applet: Fix logic to show virtual devices
  * gconf is long gone, always use gsettings
  * Add unmute message in both KCM and applet tooltip
  * [CI] Require passing unit tests
  * Speaker Test: Show playback errors in the UI
  * Applet: Hide virtual devices by default
  * Make compile against qt6
  * [kcm] Update device combobox when current device changes externally
  * Make distinction between audio level and audio meter clear

==== plasma5-systemmonitor ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Fix activating running instance on Wayland
  * Set loadType to onstart for history page
  * Add a page option to allow preloading a page (kde#440402)
  * Remove duplicate header between header/file
  * Remove explicit QuickSettings init method call
  * Add CI support
  * It's enabled by default in qt6
  * Fix compile against qt6
  * Allow to build against qt6
  * Do not use Control as container for config UI elements
  * Set "noMargins" to true for Applications and Processes pages (kde#447146)
  * Mark as single window app

==== plasma5-thunderbolt ====
Version update (5.24.5 -> 5.25.0)

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Add CI qt6 support
  * Make it compile against qt6

==== plasma5-workspace ====
Version update (5.24.5 -> 5.25.0)
Subpackages: gmenudbusmenuproxy plasma5-session plasma5-session-wayland plasma5-workspace-lang plasma5-workspace-libs xembedsniproxy

- Add patch to fix a multiscreen bug when PLASMA_USE_QT_SCALING=1 (kde#450443, https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/1781)
  * 0001-shell-refresh-geometries-of-all-DesktopView-and-Pane.patch
- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Too many changes to list here
- Drop patches, now upstream:
  * 0001-startkde-Reload-systemd-on-Plasma-start.patch
- Add patch to fix opensuse-welcome autostart disabling:
  * 0001-startkde-Reload-systemd-on-Plasma-start.patch
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here
- Drop patches, now upstream:
  * 0001-applets-appmenu-fix-top-level-menu-text-coloration.patch
  * 0001-kcms-desktoptheme-find-metadata.json-when-loading-Th.patch

==== polkit-kde-agent-5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: polkit-kde-agent-5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * Add Qt6 CI support
  * Make compile against qt6

==== powerdevil5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: powerdevil5-lang

- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- No code changes since 5.24.90
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Changes since 5.24.5:
  * daemon/actions: remove unused variable
  * Remove unused KRun code
  * Use non-deprecated KAuth includes
  * Deduce pair types automatically
  * Remove unused includes
  * Adapt to QtX11Extras being gone in Qt6
  * Use version-less install dir variables
  * Port away from QStringRef
  * Fix Commit 761fc8a4
  * Add percentage display next to the brightness and keyboard backlight sliders in KCM (kde#440314)
  * Adapt build system for building against qt6 (need kscreen not ported yet)
  * Write brightness to all raw devices (kde#399646)
  * Fix signature in qt6
  * Use new kauth includes
  * Improved backlight devices selection (kde#399646)
  * Support hardware with only one charging threshold, not both (kde#449997)
  * Use non-deprecated SYSTEMD_USER_UNIT_INSTALL_DIR

==== python ====

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command injection in the mailcap module.
- Filter out executable-stack error that is triggered for i586 target.
- Update bundled pip wheel to the latest SLE version patched against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python in automatically when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, bpo#43285, CVE-2021-4189, gh#python/cpython#24838) making ftplib not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x) for now.
- on sle12, python2 modules will still be called python-xxxx until EOL, for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python in automatically when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation.
- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch.
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 (CVE-2020-26116, bpo#39603) no longer allowing special characters in the method parameter of HTTPConnection.putrequest in httplib, stopping injection of headers. Such characters now raise ValueError.
- Renamed patch for assigned CVE:
  * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch -> CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (boo#1189241, CVE-2021-3737)
- Renamed patch for assigned CVE:
  * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch (boo#1189287, CVE-2021-3733)
- Fix python-doc build (bpo#35293):
  * sphinx-update-removed-function.patch
- Update documentation formatting for Sphinx 3.0 (bpo#40204).
- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in request (bpo#43075, boo#1189287).
- Add missing security announcement to bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch which fixes http client infinite line reading (DoS) after a http 100 (bpo#44022, boo#1189241).
- Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).
- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of semicolon as a query string separator (bpo#42967, bsc#1182379, CVE-2021-23336).
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution.
- (bsc#1180125) We really don't Require the python-rpm-macros package. Unnecessary dependency.
- Add patch configure_PYTHON_FOR_REGEN.patch which makes configure.ac consider the correct version of PYTHON_FOR_REGEN (bsc#1078326).
- Use python3-Sphinx on anything more recent than SLE-15 (inclusive).
- Update to 2.7.18, the final release of Python 2. Ever.:
  - Newline characters have been escaped when performing uu encoding to prevent them from overflowing into the content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.
  - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben Caller.
  - Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators.
  - bsc#1155094 (CVE-2019-18348) Disallow control characters in hostnames in http.client. Such potentially malicious header injection URLs now cause an InvalidURL to be raised.
  - Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host.
  - Fix problems identified by GCC's -Wstringop-truncation warning.
  - AddRefActCtx() was needlessly being checked for failure in PC/dl_nt.c.
  - Prevent failure of test_relative_path in test_py_compile on macOS Catalina.
  - Fixed possible leak in `PyArg_Parse` and similar functions for format units "es#" and "et#" when the macro `PY_SSIZE_T_CLEAN` is not defined.
- Remove upstreamed patches:
  - CVE-2019-18348-CRLF_injection_via_host_part.patch
  - python-2.7.14-CVE-2017-1000158.patch
  - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
  - CVE-2018-1061-DOS-via-regexp-difflib.patch
  - CVE-2019-10160-netloc-port-regression.patch
  - CVE-2019-16056-email-parse-addr.patch
- Add CVE-2019-9674-zip-bomb.patch to improve the documentation warning about the dangers of zip bombs and other security problems with the zipfile library (bsc#1162825 CVE-2019-9674).
- Change to Requires: libpython%{so_version} == %{version}-%{release} in python-base to keep both packages always synchronized (add %{so_version}) (bsc#1162224).
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug "Python urllib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)" (bsc#1162367).
- Provide python-testsuite from the devel subpackage to ease py2->py3 dependencies.
- Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch off tests colliding with the combination of modern Python and ancient OpenSSL on SLE-12.
- libnsl is required only on more recent SLEs and openSUSE; older glibc supported NIS on its own.
- Add provides in the gdbm subpackage to provide dbm symbols. This allows us to use %%{python_module dbm} as a dependency and have it properly resolved for both python2 and python3.
- Drop appstream-glib BuildRequires and no longer call appstream-util validate-relax: eliminates a build cycle between as-glib and python. The only thing we would gain by calling as-util is catching if upstream breaks the appdata.xml file in a future release. Considering py2 is dying, chances for a new release, let alone one breaking the xml file, are slim.
- Unify packages among openSUSE:Factory and SLE versions (bsc#1159035); add missing records to this changelog.
- Add idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Add python2_split_startup Provide to make it possible for shared-python-startup to conflict with older packages.
- Move /etc/pythonstart script to the shared-python-startup package.
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes bsc#1149792.
- Add adapted-from-F00251-change-user-install-location.patch fixing pip/distutils to install into /usr/local.
- Update to 2.7.17: a bug fix release in the Python 2.7.x series. It is expected to be the penultimate release for Python 2.7.
- Removed patches included upstream:
  - CVE-2018-20852-cookie-domain-check.patch
  - CVE-2019-16935-xmlrpc-doc-server_title.patch
  - CVE-2019-9636-netloc-no-decompose-characters.patch
  - CVE-2019-9947-no-ctrl-char-http.patch
  - CVE-2019-9948-avoid_local-file.patch
  - python-2.7.14-CVE-2018-1000030-1.patch
  - python-2.7.14-CVE-2018-1000030-2.patch
- Renamed remove-static-libpython.diff and python-bsddb6.diff to remove-static-libpython.patch and python-bsddb6.patch to unify filenames.
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935), a reflected XSS in python/Lib/DocXMLRPCServer.py.
- Add bpo36302-sort-module-sources.patch (boo#1041090).
- Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parsing email addresses [bsc#1149955, CVE-2019-16056].
- boo#1141853 (CVE-2018-20852): add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok, which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server.
- Skip test_urllib2_localnet, which randomly fails in OBS.
- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes the regression introduced by the previous patch (CVE-2019-10160). Upstream gh#python/cpython#13812.
- Set _lto_cflags to nil as it would otherwise prevent propagating LTO to Python modules that are built in a separate package.
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch. Address the issue by disallowing URL paths with embedded whitespace or control characters from passing through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised.
- bsc#1130847 (CVE-2019-9948): add CVE-2019-9948-avoid_local-file.patch removing the unnecessary (and potentially harmful) URL scheme local-file://.
- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch. Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised (CVE-2019-9636). Upstream commits e37ef41 and 507bd8c.
- (bsc#1111793) Update to 2.7.16:
  * bugfix-only release: complete list of changes at https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst
  * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch which are fully included in the tarball.
  * Updated patches to apply cleanly:
    CVE-2019-5010-null-defer-x509-cert-DOS.patch
    bpo36160-init-sysconfig_vars.patch
    do-not-use-non-ascii-in-test_ssl.patch
    openssl-111-middlebox-compat.patch
    openssl-111-ssl_options.patch
    python-2.5.1-sqlite.patch
    python-2.6-gettext-plurals.patch
    python-2.7-dirs.patch
    python-2.7.2-fix_date_time_compiler.patch
    python-2.7.4-canonicalize2.patch
    python-2.7.5-multilib.patch
    python-2.7.9-ssl_ca_path.patch
    python-bsddb6.diff
    remove-static-libpython.patch
  * Update python-2.7.5-multilib.patch to pass with the new platlib regime.
- bsc#1109847 (CVE-2018-14647): add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo-34623.
- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch. PyWeakref_NewProxy@Objects/weakrefobject.c creates a new instance of the PyWeakReference struct and does not initialize wr_prev and wr_next of the new instance. These pointers can contain garbage and point to random memory locations. Python should not crash while destroying the instance created in the same interpreter function. As per my understanding, both wr_prev and wr_next of a PyWeakReference instance should be initialized to NULL to avoid a segfault.
- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch fixing bpo-35746 (CVE-2019-5010).
  An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
==== python-MarkupSafe ====
- Require python 3.6. There is no need to require a newer version, and this way it builds on openSUSE Leap >= 15.3.
==== python-base ====
Subpackages: libpython2_7-1_0 python-xml
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command injection in the mailcap module.
==== systemsettings5 ====
Version update (5.24.5 -> 5.25.0)
Subpackages: systemsettings5-lang
- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * systemsettingsrunner: Fix all matches having the same id
  * IconView: Remove duplicated tooltips (kde#409327)
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here
==== xdg-desktop-portal-kde ====
Version update (5.24.5 -> 5.25.0)
Subpackages: xdg-desktop-portal-kde-lang
- Update to 5.25.0
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.25.0
- Changes since 5.24.90:
  * [filechooser] Make sure outgoing URIs are encoded (kde#454850)
  * [screenshot] Encode result URI
  * UserInfo: Fix initialization error
  * screencast: Include valid windows in the list of streams to stream
  * screencast: When we stop a stream, do it actively
  * screencast: When closing a session, only close the streams from that session
  * screencast: Do not provide every running stream
  * screencast: Keep persisting if the user chose to persist (kde#454128)
  * Add FreeBSD CI
  * don't supply excess argument
- Update to 5.24.90
  * New feature release
  * For more details please see:
  * https://kde.org/announcements/plasma/5/5.24.90
- Too many changes to list here
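The NFKC netloc check described in the python changelog entry for CVE-2019-9636 above, written out as an added example (Python 3; not code from this snapshot mail or from CPython itself, though it follows the same logic the fix introduced). The sample hosts are constructed; `check_netloc`, `is_safe_netloc` and `split_normalized` are names chosen here.

```python
import unicodedata
from urllib.parse import urlsplit


def check_netloc(netloc: str) -> None:
    """Raise ValueError if NFKC normalisation would inject a URL delimiter.

    IDNA encoding applies NFKC to the host, so a host containing e.g.
    U+2100 (ACCOUNT OF, which normalises to 'a/c') would silently gain a
    '/' after parsing, moving part of the host into the path. The check
    refuses such a netloc before that can happen.
    """
    if not netloc or netloc.isascii():
        return
    # Delimiters already present in the raw netloc (userinfo '@', port ':')
    # are legitimate; strip them so only newly created ones are detected.
    stripped = netloc
    for allowed in "@:#?":
        stripped = stripped.replace(allowed, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return
    for delimiter in "/?#@:":
        if delimiter in normalized:
            raise ValueError(
                f"netloc {netloc!r} contains invalid characters "
                "under NFKC normalization"
            )


def is_safe_netloc(netloc: str) -> bool:
    """True if check_netloc accepts the netloc, False if it rejects it."""
    try:
        check_netloc(netloc)
    except ValueError:
        return False
    return True


def split_normalized(url: str) -> "tuple[str, str]":
    """The caveat from the changelog: a URL NFKC-normalised *before* parsing
    raises no error, because the delimiter is then a real one and urlsplit
    simply parses the shorter host. Returns (netloc, path)."""
    parts = urlsplit(unicodedata.normalize("NFKC", url))
    return parts.netloc, parts.path


if __name__ == "__main__":
    # Constructed sample hosts, not taken from any real incident.
    for host in ["example.com", "b\u00fccher.example", "\u2100.example"]:
        print(repr(host), "safe" if is_safe_netloc(host) else "rejected")
    print(split_normalized("http://\u2100.example/"))  # ('a', '/c.example/')
```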
participants (1)
-
Guillaume Gardet