Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20211127 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: ImageMagick (7.1.0.14 -> 7.1.0.16) MozillaFirefox (94.0.1 -> 94.0.2) apache2 apache2-manual apache2-prefork apache2-utils at audacity bison blueberry (1.4.4 -> 1.4.5) brltty ceph (16.2.6.462+g5fefbbf8888 -> 16.2.6.463+g22e7612f9ad) cups-filters dbus-1 dbus-1-x11 fprintd (1.90.9 -> 1.94.1) gpg2 (2.2.27 -> 2.3.3) librsvg (2.52.3 -> 2.52.4) libstorage-ng (4.4.57 -> 4.4.58) libvpx libzapojit lirc mailx ncurses (6.3.20211115 -> 6.3.20211120) protobuf-c python-PyYAML (5.4.1 -> 6.0) python-psutil python-pysmbc seahorse-sharing syslogd tgt xapps (2.2.3 -> 2.2.5) yast2-storage-ng (4.4.14 -> 4.4.15) === Details === ==== ImageMagick ==== Version update (7.1.0.14 -> 7.1.0.16) Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - update to 7.1.0.16: * Fixed an OpenCL build problem. * Added support for reading extra channels in a PSD file (reference * Fix alpha channel calculation of arithmetic divide compose operator. ==== MozillaFirefox ==== Version update (94.0.1 -> 94.0.2) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 94.0.2: * Update preference design for Firefox Suggest for improved clarity * Resolved general instability/crashes on Linux caused by a file descriptor leak when backgrounding tabs using WebGL (bmo#1741997) ==== apache2 ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== apache2-manual ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== apache2-prefork ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== apache2-utils ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== at ==== - Drop ProtectSystem and ProtectHome hardening. Unfortunately they're breaking at jobs (boo#1192294) ==== audacity ==== Subpackages: audacity-lang - Conflict pipewire-libjack-0_3 to prevent boo#1191585 ==== bison ==== Subpackages: bison-lang - disable tests and profiling using tests on armv6l (boo#1192737) ==== blueberry ==== Version update (1.4.4 -> 1.4.5) Subpackages: blueberry-lang - Update to version 1.4.5: * Add Turn bluetooth on/off option in tray menu. * blueberry-tray.py: Remove menu positioning code. * blueberry-tray.py: Silence a runtime warning. * rfkillMagic: Rewrite safechild in shell script to reduce memory usage. * Added build & install steps to readme file. * l10n: Update POT. - Restore Group. ==== brltty ==== Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-speech-dispatcher brltty-driver-xwindow libbrlapi0_8 python3-brlapi system-user-brltty xbrlapi - Add all sysusers.d Requires ==== ceph ==== Version update (16.2.6.462+g5fefbbf8888 -> 16.2.6.463+g22e7612f9ad) Subpackages: librados2 librbd1 - Update to 16.2.6-463-g22e7612f9ad: + (bsc#1178073) mgr/dashboard: fix downstream NFS doc links - Preservation of Bugzilla, Jira and CVE citations from earlier incarnations of this changes file after double-checking that none of these fixes got lost in the pacific rebase: + bsc#1163764 (--container-init feature cherry-picked to octopus) + bsc#1170200 (mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically) + bsc#1172926 (mgr/orchestrator: Sort 'ceph orch device ls' by host) + bsc#1173079 (mgr/devicehealth: device_health_metrics pool gets created even without any OSDs in the cluster) + bsc#1174466 (mon: have 'mon stat' output json as well) + bsc#1174526 (mgr/dashboard: allow getting fresh inventory data from the orchestrator) + bsc#1174529 (rpm: on SUSE, podman is required for cephadm to work) + bsc#1174644 (cephadm: log to file) + bsc#1175120 (downstream branding) + bsc#1175161 (downstream branding) + bsc#1175169 (downstream branding) + bsc#1176390 (mgr/dashboard: enable different URL for users of browser to Grafana) + bsc#1176451 (Drop patch "rpm: on SUSE, podman is required for cephadm to work") + bsc#1176489 (mgr/cephadm: lock multithreaded access to OSDRemovalQueue) + bsc#1176499 (mgr/cephadm: fix RemoveUtil.load_from_store()) + bsc#1176638 (ceph-volume: batch: call the right prepare method) + bsc#1176679 (mgr/dashboard: enable different URL for users of browser to Grafana) + bsc#1176828 (cephadm: command_unit: call systemctl with verbose=True) + bsc#1177078 (mgr/dashboard: Fix bugs in a unit test and i18n translation) + bsc#1177151 (python-common: do not skip unavailable devices) + bsc#1177319 (--container-init feature cherry-picked to octopus) + bsc#1177344 (mgr/dashboard: support Orchestrator and user-defined Ganesha cluster) + bsc#1177360 (cephadm: silence "Failed to evict container" log msg) + bsc#1177450 (ceph-volume: don't exit before empty report can be printed) + bsc#1177643 (Revert "spec: Podman (temporarily) requires apparmor-abstractions on suse") + bsc#1177676 (cephadm: allow uid/gid == 0 in copy_tree, copy_files, move_files) + bsc#1177843 (CVE-2020-25660) + bsc#1177857 (mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails) + bsc#1177933 (cephadm: configure journald as the logdriver) + bsc#1178531 (cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph) + bsc#1178837 (rgw: cls/user: set from_index for reset stats calls) + bsc#1178860 (mgr/dashboard: Disable TLS 1.0 and 1.1) + bsc#1178905 (CVE-2020-25678) + bsc#1178932 (cephadm: reference the last local image by digest) + bsc#1179016 (rpm: require smartmontools on SUSE) + bsc#1179452 (mgr/insights: Test environment requires 'six') + bsc#1179526 (rgw: during GC defer, prevent new GC enqueue) + bsc#1179569 (cephadm: reference the last local image by digest) + bsc#1179802 (CVE-2020-27781) + bsc#1179997 (CVE-2020-27839) + bsc#1180107 (ceph-volume: pass --filter-for-batch from drive-group subcommand) + bsc#1180155 (CVE-2020-27781) + bsc#1181291 (mgr/cephadm: alias rgw-nfs -> nfs) + bsc#1182766 (cephadm: fix 'inspect' and 'pull') + bsc#1183074 (CVE-2021-20288) + bsc#1183561 (mgr/cephadm: on ssh connection error, advice chmod 0600) + bsc#1183899 (bluestore: fix huge reads/writes at BlueFS) + bsc#1184231 (cephadm: Allow to use paths in all <_devices> drivegroup sections) + bsc#1184517 (cls/rgw: look for plane entries in non-ascii plain namespace too) + bsc#1185246 (rgw: check object locks in multi-object delete) + bsc#1185619 (CVE-2021-3524) + bsc#1185619 (CVE-2021-3524) + bsc#1186020 (CVE-2021-3531) + bsc#1186021 (CVE-2021-3509) + bsc#1186348 (mgr/zabbix: adapt zabbix_sender default path) + bsc#1188979 ("mgr/cephadm: pass --container-init to "cephadm deploy" if specified" and "Revert "cephadm: default container_init to False") + bsc#1189173 (downstream branding) + jsc#SES-1071 (ceph-volume: major batch refactor - upstream PR#34740) + jsc#SES-185 (SES support with cache software) + jsc#SES-704 (mgr/snap_schedule) ==== cups-filters ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_cups-browsed.service.patch ==== dbus-1 ==== Subpackages: libdbus-1-3 - Add CONFIG parameter to %sysusers_generate_pre - Added BuildRequires alts for libalternatives. - Fixed spec file regarding removing old update-alternatives entries. - Use libalternatives instead of update-alternatives. ==== dbus-1-x11 ==== - Added BuildRequires alts for libalternatives. - Fixed spec file regarding removing old update-alternatives entries. - Use libalternatives instead of update-alternatives. ==== fprintd ==== Version update (1.90.9 -> 1.94.1) Subpackages: fprintd-lang fprintd-pam - Update to version 1.94.1 * Highlights: + Fix systemd unit so that udev hotplug events are processed + Report back the selected finger if there is only one + Change PolicyKit strings for clarity + Various fixes to the testsuite + Plenty of translation updates - Changes from 1.94.0 * Highlights: + Implement suspend/resume handling. + This requires writing "power/persist" and "power/wakeup" in sysfs. + Support libfprint overheat protections + Delete host prints when device prints disappeared + pam: Immediately return success information + Plenty of updated translations thanks to move to Fedora Weblate + Fix possible race when retrieving session information + Fix possible race when a client disconnects + GLib 2.56 compatibility fixes - Changes from 1.92.0 * Highlights: + fprintd now prevents the same finger to be enrolled twice + Support clearing storage of match-on-chip devices + pam: Cancel authentication on SIGINT (e.g. ctrl+c with sudo) + pam: Always return PAM_AUTHINFO_UNAVAIL for devices without prints + Expose finger status on DBus + Add method to delete only a specific print of a user + Improved error reporting for deletion + Wait for finger removal before cancelling operations + Prefer older prints when garbage collecting + Major improvements to test coverage - Remove README.SUSE because rh#1693356 and upstream classified it as not a problem ==== gpg2 ==== Version update (2.2.27 -> 2.3.3) Subpackages: dirmngr - GnuPG 2.3.3: * agent: Fix segv in GET_PASSPHRASE (regression) * dirmngr: Fix Let's Encrypt certificate chain validation * gpg: Change default and maximum AEAD chunk size to 4 MiB * gpg: Print a warning when importing a bad cv25519 secret key * gpg: Fix --list-packets for undecryptable AEAD packets * gpg: Verify backsigs for v5 keys correctly * keyboxd: Fix checksum computation for no UBID entry on disk * keyboxd: Fix "invalid object" error with cv448 keys * dirmngr: New option --ignore-cert * agent: Fix calibrate_get_time use of clock_gettime * Support a gpgconf.ctl file under Unix and use this for the regression tests - GnuPG 2.3.2: * gpg: Allow fingerprint based lookup with --locate-external-key. * gpg: Allow decryption w/o public key but with correct card inserted. * gpg: Auto import keys specified with --trusted-keys. * gpg: Do not use import-clean for LDAP keyserver imports. * gpg: Fix mailbox based search via AKL keyserver method. * gpg: Fix memory corruption with --clearsign introduced with 2.3.1. * gpg: Use a more descriptive prompt for symmetric decryption. * gpg: Improve speed of secret key listing. * gpg: Support keygrip search with traditional keyring. * gpg: Let --fetch-key return an exit code on failure. * gpg: Emit the NO_SECKEY status again for decryption. * gpgsm: Support decryption of password based encryption (pwri). * gpgsm: Support AES-GCM decryption. * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint. * gpgsm: Fix finding of issuer in use-keyboxd mode. * gpgsm: New option --ldapserver as an alias for --keyserver. * agent: Use SHA-256 for SSH fingerprint by default. * agent: Fix calling handle_pincache_put. * agent: Fix importing protected secret key. * agent: Fix a regression in agent_get_shadow_info_type. * agent: Add translatable text for Caps Lock hint. * agent: New option --pinentry-formatted-passphrase. * agent: Add checkpin inquiry for pinentry. * agent: New option --check-sym-passphrase-pattern. * agent: Use the sysconfdir for a pattern file. * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry. * dirmngr: LDAP search by a mailbox now ignores revoked keys. * dirmngr: For KS_SEARCH return the fingerprint also with LDAP. * dirmngr: Allow for non-URL specified ldap keyservers. * dirmngr: New option --ldapserver. * dirmngr: Fix regression in KS_GET for mail address pattern. * card: New option --shadow for the list command. * tests: Make sure the built keyboxd is used. * scd: Fix computing shared secrets for 512 bit curves. * scd: Fix unblock PIN by a Reset Code with KDF. * scd: Fix PC/SC removed card problem. * scd: Recover the partial match for PORTSTR for PC/SC. * scd: Make sure to release the PC/SC context. * scd: Fix zero-byte handling in ECC. * scd: Fix serial number detection for Yubikey 5. * scd: Add basic support for AET JCOP cards. * scd: Detect external interference when --pcsc-shared is in use. * scd: Fix access to the list of cards. * gpgconf: Do not list a disabled tpm2d. * gpgconf: Make runtime changes with different homedir work. * keyboxd: Fix searching for exact mail adddress. * keyboxd: Fix searching with multiple patterns. * tools: Extend gpg-check-pattern. * wkd: Fix client issue with leading or trailing spaces in user-ids. * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry. * Change the default keyserver to keyserver.ubuntu.com. This is a temporary change due to the shutdown of the SKS keyserver pools. - GnuPG 2.3.1: * The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more. * gpg: Force version 5 key creation for ed448 and cv448 algorithms. * gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver. * gpg: Lookup a missing public key of the active card via LDAP. * gpgsm: New command --show-certs. * scd: Fix CCID driver for SCM SPR332/SPR532. * scd: Further improvements for PKCS#15 cards. * New configure option --with-tss to allow the selection of the TSS library. - Rebase patches: * gnupg-add_legacy_FIPS_mode_option.patch * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch * gnupg-dont-fail-with-seahorse-agent.patch * gnupg-set_umask_before_open_outfile.patch - GnuPG 2.3.0: * A new experimental key database daemon is provided. To enable it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored in a SQLite database and make key lookup much faster. * New tool gpg-card as a flexible frontend for all types of supported smartcards. * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and gpg-connect-agent. * The gpg-wks-client tool is now installed under bin; a wrapper for its old location at libexec is also installed. * tpm2d: New daemon to physically bind keys to the local machine. * gpg: Switch to ed25519/cv25519 as default public key algorithms. * gpg: Verification results now depend on the --sender option and the signer's UID subpacket. * gpg: Do not use any 64-bit block size cipher algorithm for encryption. Use AES as last resort cipher preference instead of 3DES. This can be reverted using --allow-old-cipher-algos. * gpg: Support AEAD encryption mode using OCB or EAX. * gpg: Support v5 keys and signatures. * gpg: Support curve X448 (ed448, cv448). * gpg: Allow use of group names in key listings. * gpg: New option --full-timestrings to print date and time. * gpg: New option --force-sign-key. * gpg: New option --no-auto-trust-new-key. * gpg: The legacy key discovery method PKA is no longer supported. The command --print-pka-records and the PKA related import and export options have been removed. * gpg: Support export of Ed448 Secure Shell keys. * gpgsm: Add basic ECC support. * gpgsm: Support creation of EdDSA certificates. [#4888] * agent: Allow the use of "Label:" in a key file to customize the pinentry prompt. * agent: Support ssh-agent extensions for environment variables. With a patched version of OpenSSH this avoids the need for the "updatestartuptty" kludge. * scd: Improve support for multiple card readers and tokens. * scd: Support PIV cards. * scd: Support for Rohde&Schwarz Cybersecurity cards. * scd: Support Telesec Signature Cards v2.0 * scd: Support multiple application on certain smartcard. * scd: New option --application-priority. * scd: New option --pcsc-shared; see man page for important notes. * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs. * The symcryptrun tool, a wrapper for the now obsolete external Chiasmus tool, has been removed. * Full Unicode support for the command line. - dropped legacy commands: gpg-zip ==== librsvg ==== Version update (2.52.3 -> 2.52.4) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0 - Disable testsuite for now, let upstream figure out the issue with harfbuzz 3.1.1. - Update to version 2.52.4: + New features: - Support the isolation property from the Compositing and Blending Level 1 specification. - Support Visual Studio 2022. + Bug fixes: - The opacity and mix-blend-mode properties were not being applied when an element has a mask. - Fix panic when an empty group has a pattern fill and filters. - Fix the tests on Windows; the still only work when Fontconfig is present. - Work around a bug in the cairo-rs bindings in the test suite, that only manifests itself in s/390x due to its calling convention. See https://github.com/gtk-rs/gtk-rs-core/issues/335 ==== libstorage-ng ==== Version update (4.4.57 -> 4.4.58) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Catalan) (bsc#1149754) - 4.4.58 ==== libvpx ==== - Rename libvpx-configure-add-s390.patch to libvpx-configure-add-arch.patch: add support for RISC-V ==== libzapojit ==== Subpackages: libzapojit-0_0-0 typelib-1_0-Zpj-0_0 - Add upstream patch, fixes: CVE-2021-39360: libzapojit-skydrive-Guard-against-invalid-SSL-certificates.patch: skydrive: Guard against invalid SSL certificates. ==== lirc ==== - Add pyyaml-60-compatibility.patch to make the package compatible with PyYAML 6.0+ (sht#lirc#365). ==== mailx ==== - Add patch mailx-12.5-systemd.patch to add description how to avoid bugs like bsc#1192916 -- mailx does not send mails unless run via strace or in verbose mode ==== ncurses ==== Version update (6.3.20211115 -> 6.3.20211120) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20211120 + add dim, ecma+strikeout to st-0.6 -TD + deallocate the tparm cache when del_curterm is called for the last allocated TERMINAL structure (report/testcase by Bram Moolenaar, cf: 20200531). + modify test-package to more closely conform to Debian multi-arch. + if the --with-pkg-config-libdir option is not given, use ${libdir}/pkgconfig as a default (prompted by discussion with Ross Burton). - Correct offsets of patch ncurses-6.3.dif ==== protobuf-c ==== - Drop no longer needed rpmlintrc. - Also add a protobuf-c =< version Obsoletes to devel sub-package. - Fold main package into devel package, as it needed its own devel-package, add a protobuf-c = version Provides to devel sub-package. ==== python-PyYAML ==== Version update (5.4.1 -> 6.0) - Add patch setuptools.patch - update to 6.0 * drop Python 2.7 * always require `Loader` arg to `yaml.load()` * fix float resolver to ignore `.` and `._` * fix representation of Enum subclasses * fix libyaml extension compiler warnings * fix ResourceWarning on leaked file descriptors * remove remaining direct distutils usage ==== python-psutil ==== - Update skip-obs.patch to also skip TestProcess.test_ionice_linux ==== python-pysmbc ==== - Remove python2 guard so we always Provide/Obsolete the old name. ==== seahorse-sharing ==== - - Add 2.3 to the list of accepted GPG versions. ==== syslogd ==== Subpackages: klogd syslog-service - Added hardening to systemd service(s) (bsc#1181400). Modified: * klog.service * klogd.service * syslogd.service ==== tgt ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_tgtd.service.patch Modified: * tgtd.service ==== xapps ==== Version update (2.2.3 -> 2.2.5) Subpackages: libxapp1 typelib-1_0-XApp-1_0 xapps-common xapps-common-lang - Update to version 2.2.5. * xapp-favorites: Fix introspection notation for _get_favorites(). * Fix a couple of build warnings. - Updates for version 2.2.4. * meson gir: Export 'xapp' as a package * xapp-gtk3-module.c: Apply window icon override to all windows for an app. ==== yast2-storage-ng ==== Version update (4.4.14 -> 4.4.15) - Fixed typo in message about encryption (part of jsc#SLE-21308) - 4.4.15