Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version... Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: 389-ds (2.4.0~git113.84a845c -> 2.4.0~git126.5936946) 7zip Mesa (23.3.3 -> 23.3.4) Mesa-drivers (23.3.3 -> 23.3.4) MozillaFirefox (121.0.1 -> 122.0) btrfsprogs (6.6.2 -> 6.7) ceph corosync gcc13 (13.2.1+git8205 -> 13.2.1+git8250) gpg2 (2.4.3 -> 2.4.4) grub2 gstreamer-plugins-bad inih (57 -> 58) kernel-source lftp libmaxminddb (1.8.0 -> 1.9.1) libqmi libsolv (0.7.27 -> 0.7.28) libstorage-ng (4.5.175 -> 4.5.176) libvirt man mozilla-nss (3.95 -> 3.96.1) mutter nvidia-open-driver-G06-signed openssl-1_1 perl-Bootloader (1.10 -> 1.11) postfix (3.8.4 -> 3.8.5) publicsuffix (20240107 -> 20240123) python-lxml raspberrypi-firmware-dt ruby (3.2 -> 3.3) ruby3.2 rubygem-gem2rpm spice-gtk thin-provisioning-tools (1.0.9 -> 1.0.10) tiff transactional-update virt-manager webkit2gtk3 webkit2gtk3-soup2 yast2 (5.0.3 -> 5.0.4) yast2-bootloader (5.0.2 -> 5.0.4) yast2-installation (5.0.3 -> 5.0.4) zbar === Details === ==== 389-ds ==== Version update (2.4.0~git113.84a845c -> 2.4.0~git126.5936946) Subpackages: lib389 libsvrcore0 - Update to version 2.4.0~git126.5936946: * Issue 6028 - vlv index keys inconsistencies (#6031) * Issue 5989 - RFE support of inChain Matching Rule (#5990) * Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026) * Issue 6015 - Fix typo remeber (#6014) * Issue 6016 - Pin upload/download artifacts action to v3 * Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007) * Issue 4673 - Update Rust crates * Issue 6004 - idletimeout may be ignored (#6005) * Issue 5954 - Disable Transparent Huge Pages * Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999) * Issue 5993 - Fix several race condition around CI tests (#5996) * Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994) * Bump openssl from 0.10.55 to 0.10.60 in /src (#5995) ==== 7zip ==== - Fix build on SLE-15-SP6 * fix-avx-sle.patch ==== Mesa ==== Version update (23.3.3 -> 23.3.4) Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libOSMesa8 libgbm1 - Update to bugfix release 23.3.4 - -> https://docs.mesa3d.org/relnotes/23.3.4.html ==== Mesa-drivers ==== Version update (23.3.3 -> 23.3.4) Subpackages: Mesa-dri Mesa-gallium Mesa-libva - Update to bugfix release 23.3.4 - -> https://docs.mesa3d.org/relnotes/23.3.4.html ==== MozillaFirefox ==== Version update (121.0.1 -> 122.0) - Mozilla Firefox 122.0 https://www.mozilla.org/en-US/firefox/122.0/releasenotes/ MFSA 2024-01 (bsc#1218955) * CVE-2024-0741 (bmo#1864587) Out of bounds write in ANGLE * CVE-2024-0742 (bmo#1867152) Failure to update user input timestamp * CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method * CVE-2024-0744 (bmo#1871089) Wild pointer dereference in JavaScript * CVE-2024-0745 (bmo#1871838) Stack buffer overflow in WebAudio * CVE-2024-0746 (bmo#1660223) Crash when listing printers on Linux * CVE-2024-0747 (bmo#1764343) Bypass of Content Security Policy when directive unsafe-inline was set * CVE-2024-0748 (bmo#1783504) Compromised content process could modify document URI * CVE-2024-0749 (bmo#1813463) Phishing site popup could show local origin in address bar * CVE-2024-0750 (bmo#1863083) Potential permissions request bypass via clickjacking * CVE-2024-0751 (bmo#1865689) Privilege escalation through devtools * CVE-2024-0752 (bmo#1866840) Use-after-free could occur when applying update on macOS * CVE-2024-0753 (bmo#1870262) HSTS policy on subdomain could bypass policy of upper domain * CVE-2024-0754 (bmo#1871605) Crash when using some WASM files in devtools * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 - requires NSS 3.96.1 - rebased patches ==== btrfsprogs ==== Version update (6.6.2 -> 6.7) Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1 - update to 6.7 * mkfs: make 4k sectorsize default, recommended minimum kernel for that is 6.1 and requires subpage support on architectures with page size > 4k * subvolume create: return correct error code when a target already exists * tree-checker: dump tree block on error (btrfs-convert, ...) * scrub limit: fix reporting of a limit set while there's none * fi usage: fix reporting of unallocated data or raid56 profile without root privs due to lack of that information * convert: * align data block group lengths to 64K * fix conversion of a large filesystem when there are partial inode items present due to caching * other: * build fixes * updated documentation * new and updated tests - update to 6.6.3 * subvol create: accept multiple arguments * subvol delete: print the subvolume id in the output * subvol sync: check if the filesystems is still writeable so it does not wait indefinitely * device delete: add a timeout and warning when deleting multiple devices * scrub status: report limit if set in sysfs/../scrub_speed_max * scrub limit: new command to show or set the per-device scrub limits * scrub start: report the limit if set * build: * fix CPU feature detection on aarch64 * support Botan and OpenSSL (3.2+) as crypto backends * other: * documentation updates, RTD config update * new and updated tests * CI updates ==== ceph ==== Subpackages: librados2 librbd1 - Advertised user/groups that are generated by the pre scripts: * package cephadm generates user/group cephadm * package ceph-common generates user/group ceph ==== corosync ==== Subpackages: libcfg6 libcmap4 libcorosync_common4 libcpg4 libquorum5 - Provide user(coroqnetd) and group(coroqnetd) in the -qnetd package: user and group are generated by the pre script. ==== gcc13 ==== Version update (13.2.1+git8205 -> 13.2.1+git8250) Subpackages: cpp13 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-locale libstdc++6-pp libtsan2 libubsan1 - Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250 * Includes fix for building TVM. [boo#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [boo#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [boo#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. ==== gpg2 ==== Version update (2.4.3 -> 2.4.4) Subpackages: dirmngr - Update to 2.4.4: [bsc#1219191] * gpg: Do not keep an unprotected smartcard backup key on disk. See https://gnupg.org/blog/20240125-smartcard-backup-key.html for a security advisory. [T6944] * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit platforms. [T6736] * gpg: Fix expiration time when Creation-Date is specified. [T5252] * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866] * gpg: Add option --with-v5-fingerprint. [T6705] * gpg: Add sub-option ignore-attributes to --import-options. * gpg: Add --list-filter properties sig_expires/sig_expires_d. * gpg: Fix validity of re-imported keys. [T6399] * gpg: Report BEGIN_ status before examining the input. [T6481] * gpg: Don't try to compress a read-only keybox. [T6811] * gpg: Choose key from inserted card over a non-inserted card. [T6831] * gpg: Allow to create revocations even with non-compliant algos. [T6929] * gpg: Fix regression in the Revoker keyword of the parameter file. [T6923] * gpg: Improve error message for expired default keys. [T4704] * gpgsm: Add --always-trust feature. [T6559] * gpgsm: Support ECC certificates in de-vs mode. [T6802] * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] * gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654] * keyboxd: Timeout on failure to get the database lock. [T6838] * agent: Update the key stubs only if really modified. [T6829] * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080] * scd: Add support for CardOS 5.4 cards. [rG812f988059] * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09] * scd: Add support for Smartcafe Expert 7.0 cards. [T6919] * scd: Add a length check for a new PIN. [T6843] * tpm: Fix keytotpm handling in the agent. [rG9909f622f6] * tpm: Fixes for the TPM test suite. [T6052] * dirmngr: New option --ignore-crl-extensions. [T6545] * dirmngr: Support config value "none" to disable the default keyserver. [T6708] * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4] * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc] * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28] * gpgconf: Adjust the -X command for the new VERSION file format. [T6918] * wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a278c] * wkd: Make --add-revocs the default in gpg-wks-client. New option - -no-add-revocs. [rG10c937ee68] * Remove duplicated backslashes when setting the homedir. [T6833] * Ignore attempts to remove the /dev/null device. [T6556] * Improve advisory file lock retry strategy. [T3380] * Release-info: https://dev.gnupg.org/T6578 * Remove patch upstream: - gnupg-Report-BEGIN_-status-before-examining-the-input.patch ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-snapper-plugin grub2-systemd-sleep-plugin - Reinstate the verification for a non-zero total entry count to skip unmapped data blocks (bsc#1218864) * 0001-fs-xfs-always-verify-the-total-number-of-entries-is-.patch - Removed temporary fix as reverting it will cause a different XFS parser bug * 0001-Revert-fs-xfs-Fix-XFS-directory-extent-parsing.patch ==== gstreamer-plugins-bad ==== Subpackages: libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Disable zxing in Leap15 * Leap 15 can not provide zxing >= 1.4.0, zxing is inherited from SLE15 but SLE15 do provide zxing version 1.2.0 only, Factory do have zxing-cpp 2.0.0 however it's not an API compatible version. ==== inih ==== Version update (57 -> 58) - Update to version 58 * Add ini_ prefix even to static names so inih can be used as an [#]include. ==== kernel-source ==== - rpm/constraints.in: add static multibuild packages Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for constraints on multibuild) added "kernel-source:" prefix to the dynamically generated kernels. But there are also static ones like kernel-docs. Those fail to build as the constraints are still not applied. So add the prefix also to the static ones. Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it will ever be multibuilt... - commit c2e0681 - Revert "Limit kernel-source build to architectures for which the kernel binary" This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132. The fix for bsc#1108281 directly causes bsc#1218768, revert. - commit 2943b8a - mkspec: Include constraints for both multibuild and plain package always There is no need to check for multibuild flag, the constraints can be always generated for both cases. - commit 308ea09 - rpm/mkspec: use kernel-source: prefix for constraints on multibuild Otherwise the constraints are not applied with multibuild enabled. - commit 841012b - rpm/kernel-source.rpmlintrc: add action-ebpf Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf plugin) added this precompiled binary blob. Adapt rpmlintrc for kernel-source. - commit b5ccb33 - scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old The previous change added the manual entry from kernel-sources.change.old to old_changelog.txt unnecessarily. Let's fix it. - commit fb033e8 - rpm/kernel-docs.spec.in: fix build with 6.8 Since upstream commit f061c9f7d058 (Documentation: Document each netlink family), the build needs python yaml. - commit 6a7ece3 - futex: Prevent the reuse of stale pi_state (bsc#1218841). Update upstream status (Queued in subsystem maintainer repository). - commit a3ee207 - Refresh patches.rpmify/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch. Update usptream status. - commit 589bdfa - Update config files, enable CONFIG_IMA_DISABLE_HTABLE in all archs for Tumbleweed as SLE15-SP6 kernel does (bsc#1218400). - commit 020caa6 ==== lftp ==== - Apply "0001-lftp_ssl-deinitialize-the-lftp_ssl_openssl_instance.patch" to fix a crash that ocurred when lftp is run on s390x with an IBM crypto card installed. The issue has been reported to upstream at https://github.com/lavv17/lftp/issues/716. [bsc#1213984] ==== libmaxminddb ==== Version update (1.8.0 -> 1.9.1) - libmaxminddb 1.9.1: * On very large databases, the calculation to determine the search tree size could overflow. This was fixed and several additional guards against overflows were added * build system tweaks ==== libqmi ==== Subpackages: libqmi-glib5 libqmi-tools - Add patch: * 0001-message-fix-16bit-service-on-big-endian.patch - Fixes 16-bit service indications on big endian architectures. Cherry-picked from upstream qmi-1-34 branch ==== libsolv ==== Version update (0.7.27 -> 0.7.28) Subpackages: libsolv-tools ruby-solv - build for multiple python versions [jsc#PED-6218] - bump version to 0.7.28 ==== libstorage-ng ==== Version update (4.5.175 -> 4.5.176) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Swedish) (bsc#1149754) - 4.5.176 ==== libvirt ==== Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-qemu libvirt-libs - Replace temporary build fix with upstream equivalent bsc#1218823 ==== man ==== - Skip posttrans dependency on systemd to support container without systemd (boo#1215538) - Use %(trans)filetriggerin and %(trans)filetriggerpostun to get an uptodate man database for installed manual pages ==== mozilla-nss ==== Version update (3.95 -> 3.96.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools - update to NSS 3.96.1 * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups) * bmo#1867408 - add a defensive check for large ssl_DefSend return values * bmo#1869378 - Add dependency to the taskcluster script for Darwin * bmo#1869378 - Upgrade version of the MacOS worker for the CI ==== mutter ==== - Rebase mutter-disable-cvt-s390x.patch for mutter 45.x. ==== nvidia-open-driver-G06-signed ==== - splitted up 61-nvidia-$flavor.conf to 59-nvidia-$flavor.conf and 61-nvidia-$flavor.conf, because 'install' line cannot be overwritten with higher config number ... - mistakenly moved dracut config file from 60-nvidia-%1.conf to 61-nvidia-%1.conf --> reverted! - switched from 60-nvidia-$flavor.conf to 61-nvidia-$flavor.conf in modprobe.d to resolve conflict with older package, which can be installed in parallel ==== openssl-1_1 ==== Subpackages: libopenssl1_1 - Because OpenSSL 1.1.1 is no longer default, let's rename engine directories to contain version of OpenSSL and let unversioned for the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933] * /etc/ssl/engines.d -> /etc/ssl/engines1_1.d * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d * Update patches: - openssl-1_1-ossl-sli-002-ran-make-update.patch - openssl-1_1-use-include-directive.patch ==== perl-Bootloader ==== Version update (1.10 -> 1.11) - merge gh#openSUSE/perl-bootloader#162 - handle script exit codes properly (bsc#1218847) - 1.11 ==== postfix ==== Version update (3.8.4 -> 3.8.5) - update to 3.8.5 * Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html. ==== publicsuffix ==== Version update (20240107 -> 20240123) - Update to version 20240123: * util: gTLD data autopull updates for 2024-01-23T15:14:10 UTC (#1921) ==== python-lxml ==== - Fix build error for Leap. Use build and test as descriped on upstream. ==== raspberrypi-firmware-dt ==== - Extend "ARM: dts: bcm27xx: Use better name for spidev" patch coverage. Change compatible "spidev" to "rohm,dh2228fv" in overlay files too. Fixes bsc#1219094. ==== ruby ==== Version update (3.2 -> 3.3) - switch the default ruby to 3.3 ==== ruby3.2 ==== Subpackages: libruby3_2-3_2 - Omit test_session_reuse_but_expire if OpenSSL 3.2.0 Add Omit-test_session_reuse_but_expire-if-OpenSSL-3.2.0.patch ==== rubygem-gem2rpm ==== - Update the ruby ABI version in the 3.3.0 paths to the final string. - enable building for ruby 3.3 ==== spice-gtk ==== Subpackages: libspice-client-glib-2_0-8 libspice-client-glib-helper libspice-client-gtk-3_0-5 typelib-1_0-SpiceClientGlib-2_0 typelib-1_0-SpiceClientGtk-3_0 - Use libphotodav-3.0 on SLE/Leap 15.6+ (boo#1219083). ==== thin-provisioning-tools ==== Version update (1.0.9 -> 1.0.10) - Update to version 1.0.10: * Bump version to 1.0.10 * [build] Update dependencies * [all] Fix clippy lints and typos * [space_map] Allow non-zero values in unused index block entries * [thin_repair] Fix child keys checking on the node with a zero key * [thin_check] Tweak the logs to avoid confusion with node errors * [thin_check] Support overriding the details tree root * [tests] Update expected help text for _pack and _unpack * [all] Fix clippy lints on optional targets * [build] Simplify the pre-commit hooks by checking all the targets at once * [thin_metadata_unpack] Allow long format for input and output * [space map] Fix incorrect index_entry.nr_free while expansion * thin_metadata_pack: Allow long format for input and output ==== tiff ==== - security update: * CVE-2023-52356 [bsc#1219213] Fix segfault in TIFFReadRGBATileExt() + tiff-CVE-2023-52356.patch ==== transactional-update ==== Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd - Use "up" instead of "dup" by default on ALP [bsc#1218861] ==== virt-manager ==== Subpackages: virt-install virt-manager-common - Upstream bug fixes (bsc#1027942) (jsc#PED-6305) 058-uri-Mock-domcaps-returning-NO_SUPPORT.patch 059-tests-cli-Adjust-hotplug-test-for-latest-libvirt.patch 060-Fix-some-pylint.patch 061-tests-ui-make-newvm-test-start-less-flakey.patch 062-tests-ui-make-creatnet-test-start-less-flakey.patch - Cleanup now working or non-existant %check tests ==== webkit2gtk3 ==== Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113 CVE-2024-23222). ==== webkit2gtk3-soup2 ==== Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles - Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113 CVE-2024-23222). ==== yast2 ==== Version update (5.0.3 -> 5.0.4) Subpackages: yast2-logs - Reading Kernel Params: Use kernel cmdline when install.inf is not available (bsc#1216408) - 5.0.4 ==== yast2-bootloader ==== Version update (5.0.2 -> 5.0.4) - Persist s390 cio_ignore kernel argument always when given (bsc#1210525). - 5.0.4 - Do not try finding undefined bootloader name to avoid error in logs (bsc#1218700) - 5.0.3 ==== yast2-installation ==== Version update (5.0.3 -> 5.0.4) - Keep cio_ignore kernel argument when present in the parmfile or use the cio_ignore -k output if not and write it always even in zVM and KVM (bsc#1210525). - 5.0.4 ==== zbar ==== - Fix building for Leap