openSUSE Factory
Threads by month
- ----- 2024 -----
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
January 2023
- 72 participants
- 77 discussions
Dear Tumbleweed users and hackers,
This week, we had to hold back two snapshots again after a long time.
0120 and 0121 were tested but considered too risky to send out (issues
with transactional-updates and microos-tools detected). So, instead,
you only got five snapshots this week (0119, 0122, 0123, 0124, and
0125).
The main changes delivered during this week were:
* Linux kernel 6.1.7 & 6.1.8
* GCC 13.0.1
* Mozilla Firefox 109.0
* IceWM 3.3.0 & 3.3.1
* LLVM 15.0.7
* LibreOffice 7.4.4.2
* libxmlb: the first lib in the repo with hwcaps enabled subpackage:
libxmlb2-x86-64-v3, Nothing triggers auto-installation of those
packages yet. That is a feature to be worked out yet.
* GNOME now identifies as 43.1 in its control center
* Dracut 059
* Libvirt 9.0.0
* Wine 8.0 final release
The following week is difficult to predict. As you might have heard,
Hackweek is going on. Some resources thus deviate and there might be
fewer submissions – or more if things go nicely and new stuff appears
sooner. In any case, the Staging projects currently hold these items:
* KDE Plasma 5.27 beta (5.26.90)
* GStreamer 1.22.0
* Staging:H still tests ruby 3.2 as the new default (some yast
modules failing to build)
* Staging:L holds some packages breaking others stuff taking more
time, like boost, gpg2, and ant
* Staging:Gcc7 tests the impact of using GCC 13 as the default
compiler
Cheers,
Dominique
1
0
Hi,
as announced nearly a year ago (See "Deprecation of NIS" from Feb 4th
2022): it's time to retire NIS, and the first step will be that I will
file a drop request for ypserv from Factory now.
Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman
(HRB 36809, AG Nürnberg)
2
3
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
Mesa
Mesa-drivers
gnome-sudoku (43.0 -> 43.1)
icewm (3.3.0 -> 3.3.1)
kernel-source (6.1.7 -> 6.1.8)
libpcap (1.10.1 -> 1.10.3)
libvirt (8.10.0 -> 9.0.0)
nano (7.1 -> 7.2)
python-libvirt-python (8.10.0 -> 9.0.0)
samba (4.17.4+git.303.89e23854eb7 -> 4.17.4+git.314.7b07e3c51a6)
sendmail
squid
systemd
virtualbox (7.0.4 -> 7.0.6)
virtualbox-kmp (7.0.4_k6.1.7_1 -> 7.0.6_k6.1.8_1)
vlgothic-fonts
xf86-video-qxl (0.1.5 -> 0.1.6)
zeromq
=== Details ===
==== Mesa ====
Subpackages: Mesa-dri-devel Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1
- force usage of gcc 12 only on Leap 15.5; there is no gcc12 on
Leap 15.4
- Add BuildRequires for x264 and x265 in case video_codecs should
be built.
- re-enable build on Leap, but only for 15.5; there is no gcc12
on Leap 15.4, which is now officially required by Mesa 22.3
==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva libxatracker2
- force usage of gcc 12 only on Leap 15.5; there is no gcc12 on
Leap 15.4
- Add BuildRequires for x264 and x265 in case video_codecs should
be built.
- re-enable build on Leap, but only for 15.5; there is no gcc12
on Leap 15.4, which is now officially required by Mesa 22.3
==== gnome-sudoku ====
Version update (43.0 -> 43.1)
Subpackages: gnome-sudoku-lang
- Update to version 43.1:
+ Revert "Fix redundant undo stack entries for earmarks".
+ Warnings when solution to puzzle is violated no longer consider
earmarks.
+ Updated translations.
==== icewm ====
Version update (3.3.0 -> 3.3.1)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite
- Update to 3.3.1:
* Fully support nanosvg as an alternative to librsvg.
* Rolled up windows can now be moved vertically with icesh.
* Fix multi-monitor when primary monitor is right-below of secondary.
* Don't resize when a client adjusts its WM_NORMAL_HINTS increments.
* Report the audio interface in the configure summary.
* Consider that the keyboard may have been changed externally.
* Increase the timeout for the dynamic menu generator to 2 seconds.
* Don't reactivate a focused window when RaiseOnClick is guaranteed.
* Let the winoption "ignorePositionHint" also ignore the USPosition.
* Fix the "ignoreOverrideRedirect" winoption.
* Let icesh also spy on RandR monitor configuration events.
==== kernel-source ====
Version update (6.1.7 -> 6.1.8)
- Linux 6.1.8 (bsc#1012628).
- dma-buf: fix dma_buf_export init order v2 (bsc#1012628).
- btrfs: fix trace event name typo for FLUSH_DELAYED_REFS
(bsc#1012628).
- wifi: iwlwifi: fw: skip PPAG for JF (bsc#1012628).
- pNFS/filelayout: Fix coalescing test for single DS
(bsc#1012628).
- selftests/bpf: check null propagation only neither reg is
PTR_TO_BTF_ID (bsc#1012628).
- net: ethernet: marvell: octeontx2: Fix uninitialized variable
warning (bsc#1012628).
- tools/virtio: initialize spinlocks in vring_test.c
(bsc#1012628).
- vdpa/mlx5: Return error on vlan ctrl commands if not supported
(bsc#1012628).
- vdpa/mlx5: Avoid using reslock in event_handler (bsc#1012628).
- vdpa/mlx5: Avoid overwriting CVQ iotlb (bsc#1012628).
- virtio_pci: modify ENOENT to EINVAL (bsc#1012628).
- vduse: Validate vq_num in vduse_validate_config() (bsc#1012628).
- vdpa_sim_net: should not drop the multicast/broadcast packet
(bsc#1012628).
- net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
(bsc#1012628).
- r8169: move rtl_wol_enable_rx() and rtl_prepare_power_down()
(bsc#1012628).
- r8169: fix dmar pte write access is not set error (bsc#1012628).
- bpf: keep a reference to the mm, in case the task is dead
(bsc#1012628).
- RDMA/srp: Move large values to a new enum for gcc13
(bsc#1012628).
- selftests: net: fix cmsg_so_mark.sh test hang (bsc#1012628).
- btrfs: always report error in run_one_delayed_ref()
(bsc#1012628).
- x86/asm: Fix an assembler warning with current binutils
(bsc#1012628).
- f2fs: let's avoid panic if extent_tree is not created
(bsc#1012628).
- perf/x86/rapl: Treat Tigerlake like Icelake (bsc#1012628).
- cifs: fix race in assemble_neg_contexts() (bsc#1012628).
- memblock tests: Fix compilation error (bsc#1012628).
- perf/x86/rapl: Add support for Intel Meteor Lake (bsc#1012628).
- perf/x86/rapl: Add support for Intel Emerald Rapids
(bsc#1012628).
- of: fdt: Honor CONFIG_CMDLINE* even without /chosen node,
take 2 (bsc#1012628).
- fbdev: omapfb: avoid stack overflow warning (bsc#1012628).
- Bluetooth: hci_sync: Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2
(bsc#1012628).
- Bluetooth: hci_qca: Fix driver shutdown on closed serdev
(bsc#1012628).
- wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices
(bsc#1012628).
- wifi: mac80211: fix MLO + AP_VLAN check (bsc#1012628).
- wifi: mac80211: reset multiple BSSID options in stop_ap()
(bsc#1012628).
- wifi: mac80211: sdata can be NULL during AMPDU start
(bsc#1012628).
- nommu: fix memory leak in do_mmap() error path (bsc#1012628).
- nommu: fix do_munmap() error path (bsc#1012628).
- nommu: fix split_vma() map_count error (bsc#1012628).
- proc: fix PIE proc-empty-vm, proc-pid-vm tests (bsc#1012628).
- Add exception protection processing for vd in
axi_chan_handle_err function (bsc#1012628).
- LoongArch: Add HWCAP_LOONGARCH_CPUCFG to elf_hwcap
(bsc#1012628).
- zonefs: Detect append writes at invalid locations (bsc#1012628).
- nilfs2: fix general protection fault in nilfs_btree_insert()
(bsc#1012628).
- mm/shmem: restore SHMEM_HUGE_DENY precedence over MADV_COLLAPSE
(bsc#1012628).
- hugetlb: unshare some PMDs when splitting VMAs (bsc#1012628).
- mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma
(bsc#1012628).
- serial: stm32: Merge hard IRQ and threaded IRQ handling into
single IRQ handler (bsc#1012628).
- Revert "serial: stm32: Merge hard IRQ and threaded IRQ handling
into single IRQ handler" (bsc#1012628).
- xhci-pci: set the dma max_seg_size (bsc#1012628).
- usb: xhci: Check endpoint is valid before dereferencing it
(bsc#1012628).
- xhci: Fix null pointer dereference when host dies (bsc#1012628).
- xhci: Add update_hub_device override for PCI xHCI hosts
(bsc#1012628).
- xhci: Add a flag to disable USB3 lpm on a xhci root port level
(bsc#1012628).
- usb: acpi: add helper to check port lpm capability using acpi
_DSM (bsc#1012628).
- xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI
tables (bsc#1012628).
- prlimit: do_prlimit needs to have a speculation check
(bsc#1012628).
- USB: serial: option: add Quectel EM05-G (GR) modem
(bsc#1012628).
- USB: serial: option: add Quectel EM05-G (CS) modem
(bsc#1012628).
- USB: serial: option: add Quectel EM05-G (RS) modem
(bsc#1012628).
- USB: serial: option: add Quectel EC200U modem (bsc#1012628).
- USB: serial: option: add Quectel EM05CN (SG) modem
... changelog too long, skipping 227 lines ...
- commit 2ebd33f
==== libpcap ====
Version update (1.10.1 -> 1.10.3)
- update to 1.10.3:
* Sort the PUBHDR variable in Makefile.in in "ls" order.
* Fix typo in comment in pflog.h.
* Remove two no-longer-present files from .gitignore.
* Update code and comments for handling failure to set promiscuous
mode based on new information.
- update to 1.10.2:
* Build system updates
* Developer visible fixes
* Fix some formatting string issues found by cppcheck
* "Dead" pcap_ts from pcap_open_dead() and ..._with_tstamp_precision():
Don't crash if pcap_breakloop() is called.
* Savefiles: multiple bug fixes handling files
* Capture: Never process more than INT_MAX packets in a
pcap_dispatch() call, to avoid integer overflow
* Packet filtering: PFLOG bug fixes and improvements
* Fix memory leak in capture device open
* Fix detection of CAN/CAN FD packets in direction check
* Fix double-free crashes on errors such as running on a kernel
with CONFIG_PACKET_MMAP not configured
* Multiple CANbus bug fixes
* Fix pcap_findalldevs() to find usbmon devices
* Fix handling of VLAN tagged packets if the link-layer type is
changed from DLT_LINUX_SLL to DLT_LINUX_SLL2
* Always turn on PACKET_AUXDATA
* Correctly compute the "real" length for isochronous USB transfers
==== libvirt ====
Version update (8.10.0 -> 9.0.0)
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs
- Update to libvirt 9.0.0
- jsc#PED-620
- Many incremental improvements and bug fixes, see
https://libvirt.org/news.html#v9-0-0-2023-01-16
- Added patches:
ef482951-apparmor-Allow-umount-dev.patch,
d6a8b9ee-qemu-Fix-managed-no-when-creating-ethdev.patch
==== nano ====
Version update (7.1 -> 7.2)
Subpackages: nano-lang
- update to 7.2:
* <Shift+Insert> is prevented from pasting in view mode.
==== python-libvirt-python ====
Version update (8.10.0 -> 9.0.0)
- Update to 9.0.0
- Add all new APIs and constants in libvirt 9.0.0
- jsc#PED-620
==== samba ====
Version update (4.17.4+git.303.89e23854eb7 -> 4.17.4+git.314.7b07e3c51a6)
Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-ad-dc-libs-32bit samba-client samba-client-32bit samba-client-libs samba-client-libs-32bit samba-gpupdate samba-ldb-ldap samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs samba-winbind-libs-32bit
- libdsdb-module-samba4 should be packaged as part of samba-libs and
not samba-ad-dc-libs. Additionally no need for it to be
removed conditionally.
- Clean up logic for PAM migration settings in spec file.
==== sendmail ====
Subpackages: libmilter1_0
- Fix source URLs: ftp.sendmail.com was restructured and the
pub/sendmail directory is now the root directory.
- Switch over to https URLs
- Fix wrong "without sysvinit", don't require sysvinit in that case
==== squid ====
- Disable NIS auth module (NIS is deprecated and get's currently
removed)
==== systemd ====
Subpackages: libsystemd0 libsystemd0-32bit libudev1 libudev1-32bit systemd-32bit systemd-container systemd-devel systemd-lang udev
- Drop 1000-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
It's no more necessary since util-linux 2.38 has been released in Factory.
- Make sure we apply the presets on units shipped by systemd package
==== virtualbox ====
Version update (7.0.4 -> 7.0.6)
- VirtualBox 7.0.6 (released January 17 2023)
This is a maintenance release. The following items were fixed and/or added: [1]
- VMM: Fixed guru running the FreeBSD loader on older Intel CPUs without unrestricted guest support (bug #21332)
- GUI: Fixed virtual machines grouping when VM was created or modified in command line (bugs #11500, #20933)
- GUI: Introduced generic changes in settings dialogs
- VirtioNet: Fixed broken network after loading saved state (bug #21172)
- Storage: Added support for increasing the size of the following VMDK image variants: monolithicFlat, monolithicSparse, twoGbMaxExtentSparse, twoGbMaxExtentFlat
- VBoxManage: Added missing --directory switch for guestcontrol mktemp command
- Mouse Integration: Guest was provided with extended host mouse state (bug #21139)
- DnD: Introduced generic improvements
- Guest Control: Fixed handling creation mode for temporary directories (bug #21394)
- Linux Host and Guest: Added initial support for building UEK7 kernel on Oracle Linux 8
- Linux Host and Guest: Added initial support for RHEL 9.1 kernel
- Linux Guest Additions: Added initial support for kernel 6.2 for vboxvideo
- Audio: The "--audio" option in VBoxManage is now marked as deprecated; please use "--audio-driver" and "--audio-enabled" instead. This will allow more flexibility when changing the driver and/or controlling the audio functionality
Additionally, it fixes 6 CVE's: [2]
CVE-2023-21886 Oracle VM VirtualBox Core Multiple Yes 8.1 Network High None None Un-
changed High High High Prior to 6.1.42, prior to 7.0.6
CVE-2023-21898 Oracle VM VirtualBox Core None No 5.5 Local Low Low None Un-
changed None None High Prior to 6.1.42, prior to 7.0.6 See Note 1
CVE-2023-21899 Oracle VM VirtualBox Core None No 5.5 Local Low Low None Un-
changed None None High Prior to 6.1.42, prior to 7.0.6 See Note 1
CVE-2023-21884 Oracle VM VirtualBox Core None No 4.4 Local Low High None Un-
changed None None High Prior to 6.1.42, prior to 7.0.6
CVE-2023-21885 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 6.1.42, prior to 7.0.6 See Note 2
CVE-2023-21889 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 6.1.42, prior to 7.0.6
Note 1: Applies to VirtualBox VMs running Windows 7 and later.
Note 2: Applies to Windows only.
Links:
[1] https://www.virtualbox.org/wiki/Changelog-7.0#v6
[2] https://www.oracle.com/security-alerts/cpujan2023.html#AppendixOVIR
- unify buildrequires to libopenssl-devel to handle openssl 3 transition
==== virtualbox-kmp ====
Version update (7.0.4_k6.1.7_1 -> 7.0.6_k6.1.8_1)
- VirtualBox 7.0.6 (released January 17 2023)
This is a maintenance release. The following items were fixed and/or added: [1]
- VMM: Fixed guru running the FreeBSD loader on older Intel CPUs without unrestricted guest support (bug #21332)
- GUI: Fixed virtual machines grouping when VM was created or modified in command line (bugs #11500, #20933)
- GUI: Introduced generic changes in settings dialogs
- VirtioNet: Fixed broken network after loading saved state (bug #21172)
- Storage: Added support for increasing the size of the following VMDK image variants: monolithicFlat, monolithicSparse, twoGbMaxExtentSparse, twoGbMaxExtentFlat
- VBoxManage: Added missing --directory switch for guestcontrol mktemp command
- Mouse Integration: Guest was provided with extended host mouse state (bug #21139)
- DnD: Introduced generic improvements
- Guest Control: Fixed handling creation mode for temporary directories (bug #21394)
- Linux Host and Guest: Added initial support for building UEK7 kernel on Oracle Linux 8
- Linux Host and Guest: Added initial support for RHEL 9.1 kernel
- Linux Guest Additions: Added initial support for kernel 6.2 for vboxvideo
- Audio: The "--audio" option in VBoxManage is now marked as deprecated; please use "--audio-driver" and "--audio-enabled" instead. This will allow more flexibility when changing the driver and/or controlling the audio functionality
Additionally, it fixes 6 CVE's: [2]
CVE-2023-21886 Oracle VM VirtualBox Core Multiple Yes 8.1 Network High None None Un-
changed High High High Prior to 6.1.42, prior to 7.0.6
CVE-2023-21898 Oracle VM VirtualBox Core None No 5.5 Local Low Low None Un-
changed None None High Prior to 6.1.42, prior to 7.0.6 See Note 1
CVE-2023-21899 Oracle VM VirtualBox Core None No 5.5 Local Low Low None Un-
changed None None High Prior to 6.1.42, prior to 7.0.6 See Note 1
CVE-2023-21884 Oracle VM VirtualBox Core None No 4.4 Local Low High None Un-
changed None None High Prior to 6.1.42, prior to 7.0.6
CVE-2023-21885 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 6.1.42, prior to 7.0.6 See Note 2
CVE-2023-21889 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 6.1.42, prior to 7.0.6
Note 1: Applies to VirtualBox VMs running Windows 7 and later.
Note 2: Applies to Windows only.
Links:
[1] https://www.virtualbox.org/wiki/Changelog-7.0#v6
[2] https://www.oracle.com/security-alerts/cpujan2023.html#AppendixOVIR
- unify buildrequires to libopenssl-devel to handle openssl 3 transition
==== vlgothic-fonts ====
- spec-cleaner run
- fix URL
==== xf86-video-qxl ====
Version update (0.1.5 -> 0.1.6)
- Update to version 0.1.6
* This release flushes out the last [checks calendar] ~6 years of
patches that have been sitting on the master branch. Please see
the git shortlog below for details.
- supersedes the following patches
* Xspice-python3.patch
* n_disable-surfaces-on-kms.patch
* n_hardcode_libdrm_cflags.patch
* u_fix-build-against-xserver-21_1.patch
==== zeromq ====
Subpackages: libzmq5 zeromq-tools
- qemu-user.patch: Fix build with qemu linux-user emulation
1
0
All meeting minutes can be found here:
https://etherpad.opensuse.org/p/ReleaseEngineering-meeting
Meeting is hosted here
https://meet.opensuse.org/ReleaseEngineeringMeeting
## Attendees
rbrown, DimStar, lkocman, dirk, wengel, DocB, ddemaio
**THE MEETING ON 1ST of FEBRUARY WILL BE SKIPPED DUE TO HACKWEEK**
https://hackweek.opensuse.org/
## Leap
Code submission deadline for SLES 15 SP5 Beta4 is today (Jan 25th) at
15:00.
Leap Builds were stuck on
https://bugzilla.opensuse.org/show_bug.cgi?id=1207395 and previously
https://bugzilla.suse.com/show_bug.cgi?id=1206718
Due to this we were not able to produce a decent build that would give
us good idea about quality. I'm bit worried that the actual beta
release might be delayed.
Cisco openh264 setup is finialized on our side
https://news.opensuse.org/2023/01/24/opensuse-simplifies-codec-install/
## openSUSE Tumbleweed
openSUSE:Factory build fail stats: 217 failed 16 unresolvable (last
week: 21 / 24)
https://tinyurl.com/ysy4nnnz
* Staging:H Ruby 3.2 made some progress, only 3 more yast build fails
(y2-config-management, y2-packager, y2-storage-ng)
* Staging:L has a few failures collected:
* boost: breaks libreoffice (incl. libetonyek)
* gpg2: breaks gpgme
* ant and xmlgraphics-common: breaking ant-antlr and xmlgraphics-
fop
* Staging:M test to also build python311 modules
* Staging:N openssl-3-as-default testing: almost ready! All build fails
have been fixed (or are in the queue)
* Staging:O: preparation work to identify the minimal list of 'i586'
builds to enable in openSUSE:Factory to allow wine/steam to
build/install (currently 992 packages, and counting; big part of it is
for rpmlint and such things)
* Staging:Gcc7: early experiments to set GCC 13 as distro compiler
* openSUSE:Factory has switched to a 4k RSA key
* https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/
* osc build (with chroot) complains about missing keys (we did not do
a full rebuild, osc gets the 4k project key, RPMs are signed with the
2k key. workaround: use osc build --vm-type=kvm (setup oscrc to have
sufficient ram and disk size; I use 2GB of RAM and 10GB disk for most
cases)
i586 carve-out from Factory
=> Migration (manual so far) is possible for users. The first 'zypper
dup' after changing the repo could include a bunch of 'package
downgrades' as the rebuild counters are not synced across projects.
Automatic migration of users (by means of openSUSE-release) will happen
by end of January (giving the braves ones time to test and report
issues before we mass-switch)
## Richard (MicroOS)
Desktop-GNOME: The Road to Release:
transactional-update-notifier is in Factory! WIP making it configured
by default
Working on a "mod-check" tool to report the following to users
List of installed (1st party) packages, with comparisions to both an
upstream pristine list and previous snapshots
Automatically reset official packages to that upstream pristine list,
or previous snapshots
Any 3rd party packages and their origin
Any known unsupported configurations/alterations and offer remedies if
possible
mod-check doesn't really 'check' as much as planned at the moment,
instead going way further and effectively reinstalling MicroOS Desktop
(GNOME) in place, making that new snapshot the new boot target. This
will be awesome for any user who wants to 'freshen' up an otherwise
heavily altered MicroOS Desktop, or when major Tumbleweed/MicroOS
changes occur that otherwise cant be easily modeled in patterns. It
also potentially could be a method of migrating non-transactional
systems to a transactional one. Heavy testing/development underway..and
possibly a rename if mod-check doesn't start actually -checking stuff
soon.
Bugs still WIP
osinfo-db still doesn't recognise MicroOS as a seperate distribution -
debates with upstream ongoing
Working on YaST-less installation media with FDE by default
## Max
Leap Micro 5.4
* The project has been bootstrapped
* The missing bits
** Tweak Leap specific patches
** Enable pkglistgen
lkocman: is on it
Leap 15.5
* The fixed kernel for bsc#1206718 has got merged to SLE15-SP5(just
yesterday)
* Build stats in Backports(x86_64): 8 unresolvables, 59 fails(last
week: 8 unresolvables, 54 fails)
## Guillaume - Arm
Tumbleweed:
* Blocked due to a broken binutils patch for armv7. Will be
unblocked by https://build.opensuse.org/request/show/1060656
* WiFi works again on RPi3/4 (and other systems):
https://bugzilla.suse.com/show_bug.cgi?id=1206697
* Pointer Authentication issue, seen in zypper has been fixed:
https://bugzilla.suse.com/show_bug.cgi?id=1206684
* NVIDIA: tester with aarch64 server and NVIDIA card wanted
- Proprietary drivers are now available for aarch64 (only G06):
https://download.nvidia.com/opensuse/tumbleweed/
- New opengpu driver also available in OBS:
https://build.opensuse.org/project/monitor/X11:Drivers:Video
lkocman to check on who is the aarch64 + nvidia effort blocked on. I
recall that there was a chosen point of contact.
Leap:
* 15.5 aarch64: covered by Leap section above
* 15.5 armv7: no blocker
ALP:
* No aarch64 specific issues
WSL:
* Works with x86 emulator since appx installer is x86-64, but this
is not really an issue since arm64 Win11 includes x86 emulator by
default.
Steps documented on the wiki to install the appx from download.o.o:
https://en.opensuse.org/openSUSE:WSL#With_Appx_from_openSUSE_download_server
## Sarah - s390x
Tumbleweed
* kdump is fixed (with calibrate.conf by SLE because of blocked builds
for s390x)
-> Tumbleweed is rolling again
Leap:
* tests are failing because of timeout (my next ToDo)
* qore updated
Question:
What should we do with packages buildable only on s390x and not on
x86?
Example:
https://build.opensuse.org/package/show/home:AdaLovelace:branches:server:da…
lkocman: I'd start with a bug against the package, then let's agree on
next steps with maintainer.
Please use bug against openSUSE.org choose 3rd party package. Can be
used for anything that is from OBS.
## Doug
* articles
* 4096 bit RSA signing key published (thx to mmeissner)
* openh264 article published
* openSUSE Community booth at CLT2023
lkocman: Do we have some sort of list/calendar with events where
openSUSE is usually present?
* GSoC
* Updating GSoC wiki pages
* New projects being added
* Additional admins added
* Application nearly complete.
* Need to complete "How many potential mentors have agreed to mentor
this year?"
* Workshop to finalize projects & application scheduled for on Feb. 7
(deadline at 18:00 UTC)
* oSC23
* Waiting on contract signature (in legal review)
* 13 registered, 9 submissions
* FOSDEM
* Booth in Building/Hall H (we have traditionally be in Building/Hall
K)
* Bus has 29 sign ups
* Passangers to be briefed on bus departure location
* Contact ddemaio if you're in Nuremberg and want to take the bus to
FOSDEM. Space may be limited.
* FLOSS Weekly
* Test call on 26.01
* Podcast scheduled for Feb. 8
## Dirk
* Initial x86_64-v3 glibc hwcaps package has landed in Factory (libxmlb
- visible in GNOME repositories openqa runs)
* Determine list of extra shared libraries to enable (likely all
compression and media decoding libraries (libpng, jpeg and so on)
* Helped with OpenSSL 3.x switch and Python 3.11 modules enablement
* Starting to draft
https://en.opensuse.org/openSUSE:OpenSUSE_Tumbleweed_Maintainer_Policy
(draft, will be announced on the mailing list when ~ ready)
DimStar: ~150 python modules are currently failing with 3.11, a lot of
fallout is expected.
(enabling 3.11 will roughly double those numbers judging from the
current devel project state)
* Continued work on SUSE:ALP:RISCV
* force published 15.4 and 15.5 for armv7 builds, openqa builds have
been triggered it appears it is set to do post-release testing?
* qemu/libseccomp 15.5 failure still in investigation
Biggest speedup can be observed by switching zlib to zlib-ng, so
looked into fixing the build failures caused by switching to zlibo-ng-
compat
## Wolfgang (Package Hub), Scott Bahling
Discussion about moving ipxe package to SLE and release ipxe-bootimgs
for x86_64 and aarch64 to HPC-Module (SLE-15-SP5). Needs to be accepted
by Michal Svec. If that is the case ipxe will be removed from
openSUSE:Backports:SLE-15-SP5 and subpackage ipxe-bootimgs for ppc64le
and s390x will be released via subpackages repository.
Need to sync with Max regarding the package list for subpackages
repository for SLE-15-SP5 when he is back from vacation.
15 SP5 Package HUB channel is set up. Stefan did initial testing and
looks good.
Some packages are still missing, this is on agenda for today and next
week.
The workshop regarding Package HUB equivalent for ALP
Lubos will schedule a call with wolfgang and Scott to ensure that
they're in loop for the High Level requirements document.
https://en.opensuse.org/openSUSE:ALP/Workgroups/Community/Workshops/Consumi…
Package Hub for SLE-15-SP5 product definition added and SCC is
currently picking it up so it will be ready for testing with the beta
of SLE-15-SP5
## Maintenance team (Marcus or Maurizio (m4u))
Fixed a long standing issue with gnome-music that was blocking openqa
for a long time.
15.4 is working
5.3 is working
15.5 setup TBD (Mid-to-End February would be preferred).
Nothing worrysome, preannoucement for 15.3 EOL was sent to mainling
list End of December 2022.
There were three chromium updates in single week.
lkocman: 15.3 EOL could lead to stopping our physical Source DVD
effort, as it seems we will not produce. As this was the last release
which you could still get on a physical media.
Configuration setup problem for Maintenance of Leap 15.4 maintenance
updates / openQA
Marcus regarding Leap 15.4 Image respin - package set will change, we
do need to refresh the packagelist
* Lubos to talk to Jan Stehlik, we can't put all on Marcuses shoulder.
https://etherpad.opensuse.org/p/ReleaseEngineering-20221110-maintenance-dis…
Confirmation that QA/QA-maint team will oversee the setup (issues)
Lubos: I was asked to provide requirements for the QA team. Mostly for
the GA/current release but also for the update. Lubos will make wiki
with requirements (something like maintenance plan perhaps). Marcus
will review it.
* Leap Micro 5.3 maint setup done
ffmpeg - (still unsolved) possible file conflict on the next update, no
idea how to avoid vendor switching at the moment.
Removing the patch on the openSUSE side (that might contain security
fixes) or releasing update on the packman side could fix the issue.
Lubos to give Marcus some working contact for the team.
## Adrian - OBS
After changing the signing key of Factory without rebuilding the
distribution "osc build" using
chroot builds run into the problem that gpg verification of the rpm's
failed.
To tell osc to use also the old gpg key we introduced a temporary
openSUSE:Tumbleweed:OldKey project. We will remove this project again
after full rebuild of Factory.
This should work for all arches. Users get additional question if they
want to trust the additional project once.
This solves the issue for people who build against
openSUSE:Tumbleweed/standard or openSUSE:Factory/snapshot. It does not
solve it when building against openSUSE:Factory/standard directly (not
the default in OBS).
Dirk: Recommended solution is to use the kvm build (add `build-type =
kvm` to your ~/.oscrc)
Adrian: Agreed that we should aim for switching the osc default here
(also wanted by security team). Still some issues to solve to make it
more convinient.
## Project maintainer work flow Status
* Base policy to be developed
Background on topic found at
https://etherpad.opensuse.org/p/ReleaseEngineering-20221221
For me it comes down to a matter of communication.
A note like 'thx for your SR, I think we should adapt the following '
or ' we are reviewing your SR, and quite stuck with work...' could
already change a lot. Silence for more then 4 week is clearly a perfect
way to annoy contributors.
And the question should be asked if those unresponsive maintainers are
still willing to maintain their projects. Or they may even not be
active anymore, another discussion we are having
1
0
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
apache2 (2.4.54 -> 2.4.55)
apache2-manual (2.4.54 -> 2.4.55)
apache2-prefork (2.4.54 -> 2.4.55)
apache2-utils (2.4.54 -> 2.4.55)
dracut (057+suse.353.g6dab83eb -> 059+suse.358.g8ecd6e83)
ffmpeg-4
ffmpeg-5
gdm
gdm-branding-openSUSE
gedit (44.1 -> 44.2)
glib2 (2.74.4 -> 2.74.5)
gnome-desktop (43 -> 43.1)
gpgme
gpgmeqt
kpipewire
libraw (0.21.0 -> 0.21.1)
live555 (2022.12.01 -> 2023.01.19)
microos-tools (2.17 -> 2.18)
nautilus (43.1 -> 43.2)
python-numpy
soundtouch (2.3.1 -> 2.3.2)
sudo (1.9.12p1 -> 1.9.12p2)
transactional-update (4.1.0 -> 4.1.2)
urlview
vim (9.0.1188 -> 9.0.1234)
vte
yast2-network (4.5.12 -> 4.5.14)
yast2-trans (84.87.20230116.80083546af -> 84.87.20230123.08c503a922)
=== Details ===
==== apache2 ====
Version update (2.4.54 -> 2.4.55)
- Update to 2.4.55:
* ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
* ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
* ) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
* ) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
* ) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]
* ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]
* ) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
* ) mod_http2: version 2.0.10 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
* ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
* ) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
* ) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
* ) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
* ) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]
* ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
* ) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
... changelog too long, skipping 12 lines ...
PR 66313. [Emmanuel Dreyfus]
==== apache2-manual ====
Version update (2.4.54 -> 2.4.55)
- Update to 2.4.55:
* ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
* ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
* ) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
* ) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
* ) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]
* ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]
* ) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
* ) mod_http2: version 2.0.10 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
* ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
* ) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
* ) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
* ) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
* ) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]
* ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
* ) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
... changelog too long, skipping 12 lines ...
PR 66313. [Emmanuel Dreyfus]
==== apache2-prefork ====
Version update (2.4.54 -> 2.4.55)
- Update to 2.4.55:
* ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
* ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
* ) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
* ) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
* ) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]
* ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]
* ) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
* ) mod_http2: version 2.0.10 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
* ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
* ) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
* ) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
* ) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
* ) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]
* ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
* ) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
... changelog too long, skipping 12 lines ...
PR 66313. [Emmanuel Dreyfus]
==== apache2-utils ====
Version update (2.4.54 -> 2.4.55)
- Update to 2.4.55:
* ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
* ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
* ) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
* ) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
* ) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]
* ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]
* ) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
* ) mod_http2: version 2.0.10 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
* ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
* ) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
* ) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
* ) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
* ) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]
* ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
* ) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
... changelog too long, skipping 12 lines ...
PR 66313. [Emmanuel Dreyfus]
==== dracut ====
Version update (057+suse.353.g6dab83eb -> 059+suse.358.g8ecd6e83)
Subpackages: dracut-mkinitrd-deprecated
- Update to version 059+suse.358.g8ecd6e83:
See https://github.com/dracutdevs/dracut/releases/tag/058 for details (059
just adds missing entries in NEWS.md).
Additional changes:
* chore(suse): add execute permission to all scripts
* chore(suse): update spec
- Update to version 057+suse.355.g1b722fda:
* fix(dracut.spec): require libopenssl1_1-hmac for dracut-fips (bsc#1206439)
==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9
- Add ffmpeg-CVE-2022-3341.patch: Backport from upstream to fix
null pointer dereference in decode_main_header() in
libavformat/nutdec.c (bsc#1206778).
==== ffmpeg-5 ====
Subpackages: libavcodec59 libavdevice59 libavfilter8 libavformat59 libavutil57 libpostproc56 libswresample4 libswscale6
- Provide a ffmpeg-5-mini-devel build recipe to help split
anticipated build cycles.
- Reenable SDL2 for ffmpeg-5.spec. ffplay and -vf sdl should be
back. [boo#1206505]
==== gdm ====
Subpackages: gdm-lang gdm-schema gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0
- Update gdm-disable-gnome-initial-setup.patch: Refactoring to
disable it on SLE runtime, so with the same executable it is
still possible to run on Leap (jsc#PED-1719).
==== gdm-branding-openSUSE ====
- Bring back gnome-initial-setup for Leap 15.5 while keep it
disabled on SLE 15 SP5 (jsc#PED-1719).
==== gedit ====
Version update (44.1 -> 44.2)
Subpackages: gedit-lang python3-gedit
- Update to version 44.2:
+ File Browser plugin: bug fix.
+ Updated translations.
==== glib2 ====
Version update (2.74.4 -> 2.74.5)
Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgio-2_0-0-32bit libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgmodule-2_0-0-32bit libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libgthread-2_0-0-32bit
- Update to version 2.74.5:
+ Bugs fixed: glgo#GNOME/GLib#2843, glgo#GNOME/GLib#2881,
glgo#GNOME/GLib#2883, glgo#GNOME/GLib!3165,
glgo#GNOME/GLib!3166, glgo#GNOME/GLib!3182,
glgo#GNOME/GLib!3197, glgo#GNOME/GLib!3204,
glgo#GNOME/GLib!3214.
+ Updated translations.
- Drop 1539540.patch: Fixed upstream.
==== gnome-desktop ====
Version update (43 -> 43.1)
Subpackages: gnome-desktop-lang libgnome-desktop-3-20 libgnome-desktop-3_0-common libgnome-desktop-4-2 typelib-1_0-GnomeDesktop-3_0 typelib-1_0-GnomeDesktop-4_0
- Update to version 43.1:
+ Fix gnome_parse_locale returning NULL for the C locale
+ Use more sensible default keyboard for es_US
+ Delete failed thumbnail if successfully savings thumbnail
+ Skip territory if no translation available
+ Updated translations.
==== gpgme ====
Subpackages: libgpgme11 libgpgmepp6
- Update upstream keyring: https://gnupg.org/signature_key.asc
- add python311.patch to build language bindings for python 3.11
==== gpgmeqt ====
- Update upstream keyring: https://gnupg.org/signature_key.asc
- add python311.patch to build language bindings for python 3.11
==== kpipewire ====
Subpackages: kpipewire-imports libKPipeWire5 libKPipeWire5-lang libKPipeWireRecord5
- Require pipewire-devel for the -devel package
==== libraw ====
Version update (0.21.0 -> 0.21.1)
- update to 0.21.1:
* fixed typo in panasonic metadata parser
* Multiple fixes inspired by oss-fuzz project
* Phase One/Leaf IIQ-S v2 support
* Canon CR3 filmrolls
* Canon CRM (movie) files
* Tiled bit-packed (and 16-bit unpacked) DNGs
* (non-standard) Deflate-compressed integer DNG files are allowed
* Canon EOS R3, R7 and R10
* Fujifilm X-H2S, X-T30 II
* OM System OM-1
* Leica M11
* Sony A7-IV (ILCE-7M4)
* DJI Mavic 3
* Nikon Z9: standard compression formats only
==== live555 ====
Version update (2022.12.01 -> 2023.01.19)
Subpackages: libUsageEnvironment3 libgroupsock30 libliveMedia107
- update to 2023.01.19:
- By default, we no longer compile "groupsock/NetAddress.cpp" for Windows to use
"gethostbyname()", because of a report that this breaks IPv6 name resolution.
- update to 2023.01.11:
* Updated the "BasicTaskScheduler"/"DelayQueue" implementation to make the 'token counter'
a field of the task scheduler object, rather than having it be a static variable.
This avoids potential problems if an application uses more than one thread (with each thread
having its own task scheduler).
==== microos-tools ====
Version update (2.17 -> 2.18)
- Update to version 2.18:
- Add TMPDIR to tukit binddirs for Salt
- 98selinux-microos: Add chroot as dependency
- Fix spelling error in warning
==== nautilus ====
Version update (43.1 -> 43.2)
Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension4 nautilus-lang
- Update to version 43.2:
+ Regressions addressed:
- Launch search from shell correctly
- Make nautilus-autorun-software work again
- Restore 2-dimensional navigation from sushi
- Resolve stuttering scrolling
- Reintroduce 64px icon size for grid view
- Show full filename again in grid, using tooltips
+ Other bugfixes:
- Avoid a many crashes
- Stop showing � in the type on Properties
- Show rename error dialogs again
- Handle X11-only drag-and-drop quirks
- Allow autorun.sh without executable bit
- Improve selection-setting
- Restrict DND actions over drag source
- Focus replaces files
- Improve keyboard focus navigation on the new views
- Stop blocking on the tracker connection
- Don't add missing emblems
+ Updated translations.
==== python-numpy ====
- Slightly reformat the specfile condition blocks: The
%python_subpackages generator misses " %if" lines with a
preceding whitespace. Relevant for d:l:p:backports not having
libalternatives.
==== soundtouch ====
Version update (2.3.1 -> 2.3.2)
- update to 2.3.2:
* autotools improvements
==== sudo ====
Version update (1.9.12p1 -> 1.9.12p2)
Subpackages: sudo-plugin-python
- Update to 1.9.12p2:
* Fixes bsc#1207082
* Changes in 1.9.12p2:
Fixed a compilation error on Linux/aarch64. GitHub issue #197.
Fixed a potential crash introduced in the fix GitHub issue #134.
If a userâs sudoers entry did not have any RunAs userâs set,
running sudo -U otheruser -l would dereference a NULL pointer.
Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
from creating a I/O files when the iolog_file sudoers setting
contains six or more Xs.
Fixed a compilation issue on AIX with the native compiler.
GitHub issue #231.
Fixed CVE-2023-22809, a flaw in sudoâs -e option (aka sudoedit)
that could allow a malicious user with sudoedit privileges to
edit arbitrary files. For more information, see Sudoedit can
edit arbitrary files.
==== transactional-update ====
Version update (4.1.0 -> 4.1.2)
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd
- Version 4.1.2
- Don't try to mount user mounts if they don't exist [boo#1207366]
- Version 4.1.1
- Mount user specific binddirs last: Prevously the internal mounts would
potentially overwrite user bind mounts [boo#1205011]
- selinux: Relabel shadowed /var files during update to make sure they
don't interfere with the update [boo#1205937]
- Clean up /var/lib/overlay more aggressively [boo#1206947]
- tukit: Merge /etc overlay into parent if --discard is used together
with --continue - previously the files were incorrectly always merged
with the currently running system
- status: do not execute the status command if experimental
- Don't delete created mount point dirs any more
- Small code optimizations
==== urlview ====
- Update to latest URL
==== vim ====
Version update (9.0.1188 -> 9.0.1234)
Subpackages: gvim vim-data vim-data-common
- Updated to version 9.0.1234, fixes the following problems
* Return value of type() for class and object unclear.
* Invalid memory access with folding and using "L".
* Some Bazel files are not recognized.
* No error when class function argument shadows a member.
* Cannot map <Esc> when using the Kitty key protocol.
* Compiler warning for comparing pointer with int.
* Restoring KeyTyped when building statusline not tested.
* Code is indented more than necessary.
* Dump file missing from patch.
* Abstract class not supported yet.
* Crash when using kitty and using a mapping with <Esc>.
* AppVeyor builds with an old Python version.
* Assignment with operator doesn't work in object method.
* Crash when iterating over list of objects.
* Return type of values() is always list<any>.
* Expression compiled the wrong way after using an object.
* Crash when handling class that extends another class with more than one
object members.
* Testing with Python on AppVeyor does not work properly.
* Error when object type is expected but getting "any".
* Code is indented more than necessary.
* Getting interface member does not always work.
* Compiler complains about declaration after label.
* Storing value in interface member does not always work.
* Cannot read back what setcellwidths() has done.
* Adding a line below the last one does not expand fold.
* File left behind after running tests.
* Using isalpha() adds dependency on current locale.
* Coverity warns for ignoring return value.
* Using an object member in a closure doesn't work.
* Completion includes functions that don't work.
* Handling of FORTIFY_SOURCE flags doesn't match Fedora usage.
* Termcap/terminfo entries do not indicate where modifiers might appear.
* Code is indented more than necessary.
* Cannot use setcellwidths() below 0x100.
* Cannot call a :def function with a number for a float argument.
* Reading past the end of a line when formatting text.
==== vte ====
Subpackages: libvte-2_91-0 typelib-1_0-Vte-2_91 vte-lang
- Add ddb2c8a.patch: widget: Use correct end row for getting the
selected text. The range is end-exclusive, so use end_row()
instead of last_row(). Fixes glgo#GNOME/vte#2584
==== yast2-network ====
Version update (4.5.12 -> 4.5.14)
- Fix the return of packages needed by the selected backend when
running an autoinstallation (bsc#1207221)
- 4.5.14
- Fixed dirname evaluation when creating the directory for the
configuration files to be copied to the target system
(bsc#1206723, bsc#1207382)
- 4.5.13
==== yast2-trans ====
Version update (84.87.20230116.80083546af -> 84.87.20230123.08c503a922)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu
- Update to version 84.87.20230123.08c503a922:
* Translated using Weblate (Macedonian)
* Translated using Weblate (Macedonian)
* Translated using Weblate (Portuguese)
* Translated using Weblate (Portuguese)
* Translated using Weblate (Portuguese)
* Translated using Weblate (Portuguese)
1
0
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
CoreFreq (1.94.3_k6.1.7_1 -> 1.95.1_k6.1.7_1)
binutils
exiv2 (0.27.5 -> 0.27.6)
fetchmail
gnutls
hidapi (0.13.0 -> 0.13.1)
ibus-libzhuyin (1.10.1 -> 1.10.2)
libgit2 (1.5.0 -> 1.5.1)
liburing (2.2 -> 2.3)
man-pages-ja (20221215 -> 20230115)
miniupnpc (2.2.2 -> 2.2.4)
postfix
python-future (0.18.2 -> 0.18.3)
python-pbr (5.11.0 -> 5.11.1)
python-requests (2.28.1 -> 2.28.2)
python-urllib3 (1.26.13 -> 1.26.14)
rubygem-rack-2.2 (2.2.4 -> 2.2.6.2)
rubygem-rack (3.0.2 -> 3.0.4.1)
thunar
xfce4-notifyd (0.7.1 -> 0.7.2)
=== Details ===
==== CoreFreq ====
Version update (1.94.3_k6.1.7_1 -> 1.95.1_k6.1.7_1)
- update to 1.95.1:
* [Intel] RPL: voltage of Pcore, Ecore, System Agent
* [Intel] RPL and ADL Chipset device IDs
* [Intel] Decode the RPL IMC and improve DDR5 support
* [Build] Raise `MAX_FREQ_HZ` up to 7125000000 Hertz
* [Intel] Mobile {Coffee Lake, Kaby Lake} codenames
* [Intel] Braswell codename detection
* [AMD] SYSCFG Register
* [AMD] EPYC 9654
* [AMD] Transparent SME
* [AMD] DRAM Data Scrambling
* [AMD] Adding "Barcelo R" and "Rembrandt R"
==== binutils ====
Subpackages: gprofng libctf-nobfd0 libctf0
- fix build on x86_64_vX platforms
- Add binutils-maxpagesize.diff for a problem on old code
streams, where we would generate too large binaries.
- s390-pic-dso.diff: use %pB instead of %B
- SLE toolchain update of binutils. Update to 2.39 from 2.37,
which means obsoleting and hence removing these patches:
binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff,
binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff,
binutils-add-z16-name.diff.
Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033,
jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031,
jsc#SLE-25047]
- This fixes these CVEs relative to 2.37:
[bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648
[bsc#1193929] aka PR28694 aka CVE-2021-45078
[bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195
[bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943
[bsc#1202966] aka PR29289 aka CVE-2022-38126
[bsc#1202967] aka PR29290 aka CVE-2022-38127
[bsc#1202969] aka CVE-2021-3826
- add arm32-avoid-copyreloc.patch for PR16177 (bsc#1200962)
- Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533
[bsc#1202816]
==== exiv2 ====
Version update (0.27.5 -> 0.27.6)
- update to 0.27.6:
* Add Nikon3.WhiteBalanceBias2
* Add Nikon LensData v0802
* Add some F mount lenses
* Initial support for OM System MakerNote
* Add Sony ARW compression to dict
* Exif start can be at any byte in payload, not word aligned
* Fix exception type when writing BMFF file
* Add more MIME type mappings for TIFF-based raws
* Fix naming of canon EF 35-80mm
* Replace assert with enforce
* PNG: always strip the existing iCCP chunk
* Account for header bytes for Exif and XMP boxes
* Fix Integer overflow in Photoshop::setIptcIrb
* Fix Integer-overflow in sumToLong
* Fix out of bounds read in isValidBoxFileType()
* Fix in Jp2 metadata writing & improvements in reading
* Strip XMP raw packet before decoding
* Add tiff tags
* Add more DNG 1.6 tags
* Fix bug in iterating over the elements of dateStrings
* Use memmove in TiffEncoder::updateDirEntry
* Treat Exif.Sony1.PreviewImage as undefined tag
==== fetchmail ====
Subpackages: fetchmailconf
- disable opie support
==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit libgnutls30-hmac
- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
account for the new FIPS certification [bsc#1207346]
* Add gnutls-FIPS-140-3-references.patch
- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
* Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
==== hidapi ====
Version update (0.13.0 -> 0.13.1)
- update to 0.13.1:
* hidraw: fix invalid read past the UDEV buffer
==== ibus-libzhuyin ====
Version update (1.10.1 -> 1.10.2)
- update to 1.10.2:
* bug fixes
==== libgit2 ====
Version update (1.5.0 -> 1.5.1)
- update to 1.5.1:
* This is a security release to address CVE-2023-22742: when compiled
using the optional, included libssh2 backend, libgit2 fails to verify
SSH keys by default. boo#1207364
* When using an SSH remote with the optional, included libssh2 backend,
libgit2 does not perform certificate checking by default. Prior versions
of libgit2 require the caller to set the `certificate_check` field of
libgit2's `git_remote_callbacks` structure - if a certificate check
callback is not set, libgit2 does not perform any certificate checking.
This means that by default - without configuring a certificate check
callback, clients will not perform validation on the server SSH keys and
may be subject to a man-in-the-middle attack.
==== liburing ====
Version update (2.2 -> 2.3)
- add 0001-test-helpers-fix-socket-length-type.patch
fixes tests on big endian
- update to 2.3:
* Support non-libc build for aarch64.
* Add io_uring_{enter,enter2,register,setup} syscall functions.
* Add sync cancel interface, io_uring_register_sync_cancel().
* Fix return value of io_uring_submit_and_wait_timeout() to match the
man page.
* Improvements to the regression tests
* Add support and test case for passthrough IO
* Add recv and recvmsg multishot helpers and support
* Add documentation and support for IORING_SETUP_DEFER_TASKRUN
* Fix potential missing kernel entry with IORING_SETUP_IOPOLL
* Add support and documentation for zero-copy network transmit
* Various optimizations
* Many cleanups
* Many man page additions and updates
- drop handle-eintr.patch, test-xattr-don-t-rely-on-NUL-termination.patch: upstream
==== man-pages-ja ====
Version update (20221215 -> 20230115)
- update to version 20230115
* Improved and updated manual pages
==== miniupnpc ====
Version update (2.2.2 -> 2.2.4)
- update to 2.2.4:
* upnpc: use of @ to replace local lan address
* python module : Allow to specify the root description url
* Change directory structure : include/ and src/ directories.
- drop makefile-deps-fix.patch (upstream)
==== postfix ====
- Fix SELinux labeling issue caused by /usr/sbin/config.postfix (bsc#1207227).
==== python-future ====
Version update (0.18.2 -> 0.18.3)
- update to 0.18.3:
* Backport fix for bpo-38804 (c91d70b)
* Fix bug in fix_print.py fixer (dffc579)
* Fix bug in fix_raise.py fixer (3401099)
* Fix newint bool in py3 (fe645ba)
* Fix bug in super() with metaclasses (6e27aac)
* docs: fix simple typo, reqest -> request (974eb1f)
* Correct eq (c780bf5)
* Pass if lint fails (2abe00d)
* fix order (f96a219)
* Add flake8 to image (046ff18)
* Make lint.sh executable (58cc984)
* Add docker push to optimize CI (01e8440)
* Build System (42b3025)
* Add docs build status badge to README.md (3f40bd7)
* Use same docs requirements in tox (18ecc5a)
* Add docs/requirements.txt (5f9893f)
* Add PY37_PLUS, PY38_PLUS, and PY39_PLUS (bee0247)
* fix 2.6 test, better comment (ddedcb9)
* fix 2.6 test (3f1ff7e)
* remove nan test (4dbded1)
* include list test values (e3f1a12)
* fix other python2 test issues (c051026)
* fix missing subTest (f006cad)
* import from old imp library on older python versions (fc84fa8)
* replace fstrings with format for python 3.4,3.5 (4a687ea)
* minor style/spelling fixes (8302d8c)
* improve cmp function, add unittest (0d95a40)
* Pin typing==3.7.4.1 for Python 3.3 compatiblity (1a48f1b)
* Fix various py26 unit test failures (9ca5a14)
* Add initial contributing guide with docs build instruction (e55f915)
* Add docs building to tox.ini (3ee9e7f)
* Support NumPy's specialized int types in builtins.round (b4b54f0)
* Added r""" to the docstring to avoid warnings in python3 (5f94572)
* Add subclasscheck for past.types.basestring (c9bc0ff)
* Correct example in README (681e78c)
* Add simple documentation (6c6e3ae)
* Add pre-commit hooks (a9c6a37)
* Handling of next and next by future.utils.get_next was reversed (52b0ff9)
* Add a test for our fix (461d77e)
* Compare headers to correct definition of str (3eaa8fd)
* Add support for negative ndigits in round; additionally, fixing a bug so
that it handles passing in Decimal properly (a4911b9)
* Add tkFileDialog to future.movers.tkinter (f6a6549)
* Sort before comparing dicts in TestChainMap (6126997)
* Fix typo (4dfa099)
* Fix formatting in "What's new" (1663dfa)
* Fix typo (4236061)
* Avoid DeprecationWarning caused by invalid escape (e4b7fa1)
* Fixup broken link to external django documentation re: porting to Python 3
and unicode_literals (d87713e)
* Fixed newdict checking version every time (99030ec)
* Add count from 2.7 to 2.6 (1b8ef51)
- drop CVE-2022-40899.patch (upstream)
==== python-pbr ====
Version update (5.11.0 -> 5.11.1)
- update to 5.11.1:
* Run PBR integration on Ubuntu Focal too
* Remove numpy dependencies
* Tie recursion calls to Dist object, not module
* Update tox.ini to work with tox 4
==== python-requests ====
Version update (2.28.1 -> 2.28.2)
- update to 2.28.2:
- Requests now supports charset\_normalizer 3.x.
- Updated MissingSchema exception to suggest https scheme rather than http.
- drop requests-allow-charset-normalizer-3.patch (upstream)
==== python-urllib3 ====
Version update (1.26.13 -> 1.26.14)
- update to 1.26.14:
* Fixed parsing of port 0 (zero) returning None, instead of 0.
* Removed deprecated getheaders() calls in contrib module.
==== rubygem-rack-2.2 ====
Version update (2.2.4 -> 2.2.6.2)
- updated to version 2.2.6.2
[CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
[CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
[CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
See installed CHANGELOG.md for more changes
==== rubygem-rack ====
Version update (3.0.2 -> 3.0.4.1)
updated to version 3.0.4.1
[CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
[CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
[CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
For more detailed information see the installed CHANGELOG.md
==== thunar ====
Subpackages: libthunarx-3-0 thunar-lang
- Add switch_pane_shortcut.patch
Backport upstream fix for gxo#xfce/thunar#1005
- Add differentiate_zoom_levels_between_view_modes.patch
Backport upstream fix for gxo#xfce/thunar#832
==== xfce4-notifyd ====
Version update (0.7.1 -> 0.7.2)
Subpackages: xfce4-notifyd-lang
- Update to 0.7.2:
* Fix sound proplist memleak when notification isn't shown
* Improve sorting in known apps list of settings
* Add extra margin in the known app settings
* Fix word casing in known app settings
* Add ability to exclude specific applications from log
* Better, non-quadratic algo for xfce_notify_count_apps_in_log()
* Plug memleak in notify_get_from_desktop_file()
* Redesign the known apps panel a bit
* Remove a few more GTK_CHECK_VERSION call sites
* Avoid use-after-free when deleting known app
* Improve algo for finding desktop file for known app name
* Improve icon loading for known apps list
* Don't set invalid icon name in known apps list
* Translation Updates
1
0
Update on adding additional x86_64-vX subarchitecture leves via glibc hwcaps
by Dirk Müller 24 Jan '23
by Dirk Müller 24 Jan '23
24 Jan '23
Hi all,
just as an update before the end of the year holidays. Michael
Schroeder, Fabian Vogt and myself have been finishing off all missing
pieces of implementation work to be able to transparently utilize the
build service to provide glibc-hwcaps overlays of shared libraries
optimized for higher architecture levels than baseline.
While the original intention was to implement the proposal
https://en.opensuse.org/openSUSE:X86-64-Architecture-Levels#Available_optio…
which is addressing an x86_64 specific need, all of the implemented
pieces are reusable to also utilize on other architectures that have
similar needs (can think of s390x here for example).
What needs to be done as a package?
By default, nothing. The x86_64-vX (I suggest targeting -v3 as it has
a good balance of performance improvement and hardware compatibility
over -v4 or -v2) builds will be limited to those packages that are
opting into the glibc-hwcaps feature. if they opt in (which probably
needs some analysis as we have seen also seen no increase or slight
performance decrease), the only thing needed to do is to add one extra
line to the spec file:
%{?suse_build_hwcaps_libs}
It only works if the package is building a shared library following
the shared library policy as a subpackage and provides a
`baselibs.conf` file that identifies that package by name.
see https://en.opensuse.org/openSUSE:Packaging_Conventions_RPM_Macros#%{?suse_b…
for details
Currently this macro is undefined as it relies on a number of
not-yet-upstream-accepted changes:
* https://github.com/rpm-software-management/rpm/pull/2315
* https://github.com/openSUSE/obs-build/pull/904
* https://github.com/openSUSE/obs-build/pull/907
* https://github.com/openSUSE/post-build-checks/pull/54
* https://build.opensuse.org/package/rdiff/Base:System/filesystem?opackage=fi…
* optional: yet undetermined way of providing the user an ability to
"opt into the optimized libraries" (current suggestion is via a
specific provides in the system to be provided by the patterns
package, but could be also done via some zypper specific feature).
Once all those changes are in, we can start implementing this in
Tumbleweed, if consensus is given on the approach. Unlikely to happen
still in 2022.
In my testing, it appears beneficial to enable that for most of the
dependencies of ImageMagick, the webbrowser dependencies and also the
toolkit libraries (gtk, glib, qt etc) for improved desktop experience.
In total that would be around 50 packages to submit with the
additional macro, but I don't have a very scientific way of
determining whether it is worth it yet.
Happy to hear your input or feedback.
Greetings,
Dirk
3
7
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
Mesa
Mesa-drivers
MozillaFirefox (108.0.2 -> 109.0)
container-selinux (2.188.0 -> 2.198.0)
crash
ctags
ddclient
fwupd
git (2.39.0 -> 2.39.1)
gnome-software
highway (1.0.2 -> 1.0.3)
icewm (3.2.2 -> 3.3.0)
iptables (1.8.8 -> 1.8.9)
kernel-firmware
libeconf (0.5.0 -> 0.5.1)
libinput (1.22.0 -> 1.22.1)
libksane
libreoffice (7.4.3.2 -> 7.4.4.2)
libspectre (0.2.11 -> 0.2.12)
libxmlb
libzypp-plugin-appdata (1.0.1+git.20220816 -> 1.0.1+git.20230117)
llvm15 (15.0.6 -> 15.0.7)
mozilla-nss (3.85 -> 3.86)
mozjs102 (102.6.0 -> 102.7.0)
multipath-tools
netpbm
rubygem-ruby-dbus (0.18.1 -> 0.19.0)
salt
tcpdump (4.99.2 -> 4.99.3)
thunar (4.18.2 -> 4.18.3)
tpm2-0-tss
translation-update
xfce4-notifyd (0.6.5 -> 0.7.1)
xfce4-whiskermenu-plugin (2.7.1 -> 2.7.2)
xfdesktop (4.18.0 -> 4.18.1)
xfsprogs (6.1.0 -> 6.1.1)
yast2 (4.5.21 -> 4.5.22)
yast2-network (4.5.11 -> 4.5.12)
zlib (1.2.12 -> 1.2.13)
=== Details ===
==== Mesa ====
Subpackages: Mesa-dri-devel Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1
- Add support for Rusticl - Mesa's new OpenCL implementation.
* See https://docs.mesa3d.org/rusticl
You will need to set your environment to use it
* See https://docs.mesa3d.org/envvars#rusticl-environment-variables
- Compile with gcc12 on Leaps: building drivers fails with:
/usr/include/dxguids/dxguids.h:70:1: internal compiler error:
in cxx_eval_bit_field_ref, at cp/constexpr.c:2578
- Fix some deprecation warnings
* WARNING: option "false" deprecated, please use "disabled" instead.
* WARNING: option "true" deprecated, please use "enabled" instead.
==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva libxatracker2
- Add support for Rusticl - Mesa's new OpenCL implementation.
* See https://docs.mesa3d.org/rusticl
You will need to set your environment to use it
* See https://docs.mesa3d.org/envvars#rusticl-environment-variables
- Compile with gcc12 on Leaps: building drivers fails with:
/usr/include/dxguids/dxguids.h:70:1: internal compiler error:
in cxx_eval_bit_field_ref, at cp/constexpr.c:2578
- Fix some deprecation warnings
* WARNING: option "false" deprecated, please use "disabled" instead.
* WARNING: option "true" deprecated, please use "enabled" instead.
==== MozillaFirefox ====
Version update (108.0.2 -> 109.0)
Subpackages: MozillaFirefox-translations-common
- Mozilla Firefox 109.0
MFSA 2023-01 (bsc#1207119)
* CVE-2023-23597 (bmo#1538028)
Logic bug in process allocation allowed to read arbitrary
files
* CVE-2023-23598 (bmo#1800425)
Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800)
Malicious command could be hidden in devtools output on
Windows
* CVE-2023-23600 (bmo#1787034)
Notification permissions persisted between Normal and Private
Browsing on Android
* CVE-2023-23601 (bmo#1794268)
URL being dragged from cross-origin iframe into same tab
triggers navigation
* CVE-2023-23602 (bmo#1800890)
Content Security Policy wasn't being correctly applied to
WebSockets in WebWorkers
* CVE-2023-23603 (bmo#1800832)
Calls to <code>console.log</code> allowed bypasing Content
Security Policy via format directive
* CVE-2023-23604 (bmo#1802346)
Creation of duplicate <code>SystemPrincipal</code> from less
secure contexts
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
* CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201,
bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393,
bmo#1804626, bmo#1804971, bmo#1807004)
Memory safety bugs fixed in Firefox 109
- requires NSS 3.86
- rebased patches
==== container-selinux ====
Version update (2.188.0 -> 2.198.0)
- Update to version 2.198.0:
* Fix spc_t transition rules on tmpfs_t
- Changes from 2.197.0:
* Add boolean containers_use_ecryptfs policy
- Changes from 2.195.1:
* Readd missing allow rules for container_t
- Changes from 2.194.0:
* Allow syslogd_t to use tmpfs files created by container runtime
- Changes from 2.193.0:
* Allow containers to mount tmpfs_t file systems
* Label spc_t as a init initrc daemon
* Allow userdomains to run containers
- Changes from 2.191.0:
* Create container_logwriter_t type
- Changes from 2.190.1:
* Support BuildKit
* container.fc: Set label for kata-agent
* support nerdctl
- Changes from 2.190.0:
* Packit: initial enablement
* Allow iptables to list directories labeled as container_file_t
- Changes from 2.189.0:
* Dont audit searching other processes in /proc.
==== crash ====
- Added crash-trace-2021-02-08.tar.bz2 and modified project to
create the crash-trace package. If installed with crash installed
the extension can be used for diagnosing kernel trace data.
==== ctags ====
- CVE-2022-4515.patch: fixes arbitrary command execution via
a tag file with a crafted filename (bsc#1206543, CVE-2022-4515)
- Stop resetting ctags update-alternative priority back to auto.
These are admin settings.
- Remove u-a links in the correct scriptlet
==== ddclient ====
- Add curl as BuildRequires/Requires to be able to use the '-curl'
option (eg. in DDCLIENT_OPTIONS in /etc/sysconfig/ddclient).
==== fwupd ====
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0
- Fix error generating grub.cfg when an update is available.
+ uefi-capsule-Do-not-call-grub2-probe-without-argumen.patch
==== git ====
Version update (2.39.0 -> 2.39.1)
Subpackages: git-core git-email git-gui git-svn git-web gitk perl-Git
- git 2.39.1, fixing two security issues that could allow remote
code execution when accessing specially crafted repositories:
* CVE-2022-41903: log format integer overflow boo#1207033
* CVE-2022-23521: gitattributed parsing integer overflow
boo#1207032
==== gnome-software ====
Subpackages: gnome-software-lang gnome-software-plugin-packagekit
- Also add download.opensuse.org-non-oss (NON-OSS repo)
download.opensuse.org-oss (OSS repo), and
download.opensuse.org-tumbleweed (Update repo) to
software-opensuse.gschema.override, declaring them also
official repositories (the names match the ones picked by the NET
installer).
==== highway ====
Version update (1.0.2 -> 1.0.3)
- Update to release 1.0.3
* Add RearrangeToOddPlusEven, Xor3, 8-bit CompressStore,
HWY_ASSUME
* Add contrib/bit_pack for 8/16-bit lanes
* Update for new RVV intrinsics; faster WASM min/max and
extmul/q15mul
==== icewm ====
Version update (3.2.2 -> 3.3.0)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite
- Update to 3.3.0:
* Prevent a derefence of a null-Pixel in xftColor.
* Add "getClass" and "setClass" commands to icesh.
* Support tabs in task grouping.
* Use spaces instead of dots when printing WM_COMMAND.
* When a focused window hides or rolls up, focus some other window.
* When looking for a focusable window, avoid rolled up windows.
* Fix for setting focus on passive motif dialogs
* Fallback to rolled up windows in the second pass of getLastFocus.
* Use CurrentTime when setting focus to a passive client in the timeout.
* On icon not found, report dimensions.
* Don't refocus a focused window in focusLastWindow.
* Don't activate an active window when receiving an activation message.
* Ignore duplicate map requests.
* Let icesh implicitly select windows at most once.
* Add support for nanosvg for issue #695.
* Add preference ToolTipIcon=1 for issue #637.
* Add nanosvg to .gitignore.
* Remove unneeded logevent from icesh.
- Remove unknown options from configure
- Rebase icewm-preferences.patch
- update to 3.2.3:
* Only freeze the task pane layout when a button was removed,
* which fixes the KeySysWorkspaceNext+Prev+Last bug.
* Ensure that a task button is updated once it is mapped,
* which prevents stale task button titles.
* Show a big icon in the tooltip of a toolbar button and the tray.
* All of the winoptions are now fully tab-aware.
* More documentation about tabbing in the icewm manpage.
* Document the "workspace" directory for icons on workspace buttons.
* Add "loadicon" and "saveicon" commands to icesh.
* Updated translations: Catalan, Dutch, Slovak, Japanese,
* Portuguese + Brazil, Macedonian.
==== iptables ====
Version update (1.8.8 -> 1.8.9)
Subpackages: libip4tc2 libip6tc2 libxtables12 xtables-plugins
- Update to release 1.8.9
* arptables-nft: Support --exact flag
* Support more chunk types in the "sctp" extension
* Print `--` in ip6tables' "opt" column for consistency with
iptables
* More verbose error messages if iptables-nft-restore fails
* Support `-p Length` with ebtables-nft,
needed for 802_3 extension.
==== kernel-firmware ====
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network
- Correct alias list for ACPI entries (bsc#1207211)
==== libeconf ====
Version update (0.5.0 -> 0.5.1)
Subpackages: libeconf0 libeconf0-32bit
- Update to version 0.5.1:
* Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
there is a /etc/_example_._suffix_ file. (#175)
==== libinput ====
Version update (1.22.0 -> 1.22.1)
Subpackages: libinput-udev libinput10
- Update to release 1.22.1:
* This version includes quirks for laptops from Apple and Dell,
as well as for the Glorious Model 0 mouse. It also backports a
meson fix for use of libinput as subproject and a fix for
libinput debug-events not flushing the output, resulting in
truncated information.
* Finally, the tablet touch arbitration rectangle was increased
by 50mm in both directions to reduce the number of misdetected
touches.
- Use ldconfig_scriptlets macro for post(un) handling.
==== libksane ====
Subpackages: libKF5Sane5 libksane-lang
- Add patch to avoid -devel depending on KSaneCore:
* 0001-Don-t-search-for-KSane-Core-in-KF5SaneConfig.patch
==== libreoffice ====
Version update (7.4.3.2 -> 7.4.4.2)
Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit
- Update to 7.4.4.2:
https://wiki.documentfoundation.org/Releases/7.4.4/RC2
https://wiki.documentfoundation.org/Releases/7.4.4/RC1
- Updated bundled dependencies:
* poppler-22.09.0.tar.xz -> poppler-22.12.0.tar.xz
==== libspectre ====
Version update (0.2.11 -> 0.2.12)
- update to 0.2.12:
* This is another bugfix only release in the libspectre's 0.2 series.
* Fix exporting to PDF with newer ghostscript (Albert Astals Cid)
==== libxmlb ====
- build hwcaps optimized libraries
==== libzypp-plugin-appdata ====
Version update (1.0.1+git.20220816 -> 1.0.1+git.20230117)
- Update to version 1.0.1+git.20230117:
* InstallAppdata: use subprocess.run instead of os.system (CVE-2023-22643)
- Update to version 1.0.1+git.20220909:
* Add dist directory, for openSUSE packaging
==== llvm15 ====
Version update (15.0.6 -> 15.0.7)
Subpackages: clang-tools clang15 libLLVM15 libclang-cpp15 libclang13 llvm15-gold
- Update to version 15.0.7.
* This release contains bug-fixes for the LLVM 15.0.0 release.
This release is API and ABI compatible with 15.0.0.
- Rebase llvm-do-not-install-static-libraries.patch.
- Build stage 2 with -fno-plt on x86_64: since building with
- Wl,-z,now the PLT stubs are basically dead code, so eliminating
the indirection reduces the number of branches and improves code
locality for the quite frequent cross-DSO calls.
- Add llvm-workaround-superfluous-branches.patch: hints LLVM to
eliminate branches until gh#llvm/llvm-project#28804 is solved.
==== mozilla-nss ====
Version update (3.85 -> 3.86)
Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs mozilla-nss-tools
- update to NSS 3.86
* bmo#1803190 - conscious language removal in NSS
* bmo#1794506 - Set nssckbi version number to 2.60
* bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3
TrustCor Root Certificates
* bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
* bmo#1797559 - Remove EC-ACC root cert from NSS
* bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
* bmo#1794495 - Remove Network Solutions Certificate Authority
* bmo#1802331 - compress docker image artifact with zstd
* bmo#1799315 - Migrate nss from AWS to GCP
* bmo#1800989 - Enable static builds in the CI
* bmo#1765759 - Removing SAW docker from the NSS build system
* bmo#1783231 - Initialising variables in the rsa blinding code
* bmo#320582 - Implementation of the double-signing of the message
for ECDSA
* bmo#1783231 - Adding exponent blinding for RSA.
==== mozjs102 ====
Version update (102.6.0 -> 102.7.0)
- Update to version 102.7.0:
+ Various stability, functionality, and security fixes.
+ CVE-2022-46871: libusrsctp library out of date.
+ CVE-2023-23598: Arbitrary file read from GTK drag and drop on
Linux.
+ CVE-2023-23599: Malicious command could be hidden in devtools
output on Windows.
+ CVE-2023-23601: URL being dragged from cross-origin iframe into
same tab triggers navigation.
+ CVE-2023-23602: Content Security Policy wasn't being correctly
applied to WebSockets in WebWorkers.
+ CVE-2022-46877: Fullscreen notification bypass.
+ CVE-2023-23603: Calls to <code>console.log</code> allowed
bypasing Content Security Policy via format directive.
+ CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and
Firefox ESR 102.7.
==== multipath-tools ====
Subpackages: kpartx libmpath0
- Fix "rpm --verify" (bsc#1207232)
==== netpbm ====
Subpackages: libnetpbm11
- Drop patch big-endian.patch, already in upstream since 10.87.00
==== rubygem-ruby-dbus ====
Version update (0.18.1 -> 0.19.0)
- 0.19.0
API:
* Added a ObjectManager mix-in to implement the service-side
ObjectManager interface.
Bug fixes:
* dbus_attr_accessor and friends validate the signature
* (gh#mvidner/ruby-dbus#120).
* Declare the Introspectable interface in exported
* objects (gh#mvidner/ruby-dbus#99).
* Do reply with an error when calling a nonexisting object
with an existing path prefix (gh#mvidner/ruby-dbus#121).
==== salt ====
Subpackages: python3-salt salt-master salt-minion salt-transactional-update
- Control the collection of lvm grains via config (bsc#1204939)
- Added:
* control-the-collection-of-lvm-grains-via-config.patch
==== tcpdump ====
Version update (4.99.2 -> 4.99.3)
- update to 4.99.3:
* Updated printers:
PTP: Use the proper values for the control field and print un-allocated
values for the message field as "Reserved" instead of "none".
* Source code:
smbutil.c: Replace obsolete function call (asctime)
* Documentation:
Reformat the installation notes (INSTALL.txt) in Markdown.
Convert CONTRIBUTING to Markdown.
CONTRIBUTING.md: Document the use of "protocol: " in a commit summary.
Add a README file for NetBSD.
Fix CMake build to set man page section numbers in tcpdump.1
==== thunar ====
Version update (4.18.2 -> 4.18.3)
Subpackages: libthunarx-3-0 thunar-lang
- Update to 4.18.3:
* Prevent critical when changing directory (gxo#xfce/thunar#1014)
* Keep hidden toolbar hidden after Ctrl+L (gxo#xfce/thunar#1011)
* Prevent jumping cursor on file deletion (gxo#xfce/thunar#910)
* Prevent Critical when file counting is enabled
* Properly handle resident thunar plugins (gxo#xfce/thunar#1007)
* Translation Updates
==== tpm2-0-tss ====
Subpackages: libtss2-esys0 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tctildr0
- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes
CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large
RC values passed to the TSS2 function could lead to memory overread or
memory overread.
This patch is not yet part of any upstream git tag.
==== translation-update ====
Subpackages: translation-update-cs translation-update-da translation-update-de translation-update-el translation-update-en_GB translation-update-es translation-update-fr translation-update-hu translation-update-it translation-update-ja translation-update-pl translation-update-pt translation-update-pt_BR translation-update-ru translation-update-zh_CN translation-update-zh_TW
- Update translation list (add az, ms and oc).
==== xfce4-notifyd ====
Version update (0.6.5 -> 0.7.1)
Subpackages: xfce4-notifyd-lang
- Update to 0.7.1:
* Fix incorrect usage of XDT_CHECK_OPTIONAL_PACKAGE
* Properly validate markup
* Update glade file to remove use of deprecated properties
* Support the 'action-icons' hint
* Add support for notification sounds
* Clean up notification ID storage
* Return replaces_id if provided
* Remove xfconf prop name define duplication
* Add ability to disallow certain apps to send critical notifications
* Add a context menu that allows individual known application deletion
* Fix a slide-out loop when the mouse pointer is in the way
* Add option to hide panel button when no unread notifications
* Remove more pre-GTK-3.22 guards
* Bump GTK minimum to 2.22 and remove/ifdef X11-isms
* Support Wayland
* Don't set a nonsensical icon name
* Clean up xfce_notify_window_set_icon_pixbuf()
* xfce_notify_window_set_icon_pixbuf() shouldn't take ownership
* Move urgency hint fetch inside check for correct type
* DRY up the configuration handling
* Add pref to show summary & body with gauge values
* Update glade file to latest version
* settings: Disable single click to mute apps
(gxo#apps/xfce4-notifyd#5)
* Do not treat zero expiration time as urgent
* Add compile_flags.txt generation
* Fix incorrect icon name for preview notification
* Fix blurry icons when UI scale factor > 1
* build: Let xdt-depends.m4 macros set GLib macros
* Translation Updates
==== xfce4-whiskermenu-plugin ====
Version update (2.7.1 -> 2.7.2)
Subpackages: xfce4-whiskermenu-plugin-lang
- Update to version 2.7.2
* Fix missing version number
* Fix memory leak when adding launchers to panel
* Fix skipping first treeview item when switching modes
* Fix clipping when changing application icon size
* Fix missing NULL checks with String class
* Use Thunar for adding launchers to desktop
* Translation Updates
==== xfdesktop ====
Version update (4.18.0 -> 4.18.1)
Subpackages: xfdesktop-lang
- Update to version 4.18.1:
* Load removable volume information asynchronously
* Fix apps menu not popping up when menu icons disabled
* Translation Updates
==== xfsprogs ====
Version update (6.1.0 -> 6.1.1)
Subpackages: libhandle1 xfsprogs-scrub
- update to 6.1.1:
- scrub: fix warnings/errors due to missing include
- debian: Add missing pkg version to the changelog
==== yast2 ====
Version update (4.5.21 -> 4.5.22)
Subpackages: yast2-logs
- Replace transitional %usrmerged macro with regular version check (boo#1206798)
- 4.5.22
==== yast2-network ====
Version update (4.5.11 -> 4.5.12)
- Copy only the specific backend configuration to the target system
having a clean installation (bsc#1206723)
- 4.5.12
==== zlib ====
Version update (1.2.12 -> 1.2.13)
Subpackages: libminizip1 libz1 zlib-devel
- Update to 1.13:
* Fix configure issue that discarded provided CC definition
* Correct incorrect inputs provided to the CRC functions
* Repair prototypes and exporting of new CRC functions
* Fix inflateBack to detect invalid input with distances too far
* Have infback() deliver all of the available output up to any error
* Fix a bug when getting a gzip header extra field with inflate()
* Fix bug in block type selection when Z_FIXED used
* Tighten deflateBound bounds
* Remove deleted assembler code references
* Various portability and appearance improvements
- Added patches:
* zlib-1.2.13-IBM-Z-hw-accelerated-deflate-s390x.patch
* zlib-1.2.13-fix-bug-deflateBound.patch
* zlib-1.2.13-optimized-s390.patch
- Refreshed patches:
* zlib-1.2.12-add-optimized-slide_hash-for-power.patch
* zlib-1.2.12-add-vectorized-longest_match-for-power.patch
* zlib-1.2.12-s390-vectorize-crc32.patch
- Removed patches:
* zlib-1.2.12-fix-configure.patch
* zlib-1.2.12-IBM-Z-hw-accelerated-deflate-s390x.patch
* zlib-1.2.12-optimized-crc32-power8.patch
* zlib-1.2.12-correct-inputs-provided-to-crc-func.patch
* zlib-1.2.12-fix-CVE-2022-37434.patch
* zlib-1.2.11-optimized-s390.patch
1
0
All meeting minutes can be found here:
https://etherpad.opensuse.org/p/ReleaseEngineering-meeting
Meeting is hosted here
https://meet.opensuse.org/ReleaseEngineeringMeeting
## Attendees
DimStar,GuillaumeG, Sarah, Rbrown, lkocman, ddemaio, DocB, maxlin
## Leap
Waiting for a new Leap build
Leap Builds were stuck on
https://bugzilla.suse.com/show_bug.cgi?id=1206718 kernel was accepted
yesterday
Cisco openh264 setup is finialized on our side -
http://codecs.opensuse.org/ big thanks to openSUSE Heroes and Adrian
for finalizing publishing
Changes to https://en.opensuse.org/OpenH264
No response from cisco on my request
Code submission deadline for any SLES 15 SP5 related features in a week
fro now. I'm bit concerned that we'll have to shift schedule a bit
given the fact that we were stack on SLES
15.5 Feature tracking at https://code.opensuse.org/leap/features/issues
Legaldb issues https://github.com/openSUSE/cavil/issues/62 that seems
to cause serious delays
## openSUSE Tumbleweed
openSUSE:Factory build fail stats: 21 failed 24 unresolvable (last
week: 22 / 4)
https://tinyurl.com/ysy4nnnz
* Most work for the x86-64-vN multiarch libs should be in place, RPM as
one of the last missing bits should be merged this week (allowing us to
co-install -vN builds based on hwcaps for specifically identified libs)
* Ruby 3.2 made some progress, only 3 more yast build fails in
Staging:H
* Staging:L has a few failures collected:
* boost: breaks libreoffice (incl. libetonyek)
* gpg2: breaks gpgme
* libpcap: breaks meson's test suite
* Staging:N openssl-3-as-default testing
* Various announcer emails are not going out: seems -Current iso files
are no longer symlinks (or not followe symlinks?) DimStar noticed it on
MicroOS x86_64
i586 carve-out from Factory
* openSUSE:Factory:LegacyX86 is setup and builds are in a similar state
as openSUSE:Factory
* Bots are already up and running: ttm, pkglistgen, trigger-rebuild for
rebuild=local
* openQA is setup https://openqa.opensuse.org/group_overview/75
=> Migration (manual so far) is possible for users. The first 'zypper
dup' after changing the repo could include a bunch of 'package
downgrades' as the rebuild counters are not synced across projects.
Automatic migration of users (by means of openSUSE-release) will happen
by end of January (giving the braves ones time to test and report
issues before we mass-switch)
* We plan to switch to 4096bit RSA key begin of 2023. Keys are added to
the openSUSE-build-key for Leap 15.x.
Marcus: the 15.3, 15.4 key was updated. 15.4 continues to rebuild. I'd
like to do it for 15.5 during the development phase. Then I'd switch
it for only for 15.5 and TW , but not 15.4. We need to handle
transition effort for 15.4 as it will switch from 2k to 4k key.
## Richard (MicroOS)
Desktop-GNOME: The Road to Release:
transactional-update-notifier is in Factory! Finally!
Working on a "mod-check" tool to report the following to users
List of installed (1st party) packages, with comparisions to both an
upstream pristine list and previous snapshots
Automatically reset official packages to that upstream pristine list,
or previous snapshots
Any 3rd party packages and their origin
Any known unsupported configurations/alterations and offer remedies if
possible
mod-check doesn't really 'check' as much as planned at the moment,
instead going way further and effectively reinstalling MicroOS Desktop
(GNOME) in place, making that new snapshot the new boot target. This
will be awesome for any user who wants to 'freshen' up an otherwise
heavily altered MicroOS Desktop, or when major Tumbleweed/MicroOS
changes occur that otherwise cant be easily modeled in patterns. It
also potentially could be a method of migrating non-transactional
systems to a transactional one. Heavy testing/development underway..and
possibly a rename if mod-check doesn't start actually -checking stuff
soon.
Bugs still WIP
osinfo-db still doesn't recognise MicroOS as a seperate distribution -
debates with upstream ongoing
Working on YaST-less installation media with FDE by default
## Max
Leap Micro 5.4
* The project has been bootstrapped
* The missing bits
** Tweak Leap specific patches
** Enable pkglistgen
lkocman: is on it
Leap 15.5
* The fixed kernel for bsc#1206718 has got merged to SLE15-SP5(just
yesterday)
* Build stats in Backports(x86_64): 8 unresolvables, 59 fails(last
week: 8 unresolvables, 54 fails)
## Guillaume - Arm
Tumbleweed:
* Rolling, but e-mail with changes for 20230116 has not been sent
(See Tumbleweed section above).
* WiFi is broken on RPi3/4 (and other systems) with kernel 6.1. A
fix has been submitted upstream -
https://bugzilla.suse.com/show_bug.cgi?id=1206697
* Pointer Authentication issue, seen in zypper. Fixed upstream,
gcc13 should be updated soon in Factory -
https://bugzilla.suse.com/show_bug.cgi?id=1206684
* NVIDIA: tester with aarch64 server and NVIDIA card wanted
- Proprietary drivers are now available for aarch64 (only G06):
https://download.nvidia.com/opensuse/tumbleweed/
- New opengpu driver also available in OBS:
https://build.opensuse.org/project/monitor/X11:Drivers:Video
lkocman to check on who is the aarch64 + nvidia effort blocked on. I
recall that there was a chosen point of contact.
Leap:
* 15.5 aarch64: covered by Leap section above
* 15.5 armv7 now in openQA:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=106
ALP:
* No aarch64 specific issues
WSL:
* Works with x86 emulator since appx installer is x86-64, but this
is not really an issue since arm64 Win11 includes x86 emulator by
default.
Steps documented on the wiki to install the appx from download.o.o:
https://en.opensuse.org/openSUSE:WSL#With_Appx_from_openSUSE_download_server
## Sarah - s390x
Tumbleweed
* kdump is fixed (with calibrate.conf by SLE because of blocked builds
for s390x)
-> Tumbleweed is rolling again
Leap:
* tests are failing because of timeout (my next ToDo)
* qore updated
Question:
What should we do with packages buildable only on s390x and not on
x86?
Example:
https://build.opensuse.org/package/show/home:AdaLovelace:branches:server:da…
lkocman: I'd start with a bug against the package, then let's agree on
next steps with maintainer.
Please use bug against openSUSE.org choose 3rd party package. Can be
used for anything that is from OBS.
## Doug
* Updating openSUSE wiki
* Summarizing release manager info for those who can help maintain
other architectures
* GSoC
* Closing out issues
* Workshop to finalize projects & application scheduled for on Feb. 7
(deadline at 18:00 UTC)
* oSC23
* PO made
* Waiting on contract signature
* 10 registered, 8 submissions
* FOSDEM
* Booth in Building/Hall H (we have traditionally be in Building/Hall
K)
* Bus has 29 sign ups
* Article about booth location & activities published
* Contact ddemaio if you're in Nuremberg and want to take the bus to
FOSDEM. Space may be limited.
* FLOSS Weekly podcast schedule for Feb. 8
## Dirk
Not available
* Continued work on SUSE:ALP:RISCV bootstrap issues - looking into the
java stack which can not be built within ALP
* force published 15.4 and 15.5 for armv7 builds, openqa builds have
been triggered it appears it is set to do post-release testing?
* qemu/libseccomp 15.5 failure still in investigation
* made a x86_64-baseline with x86_64-v3 hwcaps prototype for
Tumbleweed. Seems successful, has open issue on debuginfo and auto-
installation of the v3 optimized version. Performance benefit seems
hard to measure. Biggest speedup can be observed by switching zlib to
zlib-ng, so looked into fixing the build failures caused by switching
to zlib-ng-compat
## Wolfgang (Package Hub), Scott Bahling
Not available
15 SP5 Package HUB channel is set up. Stefan did initial testing and
looks good.
Some packages are still missing, this is on agenda for today and next
week.
The workshop regarding Package HUB equivalent for ALP
Lubos will schedule a call with wolfgang and Scott to ensure that
they're in loop for the High Level requirements document.
https://en.opensuse.org/openSUSE:ALP/Workgroups/Community/Workshops/Consumi…
Package Hub for SLE-15-SP5 product definition added and SCC is
currently picking it up so it will be ready for testing with the beta
of SLE-15-SP5
## Maintenance team (Marcus or Maurizio (m4u))
Fixed a long standing issue with gnome-music that was blocking openqa
for a long time.
15.4 is working
5.3 is working
15.5 setup TBD (Mid-to-End February would be preferred).
Nothing worrysome, preannoucement for 15.3 EOL was sent to mainling
list End of December 2022.
There were three chromium updates in single week.
Configuration setup problem for Maintenance of Leap 15.4 maintenance
updates / openQA
Marcus regarding Leap 15.4 Image respin - package set will change, we
do need to refresh the packagelist
* Lubos to talk to Jan Stehlik, we can't put all on Marcuses shoulder.
https://etherpad.opensuse.org/p/ReleaseEngineering-20221110-maintenance-dis…
Confirmation that QA/QA-maint team will oversee the setup (issues)
Lubos: I was asked to provide requirements for the QA team. Mostly for
the GA/current release but also for the update. Lubos will make wiki
with requirements (something like maintenance plan perhaps). Marcus
will review it.
* Leap Micro 5.3 maint setup done
ffmpeg - (still unsolved) possible file conflict on the next update, no
idea how to avoid vendor switching at the moment.
Removing the patch on the openSUSE side (that might contain security
fixes) or releasing update on the packman side could fix the issue.
Lubos to give Marcus some working contact for the team.
## Adrian - OBS
DimStart pointed me to the fact that ftp-trees with factory ppc and
s390x are not building. It seems to be caused by a smallest worked who
is not large enough to handle the cache (caching of all rpms takes
about a 1 TB) and it times out.
New year cleanup requesting removal of repositories building against
EOL distros.
## Project maintainer work flow Status
* Base policy to be developed
Background on topic found at
https://etherpad.opensuse.org/p/ReleaseEngineering-20221221
For me it comes down to a matter of communication.
A note like 'thx for your SR, I think we should adapt the following '
or ' we are reviewing your SR, and quite stuck with work...' could
already change a lot. Silence for more then 4 week is clearly a perfect
way to annoy contributors.
And the question should be asked if those unresponsive maintainers are
still willing to maintain their projects. Or they may even not be
active anymore, another discussion we are having
6
5
23 Jan '23
4
3