Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20211126 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: ImageMagick (7.1.0.14 -> 7.1.0.16) MozillaFirefox (94.0.1 -> 94.0.2) apache2 apache2-manual apache2-prefork apache2-utils at audacity bison brltty ceph (16.2.6.462+g5fefbbf8888 -> 16.2.6.463+g22e7612f9ad) cups cups-filters dbus-1 dbus-1-x11 gpg2 (2.2.27 -> 2.3.3) librsvg (2.52.3 -> 2.52.4) libstorage-ng (4.4.57 -> 4.4.58) libvpx libzapojit lirc mailx ncurses (6.3.20211115 -> 6.3.20211120) protobuf-c python-PyYAML (5.4.1 -> 6.0) python-psutil python-pysmbc syslogd tgt virtualbox (6.1.28 -> 6.1.30) virtualbox-kmp (6.1.28_k5.15.3_1 -> 6.1.30_k5.15.3_1) xapps (2.2.3 -> 2.2.5) yast2-storage-ng (4.4.14 -> 4.4.15) === Details === ==== ImageMagick ==== Version update (7.1.0.14 -> 7.1.0.16) Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - update to 7.1.0.16: * Fixed an OpenCL build problem. * Added support for reading extra channels in a PSD file (reference * Fix alpha channel calculation of arithmetic divide compose operator. ==== MozillaFirefox ==== Version update (94.0.1 -> 94.0.2) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 94.0.2: * Update preference design for Firefox Suggest for improved clarity * Resolved general instability/crashes on Linux caused by a file descriptor leak when backgrounding tabs using WebGL (bmo#1741997) ==== apache2 ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== apache2-manual ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== apache2-prefork ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== apache2-utils ==== - httpd-framework updated to svn1894461 - added patches fix reverted logic, DirectorySlash NotFound is available in trunk only + apache-test-DirectorySlash-NotFound-logic.patch - do not consider php tests, they do not run anyway ==== at ==== - Drop ProtectSystem and ProtectHome hardening. Unfortunately they're breaking at jobs (boo#1192294) ==== audacity ==== Subpackages: audacity-lang - Conflict pipewire-libjack-0_3 to prevent boo#1191585 ==== bison ==== Subpackages: bison-lang - disable tests and profiling using tests on armv6l (boo#1192737) ==== brltty ==== Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-speech-dispatcher brltty-driver-xwindow brltty-lang libbrlapi0_8 python3-brlapi system-user-brltty xbrlapi - Add all sysusers.d Requires ==== ceph ==== Version update (16.2.6.462+g5fefbbf8888 -> 16.2.6.463+g22e7612f9ad) Subpackages: librados2 librbd1 - Update to 16.2.6-463-g22e7612f9ad: + (bsc#1178073) mgr/dashboard: fix downstream NFS doc links - Preservation of Bugzilla, Jira and CVE citations from earlier incarnations of this changes file after double-checking that none of these fixes got lost in the pacific rebase: + bsc#1163764 (--container-init feature cherry-picked to octopus) + bsc#1170200 (mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically) + bsc#1172926 (mgr/orchestrator: Sort 'ceph orch device ls' by host) + bsc#1173079 (mgr/devicehealth: device_health_metrics pool gets created even without any OSDs in the cluster) + bsc#1174466 (mon: have 'mon stat' output json as well) + bsc#1174526 (mgr/dashboard: allow getting fresh inventory data from the orchestrator) + bsc#1174529 (rpm: on SUSE, podman is required for cephadm to work) + bsc#1174644 (cephadm: log to file) + bsc#1175120 (downstream branding) + bsc#1175161 (downstream branding) + bsc#1175169 (downstream branding) + bsc#1176390 (mgr/dashboard: enable different URL for users of browser to Grafana) + bsc#1176451 (Drop patch "rpm: on SUSE, podman is required for cephadm to work") + bsc#1176489 (mgr/cephadm: lock multithreaded access to OSDRemovalQueue) + bsc#1176499 (mgr/cephadm: fix RemoveUtil.load_from_store()) + bsc#1176638 (ceph-volume: batch: call the right prepare method) + bsc#1176679 (mgr/dashboard: enable different URL for users of browser to Grafana) + bsc#1176828 (cephadm: command_unit: call systemctl with verbose=True) + bsc#1177078 (mgr/dashboard: Fix bugs in a unit test and i18n translation) + bsc#1177151 (python-common: do not skip unavailable devices) + bsc#1177319 (--container-init feature cherry-picked to octopus) + bsc#1177344 (mgr/dashboard: support Orchestrator and user-defined Ganesha cluster) + bsc#1177360 (cephadm: silence "Failed to evict container" log msg) + bsc#1177450 (ceph-volume: don't exit before empty report can be printed) + bsc#1177643 (Revert "spec: Podman (temporarily) requires apparmor-abstractions on suse") + bsc#1177676 (cephadm: allow uid/gid == 0 in copy_tree, copy_files, move_files) + bsc#1177843 (CVE-2020-25660) + bsc#1177857 (mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails) + bsc#1177933 (cephadm: configure journald as the logdriver) + bsc#1178531 (cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph) + bsc#1178837 (rgw: cls/user: set from_index for reset stats calls) + bsc#1178860 (mgr/dashboard: Disable TLS 1.0 and 1.1) + bsc#1178905 (CVE-2020-25678) + bsc#1178932 (cephadm: reference the last local image by digest) + bsc#1179016 (rpm: require smartmontools on SUSE) + bsc#1179452 (mgr/insights: Test environment requires 'six') + bsc#1179526 (rgw: during GC defer, prevent new GC enqueue) + bsc#1179569 (cephadm: reference the last local image by digest) + bsc#1179802 (CVE-2020-27781) + bsc#1179997 (CVE-2020-27839) + bsc#1180107 (ceph-volume: pass --filter-for-batch from drive-group subcommand) + bsc#1180155 (CVE-2020-27781) + bsc#1181291 (mgr/cephadm: alias rgw-nfs -> nfs) + bsc#1182766 (cephadm: fix 'inspect' and 'pull') + bsc#1183074 (CVE-2021-20288) + bsc#1183561 (mgr/cephadm: on ssh connection error, advice chmod 0600) + bsc#1183899 (bluestore: fix huge reads/writes at BlueFS) + bsc#1184231 (cephadm: Allow to use paths in all <_devices> drivegroup sections) + bsc#1184517 (cls/rgw: look for plane entries in non-ascii plain namespace too) + bsc#1185246 (rgw: check object locks in multi-object delete) + bsc#1185619 (CVE-2021-3524) + bsc#1185619 (CVE-2021-3524) + bsc#1186020 (CVE-2021-3531) + bsc#1186021 (CVE-2021-3509) + bsc#1186348 (mgr/zabbix: adapt zabbix_sender default path) + bsc#1188979 ("mgr/cephadm: pass --container-init to "cephadm deploy" if specified" and "Revert "cephadm: default container_init to False") + bsc#1189173 (downstream branding) + jsc#SES-1071 (ceph-volume: major batch refactor - upstream PR#34740) + jsc#SES-185 (SES support with cache software) + jsc#SES-704 (mgr/snap_schedule) ==== cups ==== Subpackages: cups-client cups-config libcups2 libcups2-32bit libcupsimage2 - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_cups.service.patch ==== cups-filters ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_cups-browsed.service.patch ==== dbus-1 ==== Subpackages: libdbus-1-3 libdbus-1-3-32bit - Add CONFIG parameter to %sysusers_generate_pre - Added BuildRequires alts for libalternatives. - Fixed spec file regarding removing old update-alternatives entries. - Use libalternatives instead of update-alternatives. ==== dbus-1-x11 ==== - Added BuildRequires alts for libalternatives. - Fixed spec file regarding removing old update-alternatives entries. - Use libalternatives instead of update-alternatives. ==== gpg2 ==== Version update (2.2.27 -> 2.3.3) Subpackages: dirmngr gpg2-lang - GnuPG 2.3.3: * agent: Fix segv in GET_PASSPHRASE (regression) * dirmngr: Fix Let's Encrypt certificate chain validation * gpg: Change default and maximum AEAD chunk size to 4 MiB * gpg: Print a warning when importing a bad cv25519 secret key * gpg: Fix --list-packets for undecryptable AEAD packets * gpg: Verify backsigs for v5 keys correctly * keyboxd: Fix checksum computation for no UBID entry on disk * keyboxd: Fix "invalid object" error with cv448 keys * dirmngr: New option --ignore-cert * agent: Fix calibrate_get_time use of clock_gettime * Support a gpgconf.ctl file under Unix and use this for the regression tests - GnuPG 2.3.2: * gpg: Allow fingerprint based lookup with --locate-external-key. * gpg: Allow decryption w/o public key but with correct card inserted. * gpg: Auto import keys specified with --trusted-keys. * gpg: Do not use import-clean for LDAP keyserver imports. * gpg: Fix mailbox based search via AKL keyserver method. * gpg: Fix memory corruption with --clearsign introduced with 2.3.1. * gpg: Use a more descriptive prompt for symmetric decryption. * gpg: Improve speed of secret key listing. * gpg: Support keygrip search with traditional keyring. * gpg: Let --fetch-key return an exit code on failure. * gpg: Emit the NO_SECKEY status again for decryption. * gpgsm: Support decryption of password based encryption (pwri). * gpgsm: Support AES-GCM decryption. * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint. * gpgsm: Fix finding of issuer in use-keyboxd mode. * gpgsm: New option --ldapserver as an alias for --keyserver. * agent: Use SHA-256 for SSH fingerprint by default. * agent: Fix calling handle_pincache_put. * agent: Fix importing protected secret key. * agent: Fix a regression in agent_get_shadow_info_type. * agent: Add translatable text for Caps Lock hint. * agent: New option --pinentry-formatted-passphrase. * agent: Add checkpin inquiry for pinentry. * agent: New option --check-sym-passphrase-pattern. * agent: Use the sysconfdir for a pattern file. * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry. * dirmngr: LDAP search by a mailbox now ignores revoked keys. * dirmngr: For KS_SEARCH return the fingerprint also with LDAP. * dirmngr: Allow for non-URL specified ldap keyservers. * dirmngr: New option --ldapserver. * dirmngr: Fix regression in KS_GET for mail address pattern. * card: New option --shadow for the list command. * tests: Make sure the built keyboxd is used. * scd: Fix computing shared secrets for 512 bit curves. * scd: Fix unblock PIN by a Reset Code with KDF. * scd: Fix PC/SC removed card problem. * scd: Recover the partial match for PORTSTR for PC/SC. * scd: Make sure to release the PC/SC context. * scd: Fix zero-byte handling in ECC. * scd: Fix serial number detection for Yubikey 5. * scd: Add basic support for AET JCOP cards. * scd: Detect external interference when --pcsc-shared is in use. * scd: Fix access to the list of cards. * gpgconf: Do not list a disabled tpm2d. * gpgconf: Make runtime changes with different homedir work. * keyboxd: Fix searching for exact mail adddress. * keyboxd: Fix searching with multiple patterns. * tools: Extend gpg-check-pattern. * wkd: Fix client issue with leading or trailing spaces in user-ids. * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry. * Change the default keyserver to keyserver.ubuntu.com. This is a temporary change due to the shutdown of the SKS keyserver pools. - GnuPG 2.3.1: * The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more. * gpg: Force version 5 key creation for ed448 and cv448 algorithms. * gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver. * gpg: Lookup a missing public key of the active card via LDAP. * gpgsm: New command --show-certs. * scd: Fix CCID driver for SCM SPR332/SPR532. * scd: Further improvements for PKCS#15 cards. * New configure option --with-tss to allow the selection of the TSS library. - Rebase patches: * gnupg-add_legacy_FIPS_mode_option.patch * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch * gnupg-dont-fail-with-seahorse-agent.patch * gnupg-set_umask_before_open_outfile.patch - GnuPG 2.3.0: * A new experimental key database daemon is provided. To enable it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored in a SQLite database and make key lookup much faster. * New tool gpg-card as a flexible frontend for all types of supported smartcards. * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and gpg-connect-agent. * The gpg-wks-client tool is now installed under bin; a wrapper for its old location at libexec is also installed. * tpm2d: New daemon to physically bind keys to the local machine. * gpg: Switch to ed25519/cv25519 as default public key algorithms. * gpg: Verification results now depend on the --sender option and the signer's UID subpacket. * gpg: Do not use any 64-bit block size cipher algorithm for encryption. Use AES as last resort cipher preference instead of 3DES. This can be reverted using --allow-old-cipher-algos. * gpg: Support AEAD encryption mode using OCB or EAX. * gpg: Support v5 keys and signatures. * gpg: Support curve X448 (ed448, cv448). * gpg: Allow use of group names in key listings. * gpg: New option --full-timestrings to print date and time. * gpg: New option --force-sign-key. * gpg: New option --no-auto-trust-new-key. * gpg: The legacy key discovery method PKA is no longer supported. The command --print-pka-records and the PKA related import and export options have been removed. * gpg: Support export of Ed448 Secure Shell keys. * gpgsm: Add basic ECC support. * gpgsm: Support creation of EdDSA certificates. [#4888] * agent: Allow the use of "Label:" in a key file to customize the pinentry prompt. * agent: Support ssh-agent extensions for environment variables. With a patched version of OpenSSH this avoids the need for the "updatestartuptty" kludge. * scd: Improve support for multiple card readers and tokens. * scd: Support PIV cards. * scd: Support for Rohde&Schwarz Cybersecurity cards. * scd: Support Telesec Signature Cards v2.0 * scd: Support multiple application on certain smartcard. * scd: New option --application-priority. * scd: New option --pcsc-shared; see man page for important notes. * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs. * The symcryptrun tool, a wrapper for the now obsolete external Chiasmus tool, has been removed. * Full Unicode support for the command line. - dropped legacy commands: gpg-zip ==== librsvg ==== Version update (2.52.3 -> 2.52.4) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0 - Disable testsuite for now, let upstream figure out the issue with harfbuzz 3.1.1. - Update to version 2.52.4: + New features: - Support the isolation property from the Compositing and Blending Level 1 specification. - Support Visual Studio 2022. + Bug fixes: - The opacity and mix-blend-mode properties were not being applied when an element has a mask. - Fix panic when an empty group has a pattern fill and filters. - Fix the tests on Windows; the still only work when Fontconfig is present. - Work around a bug in the cairo-rs bindings in the test suite, that only manifests itself in s/390x due to its calling convention. See https://github.com/gtk-rs/gtk-rs-core/issues/335 ==== libstorage-ng ==== Version update (4.4.57 -> 4.4.58) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Catalan) (bsc#1149754) - 4.4.58 ==== libvpx ==== - Rename libvpx-configure-add-s390.patch to libvpx-configure-add-arch.patch: add support for RISC-V ==== libzapojit ==== Subpackages: libzapojit-0_0-0 typelib-1_0-Zpj-0_0 - Add upstream patch, fixes: CVE-2021-39360: libzapojit-skydrive-Guard-against-invalid-SSL-certificates.patch: skydrive: Guard against invalid SSL certificates. ==== lirc ==== - Add pyyaml-60-compatibility.patch to make the package compatible with PyYAML 6.0+ (sht#lirc#365). ==== mailx ==== - Add patch mailx-12.5-systemd.patch to add description how to avoid bugs like bsc#1192916 -- mailx does not send mails unless run via strace or in verbose mode ==== ncurses ==== Version update (6.3.20211115 -> 6.3.20211120) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20211120 + add dim, ecma+strikeout to st-0.6 -TD + deallocate the tparm cache when del_curterm is called for the last allocated TERMINAL structure (report/testcase by Bram Moolenaar, cf: 20200531). + modify test-package to more closely conform to Debian multi-arch. + if the --with-pkg-config-libdir option is not given, use ${libdir}/pkgconfig as a default (prompted by discussion with Ross Burton). - Correct offsets of patch ncurses-6.3.dif ==== protobuf-c ==== - Drop no longer needed rpmlintrc. - Also add a protobuf-c =< version Obsoletes to devel sub-package. - Fold main package into devel package, as it needed its own devel-package, add a protobuf-c = version Provides to devel sub-package. ==== python-PyYAML ==== Version update (5.4.1 -> 6.0) - Add patch setuptools.patch - update to 6.0 * drop Python 2.7 * always require `Loader` arg to `yaml.load()` * fix float resolver to ignore `.` and `._` * fix representation of Enum subclasses * fix libyaml extension compiler warnings * fix ResourceWarning on leaked file descriptors * remove remaining direct distutils usage ==== python-psutil ==== - Update skip-obs.patch to also skip TestProcess.test_ionice_linux ==== python-pysmbc ==== - Remove python2 guard so we always Provide/Obsolete the old name. ==== syslogd ==== Subpackages: klogd syslog-service - Added hardening to systemd service(s) (bsc#1181400). Modified: * klog.service * klogd.service * syslogd.service ==== tgt ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_tgtd.service.patch Modified: * tgtd.service ==== virtualbox ==== Version update (6.1.28 -> 6.1.30) Subpackages: virtualbox-guest-tools virtualbox-guest-x11 - Version bump to 6.1.30 (released November 22 2021 by Oracle) This is a maintenance release. The following items were fixed and/or added: VMM: Fixed 6.1.28 regression preventing VMs starting when using Hyper-V mode on Windows 10 GUI: Fixed inability to complete First Run wizard after browsing for an external image GUI: Fixed crash on macOS Big Sur while browsing for an external image from First Run wizard GUI: Fixed bug on Windows with inability to save taken screenshot under a folder with native name (bug #15561) GUI: Fixed bug on X11 with drag and drop initiated on single mouse click in VM storage settings GUI: Fixed settings check on machines not supporting hardware virtualization GUI: Non critical media related errors should not cause modal pop-up error messages Host-only networking: Fixed crash parsing /etc/vbox/networks.conf DVD: Fixed drive lock handling across VM reset VBoxHeadless: Fixed crash when running on macOS Monterey (bug #20636) VBoxManage: Fixed incorrect help text for "hostonlyif" vboximg-mount: Error message if no image is specified Linux host: For all distribution specific packages (deb/rpm format) fix the packaging so that the feature for unattended installation of guest OSes works Linux host and guest: Introduced initial support for kernel 5.16 Shared Clipboard: Improved communication between guest and host when guest has no clipboard data to report Linux Guest Additions: Allow running only one VBoxDRMClient instance (bug #19373) File "fixes_for_5.14.patch" deleted - fixed upstream. File "fixes-for-5.15.patch" deleted - fixed upstream. File "fixes-for-5.16.patch" deleted - fixed upstream. ==== virtualbox-kmp ==== Version update (6.1.28_k5.15.3_1 -> 6.1.30_k5.15.3_1) - Version bump to 6.1.30 (released November 22 2021 by Oracle) This is a maintenance release. The following items were fixed and/or added: VMM: Fixed 6.1.28 regression preventing VMs starting when using Hyper-V mode on Windows 10 GUI: Fixed inability to complete First Run wizard after browsing for an external image GUI: Fixed crash on macOS Big Sur while browsing for an external image from First Run wizard GUI: Fixed bug on Windows with inability to save taken screenshot under a folder with native name (bug #15561) GUI: Fixed bug on X11 with drag and drop initiated on single mouse click in VM storage settings GUI: Fixed settings check on machines not supporting hardware virtualization GUI: Non critical media related errors should not cause modal pop-up error messages Host-only networking: Fixed crash parsing /etc/vbox/networks.conf DVD: Fixed drive lock handling across VM reset VBoxHeadless: Fixed crash when running on macOS Monterey (bug #20636) VBoxManage: Fixed incorrect help text for "hostonlyif" vboximg-mount: Error message if no image is specified Linux host: For all distribution specific packages (deb/rpm format) fix the packaging so that the feature for unattended installation of guest OSes works Linux host and guest: Introduced initial support for kernel 5.16 Shared Clipboard: Improved communication between guest and host when guest has no clipboard data to report Linux Guest Additions: Allow running only one VBoxDRMClient instance (bug #19373) File "fixes_for_5.14.patch" deleted - fixed upstream. File "fixes-for-5.15.patch" deleted - fixed upstream. File "fixes-for-5.16.patch" deleted - fixed upstream. ==== xapps ==== Version update (2.2.3 -> 2.2.5) Subpackages: libxapp1 typelib-1_0-XApp-1_0 xapps-common xapps-common-lang - Update to version 2.2.5. * xapp-favorites: Fix introspection notation for _get_favorites(). * Fix a couple of build warnings. - Updates for version 2.2.4. * meson gir: Export 'xapp' as a package * xapp-gtk3-module.c: Apply window icon override to all windows for an app. ==== yast2-storage-ng ==== Version update (4.4.14 -> 4.4.15) - Fixed typo in message about encryption (part of jsc#SLE-21308) - 4.4.15