Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20241129 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: Mesa Mesa-drivers MozillaFirefox (132.0.2 -> 133.0) gnome-session libpwquality libreoffice (24.8.2.1 -> 24.8.3.2) openSUSE-release (20241127 -> 20241129) python-setuptools (72.1.0 -> 75.6.0) python311-packaging (24.1 -> 24.2) unbound webkit2gtk3 (2.46.3 -> 2.46.4) === Details === ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1 - trying to make buildservice happy by adding both tarballs to specfile ... - on s390x build Mesa 24.1.7 to fix colors with Xvnc (boo#1233167) - adjusted patches for Mesa 24.1.7: * python36-buildfix1-s390x.patch * u_dep_xcb-s390x.patch * u_mesa-CVE-2023-45913-s390x.patch ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-gallium Mesa-libva libxatracker2 - trying to make buildservice happy by adding both tarballs to specfile ... - on s390x build Mesa 24.1.7 to fix colors with Xvnc (boo#1233167) - adjusted patches for Mesa 24.1.7: * python36-buildfix1-s390x.patch * u_dep_xcb-s390x.patch * u_mesa-CVE-2023-45913-s390x.patch ==== MozillaFirefox ==== Version update (132.0.2 -> 133.0) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 133.0 https://www.mozilla.org/en-US/firefox/133.0/releasenotes MFSA 2024-63 (bsc#1233695) * CVE-2024-11691 (bmo#1914707, bmo#1924184) Memory corruption in Apple GPU drivers * CVE-2024-11700 (bmo#1836921) Potential Tapjacking Exploit for Intent Confirmation on Android * CVE-2024-11692 (bmo#1909535) Select list elements could be shown over another site * CVE-2024-11701 (bmo#1914797) Misleading Address Bar State During Navigation Interruption * CVE-2024-11702 (bmo#1918884) Inadequate Clipboard Protection in Private Browsing Mode on Android * CVE-2024-11693 (bmo#1921458) Download Protections were bypassed by .library-ms files on Windows * CVE-2024-11694 (bmo#1924167) CSP Bypass and XSS Exposure via Web Compatibility Shims * CVE-2024-11695 (bmo#1925496) URL Bar Spoofing via Manipulated Punycode and Whitespace Characters * CVE-2024-11703 (bmo#1928779) Password access without authentication via PIN bypass on Android * CVE-2024-11696 (bmo#1929600) Unhandled Exception in Add-on Signature Verification * CVE-2024-11697 (bmo#1842187) Improper Keypress Handling in Executable File Confirmation Dialog * CVE-2024-11704 (bmo#1899402) Potential Double-Free Vulnerability in PKCS#7 Decryption Handling * CVE-2024-11698 (bmo#1916152) Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS * CVE-2024-11705 (bmo#1921768) Null Pointer Dereference in NSC_DeriveKey * CVE-2024-11706 (bmo#1923767) Null Pointer Dereference in PKCS#12 Utility * CVE-2024-11708 (bmo#1922912) Data race with PlaybackParams * CVE-2024-11699 (bmo#1880582, bmo#1929911) Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5 - requires NSS 3.106 - remove obsolete mozilla-python313.patch - add mozilla-python313.patch to fix build with python 3.13+ ==== gnome-session ==== Subpackages: gnome-session-core gnome-session-lang gnome-session-wayland gnome-session-xsession - Build gnome-session-wayland also on s390x: It was originally excluded because xwayland did not exist. That has been solved in 2021 though. ==== libpwquality ==== Subpackages: libpwquality-lang libpwquality1 libpwquality1-32bit pam_pwquality pam_pwquality-32bit - Drop python 2.x support (it's been 4 years). - Add python3-setuptools BuildRequires which is needed for distutils. ==== libreoffice ==== Version update (24.8.2.1 -> 24.8.3.2) Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-qt6 libreoffice-writer libreofficekit - Update to 24.8.3.2 (24.8.3 final) * Release notes: https://wiki.documentfoundation.org/Releases/24.8.3/RC1 https://wiki.documentfoundation.org/Releases/24.8.3/RC2 - Update bundled dependencies: * curl 8.10.1 -> 8.11.0 - New translation: Tagalog ==== openSUSE-release ==== Version update (20241127 -> 20241129) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== python-setuptools ==== Version update (72.1.0 -> 75.6.0) - Skip over the tests which require network. - Don't use pytest-xdist, it breaks test suite. - update to 75.6.0: * Preserve original PKG-INFO into METADATA when creating wheel (instead of calling wheel.metadata.pkginfo_to_metadata). This helps to be more compliant with the flow specified in PEP 517. * Changed the WindowsSdkVersion, FrameworkVersion32 and FrameworkVersion64 properties of setuptools.msvc.PlatformInfo to return an empty tuple instead of None as a fallthrough case -- by :user:`Avasam` - update to 75.5.0: * Removed support for SETUPTOOLS_DANGEROUSLY_SKIP_PYPROJECT_VALIDATION, as it is deemed prone to errors. * Added support for the environment variable SETUPTOOLS_DANGEROUSLY_SKIP_PYPROJECT_VALIDATION=true, allowing users to bypass the validation of pyproject.toml. This option should be used only as a last resort when resolving dependency issues, as it may lead to improper functioning. Users who enable this setting are responsible for ensuring that pyproject.toml complies with setuptools requirements. (#4611) Attention! This environment variable was removed in a later version of setuptools. * Require Python 3.9 or later. (#4718) * Remove dependency on importlib_resources and the vendored copy of the library. Instead, setuptools consistently rely on stdlib's importlib.resources (available on Python 3.9+). (#4718) * Setuptools' bdist_wheel implementation no longer produces wheels with the m SOABI flag (pymalloc-related). This flag was removed on Python 3.8+ (see :obj:`sys.abiflags`). (#4718) * Updated vendored packaging version to 24.2. (#4740) * Merge with pypa/distutils@251797602, including fix for dirutil.mkpath handling in pypa/distutils#304. * Allowed using dict as an ordered type in setuptools.dist.check_requirements -- by :user:`Avasam` * Ensured methods in setuptools.modified preferably raise a consistent distutils.errors.DistutilsError type (except in the deprecated use case of SETUPTOOLS_USE_DISTUTILS=stdlib) - - by :user:`Avasam` * Fix the ABI tag when building a wheel using the debug build of Python 3.13 on Windows. Previously, the ABI tag was missing the "d" flag. * Fix clashes for optional-dependencies in pyproject.toml and extra_requires in setup.cfg/setup.py. As per PEP 621, optional-dependencies have to be honoured and dynamic behaviour is not allowed. * #4560 * Made errors when parsing Distribution data more explicit about the expected type (tuple[str, ...] | list[str]) -- by :user:`Avasam` * Fix a TypeError when a Distribution's old included attribute was a tuple -- by :user:`Avasam` * Add workaround for bdist_wheel --dist-info-dir errors when customisation does not inherit from setuptools. * Re-use pre-existing .dist-info dir when creating wheels via the build backend APIs (PEP 517) and the metadata_directory argument is passed -- by :user:`pelson`. * Changed egg_info command to avoid adding an empty .egg-info directory while iterating over entry-points. This avoids triggering integration problems with importlib.metadata/importlib_metadata (reference: pypa/pyproject-hooks#206). * Deprecated bdist_wheel.universal configuration. * Removed reference to upload_docs module in entry points. * Declare also the dependencies used by distutils (adds jaraco.collections). * Removed upload_docs command. * Merge with pypa/distutils@7283751. Removed the register and upload commands and the config module that backs them (pypa/distutils#294). Removed the borland compiler. Replaced vendored dependencies with natural dependencies. Cygwin C compiler now gets compilers from sysconfig (pypa/distutils#296). * Fix cross-platform compilation using distutils._msvccompiler.MSVCCompiler -- by :user:`saschanaz` and :user:`Avasam` * Fixed TypeError in sdist filelist processing by adding support for pathlib Paths for the build_base. * Removed degraded and deprecated test_integration (easy_install) from the test suite. * Fixed TypeError in msvc.EnvironmentInfo.return_env when no runtime redistributables are installed. * Added support for defining ext-modules via pyproject.toml (EXPERIMENTAL, may change in future releases). * Merge with pypa/distutils@3dcdf8567, removing the duplicate vendored copy of packaging. * Restored setuptools.msvc.Environmentinfo as it is used externally. * Changed the type of error raised by setuptools.command.easy_install.CommandSpec.from_param on unsupported argument from AttributeError to TypeError -- by :user:`Avasam` * Added detection of ARM64 variant of MSVC -- by :user:`saschanaz` * Made setuptools.package_index.Credential a typing.NamedTuple - - by :user:`Avasam` * Reraise error from setuptools.command.easy_install.auto_chmod ... changelog too long, skipping 42 lines ... get_msvcr() (pypa/distutils#274). ==== python311-packaging ==== Version update (24.1 -> 24.2) - update to 24.2: * PEP 639: Implement License-Expression and License-File (:issue:`828`) * Use !r formatter for error messages with filenames (:issue:`844`) * Add support for PEP 730 iOS tags (:issue:`832`) * Fix prerelease detection for > and < (:issue:`794`) * Fix uninformative error message (:issue:`830`) * Refactor canonicalize_version (:issue:`793`) * Patch python_full_version unconditionally (:issue:`825`) * Fix doc for canonicalize_version to mention strip_trailing_zero and a typo in a docstring (:issue:`801`) * Fix typo in Version __str__ (:issue:`817`) * Support creating a SpecifierSet from an iterable of Specifier objects (:issue:`775`) ==== unbound ==== Subpackages: libunbound8 unbound-anchor - add workaround for bug https://github.com/NLnetLabs/unbound/issues/509 Starting up with 127.0.0.1 in the /etc/resolv.conf leads to long delays if the anchor update is being run as ExecStartPre in the unbound service ==== webkit2gtk3 ==== Version update (2.46.3 -> 2.46.4) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.46.4: + Improve memory consumption and performance of Canvas getImageData. + Fix preserve-3D intersection rendering. + Fix video dimensions since GStreamer 1.24.9. + Fix the HTTP-based remote Web Inspector not loading in Chromium. + Fix content filters not working on about:blank iframes. + Fix several crashes and rendering issues. + Security fixes: CVE-2024-44308, CVE-2024-44309. - Drop patches fixed upstream: + 9e9ea966373d3858668f6a29d8ba91a5807c8dd8.patch + webkit2gtk3-CVE-2024-44308.patch + webkit2gtk3-CVE-2024-44309.patch