Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20220410

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  SDL
  apache2-mod_php7
  busybox
  delayacct-utils (5.16.10 -> 5.17.1)
  freetype2 (2.11.1 -> 2.12.0)
  gnome-shell-extensions
  gnome-software
  libid3tag
  libnma (1.8.36 -> 1.8.38)
  libnvme (1.0~8 -> 1.0)
  libqt5-qtwebengine (5.15.8 -> 5.15.9)
  libsndfile (1.0.31 -> 1.1.0)
  nvme-cli (2.0~8 -> 2.0)
  php7
  squashfs (4.5 -> 4.5.1)
  webkit2gtk3
  webkit2gtk3-soup2
  xdpyinfo (1.3.2 -> 1.3.3)
  yast2-schema-default (4.4.11 -> 4.5.1)
  yast2-storage-ng (4.4.36 -> 4.5.1)
  yast2-users (4.4.10 -> 4.5.1)

=== Details ===

==== SDL ====

- Add CVE-2021-33657.patch: always create a full 256-entry color map in case color values are out of range (boo#1198001 CVE-2021-33657).

==== apache2-mod_php7 ====

- Disable build with '-z now' as it breaks the php-mysql extension

==== busybox ====
Subpackages: busybox-static

- Enable udhcpc

==== delayacct-utils ====
Version update (5.16.10 -> 5.17.1)

- rebuild when kernel version changes
- spec cleaning

==== freetype2 ====
Version update (2.11.1 -> 2.12.0)
Subpackages: freetype2-devel libfreetype6 libfreetype6-32bit

- update to 2.12.0:
  - FreeType now handles OT-SVG fonts, to be controlled with `FT_CONFIG_OPTION_SVG` configuration macro. By default, it can only load the 'SVG ' table of an OpenType font. However, by using the `svg-hooks` property of the new 'ot-svg' module it is possible to register an external SVG rendering engine. The FreeType demo programs have been set up to use 'librsvg' as the rendering library.
  - The handling of fonts with an 'sbix' table has been improved.
  - The internal 'zlib' code has been updated to be in sync with the current 'zlib' version (1.2.11).
  - The previously internal load flag `FT_LOAD_SBITS_ONLY` is now public.
  - Some minor improvements of the building systems, in particular handling of the 'zlib' library (internal vs. external).
  - Support for non-desktop Universal Windows Platform.
  - Various other minor bug and documentation fixes.
  - The `ftdump` demo program shows more information for Type1 fonts if option `-n` is given.
  - `ftgrid` can now display embedded bitmap strikes.

==== gnome-shell-extensions ====
Subpackages: gnome-shell-classic gnome-shell-extensions-common gnome-shell-extensions-common-lang

- Deprecate SLE-Classic in GNOME 42:
  + Drop 00_org.gnome.shell.extensions.sle-classic.gschema.override
  + Drop gse-sle-classic-ext.patch
  + Drop sle-classic.desktop
  + Drop sle-classic.json
  + Drop sle-classic@suse.com.tar.gz
  SLE-Classic is not compatible with GNOME 42 which makes this mode not usable. After careful consideration, we decide to deprecate SLE-Classic in GNOME 42, please find the reason in (boo#1197907).

==== gnome-software ====
Subpackages: gnome-software-lang

- Add 8cbce25.patch: Fix Gnome-Software keep popping up notification "Software updates failed".

==== libid3tag ====

- Add id3_ucs4_length-sanity-check.patch as Patch0. The patch helps to avoid a segfault in programs using this library, such as minidlna and potentially others; for details see <https://github.com/tenacityteam/libid3tag/pull/7> and <https://github.com/tenacityteam/libid3tag/issues/6>

==== libnma ====
Version update (1.8.36 -> 1.8.38)
Subpackages: libnma-gtk4-0 libnma-lang libnma0 typelib-1_0-NMA-1_0

- Update to version 1.8.38:
  + libnma-gtk4 is no longer considered EXPERIMENTAL.
  + meson now builds libnma-gtk4 properly.
  + Keyboard accelerator for certificate chooser works again.
  + Fixed libnma-gtk4 version of mobile-wizard.

==== libnvme ====
Version update (1.0~8 -> 1.0)

- Update to version 1.0:
  * tree: Remove default port setting for TCP and RDMA ports
  * tree: add 'f_args' argument to pass user data to the filter function
  * tree: remove 'ctrl_get_ana_state()'
  * tree: add namespace path iterators
  * tree: filter out namespaces
  * tree: update nvme_scan_filter_t usage

==== libqt5-qtwebengine ====
Version update (5.15.8 -> 5.15.9)

- Update to version 5.15.9:
  * QPdfView: scale page rendering according to devicePixelRatio
  * Update documented Chromium version
  * Use IsSameDocument() rather than IsLoadingToDifferentDocument()
  * Update module-split for installer
  * Fix printing PDF files
  * Do not override signal handlers
  * Avoid using xkbcommon in non-X11 builds
  * Update documentation
  * Update Chromium:
    * Bump V8_PATCH_LEVEL
    * Do not overwrite signal handlers in the browser process.
    * Replace base::ranges::set_union with std::set_union to fix MSVC2017 build
    * [Backport] CVE-2022-0100: Heap buffer overflow in Media streams API
    * [Backport] CVE-2022-0102: Type Confusion in V8
    * [Backport] CVE-2022-0103: Use after free in SwiftShader
    * [Backport] CVE-2022-0104: Heap buffer overflow in ANGLE
    * [Backport] CVE-2022-0108: Inappropriate implementation in Navigation
    * [Backport] CVE-2022-0109: Inappropriate implementation in Autofill
    * [Backport] CVE-2022-0111 and CVE-2022-0117
    * [Backport] CVE-2022-0113: Inappropriate implementation in Blink
    * [Backport] CVE-2022-0116: Inappropriate implementation in Compositing
    * [Backport] CVE-2022-0289: Use after free in Safe browsing
    * [Backport] CVE-2022-0291: Inappropriate implementation in Storage
    * [Backport] CVE-2022-0293: Use after free in Web packaging
    * [Backport] CVE-2022-0298: Use after free in Scheduling
    * [Backport] CVE-2022-0305: Inappropriate implementation in Service Worker API
    * [Backport] CVE-2022-0306: Heap buffer overflow in PDFium
    * [Backport] CVE-2022-0310 and CVE-0311: Heap buffer overflow in Task Manager
    * [Backport] CVE-2022-0456: Use after free in Web Search
    * [Backport] CVE-2022-0459: Use after free in Screen Capture
    * [Backport] CVE-2022-0460: Use after free in Window Dialog
    * [Backport] CVE-2022-0461: Policy bypass in COOP
    * [Backport] CVE-2022-0606: Use after free in ANGLE
    * [Backport] CVE-2022-0607: Use after free in GPU
    * [Backport] CVE-2022-0608: Integer overflow in Mojo
    * [Backport] CVE-2022-0609: Use after free in Animation
    * [Backport] CVE-2022-0610: Inappropriate implementation in Gamepad API
    * [Backport] CVE-2022-0971 (boo#1197163)
    * [Backport] CVE-2022-1096 (boo#1197552)
    * [Backport] CVE-2022-23852
    * [Backport] Copy 'name_' member during StyleRuleProperty::Copy
    * [Backport] Security bug 1256885
    * [Backport] Security bug 1258603
    * [Backport] Security bug 1259557
    * [Backport] Security bug 1261415
    * [Backport] Security bug 1265570
    * [Backport] Security bug 1268448
    * [Backport] Security bug 1270014
    * [Backport] Security bug 1274113
    * [Backport] Security bug 1276331
    * [Backport] Security bug 1280743
    * [Backport] Security bug 1289394
    * [Backport] Security bug 1292537
    * [Backport] sandbox: build if glibc 2.34+ dynamic stack size is enabled
- Drop patches, now upstream:
  * CVE-2022-0971-qtwebengine-5.15.patch
  * CVE-2022-1096-qtwebengine-5.15.patch

==== libsndfile ====
Version update (1.0.31 -> 1.1.0)

- update to 1.1.0:
  * Added MPEG Encode/Decode Support
  * New fuzzer for OSS-Fuzz, thanks @DavidKorczynski.
  Fixed:
  * Memory leak in caf_read_header(), credit to OSS-Fuzz (issue 30375).
  * Stack overflow in guess_file_type()
  * Abort in fuzzer, thanks @bobsayshilol, credit to OSS-Fuzz
  * Infinite loop in svx_read_header(), thanks @bobsayshilol, credit to OSS-Fuzz
  * GCC and Clang pedantic warnings, thanks @bobsayshilol.
  * Normalisation issue when scaling floating point data to int in replace_read_f2i(), thanks @bobsayshilol, (issue #702).
  * Missing samples when doing a partial read of Ogg file from index till the end of file, thanks @arthurt (issue #643).
  * sndfile-salvage: Handle files > 4 GB on Windows OS
  * Undefined shift in dyn_get_32bit(), credit to OSS-Fuzz
  * Integer overflow in nms_adpcm_update(), credit to OSS-Fuzz
  * Integer overflow in psf_log_printf(), credit to OSS-Fuzz
  * ABI version incompatibility between Autotools and CMake build on Apple platforms.
  * Heap buffer overflow in wavlike_ima_decode_block()
  * Heap buffer overflow in msadpcm_decode_block()
  * Heap buffer overflow in psf_binheader_readf()
  * Index out of bounds in psf_nms_adpcm_decode_block()
  * Heap buffer overflow in flac_buffer_copy()
  * Heap buffer overflow in copyPredictorTo24()
  * Uninitialized variable in psf_binheader_readf()
- drop sndfile-deinterlace-channels-check.patch ms_adpcm-Fix-and-extend-size-checks.patch, libsndfile-CVE-2021-4156.patch (obsolete)

==== nvme-cli ====
Version update (2.0~8 -> 2.0)
Subpackages: nvme-cli-bash-completion nvme-cli-zsh-completion

- Update to version 2.0:
  * fabrics: Create persistent controller using unique subsystem NQN (bsc#1198243)
  * fabrics: Set KATO for discovery controller when connecting
  * fabrics: Do not modify default config for discovery controller
  * fabrics: Set default trsvcid ports for TCP and RDMA (bsc#1195858)
  * fabrics: Support connect even when no /etc/nvme/hostnqn file exists
  * nvme: update to nvme_scan_filter_t modifications (bsc#1195938)
  * plugins/intel: make 'buckets' a json array
  * plugins: Update WDC capabilities command with new commands
  * plugins: Add OCP plugin

==== php7 ====
Subpackages: php7-cli php7-ctype php7-dom php7-gd php7-gettext php7-iconv php7-json php7-mbstring php7-mysql php7-openssl php7-pdo php7-sqlite php7-tokenizer php7-xmlreader php7-xmlwriter

- Disable build with '-z now' as it breaks the php-mysql extension

==== squashfs ====
Version update (4.5 -> 4.5.1)

- update to 4.5.1 (bsc#1190531, CVE-2021-41072):
  * This release adds Manpages for Mksquashfs(1), Unsquashfs(1), Sqfstar(1) and Sqfscat(1).
  * The -help text output from the utilities has been improved and extended as well (but the Manpages are now more comprehensive).
  * CVE-2021-41072 which is a writing outside of destination exploit, has been fixed.
  * The number of hard-links in the filesystem is now also displayed by Mksquashfs in the output summary.
  * The number of hard-links written by Unsquashfs is now also displayed in the output summary.
  * Unsquashfs will now write to a pre-existing destination directory, rather than aborting.
  * Unsquashfs now allows "." to be used as the destination, to extract to the current directory.
  * The Unsquashfs progress bar now tracks empty files and hardlinks, in addition to data blocks.
  * -no-hardlinks option has been implemented for Sqfstar.
  * More sanity checking for "corrupted" filesystems, including checks for multiply linked directories and directory loops.
  * Options that may cause filesystems to be unmountable have been moved into a new "experts" category in the Mksquashfs help text (and Manpage).
  * Maximum cpiostyle filename limited to PATH_MAX. This prevents attempts to overflow the stack, or cause system calls to fail with a too long pathname.
  * Don't always use "max open file limit" when calculating length of queues, as a very large file limit can cause Unsquashfs to abort. Instead use the smaller of max open file limit and cache size.
  * Fix Mksquashfs silently ignoring Pseudo file definitions when appending.
  * Don't abort if no XATTR support has been built in, and there's XATTRs in the filesystem. This is a regression introduced in 2019 in Version 4.4.
  * Fix duplicate check when the last file block is sparse.

==== webkit2gtk3 ====
Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Drop webkit2gtk3-gcc12.patch. It isn't needed anymore, since the relevant gcc change has been reverted for now.
- Update some minimum version requirements to match cmake checks.
- Remove build requirements on geoclue and libbrotlidec: they are no longer build-time dependencies. Add geoclue2 to Recommends.

==== webkit2gtk3-soup2 ====
Subpackages: WebKit2GTK-4.0-lang libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles

- Drop webkit2gtk3-gcc12.patch. It isn't needed anymore, since the relevant gcc change has been reverted for now.
- Update some minimum version requirements to match cmake checks.
- Remove build requirements on geoclue and libbrotlidec: they are no longer build-time dependencies. Add geoclue2 to Recommends.

==== xdpyinfo ====
Version update (1.3.2 -> 1.3.3)

- Update to version 1.3.3:
  * This release includes a pair of changes to align with the xserver-21.x release series - it prints the version without the leading "1." for 21.x xservers, and it changes the default for building DMX support from --with-dmx to --without-dmx as DMX is no longer included in the 21.x xservers. (The DMX support in xdpyinfo is not removed in this release, and can be enabled at build time with the --with-dmx flag to configure, but may be fully removed in a future release of xdpyinfo.)

==== yast2-schema-default ====
Version update (4.4.11 -> 4.5.1)

- Remove dependency of YaST NIS packages from TW (bsc#1183893).
- 4.5.1
- Bump version to 4.5.0 (#bsc1198109)

==== yast2-storage-ng ====
Version update (4.4.36 -> 4.5.1)

- Fix fstab entry filesystem matching allowing the use of quotes surrounding the device UUID or label (bsc#1197692)
- 4.5.1
- Bump version to 4.5.0 (#bsc1198109)

==== yast2-users ====
Version update (4.4.10 -> 4.5.1)

- Fix import users: do not fail if the group does not exist (bsc#1197040).
- 4.5.1
- Bump version to 4.5.0 (#bsc1198109)