Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20241029

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  inkscape (1.3.2 -> 1.4)
  kvm_stat
  libxslt
  mozilla-nss (3.104 -> 3.105)
  openSUSE-release (20241028 -> 20241029)
  openssh
  openssl-3 (3.1.4 -> 3.1.7)
  openssl (3.1.4 -> 3.1.7)
  openvpn
  tigervnc

=== Details ===

==== inkscape ====
Version update (1.3.2 -> 1.4)
Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang

- Update to version 1.4:
  + Filter Gallery
  + Modular grids & improved axonometric grids
  + Swatches dialog and palette file handling improved
  + Unified font browser preview
  + Customizable handles
  + Fast image clipping with the Shape Builder
  + Affinity Designer File Import
  + Support for internal links in exported PDF files
  + A whole new icon set
  + See the full release notes
    https://inkscape.org/release/inkscape-1.4
- Drop inkscape-poppler-24.03.0.patch, inkscape-libxml2.12.patch,
  inkscape-poppler-c++20.patch, inkscape-poppler-24.05.0.patch,
  inkscape-poppler-c++20-2.patch, inkscape_1.3.2_fix_tiff.patch,
  fixed upstream

==== kvm_stat ====

- Add a patch that makes it possible to use kvm_stat from scripts
  (it has been submitted upstream already):
  * Added patches:
    fix-termination-behavior-when-not-on-a-terminal.patch

==== libxslt ====
Subpackages: libexslt0 libxslt-tools libxslt1

- Add libxslt-reproducible.patch to make xml output
  deterministic (boo#1062303)

==== mozilla-nss ====
Version update (3.104 -> 3.105)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit
mozilla-nss-tools

- update to NSS 3.105
  * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
  * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
  * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
  * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
  * bmo#1918767 - override default definition of KRML_MUSTINLINE
  * bmo#1916525 - libssl support for mlkem768x25519
  * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
  * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
  * bmo#1911912 - Avoid misuse of ctype(3) functions
  * bmo#1917311 - part 2: run clang-format
  * bmo#1917311 - part 1: upgrade to clang-format 13
  * bmo#1916953 - clang-format fuzz
  * bmo#1910370 - DTLS client message buffer may not be empty on retransmit
  * bmo#1916413 - Optionally print config for TLS client and server fuzz target
  * bmo#1916059 - Fix some simple documentation issues in NSS.
  * bmo#1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
  * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

==== openSUSE-release ====
Version update (20241028 -> 20241029)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Don't force using gcc11 on SLFO/ALP which have a newer version.
- Add patches from upstream:
  - To fix a copy&paste oversight in an ifdef:
    * 0001-fix-utmpx-ifdef.patch
  - To fix a regression introduced when the "Match" criteria tokenizer
    was modified since it stopped supporting the
    "Match criteria=argument" format:
    * 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
  - To fix the previous patch which broke on negated Matches:
    * 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
  - To fix the ML-KEM768x25519 kex algorithm on big-endian systems:
    * 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch

==== openssl-3 ====
Version update (3.1.4 -> 3.1.7)
Subpackages: libopenssl3 libopenssl3-32bit libopenssl3-x86-64-v3

- Update to 3.1.7:
  * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
    - Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
    - Fixed possible buffer overread in SSL_select_next_proto()
      (CVE-2024-5535)
  * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
    - Fixed potential use after free after SSL_free_buffers() is called
      (CVE-2024-4741)
    - Fixed an issue where checking excessively long DSA keys or
      parameters may be very slow (CVE-2024-4603)
    - Fixed unbounded memory growth with session handling in TLSv1.3
      (CVE-2024-2511)
  * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
    - Fixed PKCS12 Decoding crashes (CVE-2024-0727)
    - Fixed Excessive time spent checking invalid RSA public keys
      (CVE-2023-6237)
    - Fixed POLY1305 MAC implementation corrupting vector registers on
      PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
    - Fix excessive time spent in DH check / generation with large Q
      parameter value (CVE-2023-5678)
  * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
  * Rebase patches:
    - openssl-Force-FIPS.patch
    - openssl-FIPS-embed-hmac.patch
    - openssl-FIPS-services-minimize.patch
    - openssl-FIPS-RSA-disable-shake.patch
    - openssl-CVE-2023-50782.patch
  * Remove patches fixed
    in the update:
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
    - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
    - openssl-CVE-2024-4741.patch openssl-CVE-2024-4603.patch
    - openssl-CVE-2024-2511.patch openssl-CVE-2024-0727.patch
    - openssl-CVE-2023-6237.patch openssl-CVE-2023-6129.patch
    - openssl-CVE-2023-5678.patch
    - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
    - openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
    - openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
    - reproducible.patch

==== openssl ====
Version update (3.1.4 -> 3.1.7)

- Update to 3.1.7

==== openvpn ====

- Fix multiple exit notifications from authenticated clients will
  extend the validity of a closing session
  (bsc#1227546 CVE-2024-28882)
  Patchname: openvpn-CVE-2024-28882.patch
- Enable Data-Channel-Offloading (DCO) for better performance
  (jsc#PED-8305) if libnl >= 3.4 is available

==== tigervnc ====
Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module

- Require /usr/bin/dbus-launch instead of dbus-1-x11:
  Do not rely on legacy dbus-1-x11 package, which is going away
  after moving to dbus-broker.