Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20210913

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (91.0.2 -> 92.0)
  amarok (2.9.75git.20210626T134054~59b22189f6 -> 2.9.75git.20210830T182443~10309f00af)
  argyllcms (2.1.2 -> 2.2.0)
  c-ares
  emacs
  ghostscript
  irqbalance
  libetonyek (0.1.9 -> 0.1.10)
  libqt5-qtwebengine (5.15.5 -> 5.15.6)
  libsrtp2 (2.4.0 -> 2.4.1)
  libtpms
  libxfce4ui (4.16.0 -> 4.16.1)
  linux-glibc-devel (5.13 -> 5.14)
  nfs-utils
  patterns-base
  postgresql13 (13.3 -> 13.4)
  python-kiwi (9.23.49 -> 9.23.54)
  python-mysqlclient
  tuned (2.15.0+git.1625694366.bc3f737 -> 2.16.0)
  util-linux
  util-linux-systemd
  virtualbox
  virtualbox-kmp

=== Details ===

==== MozillaFirefox ====
Version update (91.0.2 -> 92.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 92.0
  * More secure connections: Firefox can now automatically
    upgrade to HTTPS using HTTPS RR as Alt-Svc headers
  * Full-range color levels are now supported for video playback
    on many systems
  MFSA 2021-38 (bsc#1190269)
  * CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240, bmo#1712242, bmo#1729259)
    Handling custom intents could lead to crashes and UI spoofs
  * CVE-2021-38491 (bmo#1551886)
    Mixed-Content-Blocking was unable to check opaque origins
  * CVE-2021-38492 (bmo#1721107)
    Navigating to `mk:` URL scheme could load Internet Explorer
  * CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107)
    Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14
    and Firefox ESR 91.1
  * CVE-2021-38494 (bmo#1723920, bmo#1725638)
    Memory safety bugs
    fixed in Firefox 92
- updated appdata
- remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
  (does not apply anymore; unclear if obsolete)
- bring back mozilla-silence-no-return-type.patch and run
  post-build-checks everywhere again
- requires NSS 3.69.1
- Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly
  repositioned due to rounding errors when font scaling != 1
  (bmo#1708709); patch taken from upstream bug report and rebased
  to apply cleanly against current version.
- Bump using with GCC (tested locally).

==== amarok ====
Version update (2.9.75git.20210626T134054~59b22189f6 -> 2.9.75git.20210830T182443~10309f00af)

- Update to version 2.9.75git.20210830T182443~10309f00af:
  * Set Attributes before constructing the Application
  * Port away from KRandom, bump Qt req. ver. to 5.10
- Rebase amarok-2.9.75git.20210830T182443~10309f00af.tar.xz
- Update translations

==== argyllcms ====
Version update (2.1.2 -> 2.2.0)

- Update to version 2.2.0:
  * Added native i1Pro3 and i1Pro3 Plus driver.
  * Fix bug in applycal.c where it gets an "Error - Write file: 1,
    icmTextDescription_write: ascii string is shorter" error on
    replacing one calibration with another.
  * Improved i1pro & Munki patch recognition to work much more
    reliably with a slow swipe speed.
  * Fixed oeminst to work with spyder V5.5. setup.exe
  * Fixed bug in oemdld that prevented HTML encoded characters in
    download file decoding properly, which prevented certain
    filenames from working.
  * Fixed bug in ccxxmake -S -f where save error wasn't being fully
    reported, and display technology presence check was faulty.
  * Fixed typo in display technology, VPA -> PVA.
  * Made Klein K10A "Lights Off" command timeout a soft error. For
    some reason this command doesn't seem to be implemented on
    some K10A's.
  * Added CIE dE2000 to spotread output.
  * Fixed accidental global "wrl" in gamut/gamut.h that causes
    compile warnings.
  * For more see http://www.argyllcms.com/doc/ChangesSummary.html
- Drop argyllcms--gcc--fno-common.patch (upstreamed with exception
  of static declaration of struct huft, which is not required).

==== c-ares ====

- new upstream website
- drop multibuild - tests do not require static library anymore
- spec file cleanup
- drop sources that were re-added to upstream distribution
  (c-ares-config.cmake.in ares_dns.h libcares.pc.cmake)
- 5c995d5.patch: augment input validation on hostnames to allow _
  as part of DNS response (bsc#1190225)

==== emacs ====
Subpackages: emacs-info emacs-nox emacs-x11 etags

- Work for boo#1183497: make sure that if ibus is the input method
  that there exists a working gtk immodule for ibus as well as
  the ibus daemon is up and running

==== ghostscript ====
Subpackages: ghostscript-x11

- CVE-2021-3781.patch fixes CVE-2021-3781
  Trivial -dSAFER bypass
  cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
  (bsc#1190381)

==== irqbalance ====
Subpackages: irqbalance-ui

- Update to version 1.8.0.18.git+2435e8d:
  * fix unsigned integer subtraction sign overflow
  * fix opendir fails in check_platform_device
  * irqbalance: Check validity of numa_node
  * configure.ac: use pkg-config to find numa
  * Disable the communication socket when UI is disabled
  * Fix comma typo in ui.c
  * drop NoNewPrivs from irqbalance service
  * remove no existing irq in banned_irqs
  * Fix compile issue with none AARCH64 builds
- Fixes integrated mainline:
  * bsc#1119461
  * bsc#1138190
  * bsc#1154905
  * bsc#1178477 bsc#1183405
    (removed patches due to mainline integration):
    procinterrupts-check-xen-dyn-event-more-flexible.patch
  * bsc#1182254 bsc#1156315
    (removed patches due to mainline integration):
    fix-ambiguous-parsing-of-node-entries-in-sys.patch
  * bsc#1183157
    also-fetch-node-info-for-non-PCI-devices.patch

==== libetonyek ====
Version update (0.1.9 -> 0.1.10)

- Added patch:
  * resolve-ambiguities.patch
    + fix some ambiguities in type resolutions on older compilers
    + enables building on sle12-sp5
- Update to 0.1.10:
  * Parse shadow.
  * Improve detection of the "new" formats.
  * Fix handling of text baseline shift.
  * Improve various formats.
- Remove upstreamed patch
  0001-add-missing-include-for-std-for_each.patch

==== libqt5-qtwebengine ====
Version update (5.15.5 -> 5.15.6)

- Update to version 5.15.6:
  * Update Chromium:
    + [Backport] CVE-2021-30560: Use after free in Blink XSLT
    + [Backport] CVE-2021-30566: Stack buffer overflow in Printing
    + [Backport] CVE-2021-30585: Use after free in sensor handling
    + Bump V8_PATCH_LEVEL
    + [Backport] Security bug 1228036
    + [Backport] CVE-2021-30604: Use after free in ANGLE
    + [Backport] CVE-2021-30603: Race in WebAudio
    + [Backport] CVE-2021-30602: Use after free in WebRTC
    + [Backport] CVE-2021-30599: Type Confusion in V8
    + [Backport] CVE-2021-30598: Type Confusion in V8
    + [Backport] Security bug 1227933
    + [Backport] Security bug 1205059
    + [Backport] Security bug 1184294
    + [Backport] Security bug 1198385
    + [Backport] CVE-2021-30588: Type Confusion in V8
    + [Backport] CVE-2021-30587: Inappropriate implementation in Compositing on Windows
    + [Backport] CVE-2021-30573: Use after free in GPU
    + [Backport] CVE-2021-30569, security bugs 1198216 and 1204814
    + [Backport] CVE-2021-30568: Heap buffer overflow in WebGL
    + [Backport] CVE-2021-30541: Use after free in V8
    + [Backport] Security bugs 1197786 and 1194330
    + [Backport] Security bug 1194689
    + [Backport] CVE-2021-30563: Type Confusion in V8
    + [Backport] Security bug 1211215
    + [Backport] Security bug 1209558
    + [Backport] CVE-2021-30553: Use after free in Network service
    + [Backport] CVE-2021-30548: Use after free in Loader
    + [Backport] CVE-2021-30547: Out of bounds write in ANGLE
    + [Backport] CVE-2021-30556: Use after free in WebAudio
    + [Backport] CVE-2021-30559: Out of bounds write in ANGLE
    + [Backport] CVE-2021-30533: Insufficient policy enforcement in PopupBlocker
    + [Backport] Security bug 1202534
    + [Backport] CVE-2021-30536: Out of bounds read in V8
    + [Backport] CVE-2021-30522: Use
      after free in WebAudio
    + [Backport] CVE-2021-30554 Use after free in WebGL
    + [Backport] CVE-2021-30551: Type Confusion in V8
    + [Backport] CVE-2021-30544: Use after free in BFCache
    + [Backport] CVE-2021-30535: Double free in ICU
    + [Backport] CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox
    + [Backport] CVE-2021-30530: Out of bounds memory access in WebAudio
    + [Backport] CVE-2021-30523: Use after free in WebRTC
    + Generate mojo bindings before compiling extension API registration
  * Bump version from 5.15.5 to 5.15.6
  * Always send phased wheel events beginning with Began
- Import patch from the chromium package:
  * 0001-return-ENOSYS-for-clone3.patch
- Add changes from the chromium package to
  0001-Fix-build-with-glibc-2.34.patch

==== libsrtp2 ====
Version update (2.4.0 -> 2.4.1)

- Update to release 2.4.1
  * Use a full-length key even with null ciphers

==== libtpms ====

- security update
- added patches
  fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially
  crafted TPM 2 command packets
  + libtpms-CVE-2021-3746.patch

==== libxfce4ui ====
Version update (4.16.0 -> 4.16.1)
Subpackages: libxfce4ui-2-0 libxfce4ui-lang libxfce4ui-tools typelib-1_0-Libxfce4ui-2_0

- Update to version 4.16.1
  * Add 4.16 section to docs
  * about: Replace stock with regular button
  * about: Make Close button translatable (bxo#xfce/libxfce4ui#41)
  * Fix cast alignment warning
  * Remove Gtk2 leftovers
  * Don't reserve vertical space for subtitles in headerbars
  * Translation Updates
- Remove headerbar_subtitle.patch - fixed upstream

==== linux-glibc-devel ====
Version update (5.13 -> 5.14)

- Update to kernel headers 5.14

==== nfs-utils ====
Subpackages: libnfsidmap1 nfs-client nfs-kernel-server

- Add 0001-gssd-fix-crash-in-debug-message.patch
  Fix crash when rpc-gssd run with -v.
  (boo#1190144)

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-documentation patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-transactional_base patterns-base-x11 patterns-base-x11_enhanced

- Fix typo in the icon name for the fips pattern (bsc#1189550)

==== postgresql13 ====
Version update (13.3 -> 13.4)
Subpackages: libpq5 postgresql13-contrib postgresql13-docs postgresql13-llvmjit postgresql13-server

- bsc#1185952: fix build with llvm12 on s390x.
  0001-jit-Workaround-potential-datalayout-mismatch-on-s390.patch
- bsc#1179945: Re-enable icu for PostgreSQL 10.
- Upgrade to version 13.4:
  https://www.postgresql.org/docs/13/release-13-4.html
  * CVE-2021-3677 (boo#1189748)
    The planner could create an incorrect plan in cases where two
    ProjectionPaths were stacked on top of each other. The only
    known way to trigger that situation involves parallel sort
    operations, but there may be other instances. The result would
    be crashes or incorrect query results. Disclosure of server
    memory contents is also possible.
- bsc#1187751: Make the dependency of postgresqlXX-server-devel on
  llvm and clang optional (postgresql-llvm-optional.patch).

==== python-kiwi ====
Version update (9.23.49 -> 9.23.54)

- Bump version: 9.23.53 → 9.23.54
- Fixed condition for GRUB_DISABLE_LINUX_UUID="true"
  The grub config parameter GRUB_DISABLE_LINUX_UUID must only
  be set if the device persistence setting is not UUID. However,
  in kiwi UUID device names are the default and don't have to
  be expressed explicitly. Therefore the condition to check for
  different than 'by-uuid' is wrong for the default case where
  no device persistence setting exists. This results in a wrong
  grub option to be set.
  This commit fixes it in a way to disable
  UUID device names in grub if the only other device persistency
  setting in kiwi named: 'by-label' is explicitly configured.
  This Fixes #1842
- Added force_trailing_slash argument to sync_data
  A speciality of the rsync tool is that it behaves differently
  if the given source_dir ends with a '/' or not. If it ends
  with a slash the data structure below will be synced to the
  target_dir. If it does not end with a slash the source_dir
  and its contents are synced to the target_dir. For example:

  source
  └── some_data

  1. $ rsync -a source target

  target
  └── source
      └── some_data

  2. $ rsync -a source/ target

  target
  └── some_data

  The parameter force_trailing_slash in the DataSync::sync_data
  method can be used to make sure rsync behaves like shown in
  the second case. This Fixes #1786
- Added type hints for DataSync class
- Bump version: 9.23.52 → 9.23.53
- Add missing bootloader tests
  Merging #1850 exposed the missing bootloader tests. This
  reminds me to move the gitlab driven unit tests to github
  actions because for forked repos the gitlab tests do not
  run but github actions tests would run
- Fix logging of ISO publisher
- Improving text formatting
- Added documentation for grub2 loopback ISO images
- Bump version: 9.23.51 → 9.23.52
- Fixed pep E711 code smell
  comparison to None should be 'if cond is not None:'
- Bump version: 9.23.50 → 9.23.51
- No compression with encryption
  When an image is set up to use encryption the resulting image
  appears as a random stream of bytes and cannot be compressed.
  Simply skip the compression in this case.
- Fix typo in schema documentation
  ciper -> cipher.
  Fix originally done by Robert Schweikert and moved
  to the right place, see Issue #1906 for details
- Allow target dir for archive
  - Add the option to specify a target directory to unpack the archive
  - Update doc for target dir attribute
  This Fixes #1794
- Log deprecation errors to stderr
  Make sure information about deprecated shell methods logs
  their information to stderr. This will cause the error message
  to be exposed to the user and not only in the log file
- Fixed TW build test
  Explicitly added packages that cause conflicts due to
  the busybox alternatives
- Bump version: 9.23.49 → 9.23.50
- Added support for repo customization script
  repo files allow for several customization options which
  could not be set by kiwi through the current repository schema.
  As the options used do not follow any standard and are not
  compatible between package managers and distributions the
  only generic way to handle this is through a script which
  is invoked with the repo file as parameter for each file
  created to describe a repo for the selected package manager.
  This allows users to update/change the repo file content
  on their individual needs. In the kiwi description the
  path to the custom script can be specified as follows

  <repository ... customize="/path/to/custom_script">
      <source path="..."/>
  </repository>

  This Fixes #1896

==== python-mysqlclient ====

- Add liberally-accept-charsets.patch:
  * Support multibyte utf8 return values with new versions of
    MariaDB.

==== tuned ====
Version update (2.15.0+git.1625694366.bc3f737 -> 2.16.0)

- Update to version 2.16.0:
  * bootloader: make skip_grub_config consistent with initrd_remove_dir

==== util-linux ====
Subpackages: libblkid1 libblkid1-32bit libfdisk1 libmount1 libmount1-32bit libsmartcols1 libuuid-devel libuuid1 libuuid1-32bit util-linux-lang

- Remove the raw utility altogether, as it is not even built any
  more with glibc >=2.34.

==== util-linux-systemd ====

- Remove the raw utility altogether, as it is not even built any
  more with glibc >=2.34.
- login.pamd: use pam_motd to unify motd handling [bsc#1185897].
  Else motd snippets of e.g. cockpit will not be shown.

==== virtualbox ====
Subpackages: virtualbox-guest-tools virtualbox-guest-x11

- Add file "fixes-for-5.15.patch" to fix builds on kernel 5.15.

==== virtualbox-kmp ====

- Add file "fixes-for-5.15.patch" to fix builds on kernel 5.15.