Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20240209

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  SDL2 (2.28.5 -> 2.30.0)
  c-ares (1.20.1 -> 1.26.0)
  distribution-logos-openSUSE (20230921 -> 20240207)
  fwupd (1.9.12 -> 1.9.13)
  gstreamer-plugins-bad
  libzypp (17.31.28 -> 17.31.31)
  lzip (1.23 -> 1.24)
  man
  numactl (2.0.17.8.g67984e5 -> 2.0.18.0.g3871b1c)
  polkit-default-privs (1550+20231213.09963a4 -> 1550+20240207.d833f4b)
  postgresql
  postgresql16 (16.1 -> 16.2)
  pulseaudio (16.1 -> 17.0)
  python-mysqlclient (2.2.1 -> 2.2.4)
  python-typing_extensions
  selinux-policy (20240116 -> 20240205)
  yast2-network (5.0.1 -> 5.0.2)

=== Details ===

==== SDL2 ====
Version update (2.28.5 -> 2.30.0)

- Update to release 2.30
  * Added support for 2 bits-per-pixel indexed surface formats.
  * Added the function SDL_GameControllerGetSteamHandle() to get the
    Steam API handle for a controller, if available.
  * Added the event SDL_CONTROLLERSTEAMHANDLEUPDATED which is sent
    when the Steam API handle for a controller changes. This could
    also change the name, VID, and PID of the controller.
  * Added the environment variable SDL_LOGGING to control default log
    output.

==== c-ares ====
Version update (1.20.1 -> 1.26.0)

- Ensure multibuild flavors result in different src names.
- c-ares 1.26.0:
  * Event Thread support. Integrators are no longer required to
    monitor the file descriptors registered by c-ares for events and
    call ares_process() when enabling the event thread feature via
    ARES_OPT_EVENT_THREAD passed to ares_init_options().
  * Added flags to ares_dns_parse() to force RAW packet parsing
  * Mark ares_fds() as deprecated
  * Bug fixes
- move tests into a build flavor to avoid gtest/gmock build loop
- Update to version 1.25
  Changes:
  o Rewrite ares_strsplit() as a wrapper for ares__buf_split() for
    memory safety reasons.
  o The ahost utility now uses ares_getaddrinfo() and returns both
    IPv4 and IPv6 addresses by default.
  Bug Fixes:
  o Tests: Live reverse lookups for Google's public DNS servers no
    longer return results, replace with CloudFlare public DNS servers.
  o Connection failures should increment the server failure count
    first or a retry might be enqueued to the same server
  o On systems that don't implement the ability to enumerate network
    interfaces the stubs used the wrong prototype.
  o Fix minor warnings and documentation typos
  o Fix support for older GoogleTest versions
  o getrandom() may require sys/random.h on some systems.
  o Fix building tests with symbol hiding enabled.
- 0001-Use-RPM-compiler-options.patch: dropped, obsolete
- Update to version 1.24
  Features:
  * Add support for IPv6 link-local DNS servers. Nameserver formats
    can now accept the %iface suffix, and a new
    ares_get_servers_csv() function was added to return servers that
    can contain the link-local interface name.
  Changes:
  * Unbundle GoogleTest for test cases. Package maintainers will now
    need to require GoogleTest (GMock) as a build dependency if
    building tests. New GoogleTest versions require C++14 or later.
  * Replace nameserver parsing code to use new memory-safe functions.
  * Replace the sortlist parser with new memory-safe functions.
  * Various warning fixes and dead code removal.
  Bugfixes:
  * Old Linux versions require POSIX_C_SOURCE or _GNU_SOURCE to
    compile with thread safety support
  * A non-responsive DNS server that caused timeouts wouldn't
    increment the failure count, this would lead to other servers not
    being tried.
    Regression introduced in 1.22.0
  * Some projects that depend on c-ares expect invalid parameter
    option values passed into ares_init_options() to simply be
    ignored. This behavior has been restored
  * getrandom() can fail if the kernel doesn't support the syscall,
    fall back to another random source
  * ares_cancel() when performing ares_gethostbyname() or
    ares_getaddrinfo() with AF_UNSPEC, if called after one address
    class was returned but before the other address class, it would
    return ARES_SUCCESS rather than ARES_ECANCELLED
- disable-live-tests.patch: dropped, not needed
- Update to version 1.23
  Features:
  * Introduce optional (but on by default) thread-safety for the
    c-ares library. This has no API nor ABI implications.
  * resolv.conf in modern systems uses attempts and timeouts options
    instead of the old retrans and retry options.
  * Query caching support based on TTL of responses. Can be enabled
    via ares_init_options() with ARES_OPT_QUERY_CACHE.
  Bugfixes:
  * ares_init_options() for ARES_OPT_UDP_PORT and ARES_OPT_TCP_PORT
    accept the port in host byte order, but it was reading it as
    network byte order. Regression introduced in 1.20.0.
  * ares_init_options() for ARES_FLAG_NOSEARCH was not being honored
    for ares_getaddrinfo() or ares_gethostbyname(). Regression
    introduced in 1.16.0.
  * Autotools MacOS and iOS version check was failing
  * Environment variables passed to c-ares are meant to be an
    override for system configuration. Regression introduced in
    1.22.0.
  * Spelling fixes as detected by codespell.
  * The timeout returned by ares_timeout() was truncated to
    milliseconds but validated to microseconds which could cause a
    user to attempt to process timeouts prior to the timeout actually
    expiring.
  * CMake was not honoring CXXFLAGS passed in via the environment
    which could cause compile and link errors with distribution
    hardening flags during packaging.
  * Fix Windows UWP and Cygwin compilation.
  * ares_set_servers_*() for legacy reasons needs to accept an empty
    server list and zero out all servers.
    This results in an inoperable channel and thus is only used in
    simulation testing, but we don't want to break users. Regression
    introduced in 1.21.0.
  Changes in version 1.22.1
  Bugfixes:
  * Fix /etc/hosts processing performance with all entries using same
    IP address. Large hosts files using the same IP address for all
    entries could use exponential time.
  * Fix typos in manpages
  * Fix OpenWatcom building
  Changes in version 1.22.0
  Features:
  * ares_reinit() is now implemented to re-read any system
    configuration and immediately apply to an existing ares channel
  * The adig command line program has been rewritten and its format
    now more closely matches that of BIND's dig utility
  * The new DNS message parser and writer functions have now been
    made public
  * RFC9460 HTTPS and SVCB records are now supported
  * RFC6698 TLSA records are now supported
  * The server list is now internally dynamic and can be changed
    without impacting existing queries
  * Hosts file processing is now cached until the file is detected to
    be changed to speed up repetitive lookups of large hosts files
  Changes:
  * Internally all DNS messages are now written using the new DNS
    writing functions
  * EDNS is now enabled by default
  * Internal cleanups in function prototypes
  Bugfixes:
  * Randomize retry penalties to prevent thundering herd issues when
    dns servers throttle requests
  * Fix Windows build error for missing if_indextoname()
- update to 1.21.0:
  * Replace multiple DNS hand-made parsers with new memory-safe DNS
    message parser
  * developer visible changes and bug fixes

==== distribution-logos-openSUSE ====
Version update (20230921 -> 20240207)
Subpackages: distribution-logos-openSUSE-Tumbleweed distribution-logos-openSUSE-icons

- switch to a service using zstd
- list the source url
- Update Leap 15.6 branding poo#131666

==== fwupd ====
Version update (1.9.12 -> 1.9.13)
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0

- Update to version 1.9.13:
  + This release adds the following features:
    - Add a timer inhibit if
      the daemon took a long time to startup.
    - Add a concept of 'Test Mode' rather than enabling specific
      plugins.
    - Do not idle-quit the daemon if there is a connected D-Bus
      client.
  + This release fixes the following bugs:
    - Allow plugins to opt-out of the child-device first depsolve.
    - Allow setting multiple flags in LVFS::DeviceFlags.
    - Do not migrate config comments for removed keys.
    - Do not request the Advantech BMC to reboot.
    - Do not warn the user about ESP when using MBR.
    - Fix a critical warning when adding a PixArt wireless device.
    - Fix migration of legacy config files.
    - Only save config values to the mutable config file.
    - Parse DS-20 descriptors earlier in device setup.
    - Store the version format in the history database to fix offline
      reports.
    - Use the correct GUID for matching realtek-mst and
      parade-lspcon.
  + This release adds support for the following hardware:
    - GoodWay Acer Dock.

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Require libvpl only on supported architectures (x86_64 and aarch64)

==== libzypp ====
Version update (17.31.28 -> 17.31.31)

- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line output.
- version 17.31.31 (22)
- applydeltarpm: Create target directory if it does not exist
  (bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
  bsc#1215698)
- version 17.31.30 (22)
- CheckAccessDeleted: fix running_in_container detection
  (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
  (bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
  (openSUSE/zypper#522)
  This patch adds a mechanism to signal libzypp that a shutdown was
  requested, usually when CTRL+C was pressed by the user.
  Currently only the media backend will utilize this, but can be
  extended to all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
  Using curl_easy_perform does not give us the required control on
  when we want to cancel a download. Switching to the MultiCurl
  implementation with an external poll() event loop will give us much
  more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)

==== lzip ====
Version update (1.23 -> 1.24)

- Update to release 1.24
  * Added the command-line switches --empty-error and
    --marking-error
  * The option -o/--output now preserves dates, permissions, and
    ownership of the file when (de)compressing exactly one file.
  * The option -o/--output now creates missing intermediate
    directories when writing to a file.

==== man ====

- Make lua scriptlets more failsafe (boo#1219370)

==== numactl ====
Version update (2.0.17.8.g67984e5 -> 2.0.18.0.g3871b1c)
Subpackages: libnuma1

- Update to version 2.0.18.0.g3871b1c:
  * Increase version number to 2.0.18
  * man pages: fix table include preprocessor

==== polkit-default-privs ====
Version update (1550+20231213.09963a4 -> 1550+20240207.d833f4b)

- Update to version 1550+20240207.d833f4b:
  * profiles: remove no longer used device-rebind action

==== postgresql ====
Subpackages: postgresql-contrib postgresql-server

- bsc#1219340: Require fillup.

==== postgresql16 ====
Version update (16.1 -> 16.2)
Subpackages: libpq5 postgresql16-contrib postgresql16-server

- Upgrade to 16.2:
  * bsc#1219679, CVE-2024-0985: Tighten security restrictions within
    REFRESH MATERIALIZED VIEW CONCURRENTLY.
    One step of a concurrent refresh command was run under weak
    security restrictions. If a materialized view's owner could
    persuade a superuser or other high-privileged user to perform a
    concurrent refresh on that view, the view's owner could control
    code executed with the privileges of the user running REFRESH.
    Fix things so that all user-determined code is run as the view's
    owner, as expected
  * If you use GIN indexes, you may need to reindex after updating to
    this release.
  * LLVM 18 is now supported.
  * https://www.postgresql.org/docs/release/16.2/

==== pulseaudio ====
Version update (16.1 -> 17.0)
Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-setup pulseaudio-utils system-user-pulse

- Update to version 17.0:
  * Updates to ALSA UCM-based setups
  * Battery level indication to Bluetooth devices
  * Support for the Bluetooth FastStream codec
  * webrtc-audio-processing dependency updated
  * Trigger role groups added to module-role-cork
  * XDG base directory spec for profile-set loading
  * PA_RATE_MAX increased
  * webrtc-audio-processing dependency updated
  For details, see:
  https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/17.0/
- Drop obsoleted patches:
  echo-cancel-add-webrtc-AEC3-support.patch
  build-sys-Bump-cpp_std-to-c-17.patch
  build-sys-Bump-webrtc-audio-processing-dependency.patch

==== python-mysqlclient ====
Version update (2.2.1 -> 2.2.4)

- update to 2.2.4:
  * Support ssl=True in connect().

==== python-typing_extensions ====

- Add backport-recent-implementation-of-protocol.patch upstream patch
  gh#python/typing_extensions@004b893ddce2

==== selinux-policy ====
Version update (20240116 -> 20240205)
Subpackages: selinux-policy-targeted

- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs
    is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram
    socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint
    attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs
    directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm
    is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with
    semanage_exec_t
  * Allow winbind_rpcd_t processes access when samba_export_all_* is
    on
  * Enable NetworkManager and dhclient to use initramfs-configured
    DHCP connection
  * Allow ntp to bind and connect to ntske port.

==== yast2-network ====
Version update (5.0.1 -> 5.0.2)

- Consider firmware configured interfaces as non bridgeable
  (bsc#1218595).
- 5.0.2