Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version... Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: 389-ds (3.0.1~git39.e24615f -> 3.1.1~git0.aef1668) MozillaFirefox (128.0 -> 128.0.3) coreutils coreutils-systemd git (2.45.2 -> 2.46.0) libX11 (1.8.9 -> 1.8.10) libzypp (17.35.1 -> 17.35.6) openSUSE-release (20240730 -> 20240731) p11-kit perl-Bootloader (1.13 -> 1.14) python-cryptography (42.0.8 -> 43.0.0) python-pycairo (1.26.0 -> 1.26.1) python311 python311-core systemd-presets-branding-Aeon sysuser-tools (3.2 -> 3.3) === Details === ==== 389-ds ==== Version update (3.0.1~git39.e24615f -> 3.1.1~git0.aef1668) Subpackages: lib389 libsvrcore0 - Update to version 3.1.1~git0.aef1668: * Bump version to 3.1.1 * Issue 6256 - nsslapd-numlisteners limit is not enforced (#6257) * Issue 5327 - Fix test metadata * Security fix for CVE-2024-6237 * Security fix for CVE-2024-5953 * Security fix for CVE-2024-3657 * Security fix for CVE-2024-2199 * Issue 6256 - nsslapd-numlisteners limit is not enforced * Issue 6265 - lmdb - missing entries in range searches (#6266) * Issue 5853 - Update Cargo.lock * Bump openssl from 0.10.64 to 0.10.66 in /src * Issue 6245 - Revert __COVERITY__ ifndef (#6268) * Issue 6248 - fix fanalyzer warnings (#6253) * Issue 6238 - Fix test_audit_json_logging CI test regression (#6264) * Issue 6254 - Enabling replication for a sub suffix crashes browser (#6255) * Issue 6155 - ldap-agent fails to start because of permission error (#6179) * Issue 6238 - RFE - add option to write audit log in JSON format * Issue 6216 - CI test_fast_slow_import sometime fail (#6247) * Issue 6245 - covscan fixes (#6246) * Issue 6241 - Add support for CRYPT-YESCRYPT (#6242) * Issue 6229 - After an initial failure, subsequent online backups fail (#6230) * Issue 6236 - rpm: fix compatibility with RPM 4.20 * Issue 6227 - dsconf schema does not show inChain matching rule (#6228) * Issue 6233 - CI test wait_for_async_feature_test sometime fails (#6234) * Bump ws from 7.5.9 to 7.5.10 in /src/cockpit/389-console * Issue 6224 - d2entry - Could not open id2entry err 0 - at startup when having sub-suffixes (#6225) * Issue 6222 - CI test acl/test_timeofday_keyword sometime fails (#6223) * Issue 6120 - /usr/lib64/dirsrv/plugins/libback-bdb.so has an invalid-looking DT_RPATH: /usr/lib/dirsrv * Issue 5772 - ONE LEVEL search fails to return sub-suffixes (#6219) * Issue 6183 - Slow ldif2db import on a newly created BDB backend (#6208) * Issue 6207 - Random crash in test_long_rdn CI test (#6215) * Bump braces from 3.0.2 to 3.0.3 in /src/cockpit/389-console * Issue 6191 - Node.js 16 actions are deprecated * Issue 6199 - unprotected search query during certificate based authentication (#6205) * Issue 6200 - Disable WebUI CI tests * Issue 6192 - Test failure: test_match_large_valueset * Issue 6181 - RFE - Allow system to manage uid/gid at startup * Issue 6188 - Add nsslapd-haproxy-trusted-ip to cn=schema (#6201) * Issue 6181 - RFE - Allow system to manage uid/gid at startup (#6182) * Issue 6170 - audit log buffering doesn't handle large updates * Issue 6193 - Test failure: test_tls_command_returns_error_text * Issue 6177 - Spec file cleanup * Issue 6189 - CI tests fail with `[Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid'` * Issue 6175 - Referential integrity plugin - in referint_thread_func does not handle null from ldap_utf8strtok (#6168) * Change default salt sizes generated in crypt_pwd (#6185) * Issue 6123 - Allow DNA plugin to reuse global config for bind method and connection protocol (#6124) * Issue 6159 - Add a test to check URP add and delete conflict (#6160) * Issue 6151 - Use %bcond macro for conditional builds in the spec file * Issue 6172 - RFE: improve the performance of evaluation of filter component when tested against a large valueset (like group members) (#6173) * Bump version to 3.1.0 * fix issue6165 (#6167) ==== MozillaFirefox ==== Version update (128.0 -> 128.0.3) Subpackages: MozillaFirefox-translations-common - Firefox 128.0.3 Release * Fixed: Fixed an issue causing some sites to not load when connecting via HTTP/2. (bmo#1908161, bmo#1909666) * Fixed: Fixed collapsed table rows not appearing when expected in some situations. (bmo#1907789) * Fixed: Fixed the Windows on-screen keyboard potentially concealing the webpage when displayed. (bmo#1907766) - Firefox 128.0.2 Release * Fixed: Fixed an audio echo in video calls on macOS under certain conditions. (bmo#1908539) * Fixed: Fixed an issue where the Adguard extension popup was not displaying. (bmo#1906132) * Fixed: Fixed an issue causing some screen readers to fail to read when navigating by character in rich text editors. (Bug 1905021) * Fixed: Fixed visual glitches when dark mode is enabled in Windows ARM devices. (bmo#1897444) * Fixed: Fixed an issue causing NTLM authentication failure. (bmo#1908115) * Fixed: Fixed an issue where content displayed on mouseover was not captured in a screenshot. (bmo#1905468) * Fixed: Various stability fixes. - renamed firefox-3781e3117706.patch to mozilla-bmo1905018.patch to conform with patch structure and naming for the package ==== coreutils ==== Subpackages: coreutils-lang - Avoid empty scriptlets ==== coreutils-systemd ==== - Avoid empty scriptlets ==== git ==== Version update (2.45.2 -> 2.46.0) Subpackages: git-core git-email git-svn git-web perl-Git - update to 2.46.0 UI, Workflows & Features * The "--rfc" option of "git format-patch" learned to take an optional string value to be used in place of "RFC" to tweak the "[PATCH]" on the subject header. * The credential helper protocol, together with the HTTP layer, have been enhanced to support authentication schemes different from username & password pair, like Bearer and NTLM. * Command line completion script (in contrib/) learned to complete "git symbolic-ref" a bit better (you need to enable plumbing commands to be completed with GIT_COMPLETION_SHOW_ALL_COMMANDS). * When the user responds to a prompt given by "git add -p" with an unsupported command, list of available commands were given, which was too much if the user knew what they wanted to type but merely made a typo. Now the user gets a much shorter error message. * The color parsing code learned to handle 12-bit RGB colors, spelled as "#RGB" (in addition to "#RRGGBB" that is already supported). * The operation mode options (like "--get") the "git config" command uses have been deprecated and replaced with subcommands (like "git config get"). * "git tag" learned the "--trailer" option to futz with the trailers in the same way as "git commit" does. * A new global "--no-advice" option can be used to disable all advice messages, which is meant to be used only in scripts. * Updates to symbolic refs can now be made as a part of ref transaction. * The trailer API has been reshuffled a bit. * Terminology to call various ref-like things are getting straightened out. * The command line completion script (in contrib/) has been adjusted to the recent update to "git config" that adopted subcommand based UI. * The knobs to tweak how reftable files are written have been made available as configuration variables. * When "git push" notices that the commit at the tip of the ref on the other side it is about to overwrite does not exist locally, it used to first try fetching it if the local repository is a partial clone. The command has been taught not to do so and immediately fail instead. * The promisor.quiet configuration knob can be set to true to make lazy fetching from promisor remotes silent. * The inter/range-diff output has been moved to the end of the patch when format-patch adds it to a single patch, instead of writing it before the patch text, to be consistent with what is done for a cover letter for a multi-patch series. * A new command has been added to migrate a repository that uses the files backend for its ref storage to use the reftable backend, with limitations. * "git diff --exit-code --ext-diff" learned to take the exit status of the external diff driver into account when deciding the exit status of the overall "git diff" invocation when configured to do so. * "git update-ref --stdin" learned to handle transactional updates of symbolic-refs. * "git format-patch --interdiff" for multi-patch series learned to turn on cover letters automatically (unless told never to enable cover letter with "--no-cover-letter" and such). * The "--heads" option of "ls-remote" and "show-ref" has been been deprecated; "--branches" replaces "--heads". * For over a year, setting add.interactive.useBuiltin configuration variable did nothing but giving a "this does not do anything" warning. The warning has been removed. * The http transport can now be told to send request with authentication material without first getting a 401 response. * A handful of entries are added to the GitFAQ document. * "git var GIT_SHELL_PATH" should report the path to the shell used to spawn external commands, but it didn't do so on Windows, which has been corrected. Performance, Internal Implementation, Development Support etc. * Advertise "git contacts", a tool for newcomers to find people to ask review for their patches, a bit more in our developer documentation. * In addition to building the objects needed, try to link the objects that are used in fuzzer tests, to make sure at least they build without bitrot, in Linux CI runs. * Code to write out reftable has seen some optimization and simplification. * Tests to ensure interoperability between reftable written by jgit and our code have been added and enabled in CI. * The singleton index_state instance "the_index" has been eliminated by always instantiating "the_repository" and replacing references to "the_index" with references to its .index member. * Git-GUI has a new maintainer, Johannes Sixt. * The "test-tool" has been taught to run testsuite tests in parallel, bypassing the need to use the "prove" tool. * The "whitespace check" task that was enabled for GitHub Actions CI has been ported to GitLab CI. * The refs API lost functions that implicitly assumes to work on the primary ref_store by forcing the callers to pass a ref_store as an argument. * Code clean-up to reduce inter-function communication inside builtin/config.c done via the use of global variables. * The pack bitmap code saw some clean-up to prepare for a follow-up topic. * Preliminary code clean-up for "git send-email". * The default "creation-factor" used by "git format-patch" has been raised to make it more aggressively find matching commits. * Before discovering the repository details, We used to assume SHA-1 as the "default" hash function, which has been corrected. Hopefully this will smoke out codepaths that rely on such an unwarranted ... changelog too long, skipping 230 lines ... (merge 616e94ca24 tb/doc-max-tree-depth-fix later to maint). ==== libX11 ==== Version update (1.8.9 -> 1.8.10) Subpackages: libX11-6 libX11-data libX11-xcb1 - Update to 1.8.10; this release includes: * Re-fix XIM input sometimes jumbled (#205, #206, #207, #208, !246) * Fix various static analysis errors (!250) * Add compose sequences for Arabic hamza (!218), Ezh (!221), and hryvnia currency (!259) * Make colormap private interfaces thread safe (#215, !254) * Fix deadlock in XRebindKeysym() (!256) * Assorted memory handling cleanups (!251, !258) * Restore VAX support still in use by NetBSD (!257) ==== libzypp ==== Version update (17.35.1 -> 17.35.6) - Export CredentialManager for legacy YAST versions (bsc#1228420) - version 17.35.6 (35) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. - version 17.35.5 (35) - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - version 17.35.4 (35) - Translation: updated .pot file. - Conflict with python zypp-plugin < 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - version 17.35.3 (35) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - version 17.35.2 (35) ==== openSUSE-release ==== Version update (20240730 -> 20240731) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== p11-kit ==== Subpackages: libp11-kit0 libp11-kit0-32bit p11-kit-tools - Added a backport of an upstream commit in p11-kit-d938f4a8a3a2.patch to avoid passing an incompatible pointer type to a function which is an error by default in GCC 14. ==== perl-Bootloader ==== Version update (1.13 -> 1.14) - merge gh#openSUSE/perl-bootloader#169 - support grub2-bls (bsc#1226676, bsc#1208135) - better config file reading - add check whether bootloader is supported - unit test output changed, adjust reference data - adjust GRUB_ENABLE_BLSCFG when setting grub2-bls - add config, install, add-kernel, remove-kernel for grub2-bls - support --default option for grub2* - unify cmdline parsing code and move to library - add missing options for bls conforming loaders - updated tests - unify test case names - adjust documentation - 1.14 ==== python-cryptography ==== Version update (42.0.8 -> 43.0.0) - update to 43.0.0: * BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e has been removed. Users on older version of OpenSSL will need to upgrade. * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.1. * Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generat e_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. * :func:`~cryptography.hazmat.primitives.serialization.pkcs7.se rialize_certificates` now emits ASN.1 that more closely follows the recommendations in RFC 2315. * Added new :doc:`/hazmat/decrepit/index` module which contains outdated and insecure cryptographic primitives. :class:`~cryp tography.hazmat.primitives.ciphers.algorithms.CAST5`, :class: `~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :c lass:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA `, and :class:`~cryptography.hazmat.primitives.ciphers.algori thms.Blowfish`, which were deprecated in 37.0.0, have been added to this module. They will be removed from the cipher module in 45.0.0. * Moved :class:`~cryptography.hazmat.primitives.ciphers.algorit hms.TripleDES` and :class:`~cryptography.hazmat.primitives.ci phers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the cipher module. They will be removed from the cipher module in 48.0.0. * Added support for deterministic :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` (RFC 6979) * Added support for client certificate verification to the :mod:`X.509 path validation <cryptography.x509.verification>` APIs in the form of :class:`~cryptography.x509.verification.ClientVerifier`, :class:`~cryptography.x509.verification.VerifiedClient`, and PolicyBuilder :meth:`~cryptography.x509.verification.PolicyBu ilder.build_client_verifier`. * Added Certificate :attr:`~cryptography.x509.Certificate.publi c_key_algorithm_oid` and Certificate Signing Request :attr:`~ cryptography.x509.CertificateSigningRequest.public_key_algori thm_oid` to determine the :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID` Object Identifier of the public key found inside the certificate. * Added :attr:`~cryptography.x509.InvalidityDate.invalidity_dat e_utc`, a timezone-aware alternative to the naïve datetime attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. * Added support for parsing empty DN string in :meth:`~cryptography.x509.Name.from_rfc4514_string`. * Added the following properties that return timezone-aware datetime objects: :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`, :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_u tc`, :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`, :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_ time_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleResponse. this_update_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleRe sponse.next_update_utc`, These are timezone-aware variants of existing properties that return naïve datetime objects. * Added :func:`~cryptography.hazmat.primitives.asymmetric.rsa.r sa_recover_private_exponent` * Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherCo ntext.reset_nonce` for altering the nonce of a cipher context without initializing a new instance. See the docs for additional restrictions. * :class:`~cryptography.x509.NameAttribute` now raises an exception when attempting to create a common name whose length is shorter or longer than RFC 5280 permits. * Added basic support for PKCS7 encryption (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkc s7.PKCS7EnvelopeBuilder`. - add use-offline-build.patch ==== python-pycairo ==== Version update (1.26.0 -> 1.26.1) - Update to 1.26.1 * Fix Surface.set_mime_data() with Python 3.13 :pr:`366` This also fixes the test suite with Python 3.13b2. * Update vendored Windows wheel dependencies :pr:`370` ==== python311 ==== Subpackages: python311-curses python311-dbm python311-x86-64-v3 - Remove %suse_update_desktop_file macro as it is not useful any more. - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883. - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). ==== python311-core ==== Subpackages: libpython3_11-1_0 libpython3_11-1_0-x86-64-v3 python311-base python311-base-x86-64-v3 - Remove %suse_update_desktop_file macro as it is not useful any more. - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883. - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). ==== systemd-presets-branding-Aeon ==== - Enable aeon-check.service (boo#1228416) ==== sysuser-tools ==== Version update (3.2 -> 3.3) - Allow setting of UID:GID for as defined in sysusers.d