Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20240829

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  ImageMagick (7.1.1.36 -> 7.1.1.37)
  emacs
  ffmpeg-4
  libaom (3.7.1 -> 3.7.2)
  libdrm (2.4.122 -> 2.4.123)
  ncurses (6.5.20240817 -> 6.5.20240824)
  openSUSE-release (20240828 -> 20240829)
  openssh (9.6p1 -> 9.8p1)
  openssh-askpass-gnome (9.6p1 -> 9.8p1)
  patterns-base
  perl-Net-DNS (1.450.0 -> 1.460.0)
  python-pip (24.0 -> 24.2)
  python-setuptools (70.1.1 -> 72.1.0)
  selinux-policy (20240823 -> 20240828)
  systemd-presets-common-SUSE
  wicked

=== Details ===

==== ImageMagick ====
Version update (7.1.1.36 -> 7.1.1.37)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.1.37
  * Bump azure/trusted-signing-action from 0.3.20 to 0.4.0 #7518
  * Silence warning and fix HEIC_COMPUTE_NUMERIC_VERSION definition
    when heic delegate is disabled. #7516
  * protect macro arguments with parens 86cb2b1
  * eliminate compiler warnings d90d8b4
  * correct copyright year 115271e
  * Ignore multiple exif and xmp profiles for the same jxl frame and
    fix reading those profiles per frame. c301208
  * read/write in chunks fff3058
  * optimize fwrite() arguments ada6785
  * Renamed Output folder to Artifacts. 2a69677
  * cancel interactive window selection with right button press ea2a2db
  * cosmetic 712bde4
  * eliminate compiler warning 9a9a25c
  * eliminate compiler warning 0bd1687
  * Make images mandatory in the issue template. c01fd37
  * Added extra header detection for avif files. 9fc0590
  * allow SeekBlob() to set an offset beyond the end of the blob 27c3f99
  * be less forgiving for invalid image indexes 25db2e5
  * Fixed problem with empty macros (#7562) 9fda5f2
  * Added missing null checks for RequestOpenCLDevice. f85448e
  * Added missing null check for AcquireOpenCLCommandQueue. 295e9c8
  * persist app1 jpeg profile (ImageMagick/ImageMagick#4713) f0357c7
  * Fixed build error. b3dd431
  * Remove some of the dependencies for the macos-13 build. d0bce95
  * parentheses is the plural of parenthesis 1fac80a
  * distribute quantization error for -dither FloydSteinberg -depth 5b2825b
  * release 8a0da9f
  * properly set image byte order 40f6599
  * set max colormap size for remap 1ffe565

==== emacs ====
Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags

- flymake-tests fails with gcc14 on 32bit architectures
  ... therefore use gcc13 here

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
  [boo#1229338]

==== libaom ====
Version update (3.7.1 -> 3.7.2)

- Exclude third_party from obscpio
- Update to version 3.7.2:
  * aomedia:3520: get_cubic_kernel_dbl: Assertion `0 <= x && x < 1'
    failed.
  * aomedia:3526: alloc_compressor_data() is called during every
    aom_codec_control() call on the encoder. Note that this partially
    reverts the fix for bug aomedia:3349.
  * b/310457427 and b/310766628: Only use rec_sse in CBR mode.

==== libdrm ====
Version update (2.4.122 -> 2.4.123)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1

- update to 2.4.123
  * amdgpu: add new marketing names
  * amdgpu: add new marketing names
  * Convert to Android.bp
  * libs: Tie DSO minor versions to libdrm version
  * readdir_r is deprecated.
  * Fix FTBS on undefined clock_gettime() and asprintf()
  * Export include dirs with -isystem
  * Makes libdrm available on host
  * Adds libdrm_headers
  * Make libdrm recovery_available
  * add crosvm to com.android.virt
  * Enable GPU in crosvm
  * Android.bp: Add include exports for android dir
  * Disable ioctl signed overload for Bionic libc
  * build: bump version to 2.4.123
  * Delete all Makefile.sources files
  * tests: Make modetest and proptest cc_binary in Android.bp

==== ncurses ====
Version update (6.5.20240817 -> 6.5.20240824)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20240824
  + modify infocmp and tabs to use actual name in usage and header.
  + modify test/demo_keyok.c to accept ^Q for quit, for consistency.
- Break dependency cycle between libncurses6 which provides "ncurses"
  by only letting terminfo-base recommend "ncurses"

==== openSUSE-release ====
Version update (20240828 -> 20240829)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Version update (9.6p1 -> 9.8p1)
Subpackages: openssh-clients openssh-common openssh-server

- Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.
- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch
- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.

    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
    the maximum the server will accept. Exploitation on 64-bit
    systems is believed to be possible but has not been
    demonstrated at this time. It's likely that these attacks will
    be improved upon.

    Exploitation on non-glibc systems is conceivable but has not
    been examined. Systems that lack ASLR or users of downstream
    Linux distributions that have modified OpenSSH to disable
    per-connection ASLR re-randomisation (yes - this is a thing,
    no - we don't understand why) may potentially have an easier
    path to exploitation. OpenBSD is not vulnerable.

    We thank the Qualys Security Advisory Team for discovering,
    reporting and demonstrating exploitability of this problem, and
    for providing detailed feedback on additional mitigation
    measures.
  * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
    CVE-2024-39894).
    In OpenSSH version 9.5 through 9.7 (inclusive), when connected
    to an OpenSSH server version 9.5 or later, a logic error in the
    ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
    this feature ineffective - a passive observer could still
    detect which network packets contained real keystrokes when the
    countermeasure was active because both fake and real keystroke
    packets were being sent unconditionally.
    This bug was found by Philippos Giavridis and also
    independently by Jacky Wei En Kung, Daniel Hugenroth and
    Alastair Beresford of the University of Cambridge Computer Lab.

    Worse, the unconditional sending of both fake and real
    keystroke packets broke another long-standing timing attack
    mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystroke
    echo packets for traffic received on TTYs in echo-off mode,
    such as when entering a password into su(8) or sudo(8). This
    bug rendered these fake keystroke echoes ineffective and could
    allow a passive observer of a SSH session to once again detect
    when echo was off and obtain fairly limited timing information
    about keystrokes in this situation (20ms granularity by
    default).

    This additional implication of the bug was identified by Jacky
    Wei En Kung, Daniel Hugenroth and Alastair Beresford and we
    thank them for their detailed analysis.

    This bug does not affect connections when
    ObscureKeystrokeTiming was disabled or sessions where no TTY
    was requested.
  = Future deprecation notice
  * OpenSSH plans to remove support for the DSA signature algorithm
    in early 2025. This release disables DSA by default at compile
    time.

    DSA, as specified in the SSHv2 protocol, is inherently weak -
    being limited to a 160 bit private key and use of the SHA1
    digest. Its estimated security level is only 80 bits symmetric
    equivalent.

    OpenSSH has disabled DSA keys by default since 2015 but has
    retained run-time optional support for them. DSA was the only
    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
    because alternative algorithms were encumbered by patents when
    the SSHv2 protocol was specified.

    This has not been the case for decades at this point and better
    algorithms are well supported by all actively-maintained SSH
    implementations. We do not consider the costs of maintaining
    DSA in OpenSSH to be justified and hope that removing it from
    OpenSSH can accelerate its wider deprecation in supporting
    cryptography libraries.
    This release, and its deactivation of DSA by default at
    compile-time, marks the second step in our timeline to finally
    deprecate DSA. The final step of removing DSA support entirely
    is planned for the first OpenSSH release of 2025.

    DSA support may be re-enabled in OpenBSD by setting
    "DSAKEY=yes" in Makefile.inc. To enable DSA support in portable
    OpenSSH, pass the "--enable-dsa-keys" option to configure.
  = Potentially-incompatible changes
  * all: as mentioned above, the DSA signature algorithm is now
    disabled at compile time.
  * sshd(8): the server will now block client addresses that
    repeatedly fail authentication, repeatedly connect without ever
    completing authentication or that crash the server. See the
... changelog too long, skipping 181 lines ...
    add "VSOCK VirtIO").

==== openssh-askpass-gnome ====
Version update (9.6p1 -> 9.8p1)

- Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for
    details.

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-transactional_base patterns-base-x11 patterns-base-x11_enhanced

- Move suggests for libz1 from patterns-base-base to
  patterns-base-minimal_base: be nicer with CI consumers.

==== perl-Net-DNS ====
Version update (1.450.0 -> 1.460.0)

- updated to 1.460.0 (1.46)
  see /usr/share/doc/packages/perl-Net-DNS/Changes

==== python-pip ====
Version update (24.0 -> 24.2)

- update to 24.2:
  * Deprecate pip install --editable falling back to setup.py
    develop when using a setuptools version that does not support
    PEP 660 (setuptools v63 and older).
  * Check unsupported packages for the current platform. (#11054)
  * Check unsupported packages for the current platform.
  * Use system certificates and certifi certificates to verify
    HTTPS connections on Python 3.10+.
    Python 3.9 and earlier only use certifi. To revert to previous
    behaviour, pass the flag --use-deprecated=legacy-certs. (#11647)
  * Use system certificates and certifi certificates to verify
    HTTPS connections on Python 3.10+. Python 3.9 and earlier only
    use certifi.
  * To revert to previous behaviour, pass the flag
    --use-deprecated=legacy-certs.
  * Improve discovery performance of installed packages when the
    importlib.metadata backend is used to load distribution
    metadata (used by default under Python 3.11+). (#12656)
  * Improve discovery performance of installed packages when the
    importlib.metadata backend is used to load distribution
    metadata (used by default under Python 3.11+).
  * Improve performance when the same requirement string appears
    many times during resolution, by consistently caching the
    parsed requirement string. (#12663)
  * Improve performance when the same requirement string appears
    many times during resolution, by consistently caching the
    parsed requirement string.
  * Minor performance improvement of finding applicable package
    candidates by not repeatedly calculating their versions
    (#12664)
  * Minor performance improvement of finding applicable package
    candidates by not repeatedly calculating their versions
  * Disable pip's self version check when invoking a pip
    subprocess to install PEP 517 build requirements. (#12683)
  * Disable pip's self version check when invoking a pip
    subprocess to install PEP 517 build requirements.
  * Improve dependency resolution performance by caching platform
    compatibility tags during wheel cache lookup. (#12712)
  * Improve dependency resolution performance by caching platform
    compatibility tags during wheel cache lookup.
  * wheel is no longer explicitly listed as a build dependency of
    pip. setuptools injects this dependency in the
    get_requires_for_build_wheel() hook and no longer needs it on
    newer versions. (#12728)
  * wheel is no longer explicitly listed as a build dependency of
    pip.
    setuptools injects this dependency in the
    get_requires_for_build_wheel() hook and no longer needs it on
    newer versions.
  * Ignore --require-virtualenv for pip check and pip freeze
    (#12842)
  * Ignore --require-virtualenv for pip check and pip freeze
  * Improve package download and install performance. Increase
    chunk sizes when downloading (256 kB, up from 10 kB) and
    reading files (1 MB, up from 8 kB). This reduces the frequency
    of updates to pip's progress bar. (#12810)
  * Improve package download and install performance.
  * Increase chunk sizes when downloading (256 kB, up from 10 kB)
    and reading files (1 MB, up from 8 kB). This reduces the
    frequency of updates to pip's progress bar.
  * Improve pip install performance. Files are now extracted in
    1MB blocks, or in one block matching the file size for smaller
    files. A decompressor is no longer instantiated when
    extracting 0 bytes files, it is not necessary because there is
    no data to decompress. (#12803)
  * Improve pip install performance.
  * Files are now extracted in 1MB blocks, or in one block
    matching the file size for smaller files. A decompressor is no
    longer instantiated when extracting 0 bytes files, it is not
    necessary because there is no data to decompress.
  * Set no_color to global rich.Console instance.
  * Fix resolution to respect --python-version when checking
    Requires-Python.
  * Perform hash comparisons in a case-insensitive manner.
  * Avoid dlopen failure for glibc detection in musl builds
  * Avoid keyring logging crashes when pip is run in verbose mode.
  * Fix finding hardlink targets in tar files with an ignored
    top-level directory.
  * Improve pip install performance by only creating required
    parent directories once, instead of before extracting every
    file in the wheel.
  * Improve pip install performance by calculating installed
    packages printout in linear time instead of quadratic time.
  * Remove vendored tenacity.
  * Update the preload list for the DEBUNDLED case, to replace
    pep517 that has been renamed to pyproject_hooks.
  * Use tomllib from the stdlib if available, rather than tomli
  * Upgrade certifi to 2024.7.4
  * Upgrade platformdirs to 4.2.2
  * Upgrade pygments to 2.18.0
  * Upgrade setuptools to 70.3.0
  * Upgrade typing_extensions to 4.12.2
  * Correct —ignore-conflicts (including an em dash) to
    --ignore-conflicts.
  * Fix finding hardlink targets in tar files with an ignored
    top-level directory.
- add disable-ssl-context-in-buildenv.patch: treat missing
  ca-certificates as "ssl not available" for buildenvs
- update to 24.1.1:
... changelog too long, skipping 51 lines ...
  variables.

==== python-setuptools ====
Version update (70.1.1 -> 72.1.0)

- Update to 72.1.0:
  * Restore the tests command and deprecate access to the module.
  * Added return types to typed public functions.
  * Removed lingering unused code around
    Distribution._patched_dist.
  * Reset the backports module when enabling vendored packages.
  * Include all vendored files in the sdist.
  * Restored package data that went missing in 71.0. This change
    also incidentally causes tests to be installed once again.
  * Now setuptools declares its own dependencies in the core
    extra. Dependencies are still vendored for bootstrapping
    purposes, but setuptools will prefer installed dependencies if
    present. The core extra is used for informational purposes and
    should *not* be declared in package metadata (e.g.
    build-requires).
  * Support for loading distutils from the standard library is now
    deprecated, including use of SETUPTOOLS_USE_DISTUTILS=stdlib
    and importing distutils before importing setuptools.
  * Fix distribution name normalisation for valid versions that
    are not canonical (e.g. 1.0-2).

==== selinux-policy ====
Version update (20240823 -> 20240828)
Subpackages: selinux-policy-targeted

- Update to version 20240828:
  * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)

==== systemd-presets-common-SUSE ====

- Enable soft-reboot-cleanup.service to make soft-reboot possible
  with container and/or firewalld.

==== wicked ====
Subpackages: wicked-service

- systemd: Fix wicked start failures because of dependency issue.
  With the change to dbus-broker, wicked has to trigger dbus
  service start. Use BindsTo= in favor of Requisite=
  (bsc#1229745,gh#openSUSE/wicked#1032, gh#openSUSE/wicked#1033).
  [+ 0002-systemd-use-Bindsto-in-favor-of-Requisite-bsc-1229745.patch]
- compat-suse: fix dummy interfaces configuration with
  INTERFACETYPE=dummy (boo#1229555, gh#openSUSE/wicked#1031)
  [+ 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch]