Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20231127

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (119.0.1 -> 120.0)
  gstreamer-plugins-bad
  icewm (3.4.3 -> 3.4.4)
  inxi (3.3.27 -> 3.3.31)
  kyotocabinet (1.2.77 -> 1.2.80)
  libdrm (2.4.117 -> 2.4.118)
  nghttp2 (1.57.0 -> 1.58.0)
  opencc (1.1.6 -> 1.1.7)
  pam-config (2.9 -> 2.10)
  pipewire (0.3.85 -> 1.0.0)
  policycoreutils
  python-charset-normalizer (3.3.0 -> 3.3.2)
  python-lxml
  python-setproctitle (1.3.2 -> 1.3.3)
  restorecond
  tango-icon-theme
  tpm2-0-tss
  transmission (4.0.3 -> 4.0.4)
  usbutils (015 -> 017)
  wireplumber (0.4.15 -> 0.4.16)
  xwayland

=== Details ===

==== MozillaFirefox ====
Version update (119.0.1 -> 120.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 120.0
  https://www.mozilla.org/en-US/firefox/120.0/releasenotes
  MFSA 2023-49 (bsc#1217230)
  * CVE-2023-6204 (bmo#1841050)
    Out-of-bound memory access in WebGL2 blitFramebuffer
  * CVE-2023-6205 (bmo#1854076)
    Use-after-free in MessagePort::Entangled
  * CVE-2023-6206 (bmo#1857430)
    Clickjacking permission prompts using the fullscreen transition
  * CVE-2023-6207 (bmo#1861344)
    Use-after-free in ReadableByteStreamQueueEntry::Buffer
  * CVE-2023-6208 (bmo#1855345)
    Using Selection API would copy contents into X11 primary selection.
  * CVE-2023-6209 (bmo#1858570)
    Incorrect parsing of relative URLs starting with "///"
  * CVE-2023-6210 (bmo#1801501)
    Mixed-content resources not blocked in a javascript: pop-up
  * CVE-2023-6211 (bmo#1850200)
    Clickjacking to load insecure pages in HTTPS-only mode
  * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782)
    Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5
  * CVE-2023-6213 (bmo#1849265, bmo#1851118, bmo#1854911)
    Memory safety bugs fixed in Firefox 120
- rebased patches

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Stop passing sctp=disabled and pass sctp=enabled to meson setup instead, enable build of sctp plugin.

==== icewm ====
Version update (3.4.3 -> 3.4.4)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite

- update to 3.4.4:
  * Use fcsmart for capturing loadText data.
  * Support TIFF and WEBP in icewmbg.
  * More permissive parsing of a PAM image header in icesh.
  * Remove obsolete winoption examples and add one for plank.
  * Use --disable-librsvg instead of --disable-rsvg.
  * Add `supportsFormat` to check for support of additional image formats.
  * Support JXL, JP2, RAW, SVG, TGA image formats in icewmbg.
  * Test if a color can be considered dark for issue #715.
  * Brighten the color of inactive preview icons for dark themes for issue
  * Fix a crash when a ping timeout dialog is destroyed for issue #729.
  * Let icewmbg interpret command-line arguments relative to the current working directory.
  * Clarify prefoverride and closes #750
  * When mapping a client by PID, search for the best match.
  * Don't enforce the use of clang++ in the debug build.
  * Fix ordering in the 4th configuration
  * Fix minor warnings from recent CMake and GCC
  * Translated using Weblate (Portuguese (Brazil))

==== inxi ====
Version update (3.3.27 -> 3.3.31)

- Updated to version 3.3.31:
  + /usr/share/doc/packages/inxi/inxi.changelog.
- Updated spec file for new location of inxi at codeberg.org.

==== kyotocabinet ====
Version update (1.2.77 -> 1.2.80)

- update to 1.2.80:
  - configure.in supports strict C99 rules.
  - Fixed errors of kcdirtest on BtrFS.
  - Fixed build warnings.

==== libdrm ====
Version update (2.4.117 -> 2.4.118)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1

- update to 2.4.118:
  * improve SMPTE color LUT accuracy
  * util: factor out and optimize C8 SMPTE color LUT
  * util: add support for DRM_FORMAT_C[124]
  * util: store number of colors for indexed formats
  * util: add SMPTE pattern support for C4 format
  * util: add SMPTE pattern support for C1 format
  * util: add SMPTE pattern support for C2 format
  * modetest: add support for DRM_FORMAT_C[124]
  * modetest: add SMPTE pattern support for C[124] formats
  * intel: determine target endianness using meson
  * util: fix 32 bpp patterns on big-endian
  * util: fix 16 bpp patterns on big-endian
  * util: add missing big-endian RGB16 frame buffer formats
  * modetest: add support for parsing big-endian formats
  * util: add test pattern support for big-endian XRGB1555/RGB565
  * util: fix pwetty on big-endian
  * util: add pwetty support for big-endian RGB565
  * modetest: add support for big-endian XRGB1555/RGB565
  * modetest: add support for DRM_FORMAT_NV{15,20,30}
  * modetest: switch usage to proper options grammar
  * xf86drm: add drmGetNodeTypeFromDevId
  * Sync headers with drm-next
  * xf86drmMode: add drmModeCloseFB()

==== nghttp2 ====
Version update (1.57.0 -> 1.58.0)

- update to 1.58.0:
  * Update manual pages
  * Bump neverbleed
  * Bump ngtcp2
  * Prefer clock_gettime if __CYGWIN__ defined
  * Do not require strict c++ mode
  * nghttpx: Stricter transfer-encoding checks
  * Refactor character comparison
  * Integration servertester h3
  * integration: Enable http3 test with cmake

==== opencc ====
Version update (1.1.6 -> 1.1.7)
Subpackages: libopencc1_1 opencc-data

- update to 1.1.7:
  * Added python package rebuild on commit to verify package generation (#822).
  * Support Python 3.12 and Node 20, remove builds for Python 3.7 and Node 16 (#820).
  * Add support of CMake config modules (#763).
  * Several other minor fixes.
- drop fix-soversion.patch (obsolete)

==== pam-config ====
Version update (2.9 -> 2.10)

- Update to version 2.10
  - Enable session and account support for kanidm and himmelblau

==== pipewire ====
Version update (0.3.85 -> 1.0.0)
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-lang pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools

- Update to version 1.0.0 (El Presidente):
  * Highlights
    - Fix a memfd/dmabuf leak when uploading buffers while shutting down.
    - Handle concurrent jack_port_get_buffer() calls because ardour seems to be doing this.
    - Improve time reporting (less jitter) in ALSA when using IRQ.
    - Many doc improvements.
  * PipeWire
    - Respect PIPEWIRE_DLCLOSE everywhere, remove pw_in_valgrind().
    - Remove a warning when a client tries to change ignored properties.
  * Modules
    - Fix a memfd/dmabuf leak when uploading buffers while shutting down.
    - Fix a potential segfault when copying mix structures. (#3658)
    - Avoid races in setrlimit in module-rt.
    - Fix a memory leak in filter-chain.
    - Set rtp.ptime on senders, not receivers.
    - The ROC modules were ported to ROC 0.3
  * SPA
    - Improve time reporting (less jitter) in ALSA when using IRQ. (#3657)
    - Add latency param query in libcamera.
    - Fix some compiler warnings.
    - The EVL plugin was updated.
  * Bluetooth
    - LC3 codec and compatibility improvements.
  * Pulse server
    - Fix emission of events when a sink/source state changes. (#3660)
  * JACK
    - Improve transport and time handling. Use unique ids to make consistent snapshots of the current time and transport.
    - Avoid enumerating port params that we are not going to use.
    - Optimize buffer reuse.
    - Handle concurrent jack_port_get_buffer() calls because ardour seems to be doing this. (#3632)
  * Docs
    - Many doc improvements.
    - Add man pages for pw-dump, pw-loopback, modules, pipewire-pulse.
    - Manpages are now made with Doxygen.
    - Add docs for pulse-modules

==== policycoreutils ====
Subpackages: policycoreutils-lang policycoreutils-python-utils python3-policycoreutils

- Change deprecated `%patch1 -p1` syntax to supported `%patch -P1 -p1` (bsc#1216669)

==== python-charset-normalizer ====
Version update (3.3.0 -> 3.3.2)

- update to 3.3.2:
  * Unintentional memory usage regression when using large payload that match several encoding (#376)
  * Regression on some detection case showcased in the documentation (#371)
  * Noise (md) probe that identify malformed arabic representation due to the presence of letters in isolated form
  * Optional mypyc compilation upgraded to version 1.6.1 for Python >= 3.8
  * Improved the general detection reliability based on reports from the community

==== python-lxml ====

- Add libxml2212-tests.patch to fix tests with new libxml2

==== python-setproctitle ====
Version update (1.3.2 -> 1.3.3)

- update to 1.3.3:
  * Add support for Python 3.12
  * Fix package metadata to include Python 3.11, 3.12.

==== restorecond ====

- Change deprecated `%patch1 -p1` syntax to supported `%patch -P1 -p1` (bsc#1216669)

==== tango-icon-theme ====

- Use %patch -P N instead of deprecated %patchN.

==== tpm2-0-tss ====
Subpackages: libtss2-esys0 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tctildr0

- libtss2-fapi1 requires system-user-tss for tmpfile creation

==== transmission ====
Version update (4.0.3 -> 4.0.4)
Subpackages: transmission-common transmission-gtk transmission-gtk-lang

- Update to version 4.0.4:
  + Fixed bug in sending torrent metadata to peers.
  + Avoid unnecessary heap memory allocations.
  + Fixed filename collision edge case when renaming files.
  + Fixed locale errors that broke number rounding when displaying statistics, e.g. upload / download ratios.
  + Always use a fixed-length key query in tracker announces. This isn't required by the spec, but some trackers rely on that fixed length because it's common practice by other BitTorrent clients.
  + Fixed potential Windows crash when getstdhandle() returns NULL.
  + Fixed 4.0.0 bug where the port numbers in LDP announces are sometimes malformed.
  + Fixed a bug that prevented editing the query part of a tracker URL.
  + Fixed a bug where Transmission may not announce LPD on its listening interface.
  + Made small performance improvements in libtransmission.
  + Qt Client:
    - Fixed torrent name rendering when showing magnet links in compact view.
    - Fixed bug that broke the "Move torrent file to trash" setting.
    - Fixed Qt 6.4 deprecation warning.
    - Fixed poor resolution of Qt application icon.
  + GTK Client: Fixed missing 'Remove torrent' tooltip.
  + Web Client:
    - Don't show null as a tier name in the inspector's tier list.
    - Fixed truncated play / pause icons.
    - Fixed overflow when rendering peer lists and made speed indicators honor prefers-color-scheme media queries.
    - Made the main menu accessible even on smaller displays.
  + transmission-cli:
    - Fixed "no such file or directory" warning when adding a magnet link.
    - Fixed bug that caused the wrong decimal separator to be used in some locales.
  + transmission-remote: Fixed display bug that failed to show some torrent labels.
  + Everything Else:
    - Ran all PNG files through lossless compressors to make them smaller.
    - Fixed potential build issue when compiling on macOS with gcc.

==== usbutils ====
Version update (015 -> 017)

- update to 017:
  * lsusb: fix up [unknown] vendor and product strings.
  * lsusb: fix build warning for dump_billboard_alt_mode_capability_desc()
  * lsusb: add fallback names for 'lsusb -v' output
  * names: simplify get_vendor_product_with_fallback() a bit
  * rezso (1):
  * Honor system libdir and includedir
  * usbutils 016
  * usbutils: lsusb-t: print entries for devices with no interfaces
  * Fix a typo in usb-spec.h
  * lsusb.py.in: Display (device) power/wakeup via -w option.
  * Fix an incorrect length value in hid descriptor.
  * Fix misalignments in hid device descriptor.
  * Use bigger buffer to place speed value string
  * lsusb -h returns an error
  * lsusb -h fixups
  * lsusb -t: sort in bus order, not reverse order
  * lsusb -t: print ports and busses and devices with same width
  * lsusb -t: assign_interface_to_parent() fixups
  * lsusb.8.in: fix up missing '-' in text
  * README.md: add source location
  * lsusb.py: fix up wakeup logic for devices that do not support it
  * lsusb.py.in: add another default path for usb.ids
  * names.c: if a string can not be found in the usb.ids file, return [unknown]
  * lsusb-t: if a driver is not bound to an interface, report "[none]"
  * Generate usbutils.pc pkgconfig file
  * usbreset: Allow idProduct and idVendor to be 0
  * usb-devices: make shellcheck happy
  * lsusb: Add function that sorts the output by device ID.
  * lsusb: Additional sorting by bus number.
  * lsusb: This is a more compact implementation of the device list sort implemented within this pull request. The output remains the same as the one demonstrated in the previous commit.

==== wireplumber ====
Version update (0.4.15 -> 0.4.16)
Subpackages: libwireplumber-0_4-0 wireplumber-audio wireplumber-lang

- Update to version 0.4.16:
  * Additions:
    - Added a new "sm-objects" script that allows loading objects on demand via metadata entries that describe the object to load; this can be used to load pipewire modules, such as filters or network sources/sinks, on demand
    - Added a mechanism to override device profile priorities in the configuration, mainly as a way to re-prioritize Bluetooth codecs, but this also can be used for other devices
    - Added a mechanism in the endpoints policy to allow connecting filters between a certain endpoint's virtual sink and the device sink; this is specifically intended to allow plugging a filter-chain to act as equalizer on the Multimedia endpoint
    - Added wp_core_get_own_bound_id() method in WpCore
  * Changes:
    - PipeWire 0.3.68 is now required
    - policy-dsp now has the ability to hide hardware nodes behind the DSP sink to prevent hardware misuse or damage
    - JSON parsing in Lua now allows keys inside objects to be without quotes
    - Added optional argument in the Lua JSON parse() method to limit recursions, making it possible to partially parse a JSON object
    - It is now possible to pass nil in Lua object constructors that expect an optional properties object; previously, omitting the argument was the only way to skip the properties
    - The endpoints policy now marks the endpoint nodes as "passive" instead of marking their links, adjusting for the behavior change in PipeWire 0.3.68
    - Removed the "passive" property from si-standard-link, since only nodes are marked as passive now
  * Fixes:
    - Fixed the wpctl clear-default command to completely clear all the default nodes state instead of only the last set default
    - Reduced the amount of globals that initially match the interest in the object manager
    - Used an idle callback instead of pw_core_sync() in the object manager to expose tmp globals
- Remove patches included upstream:
  * 0001-object-manager-reduce-the-amount-of-globals-that-initially.patch
  * 0002-object-manager-use-an-idle-callback-to-expose-tmp-globals.patch
  * 0001-policy-dsp-add-ability-to-hide-parent-nodes.patch
- Update split-config-file.py

==== xwayland ====

- This release contains the following patches mentioned in previous sle15 releases
  * U_Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch: fixes regression introduced with security update for CVE-2022-46340 (bsc#1205874)
  * U_bsc1216135-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch: fix handling of PropModeAppend/Prepend (CVE-2023-5367, ZDI-CAN-22153, bsc#1216135)
  * U_bsc1216261-0001-mi-fix-CloseScreen-initialization-order.patch, U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch: Server Damage Object Use-After-Free Local Privilege Escalation Vulnerability (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)
  * U_bsc1216261-0003-dix-always-initialize-pScreen-CloseScreen.patch: fixes a regression, which can trigger a segfault in Xwayland on exit, introduced by U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)