Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20231222

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (120.0.1 -> 121.0)
  cronie
  libzypp (17.31.25 -> 17.31.27)
  lsof (4.99.0 -> 4.99.3)
  protobuf
  rubygem-agama (6 -> 7)
  traceroute (2.1.3 -> 2.1.5)
  xmlsec1 (1.2.37 -> 1.2.38)
  yast2-firstboot (5.0.0 -> 5.0.1)
  yast2-installation (5.0.2 -> 5.0.3)

=== Details ===

==== MozillaFirefox ====
Version update (120.0.1 -> 121.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 121.0
  https://www.mozilla.org/en-US/firefox/121.0/releasenotes
  MFSA 2023-56 (bsc#1217974)
  * CVE-2023-6856 (bmo#1843782)
    Heap-buffer-overflow affecting WebGL DrawElementsInstanced
    method with Mesa VM driver
  * CVE-2023-6135 (bmo#1853908)
    NSS susceptible to "Minerva" attack
  * CVE-2023-6865 (bmo#1864123)
    Potential exposure of uninitialized data in
    EncryptingOutputStream
  * CVE-2023-6857 (bmo#1796023)
    Symlinks may resolve to smaller than expected buffers
  * CVE-2023-6858 (bmo#1826791)
    Heap buffer overflow in nsTextFragment
  * CVE-2023-6859 (bmo#1840144)
    Use-after-free in PR_GetIdentitiesLayer
  * CVE-2023-6866 (bmo#1849037)
    TypedArrays lack sufficient exception handling
  * CVE-2023-6860 (bmo#1854669)
    Potential sandbox escape due to VideoBridge lack of texture
    validation
  * CVE-2023-6867 (bmo#1863863)
    Clickjacking permission prompts using the popup transition
  * CVE-2023-6861 (bmo#1864118)
    Heap buffer overflow affected nsWindow::PickerOpen(void) in
    headless mode
  * CVE-2023-6868 (bmo#1865488)
    WebPush requests on Firefox for Android did not require VAPID
    key
  * CVE-2023-6869 (bmo#1799036)
    Content can paint outside of sandboxed iframe
  * CVE-2023-6870 (bmo#1823316)
    Android Toast notifications may obscure fullscreen event
    notifications
  * CVE-2023-6871 (bmo#1828334)
    Lack of protocol handler warning in some instances
  * CVE-2023-6872 (bmo#1849186)
    Browsing history leaked to syslogs via GNOME
  * CVE-2023-6863 (bmo#1868901)
    Undefined behavior in ShutdownObserver()
  * CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328,
    bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862777,
    bmo#1864015)
    Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
    and Thunderbird 115.6
  * CVE-2023-6873 (bmo#1855327, bmo#1862089, bmo#1862723)
    Memory safety bugs fixed in Firefox 121
- requires NSS 3.95

==== cronie ====
Subpackages: cron

- Update to 1.7.0:
  * anacron: Add support for NO_MAIL_OUTPUT environment variable
  * anacron: Support enabling anacron jobs on battery power
  * crond: Support -n crontab entry option to disable mailing the
    output
  * crontab: Make a backup of the crontab file on edition and
    deletion
- Add patch cronie-pam_config-nonlogin.diff
- Refreshed patches:
  * cronie-crond_pid.diff
  * cronie-pam_config.diff
  * cronie-nheader_lines.diff
  * fix-manpage-replace-anacrontab-with-crontab.patch
- PAM: Use common-session-nonlogin for >15 codestreams
  More info in https://github.com/SUSE/pam-config/pull/16

==== libzypp ====
Version update (17.31.25 -> 17.31.27)

- CheckAccessDeleted: fix 'running in container' filter
  (bsc#1218291)
- version 17.31.27 (22)
- Call zypp commit plugins during transactional update (fixes #506)
- Add support for loongarch64 (fixes #504)
- Teach MediaMultiCurl to download HTTP Multibyte ranges.
- Teach zsync downloads to MultiCurl.
- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
  Convenient and helps documentation as it may refer to a single
  command for a bunch of distributions. Like e.g. "zypper ar
  'https://server.my/$releasever/my.repo'".
- version 17.31.26 (22)

==== lsof ====
Version update (4.99.0 -> 4.99.3)

- lsof 4.99.3:
  * Fix compilation error when HASIPv6 is not defined
  * Add configure option --disable-liblsof to disable installation
    of liblsof
- add lsof-4.99.3-fix-version-in-configure-ac.patch

==== protobuf ====
Subpackages: libprotobuf-lite23_4_0 libprotobuf23_4_0

- build against modern python on sle15

==== rubygem-agama ====
Version update (6 -> 7)

- Version 7
- Update software issues after calling to solver
  (gh#openSUSE/agama#945).
- Set snapshots as not configurable by default
  (gh#openSUSE/agama#926).
- Explicitly add dependencies instead of relying on the live ISO
  to provide the required packages (gh#openSUSE/agama/911).
- Redefine the InstFunctions module to avoid calling code that
  causes unwanted side effects, like resetting the timezone
  (gh#openSUSE/agama#903).
- Version 6

==== traceroute ====
Version update (2.1.3 -> 2.1.5)

- update to 2.1.5:
  * Parse interface information (rfc5837) for ICMP extensions
  * Add `fastopen' tcp module option (cookie negotiation only)
  * Complete tcp module option `mss' to discover possible mss
    clamping along the path being traced.
  * Complete tcp module option `info' to print returned tcp header
    options too (all those that can be set or altered by `-O' for
    tcp module).

==== xmlsec1 ====
Version update (1.2.37 -> 1.2.38)
Subpackages: libxmlsec1-1 libxmlsec1-nss1 libxmlsec1-openssl1

- Update to 1.2.38
  * Have a look at the changelog for the list of changes

==== yast2-firstboot ====
Version update (5.0.0 -> 5.0.1)

- Allow selecting WSL systemd pattern (jsc#PED-5644, jsc#PED-5099)
- 5.0.1

==== yast2-installation ====
Version update (5.0.2 -> 5.0.3)

- Enclose IPv6 addresses within square brackets when calling the
  mount command (bsc#1217637).
- 5.0.3