Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20230706

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (114.0.2 -> 115.0)
  accountsservice
  eog (44.2 -> 44.3)
  evince (44.2 -> 44.3)
  fwupd
  gdm
  gnome-maps (44.2 -> 44.3)
  gnome-user-docs (44.1 -> 44.3)
  gupnp (1.6.3 -> 1.6.4)
  hwinfo (22.3 -> 23.1)
  ibus-table-others (1.3.13 -> 1.3.16)
  libxcrypt (4.4.34 -> 4.4.35)
  mozilla-nss (3.89.1 -> 3.90)
  pulseaudio
  python-configobj
  python-urllib3 (2.0.2 -> 2.0.3)
  python311 (3.11.3 -> 3.11.4)
  python311-core (3.11.3 -> 3.11.4)
  swtpm
  upower (1.90.0 -> 1.90.1)
  wicked

=== Details ===

==== MozillaFirefox ====
Version update (114.0.2 -> 115.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 115.0
  * Support for importing payment methods saved in Chrome-based browser
  * Hardware video decoding is now enabled for Intel GPUs on Linux
  * The Tab Manager dropdown now features close buttons, so tabs can be closed more quickly
  * Streamlined the user interface for importing data in from other browsers
  * Users without platform support for H264 video decoding can now fallback to Cisco's OpenH264 plugin for playback.
  * Undo and redo are now available in Password fields
  * Changed: On Linux, middle clicks on the new tab button will now open the xclipboard contents in the new tab. If the xclipboard content is a URL then that URL is opened, any other text is opened with your default search provider.
  * Changed: For users with a Firefox Colorways built-in theme, the theme will be automatically migrated to the same theme hosted on addons.mozilla.org for Firefox profiles that have disabled add-ons auto-updates. This will allow users to keep their Colorways theme when they are later removed from Firefox installer files.
  * Changed: Certain Firefox users may come across a message in the extensions panel indicating that their add-ons are not allowed on the site currently open. We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.
  * HTML5: The builtin editor now behaves similarly to other browsers with `contenteditable` and `designMode` when splitting a node, e.g. typing Enter to split a paragraph, and also when joining two nodes, e.g. typing Backspace at the start of a paragraph to join the paragraph and the previous one. When a node is split, the builtin editor creates a new node after the original one instead of before, i.e. creates the right node instead of the left node. Similarly, when two nodes are joined, the builtin editor deletes the latter node and moves its children to the end of the preceding node instead of deleting the former node and moving its child to the start of the following node.
  * HTML5: WebRTC application developers can now specify a target in milliseconds of media for the jitter buffer to hold. Altering the target value allows applications to control the tradeoff between playout delay and the risk of running out of audio or video frames due to network jitter.
  * HTML5: Change array by copy provides additional methods on `Array.prototype` and `TypedArray.prototype` to enable changes on the array by returning a new copy of it with the change.
  * HTML5: The animation-composition property is now supported, allowing a declarative way to define the composite operation used when multiple animations affect the same property simultaneously.
  * HTML5: Added the URL.canParse() function to allow easy and fast checking if URLs are valid and parseable.
  * HTML5: IndexedDB is now also supported in private browsing without memory limits thanks to encrypted storage on disk. The temporary keys to decrypt the information are held in RAM only and all stored information is purged at the normal end of a private browsing session from disk.
  * HTML5: Supports conditions are now supported in CSS import rules @import supports(...)
  * Developer: In web development, we rely on third-party libraries which you may not be interested in while debugging. These can be ignored. Ignoring them means that breakpoints will not get hit and they are skipped during stepping. You can now choose to **Hide ignore-listed sources** in the Developer Tools source tree
  * Developer: We have introduced a new option, `devtools.f12_enabled`, that can be utilized to prevent the accidental use of the F12 key, which opens the DevTools toolbox (bug).
  * Enterprise: You can find information about policy updates and enterprise specific bug fixes in the Firefox for Enterprise 115 Release Notes.
  MFSA 2023-22 (bsc#1212438)
  * CVE-2023-3482 (bmo#1839464)
    Block all cookies bypass for localstorage
  * CVE-2023-37201 (bmo#1826002)
    Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711)
    Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-37203 (bmo#291640)
    Drag and Drop API may provide access to local system files
  * CVE-2023-37204 (bmo#1832195)
    Fullscreen notification obscured via option element
  * CVE-2023-37205 (bmo#1704420)
    URL spoofing in address bar using RTL characters
  * CVE-2023-37206 (bmo#1813299)
    Insufficient validation of symlinks in the FileSystem API
  * CVE-2023-37207 (bmo#1816287)
    Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675)
    Lack of warning when opening Diagcab files
  * CVE-2023-37209 (bmo#1837993)
    Use-after-free in `NotifyOnHistoryReload`
  * CVE-2023-37210 (bmo#1821886)
    Full-screen mode exit prevention
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450)
    Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
... changelog too long, skipping 9 lines ...
- removed obsolete mozilla-buildfixes.patch

==== accountsservice ====
Subpackages: accountsservice-lang libaccountsservice0 typelib-1_0-AccountsService-1_0

- Rebase accountsservice-sysconfig.patch: (boo#1212675 boo#1212973).
- Remove accountsservice-assume-gdm.patch: Fixed by new rebasing of accountsservice-sysconfig.patch.

==== eog ====
Version update (44.2 -> 44.3)
Subpackages: eog-lang

- Update to version 44.3:
  + EOG gets stuck in infinite while loop if animation loops a finite number of times.
  + Updated translations.

==== evince ====
Version update (44.2 -> 44.3)
Subpackages: evince-lang evince-plugin-comicsdocument evince-plugin-djvudocument evince-plugin-dvidocument evince-plugin-pdfdocument evince-plugin-tiffdocument evince-plugin-xpsdocument libevdocument3-4 libevview3-3 typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0

- Update to version 44.3:
  + Add support for validating appdata versions.
  + Check for NEWS and appdata updates for new releases.
  + Don't discard matches without text area in the find bar.
  + Updated translations.

==== fwupd ====
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0

- Enable efi_fw_update on riscv64
- fwupdagent and dfu-tool are only built %{with efi_fw_update}

==== gdm ====
Subpackages: gdm-lang gdm-schema gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0

- Merge pulseaudio-gdm-hooks into the gdm package. This was previously part of pulseaudio.spec, which was fairly complex (dir ownership, separate tmpfiles, dependencies) and it also caused pulseaudio.spec to runtime depend on gdm. Avoid all of that by just adding it here:
  + Add default.pa
  + Add entries to gdm.tmpfiles

==== gnome-maps ====
Version update (44.2 -> 44.3)
Subpackages: gnome-maps-lang

- Update to version 44.3:
  + Add support for auth headers in the OpenTripPlanner plugin.
  + Updated translations.

==== gnome-user-docs ====
Version update (44.1 -> 44.3)

- Update to version 44.3:
  + Updated translations.

==== gupnp ====
Version update (1.6.3 -> 1.6.4)

- Update to version 1.6.4:
  + Keep a weak reference to proxy in action.
  + Add API to provide HTTP credentials for simple authentication.
  + Remove xmlRecoverMemory usage.
- Drop 80e68995.patch: Fixed upstream.

==== hwinfo ====
Version update (22.3 -> 23.1)

- merge gh#openSUSE/hwinfo#137
- adjust exported symbols to yast2-hardware-detection test case
- 23.1
- merge gh#openSUSE/hwinfo#134
- restrict libhd exported symbols to the documented API (bsc#1212756)
- fix pppoe compile warning
- 23.0

==== ibus-table-others ====
Version update (1.3.13 -> 1.3.16)
Subpackages: ibus-table-rustrad ibus-table-translit

- Update to 1.3.16
  * feat: several improvements to Old Hungarian
  * fix: remove { and } from VALID_INPUT_CHARS in LaTeX table

==== libxcrypt ====
Version update (4.4.34 -> 4.4.35)
Subpackages: libcrypt1 libcrypt1-32bit libxcrypt-devel

- update to 4.4.35:
  * Fix build with Perl v5.38.0 (issue #170).
  * Fix build with MinGW-w(32|64).

==== mozilla-nss ====
Version update (3.89.1 -> 3.90)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools

- update to NSS 3.90
  * bmo#1623338 - ride along: remove a duplicated doc page
  * bmo#1623338 - remove a reference to IRC
  * bmo#1831983 - clang-format lib/freebl/stubs.c
  * bmo#1831983 - Add a constant time select function
  * bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
  * bmo#1830973 - output early build errors by default
  * bmo#1804505 - Update the technical constraints for KamuSM
  * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
  * bmo#1790763 - Enable default UBSan Checks
  * bmo#1786018 - Add explicit handling of zero length records
  * bmo#1829391 - Tidy up DTLS ACK Error Handling Path
  * bmo#1786018 - Refactor zero length record tests
  * bmo#1829112 - Fix compiler warning via correct assert
  * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
  * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
  * bmo#1784163 - Fix reading raw negative numbers
  * bmo#1748237 - Repairing unreachable code in clang built with gyp
  * bmo#1783647 - Integrate Vale Curve25519
  * bmo#1799468 - Removing unused flags for Hacl*
  * bmo#1748237 - Adding a better error message
  * bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
  * bmo#1782980 - Fall back to the softokn when writing certificate trust
  * bmo#1806010 - FIPS-104-3 requires we restart post programmatically
  * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
  * bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
  * bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
  * bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
  * bmo#1822076 - fix rst warnings in nss doc
  * bmo#1821997 - Fix incorrect pygment style
  * bmo#1821292 - Change GYP directive to apply across platforms
  * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- add nss-fix-bmo1836925.patch to fix build-errors
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need the workaround in FIPS mode (bsc#1200325)
- Remove nss-fips-tests-skip.patch.
  This is no longer needed since we removed the code to short-circuit broken hashes and moved to using the SLI
- Add nss-allow-slow-tests.patch, which allows a timed test to run longer than 1s. This avoids turning slow builds into broken builds
- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for entropy. This is disabled until we can avoid the inline assembler in the latter's header file that relies on GNU extensions
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency checks

==== pulseaudio ====
Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-setup pulseaudio-utils system-user-pulse

- Drop pulseaudio-gdm-hooks subpackage including default.pa-for-gdm and pulseaudio-gdm-hooks.tmpfiles. Moved to gdm instead.

==== python-configobj ====

- Add remove_six.patch (gh#DiffSK/configobj#239) removing the need for six.

==== python-urllib3 ====
Version update (2.0.2 -> 2.0.3)

- Disable test_deprecated_no_scheme so it needs network connection to run correctly.
- update to 2.0.3:
  * Allowed alternative SSL libraries such as LibreSSL, while still issuing a warning as we cannot help users facing issues with implementations other than OpenSSL.
  * Deprecated URLs which don't have an explicit scheme
  * Fixed response decoding with Zstandard when compressed data is made of several frames.
  * Fixed ``assert_hostname=False`` to correctly skip hostname check.

==== python311 ====
Version update (3.11.3 -> 3.11.4)
Subpackages: python311-curses python311-dbm

- Update to Python 3.11.4:
  - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2007-4559-filter-tarfile_extractall.patch

==== python311-core ====
Version update (3.11.3 -> 3.11.4)
Subpackages: libpython3_11-1_0 python311-base

- Update to Python 3.11.4:
  - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory.
    See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2007-4559-filter-tarfile_extractall.patch

==== swtpm ====
Subpackages: swtpm-selinux

- Make selinux optional to allow building this package for Leap, too.

==== upower ====
Version update (1.90.0 -> 1.90.1)
Subpackages: libupower-glib3 typelib-1_0-UpowerGlib-1_0 upower-lang

- Update to 1.90.1:
  * Detect headsets with kernel batteries such as Logitech and Steelseries headsets, and make them automatically disappear if the headset is turned off (if the kernel driver supports the wireless_status attribute)
  * Hide duplicate Logitech Bluetooth devices (Bolt-compatible devices connected through Bluetooth would show as 2 batteries)
  * Hide duplicate Logitech wireless devices when they get connected through USB as well
  * Fix Bluetooth device names not synchronising, and use user-chosen names when available
  * Handle the "present" sysfs attribute changing
  * Fix iDevices not appearing
  * Fix reading capacity_level with newer libgudev

==== wicked ====
Subpackages: wicked-service

- ifconfig: fix arp notify loop (boo#1212806) and burst sending
  [+ 0001-fix_arp_notify_loop_and_burst_sending.patch]