Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20200528 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: MozillaThunderbird (68.8.0 -> 68.8.1) fribidi kernel-firmware (20200517 -> 20200519) libgphoto2 (2.5.24 -> 2.5.25) perl-Mojolicious (8.42 -> 8.50) pragha python-SQLAlchemy (1.3.16 -> 1.3.17) python-Twisted python-attrs python-bcrypt python-cryptography (2.8 -> 2.9.2) python-dkimpy python-jedi python-lxml python-netaddr python-pywbem (0.17.1 -> 0.17.2) rubygem-actioncable-6.0 (6.0.3 -> 6.0.3.1) rubygem-actionmailbox-6.0 (6.0.3 -> 6.0.3.1) rubygem-actionmailer-6.0 (6.0.3 -> 6.0.3.1) rubygem-actionpack-6.0 (6.0.3 -> 6.0.3.1) rubygem-actiontext-6.0 (6.0.3 -> 6.0.3.1) rubygem-actionview-6.0 (6.0.3 -> 6.0.3.1) rubygem-activejob-6.0 (6.0.3 -> 6.0.3.1) rubygem-activemodel-6.0 (6.0.3 -> 6.0.3.1) rubygem-activerecord-6.0 (6.0.3 -> 6.0.3.1) rubygem-activestorage-6.0 (6.0.3 -> 6.0.3.1) rubygem-activesupport-6.0 (6.0.3 -> 6.0.3.1) rubygem-puma (4.3.3 -> 4.3.5) rubygem-rails-6.0 (6.0.3 -> 6.0.3.1) rubygem-railties-6.0 (6.0.3 -> 6.0.3.1) rubygem-rspec-rails (4.0.0 -> 4.0.1) rubygem-websocket-driver (0.7.1 -> 0.7.2) xfce4-power-manager (1.6.5 -> 1.6.6) === Details === ==== MozillaThunderbird ==== Version update (68.8.0 -> 68.8.1) Subpackages: MozillaThunderbird-translations-common - Mozilla Thunderbird 68.8.1 * fixed: IMAP stability improvements (bmo#1586494) * fixed: HTML tags in IRC topic changes were rendered incorrectly (bmo#1607097) * fixed: MailExtensions: Websockets could not be used (bmo#1627649) ==== fribidi ==== Subpackages: libfribidi0 libfribidi0-32bit - Add no-config-h.diff - copied from Debian Remove HAVE_CONFIG_H from public API - Add Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff - copied from Debian, CVE-2019-18397 Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL - Run spec-cleaner ==== kernel-firmware ==== Version update (20200517 -> 20200519) Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network ucode-amd - Update to version 20200519 (git commit 8ba6fa665c52): * iwlwifi: update and add new FWs from core50-70 and core52-81 releases * rtw88: RTL8821C: add firmware file v24.5 * iwlwifi: update FWs to core47-142 release * iwlwifi: update 8265 FW - Update modaliases for Intel SST ==== libgphoto2 ==== Version update (2.5.24 -> 2.5.25) Subpackages: libgphoto2-6 libgphoto2-6-lang - updated to 2.5.25 release - ptp2: * Liveview support for Leica SL * PTP 1.1 Streaming parameters added. * Olympus OMD capture fixes * Nikon DSLR/Z: * various improvements to liveview error reporting. * much more properties added, some values added * allow downloading of "large thumbnails" instead of "regular thumbnails", can be selected by "thumbsize" gphoto2 local setting. * fixes for D3000, D3100 methods * maximum capture wait extended to 1000 seconds (as the D870 has 900 seconds max now) * Canon EOS * initialization fixes (if it breaks your EOS M or PowerShot, please report) * liveview enablement fixed * maximum capture wait extended to 90seconds * EOS R shutterspeed , aperture reporting fixed * various bugfixes * Cameras added to id list: * Sony NEX 5 * Canon EOS 90D * Fuji XT-4 * Sanyo VPC-FH1 * Leica SL Typ 601 - lumix: * fixed initialisation, might help capture - all: * ongoing stability fixes from AFL fuzzing - translation updates: * sv ==== perl-Mojolicious ==== Version update (8.42 -> 8.50) updated to 8.50 see /usr/share/doc/packages/perl-Mojolicious/Changes 8.50 2020-05-23 - Increased Perl version requirement to 5.16.0. This is just a first step however, at some point in the not so distant future we will increase the Perl version requirement to 5.20.0 for full subroutine signatures support. - Improved Mojo::Base to enable the Perl 5.16 feature bundle with "unicode_strings", "unicode_eval", "evalbytes", "current_sub" and "fc". 8.43 2020-05-20 - Removed deprecated argument handling from Mojo::Promise::new. - Removed experimental status from all_settled method in Mojo::Promise. - Removed experimental status from content_type and file_type methods in Mojolicious::Types. - Removed experimental status from cleanup event in Mojo::IOLoop::Subprocess. - Switched from Storable to JSON serialization for Mojo::IOLoop::Subprocess IPC to increase efficiency. - Added exit_code method to Mojo::IOLoop::Subprocess. - Improved Mojo::Promise to warn when an unhandled rejected promise is destroyed. - Fixed a bug where the resolve class method in Mojo::Promise would unnecessarily create new promises. - Fixed a promise chaining bug in Mojo::Promise. (karjala) ==== pragha ==== Subpackages: pragha-lang pragha-plugins - Fix build for Leap 15.2 ==== python-SQLAlchemy ==== Version update (1.3.16 -> 1.3.17) - update to version 1.3.17: * orm + Added an accessor Comparator.expressions which provides access to the group of columns mapped under a multi-column ColumnProperty attribute. References: #5262 + Introduce relationship.sync_backref flag in a relationship to control if the synchronization events that mutate the in-Python attributes are added. This supersedes the previous change #5149, which warned that viewonly=True relationship target of a back_populates or backref configuration would be disallowed. References: #5237 + Fixed bug where using with_polymorphic() as the target of a join via RelationshipComparator.of_type() on a mapper that already has a subquery-based with_polymorphic setting that?s equivalent to the one requested would not correctly alias the ON clause in the join. References: #5288 + Fixed issue in the area of where loader options such as selectinload() interact with the baked query system, such that the caching of a query is not supposed to occur if the loader options themselves have elements such as with_polymorphic() objects in them that currently are not cache-compatible. The baked loader could sometimes not fully invalidate itself in these some of these scenarios leading to missed eager loads. References: #5303 + Modified the internal ?identity set? implementation, which is a set that hashes objects on their id() rather than their hash values, to not actually call the __hash__() method of the objects, which are typically user-mapped objects. Some methods were calling this method as a side effect of the implementation. References: #5304 + An informative error message is raised when an ORM many-to-one comparison is attempted against an object that is not an actual mapped instance. Comparisons such as those to scalar subqueries aren?t supported; generalized comparison with subqueries is better achieved using Comparator.has(). References: #5269 * engine + Fixed fairly critical issue where the DBAPI connection could be returned to the connection pool while still in an un-rolled-back state. The reset agent responsible for rolling back the connection could be corrupted in the case that the transaction was ?closed? without being rolled back or committed, which can occur in some scenarios when using ORM sessions and emitting .close() in a certain pattern involving savepoints. The fix ensures that the reset agent is always active. References: [#5326] * schema + Fixed issue where an Index that is deferred in being associated with a table, such as as when it contains a Column that is not associated with any Table yet, would fail to attach correctly if it also contained a non table-oriented expession. References: [#5298] + A warning is emitted when making use of the MetaData.sorted_tables attribute as well as the sort_tables() function, and the given tables cannot be correctly sorted due to a cyclic dependency between foreign key constraints. In this case, the functions will no longer sort the involved tables by foreign key, and a warning will be emitted. Other tables that are not part of the cycle will still be returned in dependency order. Previously, the sorted_table routines would return a collection that would unconditionally omit all foreign keys when a cycle was detected, and no warning was emitted. References: [#5316] + Add comment attribute to Column __repr__ method. References: [#4138] * postgresql + Added support for columns or type ARRAY of Enum, JSON or JSONB in PostgreSQL. Previously a workaround was required in these use cases. References: #5265 + Raise an explicit CompileError when adding a table with a column of type ARRAY of Enum configured with Enum.native_enum set to False when Enum.create_constraint is not set to False References: #5266 * mssql + Fix a regression introduced by the reflection of computed column in MSSQL when using the legacy TDS version 4.2. The dialect will try to detect the protocol version of first connect and run in compatibility mode if it cannot detect it. References: #5255 + Fix a regression introduced by the reflection of computed column in MSSQL when using SQL server versions before 2012, which does not support the concat function. References: #5271 * oracle + Some modifications to how the cx_oracle dialect sets up per-column outputtype handlers for LOB and numeric datatypes to adjust for potential changes coming in cx_Oracle 8. References: [#5246] + Changed the implementation of fetching CLOB and BLOB objects to use cx_Oracle?s native implementation which fetches CLOB/BLOB objects inline with other result columns, rather than performing a separate fetch. As always, this can be disabled by setting auto_convert_lobs to False. + As part of this change, the behavior of a CLOB that was given a blank string on INSERT now returns None on SELECT, which is now consistent with that of VARCHAR on Oracle. References: #5314 * firebird + Adjusted dialect loading for firebird:// URIs so the external sqlalchemy-firebird dialect will be used if it has been installed, otherwise fall back to the (now deprecated) internal Firebird dialect. References: #5278 ==== python-Twisted ==== - %python3_only -> %python_alternative ==== python-attrs ==== - Do not restrict us to new setuptools, we generate stuff even with the older variants ==== python-bcrypt ==== - Relax the setuptools dependency on 40.8.0 to 40.5.0 since that version is only required by upstream because of a pip issue (see https://github.com/pyca/bcrypt/commit/bc8a55e70e179a59fa89fb109353182f8f438e...). This way we can build in SLE 15 SP2 / Leap 15.2 . ==== python-cryptography ==== Version update (2.8 -> 2.9.2) - update to 2.9.2 * 2.9.2 - 2020-04-22 - Updated the macOS wheel to fix an issue where it would not run on macOS versions older than 10.15. * 2.9.1 - 2020-04-21 - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1g. * 2.9 - 2020-04-02 - BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden. - BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade. - BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed. - Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format. - BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514. - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1f. - Added support for parsing single_extensions in an OCSP response. - NameAttribute values can now be empty strings. ==== python-dkimpy ==== - %python3_only -> %python_alternative ==== python-jedi ==== - Skip two tests on leap not just sp1+ ==== python-lxml ==== - Remove explicit Provides of python-doc, which is just wrong. ==== python-netaddr ==== - %python3_only -> %python_alternative ==== python-pywbem ==== Version update (0.17.1 -> 0.17.2) - Update to 0.17.2: - Fixed raise error for invalid reference_direction in WBEMServer.get_central_instances(). (See issue #2187) - Fixed raise error for missing ports in WBEMListener.__init__(). (See issue #2188) ==== rubygem-actioncable-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * no changes ==== rubygem-actionmailbox-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * no changes ==== rubygem-actionmailer-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * no changes ==== rubygem-actionpack-6.0 ==== Version update (6.0.3 -> 6.0.3.1) Subpackages: ruby2.6-rubygem-actionpack-6.0 ruby2.7-rubygem-actionpack-6.0 - updated to version 6.0.3.1 * CVE-2020-8166: HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token * CVE-2020-8164: Return self when calling #each, #each_pair, and [#]each_value instead of the raw @parameters hash ==== rubygem-actiontext-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * no changes ==== rubygem-actionview-6.0 ==== Version update (6.0.3 -> 6.0.3.1) Subpackages: ruby2.6-rubygem-actionview-6.0 ruby2.7-rubygem-actionview-6.0 - updated to version 6.0.3.1 * CVE-2020-8167: Check that request is same-origin prior to including CSRF token in XHRs ==== rubygem-activejob-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * no changes ==== rubygem-activemodel-6.0 ==== Version update (6.0.3 -> 6.0.3.1) Subpackages: ruby2.6-rubygem-activemodel-6.0 ruby2.7-rubygem-activemodel-6.0 - updated to version 6.0.3.1 * no changes ==== rubygem-activerecord-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * no changes ==== rubygem-activestorage-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 * CVE-2020-8162: Include Content-Length in signature for ActiveStorage direct upload (bsc#1172163) ==== rubygem-activesupport-6.0 ==== Version update (6.0.3 -> 6.0.3.1) Subpackages: ruby2.6-rubygem-activesupport-6.0 ruby2.7-rubygem-activesupport-6.0 - updated to version 6.0.3.1 * CVE-2020-8165: Deprecate Marshal.load on raw cache read in RedisCacheStore * CVE-2020-8165: Avoid Marshal.load on raw cache value in MemCacheStore ==== rubygem-puma ==== Version update (4.3.3 -> 4.3.5) Subpackages: ruby2.6-rubygem-puma ruby2.7-rubygem-puma - updated to version 4.3.5 * CVE-2020-11076, CVE-2020-11077: Fixed two separate HTTP smuggling vulnerabilities that used the Transfer-Encoding header ==== rubygem-rails-6.0 ==== Version update (6.0.3 -> 6.0.3.1) - updated to version 6.0.3.1 Changes are in Rails's modules. Release Blog entry: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been... ==== rubygem-railties-6.0 ==== Version update (6.0.3 -> 6.0.3.1) Subpackages: ruby2.6-rubygem-railties-6.0 ruby2.7-rubygem-railties-6.0 - updated to version 6.0.3.1 * no changes ==== rubygem-rspec-rails ==== Version update (4.0.0 -> 4.0.1) - updated to version 4.0.1 Bug Fixes: * Remove warning when calling `driven_by` in system specs. (Aubin Lorieux, #2302) * Fix comparison of times for `#at` in job matchers. (Jon Rowe, Markus Doits, #2304) * Allow `have_enqueued_mail` to match when a sub class of `ActionMailer::DeliveryJob` is set using `<Class>.delivery_job=`. (Atsushi Yoshida #2305) * Restore Ruby 2.2.x compatibility. (Jon Rowe, #2332) * Add `required_ruby_version` to gem spec. (Marc-André Lafortune, #2319, #2338) ==== rubygem-websocket-driver ==== Version update (0.7.1 -> 0.7.2) - updated to version 0.7.2 * Emit `ping` and `pong` events from the `Server` driver * Handle draft-76 handshakes correctly if the request's body is a frozen string ==== xfce4-power-manager ==== Version update (1.6.5 -> 1.6.6) Subpackages: xfce4-power-manager-lang xfce4-power-manager-plugin - Update to version 1.6.6 * Dismiss critical notification when connecting to AC * Fix inhibiting xfce4-screensaver (bxo#16364) * settings: Move % sign out of spinbutton (bxo#15994) * panel-plugin: Toggle presentation mode on middle click * panel-plugin: Properly show 'About' menu item * panel-plugin: Add missing about callback * panel-plugin: Properly hook up about signal * panel-plugin: Replace deprecated call * Switch to symbolic window-close icons