Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20241122

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  apache2-mod_php8 (8.3.13 -> 8.3.14)
  dnsmasq
  gtk4 (4.16.5 -> 4.16.6)
  inkscape
  libimobiledevice
  llvm19 (19.1.3 -> 19.1.4)
  multipath-tools (0.10.0+108+suse.2c2e597 -> 0.11.0~1+118+suse.4a51b1a)
  net-snmp
  openSUSE-release (20241121 -> 20241122)
  php8 (8.3.13 -> 8.3.14)
  postgresql17 (17.1 -> 17.2)
  python-constantly (15.1.0 -> 23.10.4)
  rpm
  util-linux
  util-linux-systemd

=== Details ===

==== apache2-mod_php8 ====
Version update (8.3.13 -> 8.3.14)

- version update to 8.3.14
  CLI:
    Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server started through shebang).
    Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface).
  COM:
    Fixed out of bound writes to SafeArray data.
  Core:
    Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15).
    Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646).
    Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline).
    Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
    Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed early bound classes).
    Fixed bug GH-16648 (Use-after-free during array sorting).
  Curl:
    Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails).
  Date:
    Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
    Fixed bug GH-14732 (date_sun_info() fails for non-finite values).
  DBA:
    Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams).
  DOM:
    Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
    Add missing hierarchy checks to replaceChild.
    Fixed bug GH-16336 (Attribute intern document mismanagement).
    Fixed bug GH-16338 (Null-dereference in ext/dom/node.c).
    Fixed bug GH-16473 (dom_import_simplexml stub is wrong).
    Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an element).
    Fixed bug GH-16535 (UAF when using document as a child).
    Fixed bug GH-16593 (Assertion failure in DOM->replaceChild).
    Fixed bug GH-16595 (Another UAF in DOM -> cloneNode).
  EXIF:
    Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a real file).
  FFI:
    Fixed bug GH-16397 (Segmentation fault when comparing FFI object).
  Filter:
    Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen).
  FPM:
    Fixed bug GH-16628 (FPM logs are getting corrupted with this log statement).
  GD:
    Fixed bug GH-16334 (imageaffine overflow on matrix elements).
    Fixed bug GH-16427 (Unchecked libavif return values).
    Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
  GMP:
    Fixed floating point exception bug with gmp_pow when using large exponent values. (David Carlier).
    Fixed bug GH-16411 (gmp_export() can cause overflow).
    Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
    Fixed gmp_pow() overflow bug with large base/exponents.
    Fixed segfaults and other issues related to operator overloading with GMP objects.
  LDAP:
    Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
  MBstring:
    Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
  MySQLnd:
    Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
  Opcache:
    Fixed bug GH-16408 (Array to string conversion warning emitted in optimizer).
  OpenSSL:
    Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
    Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
    Fix various memory leaks on error conditions in openssl_x509_parse().
  PDO DBLIB:
    Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
  PDO Firebird:
    Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
  PDO ODBC:
    Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values).
  Phar:
    Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808).
  PHPDBG:
    Fixed bug GH-16174 (Empty string is an invalid expression for ev).
  Reflection:
    Fixed bug GH-16601 (Memory leak in Reflection constructors).
  Session:
    Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
    Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
  SOAP:
    Fixed bug GH-16318 (Recursive array segfaults soap encoding).
    Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
  Sockets:
    Fixed bug with overflow socket_recvfrom $length argument.
  SPL:
    Fixed bug GH-16337 (Use-after-free in SplHeap).
    Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
    Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()).
    Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()).
    Fixed bug GH-16588 (UAF in Observer->serialize).
    Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor).
    Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()).
    Fixed bug GH-14687 (segfault on SplObjectIterator instance).
    Fixed bug GH-16604 (Memory leaks in SPL constructors).
    Fixed bug GH-16646 (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()).
  Standard:
    Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with bail enabled).
  Streams:
    Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
    Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
  SysVMsg:
    Fixed bug GH-16592 (msg_send() crashes when a type is not properly serialized).
  SysVShm:
    Fixed bug GH-16591 (Assertion error in shm_put_var).
  XMLReader:
    Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
  Zlib:
    Fixed bug GH-16326 (Memory management is broken for bad dictionaries.) (cmb)

==== dnsmasq ====

- Enable --nftset support

==== gtk4 ====
Version update (4.16.5 -> 4.16.6)
Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0

- Update to version 4.16.6:
  + To prevent issues when using GTK under kwin, this release makes Wayland color management opt-in. To experiment with it, set GDK_DEBUG=color-mgmt.
  + GtkText: Don't select inserted Emoji
  + GtkApplication: Set the default window icon from the app ID
  + GtkFontChooser: Make the dialog more shrinkable
  + Updated translations.

==== inkscape ====
Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang

- Drop obsolete and unused pkgconfig(gdl-3.0) BuildRequires.
- Add explicit pkgconfig(glibmm-2.4), pkgconfig(gdkmm-3.0), pkgconfig(gdkmm-3.0), pkgconfig(gtk+-3.0) and pkgconfig(gdk-3.0) BuildRequires: Align with what cmake checks for.

==== libimobiledevice ====

- add python3-setuptools for python 3.13 support

==== llvm19 ====
Version update (19.1.3 -> 19.1.4)
Subpackages: clang-tools clang19 libLLVM19 libclang-cpp19 libclang13 libclang_rt19 llvm19-gold

- Update to version 19.1.4.
  * This release contains bug-fixes for the LLVM 19.1.0 release. This release is API and ABI compatible with 19.1.0.
- Rebase llvm-do-not-install-static-libraries.patch.

==== multipath-tools ====
Version update (0.10.0+108+suse.2c2e597 -> 0.11.0~1+118+suse.4a51b1a)
Subpackages: kpartx libmpath0

- Update to version 0.11.0~1+118+suse.4a51b1a
  See NEWS.md for details about upstream changes in 0.11.0.
  * Pre-release of upstream 0.11.0
  * Rework of the path checking algorithm to reduce wait time and improve performance
  * Modified the systemd unit `multipathd.service` such that multipathd will now restart after a failure or crash (gh#opensvc/multipath-tools#100)
  * multipathd: move systemd watchdog handling into daemon (bsc#1232227)
  * libmultipath: dm_get_maps(): don't bail out for single-map failures (bsc#1233588, gh#opensvc/multipath-tools#102)
  * libmultipath: don't set dev_loss_tmo to 0 for NO_PATH_RETRY_FAIL
  * multipathd: fix deferred_failback_tick for reload removes

==== net-snmp ====
Subpackages: libsnmp40 perl-SNMP snmp-mibs

- logrotate should use reload instead of restart (bsc#1232030)

==== openSUSE-release ====
Version update (20241121 -> 20241122)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== php8 ====
Version update (8.3.13 -> 8.3.14)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.3.14
  CLI:
    Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server started through shebang).
    Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface).
  COM:
    Fixed out of bound writes to SafeArray data.
  Core:
    Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15).
    Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646).
    Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline).
    Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
    Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed early bound classes).
    Fixed bug GH-16648 (Use-after-free during array sorting).
  Curl:
    Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails).
  Date:
    Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
    Fixed bug GH-14732 (date_sun_info() fails for non-finite values).
  DBA:
    Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams).
  DOM:
    Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
    Add missing hierarchy checks to replaceChild.
    Fixed bug GH-16336 (Attribute intern document mismanagement).
    Fixed bug GH-16338 (Null-dereference in ext/dom/node.c).
    Fixed bug GH-16473 (dom_import_simplexml stub is wrong).
    Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an element).
    Fixed bug GH-16535 (UAF when using document as a child).
    Fixed bug GH-16593 (Assertion failure in DOM->replaceChild).
    Fixed bug GH-16595 (Another UAF in DOM -> cloneNode).
  EXIF:
    Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a real file).
  FFI:
    Fixed bug GH-16397 (Segmentation fault when comparing FFI object).
  Filter:
    Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen).
  FPM:
    Fixed bug GH-16628 (FPM logs are getting corrupted with this log statement).
  GD:
    Fixed bug GH-16334 (imageaffine overflow on matrix elements).
    Fixed bug GH-16427 (Unchecked libavif return values).
    Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
  GMP:
    Fixed floating point exception bug with gmp_pow when using large exponent values. (David Carlier).
    Fixed bug GH-16411 (gmp_export() can cause overflow).
    Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
    Fixed gmp_pow() overflow bug with large base/exponents.
    Fixed segfaults and other issues related to operator overloading with GMP objects.
  LDAP:
    Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape).
      (CVE-2024-8932)
  MBstring:
    Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
  MySQLnd:
    Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
  Opcache:
    Fixed bug GH-16408 (Array to string conversion warning emitted in optimizer).
  OpenSSL:
    Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
    Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
    Fix various memory leaks on error conditions in openssl_x509_parse().
  PDO DBLIB:
    Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
  PDO Firebird:
    Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
  PDO ODBC:
    Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values).
  Phar:
    Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808).
  PHPDBG:
    Fixed bug GH-16174 (Empty string is an invalid expression for ev).
  Reflection:
    Fixed bug GH-16601 (Memory leak in Reflection constructors).
  Session:
    Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
    Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
  SOAP:
    Fixed bug GH-16318 (Recursive array segfaults soap encoding).
    Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
  Sockets:
    Fixed bug with overflow socket_recvfrom $length argument.
  SPL:
    Fixed bug GH-16337 (Use-after-free in SplHeap).
    Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
    Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()).
    Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()).
    Fixed bug GH-16588 (UAF in Observer->serialize).
    Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor).
    Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()).
    Fixed bug GH-14687 (segfault on SplObjectIterator instance).
    Fixed bug GH-16604 (Memory leaks in SPL constructors).
    Fixed bug GH-16646 (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()).
  Standard:
    Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with bail enabled).
  Streams:
    Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
    Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
  SysVMsg:
    Fixed bug GH-16592 (msg_send() crashes when a type is not properly serialized).
  SysVShm:
    Fixed bug GH-16591 (Assertion error in shm_put_var).
  XMLReader:
    Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
  Zlib:
    Fixed bug GH-16326 (Memory management is broken for bad dictionaries.) (cmb)

==== postgresql17 ====
Version update (17.1 -> 17.2)
Subpackages: libpq5 postgresql17-contrib postgresql17-llvmjit postgresql17-server

- Upgrade to 17.2:
  * Repair ABI break for extensions that work with struct ResultRelInfo.
  * Restore functionality of ALTER {ROLE|DATABASE} SET role.
  * Fix cases where a logical replication slot's restart_lsn could go backwards.
  * Avoid deleting still-needed WAL files during pg_rewind.
  * Fix race conditions associated with dropping shared statistics entries.
  * Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter.
  * Fix crash when checking to see if an index's opclass options have changed.
  * Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing.
  * https://www.postgresql.org/about/news/p-2965/
  * https://www.postgresql.org/docs/release/17.2/

==== python-constantly ====
Version update (15.1.0 -> 23.10.4)

- update to 23.10.4:
  * switch to PEP517 build
  * Python 3.12 support

==== rpm ====
Subpackages: librpmbuild10

- Bump debugedit version (bsc#1233156)

==== util-linux ====
Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 util-linux-lang

- Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch).
- agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch).
- Document unexpected side effects of lazy destruction (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch).

==== util-linux-systemd ====
Subpackages: lastlog2 liblastlog2-2

- Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch).
- agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch).
- Document unexpected side effects of lazy destruction (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch).