Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20230823 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: apache2-mod_php8 (8.2.8 -> 8.2.9) gnutls (3.8.0 -> 3.8.1) gpgme (1.21.0 -> 1.22.0) gpgmeqt (1.21.0 -> 1.22.0) libupnp (1.14.17 -> 1.14.18) mutter php8 (8.2.8 -> 8.2.9) python-pexpect xz yast2-apparmor (4.6.1 -> 4.6.2) === Details === ==== apache2-mod_php8 ==== Version update (8.2.8 -> 8.2.9) - version update to 8.2.9 * This is a security release. * Fixes CVE-2023-3824 [bsc#1214103] and CVE-2023-3823 [bsc#1214106] * https://www.php.net/ChangeLog-8.php#8.2.9 - deleted patches - php-unicode-allow-redistribution.patch (upstreamed) - deleted sources - repack.sh (not needed) ==== gnutls ==== Version update (3.8.0 -> 3.8.1) Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit - Fix missing GNUTLS_NO_EXTENSIONS compatibility. * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634 * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch - tests: Fix the SRP test that fails with SIGPIPE signal return due to a socket being closed before using it. * Add gnutls-srp-test-SIGPIPE.patch - Update to version 3.8.1: * libgnutls: ClientHello extensions are randomized by default To make fingerprinting harder, TLS extensions in ClientHello messages are shuffled. As this behavior may cause compatibility issue with legacy applications that do not accept the last extension without payload, the behavior can be reverted with the %NO_SHUFFLE_EXTENSIONS priority keyword. * libgnutls: Add support for RFC 9258 external PSK importer. This enables to deploy the same PSK across multiple TLS versions (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application needs to set up a callback that formats the PSK identity using gnutls_psk_format_imported_identity(). * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS. * libgnutls: Add additional PBKDF limit checks in FIPS mode as defined in SP 800-132. Minimum salt length is 128 bits and minimum iterations bound is 1000 for PBKDF in FIPS mode. * libgnutls: Add a mechanism to control whether to enforce extended master secret (RFC 7627). FIPS 140-3 mandates the use of TLS session hash (extended master secret, EMS) in TLS 1.2. To enforce this, a new priority keyword %FORCE_SESSION_HASH is added and if it is set and EMS is not set, the peer aborts the connection. This behavior is the default in FIPS mode, though it can be overridden through the configuration file with the "tls-session-hash" option. In either case non-EMS PRF is reported as a non-approved operation through the FIPS service indicator. * New option --attime to specify current time. To make testing with different timestamp to the system easier, the tools doing certificate verification now provide a new option - -attime, which takes an arbitrary time. * API and ABI modifications: gnutls_psk_client_credentials_function3: New typedef gnutls_psk_server_credentials_function3: New typedef gnutls_psk_set_server_credentials_function3: New function gnutls_psk_set_client_credentials_function3: New function gnutls_psk_format_imported_identity: New function GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags * Rebase patches: - gnutls-FIPS-140-3-references.patch - gnutls-FIPS-jitterentropy.patch * Remove patches merged/fixed upstream: - gnutls-FIPS-PCT-DH.patch - gnutls-FIPS-PCT-ECDH.patch ==== gpgme ==== Version update (1.21.0 -> 1.22.0) Subpackages: libgpgme11 libgpgmepp6 - Fix builds with qt and qt6 [T6673]: * qt,tests: Fix build in source directory. Include Qt binding sources before C++ binding sources and C sources. This fixes the problem that the debug.h in the C sources was found before the one in the Qt bindings. * build: Suggest out-of-source build. Suggest to run configure from a build subdirectory. * Add patches: - gpgme-qt-tests-Fix-build-in-source-directory.patch - gpgme-build-Suggest-out-of-source-build.patch - Update to 1.22.0: * Prevent wrong plaintext when verifying clearsigned signature. * Return bad data error instead of general error on unexpected data. * Take care of offline mode for all operations of gpgsm engine. * Prepare the use of the forthcoming libassuan version 3. * New configure option --with-libtool-modification. * cpp: Expose gpgme_decrypt_result_t.is_mime. * qt: Clean up after failure or cancel of sign/encrypt archive operation. * qt: Add setInputEncoding to QGpgMe::EncryptJob. * qt: Make toLogString helper public. * Interface changes relative to the 1.21.0 release: - qt: EncryptJob::setInputEncoding NEW. - qt: DecryptionResult::isMime NEW. - qt: toLogString NEW. ==== gpgmeqt ==== Version update (1.21.0 -> 1.22.0) - Fix builds with qt and qt6 [T6673]: * qt,tests: Fix build in source directory. Include Qt binding sources before C++ binding sources and C sources. This fixes the problem that the debug.h in the C sources was found before the one in the Qt bindings. * build: Suggest out-of-source build. Suggest to run configure from a build subdirectory. * Add patches: - gpgme-qt-tests-Fix-build-in-source-directory.patch - gpgme-build-Suggest-out-of-source-build.patch - Update to 1.22.0: * Prevent wrong plaintext when verifying clearsigned signature. * Return bad data error instead of general error on unexpected data. * Take care of offline mode for all operations of gpgsm engine. * Prepare the use of the forthcoming libassuan version 3. * New configure option --with-libtool-modification. * cpp: Expose gpgme_decrypt_result_t.is_mime. * qt: Clean up after failure or cancel of sign/encrypt archive operation. * qt: Add setInputEncoding to QGpgMe::EncryptJob. * qt: Make toLogString helper public. * Interface changes relative to the 1.21.0 release: - qt: EncryptJob::setInputEncoding NEW. - qt: DecryptionResult::isMime NEW. - qt: toLogString NEW. ==== libupnp ==== Version update (1.14.17 -> 1.14.18) Subpackages: libixml11 libupnp17 - Update to release 1.14.18 * miniserver: fix busy loop on socket error ==== mutter ==== Subpackages: mutter-lang - Add mutter-revert-window_draw_issues.patch: Revert commit 43cee4b6: Do clipped redraws when drawing offscreen (boo#1210744, glgo#GNOME/mutter#2771). ==== php8 ==== Version update (8.2.8 -> 8.2.9) Subpackages: php8-cli php8-ctype php8-dom php8-gd php8-gettext php8-iconv php8-mbstring php8-mysql php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter - version update to 8.2.9 * This is a security release. * Fixes CVE-2023-3824 [bsc#1214103] and CVE-2023-3823 [bsc#1214106] * https://www.php.net/ChangeLog-8.php#8.2.9 - deleted patches - php-unicode-allow-redistribution.patch (upstreamed) - deleted sources - repack.sh (not needed) ==== python-pexpect ==== - add 31fab7b0edbe9b3401507b5dfa4db6aaf3fabca5.patch dae602d37493bae239e0e8db5b3dabafebfd59db.patch: python 3.12 compat ==== xz ==== Subpackages: liblzma5 liblzma5-32bit xz-lang - xznew: Remove bashsism. - build: pass CONFIG_SHELL=/bin/sh to configure: the posix tools are setting the current SHELL as the shebang, which is overkill: any posix compliant shell, aka /bin/sh, is sufficient. ==== yast2-apparmor ==== Version update (4.6.1 -> 4.6.2) - bsc#1214418 - Fixed crash on internal error when scanning audit.log - 4.6.2