New Tumbleweed snapshot 20240918 released!
Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20240918 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: emacs ffmpeg-4 gnome-online-accounts (3.50.4 -> 3.50.5) gnome-shell (46.4 -> 46.5) gnome-software (46.4 -> 46.5) groff groff-full gvfs (1.54.2 -> 1.54.3) kexec-tools kwallet libadwaita (1.5.3 -> 1.5.4) librsvg (2.58.3 -> 2.58.4) mc (4.8.31 -> 4.8.32) mutter (46.4 -> 46.5) openSUSE-release (20240917 -> 20240918) ovmf pam pam-config (2.11+git.20240906 -> 2.11+git.20240911) pam-full-src polari (46.0 -> 46.0+18) poppler poppler-qt6 python-cryptography python311 (3.11.9 -> 3.11.10) python311-core (3.11.9 -> 3.11.10) wayland (1.23.0 -> 1.23.1) === Details === ==== emacs ==== Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags - Add patch emacs-gcc14.patch to make flymake-tests work even with gcc14 (backport from upstream master) ==== ffmpeg-4 ==== Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9 - Add ffmpeg-4-CVE-2024-7055.patch: Backporting 3faadbe2 from upstream, Use 64bit for input size check, Fixes: out of array read, Fixes: poc3. (CVE-2024-7055, bsc#1229026) ==== gnome-online-accounts ==== Version update (3.50.4 -> 3.50.5) Subpackages: gnome-online-accounts-lang libgoa-1_0-0 libgoa-backend-1_0-2 - Update to version 3.50.5: + goaimapsmtpprovider: quick fix for yahoo auto-detect + Updated translations. ==== gnome-shell ==== Version update (46.4 -> 46.5) Subpackages: gnome-extensions gnome-shell-calendar gnome-shell-lang - Update to version 46.5: + Fix smartcard logins + Fix glitch when quick settings menu animation is interrupted + Fix new wifi connections for restricted users + Do not disable required animations + Fix showing pending PAM messages on login screen + Plugged leak + Misc. bug fixes and cleanups + Updated translations. - Drop gnome-shell-private-connection.patch: Should not be needed anymore after changes upstream. ==== gnome-software ==== Version update (46.4 -> 46.5) Subpackages: gnome-software-lang gnome-software-plugin-packagekit - Update to version 46.5: + Reduce power usage when the main window is closed. + Updated translations. ==== groff ==== - Add groff-restore-hyphen-minus.patch (bsc#1226153) ==== groff-full ==== Subpackages: gxditview - Add groff-restore-hyphen-minus.patch (bsc#1226153) ==== gvfs ==== Version update (1.54.2 -> 1.54.3) Subpackages: gvfs-backend-afc gvfs-backend-goa gvfs-backend-samba gvfs-backends gvfs-fuse gvfs-lang - Update to version 1.54.3: + onedrive: - Set name of drive root - Handle multiple drives with same IDs - Guess mime type locally if not set by the server + Updated translations. ==== kexec-tools ==== - To create rckexec-reload, the service binary is required at build time. This binary is provided by aaa_base. Make sure this package is available during build. ==== kwallet ==== Subpackages: kwallet-tools kwallet-tools-lang kwalletd5 kwalletd5-lang libKF5Wallet5 libkwalletbackend5-5 - Use the %lang_package macro for kwallet-tools-lang (boo#1230570) ==== libadwaita ==== Version update (1.5.3 -> 1.5.4) Subpackages: libadwaita-1-0 libadwaita-lang typelib-1_0-Adw-1 - Update to version 1.5.4: + AdwAboutDialog/Window: Support non-deprecated GPL-2/3.0-only SPDX IDs + AdwHeaderBar: Fix back button menu picking up phantom pages in some situations + AdwTabBar/Overview: Fix 2 crashes with drag-n-drop + Stylesheet: Fix scroll undershoot in dropdowns and emoji picker + Updated translations. ==== librsvg ==== Version update (2.58.3 -> 2.58.4) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0 - Update to version 2.58.4: + Fix regression when using an SVG inside a feImage element. ==== mc ==== Version update (4.8.31 -> 4.8.32) Subpackages: mc-lang - Update to 4.8.32: - Core - Tell the current directory to the terminal using OSC 7 sequence (so it can open new tabs there) (#3088) - Preserve ext2fs attributes on copy/move operations (#4532) - Change name of temporary directory: make it unique for each run (#4535) - Hide password in file operation progress dialog (#4541) - Support reget in file move operation (#4563) - Implement nanosecond precision timestamps on non-Linux (macOS, BSD, AIX, Solaris) (#4563) - Remove remaining mmap code to simplify maintenance (#3960) - VFS - extfs: support unrar-7 (#4518) - Editor - Improve syntax highlighting: - C and C++ (MidnightCommander?/mc#195, #4556) - Viewer - Diff viewer - Add man page mcdiff.1 (#4224) - Misc - Code cleanup (#4524) - New skins - xoria256-thin, xoria256root-thin (#4530) - modarcon16-defbg-thin, modarcon16-thin, modarcon16root-defbg-thin, modarcon16root-thin (#4530) - modarin256-defbg-thin, modarin256-thin, modarin256root-defbg-thin, modarin256root-thin (#4530) - julia256root (#4536) - mc.ext.ini: clarify escaping of spaces and parenthesis (#4502) - Fixes - External editor does not work with arguments in $EDITOR (#4533) - fish shell: strings " cd (printf '%b' ... " in history (#4521) - Redundant back slashes for autocomplete (#4292) - subshell: call execl with argv[0] that is not an actual path to Bash (#4549) - mcedit: php.syntax: comment highlight from start of light only (#4519) - mcedit: wrong replacement using regular expressions with begin or end of line (#4525, #4526) - mcedit: losing column position when navigating up/down (MidnightCommander?/mc#194) - mcedit: macro deletes text (#4540) - mcedit: macros are applied to the pasted text (#4562) - extfs: iso9660: xorriso is slow to open an ISO image (#3570, #4567) - extfs: u7z: wrong add of nested directories to archive (#4559) - extfs: segfault on enter to deleted archive (#4560) - tar: segfault on copy files from archive (#4561) - man: typo (#4550) - Remove mc-extfs-iso9660-xorriso.patch patch which doesn't apply anymore. - Other patches reapplied. ==== mutter ==== Version update (46.4 -> 46.5) Subpackages: mutter-lang - Update to version 45.5: + Fix drag and drop between X11 and wayland clients + Fix drag and drop from grabbing popups + Fix EGLDevice support + Fix frozen cursor on some hybrid machines + Fix touch window dragging with pointer lock enabled + Fix propagating tablet device removals to clients + Fix tablet input in maximized windows + Reduce damage on window movement + Fix frozen cursor after suspend + Fix using modifiers on multi-GPU setups + Fixed crashes + Misc. bug fixes and cleanups + Updated translations. ==== openSUSE-release ==== Version update (20240917 -> 20240918) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== ovmf ==== Subpackages: qemu-ovmf-x86_64 - Add ovmf-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in (bsc#1230587) ==== pam ==== Subpackages: pam-32bit - baselibs.conf: add pam-userdb - pam_limits-systemd.patch: update to final PR - Add systemd-logind support to pam_limits (pam_limits-systemd.patch) - Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions ==== pam-config ==== Version update (2.11+git.20240906 -> 2.11+git.20240911) - Add PreRequires for pam-extra, several other packages depend on that pam_limits is installed and enabled by default - Update to version 2.11+git.20240911: * Only add pam_limits if available ==== pam-full-src ==== - baselibs.conf: add pam-userdb - pam_limits-systemd.patch: update to final PR - Add systemd-logind support to pam_limits (pam_limits-systemd.patch) - Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions ==== polari ==== Version update (46.0 -> 46.0+18) Subpackages: polari-lang - Update to version 46.0+18: + joinDialog: Fix closing the dialog. + Updated translations. ==== poppler ==== Subpackages: libpoppler-cpp1 libpoppler-glib8 libpoppler139 poppler-tools - Poppler can load ghostscript fonts (n022003l.pfb and the like) so the package now recommends the ghostscript-fonts-std package (boo#1230636). ==== poppler-qt6 ==== - Poppler can load ghostscript fonts (n022003l.pfb and the like) so the package now recommends the ghostscript-fonts-std package (boo#1230636). ==== python-cryptography ==== - Fix building on SLE based distributions ==== python311 ==== Version update (3.11.9 -> 3.11.10) Subpackages: python311-curses python311-dbm python311-x86-64-v3 - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts * mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check if the *strict* paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - Removed upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch - CVE-2024-6923-email-hdr-inject.patch - CVE-2024-8088-inf-loop-zipfile_Path.patch - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). ==== python311-core ==== Version update (3.11.9 -> 3.11.10) Subpackages: libpython3_11-1_0 libpython3_11-1_0-x86-64-v3 python311-base python311-base-x86-64-v3 - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts * mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check if the *strict* paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - Removed upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch - CVE-2024-6923-email-hdr-inject.patch - CVE-2024-8088-inf-loop-zipfile_Path.patch - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). ==== wayland ==== Version update (1.23.0 -> 1.23.1) Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Update to release 1.23.1: * meson: Fix use of install_data() without specifying install_dir * Put WL_DEPRECATED in front of the function declarations * client: Handle proxies with no queue * scanner: extract validator function emission to helper function * scanner: fix validator for bitfields * tests: add enum bitfield test
participants (1)
-
Dominique Leuenberger