Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.1&buil... https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&qu... When you reply to discuss some issues, make sure to change the subject. Please use the test plan at https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m... to record your testing efforts and use bugzilla to report bugs. Packages changed: gnuhealth-client (3.4.3 -> 3.4.4) hplip (3.17.9 -> 3.18.6) kipi-plugins (5.9.0 -> 5.9.1) libzypp-plugin-appdata mozilla-nss (3.40.1 -> 3.41.1) orc python-base python3-base samba (4.9.4+git.138.e50f45d83ad -> 4.9.5+git.149.9593f64a5c3) xerces-c === Details === ==== gnuhealth-client ==== Version update (3.4.3 -> 3.4.4) - version 3.4.4 - Security fix boo#1131707 ==== hplip ==== Version update (3.17.9 -> 3.18.6) Subpackages: hplip-hpijs hplip-sane - Remove dependency on python3-pillow on SLE (bsc#1131613), and remove the hp-scan tool that needs it. "scanimage" must be used instead. - don't mark /usr/lib/udev/rules.d/56-hpmud.rules as config file, fixes rpmlint warning (override it by copying it to /etc/udev/rules.d). - Fix hp-toolbox exiting after 10s under GNOME (bsc#1112331) * removed ui5-systemtray.py-make-children-exit-if-no-systray-f.patch Patch "ui5-systemtray-wait-only-10s-for-system-tray.patch" is sufficient to fix the logout problem (bsc#1112331, lp#1721534) - Fix hang during GNOME session logout (bsc#1112331, lp#1721534) * added ui5-systemtray.py-make-children-exit-if-no-systray-f.patch * added ui5-systemtray-wait-only-10s-for-system-tray.patch - removed Fix-scanning-with-python-pillow-4.2.0.patch as resolved upstream. Closes boo#1096755 - removed hplip-mdns.patch and hplip-mdns-retry-query.patch, since upstream further improved the code in this area - update to 3.18.7 avoided due to newly added ImageProcessor.so blob - update to 3.18.6: Added Support for the following new Printers: - HP DesignJet Z6810 42in PostScript - HP DesignJet Z6810 60in PostScript - HP DesignJet Z6610 60in PostScript - update to 3.18.5: Added Support for the following new Printers: - HP DesignJet T1700 PostScript - HP DesignJet T1700dr PostScript - HP Color LaserJet Pro M253a - HP Color LaserJet Pro M254dn - HP Color LaserJet Pro M254n - HP Color LaserJet Pro M254dne - HP Color LaserJet Pro M254nw - HP Color LaserJet Pro M254dw - HP Color LaserJet Pro M254cnw - HP Color LaserJet Pro M253nw - HP Color LaserJet Pro M253cnw - HP Color LaserJet Pro M254cdw - HP Color LaserJet Pro MFP M180nw - HP Color LaserJet Pro MFP M181fw - HP Color LaserJet Pro MFP M179fw - HP Color LaserJet Pro MFP M179cfw - HP Color LaserJet Pro MFP M181fnw - HP Color LaserJet Pro MFP M181cfw - HP Color LaserJet Pro MFP M180n - HP Color LaserJet Pro MFP M178cn - HP Color LaserJet Pro MFP M178n - HP Color LaserJet Pro MFP M180cn - HP Color LaserJet Pro MFP M281fdw - HP Color LaserJet Pro MFP M279fdw - HP Color LaserJet Pro MFP M281cdw - HP Color LaserJet Pro MFP M281fdn - HP Color LaserJet Pro MFP M281dne - HP Color LaserJet Pro MFP M278dn - HP Color LaserJet Pro MFP M280nw - HP Color LaserJet Pro MFP M278nw - HP Color LaserJet Pro MFP M278cw - HP Color LaserJet Pro MFP M280cnw - HP Color LaserJet Pro MFP M280c2 - HP Color LaserJet Pro M154a - HP Color LaserJet M153a - HP Color LaserJet M153b - HP Color LaserJet M154b - HP Color LaserJet M154nw - HP Color LaserJet M153nw - HP Color LaserJet M153cnw - HP Color LaserJet M153c1 - HP Color LaserJet M154cnw - HP Color LaserJet M154c1 - HP PageWide Managed Color P75250dn - HP PageWide Managed Color MFP P77940dns - HP PageWide Managed Color MFP P77940dn - HP PageWide Managed Color MFP P77940dn+ - HP PageWide Managed Color MFP P77950dns - HP PageWide Managed Color MFP P77950dn - HP PageWide Managed Color MFP P77950dn+ - HP PageWide Managed Color MFP P77960dns - HP PageWide Managed Color MFP P77960dn - HP PageWide Managed Color MFP P77960dn+ - HP PageWide Managed Color MFP P77440dn - HP PageWide Managed Color Flow MFP E77950z - HP PageWide Managed Color Flow MFP E77950zs - HP PageWide Managed Color Flow MFP E77950z+ - HP PageWide Managed Color Flow MFP E77960z - HP PageWide Managed Color Flow MFP E77960zs - HP PageWide Managed Color Flow MFP E77960zts - HP PageWide Managed Color Flow MFP E77960z+ - update to 3.18.4: Added Support for the following new Printers: - HP LaserJet Pro MFP M28a - HP LaserJet Pro MFP M29a - HP LaserJet Pro MFP M30a - HP LaserJet Pro MFP M31a - HP LaserJet Pro MFP M30c - HP LaserJet Pro MFP M31c - HP LaserJet Pro MFP M28w - HP LaserJet Pro MFP M29w - HP LaserJet Pro MFP M30w - HP LaserJet Pro MFP M31w - HP LaserJet Pro MFP M30cw - HP LaserJet Pro MFP M31cw - HP LaserJet Pro M14a - HP LaserJet Pro M15a - HP LaserJet Pro M16a - HP LaserJet Pro M17a - HP LaserJet Pro M14c - HP LaserJet Pro M17c - HP LaserJet Pro M14w - HP LaserJet Pro M15w - HP LaserJet Pro M16w - HP LaserJet Pro M17w - HP LaserJet Pro M14cw - HP LaserJet Pro M17cw Added Support for the following new Distros: - Ubuntu 18.04 Beta Version (64 bit) - Debian 9.2 (32 bit and 64 bit) - Debian 9.3 (32 bit and 64 bit) - Debian 9.4 (32 bit and 64 bit) - update to 3.18.3: Added Support for the following new Printers: - HP DesignJet Z2600 PostScript - HP DesignJet Z5600 PostScript - HP PageWide XL 8000ps Printer - HP PageWide XL 8000 Blueprinter - HP PageWide XL 5000 Printer - HP PageWide XL 5000 MFP - HP PageWide XL 5000 Blueprinter - HP PageWide XL 4500 Printer - HP PageWide XL 4500 MFP - HP PageWide XL 4000 Printer - HP PageWide XL 4000 MFP - HP PageWide XL 5100ps - HP PageWide XL 5100ps MFP - HP PageWide XL 5100ps MFP Blueprinter - HP PageWide XL 6000ps - HP PageWide XL 6000ps MFP Added Support for the following new Distros: - Manjaro Linux 17.1.4 (64 bit) - Fedora 27 (64 bit) - Linux Mint 18.3 (32 bit and 64 bit) Launchpad fixes: - 1736221 : hplip-3.17.11 source tarball contains compiled binaries - 1741214 : scan.py - scans cannot be saved as JPEG since python-pillow-4.2.0 - update to 3.17.11: Added Support for the following new Distros: - Ubuntu 17.10 (64bit) Other requirement: - Class Driver support - update to 3.17.10: Added Support for the following new Scanners: - HP Scanjet Enterprise Flow N9120 fn2 Document Scanner - HP Digital Sender Flow 8500 fn2 Document Capture Workstation Added Support for the following new Distros: - Debian 9.1 - refresh patches - adjust mdns.c changes (which looses newly added _uscan._tcp.local queries, but requires interface changes) - fix build due to unexpanded ppd/hpcups/*.ppd.gz usage in Makefile - require python3-Pillow for hp-scan to work (bsc#1100511) - Fix scanning with python-pillow 4.2.0 (boo#1096755, #lp1741214) * added Fix-scanning-with-python-pillow-4.2.0.patch - Fix bug in hpijs-avoid-segfault-in-DJGenericVIP-DJGenericVIP.patch: default behavior of DJ9xxVIP device must not be changed - avoid segfault in DJGenericVIP::DJGenericVIP() (boo#1094141, lp#1774660) * added hpijs-avoid-segfault-in-DJGenericVIP-DJGenericVIP.patch ==== kipi-plugins ==== Version update (5.9.0 -> 5.9.1) Subpackages: kipi-plugins-lang - Update to 5.9.1 * https://jriddell.org/2019/04/19/kipi-plugins-5-9-1-released/ * First official stand-alone release outside of digikam * No code changes - Drop kipi-plugins-lang.tar.xz, the translations are included in the source tarball - Remove ImageMagick, enblend-enfuse and hugin Recommends, nothing in kipi-plugins uses them anymore since a long time - Change URL to www.kde.org as it is no longer released by the digikam project - Make creation of lang package conditional ==== libzypp-plugin-appdata ==== - Only Recommend instead of require AppStream: Allow distros like SLE not to ship AppStream as part of the main channel, but only in PK for example. SLE only ships GNOME Software, which does not rely on the xapian database, so we don't need this cache being refreshed. On SLE+PH or openSUSE, we also have KDE Discover, where xapian becomes a topic (boo#1125898). ==== mozilla-nss ==== Version update (3.40.1 -> 3.41.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.41.1 * (3.41) required by Firefox 65.0 New functionality * Implemented EKU handling for IPsec IKE. (bmo#1252891) * Enable half-closed states for TLS. (bmo#1423043) * Enabled the following ciphersuites by default: (bmo#1493215) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 Notable changes * The following CA certificates were added: CN = Certigna Root CA CN = GTS Root R1 CN = GTS Root R2 CN = GTS Root R3 CN = GTS Root R4 CN = UCA Global G2 Root CN = UCA Extended Validation Root * The following CA certificates were removed: CN = AC Ra�z Certic�mara S.A. CN = Certplus Root CA G1 CN = Certplus Root CA G2 CN = OpenTrust Root CA G1 CN = OpenTrust Root CA G2 CN = OpenTrust Root CA G3 Bugs fixed * Reject empty supported_signature_algorithms in Certificate Request in TLS 1.2 (bmo#1412829) * Cache side-channel variant of the Bleichenbacher attack (bmo#1485864) (CVE-2018-12404) * Resend the same ticket in ClientHello after HelloRetryRequest (bmo#1481271) * Set session_id for external resumption tokens (bmo#1493769) * Reject CCS after handshake is complete in TLS 1.3 (bmo#1507179) * Add additional null checks to several CMS functions to fix a rare CMS crash. (bmo#1507135, bmo#1507174) (3.41.1) - removed obsolete patches nss-disable-ocsp-test.patch ==== orc ==== - Add relax-tests.patch to increase test timeouts to 2 minutes, also limit the max value for memcpy_speed.c test bsc#1130085 ==== python-base ==== Subpackages: libpython2_7-1_0 python-xml - bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch removing unnecessary (and potentially harmful) URL scheme local-file://. - bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. Upstream commits e37ef41 and 507bd8c. ==== python3-base ==== Subpackages: libpython3_6m1_0 - bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. (CVE-2019-9636) Upstream gh#python/cpython#12224 ==== samba ==== Version update (4.9.4+git.138.e50f45d83ad -> 4.9.5+git.149.9593f64a5c3) Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr0 libndr0-32bit libnetapi0 libnetapi0-32bit libsamba-credentials0 libsamba-credentials0-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-policy0-python3 libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap2 libsmbldap2-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-libs samba-libs-32bit samba-libs-python samba-libs-python3 samba-python3 samba-winbind samba-winbind-32bit - CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ). - CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703); - Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol <pid> debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744); ==== xerces-c ==== - Add patch to fix CVE-2017-12627 bsc#1083630 * xerces-c-CVE-2017-12627.patch -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org