Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&... Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: bash (5.0.18 -> 5.1.4) dnsmasq (2.82 -> 2.83) gstreamer (1.18.2 -> 1.18.3) gstreamer-plugins-bad (1.18.2 -> 1.18.3) gstreamer-plugins-base (1.18.2 -> 1.18.3) gstreamer-plugins-good (1.18.2 -> 1.18.3) gstreamer-plugins-libav (1.18.2 -> 1.18.3) gstreamer-plugins-ugly (1.18.2 -> 1.18.3) libqt5-qtbase ncurses (6.2.20201205 -> 6.2.20210109) openldap2 (2.4.56 -> 2.4.57) perl-Mojolicious (8.70 -> 8.71) perl-Net-DNS (1.28 -> 1.29) publicsuffix (20201223 -> 20210108) qemu readline (8.0 -> 8.1) rubygem-cri rubygem-delayed_job (4.1.8 -> 4.1.9) rubygem-delayed_job_active_record (4.1.4 -> 4.1.5) rubygem-pdf-core (0.8.1 -> 0.9.0) rubygem-ttfunk (1.6.2.1 -> 1.7.0) rubygem-xml-simple (1.1.5 -> 1.1.8) vlc (3.0.11.1 -> 3.0.12) vulkan-loader (1.2.162.0 -> 1.2.165) === Details === ==== bash ==== Version update (5.0.18 -> 5.1.4) Subpackages: bash-doc bash-lang - Update to final bash 5.1 * Which is mainly the last rc3 veresion - Add official patch bash51-001 There is a missing dependency on a constructed file, which can cause highly parellel builds to fail. - Add official patch bash51-002 If there are no jobs, and the `-n' and `-p' options are both supplied to `wait', bash can assign a value to the variable name specified with `-p' instead of leaving it unset. - Add official patch bash51-003 Bash does not put a command substitution process that is started to perform an expansion in a child process into the right process group where it can receive keyboard-generated signals. - Add official patch bash51-004 If a key-value compound array assignment to an associative array is supplied as an assignment statement argument to the `declare' command that declares the array, the assignment doesn't perform the correct word expansions. This patch makes key-value assignment and subscript assignment perform the same expansions when they're supplied as an argument to `declare'. - Update to bash 5.1 rc3 * The `assoc_expand_once' option now affects the evaluation of the -v primary to test and the [[ compound command. ==== dnsmasq ==== Version update (2.82 -> 2.83) - Update to 2.83: * bsc#1177077: Fixed DNSpooq vulnerabilities * Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers. * Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 CVE-2020-25687. * Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684. * Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685 * Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficent but in practise not a problem, _except_ that is means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a succesful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686. ==== gstreamer ==== Version update (1.18.2 -> 1.18.3) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.18.3: + Highlighted bugfixes: - Fix ogg playback regression for ogg files that also have ID3 or APE tags - compositor: fix artefacts and invalid memory access when blending subsampled formats - Exported mini object ref/unref/copy functions for use in bindings such as gstreamer-sharp - Add support for Apple silicon (M1) to cerbero package builder - Ship RIST plugin in binary packages - Various stability, performance and reliability improvements - Memory leak fixes - Build fixes + gstreamer: - gst: Add non-inline ref/unref/copy/replace methods for various mini objects (buffer, bufferlist, caps, context, event, memory, message, promise, query, sample, taglist, uri) for use in bindings such as gstreamer-sharp. - harness: don't use GST_DEBUG_OBJECT with GstHarness which is not a GObject. ==== gstreamer-plugins-bad ==== Version update (1.18.2 -> 1.18.3) Subpackages: gstreamer-plugins-bad-lang gstreamer-transcoder libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 typelib-1_0-GstTranscoder-1_0 - Update to version 1.18.3: + assrender: fix mutex handling in certain flushing/error situations + dvbsuboverlay: Add support for dynamic resolution update + dashsink: fix critical log of dynamic pipeline + d3d11shader: Fix ID3DBlob object leak + d3d11videosink: Prepare window once streaming started + decklinkaudiosrc: Fix duration of the first audio frame after each discont + intervideosrc: fix negotiation of interlaced caps + msdk: - Needn't close mfx session when failed, fixes double free / potential crash - Check GstMsdkContext instead of mfxSession instance + srt: fix locking when retrieving stats + rtmp2src: fix leaks when connection is cancelled during startup or connection fails ==== gstreamer-plugins-base ==== Version update (1.18.2 -> 1.18.3) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.18.3: + audiorate: Make buffer writable before changing its metadata + compositor: fix blending of subsampled components + decodebin3: - When reconfiguring a slot make sure that the ghostpad is unlinked - Release selection lock when pushing EOS + encodebasebin: Ensure that parsers are compatible with selected encoders + tagdemux: resize and trim buffer in place to fix interaction with oggdemux + videoaggregator: Pop out old buffers on timeout + video-blend: fix blending 8-bit and 16-bit frames together + appsrc: fix signal documentation + gl: document some GL caps specifics + libvisual: workaround clang compiler warning ==== gstreamer-plugins-good ==== Version update (1.18.2 -> 1.18.3) Subpackages: gstreamer-plugins-good-extra gstreamer-plugins-good-gtk gstreamer-plugins-good-jack gstreamer-plugins-good-lang gstreamer-plugins-good-qtqml - Update to version 1.18.3: + splitmuxsink: - Avoid deadlock when releasing a pad from a running muxer - Fix bogus fragment split + v4l2object: Map correct video format for RGBA + videoflip: fix possible crash when changing video-direction/method while running ==== gstreamer-plugins-libav ==== Version update (1.18.2 -> 1.18.3) - Update to version 1.18.3: + avauddec: Drain decoder on decoding failure, fixes timestamps after decoding errors ==== gstreamer-plugins-ugly ==== Version update (1.18.2 -> 1.18.3) Subpackages: gstreamer-plugins-ugly-lang - Update to version 1.18.3: + No changes ==== libqt5-qtbase ==== Subpackages: libQt5Concurrent5 libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5 libQt5OpenGL5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-mysql libQt5Sql5-sqlite libQt5Test5 libQt5Widgets5 libQt5Xml5 libqt5-qtbase-platformtheme-gtk3 - Add patch to fix infinite loop in KWin on XServer exit: * 0001-Let-QXcbConnection-getTimestamp-properly-exit-when-X.patch - Spec file cleanup, remove conditionals for Leap 42.x ==== ncurses ==== Version update (6.2.20201205 -> 6.2.20210109) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20210109 + fix errata in man/ncurses.3x from recent updates. + improve quoting/escaping in configure script, uses some features of autoconf 2.52.20210105 - Add ncurses patch 20210102 + update man/curs_memleaks.3x, to include <term.h> which declares exit_terminfo. + clarify man/curs_terminfo.3x, to mention why the macro setterm is defined in <curses.h>, and remove it from the list of prototypes (prompted by patch by Graeme McCutcheon). + amend man/curs_terminfo.3x, to note that <curses.h> is required for certain functions, e.g., those using chtype or attr_t for types, as well as mvcur (cf: 20201031). + use parameter-names in prototypes in curs_sp_funcs.3x, for consistency with other manpages. - Add ncurses patch 20201227 + update terminology entry to 1.8.1 -TD + fix some compiler-warnings which gcc8 reports incorrectly. - Add ncurses patch 20201219 + suppress hyphenation in generated html for manpages, to address regression in upgrade of groff 1.22.2 to 1.22.3. + fix inconsistent sort-order in see-also sections of manpages (report by Chris Bennett). - Port patch ncurses-6.2.dif - Add ncurses patch 20201212 + improve manual pages for form field-types. ==== openldap2 ==== Version update (2.4.56 -> 2.4.57) Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client - updated to 2.4.57 OpenLDAP 2.4.57 Release (2021/01/18) Fixed ldapexop to use correct return code (ITS#9417) Fixed slapd to remove asserts in UUIDNormalize (ITS#9391) Fixed slapd to remove assert in csnValidate (ITS#9410) Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427) Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424) Fixed slapd AVA sort with invalid RDN (ITS#9412) Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425) Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407) Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409) Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413) Fixed slapd modrdn memory leak (ITS#9420) Fixed slapd double-free in vrfilter (ITS#9408) Fixed slapd cancel operation to correctly terminate (ITS#9428) Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400) Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394) ==== perl-Mojolicious ==== Version update (8.70 -> 8.71) - updated to 8.71 see /usr/share/doc/packages/perl-Mojolicious/Changes 8.71 2021-01-17 - Added EXPERIMENTAL freeze option to reset method in Mojo::IOLoop. - Improved Mojo::IOLoop::Subprocess not to close connections after fork. ==== perl-Net-DNS ==== Version update (1.28 -> 1.29) - update to 1.29 Include test number in summary of failed non-fatal tests. Remove Net::DNS::SEC specific tests. Fix faulty test plan in t/08-recurse.t. ==== publicsuffix ==== Version update (20201223 -> 20210108) - Update to version 20210108: * Added ghost.io to PSL (#1180) * Add myshopify.com (#1179) ==== qemu ==== Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-gluster qemu-block-iscsi qemu-block-nfs qemu-block-rbd qemu-block-ssh qemu-chardev-baum qemu-chardev-spice qemu-guest-agent qemu-hw-display-qxl qemu-hw-display-virtio-gpu qemu-hw-display-virtio-gpu-pci qemu-hw-display-virtio-vga qemu-hw-usb-redirect qemu-hw-usb-smartcard qemu-ipxe qemu-ksm qemu-kvm qemu-lang qemu-microvm qemu-ppc qemu-s390x qemu-seabios qemu-sgabios qemu-skiboot qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-opengl qemu-ui-spice-app qemu-ui-spice-core qemu-vgabios qemu-vhost-user-gpu qemu-x86 - Fix qemu-testsuite issue where white space processing gets handled differently under bash 5.1 (boo#1181054) iotests-Fix-_send_qemu_cmd-with-bash-5.1.patch - Convert qemu-kvm from a script to a symlink. Using qemu-kvm to invoke the QEMU emulator has been deprecated for some time, but is still provided. It has as it's ancient origins a version of QEMU which had KVM acceleration enabled by default, and then recently, until now, it is a shell script which execs the QEMU emulator, adding '-machine accel=kvm' to the beginning of the list of command line options passed to the emulator. This method collides with the now preferred method of specifying acceleration options by using -accel. qemu-kvm is now changed to simply be a symlink to the same QEMU binary which the prior script exec'd. This new approach takes advantage of a built-in QEMU feature where if QEMU is invoked using a program name ending in 'kvm', KVM emulation is enabled. This approach is better in that it is more compatible with any other command line option that may be added for describing acceleration. For those who have modified qemu-kvm to add additional command line options, or take other actions in the context of the script you will now need to create an alternate script "emulator" to achieve the same result. Note that it's possible there may be some very subtle behavioral difference in the switch from a script to a symlink, but given that qemu-kvm is a deprecated package, we're not going to worry about that. ==== readline ==== Version update (8.0 -> 8.1) Subpackages: libreadline8 readline-doc - Update to final readline-8.1 which is mainly rc3 - Remove obsolate patches and the signatures * readline80-001 * readline80-001.sig * readline80-002 * readline80-002.sig * readline80-003 * readline80-003.sig * readline80-004 * readline80-004.sig - Port patches * readline-5.2-conf.patch * readline-6.2-metamode.patch * readline-6.3-destdir.patch * readline-6.3-input.dif * readline-6.3-rltrace.patch * readline-7.0-screen.patch - Port and rename patch readline-8.0.dif which is now readline-8.1.dif - Update to readline-8.1-rc3 for testing * Fixed a bug that could cause point to be set beyond the end of the line buffer when aborting an incremental search. - Update to readline-8.1-rc2 for testing * Bracketed paste mode is enabled by default. There is a configure-time option (--enable-bracketed-paste-default) to set the default to on or off. * Terminals that are named "dumb" or unknown do not enable bracketed paste by default. * Ensure that disabling bracketed paste turns off highlighting the incremental search string when the search is successful. - Remove patch readline-8.1-bracketed_paste_off.patch and use the new build time configuration ==== rubygem-cri ==== - limit to ruby 2.7 on TW ==== rubygem-delayed_job ==== Version update (4.1.8 -> 4.1.9) - updated to version 4.1.9 Support for Rails 6.1 Add support for parameterized mailers via delay call (#1121) ==== rubygem-delayed_job_active_record ==== Version update (4.1.4 -> 4.1.5) - updated to version 4.1.5 no changelog found, but allows Rails 6.1 ==== rubygem-pdf-core ==== Version update (0.8.1 -> 0.9.0) updated to version 0.9.0 no changelog found ==== rubygem-ttfunk ==== Version update (1.6.2.1 -> 1.7.0) updated to version 1.7.0 see installed CHANGELOG.md [#]# 1.7.0 [#]## Changes * Allow gem installation on Ruby 3.0 Pavel Lobashov * Allow TTC files to be read from IO object Tom de Grunt ==== rubygem-xml-simple ==== Version update (1.1.5 -> 1.1.8) updated to version 1.1.8 no changelog found ==== vlc ==== Version update (3.0.11.1 -> 3.0.12) Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX vlc-qt vlc-vdpau - Update to version 3.0.12: + Access: Add new RIST access module compliant with simple profile (VSF_TR-06-1). + Access Output: Add new RIST access output module compliant with simple profile (VSF_TR-06-1). + Demux: Fixed adaptive's handling of resolution settings. + Audio output: Fix audio distortion on macOS during start of playback. + Video Output: Direct3D11: Fix some potential crashes when using video filters. + Misc: - Several fixes in the web interface, including privacy and security improvements - Update YouTube and Vocaroo scripts. + Updated translations. - Drop vlc-CVE-2020-26664.patch: fixed upstream. - Drop fix-missing-includes-with-qt-5.15.patch: fixed upstream. ==== vulkan-loader ==== Version update (1.2.162.0 -> 1.2.165) - update to 1.2.165: * loader: Properly check for elevated permissions * loader: Remove SEEK_END usage * Rename LIB_SUFFIX to VULKAN_LIB_SUFFIX * build: Update known-good files for 1.2.165 header