New Tumbleweed snapshot 20210120 released! - openSUSE Factory

21 Jan 2021

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&am…

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  bash (5.0.18 -> 5.1.4)
  dnsmasq (2.82 -> 2.83)
  gstreamer (1.18.2 -> 1.18.3)
  gstreamer-plugins-bad (1.18.2 -> 1.18.3)
  gstreamer-plugins-base (1.18.2 -> 1.18.3)
  gstreamer-plugins-good (1.18.2 -> 1.18.3)
  gstreamer-plugins-libav (1.18.2 -> 1.18.3)
  gstreamer-plugins-ugly (1.18.2 -> 1.18.3)
  libqt5-qtbase
  ncurses (6.2.20201205 -> 6.2.20210109)
  openldap2 (2.4.56 -> 2.4.57)
  perl-Mojolicious (8.70 -> 8.71)
  perl-Net-DNS (1.28 -> 1.29)
  publicsuffix (20201223 -> 20210108)
  qemu
  readline (8.0 -> 8.1)
  rubygem-cri
  rubygem-delayed_job (4.1.8 -> 4.1.9)
  rubygem-delayed_job_active_record (4.1.4 -> 4.1.5)
  rubygem-pdf-core (0.8.1 -> 0.9.0)
  rubygem-ttfunk (1.6.2.1 -> 1.7.0)
  rubygem-xml-simple (1.1.5 -> 1.1.8)
  vlc (3.0.11.1 -> 3.0.12)
  vulkan-loader (1.2.162.0 -> 1.2.165)

=== Details ===

==== bash ====
Version update (5.0.18 -> 5.1.4)
Subpackages: bash-doc bash-lang

- Update to final bash 5.1
  * Which is mainly the last rc3 veresion
- Add official patch bash51-001
  There is a missing dependency on a constructed file, which can cause highly
  parellel builds to fail.
- Add official patch bash51-002
  If there are no jobs, and the `-n' and `-p' options are both supplied to
  `wait', bash can assign a value to the variable name specified with `-p'
  instead of leaving it unset.
- Add official patch bash51-003
  Bash does not put a command substitution process that is started to perform an
  expansion in a child process into the right process group where it can receive
  keyboard-generated signals.
- Add official patch bash51-004
  If a key-value compound array assignment to an associative array is supplied
  as an assignment statement argument to the `declare' command that declares the
  array, the assignment doesn't perform the correct word expansions.
  This patch makes key-value assignment and subscript assignment perform the
  same expansions when they're supplied as an argument to `declare'.
- Update to bash 5.1 rc3
  * The `assoc_expand_once' option now affects the evaluation of the -v primary
    to test and the [[ compound command.

==== dnsmasq ====
Version update (2.82 -> 2.83)

- Update to 2.83:
  * bsc#1177077: Fixed DNSpooq vulnerabilities
  * Use the values of --min-port and --max-port in outgoing
    TCP connections to upstream DNS servers.
  * Fix a remote buffer overflow problem in the DNSSEC code.
    Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
    to this, referenced by CVE-2020-25681, CVE-2020-25682,
    CVE-2020-25683 CVE-2020-25687.
  * Be sure to only accept UDP DNS query replies at the address
    from which the query was originated. This keeps as much
    entropy in the {query-ID, random-port} tuple as possible, to
    help defeat cache poisoning attacks. Refer: CVE-2020-25684.
  * Use the SHA-256 hash function to verify that DNS answers
    received are for the questions originally asked. This replaces
    the slightly insecure SHA-1 (when compiled with DNSSEC) or
    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
  * Handle multiple identical near simultaneous DNS queries better.
    Previously, such queries would all be forwarded independently.
    This is, in theory, inefficent but in practise not a problem,
    _except_ that is means that an answer for any of the forwarded
    queries will be accepted and cached.
    An attacker can send a query multiple times, and for each
    repeat, another {port, ID} becomes capable of accepting the
    answer he is sending in the blind, to random IDs and ports.
    The chance of a succesful attack is therefore multiplied by the
    number of repeats of the query. The new behaviour detects
    repeated queries and merely stores the clients sending repeats
    so that when the first query completes, the answer can be sent
    to all the clients who asked. Refer: CVE-2020-25686.

==== gstreamer ====
Version update (1.18.2 -> 1.18.3)
Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.18.3:
  + Highlighted bugfixes:
  - Fix ogg playback regression for ogg files that also have ID3
    or APE tags
  - compositor: fix artefacts and invalid memory access when
    blending subsampled formats
  - Exported mini object ref/unref/copy functions for use in
    bindings such as gstreamer-sharp
  - Add support for Apple silicon (M1) to cerbero package builder
  - Ship RIST plugin in binary packages
  - Various stability, performance and reliability improvements
  - Memory leak fixes
  - Build fixes
  + gstreamer:
  - gst: Add non-inline ref/unref/copy/replace methods for
    various mini objects (buffer, bufferlist, caps, context,
    event, memory, message, promise, query, sample, taglist, uri)
    for use in bindings such as gstreamer-sharp.
  - harness: don't use GST_DEBUG_OBJECT with GstHarness which is
    not a GObject.

==== gstreamer-plugins-bad ====
Version update (1.18.2 -> 1.18.3)
Subpackages: gstreamer-plugins-bad-lang gstreamer-transcoder libgstadaptivedemux-1_0-0
libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0
libgstcodecs-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0
libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstvulkan-1_0-0
libgstwayland-1_0-0 libgstwebrtc-1_0-0 typelib-1_0-GstTranscoder-1_0

- Update to version 1.18.3:
  + assrender: fix mutex handling in certain flushing/error
    situations
  + dvbsuboverlay: Add support for dynamic resolution update
  + dashsink: fix critical log of dynamic pipeline
  + d3d11shader: Fix ID3DBlob object leak
  + d3d11videosink: Prepare window once streaming started
  + decklinkaudiosrc: Fix duration of the first audio frame after
    each discont
  + intervideosrc: fix negotiation of interlaced caps
  + msdk:
  - Needn't close mfx session when failed, fixes double free /
    potential crash
  - Check GstMsdkContext instead of mfxSession instance
  + srt: fix locking when retrieving stats
  + rtmp2src: fix leaks when connection is cancelled during startup
    or connection fails

==== gstreamer-plugins-base ====
Version update (1.18.2 -> 1.18.3)
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0
libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0
libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0
typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0
typelib-1_0-GstVideo-1_0

- Update to version 1.18.3:
  + audiorate: Make buffer writable before changing its metadata
  + compositor: fix blending of subsampled components
  + decodebin3:
  - When reconfiguring a slot make sure that the ghostpad is
    unlinked
  - Release selection lock when pushing EOS
  + encodebasebin: Ensure that parsers are compatible with selected
    encoders
  + tagdemux: resize and trim buffer in place to fix interaction
    with oggdemux
  + videoaggregator: Pop out old buffers on timeout
  + video-blend: fix blending 8-bit and 16-bit frames together
  + appsrc: fix signal documentation
  + gl: document some GL caps specifics
  + libvisual: workaround clang compiler warning

==== gstreamer-plugins-good ====
Version update (1.18.2 -> 1.18.3)
Subpackages: gstreamer-plugins-good-extra gstreamer-plugins-good-gtk
gstreamer-plugins-good-jack gstreamer-plugins-good-lang gstreamer-plugins-good-qtqml

- Update to version 1.18.3:
  + splitmuxsink:
  - Avoid deadlock when releasing a pad from a running muxer
  - Fix bogus fragment split
  + v4l2object: Map correct video format for RGBA
  + videoflip: fix possible crash when changing
    video-direction/method while running

==== gstreamer-plugins-libav ====
Version update (1.18.2 -> 1.18.3)

- Update to version 1.18.3:
  + avauddec: Drain decoder on decoding failure, fixes timestamps
    after decoding errors

==== gstreamer-plugins-ugly ====
Version update (1.18.2 -> 1.18.3)
Subpackages: gstreamer-plugins-ugly-lang

- Update to version 1.18.3:
  + No changes

==== libqt5-qtbase ====
Subpackages: libQt5Concurrent5 libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5
libQt5OpenGL5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-mysql libQt5Sql5-sqlite
libQt5Test5 libQt5Widgets5 libQt5Xml5 libqt5-qtbase-platformtheme-gtk3

- Add patch to fix infinite loop in KWin on XServer exit:
  * 0001-Let-QXcbConnection-getTimestamp-properly-exit-when-X.patch
- Spec file cleanup, remove conditionals for Leap 42.x

==== ncurses ====
Version update (6.2.20201205 -> 6.2.20210109)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm
terminfo-screen

- Add ncurses patch 20210109
  + fix errata in man/ncurses.3x from recent updates.
  + improve quoting/escaping in configure script, uses some features of
    autoconf 2.52.20210105
- Add ncurses patch 20210102
  + update man/curs_memleaks.3x, to include <term.h> which declares
    exit_terminfo.
  + clarify man/curs_terminfo.3x, to mention why the macro setterm is
    defined in <curses.h>, and remove it from the list of prototypes
    (prompted by patch by Graeme McCutcheon).
  + amend man/curs_terminfo.3x, to note that <curses.h> is required
    for certain functions, e.g., those using chtype or attr_t for
    types, as well as mvcur (cf: 20201031).
  + use parameter-names in prototypes in curs_sp_funcs.3x, for
    consistency with other manpages.
- Add ncurses patch 20201227
  + update terminology entry to 1.8.1 -TD
  + fix some compiler-warnings which gcc8 reports incorrectly.
- Add ncurses patch 20201219
  + suppress hyphenation in generated html for manpages, to address
    regression in upgrade of groff 1.22.2 to 1.22.3.
  + fix inconsistent sort-order in see-also sections of manpages (report
    by Chris Bennett).
- Port patch ncurses-6.2.dif
- Add ncurses patch 20201212
  + improve manual pages for form field-types.

==== openldap2 ====
Version update (2.4.56 -> 2.4.57)
Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client

- updated to 2.4.57
  OpenLDAP 2.4.57 Release (2021/01/18)
  Fixed ldapexop to use correct return code (ITS#9417)
  Fixed slapd to remove asserts in UUIDNormalize (ITS#9391)
  Fixed slapd to remove assert in csnValidate (ITS#9410)
  Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427)
  Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424)
  Fixed slapd AVA sort with invalid RDN (ITS#9412)
  Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423,
ITS#9425)
  Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407)
  Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409)
  Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413)
  Fixed slapd modrdn memory leak (ITS#9420)
  Fixed slapd double-free in vrfilter (ITS#9408)
  Fixed slapd cancel operation to correctly terminate (ITS#9428)
  Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400)
  Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394)

==== perl-Mojolicious ====
Version update (8.70 -> 8.71)

- updated to 8.71
  see /usr/share/doc/packages/perl-Mojolicious/Changes
  8.71  2021-01-17
  - Added EXPERIMENTAL freeze option to reset method in Mojo::IOLoop.
  - Improved Mojo::IOLoop::Subprocess not to close connections after fork.

==== perl-Net-DNS ====
Version update (1.28 -> 1.29)

- update to 1.29
  Include test number in summary of failed non-fatal tests.
  Remove Net::DNS::SEC specific tests.
  Fix faulty test plan in t/08-recurse.t.

==== publicsuffix ====
Version update (20201223 -> 20210108)

- Update to version 20210108:
  * Added ghost.io to PSL (#1180)
  * Add myshopify.com (#1179)

==== qemu ====
Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-gluster qemu-block-iscsi
qemu-block-nfs qemu-block-rbd qemu-block-ssh qemu-chardev-baum qemu-chardev-spice
qemu-guest-agent qemu-hw-display-qxl qemu-hw-display-virtio-gpu
qemu-hw-display-virtio-gpu-pci qemu-hw-display-virtio-vga qemu-hw-usb-redirect
qemu-hw-usb-smartcard qemu-ipxe qemu-ksm qemu-kvm qemu-lang qemu-microvm qemu-ppc
qemu-s390x qemu-seabios qemu-sgabios qemu-skiboot qemu-tools qemu-ui-curses qemu-ui-gtk
qemu-ui-opengl qemu-ui-spice-app qemu-ui-spice-core qemu-vgabios qemu-vhost-user-gpu
qemu-x86

- Fix qemu-testsuite issue where white space processing gets
  handled differently under bash 5.1 (boo#1181054)
  iotests-Fix-_send_qemu_cmd-with-bash-5.1.patch
- Convert qemu-kvm from a script to a symlink. Using qemu-kvm to
  invoke the QEMU emulator has been deprecated for some time,
  but is still provided. It has as it's ancient origins a version
  of QEMU which had KVM acceleration enabled by default, and then
  recently, until now, it is a shell script which execs the QEMU
  emulator, adding '-machine accel=kvm' to the beginning of the
  list of command line options passed to the emulator.
  This method collides with the now preferred method of specifying
  acceleration options by using -accel. qemu-kvm is now changed to
  simply be a symlink to the same QEMU binary which the prior
  script exec'd. This new approach takes advantage of a built-in
  QEMU feature where if QEMU is invoked using a program name ending
  in 'kvm', KVM emulation is enabled. This approach is better in
  that it is more compatible with any other command line option
  that may be added for describing acceleration.
  For those who have modified qemu-kvm to add additional command
  line options, or take other actions in the context of the script
  you will now need to create an alternate script "emulator" to
  achieve the same result. Note that it's possible there may be
  some very subtle behavioral difference in the switch from a
  script to a symlink, but given that qemu-kvm is a deprecated
  package, we're not going to worry about that.

==== readline ====
Version update (8.0 -> 8.1)
Subpackages: libreadline8 readline-doc

- Update to final readline-8.1
  which is mainly rc3
- Remove obsolate patches and the signatures
  * readline80-001
  * readline80-001.sig
  * readline80-002
  * readline80-002.sig
  * readline80-003
  * readline80-003.sig
  * readline80-004
  * readline80-004.sig
- Port patches
  * readline-5.2-conf.patch
  * readline-6.2-metamode.patch
  * readline-6.3-destdir.patch
  * readline-6.3-input.dif
  * readline-6.3-rltrace.patch
  * readline-7.0-screen.patch
- Port and rename patch readline-8.0.dif which is now readline-8.1.dif
- Update to readline-8.1-rc3 for testing
  * Fixed a bug that could cause point to be set beyond the end of the line
    buffer when aborting an incremental search.
- Update to readline-8.1-rc2 for testing
  * Bracketed paste mode is enabled by default. There is a configure-time
    option (--enable-bracketed-paste-default) to set the default to on or off.
  * Terminals that are named "dumb" or unknown do not enable bracketed paste
    by default.
  * Ensure that disabling bracketed paste turns off highlighting the incremental
    search string when the search is successful.
- Remove patch readline-8.1-bracketed_paste_off.patch and use the
  new build time configuration

==== rubygem-cri ====

- limit to ruby 2.7 on TW

==== rubygem-delayed_job ====
Version update (4.1.8 -> 4.1.9)

- updated to version 4.1.9
    Support for Rails 6.1
    Add support for parameterized mailers via delay call (#1121)

==== rubygem-delayed_job_active_record ====
Version update (4.1.4 -> 4.1.5)

- updated to version 4.1.5
  no changelog found, but allows Rails 6.1

==== rubygem-pdf-core ====
Version update (0.8.1 -> 0.9.0)

updated to version 0.9.0
  no changelog found

==== rubygem-ttfunk ====
Version update (1.6.2.1 -> 1.7.0)

updated to version 1.7.0
  see installed CHANGELOG.md
  [#]# 1.7.0
  [#]## Changes
  * Allow gem installation on Ruby 3.0
    Pavel Lobashov
  * Allow TTC files to be read from IO object
    Tom de Grunt

==== rubygem-xml-simple ====
Version update (1.1.5 -> 1.1.8)

updated to version 1.1.8
  no changelog found

==== vlc ====
Version update (3.0.11.1 -> 3.0.12)
Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX vlc-qt vlc-vdpau

- Update to version 3.0.12:
  + Access: Add new RIST access module compliant with simple
    profile (VSF_TR-06-1).
  + Access Output: Add new RIST access output module compliant with
    simple profile (VSF_TR-06-1).
  + Demux: Fixed adaptive's handling of resolution settings.
  + Audio output: Fix audio distortion on macOS during start of
    playback.
  + Video Output: Direct3D11: Fix some potential crashes when using
    video filters.
  + Misc:
  - Several fixes in the web interface, including privacy and
    security improvements
  - Update YouTube and Vocaroo scripts.
  + Updated translations.
- Drop vlc-CVE-2020-26664.patch: fixed upstream.
- Drop fix-missing-includes-with-qt-5.15.patch: fixed upstream.

==== vulkan-loader ====
Version update (1.2.162.0 -> 1.2.165)

- update to 1.2.165:
  * loader: Properly check for elevated permissions
  * loader: Remove SEEK_END usage
  * Rename LIB_SUFFIX to VULKAN_LIB_SUFFIX
  * build: Update known-good files for 1.2.165 header