[opensuse-factory] Leap 15.2 Build 498.2 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.2&build=498.2&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.2

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m...
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
  Mesa
  Mesa-drivers
  MozillaFirefox (60.6.2 -> 60.8.0)
  MozillaFirefox-branding-openSUSE
  aaa_base
  bash
  ceph (14.2.2.349+g6716a1e448 -> 14.2.2.354+g8878cf2360)
  chromium (76.0.3809.132 -> 77.0.3865.75)
  cups-filters (1.20.3 -> 1.25.0)
  curl (7.60.0 -> 7.66.0)
  desktop-file-utils
  device-mapper
  expat
  ghostscript
  ibus
  kernel-source (5.3.rc7 -> 5.3.0)
  kpat
  krb5
  libdrm
  libreoffice (6.2.5.2 -> 6.2.7.1)
  libstorage-ng (4.2.3 -> 4.2.11)
  libvirt (5.1.0 -> 5.7.0)
  lmdb
  lvm2
  makedumpfile (1.6.3 -> 1.6.6)
  openldap2
  python-Werkzeug
  python-cairo
  python-libvirt-python (5.1.0 -> 5.7.0)
  python-urllib3
  samba (4.9.5+git.176.375e1f05788 -> 4.9.5+git.187.71edee57d5a)
  yast2 (4.2.20 -> 4.2.21)
  yast2-control-center (4.1.7 -> 4.2.2)
  yast2-installation (4.2.12 -> 4.2.13)
  yast2-network (4.2.11 -> 4.2.12)
  yast2-packager (4.2.24 -> 4.2.25)
  yast2-schema (4.2.2 -> 4.2.3)
  yast2-security (4.2.1 -> 4.2.2)
  yast2-services-manager (4.2.4 -> 4.2.5)
  yast2-storage-ng (4.2.36 -> 4.2.38)
  yast2-ycp-ui-bindings (4.1.0 -> 4.2.1)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- U_intel-Add-support-for-Comet-Lake.patch
  * adds support for Cometlake (jira #SLE-4983, bsc#1137515)

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-dri-nouveau Mesa-gallium Mesa-libva
libvdpau_nouveau libvdpau_r300 libvdpau_r600 libvdpau_radeonsi
libvulkan_intel libvulkan_radeon libxatracker2

- U_intel-Add-support-for-Comet-Lake.patch
  * adds support for Cometlake (jira #SLE-4983, bsc#1137515)

==== MozillaFirefox ====
Version update (60.6.2 -> 60.8.0)
Subpackages: MozillaFirefox-translations-common MozillaFirefox-translations-other

- Mozilla Firefox Firefox ESR 60.8
  MFSA 2019-22 (bsc#1140868)
  * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
    Sandbox escape via installation of malicious language pack
  * CVE-2019-11711 (bmo#1552541)
    Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804)
    Cross-origin POST requests can be made with NPAPI plugins by
    following 308 redirects
  * CVE-2019-11713 (bmo#1528481)
    Use-after-free with HTTP/2 cached stream
  * CVE-2019-11729 (bmo#1515342)
    Empty or malformed p256-ECDH public keys may trigger a
    segmentation fault
  * CVE-2019-11715 (bmo#1555523)
    HTML parsing error can contribute to content XSS
  * CVE-2019-11717 (bmo#1548306)
    Caret character improperly escaped in origins
  * CVE-2019-11719 (bmo#1540541)
    Out-of-bounds read when importing curve25519 private key
  * CVE-2019-11730 (bmo#1558299)
    Same-origin policy treats all files in a directory as having the
    same-origin
  * CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
    bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822, bmo#1550498,
    bmo#1550498)
    Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- Mozilla Firefox Firefox 60.7.2
  MFSA 2019-19 (bsc#1138872)
  * CVE-2019-11708 (bmo#1559858)
    sandbox escape using Prompt:Open
- Mozilla Firefox Firefox 60.7.1
  MFSA 2019-18 (bsc#1138614)
  * CVE-2019-11707 (bmo#1544386)
    Type confusion in Array.pop
- Added the new Mozilla's GPG key with subkey fingerprint
  097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E,
  expiring on 2021-05-29 to the mozilla.keyring file
- Fix broken language plugins (bsc#1137792)
- update to Firefox ESR 60.7 (bsc#1135824)
  * Font and date adjustments to accommodate the new Reiwa era in Japan
  * MFSA 2019-14/CVE-2019-9817 (bmo#1540221)
    Stealing of cross-domain images using canvas
  * MFSA 2019-14/CVE-2019-9800 (bmo#1499108, bmo#1499719, bmo#1516325,
    bmo#1532465, bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612,
    bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136, bmo#1540166,
    bmo#1541580, bmo#1542097, bmo#1542324, bmo#1546327)
    Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
  * MFSA 2019-14/CVE-2019-9816 (bmo#1536768)
    Type confusion with object groups and UnboxedObjects
  * MFSA 2019-14/CVE-2019-9815 (bmo#1546544, bmo#https://mdsattacks.com/)
    Disable hyperthreading on content JavaScript threads on macOS
  * MFSA 2019-14/CVE-2019-11698 (bmo#1543191)
    Theft of user history data through drag and drop of hyperlinks to
    and from bookmarks
  * MFSA 2019-14/CVE-2019-11692 (bmo#1544670)
    Use-after-free removing listeners in the event listener manager
  * MFSA 2019-14/CVE-2019-11693 (bmo#1532525)
    Buffer overflow in WebGL bufferdata on Linux
  * MFSA 2019-14/CVE-2019-7317 (bmo#1542829)
    Use-after-free in png_image_free of libpng library
  * MFSA 2019-14/CVE-2019-9820 (bmo#1536405)
    Use-after-free of ChromeEventHandler by DocShell
  * MFSA 2019-14/CVE-2019-9818 (bmo#1542581)
    Use-after-free in crash generation server
  * MFSA 2019-14/CVE-2019-11691 (bmo#1542465)
    Use-after-free in XMLHttpRequest
  * MFSA 2019-14/CVE-2019-9819 (bmo#1532553)
    Compartment mismatch with fetch API
  * MFSA 2019-14/CVE-2019-11694 (bmo#1534196)
    Uninitialized memory memory leakage in Windows sandbox
- Sync with Devel:Desktop:Mozilla:*:next
- Enable Firefox to build with Rust >= 1.30 with fix. See below.
- update to 60.6.3 (bmo#1549249)
  * Further improvements to re-enable web extensions which had been
    disabled for users with a master password set.

==== MozillaFirefox-branding-openSUSE ====

- layout.word_select.stop_at_punctuation -> true (boo#1133163)

==== aaa_base ====
Subpackages: aaa_base-extras aaa_base-malloccheck

- Add patch git-07-82a17f1689e8957635c8ccaae7c9b3bff7f94d49.patch
  * add sysctl.d/51-network.conf to tighten network security a bit
    see also (boo#1146866) (jira#SLE-9132)

==== bash ====
Subpackages: bash-doc bash-lang libreadline7 readline-doc

- Rework patch readline-7.0-screen.patch again for bug boo#1143055
  * Map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as
    map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add patch bash-4.4-bgpoverflow.patch which is a backport from
  bash 5.0 to perform better with large numbers of sub processes
  (bsc#1133773)

==== ceph ====
Version update (14.2.2.349+g6716a1e448 -> 14.2.2.354+g8878cf2360)
Subpackages: librados2 librbd1

- Update to 14.2.2-354-g8878cf2360:
  + rgw: Move upload_info declaration out of conditional
    (bsc#1137189, https://github.com/SUSE/ceph/pull/325)

==== chromium ====
Version update (76.0.3809.132 -> 77.0.3865.75)

- Add patch from Fedora for cert transparency:
  * chromium-77.0.3865.75-certificate-transparency.patch
- Add patches from gentoo:
  * chromium-77-clang.patch
  * chromium-77-gcc-no-opt-safe-math.patch
  * chromium-77-no-cups.patch
  * chromium-77-std-string.patch
- Update patch old-libva.patch to build on openSUSE Leap 15.0
- Update to chromium 77.0.3865.75 bsc#1150425:
  * CVE-2019-5870: Use-after-free in media
  * CVE-2019-5871: Heap overflow in Skia
  * CVE-2019-5872: Use-after-free in Mojo
  * CVE-2019-5874: External URIs may trigger other browsers
  * CVE-2019-5875: URL bar spoof via download redirect
  * CVE-2019-5876: Use-after-free in media
  * CVE-2019-5877: Out-of-bounds access in V8
  * CVE-2019-5878: Use-after-free in V8
  * CVE-2019-5879: Extension can bypass same origin policy
  * CVE-2019-5880: SameSite cookie bypass
  * CVE-2019-5881: Arbitrary read in SwiftShader
  * CVE-2019-13659: URL spoof
  * CVE-2019-13660: Full screen notification overlap
  * CVE-2019-13661: Full screen notification spoof
  * CVE-2019-13662: CSP bypass
  * CVE-2019-13663: IDN spoof
  * CVE-2019-13664: CSRF bypass
  * CVE-2019-13665: Multiple file download protection bypass
  * CVE-2019-13666: Side channel using storage size estimate
  * CVE-2019-13667: URI bar spoof when using external app URIs
  * CVE-2019-13668: Global window leak via console
  * CVE-2019-13669: HTTP authentication spoof
  * CVE-2019-13670: V8 memory corruption in regex
  * CVE-2019-13671: Dialog box fails to show origin
  * CVE-2019-13673: Cross-origin information leak using devtools
  * CVE-2019-13674: IDN spoofing
  * CVE-2019-13675: Extensions can be disabled by trailing slash
  * CVE-2019-13676: Google URI shown for certificate warning
  * CVE-2019-13677: Chrome web store origin needs to be isolated
  * CVE-2019-13678: Download dialog spoofing
  * CVE-2019-13679: User gesture needed for printing
  * CVE-2019-13680: IP address spoofing to servers
  * CVE-2019-13681: Bypass on download restrictions
  * CVE-2019-13682: Site isolation bypass
  * CVE-2019-13683: Exceptions leaked by devtools
- Added patches:
  * chromium-77-blink-include.patch
  * chromium-77-fix-gn-gen.patch
  * chromium-77-gcc-abstract.patch
  * chromium-77-gcc-include.patch
  * chromium-77-system-hb.patch
  * chromium-unbundle-zlib.patch
- Removed merged patches:
  * chromium-76-gcc-ambiguous-nodestructor.patch
  * chromium-76-gcc-blink-constexpr.patch
  * chromium-76-gcc-blink-namespace1.patch
  * chromium-76-gcc-blink-namespace2.patch
  * chromium-76-gcc-gl-init.patch
  * chromium-76-gcc-include.patch
  * chromium-76-gcc-noexcept.patch
  * chromium-76-gcc-private.patch
  * chromium-76-gcc-pure-virtual.patch
  * chromium-76-gcc-uint32.patch
  * chromium-76-gcc-vulkan.patch
  * chromium-76-quiche.patch
  * chromium-angle-inline.patch
  * chromium-fix-char_traits.patch
  * chromium-skia-aarch64-buildfix.patch
  * chromium-vaapi-fix.patch
  * gcc-lto-rsp-clobber.patch
- Refreshed patches:
  * chromium-prop-codecs.patch
  * chromium-system-icu.patch
  * chromium-vaapi.patch
  * old-libva.patch

==== cups-filters ====
Version update (1.20.3 -> 1.25.0)

- Add add-cstring-include.patch to include cstring for memcpy and
  strcmp
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
  shortcut the build queues by allowing usage of systemd-mini
- Update to version 1.25.0:
  * pdftoijs, pdftoopvp: Removed these deprecated filters completely
    as there is no demand for them any more. They also used unstable,
    undocumented APIs of Poppler.
  * pdftoraster: Changed from using unstable, undocumented APIs of
    Poppler to stable, documented ones, to improve maintainability of
    this filter, and with it of the cups-filters package.
  * libcupsfilters: Added support for color spaces CMY and RGBW when
    using filters without PPD file (mainly for development and
    debugging, option "print-color-mode" with values "cmy-XX" and
    "rgbw-XX" with XX being the number of bits per color).
- Changes from version 1.24.0:
  * cups-browsed: Integration of Deepak Patankar's Google Summer of
    Code 2018 project with the main goal of clustering different
    printers and automatically selecting the destination printers by
    job content and option/attribute settings.
  * cups-browsed, implicitclass: Support for mixed clusters of remote
    CUPS queues and IPP network printers. For this PPD files of remote
    CUPS queues are generated by cups-browsed based on IPP queries, as
    for native IPP printers, the number of jobs for load balancing is
    polled in a way that it works also with native IPP printers, the
    implicitclass backend sends jobs directly to the printer instead
    of re-queueing them via CUPS.
  * cups-browsed: Merge IPP attributes of several printers to combined
    attributes for the cluster to generate the cluster's PPD file,
    including PPD constraints for option combinations not fulfillable
    by any of the member printers, and finding reasonable,
    non-conflicting default settings.
  * cups-browsed: Selection algorithm for the destination printer for
    a job sent to the cluster. Based on the job settings requested
    such as page size, media type, print quality, the best most
    suitable printer in the cluster for the job will be selected.
  * cups-browsed, implicitclass: Filter jobs to clusters already
    locally. Due to the fact that a cluster's member printers are not
    exclusively non-raw CUPS queues with the complete filtering
    framework on the remote server, but also native IPP printers, we
    need to support generic driverless printers as destination. So we
    cannot pass on the input data unfiltered but need to filter
    locally. We let the cluster's PPD file emulate a PDF printer,
    letting the local CUPS queue of the cluster run pdftopdf and any
    pre-filters to turn the input into PDF and we let the
    implicitclass backend turn PDF into a format understood by the
    destination printer, supporting the 4 formats of driverless IPP
    printing: PDF, PWG Raster, Apple Raster, PCLm.
- Drop libpoppler-cpp0, libpoppler-devel and libpoppler-glib-devel
  BuildRequires.
- Add pkgconfig(poppler-cpp) BuildRequires following upstream changes.
- Update to version 1.23.0:
  * This release adds support for the "print-scaling" IPP attribute
    and has the code for the support of MuPDF as PDF renderer vastly
    simplified.
  * pdftops, mupdftoraster: Let pdftops call mutool directly and so
    that it directly outputs PostScript, eliminating the need to call
    the mupdftoraster and rastertops filters.
  * mupdftoraster: Reduced the use of temporary files from 3 to just
    one.
  * imagetopdf, imagetoraster, pdftopdf: Add support for print-scaling
    option.
- Changes from version 1.22.6:
  * Bug fix release, to address a further issue of cups-browsed
    removing user-created print queues, to make grayscale/monochrome
    PostScript jobs of colored input file actually output
    grayscale/monochrome files, to fix several bugs when using MuPDF
    as PDF renderer, and to silence compiler warnings.
- Version upgrade to 1.22.5
  * foomatic-rip: Changed Ghostscript call to count pages in a PDF
    file to use "runpdfbegin" and not the undocumented Ghostscript
    internal "pdfdict", so that it works with Ghostscript 9.27 and
    later (Debian bug #926576, Arch Linux bug #62251, openSUSE
    boo#1131771, cups@cups.org mailing list thread
    https://lists.cups.org/pipermail/cups/2019-April/074563.html).
- Version upgrade to 1.22.4
  * cups-browsed: Fix broken trailing space removal on "NickName"
    (Pull request #103).
  * pdftops: Emit PostScript Level 2 instead of Level 3 for Brother
    PostScript printers as at least some of them report to support
    level 3 but only work with Level 2 (Ubuntu bug #1306849,
    comment #42).
  * bannertopdf: When multiplying the page for N-up or Duplex printing
    one page too much was generated (Issue #102).
- Version upgrade to 1.22.3
  * libcupsfilters: Added error checks for processing GIF, to avoid
    crashes or hangs on broken GIF files (Issues #81, #82, Pull
    request #100).
  * cups-browsed: Added hint to the man page and configuration file
    that with "DebugLogging stderr" the logging output goes to journal
    or syslog if cups-browsed is running as system service
    (Issue #28).
- Version upgrade to 1.22.2
  * cups-browsed: Let distribution of jobs sent to queues with
    "implicitclass" backend (usually clusters) be done by a
    "job-state" CUPS notification and not by "printer-state-changed"
    any more. The "job-state" notification already contains the job
    ID. Before we had to poll the job ID from CUPS via IPP which was
    sometimes unreliable (Issue #97).
  * imagetopdf, imagetoraster, pdftopdf, libcupsfilters: Added new
    page scaling options: "fill" scales the input page (typically a
    photo) so that the output page (typically with different aspect
    ratio) gets completely filled, allowing for some content of the
    input page getting lost. "crop-to-fit" allows for easy printing of
    documents on slightly different output page sizes (A4 <-> Letter)
    maintaining the size and centering and cropping into the
    destination page. Thanks to Dheeraj Yadav (dhirajyadav135 at gmail
    dot com) for the patch (Pull request #92).
  * cups-browsed: Do not do IPP request for printer-is-shared option
    for remote cups queues with CUPS 2.2.x and newer (Pull
    request #91).
  * cups-browsed: Fix crash bug when reading "Cluster" directive from
    configuration file (Issue #94).
  * driverless: Updated man page as now also Mopria and Wi-Fi Direct
    printers are supported. Mentioned also ippusbxd.
- Update to version 1.22.1:
  * braille: Use sort command with LC_ALL=C for reproducibility of the
    generated files, needed for distribution packaging.
  * cups-browsed, driverless: When polling the printer's capabilities
    via get-printer-attributes IPP request for driverless printing,
    use the attributes "all" and "media-col-database". Without "all"
    some printers do not report "urf-supported" and without
    "media-col-database" not all paper size and margin info gets
    reported.
  * braille: Document how to rework output before embossing.
- Update to version 1.22.0:
  * From this release on the pdftopdf filter flattens interactive PDF
    forms and annotations internally, using QPDF, instead of calling
    external utilities. This especially eliminates slowing factors as
    additional piping of the data and unneeded use of PDF
    interpreters. Using external utilities for flattening is still
    possible in case of problems. In addition, a crash bug in
    cups-browsed got fixed and compatibility of the filters with
    Poppler 0.72 assured.
- Drop upstream fixed patches:
  * 0001-Raise-minimum-poppler-version-from-0.18-to-0.19.patch
  * 0002-Adapt-code-for-SplashXPathScanner-state-handling-sin.patch
  * 0003-Support-some-more-methods-returning-const.patch
  * 0004-Support-GooString-c_str-introduced-by-poppler-0.72.patch
- Fix building with Poppler 0.72
  Add 0001-Raise-minimum-poppler-version-from-0.18-to-0.19.patch
  Add 0002-Adapt-code-for-SplashXPathScanner-state-handling-sin.patch
  Add 0003-Support-some-more-methods-returning-const.patch
  Add 0004-Support-GooString-c_str-introduced-by-poppler-0.72.patch
  See https://github.com/OpenPrinting/cups-filters/pull/83
- Update to version 1.21.6:
  * Bug fix release, mainly for cups-browsed to avoid crashes and
    infinite printer removal/re-creation loops and spurious local
    queues for local CUPS printers. Also expanded PostScript
    interpreter bug workaround to more Apple LaserWriter models.
  * cups-browsed: To find out whether a DNS-SD-discovered printer is
    from the local machine, use not only the flags in the Avahi lookup
    result but also check the host name.
  * cups-browsed: When a local CUPS queue pointing to a remote CUPS
    printer was removed and re-created to make it a permanent queue,
    on_printer_deleted() was triggered by cupsd's notification to
    re-create a lost queue. Now on_printer_deleted() checks whether
    the queue is really gone and only re-creates then.
  * cups-browsed: When updating the CUPS queues, also removed and
    unregistered queues and not only created queues got checked for
    HTTP timeouts, which caused crashes on shutdown.
  * pdftops: Use the PS interpreter of Poppler for all Apple
    LaserWriter 16/600, 4/600, 12/640, 12/600, 12/660 as they all seem
    to not work with Ghostscript's PS output.
  * cups-browsed: On shutdown queues got removed even if they still
    had jobs.
- Changes from version 1.21.5:
  * Bug fix release, to build with Poppler 0.71 and with cups-browsed
    converting temporary CUPS queues reliably to permanent queues.
  * cups-browsed: We cannot reliably determine whether a CUPS queue is
    temporary, so we apply the procedure to make a temporary queue
    permanent to any unshared queue.
  * pdftoraster, pdftopdf, pdftoijs, pdftoopvp: Do not use the
    Poppler-specific "GBool", "gFalse", "gTrue" any more, as Poppler
    has switched to standard "bool", "false", "true" in version
    0.71.0.
- Update to version 1.21.4:
  * cups-browsed: cups-browsed: Limit the number of retries for
    creating a print queue when it comes to HTTP timeouts. Number of
    retries given by HttpMaxRetries directive in cups-browsed.conf.
  * cups-browsed: Read out current time right before setting the
    timeouts.
  * libcupsfilters: In the PPD generator for driverless IPP printing
    let "*cupsManualCopies: true" lines get added to the PPD if
    printing is done in a raster format as then pdftopdf needs to
    generate the copies.
  * pdftoraster, pdftoopvp, pdftoijs: Fix build with Poppler >= 0.70
  * pdftopdf: Fixed printing multiple copies on driverless IPP
    printers. When printing collated copies the multiple copies got
    applied twice, resulting in n*n instead of n copies.
  * pdftoraster, pdftoopvp, pdftoijs: Poppler removed memCheck and
    gMemReport functions, remove appropriate calls.
- Changes from version 1.21.3:
  * foomatic-rip: Reset stdin after replacing the underlying file
    descriptor.
- Changes from version 1.21.2:
  * cups-browsed: Fixed freeing of literal string caused by Coverity
    Scan issue fix.
- Do not differentiate for service location, it is in sbindir on all
  systems we support now
- Use license for license install
- Version update to 1.21.1:
  - foomatic-rip: Fixed segmentation fault caused by wrong Coverity
    Scan issue fix (Issue #57, Debian bug #907026).
  - Build system: Require QPDF 8.1.0 or later as it is needed by
    bannertopdf (Issue #56).
  - libcupsfilters, cups-browsed, driverless, foomatic-rip, parallel:
    Silenced warnings from newest gcc.
  - libcupsfilters: When generating a PPD for driverless printing on a
    remote IPP printer, make pdftopdf not being run by the local queue
    if the remote queue is a CUPS queue to avoid running pdftopdf
    twice (CUPS Issue #5361).
  - libcupsfilters, cups-browsed, driverless, bannertopdf,
    foomatic-rip, pdftops, pdftoraster, rastertops, rastertoescpx,
    sys5ippprinter, beh: Fixed Coverity Scan issues. Thanks to Zdenek
    Dohnal (zdohnal at redhat dot com) for the tests and the patches.
  - bannertopdf: Switched over from using Poppler to using QPDF for
    generating the PDF pages. With Poppler unstable APIs were used
    which were subject to change. Thanks to Sahil Arora for this
    project in the Google Summer of Code 2018 (Pull request #25).
  - cups-browsed: Manually defined clusters ("Cluster" directive in
    cups-browsed.conf) caused cups-browsed to crash.
- Version upgrade to 1.20.4
  - gstoraster: Removed unneeded "if"s (Ghostscript bug #692705).
  - cups-browsed: When checking whether there is already a local print
    queue with the same URI as the one of the discovered printer,
    consider also as equal URI if the URIs only differ by use of IPP
    or IPPS and/or use of HTTPS port 443 instead of IPP port 631.
  - cups-browsed: Also upgrade from ipp: to ipps: when the ipps: URI
    is on HTTPS port 443 instead of IPP port 631. This is common on
    IPP network printers.
  - pdftopdf: Removed support for hardware-implemented reversing of
    page order in PostScript printers. It was once not correctly
    implemented in cups-filters and second, such printers are
    extremely rare, and on Gutenprint PPDs with pseudo OutputOrder
    option hardware reversing was even wrongly assumed (Issue #47).
  - pdftopdf: Accept option "output-order=normal/reverse" for
    reversing page order (Issue #47) and also "page-delivery=
    same-order/reverse-order" (CUPS Issue #5340).
  - libcupsfilters: Let the PPD generator add "*PageStackOrder ..."
    lines to the choices of the "OutputBin" option, to mark which
    output bins need the pages printed in reverse order (Issue #47).
  - libcupsfilters: Let the PPD generator correctly create a
    "*DefaultOutputOrder: ..." entry, depending on whether the paper
    is put out face-up or face-down in the default output bin
    (Issue #47).
  - libcupsfilters: Fixed human-readable name of the OutputBin option
    in the PPD generator.
  - pdftoopvp: Silence compiler warning (Issue #42).
  - cups-browsed: If the user modifies/overwrites a print queue
    created by cups-browsed, it will now not only be automatically
    released from the control of cups-browsed, but we also create a
    replacement for our generated local queue under a new name.
  - cups-browsed: Make URIs for using the implicitclass backend
    correctly working also with queue names containing an '@'
    character.
  - braille: Strengthen error checking (Pull request #41).
  - braille: Index: Replace bogus characters with space (Pull
    request #41).
  - braille: Add print and braille page number options (Pull
    request #41).
  - braille: Index: Use standard duplex cups option (Pull
    request #41).
  - cups-browsed: Moved auto-generation of PPD file for IPP network
    printers from create_remote_printer_entry() function to
    update_cups_queues(). This allows re-creating accidentally removed
    or overwritten local queues without losing the PPD file.
  - braille: Add option to pick hyphenation rule according to current
    locale and make it the default for second translation table.
    (Pull request #38 and #39).
  - braille: Remove generated defs on "make clean". (Pull
    request #38).
  - braille: Turn non-breakable spaces to spaces. (Pull request #38
    and #39).
  - braille: Fix character encoding when extracting text. When
    extracting text from a zip file or a pdf, the resulting text is
    always utf-8 independently of the original locale, so we need to
    force that. (Pull request #38).
  - braille: Warn when no text translation was selected in case the
    user didn't notice. (Pull request #37).
  - braille: Fix spurious spacing after last Form-Feed (Pull
    request #45).
- Drop pdftoopvp_Silence-compiler-warning.patch
- Add pdftoopvp_Silence-compiler-warning.patch: pdftoopvp: Silence
  compiler warning.

==== curl ====
Version update (7.60.0 -> 7.66.0)
Subpackages: libcurl4 libcurl4-32bit

- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
  [bsc#1149604, bsc#1149572, jsc#SLE-9295]
  * Changes:
    - CURLINFO_RETRY_AFTER: parse the Retry-After header value
    - HTTP3: initial (experimental still not working) support
    - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
    - curl: support parallel transfers with -Z
    - curl_multi_poll: a sister to curl_multi_wait() that waits more
    - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  * Bugfixes:
    - CVE-2019-5481: FTP-KRB double-free
    - CVE-2019-5482: TFTP small blocksize heap buffer overflow
    - CMake: remove needless newlines at end of gss variables
    - CMake: use platform dependent name for dlopen() library
    - CURLINFO docs: mention that in redirects times are added
    - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
    - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
    - CURLOPT_HEADERFUNCTION.3: clarify
    - CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly
    - CURLOPT_READFUNCTION.3: provide inline example
    - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
    - Curl_addr2string: take an addrlen argument too
    - Curl_fillreadbuffer: avoid double-free trailer buf on error
    - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
    - alt-svc: add protocol version selection masking
    - alt-svc: fix removal of expired cache entry
    - alt-svc: make it use h3-22 with ngtcp2 as well
    - alt-svc: more liberal ALPN name parsing
    - alt-svc: send Alt-Used: in redirected requests
    - alt-svc: with quiche, use the quiche h3 alpn string
    - asyn-thread: create a socketpair to wait on
    - cleanup: move functions out of url.c and make them static
    - cleanup: remove the 'numsocks' argument used in many places
    - configure: avoid undefined check_for_ca_bundle
    - curl.h: add CURL_HTTP_VERSION_3 to the version enum
    - curl: cap the maximum allowed values for retry time arguments
    - curl: handle a libcurl build without netrc support
    - curl: make use of CURLINFO_RETRY_AFTER when retrying
    - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
    - curl_global_init_mem.3: mention it was added in 7.12.0
    - curl_version: bump string buffer size to 250
    - curl_version_info.3: mentioned ALTSVC and HTTP3
    - curl_version_info: offer quic (and h3) library info
    - curl_version_info: provide nghttp2 details
    - defines: avoid underscore-prefixed defines
    - docs/ALTSVC: remove what works and the experimental explanation
    - docs/EXPERIMENTAL: explain what it means and what's experimental now
    - docs/MANUAL.md: converted to markdown from plain text
    - docs/examples/curlx: fix errors
    - docs: s/curl_debug/curl_dbg_debug in comments and docs
    - easy: resize receive buffer on easy handle reset
    - examples: Avoid reserved names in hiperfifo examples
    - examples: add http3.c, altsvc.c and http3-present.c
    - http09: disable HTTP/0.9 by default in both tool and library
    - http2: when marked for closure and wanted to close == OK
    - http2_recv: trigger another read when the last data is returned
    - http: fix use of credentials from URL when using HTTP proxy
    - http_negotiate: improve handling of gss_init_sec_context() failures
    - md4: Use our own MD4 when no crypto libraries are available
    - multi: call detach_connection before Curl_disconnect
    - nss: use TLSv1.3 as default if supported
    - openssl: build warning free with boringssl
    - openssl: use SSL_CTX_set__proto_version() when available
    - plan9: add support for running on Plan 9
    - progress: reset download/uploaded counter between transfers
    - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
    - scp: fix directory name length used in memcpy
    - smb: init *msg to NULL in smb_send_and_recv()
    - smtp: check for and bail out on too short EHLO response
    - source: remove names from source comments
    - spnego_sspi: add typecast to fix build warning
    - src/makefile: fix uncompressed hugehelp.c generation
    - ssh-libssh: do not specify O_APPEND when not in append mode
    - ssh: move code into vssh for SSH backends
    - sspi: fix memory leaks
    - tests: Replace outdated test case numbering documentation
    - tftp: return error when packet is too small for options
    - timediff: make it 64 bit (if possible) even with 32 bit time_t
    - travis: reduce number of torture tests in 'coverage'
    - url: make use of new HTTP version if alt-svc has one
    - urlapi: verify the IPv6 numerical address
    - urldata: avoid 'generic', use dedicated pointers
    - vauth: Use CURLE_AUTH_ERROR for auth function errors
  * Removed patches:
    - curl-CVE-2018-0500.patch
    - curl-CVE-2018-14618.patch
    - curl-CVE-2018-16839.patch
    - curl-CVE-2018-16840.patch
    - curl-CVE-2018-16842.patch
    - curl-CVE-2018-16890.patch
    - curl-CVE-2019-3822.patch
    - curl-CVE-2019-3823.patch
    - curl-CVE-2019-5436.patch
    - curl-CVE-2019-5481.patch
    - curl-CVE-2019-5482.patch
- Security fix: [bsc#1149496,CVE-2019-5482]
  * TFTP small blocksize heap buffer overflow
  * Added curl-CVE-2019-5482.patch
- Security fix: [bsc#1149495,CVE-2019-5481]
  * FTP-KRB: double-free during kerberos FTP data transfer
  * Added curl-CVE-2019-5481.patch
- Update to 7.65.3
  * progress: make the progress meter appear again
- Update to 7.65.2
  * Bugfixes:
    - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
    - CMake: Fix finding Brotli on case-sensitive file systems
    - CURLOPT_RANGE.3: Caution against using it for HTTP PUT
    - CURLOPT_SEEKDATA.3: fix variable name
    - bindlocal: detect and avoid IP version mismatches in bind()
    - build: fix Codacy warnings
    - c-ares: honor port numbers in CURLOPT_DNS_SERVERS
    - config-os400: add getpeername and getsockname defines
    - configure: --disable-progress-meter
    - configure: fix --disable-code-coverage
    - configure: more --disable switches to toggle off individual features
    - configure: remove CURL_DISABLE_TLS_SRP
    - conn_maxage: move the check to prune_dead_connections()
    - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
    - docs: Explain behavior change in --tlsv1. options since 7.54
    - docs: Fix links to OpenSSL docs
    - docs: fix string suggesting HTTP/2 is not the default
    - headers: Remove no longer exported functions
    - http2: call done_sending on end of upload
    - http2: don't call stream-close on already closed streams
    - http2: remove CURL_DISABLE_TYPECHECK define
    - http: allow overriding timecond with custom header
    - http: clarify header buffer size calculation
    - krb5: fix compiler warning
    - lib: Use UTF-8 encoding in comments
    - libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
    - multi: enable multiplexing by default (again)
    - multi: fix the transfer hashes in the socket hash entries
    - multi: make sure 'data' can present in several sockhash entries
    - netrc: Return the correct error code when out of memory
    - nss: don't set unused parameter
    - nss: inspect returnvalue of token check
    - nss: only cache valid CRL entries
    - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
    - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
    - openssl: fix pubkey/signature algorithm detection in certinfo
    - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
    - quote.d: asterisk prefix works for SFTP as well
    - runtests: keep logfiles around by default
    - runtests: report single test time + total duration
    - test1165: verify that CURL_DISABLE_ symbols are in sync
    - test1521: adapt to SLISTPOINT
    - test1523: test CURLOPT_LOW_SPEED_LIMIT
    - test153: fix content-length to avoid occasional hang
    - test188/189: fix Content-Length
    - tests: have runtests figure out disabled features
    - tests: support non-localhost HOSTIP for dict/smb servers
    - tests: update fixed IP for hostip/clientip split
    - tool_cb_prg: Fix integer overflow in progress bar
    - typecheck: CURLOPT_CONNECT_TO takes an slist too
    - typecheck: add 3 missing strings and a callback data pointer
    - unit1654: cleanup on memory failure
    - unpause: trigger a timeout for event-based transfers
    - url: Fix CURLOPT_MAXAGE_CONN time comparison
- Rebased patch curl-use_OPENSSL_config.patch
- Disable new added failing test1165
- Update to 7.65.1
  * Bugfixes:
    - CURLOPT_LOW_SPEED_* repaired
    - NTLM: reset proxy "multipass" state when CONNECT request is done
    - PolarSSL: deprecate support step 1. Removed from configure
    - cmake: check for if_nametoindex()
    - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
    - conncache: Remove the DEBUGASSERT on length check
    - conncache: make "bundles" per host name when doing proxy tunnels
    - curl_share_setopt.3: improve wording
    - dump-header.d: spell out that no headers == empty file
    - example/http2-download: fix format specifier
    - examples: cleanups and compiler warning fixes
    - http2: Stop drain from being permanently set
    - http: don't parse body-related headers in bodyless responses
    - md4: build correctly with openssl without MD4
    - md4: include the mbedtls config.h to get the MD4 info
    - multi: track users of a socket better
    - nss: allow to specify TLS 1.3 ciphers if supported by NSS
    - parse_proxy: make sure portptr is initialized
    - parse_proxy: use the IPv6 zone id if given
    - sectransp: handle errSSLPeerAuthCompleted from SSLRead()
    - singlesocket: use separate variable for inner loop
    - ssl: Update outdated "openssl-only" comments for supported backends
    - tests: add HAProxy keywords
    - tests: make test 1420 and 1406 work with rtsp-disabled libcurl
    - tls13-docs: mention it is only for OpenSSL >= 1.1.1
    - tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
    - url: fix bad feature-disable #ifdef
    - url: use correct port in ConnectionExists()
- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
  * Changes:
    - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
    - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
    - pipelining: removed
  * Bugfixes:
    - CVE-2019-5435: Integer
overflows in curl_url_set - CVE-2019-5436: tftp: use the current blksize for recvfrom() - --config: clarify that initial : and = might need quoting - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk - CURLOPT_ADDRESS_SCOPE: fix range check and more - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE - CURL_MAX_INPUT_LENGTH: largest acceptable string input size - Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - OS400/ccsidcurl: replace use of Curl_vsetopt - OpenSSL: Report -fips in version if OpenSSL is built with FIPS - WRITEFUNCTION: add missing set_in_callback around callback - altsvc: Fix building with cookies disabled - auth: Rename the various authentication clean up functions - base64: build conditionally if there are users - cmake: avoid linking executable for some tests with cmake 3.6+ - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - cmake: set SSL_BACKENDS - configure: avoid unportable '==' test(1) operator - configure: error out if OpenSSL wasn't detected when asked for - configure: fix default location for fish completions - cookie: Guard against possible NULL ptr deref - curl: make code work with protocol-disabled libcurl - curl: report error for "--no-" on non-boolean options - curlver.h: use parenthesis in CURL_VERSION_BITS macro - docs/INSTALL: fix broken link - doh: acknowledge CURL_DISABLE_DOH - doh: disable DOH for the cases it doesn't work - examples: remove unused variables - ftplistparser: fix LGTM alert "Empty block without comment" - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies - http: acknowledge CURL_DISABLE_HTTP_AUTH - http: mark bundle as not for multiuse on < HTTP/2 response - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - http_negotiate: do not treat failure of gss_init_sec_context() as fatal - http_ntlm: Corrected the name of the include 
guard - http_ntlm_wb: Handle auth for only a single request - http_ntlm_wb: Return the correct error on receiving an empty auth message - lib509: add missing include for strdup - lib557: initialize variables - mbedtls: enable use of EC keys - mime: acknowledge CURL_DISABLE_MIME - multi: improved HTTP_1_1_REQUIRED handling - netrc: acknowledge CURL_DISABLE_NETRC - nss: allow fifos and character devices for certificates - nss: provide more specific error messages on failed init - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 - openssl: mark connection for close on TLS close_notify - openvms: Remove pre-processor for SecureTransport - parse_proxy: use the URL parser API - parsedate: disabled on CURL_DISABLE_PARSEDATE - pingpong: disable more when no pingpong protocols are enabled - polarssl_threadlock: remove conditionally unused code - progress: acknowledge CURL_DISABLE_PROGRESS_METER - proxy: acknowledge DISABLE_PROXY more - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries - revert "multi: support verbose conncache closure handle" - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 - sasl: only enable if there's a protocol enabled using it - singleipconnect: show port in the verbose "Trying ..." 
message - socks5: user name and passwords must be shorter than 256 - socks: fix error message - socksd: new SOCKS 4+5 server for tests - spnego_gssapi: fix return code on gss_init_sec_context() failure - ssh-libssh: remove unused variable - ssh: define USE_SSH if SSH is enabled (any backend) - ssh: move variable declaration to where it's used - test1002: correct the name - test2100: Fix typos in test description - tests: Run global cleanup at end of tests - tests: make Impacket (SMB server) Python 3 compatible - tool_cb_wrt: fix bad-function-cast warning - tool_formparse: remove redundant assignment - tool_help: Warn if curl and libcurl versions do not match - tool_help: include for strcasecmp - url: always clone the CUROPT_CURLU handle - url: convert the zone id from a IPv6 URL to correct scope id - urlapi: add CURLUPART_ZONEID to set and get - urlapi: increase supported scheme length to 40 bytes - urlapi: require a non-zero host name length when parsing URL - urlapi: stricter CURLUPART_PORT parsing - urlapi: strip off zone id from numerical IPv6 addresses - urlapi: urlencode characters above 0x7f correctly - vauth/cleartext: update the PLAIN login to match RFC 4616 - vauth/oauth2: Fix OAUTHBEARER token generation - vauth: Fix incorrect function description for Curl_auth_user_contains_domain - vtls: fix potential ssl_buffer stack overflow - wildcard: disable from build when FTP isn't present - xattr: skip unittest on unsupported platforms ==== desktop-file-utils ==== - Add 0001-add-font-as-valid-media-type.patch from upstream to let update-desktop-database recognize font media types (bsc#1148080) - Revert pkconfig package name change back to correct pkg-config. - Add desktop-file-utils-add-Pantheon.patch: Backporting upstream patch to Add Pantheon to desktop env list(fdo#105785 bnc#1094774). - Move RPM macros to %_rpmmacrodir. 
- suse-update-mime-defaults requires coreutils and awk; add both to package requires

==== device-mapper ====
Subpackages: libdevmapper-event1_03 libdevmapper1_03 libdevmapper1_03-32bit

- Fix unknown feature in status message (bsc#1135984)
  + bug-1135984_cache-support-no_discard_passdown.patch
- Fix using device aliases with lvmetad (bsc#1137296)
  + bug-1137296_pvremove-vgextend-fix-using-device-aliases-with-lvmetad.patch
- Fix devices drop open error message (bsc#1122666)
  + bug-1122666_devices-drop-open-error-message.patch
- Use %make_build in order to provide verbose output.

==== expat ====
Subpackages: libexpat1 libexpat1-32bit

- Security fix (CVE-2019-15903, bsc#1149429)
  * Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing
  * Added patches:
    - expat-CVE-2019-15903.patch
    - expat-CVE-2019-15903-tests.patch

==== ghostscript ====
Subpackages: ghostscript-x11

- CVE-2019-10216.patch fixes CVE-2019-10216 forceput/superexec in .buildfont1 is still accessible https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621 https://bugs.ghostscript.com/show_bug.cgi?id=701394

==== ibus ====
Subpackages: ibus-gtk ibus-gtk3 ibus-lang libibus-1_0-5 typelib-1_0-IBus-1_0

- Add ibus-CVE-2019-14822.patch: Fix misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user (CVE-2019-14822 bnc#1150011).

==== kernel-source ====
Version update (5.3.rc7 -> 5.3.0)
Subpackages: kernel-default kernel-vanilla

- Update config files. Disable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT. Not all drivers are ready for this yet, so enabling this config option causes regressions. See bsc#1150577 for an example.
- commit 76ac02e
- Delete patches.suse/0001-iommu-vt-d-Fix-race-condition-in-add_unmap.patch.
- commit b0363d2
- Update to 5.3 final
- Eliminated 3 patches
- Refresh configs
- NF_CONNTRACK_SLP is gone
- commit 6baef36
- Move guarded patch into its own out of tree section
- commit 081b55b
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 ltc#178925).
- commit 97a4665
- series.conf: Add note on why pcc-cpufreq patch is being held for evaluation
- commit a514b48
- Delete patches.suse/netfilter-ip_conntrack_slp.patch (FATE#324143 jsc#SLE-8944 bsc#1127886).
  This veteran out of tree patch is no longer needed since the userspace conntrack helper (in conntrack-tools / conntrackd) has reached Factory.
- commit d6f0b71
- Update and reenable patches.suse/Revert-netfilter-conntrack-remove-helper-hook-again.patch (FATE#324143 jsc#SLE-8944 bsc#1127886).
- commit 029452e
- powerpc: dump kernel log before carrying out fadump or kdump (bsc#1149940 ltc#179958).
- commit 4b365d2
- Refresh patches.suse/net-ibmvnic-Fix-missing-in-__ibmvnic_reset.patch.
- commit 0ebba63
- series.conf: update sorted section banner
  Make the commit above sorted section less ambiguous. In particular, state clearly that patches without Git-commit which cannot be handled by git-sort do not belong in it.
- commit 1506bb8
- series.conf: move unsortable patch out of sorted section
  Patch without Git-commit cannot be sorted so that there is no point having it into the sorted section.
- commit f18376e
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- commit a3cd2bf
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- commit e64984b
- Refresh patches.suse/xfs-repair-malformed-inode-items-during-log-recovery.patch.
- commit cbb6da0
- config: enable SLAB_FREELIST_HARDENED (bsc#1127808)
  Enable SLAB_FREELIST_HARDENED on all architectures. This obscures the free object pointer on a per-cache basis making it more difficult to locate kernel objects via exploits probing the cache metadata.
  This change was requested by the upstream openSUSE community to make the kernel more resistant to slab freelist attacks. Tests conducted by the kernel performance teams confirmed that the performance impact is detectable but negligible.
- commit 39e9013
- rpm/constraints.in: lower disk space required for ARM
  With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB.
- commit f84c163
- Update to 5.3-rc8
- refresh armv6hl configs (IXP4xx drivers no longer visible)
- commit 3dea797
- config: enable STACKPROTECTOR_STRONG also on armv6hl
  Recently reenabled armv6hl architecture has STACKPROTECTOR_STRONG disabled, enable it here as well.
- commit 8c0677d
- powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts (CVE-2019-15031 bsc#1149713).
- powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction (CVE-2019-15030 bsc#1149713).
- commit ca72e89
- series.conf: move unsortable patch out of sorted section
- commit 8a360b5
- powerpc/xmon: Add a dump of all XIVE interrupts (bsc#1142019).
- powerpc/xive: Fix dump of XIVE interrupt under pseries (bsc#1142019).
- powerpc/xmon: Check for HV mode when dumping XIVE info from OPAL (bsc#1142019).
- commit 68e4d5a
- Enable klp-convert patches
  Enable patches.suse/livepatch-create-and-include-UAPI-headers.patch
  Enable and refresh patches.suse/livepatch-modpost-ignore-unresolved-symbols.patch
  Still not in upstream. Submitted though. It seems the final upstream version will be a bit different, but we need these two patches for our use case.
- commit f385ff2
- Enable patches.suse/livepatch-mark-the-kernel-unsupported-when-disabling.patch
  Still SUSE-specific and still needed.
- commit cd16e71

==== kpat ====
Subpackages: kpat-lang

- Add FcSolveSolver-cleanup-ressources.patch to fix crashes due to resource exhaustion (boo#1146622, kde#395624)

==== krb5 ====
Subpackages: krb5-32bit

- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); (bsc#1144047);

==== libdrm ====
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1

- U_intel-sync-i915_pciids.h-with-kernel-aml.patch
  * adds support for Amberlake (jira #SLE-4989, bsc#1137515)
- U_intel-sync-i915_pciids.h-with-kernel-cml.patch
  * adds support for Cometlake (jira #SLE-4983, bsc#1137515)

==== libreoffice ====
Version update (6.2.5.2 -> 6.2.7.1)
Subpackages: libreoffice-base libreoffice-base-drivers-firebird libreoffice-branding-upstream libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-ar libreoffice-l10n-bg libreoffice-l10n-bs libreoffice-l10n-ca libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-eo libreoffice-l10n-es libreoffice-l10n-et libreoffice-l10n-fa libreoffice-l10n-fi libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-id libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-ko libreoffice-l10n-lt libreoffice-l10n-nb libreoffice-l10n-nl libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-sk libreoffice-l10n-sl libreoffice-l10n-sv libreoffice-l10n-uk libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit

- Update to 6.2.7.1:
  bsc#1149944 VUL-0: CVE-2019-9854 Unsafe URL assembly flaw
  bsc#1149943 VUL-0: CVE-2019-9855 path equivalence handling flaw
- Drop merged patch:
  * 0001-Fix-buidling-with-older-boost.patch
- Add patch to fix build with SLE12 boost:
  * 0001-Fix-buidling-with-older-boost.patch
- Update to 6.2.6.2
bsc#1146098 CVE-2019-9850 bsc#1146105 CVE-2019-9851 bsc#1146107 CVE-2019-9852: * Various bugfixes of 6.2 branch - Fix bsc#1133534 LO-L3: [PPTX] SmartArt: Basic rendering of Trapezoid List * bsc1133534.patch ==== libstorage-ng ==== Version update (4.2.3 -> 4.2.11) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Catalan) (bsc#1149754) - 4.2.11 - merge gh#openSUSE/libstorage-ng#671 - added integration test - 4.2.10 - merge gh#openSUSE/libstorage-ng#670 - added notes - 4.2.9 - merge gh#openSUSE/libstorage-ng#668 - removed unneeded code - cleanup integration tests - code cleanup - 4.2.8 - Translated using Weblate (Japanese) - 4.2.7 - Translated using Weblate (Slovak) - 4.2.6 - Translated using Weblate (Portuguese (Brazil)) - Translated using Weblate (Dutch) - Translated using Weblate (Czech) - merge gh#openSUSE/libstorage-ng#667 - update pot and po files - 4.2.5 - merge gh#openSUSE/libstorage-ng#666 - added note - use dev_t to save major and minor numbers - improved unit test - coding style - consistent function name - added support for plain encryption (bsc#1088641) - added unit test - added integration tests - 4.2.4 ==== libvirt ==== Version update (5.1.0 -> 5.7.0) Subpackages: libvirt-bash-completion libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-qemu libvirt-libs - Update to libvirt 5.7.0 - Experimental split of libvirtd into separate daemons - bsc#1145440, bsc#1145586 - Many incremental improvements and 
bug fixes, see https://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch. 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch, CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch, e0246257-cputest-add-data-for-Cascadelake-Server.patch, 5cd9db3a-cputest-add-data-E3-1225-v5.patch, 538d8735-cpu_map-Define-md-clear-CPUID-bit.patch, 96f41cd7-admin-reject-clients.patch, f111e094-locking-restrict-sockets-to-mode-0600.patch, e37bd65f-logging-restrict-sockets-to-mode-0600.patch, 9f4e35dc-network-improve-chain-create-error-report.patch, 686803a1-network-split-ipv4-ipv6-chains.patch, c1c235eb-nework-clear-cached-error.patch, 4330d138-network-refactor-global-chains.patch, 3b66bd9a-add-debug-chain-creation.patch, c6cbe187-network-delay-global-fw-setup.patch, CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc.patch, CVE-2019-10166-api-disallow-virDomainManagedSaveDefineXML.patch, CVE-2019-10167-api-disallow-virConnectGetDomainCapabilities.patch, CVE-2019-10168-api-disallow-virConnect-HypervisorCPU.patch, 51f9f80d-fix-copying-bitmaps.patch, 2878278c-cpu_map-add-Cascaselake-Server.patch, 4a0f604d-cpu_map-distribute-Cascaselake-Server.patch, d5572f62-qemu-support-override-max-thread.patch, 673f805d-qemu-chown-uniqDir.patch, 975b004d-virtlogd-over-logrotate.patch, 18d47d61-revert-d00c77ae.patch, d6943eab-libxl-pmsuspend-event.patch, 3d179919-virsh-precopy-bandwidth.patch, f4bdd829-rename-precopy-bandwidth.patch, xen-pv-cdrom.patch, blockcopy-check-dst-identical-device.patch, suse-libvirtd-service-xen.patch, xen-sxpr-disk-type.patch - virsh: use upstream name for migration precopy bandwidth parameter f4bdd829-rename-precopy-bandwidth.patch bsc#1145586 - virsh: support for setting precopy bandwidth in migrate 
3d179919-virsh-precopy-bandwidth.patch bsc#1145586 - Rename patches to include commit ID revert-d00c77ae.patch -> 18d47d61-revert-d00c77ae.patch libxl-pmsuspend-event.patch -> d6943eab-libxl-pmsuspend-event.patch - libxl: fix domain state following successful suspend operation revert-d00c77ae.patch, libxl-pmsuspend-event.patch bsc#1145440 - logging: ensure virtlogd rollover takes priority over logrotate 975b004d-virtlogd-over-logrotate.patch bsc#1137137 - qemu: fix default value of security_default_confined Updated suse-qemu-conf.patch bsc#1143871 - qemu: Change owner of temp directories under /var/lib/libvirt/qemu 673f805d-qemu-chown-uniqDir.patch bsc#1143497 - Add apparmor-abstractions as a required package for daemon (bsc#1142992) - qemu: Add support for overriding max threads per process limit d5572f62-qemu-support-override-max-thread.patch bsc#1133719 - cpu_map: Add Cascadelake-Server CPU model e0246257-cputest-add-data-for-Cascadelake-Server.patch, 2878278c-cpu_map-add-Cascaselake-Server.patch, 4a0f604d-cpu_map-distribute-Cascaselake-Server.patch bsc#1141251 - util: fix copying bitmap to larger data buffer 51f9f80d-fix-copying-bitmaps.patch bsc#1138734 ==== lmdb ==== - Fix occasional crash when freed pages landed on the dirty list twice (bnc#1136132). * Add 0001-ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch ==== lvm2 ==== Subpackages: liblvm2app2_2 liblvm2cmd2_02 - Fix unknown feature in status message (bsc#1135984) + bug-1135984_cache-support-no_discard_passdown.patch - Fix using device aliases with lvmetad (bsc#1137296) + bug-1137296_pvremove-vgextend-fix-using-device-aliases-with-lvmetad.patch - Fix devices drop open error message (bsc#1122666) + bug-1122666_devices-drop-open-error-message.patch - Use %make_build in order to provide verbose output. ==== makedumpfile ==== Version update (1.6.3 -> 1.6.6) - makedumpfile-Increase-SECTION_MAP_LAST_BIT-to-4.patch: Increase SECTION_MAP_LAST_BIT to 4 (bsc#1144708). 
- Update to 1.6.6 * Support for AMD Secure Memory Encryption * Exclude pages that are logically offline * Support kernels up to 5.1.9 - Drop makedumpfile-coptflags.diff. - Also support extended address space with SLE 12 SP5 (bsc#1138451) * refresh makedumpfile-ppc64-VA-range-SUSE.patch - makedumpfile-ppc64-VA-range-SUSE.patch: Use correct l3 index size with SLE15-SP1 ppc64le kernels (bsc#1123015). - Update to 1.6.5 * Improve support for arm64 system with KASLR * Support kernels up to 4.19.4 - Update to 1.6.4 * 5-level paging support on x86_64 * --mem-usage support for arm64 * Support larger VA size with newer ppc64 kernels (bsc#1118445). * Support kernels up to 4.17.0 - Drop upstreamed patches: * makedumpfile-always-use-bigger-SECTION_MAP_MASK.patch * makedumpfile-sadump-fix-PTI-enabled-kernels.patch * makedumpfile-do-not-print-ETA-if-progress-is-0.patch * makedumpfile-is_cache_page-helper.patch * makedumpfile-check-PG_swapbacked.patch - Fix %license destination for older distributions. - Merge SLE12 changelog. - Patches that were never actually applied to Factory: * makedumpfile-x86_64-xen-vtop.patch (included in 1.6.2) * makedumpfile-Fix-elf_info-file_size-if-segment-excluded.patch (included in 1.6.2) - makedumpfile-Fix-elf_info-file_size-if-segment-excluded.patch: elf_info: Fix file_size if segment is excluded (bsc#1068925). - makedumpfile-x86_64-xen-vtop.patch: Fix the use of Xen physical and machine addresses (bsc#1014136, bsc#1068694). - makedumpfile-is_cache_page-helper.patch: Add is_cache_page() helper to check if a page belongs to the cache (bsc#1088354). - makedumpfile-check-PG_swapbacked.patch: Check PG_swapbacked for swap cache pages (bsc#1088354). - makedumpfile-do-not-print-ETA-if-progress-is-0.patch: Do not print ETA value if current progress is 0 (bsc#1084936). - Use %license instead of %doc [bsc#1082318] - makedumpfile-sadump-fix-PTI-enabled-kernels.patch: sadump: Fix a problem of PTI enabled kernel (bsc#1085826). 
- makedumpfile-always-use-bigger-SECTION_MAP_MASK.patch: Always use bigger SECTION_MAP_MASK (bsc#1066811, bsc#1067703). - Update to 1.6.3 * Support kernels up to 4.14.8 (bsc#1068864). * 86_64: handle renamed init_level4_pgt -> init_top_pgt * Fix SECTION_MAP_MASK for kernel >= v.13 * book3s/ppc64: Lower the max real address to 53 bits for kernels >= v4.11 * Support symbol __cpu_online_mask * ppc64: update hash page table geometry - Drop upstreamed patches: * makedumpfile-Fix-SECTION_MAP_MASK-for-kernel-v.13.patch * makedumpfile-handle-renamed-init_level4_pgt-init_top_pgt.patch * makedumpfile-ppc64-update-hash-page-table-geometry.patch * makedumpfile-book3s-ppc64-Lower-the-max-real-address-to-53-bits.patch * makedumpfile-__cpu_online_mask-symbol.patch * makedumpfile-vtop4_x86_64_pagetable.patch * makedumpfile-fix-KASLR-for-sadump.patch * makedumpfile-fix-KASLR-for-sadump-while-kdump.patch * makedumpfile-support-4.12.patch - Drop SLE12-specific patches: * makedumpfile-ppc64-update-hash-page-table-geometry.patch * makedumpfile-Revert-Clean-up-unused-KERNEL_IMAGE_SIZE.patch * makedumpfile-Revert-x86_64-kill-some-unused-init.patch * makedumpfile-Revert-kill-is_vmalloc_addr_x86_64.patch * makedumpfile-Revert-x86_64-translate-all-VA-to-PA-using-pgt.patch * makedumpfile-Revert-Calculate-page_offset-from-pt_load.patch - makedumpfile-__cpu_online_mask-symbol.patch: Support symbol __cpu_online_mask (FATE#323473, bsc#1070291). - makedumpfile-vtop4_x86_64_pagetable.patch: Introduce vtop4_x86_64_pagetable (FATE#323473, bsc#1070291). - makedumpfile-fix-KASLR-for-sadump.patch: Fix a KASLR problem of sadump (FATE#323473, bsc#1070291). - makedumpfile-fix-KASLR-for-sadump-while-kdump.patch: sadump: Fix a KASLR problem of sadump while kdump is working (FATE#323473, bsc#1070291). - makedumpfile-Revert-Clean-up-unused-KERNEL_IMAGE_SIZE.patch: Revert "Clean up unused KERNEL_IMAGE_SIZE" (bsc#1068925, bsc#1099121). 
- makedumpfile-Revert-x86_64-kill-some-unused-init.patch: Revert "x86_64: kill some unused initialization" (bsc#1068925, bsc#1099121). - makedumpfile-Revert-kill-is_vmalloc_addr_x86_64.patch: Revert "x86_64: kill is_vmalloc_addr_x86_64()" (bsc#1068925, bsc#1099121). - makedumpfile-Revert-x86_64-translate-all-VA-to-PA-using-pgt.patch: Revert "x86_64: translate all VA to PA using page table values" (bsc#1068925, bsc#1099121). - makedumpfile-Revert-Calculate-page_offset-from-pt_load.patch: Revert "x86_64: Calculate page_offset from pt_load" (bsc#1068925, bsc#1040469, bsc#1099121). - makedumpfile-ppc64-update-hash-page-table-geometry.patch: Kernel commit f6eedbba7a26 ("powerpc/mm/hash: Increase VA range to 128TB") updated hash page table geometry. A modified version of this commit is included in SLES12 SP3. Make the corresponding changes in makedumpfile tool for filtering dump appropriately (bsc#1068485) - ppc64 Can't convert a virtual address (bsc#1067703) * Added patches: makedumpfile-ppc64-update-hash-page-table-geometry.patch makedumpfile-book3s-ppc64-Lower-the-max-real-address-to-53-bits.patch * Refresh makedumpfile-Fix-SECTION_MAP_MASK-for-kernel-v.13.patch to also apply to SLE15 (4.12 kernel) due to backport of 2d070eab2e82 (bsc#1067703) - Handled renaming of init_level4_pgt to init_top_pgt (bsc#1066770). * Added patch: makedumpfile-handle-renamed-init_level4_pgt-init_top_pgt.patch - add makedumpfile-Fix-SECTION_MAP_MASK-for-kernel-v.13.patch (bnc#1066811) - Update to 1.6.2 * Fix the use of Xen physical and machine addresses (bsc#1014136) * Fix memory leak in get_kcore_dump_loads() * Support kernels up to 4.11.7 * Consider not page-size aligned phys_end for paddr_to_pfn() * Add runtime kaslr offset if it exists - Update to 1.6.1 (FATE#322011). 
  * Enhance support for aarch64
  * Enhance support for ppc64
  * Support kernels up to 4.8
- Drop upstreamed patch
  * makedumpfile-_count-_refcount-rename.patch
- Merge with updates on SLE12 SP2 (FATE#318012, bsc#992885, bsc#999869).
- Rename Support-_count-_refcount-rename-in-struct-p.patch to makedumpfile-_count-_refcount-rename.patch.
- Silence rpmlint errors about devel files in non-devel package; despite their .c suffix, the provided eppic scripts are intended for production, not development.
- Build and install the eppic extension.
- makedumpfile-override-libtinfo.patch: Allow to override the tinfo library used for eppic.
- Update to 1.6.0 (FATE#320955).
  * Exclude page structures of non-dumped pages.
- Drop upstreamed patch
  * Looking-for-page.compound_order-compound_dtor-.patch
  * Skip-examining-compound-tail-pages.patch
- Looking-for-page.compound_order-compound_dtor-.patch: fix excluding hugepages (kernel 4.4 compatibility)
- Skip-examining-compound-tail-pages.patch: fix excluding compound tail pages (kernel 4.5 compatibility)
- Support-_count-_refcount-rename-in-struct-p.patch: support 4.7 kernel (page._count renamed to page._refcount)
- Update to 1.5.9
  * support for aarch64 (FATE#318444)
  * Support kernels up to 4.1
  * Enable compressed dump formats for Xen (FATE#316467).
- Drop upstreamed patch
  * makedumpfile-add-aarch64.diff
- Use url for source
- Cleanup spec file with spec-cleaner
- Adjust usage of install (-c is ignored)
- makedumpfile-add-aarch64.diff: Add support for aarch64
  This patch should be obsolete when switching to 1.5.9
- upgrade to makedumpfile-1.5.8
  o Fair I/O workload assignment for --split
  o Make incomplete dumpfile readable
  o Support kernels up to 3.19

==== openldap2 ====
Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client

- bsc#1143194 (CVE-2019-13565) - ssf memory reuse leads to incorrect authorisation of another connection, granting excess connection rights (ssf).
  * patch: 0201-ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
- bsc#1143273 (CVE-2019-13057) - rootDN of a backend may proxyauth incorrectly to another backend, violating multi-tenant isolation.
  * patch: 0202-ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
  * patch: 0203-ITS-9038-Update-test028-to-test-this-is-enforced.patch
  * patch: 0204-ITS-9038-Another-test028-typo.patch
- bsc#1111388 - incorrect post script call causes tmpfiles create not to be run.
- bsc#1114845 - broken shebang line in openldap_update_modules_path.sh - fix the script
- Emergency fix: move tmpfiles_create post from the library package to the main package's post script, which ships the tmpfiles.d configuration. Fixes the post script of the library (-p /sbin/ldconfig does not allow more statements in the script).
- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG* (transactional-update)
  * source: openldap2.conf
- Added a patch to let slapd return the uniqueness check filter used before constraint violation to the client. Fixed broken memory handling in affecting error response of slapo-unique ITS#8866 slapo-unique to return filter used in diagnostic message
  * patch: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
- Don't require systemd explicitly; the spec file can handle both cases correctly and in containers we don't have systemd.
- Fix CVE-2017-17740: when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack
  * patch: 0017-Fix-segfault-in-nops.patch (bsc#1073313)

==== python-Werkzeug ====

- Add 0001-unique-debugger-pin-in-Docker-containers.patch (bsc#1145383, CVE-2019-14806)
  When running the development server in Docker, the debugger security pin is now unique per container.
==== python-cairo ====
Subpackages: python2-cairo python3-cairo

- Provide python-pycairo symbol to play nice with backporting python stack as new TW contains just this as a proper package name bsc#1142582

==== python-libvirt-python ====
Version update (5.1.0 -> 5.7.0)

- Update to 5.7.0
- Add all new APIs and constants in libvirt 5.7.0
- Update to 5.6.0
- Add all new APIs and constants in libvirt 5.6.0
- Update to 5.5.0
- Add all new APIs and constants in libvirt 5.5.0
- Update to 5.4.0
- Add all new APIs and constants in libvirt 5.4.0
- Update to 5.3.0
- Add all new APIs and constants in libvirt 5.3.0
- Update to 5.2.0
- Add all new APIs and constants in libvirt 5.2.0

==== python-urllib3 ====

- Add missing dependency on python-six (bsc#1150895)
- Update python-urllib3-recent-date.patch to have RECENT_DATE within the needed boundaries for the test suite.
- Add urllib3-disallow-control-chars-in-http-urls.patch (bsc#1132663, CVE-2019-11236, bsc#1129071, CVE-2019-9740)
- Skip test_source_address_error as we raise different error with fixes that we provide in new python2/3
- Add urllib3-cve-2019-11324.patch. Don't load system certs unless there were no CA certs or SSLContext object specified manually.
  (bsc#1132900, CVE-2019-11324)

==== samba ====
Version update (4.9.5+git.176.375e1f05788 -> 4.9.5+git.187.71edee57d5a)
Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr0 libndr0-32bit libnetapi0 libnetapi0-32bit libsamba-credentials0 libsamba-credentials0-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-policy0-python3 libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap2 libsmbldap2-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-libs samba-libs-32bit samba-libs-python samba-libs-python3 samba-python3 samba-winbind samba-winbind-32bit

- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).
- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).
==== yast2 ====
Version update (4.2.20 -> 4.2.21)
Subpackages: yast2-logs

- support reading licenses from tar archive (jsc#SLE-7214)
- 4.2.21

==== yast2-control-center ====
Version update (4.1.7 -> 4.2.2)
Subpackages: yast2-control-center-qt

- Fix appdata for new spec (fate#319035)
- 4.2.2
- Display GenericName and Comment, not Name (boo#1084864)
- 4.2.1
- Change location of appdata and fix it up (fate#319035)
- 4.2.0
- Require libQt5Svg5 to support SVG icons (bsc#1127245)
- 4.1.8

==== yast2-installation ====
Version update (4.2.12 -> 4.2.13)

- do NOT remove /mnt/run, it's a mounted directory (bsc#1149011)
- 4.2.13

==== yast2-network ====
Version update (4.2.11 -> 4.2.12)

- bnc#1149234
  - apply udev rule from AY profile according to device's mac value when permanent_mac is missing in list of the device's options
- bsc#1133442
  - Increased the DHCP timeout when NetworkManager is in use to its default (45 seconds).
- 4.2.12

==== yast2-packager ====
Version update (4.2.24 -> 4.2.25)

- Added Y2Packager::MediumType class for detecting the installation medium type (related to jsc#SLE-7214)
- 4.2.25

==== yast2-schema ====
Version update (4.2.2 -> 4.2.3)

- Ignoring X-SuSE-YaST-AutoInstResourceAliases entries in desktop files while evaluating resources (bsc#1144894).
- 4.2.3

==== yast2-security ====
Version update (4.2.1 -> 4.2.2)

- AY: Supporting user defined permission files like "/etc/permissions.ultra". (bsc#1147173)
- 4.2.2

==== yast2-services-manager ====
Version update (4.2.4 -> 4.2.5)

- Set BaseTargets::GRAPHICAL and Target::GRAPHICAL if package "xdm" will be installed (instead of xorg-x11-server) (bsc#1140735).
- 4.2.5

==== yast2-storage-ng ====
Version update (4.2.36 -> 4.2.38)

- Partitioner: better handling of existing encryptions, including the possibility of reusing them (related to jsc#SLE-7376).
- added translation for new EncryptionType::PLAIN (bsc#1088641)
- 4.2.38
- bind-mount /run from inst-sys to target system during install (bsc#1136463)
- 4.2.37

==== yast2-ycp-ui-bindings ====
Version update (4.1.0 -> 4.2.1)

- added example using scrollbar positions of RichText widget with hyperlinks (bsc#1150498)
- 4.2.1
- added example using scrollbar positions of RichText widget (bsc#1150498)
- 4.2.0

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (1)
-
Ludwig Nussel