Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.1&build=417.2&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.1

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m...
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
  btrfsprogs
  chromium (71.0.3578.98 -> 72.0.3626.96)
  gvfs
  konversation (1.7.4 -> 1.7.5)
  mutter
  patterns-base
  pim-sieve-editor
  python-numpy
  python-python-gnupg (0.4.3 -> 0.4.4)
  wicked (0.6.52 -> 0.6.53)
  zypper (1.14.24 -> 1.14.25)

=== Details ===

==== btrfsprogs ====
Subpackages: btrfsprogs-udev-rules libbtrfs0

- Advise user of fs recovery options when we fail to mount
  (fate#320443, bsc#1122539)
  * Add dracut-fsck-help.txt
  * Add module-setup.sh

==== chromium ====
Version update (71.0.3578.98 -> 72.0.3626.96)

- Update to 72.0.3626.96 bsc#1124936:
  * CVE-2019-5784: Inappropriate implementation in V8
- Provide web_browser so chromium can be installed instead of firefox.
- Update to 72.0.3626.81 bsc#1123641:
  * CVE-2019-5754: Inappropriate implementation in QUIC Networking.
    Reported by Klzgrad on 2018-12-12
  * CVE-2019-5782: Inappropriate implementation in V8.
    Reported by Qixun Zhao of Qihoo 360 Vulcan Team via Tianfu Cup on 2018-11-16
  * CVE-2019-5755: Inappropriate implementation in V8.
    Reported by Jay Bosamiya on 2018-12-10
  * CVE-2019-5756: Use after free in PDFium.
    Reported by Anonymous on 2018-10-14
  * CVE-2019-5757: Type Confusion in SVG.
    Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15
  * CVE-2019-5758: Use after free in Blink.
    Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11
  * CVE-2019-5759: Use after free in HTML select elements.
    Reported by Almog Benin on 2018-12-05
  * CVE-2019-5760: Use after free in WebRTC.
    Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05
  * CVE-2019-5761: Use after free in SwiftShader.
    Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13
  * CVE-2019-5762: Use after free in PDFium.
    Reported by Anonymous on 2018-10-31
  * CVE-2019-5763: Insufficient validation of untrusted input in V8.
    Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13
  * CVE-2019-5764: Use after free in WebRTC.
    Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09
  * CVE-2019-5765: Insufficient policy enforcement in the browser.
    Reported by Sergey Toshin (@bagipro) on 2019-01-16
  * CVE-2019-5766: Insufficient policy enforcement in Canvas.
    Reported by David Erceg on 2018-11-20
  * CVE-2019-5767: Incorrect security UI in WebAPKs.
    Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06
  * CVE-2019-5768: Insufficient policy enforcement in DevTools.
    Reported by Rob Wu on 2018-01-24
  * CVE-2019-5769: Insufficient validation of untrusted input in Blink.
    Reported by Guy Eshel on 2018-12-11
  * CVE-2019-5770: Heap buffer overflow in WebGL.
    Reported by hemidallt@ on 2018-11-27
  * CVE-2019-5771: Heap buffer overflow in SwiftShader.
    Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12
  * CVE-2019-5772: Use after free in PDFium.
    Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26
  * CVE-2019-5773: Insufficient data validation in IndexedDB.
    Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2018-12-24
  * CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing.
    Reported by Junghwan Kang (ultract) and Juno Im on 2018-11-11
  * CVE-2019-5775: Insufficient policy enforcement in Omnibox.
    Reported by evi1m0 of Bilibili Security Team on 2018-10-18
  * CVE-2019-5776: Insufficient policy enforcement in Omnibox.
    Reported by Lnyas Zhang on 2018-07-14
  * CVE-2019-5777: Insufficient policy enforcement in Omnibox.
    Reported by Khalil Zhani on 2018-06-04
  * CVE-2019-5778: Insufficient policy enforcement in Extensions.
    Reported by David Erceg on 2019-01-02
  * CVE-2019-5779: Insufficient policy enforcement in ServiceWorker.
    Reported by David Erceg on 2018-11-11
  * CVE-2019-5780: Insufficient policy enforcement.
    Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03
  * CVE-2019-5781: Insufficient policy enforcement in Omnibox.
    Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- Added patches:
  * chromium-crashpad-fix_aarch64.patch
  * chromium-fix_swiftshader.patch
  * chromium-webrtc-includes.patch
- Obsoleted patches:
  * chromium-gcc8-alignof.patch
  * chromium-initialize-list.patch
- Updated patches:
  * chromium-dma-buf.patch
  * chromium-non-void-return.patch
  * chromium-skia-system-fontconfig.patch
  * chromium-system-icu.patch
  * chromium-vaapi.patch
- Try to reduce constraints to avoid being so much just in
  scheduled state

==== gvfs ====
Subpackages: gvfs-backend-afc gvfs-backend-samba gvfs-backends gvfs-fuse gvfs-lang

- Add gvfs-CVE-2019-3827.patch: Prevent access if any
  authentication agent isn't available (glgo#GNOME/gvfs#355,
  bsc#1125084, CVE-2019-3827).

==== konversation ====
Version update (1.7.4 -> 1.7.5)
Subpackages: konversation-lang

- Update to 1.7.5:
  * Fixed building against Qt 5.11.
- Drop fix-build-qt-5.11.patch, merged upstream

==== mutter ====
Subpackages: libmutter-1-0 mutter-data mutter-lang

- Add mutter-keybindings-Super-should-be-inhibitable.patch: when a
  Wayland client issues a shortcut inhibit request which is granted
  by the user, the Super key should be passed to the surface instead
  of being handled by the compositor (bgo#790627, bsc#1120372).
- Add mutter-xwayland-Don-t-abort-if-Xwayland-crashes.patch: make
  mutter exit instead of crash if Xwayland goes away unexpectedly.
  upstream commit 2d80fd (glgo#GNOME/mutter!76).

==== patterns-base ====
Subpackages: patterns-base-32bit patterns-base-apparmor
  patterns-base-apparmor-32bit patterns-base-apparmor_opt
  patterns-base-base patterns-base-base-32bit patterns-base-basesystem
  patterns-base-console patterns-base-enhanced_base
  patterns-base-enhanced_base-32bit patterns-base-enhanced_base_opt
  patterns-base-minimal_base patterns-base-minimal_base-32bit
  patterns-base-sw_management patterns-base-sw_management-32bit
  patterns-base-transactional_base patterns-base-update_test
  patterns-base-x11 patterns-base-x11-32bit patterns-base-x11_enhanced
  patterns-base-x11_enhanced-32bit patterns-base-x11_opt

- Add busybox-static to Minimal system so people can recover
  really broken systems

==== pim-sieve-editor ====
Subpackages: pim-sieve-editor-lang

- Remove unneeded build requirements

==== python-numpy ====

- bsc#1122208 add CVE-2019-6446_numpy_load.patch fixing
  gh#numpy/numpy#12759 numpy.load() has functionality which allows
  loading pickle with potentially insecure code.

==== python-python-gnupg ====
Version update (0.4.3 -> 0.4.4)

- Enable tests
- Update to 0.4.4:
  * Changed how any return value from the ``on_data`` callable is
    processed. In earlier versions, the return value was ignored. In
    this version, if the return value is ``False``, the data received
    from ``gpg`` is not buffered. Otherwise (if the value is ``None``
    or ``True``, for example), the data is buffered as normal.
    This functionality can be used to do your own buffering, or to
    prevent buffering altogether. The ``on_data`` callable is also
    called once with an empty byte-string to signal the end of data
    from ``gpg``.
  * Added an additional attribute ``check_fingerprint_collisions`` to
    ``GPG`` instances, which defaults to ``False``. It seems that
    ``gpg`` is happy to have duplicate keys and fingerprints in a
    keyring, so we can't be too strict. A user can set this attribute
    of an instance to ``True`` to trigger a check for collisions.
  * With GnuPG 2.2.7 or later, provide the fingerprint of a signing
    key for a failed signature verification, if available.
  * For verification where multiple signatures are involved, a
    mapping of signature_ids to fingerprint, keyid, username, creation
    date, creation timestamp and expiry timestamp is provided.
  * Added a check to disallow certain control characters
    ('\r', '\n', NUL) in passphrases (CVE-2019-6690 bsc#1123498)
- Remove superfluous devel dependency for noarch package

==== wicked ====
Version update (0.6.52 -> 0.6.53)
Subpackages: libwicked-0-6 wicked-service

- version 0.6.53
- dhcp: request hostname/fqdn option in the tester (bsc#1118378)
- build: link with relro by default for binary hardening

==== zypper ====
Version update (1.14.24 -> 1.14.25)
Subpackages: zypper-aptitude zypper-log

- Fix installing plain rpm files with `zypper in` (bsc#1124897)
- Show only required info in the summary in quiet mode (bsc#993025)
- version 1.14.25

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org