[opensuse-factory] Leap 15.1 Build 441.4 released!

2 Apr 2019

      Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.1&build=441.4&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.1

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m...
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
  ImageMagick
  LibVNCServer
  NetworkManager
  chromium (72.0.3626.121 -> 73.0.3683.75)
  dracut (044.1 -> 044.2)
  gd
  gnome-control-center
  kwalletmanager5
  libcaca
  liblouis
  libmspack
  libnettle (3.4 -> 3.4.1)
  libstorage-ng (4.1.102 -> 4.1.103)
  libzypp (17.11.2 -> 17.11.3)
  open-vm-tools (10.3.5 -> 10.3.10)
  rpm
  sqlite3 (3.23.1 -> 3.27.2)
  tiff
  timezone (2018i -> 2019a)
  timezone-java (2018i -> 2019a)
  transactional-update (2.13.1 -> 2.14.1)
  translation-update
  wavpack
  xfce4-screenshooter (1.9.4 -> 1.9.5)
  yast2 (4.1.66 -> 4.1.67)
  yast2-bootloader (4.1.22 -> 4.1.23)
  yast2-firewall (4.1.10 -> 4.1.11)
  yast2-iscsi-client (4.1.6 -> 4.1.7)
  yast2-packager (4.1.33 -> 4.1.35)
  yast2-printer (4.1.0 -> 4.1.1)
  yast2-storage-ng (4.1.75 -> 4.1.77)
  zypper (1.14.26 -> 1.14.27)

=== Details ===

==== ImageMagick ====
Subpackages: libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI6 libMagickWand-7_Q16HDRI6

- security update
- added patches
  CVE-2019-7175 [bsc#1128649]
  + ImageMagick-CVE-2019-7175.patch
- security update (pdf.c):
  * CVE-2019-7397 [bsc#1124366]
    + ImageMagick-CVE-2019-7397.patch
- security update (psd.c):
  * CVE-2019-7395 [bsc#1124368]
    + ImageMagick-CVE-2019-7395.patch
- security update (sixel.c):
  * CVE-2019-7396 [bsc#1124367]
    + ImageMagick-CVE-2019-7396.patch
- security update (dib.c)
  * CVE-2019-7398 [bsc#1124365]
    + ImageMagick-CVE-2019-7398.patch
- clamp after edge [bsc#1106415]
  + ImageMagick-clamp-after-edge.patch
- security update (bmp.c):
  * CVE-2018-20467 [bsc#1120381]
    + ImageMagick-CVE-2018-20467.patch
- security update (msl.c):
  * CVE-2018-18544 [bsc#1113064]
    + ImageMagick-CVE-2018-18544.patch
- asan_build: build ASAN included
- debug_build: build more suitable for debugging

==== LibVNCServer ====

- Add BuildRequire libgnutls-devel: Remmina needs it for VNC
  connections (boo#1123805)

==== NetworkManager ====
Subpackages: NetworkManager-lang libnm-glib-vpn1 libnm-glib4 libnm-util2 libnm0 typelib-1_0-NM-1_0 typelib-1_0-NMClient-1_0 typelib-1_0-NetworkManager-1_0

- Modify NM-add-wifi-scan-polkit-rule.patch: Use polkit action
  "org.freedesktop.NetworkManager.wifi.scan" instead of
  "org.freedesktop.NetworkManager.wifi-scan" to sync with upstream
  (bsc#1128560).

==== chromium ====
Version update (72.0.3626.121 -> 73.0.3683.75)

- Update to 73.0.3683.75 bsc#1129059:
  * CVE-2019-5787: Use after free in Canvas.
  * CVE-2019-5788: Use after free in FileAPI.
  * CVE-2019-5789: Use after free in WebMIDI.
  * CVE-2019-5790: Heap buffer overflow in V8.
  * CVE-2019-5791: Type confusion in V8.
  * CVE-2019-5792: Integer overflow in PDFium.
  * CVE-2019-5793: Excessive permissions for private API in Extensions.
  * CVE-2019-5794: Security UI spoofing.
  * CVE-2019-5795: Integer overflow in PDFium.
  * CVE-2019-5796: Race condition in Extensions.
  * CVE-2019-5797: Race condition in DOMStorage.
  * CVE-2019-5798: Out of bounds read in Skia.
  * CVE-2019-5799: CSP bypass with blob URL.
  * CVE-2019-5800: CSP bypass with blob URL.
  * CVE-2019-5801: Incorrect Omnibox display on iOS.
  * CVE-2019-5802: Security UI spoofing.
  * CVE-2019-5803: CSP bypass with Javascript URLs'.
  * CVE-2019-5804: Command line command injection on Windows.
- Update patches:
  * chromium-buildname.patch
  * chromium-non-void-return.patch
  * chromium-old-glibc.patch
  * chromium-old-libva.patch
  * chromium-vaapi.patch
- Removed patches:
  * chromium-crashpad-fix_aarch64.patch
  * chromium-webrtc-includes.patch
- Added patches:
  * chromium-gcc.patch
  * chromium-fix_crashpad.patch

==== dracut ====
Version update (044.1 -> 044.2)

- Bump version to 044.2 to provide a version to lock on to (bsc#1127891)
- Check SUSE kernel module dependencies recursively (bsc#1127891)
  * adds 0594-Check-SUSE-kernel-module-dependencies-recursively.patch
- Avoid "Failed to chown ... Operation not permitted" when run from non-root,
  by not copying xattrs. (osc#1092178)
  * adds 0593-dracut-only-copy-xattr-if-root.patch
- Handle non-versioned dependency in purge-kernels.

==== gd ====

- security update
  * CVE-2019-6978 [bsc#1123522]
    + gd-CVE-2019-6978.patch
  * CVE-2019-6977 [bsc#1123361]
    + gd-CVE-2019-6977.patch

==== gnome-control-center ====
Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-lang gnome-control-center-user-faces

- Modify gnome-control-center-bring-back-firewall-zone.patch,
  Add control-center-network-fix-ce-apply-button.patch:
  network: disable the "Apply" button until a change has been made
  (glgo#GNOME/gnome-control-center!402 bsc#1040054).

==== kwalletmanager5 ====
Subpackages: kwalletmanager5-lang

- Provide/Obsolete kwalletmanager, it can access the KDE4 kwallet
  too since a while

==== libcaca ====

- Prevent overflow of arithmetic of large (unsigned) ints by
  * declaring fields as size_t
  * casting intermediate results to uint64_t
  [CVE-2018-20544, bsc#1120502,
  CVE-2018-20545, bsc#1120584,
  CVE-2018-20546, bsc#1120503,
  CVE-2018-20547, bsc#1120504,
  CVE-2018-20548, bsc#1120589,
  CVE-2018-20549, bsc#1120470,
  libcaca-prevent-overflow.patch]

==== liblouis ====
Subpackages: liblouis-data liblouis14 python3-louis

- Add CVE-2018-17294.patch: fix a buffer overflow translating
  strings, backported from upstream (boo#1109319 CVE-2018-17294).
- Add several security fixes:
  CVE-2018-11410.patch (boo#1094685 CVE-2018-11410)
  CVE-2018-11440.patch (boo#1095189 CVE-2018-11440)
  CVE-2018-11577.patch (boo#1095945 CVE-2018-11577)
  CVE-2018-11683.patch (boo#1095827 CVE-2018-11683)
  CVE-2018-11684.patch (boo#1095826 CVE-2018-11684)
  CVE-2018-11685.patch (boo#1095825 CVE-2018-11685)
  CVE-2018-12085.patch (boo#1097103 CVE-2018-12085)

==== libmspack ====

- Added patches:
  * libmspack-resize-buffer.patch -- CAB block input buffer is one
    byte too small for maximal Quantum block.
  * libmspack-fix-bounds-checking.patch --  Fix off-by-one bounds
    check on CHM PMGI/PMGL chunk numbers and reject empty filenames.
  * libmspack-reject-blank-filenames.patch -- Avoid returning CHM
    file entries that are "blank" because they have embedded null
    bytes.
  * (the last two patches were modified by removing unneeded part
    in order to make them more independent)
- Fixed bugs:
  * CVE-2018-18584 (bsc#1113038)
  * CVE-2018-18585 (bsc#1113039)

==== libnettle ====
Version update (3.4 -> 3.4.1)
Subpackages: libhogweed4 libhogweed4-32bit libnettle6 libnettle6-32bit

- Update to 3.4.1 - FATE#327114 (bsc#1129598)
  * Fix CVE-2018-16869 (bsc#1118086)
    libnettle-CVE-2018-16869-3.4.patch (removed)
    All functions using RSA private keys are now side-channel
    silent, meaning that they try hard to avoid any branches or
    memory accesses depending on secret data. This applies both to
    the bignum calculations, which now use GMP's mpn_sec_* family
    of functions, and the processing of PKCS#1 padding needed for
    RSA decryption.
  * Changes in behavior:
    The functions rsa_decrypt and rsa_decrypt_tr may now clobber
    all of the provided message buffer, independent of the
    actual message length. They are side-channel silent, in that
    branches and memory accesses don't depend on the validity or
    length of the message. Side-channel leakage from the
    caller's use of length and return value may still provide an
    oracle useable for a Bleichenbacher-style chosen ciphertext
    attack. Which is why the new function rsa_sec_decrypt is
    recommended.
  * New features:
    A new function rsa_sec_decrypt.
  * Bug fixes:
  - Fix bug in pkcs1-conv, missing break statements in the
    parsing of PEM input files.
  - Fix link error on the pss-mgf1-test test, affecting builds
    without public key support.

==== libstorage-ng ====
Version update (4.1.102 -> 4.1.103)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Arabic)
- Translated using Weblate (Catalan)
- Translated using Weblate (Chinese (China))
- Translated using Weblate (Chinese (Taiwan))
- Translated using Weblate (Czech)
- Translated using Weblate (Dutch)
- Translated using Weblate (French)
- Translated using Weblate (German)
- Translated using Weblate (Hungarian)
- Translated using Weblate (Italian)
- Translated using Weblate (Japanese)
- Translated using Weblate (Korean)
- Translated using Weblate (Polish)
- Translated using Weblate (Portuguese (Brazil))
- Translated using Weblate (Russian)
- Translated using Weblate (Slovak)
- Translated using Weblate (Spanish)
- Translated using Weblate (Swedish)
- 4.1.103

==== libzypp ====
Version update (17.11.2 -> 17.11.3)

- KeyManager: Work around bsc#1127220 [libgpgme] no error upon
  incomplete import due to signal received.
- MediaCurl: add hint to check SCC for an expired regcode on
  http error 403 (bsc#965786)
- version 17.11.3 (9)

==== open-vm-tools ====
Version update (10.3.5 -> 10.3.10)
Subpackages: libvmtools0 open-vm-tools-desktop

- Update to 10.3.10 (build 12406962) (boo#1130898)
  + Resolved - In certain cases, quiesced snapshots on Linux guests do not
    include backup manifests.
- Drop unnecessary patch:
  - include_log_h_for_g_info.patch
  - no_manifest_on_aborted_snapshot.patch
  - send_vmbackup_event_generic_manifest.patch
  - vmtoolsd_bailout_on_rpc_errors.patch

==== rpm ====
Subpackages: rpm-32bit

- Backport changelog cutoff date change from Factory (bnc#1129753)
  modified: macrosin.diff
- Translate dashes to underscores in kmod provides (FATE#326579,
    jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
  refresh: findksyms.diff
  add: find-provides.ksyms, find-requires.ksyms
- Re-add symset-table from SLE 12 (bsc#1126327).
  add: symset-table

==== sqlite3 ====
Version update (3.23.1 -> 3.27.2)
Subpackages: libsqlite3-0

- CVE-2018-20346, bsc#1119687: Upgrade to the most recent version
  to fix a remote code execution vulnerability in FTS3 (Magellan).
- Drop sqlite-fts5-link.patch and do it in the spec file instead.
- Version 3.27.2:
  * Add the VACUUM INTO command
  * Issue an SQLITE_WARNING message on the error log if a
    double-quoted string literal is used
  * Add the remove_diacritics=2 option to FTS3 and FTS5.
  * Add  the SQLITE_PREPARE_NO_VTAB option to sqlite3_prepare_v3().
    Use that option to prevent circular references to shadow tables
    from causing resource leaks.
  * Enhancements to the sqlite3_deserialize() interface
  * Enhancements to the CLI, mostly to support testing and debugging
    of the SQLite library itself
  * Increased robustness against malicious SQL that is run against
    a maliciously corrupted database
- Version 3.26.0:
  * Optimization: When doing an UPDATE on a table with indexes on
    expressions, do not update the expression indexes if they do
    not refer to any of the columns of the table being updated.
  * Allow the xBestIndex() method of virtual table implementations
    to return SQLITE_CONSTRAINT to indicate that the proposed query
    plan is unusable and should not be given further consideration.
  * Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the
    ability to create corrupt database files using ordinary SQL.
  * Added support for read-only shadow tables when the
    SQLITE_DBCONFIG_DEFENSIVE option is enabled.
  * Added the PRAGMA legacy_alter_table command, which if enabled
    causes the ALTER TABLE command to behave like older version of
    SQLite (prior to version 3.25.0) for compatibility.
  * Added PRAGMA table_xinfo that works just like PRAGMA table_info
    except that it also shows hidden columns in virtual tables.
  * Added the explain virtual table as a run-time loadable
    extension.
  * Add a limit counter to the query planner to prevent excessive
    sqlite3_prepare() times for certain pathological SQL inputs.
  * Added support for the sqlite3_normalized_sql() interface, when
    compiling with SQLITE_ENABLE_NORMALIZE.
  * Enhanced triggers so that they can use table-valued functions
    that exist in schemas other than the schema where the trigger
    is defined.
  * Improvements to the ".help" command in the CLI.
  * The SQLITE_HISTORY environment variable, if it exists,
    specifies the name of the command-line editing history file.
  * The --deserialize option associated with opening a new database
    in the CLI cause the database file to be read into memory and
    accessed using the sqlite3_deserialize() API. This simplifies
    running tests on a database without modifying the file on disk.
- Version 3.25.2:
  * Add the PRAGMA legacy_alter_table=ON command that causes the
    "ALTER TABLE RENAME" command to behave as in 3.24.0 and earlier
  * Fix issue with some expressions with windows functions in views
- Version 3.25.1:
  * Avoid false-positive error checks on ALTER TABLE
  * Further ORDER BY LIMIT optimization fixes for window functions
- Version 3.25.0:
  * Add support for window functions
  * Add support for renaming columns within a table
  * Query optimizer improvements
  * slightly better concurrency in multi-threaded environments
  * The ORDER BY LIMIT optimization might have caused an infinite
    loop in the byte code of the prepared statement under very
    obscure circumstances, due to a confluence of minor defects in
    the query optimizer
- Version 3.24.0:
  * Add support for PostgreSQL-style UPSERT
  * Add support for auxiliary columns in r-tree tables
  * Add C-language APIs for discovering SQL keywords used by SQLite
  * Add C-language APIs for dynamic strings based on sqlite3_str
  * Enhance ALTER TABLE so that it recognizes "true" and "false" as
    valid arguments to DEFAULT
  * Add the sorter-reference optimization as a compile-time option
  * Improve the format of the EXPLAIN QUERY PLAN raw output, so that
  it gives better information about the query plan and about the
    relationships between the various components of the plan
  * Added the SQLITE_DBCONFIG_RESET_DATABASE option to the
    sqlite3_db_config() API.
  * Automatically intercept the raw EXPLAIN QUERY PLAN output an
    reformat it into an ASCII-art graph.
  * Lines that begin with "#" and that are not in the middle of an
    SQL statement are interpreted as comments
  * Add the --append option to the ".backup" command
  * Add the ".dbconfig" command
  * various performance improvements
  * various bug fixes

==== tiff ====

- security update
  * CVE-2019-7663 [bsc#1125113]
    + tiff-CVE-2019-7663.patch
- security update
  * CVE-2019-6128 [bsc#1121626]
    + tiff-CVE-2019-6128.patch
- extend tiff-CVE-2018-19210.patch and rename it to
  tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
  * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]

==== timezone ====
Version update (2018i -> 2019a)

- timezone update 2019a:
  * Palestine "springs forward" on 2019-03-30 instead of 2019-03-23
  * Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at
    02:00
  * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
  * zic now has an -r option to limit the time range of output data

==== timezone-java ====
Version update (2018i -> 2019a)

- timezone update 2019a:
  * Palestine "springs forward" on 2019-03-30 instead of 2019-03-23
  * Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at
    02:00
  * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
  * zic now has an -r option to limit the time range of output data

==== transactional-update ====
Version update (2.13.1 -> 2.14.1)
Subpackages: transactional-update-zypp-config

- Update to version 2.14.1
  - Improve non-root fs changes checker based on feedback
  - Disable snapper's zypper plugin during transactional-update run
- Allow parallel installation with snapper's zypper plugin (useful on
  read-write systems).
- Update to version 2.14
  - Warn user if contents of /var have been changed during update
  - Noteworthy: swapped position of upperdir and lowerdir in fstab for better
    readability
  - Major update to the transactional-update guide
- Update to version 2.13.2
  - add hooks for telemetrics

==== translation-update ====
Subpackages: translation-update-ar translation-update-bg translation-update-ca translation-update-cs translation-update-da translation-update-de translation-update-el translation-update-en_GB translation-update-en_US translation-update-eo translation-update-es translation-update-et translation-update-fa translation-update-fi translation-update-fr translation-update-hu translation-update-id translation-update-it translation-update-ja translation-update-ko translation-update-lt translation-update-nb translation-update-nl translation-update-pl translation-update-pt translation-update-pt_BR translation-update-ru translation-update-sk translation-update-sl translation-update-sv translation-update-uk translation-update-zh_CN translation-update-zh_TW

- Refresh from
  translation-update-from-translation-update-upstream-20190327.tar.bz2:
  * Translation updates.
  * Adds 2 language subpackages.

==== wavpack ====

- Fix denial-of-service (resource exhaustion caused by an infinite
  loop; bsc#1120930, CVE-2018-19840, CVE-2018-19840.patch).
- Fix denial-of-service (out-of-bounds read and application crash;
  bsc#1120929, CVE-2018-19841, CVE-2018-19841.patch).

==== xfce4-screenshooter ====
Version update (1.9.4 -> 1.9.5)
Subpackages: xfce4-screenshooter-lang

- Update to version 1.9.5
  * Bug fixed:
  - Panel plugin: allow it to save files (bxo#15187)

==== yast2 ====
Version update (4.1.66 -> 4.1.67)
Subpackages: yast2-logs

- Firewall: Zone name has been removed from the common attributes
  declaration as it cannot be modified through the firewalld API.
  (bsc#1130354)
- 4.1.67

==== yast2-bootloader ====
Version update (4.1.22 -> 4.1.23)

- Removed double "smt" entry from *.rnc file (bsc#1128707).
- 4.1.23

==== yast2-firewall ====
Version update (4.1.10 -> 4.1.11)

- Autoyast: Export zone name explicitly as it has been removed from
  the common attributes list (bsc#1130354)
- Fixed textdomain names
- 4.1.11

==== yast2-iscsi-client ====
Version update (4.1.6 -> 4.1.7)

- further fixes of iscsiadm output parsing (bsc#1129946)
- 4.1.7

==== yast2-packager ====
Version update (4.1.33 -> 4.1.35)

- Fix malformed rpm commands (bsc#1129422).
- 4.1.35
- Use correct method name mount_path, not nonexistent mountpoint
  (bsc#1130287)
- 4.1.34

==== yast2-printer ====
Version update (4.1.0 -> 4.1.1)

- Security hardening (bsc#1118291)
- 4.1.1

==== yast2-storage-ng ====
Version update (4.1.75 -> 4.1.77)

- Improve unit tests: mocking architecture for Bcache is not needed
  anymore (fix regression tests for bsc#1129787).
- 4.1.77
- Fix boot disk detection (bsc#1129787).
- 4.1.76

==== zypper ====
Version update (1.14.26 -> 1.14.27)
Subpackages: zypper-aptitude zypper-log zypper-needs-restarting

- Add Requires: libaugeas0 >= 1.10.0 (fixes #265)
- bash-completion: add package completion for addlock (bsc#1047962)
- bash-completion: fix incorrect detection of command names (bsc#1049826)
- version 1.14.27

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Ludwig Nussel

tags

participants (1)