Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.1&buil... https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&qu... When you reply to discuss some issues, make sure to change the subject. Please use the test plan at https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m... to record your testing efforts and use bugzilla to report bugs. Packages changed: ImageMagick LibVNCServer NetworkManager chromium (72.0.3626.121 -> 73.0.3683.75) dracut (044.1 -> 044.2) gd gnome-control-center kwalletmanager5 libcaca liblouis libmspack libnettle (3.4 -> 3.4.1) libstorage-ng (4.1.102 -> 4.1.103) libzypp (17.11.2 -> 17.11.3) open-vm-tools (10.3.5 -> 10.3.10) rpm sqlite3 (3.23.1 -> 3.27.2) tiff timezone (2018i -> 2019a) timezone-java (2018i -> 2019a) transactional-update (2.13.1 -> 2.14.1) translation-update wavpack xfce4-screenshooter (1.9.4 -> 1.9.5) yast2 (4.1.66 -> 4.1.67) yast2-bootloader (4.1.22 -> 4.1.23) yast2-firewall (4.1.10 -> 4.1.11) yast2-iscsi-client (4.1.6 -> 4.1.7) yast2-packager (4.1.33 -> 4.1.35) yast2-printer (4.1.0 -> 4.1.1) yast2-storage-ng (4.1.75 -> 4.1.77) zypper (1.14.26 -> 1.14.27) === Details === ==== ImageMagick ==== Subpackages: libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI6 libMagickWand-7_Q16HDRI6 - security update - added patches CVE-2019-7175 [bsc#1128649] + ImageMagick-CVE-2019-7175.patch - security update (pdf.c): * CVE-2019-7397 [bsc#1124366] + ImageMagick-CVE-2019-7397.patch - security update (psd.c): * CVE-2019-7395 [bsc#1124368] + ImageMagick-CVE-2019-7395.patch - security update (sixel.c): * CVE-2019-7396 [bsc#1124367] + ImageMagick-CVE-2019-7396.patch - security update (dib.c) * CVE-2019-7398 [bsc#1124365] + ImageMagick-CVE-2019-7398.patch - clamp after edge [bsc#1106415] + ImageMagick-clamp-after-edge.patch - security update (bmp.c): * CVE-2018-20467 [bsc#1120381] + ImageMagick-CVE-2018-20467.patch - security update (msl.c): * CVE-2018-18544 [bsc#1113064] + ImageMagick-CVE-2018-18544.patch - asan_build: build ASAN included - debug_build: build more suitable for debugging ==== LibVNCServer ==== - Add BuildRequire libgnutls-devel: Remmina needs it for VNC connections (boo#1123805) ==== NetworkManager ==== Subpackages: NetworkManager-lang libnm-glib-vpn1 libnm-glib4 libnm-util2 libnm0 typelib-1_0-NM-1_0 typelib-1_0-NMClient-1_0 typelib-1_0-NetworkManager-1_0 - Modify NM-add-wifi-scan-polkit-rule.patch: Use polkit action "org.freedesktop.NetworkManager.wifi.scan" instead of "org.freedesktop.NetworkManager.wifi-scan" to sync with upstream (bsc#1128560). ==== chromium ==== Version update (72.0.3626.121 -> 73.0.3683.75) - Update to 73.0.3683.75 bsc#1129059: * CVE-2019-5787: Use after free in Canvas. * CVE-2019-5788: Use after free in FileAPI. * CVE-2019-5789: Use after free in WebMIDI. * CVE-2019-5790: Heap buffer overflow in V8. * CVE-2019-5791: Type confusion in V8. * CVE-2019-5792: Integer overflow in PDFium. * CVE-2019-5793: Excessive permissions for private API in Extensions. * CVE-2019-5794: Security UI spoofing. * CVE-2019-5795: Integer overflow in PDFium. * CVE-2019-5796: Race condition in Extensions. * CVE-2019-5797: Race condition in DOMStorage. * CVE-2019-5798: Out of bounds read in Skia. * CVE-2019-5799: CSP bypass with blob URL. * CVE-2019-5800: CSP bypass with blob URL. * CVE-2019-5801: Incorrect Omnibox display on iOS. * CVE-2019-5802: Security UI spoofing. * CVE-2019-5803: CSP bypass with Javascript URLs'. * CVE-2019-5804: Command line command injection on Windows. - Update patches: * chromium-buildname.patch * chromium-non-void-return.patch * chromium-old-glibc.patch * chromium-old-libva.patch * chromium-vaapi.patch - Removed patches: * chromium-crashpad-fix_aarch64.patch * chromium-webrtc-includes.patch - Added patches: * chromium-gcc.patch * chromium-fix_crashpad.patch ==== dracut ==== Version update (044.1 -> 044.2) - Bump version to 044.2 to provide a version to lock on to (bsc#1127891) - Check SUSE kernel module dependencies recursively (bsc#1127891) * adds 0594-Check-SUSE-kernel-module-dependencies-recursively.patch - Avoid "Failed to chown ... Operation not permitted" when run from non-root, by not copying xattrs. (osc#1092178) * adds 0593-dracut-only-copy-xattr-if-root.patch - Handle non-versioned dependency in purge-kernels. ==== gd ==== - security update * CVE-2019-6978 [bsc#1123522] + gd-CVE-2019-6978.patch * CVE-2019-6977 [bsc#1123361] + gd-CVE-2019-6977.patch ==== gnome-control-center ==== Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-lang gnome-control-center-user-faces - Modify gnome-control-center-bring-back-firewall-zone.patch, Add control-center-network-fix-ce-apply-button.patch: network: disable the "Apply" button until a change has been made (glgo#GNOME/gnome-control-center!402 bsc#1040054). ==== kwalletmanager5 ==== Subpackages: kwalletmanager5-lang - Provide/Obsolete kwalletmanager, it can access the KDE4 kwallet too since a while ==== libcaca ==== - Prevent overflow of arithmetic of large (unsigned) ints by * declaring fields as size_t * casting intermediate results to uint64_t [CVE-2018-20544, bsc#1120502, CVE-2018-20545, bsc#1120584, CVE-2018-20546, bsc#1120503, CVE-2018-20547, bsc#1120504, CVE-2018-20548, bsc#1120589, CVE-2018-20549, bsc#1120470, libcaca-prevent-overflow.patch] ==== liblouis ==== Subpackages: liblouis-data liblouis14 python3-louis - Add CVE-2018-17294.patch: fix a buffer overflow translating strings, backported from upstream (boo#1109319 CVE-2018-17294). - Add several security fixes: CVE-2018-11410.patch (boo#1094685 CVE-2018-11410) CVE-2018-11440.patch (boo#1095189 CVE-2018-11440) CVE-2018-11577.patch (boo#1095945 CVE-2018-11577) CVE-2018-11683.patch (boo#1095827 CVE-2018-11683) CVE-2018-11684.patch (boo#1095826 CVE-2018-11684) CVE-2018-11685.patch (boo#1095825 CVE-2018-11685) CVE-2018-12085.patch (boo#1097103 CVE-2018-12085) ==== libmspack ==== - Added patches: * libmspack-resize-buffer.patch -- CAB block input buffer is one byte too small for maximal Quantum block. * libmspack-fix-bounds-checking.patch -- Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames. * libmspack-reject-blank-filenames.patch -- Avoid returning CHM file entries that are "blank" because they have embedded null bytes. * (the last two patches were modified by removing unneeded part in order to make them more independent) - Fixed bugs: * CVE-2018-18584 (bsc#1113038) * CVE-2018-18585 (bsc#1113039) ==== libnettle ==== Version update (3.4 -> 3.4.1) Subpackages: libhogweed4 libhogweed4-32bit libnettle6 libnettle6-32bit - Update to 3.4.1 - FATE#327114 (bsc#1129598) * Fix CVE-2018-16869 (bsc#1118086) libnettle-CVE-2018-16869-3.4.patch (removed) All functions using RSA private keys are now side-channel silent, meaning that they try hard to avoid any branches or memory accesses depending on secret data. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. * Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. * New features: A new function rsa_sec_decrypt. * Bug fixes: - Fix bug in pkcs1-conv, missing break statements in the parsing of PEM input files. - Fix link error on the pss-mgf1-test test, affecting builds without public key support. ==== libstorage-ng ==== Version update (4.1.102 -> 4.1.103) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Arabic) - Translated using Weblate (Catalan) - Translated using Weblate (Chinese (China)) - Translated using Weblate (Chinese (Taiwan)) - Translated using Weblate (Czech) - Translated using Weblate (Dutch) - Translated using Weblate (French) - Translated using Weblate (German) - Translated using Weblate (Hungarian) - Translated using Weblate (Italian) - Translated using Weblate (Japanese) - Translated using Weblate (Korean) - Translated using Weblate (Polish) - Translated using Weblate (Portuguese (Brazil)) - Translated using Weblate (Russian) - Translated using Weblate (Slovak) - Translated using Weblate (Spanish) - Translated using Weblate (Swedish) - 4.1.103 ==== libzypp ==== Version update (17.11.2 -> 17.11.3) - KeyManager: Work around bsc#1127220 [libgpgme] no error upon incomplete import due to signal received. - MediaCurl: add hint to check SCC for an expired regcode on http error 403 (bsc#965786) - version 17.11.3 (9) ==== open-vm-tools ==== Version update (10.3.5 -> 10.3.10) Subpackages: libvmtools0 open-vm-tools-desktop - Update to 10.3.10 (build 12406962) (boo#1130898) + Resolved - In certain cases, quiesced snapshots on Linux guests do not include backup manifests. - Drop unnecessary patch: - include_log_h_for_g_info.patch - no_manifest_on_aborted_snapshot.patch - send_vmbackup_event_generic_manifest.patch - vmtoolsd_bailout_on_rpc_errors.patch ==== rpm ==== Subpackages: rpm-32bit - Backport changelog cutoff date change from Factory (bnc#1129753) modified: macrosin.diff - Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414). refresh: findksyms.diff add: find-provides.ksyms, find-requires.ksyms - Re-add symset-table from SLE 12 (bsc#1126327). add: symset-table ==== sqlite3 ==== Version update (3.23.1 -> 3.27.2) Subpackages: libsqlite3-0 - CVE-2018-20346, bsc#1119687: Upgrade to the most recent version to fix a remote code execution vulnerability in FTS3 (Magellan). - Drop sqlite-fts5-link.patch and do it in the spec file instead. - Version 3.27.2: * Add the VACUUM INTO command * Issue an SQLITE_WARNING message on the error log if a double-quoted string literal is used * Add the remove_diacritics=2 option to FTS3 and FTS5. * Add the SQLITE_PREPARE_NO_VTAB option to sqlite3_prepare_v3(). Use that option to prevent circular references to shadow tables from causing resource leaks. * Enhancements to the sqlite3_deserialize() interface * Enhancements to the CLI, mostly to support testing and debugging of the SQLite library itself * Increased robustness against malicious SQL that is run against a maliciously corrupted database - Version 3.26.0: * Optimization: When doing an UPDATE on a table with indexes on expressions, do not update the expression indexes if they do not refer to any of the columns of the table being updated. * Allow the xBestIndex() method of virtual table implementations to return SQLITE_CONSTRAINT to indicate that the proposed query plan is unusable and should not be given further consideration. * Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL. * Added support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled. * Added the PRAGMA legacy_alter_table command, which if enabled causes the ALTER TABLE command to behave like older version of SQLite (prior to version 3.25.0) for compatibility. * Added PRAGMA table_xinfo that works just like PRAGMA table_info except that it also shows hidden columns in virtual tables. * Added the explain virtual table as a run-time loadable extension. * Add a limit counter to the query planner to prevent excessive sqlite3_prepare() times for certain pathological SQL inputs. * Added support for the sqlite3_normalized_sql() interface, when compiling with SQLITE_ENABLE_NORMALIZE. * Enhanced triggers so that they can use table-valued functions that exist in schemas other than the schema where the trigger is defined. * Improvements to the ".help" command in the CLI. * The SQLITE_HISTORY environment variable, if it exists, specifies the name of the command-line editing history file. * The --deserialize option associated with opening a new database in the CLI cause the database file to be read into memory and accessed using the sqlite3_deserialize() API. This simplifies running tests on a database without modifying the file on disk. - Version 3.25.2: * Add the PRAGMA legacy_alter_table=ON command that causes the "ALTER TABLE RENAME" command to behave as in 3.24.0 and earlier * Fix issue with some expressions with windows functions in views - Version 3.25.1: * Avoid false-positive error checks on ALTER TABLE * Further ORDER BY LIMIT optimization fixes for window functions - Version 3.25.0: * Add support for window functions * Add support for renaming columns within a table * Query optimizer improvements * slightly better concurrency in multi-threaded environments * The ORDER BY LIMIT optimization might have caused an infinite loop in the byte code of the prepared statement under very obscure circumstances, due to a confluence of minor defects in the query optimizer - Version 3.24.0: * Add support for PostgreSQL-style UPSERT * Add support for auxiliary columns in r-tree tables * Add C-language APIs for discovering SQL keywords used by SQLite * Add C-language APIs for dynamic strings based on sqlite3_str * Enhance ALTER TABLE so that it recognizes "true" and "false" as valid arguments to DEFAULT * Add the sorter-reference optimization as a compile-time option * Improve the format of the EXPLAIN QUERY PLAN raw output, so that it gives better information about the query plan and about the relationships between the various components of the plan * Added the SQLITE_DBCONFIG_RESET_DATABASE option to the sqlite3_db_config() API. * Automatically intercept the raw EXPLAIN QUERY PLAN output an reformat it into an ASCII-art graph. * Lines that begin with "#" and that are not in the middle of an SQL statement are interpreted as comments * Add the --append option to the ".backup" command * Add the ".dbconfig" command * various performance improvements * various bug fixes ==== tiff ==== - security update * CVE-2019-7663 [bsc#1125113] + tiff-CVE-2019-7663.patch - security update * CVE-2019-6128 [bsc#1121626] + tiff-CVE-2019-6128.patch - extend tiff-CVE-2018-19210.patch and rename it to tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11] * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606] ==== timezone ==== Version update (2018i -> 2019a) - timezone update 2019a: * Palestine "springs forward" on 2019-03-30 instead of 2019-03-23 * Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ==== timezone-java ==== Version update (2018i -> 2019a) - timezone update 2019a: * Palestine "springs forward" on 2019-03-30 instead of 2019-03-23 * Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ==== transactional-update ==== Version update (2.13.1 -> 2.14.1) Subpackages: transactional-update-zypp-config - Update to version 2.14.1 - Improve non-root fs changes checker based on feedback - Disable snapper's zypper plugin during transactional-update run - Allow parallel installation with snapper's zypper plugin (useful on read-write systems). - Update to version 2.14 - Warn user if contents of /var have been changed during update - Noteworthy: swapped position of upperdir and lowerdir in fstab for better readability - Major update to the transactional-update guide - Update to version 2.13.2 - add hooks for telemetrics ==== translation-update ==== Subpackages: translation-update-ar translation-update-bg translation-update-ca translation-update-cs translation-update-da translation-update-de translation-update-el translation-update-en_GB translation-update-en_US translation-update-eo translation-update-es translation-update-et translation-update-fa translation-update-fi translation-update-fr translation-update-hu translation-update-id translation-update-it translation-update-ja translation-update-ko translation-update-lt translation-update-nb translation-update-nl translation-update-pl translation-update-pt translation-update-pt_BR translation-update-ru translation-update-sk translation-update-sl translation-update-sv translation-update-uk translation-update-zh_CN translation-update-zh_TW - Refresh from translation-update-from-translation-update-upstream-20190327.tar.bz2: * Translation updates. * Adds 2 language subpackages. ==== wavpack ==== - Fix denial-of-service (resource exhaustion caused by an infinite loop; bsc#1120930, CVE-2018-19840, CVE-2018-19840.patch). - Fix denial-of-service (out-of-bounds read and application crash; bsc#1120929, CVE-2018-19841, CVE-2018-19841.patch). ==== xfce4-screenshooter ==== Version update (1.9.4 -> 1.9.5) Subpackages: xfce4-screenshooter-lang - Update to version 1.9.5 * Bug fixed: - Panel plugin: allow it to save files (bxo#15187) ==== yast2 ==== Version update (4.1.66 -> 4.1.67) Subpackages: yast2-logs - Firewall: Zone name has been removed from the common attributes declaration as it cannot be modified through the firewalld API. (bsc#1130354) - 4.1.67 ==== yast2-bootloader ==== Version update (4.1.22 -> 4.1.23) - Removed double "smt" entry from *.rnc file (bsc#1128707). - 4.1.23 ==== yast2-firewall ==== Version update (4.1.10 -> 4.1.11) - Autoyast: Export zone name explicitly as it has been removed from the common attributes list (bsc#1130354) - Fixed textdomain names - 4.1.11 ==== yast2-iscsi-client ==== Version update (4.1.6 -> 4.1.7) - further fixes of iscsiadm output parsing (bsc#1129946) - 4.1.7 ==== yast2-packager ==== Version update (4.1.33 -> 4.1.35) - Fix malformed rpm commands (bsc#1129422). - 4.1.35 - Use correct method name mount_path, not nonexistent mountpoint (bsc#1130287) - 4.1.34 ==== yast2-printer ==== Version update (4.1.0 -> 4.1.1) - Security hardening (bsc#1118291) - 4.1.1 ==== yast2-storage-ng ==== Version update (4.1.75 -> 4.1.77) - Improve unit tests: mocking architecture for Bcache is not needed anymore (fix regression tests for bsc#1129787). - 4.1.77 - Fix boot disk detection (bsc#1129787). - 4.1.76 ==== zypper ==== Version update (1.14.26 -> 1.14.27) Subpackages: zypper-aptitude zypper-log zypper-needs-restarting - Add Requires: libaugeas0 >= 1.10.0 (fixes #265) - bash-completion: add package completion for addlock (bsc#1047962) - bash-completion: fix incorrect detection of command names (bsc#1049826) - version 1.14.27 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org