New Tumbleweed snapshot 20230427 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20230427

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (112.0.1 -> 112.0.2)
  git (2.40.0 -> 2.40.1)
  gtk3 (3.24.37 -> 3.24.37+68)
  java-11-openjdk (11.0.18.0 -> 11.0.19.0)
  libalternatives (1.2+3.b848aad -> 1.2+30.a5431e9)
  libsrtp2
  libyui (4.5.1 -> 4.5.2)
  libyui-ncurses (4.5.1 -> 4.5.2)
  libyui-ncurses-pkg (4.5.1 -> 4.5.2)
  libyui-qt (4.5.1 -> 4.5.2)
  libyui-qt-graph (4.5.1 -> 4.5.2)
  libyui-qt-pkg (4.5.1 -> 4.5.2)
  mozjs102
  openvpn (2.5.9 -> 2.6.3)
  setools (4.4.1 -> 4.4.2)
  suitesparse
  tracker (3.5.0 -> 3.5.1)
  tracker-miners (3.5.0 -> 3.5.1)
  vim (9.0.1443 -> 9.0.1488)
  virt-manager
  wxWidgets-3_2-nostl (3.2.1 -> 3.2.2.1)
  xf86-video-ati (19.1.0 -> 22.0.0)
  xset

=== Details ===

==== MozillaFirefox ====
Version update (112.0.1 -> 112.0.2)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 112.0.2
  * Fix a high memory usage issue with animated images in minimized
    (or completely covered) windows, especially when using animated
    themes (bmo#1828587)
  * Fix an issue where Linux users with bitmap fonts installed may
    have had entire sections of text invisible to them on some sites
    (bmo#1827950)
- Include Leap 15.5 in check for which python version is required.

==== git ====
Version update (2.40.0 -> 2.40.1)
Subpackages: git-core git-email git-gui git-svn git-web gitk perl-Git

- git 2.40.1:
  * CVE-2023-25652: By feeding specially crafted input to git apply
    --reject, a path outside the working tree can be overwritten with
    partially controlled contents (corresponding to the rejected
    hunk(s) from the given patch).
  * CVE-2023-25815: When Git is compiled with runtime prefix support
    and runs without translated messages, it still used the gettext
    machinery to display messages, which subsequently potentially
    looked for translated messages in unexpected places. This allowed
    for malicious placement of crafted messages.
  * CVE-2023-29007: When renaming or deleting a section from a
    configuration file, certain malicious configuration values may be
    misinterpreted as the beginning of a new configuration section,
    leading to arbitrary configuration injection.

==== gtk3 ====
Version update (3.24.37 -> 3.24.37+68)
Subpackages: gtk3-data gtk3-immodule-amharic gtk3-immodule-inuktitut gtk3-immodule-thai gtk3-immodule-tigrigna gtk3-immodule-vietnamese gtk3-immodule-xim gtk3-lang gtk3-schema gtk3-tools libgtk-3-0 typelib-1_0-Gtk-3_0

- Update to version 3.24.37+68:
  + application: Clean up signal handlers
  + OLE2 DND: Check if move is supported
  + Address issue 5711 by checking that the context is not NULL
  + wayland:
    - Don't crash without xdg_activation_v1
    - Don't crash on cursor size 0
  + gdkscreen-wayland: Notify initial setting change from
    org.gtk.Settings
  + gdk: Swap Cairo calls when reading back from a GdkWindow
  + Updated translations.
- Deprecate %gtk_immodule_(requires|post|postun) macros defined in
  the macros.gtk3 file. Since we are using RPM file triggers to
  provide their functionality, without nullifying them the commands
  will run twice, once by the file triggers and another time by the
  macros.

==== java-11-openjdk ====
Version update (11.0.18.0 -> 11.0.19.0)
Subpackages: java-11-openjdk-headless

- Upgrade to upstream tag jdk-11.0.19+7 (April 2023 CPU)
  * Security fixes:
    + JDK-8287404: Improve ping times
    + JDK-8288436: Improve Xalan supports
    + JDK-8294474, CVE-2023-21930, bsc#1210628: Better AES support
    + JDK-8295304, CVE-2023-21938, bsc#1210632: Runtime support
      improvements
    + JDK-8296676, CVE-2023-21937, bsc#1210631: Improve String
      platform support
    + JDK-8296684, CVE-2023-21937, bsc#1210631: Improve String
      platform support
    + JDK-8296692, CVE-2023-21937, bsc#1210631: Improve String
      platform support
    + JDK-8296832, CVE-2023-21939, bsc#1210634: Improve Swing
      platform support
    + JDK-8297371: Improve UTF8 representation redux
    + JDK-8298191, CVE-2023-21954, bsc#1210635: Enhance object
      reclamation process
    + JDK-8298310, CVE-2023-21967, bsc#1210636: Enhance TLS session
      negotiation
    + JDK-8298667, CVE-2023-21968, bsc#1210637: Improved path
      handling
    + JDK-8299129: Enhance NameService lookups
  * Fixes:
    + JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
    + JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/
      /Receiver/bug6186488.java fails
    + JDK-8035787: SourcePositions are wrong for Strings
      concatenated with '+' operator
    + JDK-8065097: [macosx] javax/swing/Popup/
      /TaskbarPositionTest.java fails because Popup is one pixel off
    + JDK-8065422: Trailing dot in hostname causes TLS handshake to
      fail with SNI disabled
    + JDK-8129315: java/net/Socket/LingerTest.java and
      java/net/Socket/ShutdownBoth.java timeout intermittently
    + JDK-8144030: [macosx] test java/awt/Frame/
      /ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again)
    + JDK-8170705: sun/net/www/protocol/http/StackTraceTest.java
      fails intermittently with Invalid Http response
    + JDK-8171405: java/net/URLConnection/ResendPostBody.java failed
      with "Error while cleaning up threads after test"
    + JDK-8179317: [TESTBUG] rewrite runtime shell tests in java
    + JDK-8247741: Test test/hotspot/jtreg/runtime/7162488/
      /TestUnrecognizedVmOption.java fails when
      -XX:+IgnoreUnrecognizedVMOptions is set
    + JDK-8190492: Remove SSLv2Hello and SSLv3 from default enabled
      TLS protocols
    + JDK-8192931: Regression test java/awt/font/TextLayout/
      /CombiningPerf.java fails
    + JDK-8195057: java/util/concurrent/CountDownLatch/Basic.java
      failed w/ Xcomp
    + JDK-8195716: BootstrapLoggerTest : Executor still alive
    + JDK-8202621: bad test with broken links needs to be updated
    + JDK-8207248: Reduce incidence of
      compiler.warn.source.no.bootclasspath in javac tests
    + JDK-8208077: File.listRoots performance degradation
    + JDK-8209023: fix 2 compiler tests to avoid JDK-8208690
    + JDK-8209115: adjust libsplashscreen linux ppc64le builds for
      easier libpng update
    + JDK-8209774: Refactor shell test
      javax/xml/jaxp/common/8035437/run.sh to java
    + JDK-8209935: Test to cover CodeSource.getCodeSigners()
    + JDK-8210373: Deadlock in libj2gss.so when loading "j2gss" and
      "net" libraries in parallel.
    + JDK-8212165: JGSS: Fix cut/paste error in NativeUtil.c
    + JDK-8212216: JGSS: Fix leak in exception cases in getJavaOID()
    + JDK-8213130: Update ProblemList after verification of jtreg
      tests in Win 7
    + JDK-8213265: fix missing newlines at end of files
    + JDK-8213932: [TESTBUG] assertEquals is invoked with the
      arguments in the wrong order
    + JDK-8214445: [test] java/net/URL/HandlerLoop has illegal
      reflective access
    + JDK-8215372: test/jdk/java/nio/file/DirectoryStream/Basic.java
      not correct when using a glob
    + JDK-8215759: [test] java/math/BigInteger/ModPow.java can throw
      an ArithmeticException
    + JDK-8217353: java/util/logging/LogManager/Configuration/
      /updateConfiguration/HandlersOnComplexResetUpdate.java fails
      with Unexpected reference: java.lang.ref.WeakReference
    + JDK-8217730: Split up MakeBase.gmk
    + JDK-8218133: sun/net/www/protocol/http/ProtocolRedirect.java
      failed with "java.net.ConnectException"
    + JDK-8218431: Improved platform checking in makefiles
    + JDK-8221098: Run java/net/URL/HandlerLoop.java in othervm mode
    + JDK-8221168: java/util/concurrent/CountDownLatch/Basic.java
      fails
    + JDK-8221351: Crash in
      KlassFactory::check_shared_class_file_load_hook
    + JDK-8221621: FindTests.gmk cannot handle "=" in TEST.groups
      comments
    + JDK-8222430: Add tests for ElementKind predicates
    + JDK-8223463: Replace wildcard address with loopback or local
      host in tests - part 2
    + JDK-8223716: sun/net/www/http/HttpClient/MultiThreadTest.java
      should be more resilient to unexpected traffic
    + JDK-8223736: jvmti/scenarios/contention/TC04/tc04t001/
      /TestDescription.java fails due to wrong number of
      MonitorContendedEntered events
  ... changelog too long, skipping 298 lines ...
    + adapt to changed context

==== libalternatives ====
Version update (1.2+3.b848aad -> 1.2+30.a5431e9)
Subpackages: alts libalternatives1

- Update to version v1.2+30.a5431e9: (bsc#1191692)
  * Change license to less restrictive Apache 2.0
  * doc: fixing a few typos
  * Adds option to display target executable only
  * Makefiles and cmake: rework for reproducible build
  * Improve Makefile
  * libalts_exec_default: fix memory leak on error condition
  * libalts_write_binary_configured_priority_to_file: fix memory leak
  * saveConfigData(): fix file descriptor leak in while loop error
    case
  * loadConfigData(): use goto exit label to prevent file descriptor
    leaks
  * libalts_load_available_binaries: use goto err: label to fix leaks
  * loadAlternativeForBinary: goto-assisted error handling to avoid
    leaks
  * checkGroupConsistencies(): explicitly ignore unused `flags`
  * lib: refactor error handling of findAltConfig()
  * utils: fix possible memory leaks on error conditions
  * docs: fix some typos and grammar
  * Update README.md
  * lib: generally open[at] with O_CLOEXEC
  * Fix logic in options parser
  * Add basic Makefile for building without cmake
  * Added description for options=KeepArgv0
  * cmake: Express the dependency on CUnit correctly for building
    tests
  * cmake: Build and install CMake and PkgConfig files
  * cmake: Fix setup of shared linker flags
  * config.h: Fix the version to match the current latest tag

==== libsrtp2 ====

- Enable running the regression tests:
  * Add libsrtp2-test-verbose.patch from the debian folks:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460534

==== libyui ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-ncurses ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-ncurses-pkg ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-qt ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-qt-graph ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-qt-pkg ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== mozjs102 ====

- Add missing copyright in the spec to claim:
  + Frantisek Zatloukal's work from:
    https://src.fedoraproject.org/rpms/mozjs102/blob/rawhide/f/mozjs102.spec
  + Wolfgang Rosenauer's work from:
    https://build.opensuse.org/package/view_file/openSUSE:Leap:42.3/mozjs38/mozj...

==== openvpn ====
Version update (2.5.9 -> 2.6.3)

- update to 2.6.3:
  * For full changelog please refer to:
    https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
  * implement byte counter statistics for DCO Linux (p2mp server and
    client)
  * implement byte counter statistics for DCO Windows (client only)
  * '--dns server <n> address ...' now permits up to 8 v4 or v6
    addresses
  * fix a few cases of possibly undefined behaviour detected by ASAN
  * add more unit tests for Windows cryptoapi interface
  * Dynamic TLS Crypt
    When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically
    create a tls-crypt key that is used for renegotiation. This
    ensures that only the previously authenticated peer can trigger
    renegotiation and complete renegotiations.
  * Keying Material Exporters (RFC 5705) based key generation
  * As part of the cipher negotiation OpenVPN will automatically
    prefer the RFC5705 based key material generation to the current
    custom OpenVPN PRF. This feature requires OpenSSL or mbed TLS
    2.18+.
  * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
    has been made to check or implement all the requirements/
    recommendation of FIPS 140-2. This just allows OpenVPN to be run
    on a system that is configured with OpenSSL in FIPS mode.
  * mlock will now check if enough memlock-able memory has been
    reserved, and if less than 100MB RAM are available, use
    setrlimit() to upgrade the limit. See Trac #1390. Not available
    on OpenSolaris.
  * The --peer-fingerprint option has been introduced to give users
    an easy to use alternative to the tls-verify for matching the
    fingerprint of the peer. The option takes a number of allowed
    SHA256 certificate fingerprints.
  * When --peer-fingerprint is used, the --ca and --capath option
    become optional. This allows for small OpenVPN setups without
    setting up a PKI with Easy-RSA or similar software.
  * The --auth-user-pass-verify script supports now deferred
    authentication.
  * Both auth plugin and script can now signal pending authentication
    to the client when using deferred authentication. The new
    client-crresponse script option and
    OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can be used to
    parse a client response to a CR_TEXT two factor challenge.
  * The modernisation of defaults can impact the compatibility of
    OpenVPN 2.6.0 with older peers. The option --compat-mode allows
    UIs to provide users with an easy way to still connect to older
    servers.
  * OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not
    user visible but improve general compatibility with OpenSSL 3.0.
    --tls-cert-profile insecure has been added to allow selecting the
    lowest OpenSSL security level (not recommended, use only if you
    must). OpenSSL 3.0 no longer supports the Blowfish (and other
    deprecated) algorithm by default and the new option --providers
    allows loading the legacy provider to re-enable these algorithms.
  * Ciphers in --data-ciphers can now be prefixed with a ? to mark
    those as optional and only use them if the SSL library supports
    them.
  * The --mssfix and --fragment options now allow an optional mtu
    parameter to specify that different overhead for IPv4/IPv6 should
    be taken into account and the resulting size is specified as the
    total size of the VPN packets including IP and UDP headers.
  * Instead of allocating a connection for each client on the initial
    packet OpenVPN server will now use an HMAC based cookie as its
    session id. This way the server can verify it on completing the
    handshake without keeping state. This eliminates the
    amplification and resource exhaustion attacks. For tls-crypt-v2
    clients, this requires OpenVPN 2.6 clients or later because the
    client needs to resend its client key on completing the
    handshake. The tls-crypt-v2 option allows controlling if older
    clients are accepted.
- Removed openvpn-fips140-2.3.2.patch

==== setools ====
Version update (4.4.1 -> 4.4.2)

- Update to version 4.4.2:
  * Make NetworkX optional. sedta and seinfoflow tools, along with
    the equivalent analyses in apol require NetworkX.
  * Remove neverallow options in sesearch and apol. These are not
    usable since they are removed in the final binary policy.
- Drop make_networkx_optional.patch, now merged upstream

==== suitesparse ====
Subpackages: libamd2 libcamd2 libccolamd2 libcholmod3 libcolamd2 libsuitesparseconfig5 libumfpack5

- Adjust licenses in SPEC files (bsc#1210879)

==== tracker ====
Version update (3.5.0 -> 3.5.1)
Subpackages: libtracker-sparql-3_0-0 tracker-data-files tracker-lang typelib-1_0-Tracker-3_0

- Update to version 3.5.1:
  + Reintroduce order/distance independent handling of FTS terms.
  + Documentation improvements.
  + Do not prune too early content of failed batches for error
    processing purposes.

==== tracker-miners ====
Version update (3.5.0 -> 3.5.1)
Subpackages: tracker-miner-files tracker-miners-lang

- Update to version 3.5.1:
  + The tracker-extract-3 service moved all SPARQL queries and
    updates to a GResource. Consistently uses
    TrackerSparqlStatement/TrackerResource for updates.
  + Fixes in uniquely identifying files in BTRFS subvolumes.
  + Ensure deletion of files lingering in content graphs.
  + Ensure correct nie:dataSource after moving files between indexed
    folders.
  + Optimize mass removal of deleted files found during
    initialization.
  + Documentation improvements for the miner services.
  + Do not let systemd spuriously start the tracker-extract-3
    service.
  + Test suite fixes.

==== vim ====
Version update (9.0.1443 -> 9.0.1488)
Subpackages: vim-data vim-data-common xxd

- Updated to version 9.0.1488, fixes the following problems
  * Ending Insert mode when accessing a hidden prompt buffer.
  * Crash when passing NULL to setcmdline(). (Andreas Louv)
  * openSUSE: configure doesn't find the Motif library. (Tony
    Mechelynck)
  * Unnecessary checks for the "skip" flag when skipping.
  * Condition is always true.
  * Diff test fails on MacOS 13.
  * Test for prompt buffer is flaky.
  * Unnecessary redrawing when 'showcmdloc' is not "last".
  * Code using EVAL_CONSTANT is dead, it is never set.
  * Typos in source code and tests.
  * Code indenting is confused by macros.
  * C++ 20 modules are not recognized.
  * Shortmess test depends on order of test execution.
  * No regression test for what patch 9.0.1333 fixes.
  * Buffer overflow when expanding long file name.
  * Typo in name of type.
  * Insufficient testing for getcmdcompltype().
  * Ruler not drawn correctly when using 'rulerformat'.
  * Recursively calling :defer function if it does :qa.
  * Virtual text truncation only works with Unicode 'encoding'.
  * Strace filetype detection is expensive.
  * Haiku build fails.
  * Cannot use an object member name as a method argument.
  * Jenkinsfiles are not recognized as groovy.
  * Recursively calling :defer function if it does :qa in a compiled
    function.
  * Deferred functions not called from autocommands.
  * Deferred functions invoked in unexpected order when using :qa and
    autocommands.
  * Warnings for function declarations.
  * ":drop fname" may change the last used tab page.
  * Busted configuration files are not recognized.
  * Lines put in non-current window are not displayed. (Marius
    Gedminas)
  * Crash when recovering from corrupted swap file.
  * Filetypes for *.v files not detected properly.
  * Small source file problems; outdated list of distributed files.
  * Using popup menu may leave text in the command line.
  * Decrypting with libsodium may fail if the library changes.
  * Crash when textprop has a very large "padding" value. (Yegappan
    Lakshmanan)
  * += operator does not work on class member.
  * Coverity warns for using invalid array index.
  * no functions for converting from/to UTF-16 index.
  * Parallel make might not work.
  * Content-type header for LSP channel not according to spec.
  * xchacha20v2 crypt header is platform dependent.

==== virt-manager ====
Subpackages: virt-install virt-manager-common

- bsc#1201748 - virt-install --graphics vnc fails with not support
  for video model 'virtio'
  virtinst-enable-video-virtio-for-arm.patch
- Drop virtman-check-for-valid-display.patch. This patch is no longer
  required.

==== wxWidgets-3_2-nostl ====
Version update (3.2.1 -> 3.2.2.1)
Subpackages: libwx_baseu-suse-nostl8_0_0 libwx_baseu_net-suse-nostl8_0_0 libwx_baseu_xml-suse-nostl8_0_0 libwx_gtk3u_core-suse-nostl8_0_0 libwx_gtk3u_html-suse-nostl8_0_0 libwx_gtk3u_qa-suse-nostl8_0_0

- Update to version 3.2.2.1:
  * Corrects a regression in 3.2.2 which resulted in not drawing any
    icons for the non-root item of wxGenericTreeCtrl in this release
    (gh#wxWidgets/wxWidgets#23255).
- Changes of version 3.2.2:
  * Fix regression in saving TIFF images that could end up truncated
  * Fix long standing bug in parsing wxHTTP responses.
  * Fix memory leak when destroying wxThread
  * Allow 'T' separator in wxDateTime::ParseDateTime()
  * Add Serbian translations.
  * Fix MT-safety problem in wxZipInputStream
  * Add wxUILocale::GetSystemLocaleId() replacing GetSystemLocale()
  * Fail when setting unsupported "mixed" locale under Unix
  * Improve wxWebView::RunScriptAsync() performance
  * Fix data race when processing events generated in a worker
    thread.
  * Fix wxGeneric{List,Tree}Ctrl high DPI icons
  * Add macros for event tables for missing wxWebView events
  * Improve month selection in wxGenericCalendarCtrl
  * Fix maximum length of wxPropertyGrid editors
  * Add support for Caps/Num/Scroll Lock to wxGetKeyState()
  * Fix wxToolBar::GetToolBitmapSize() in high DPI under non-MSW
  * Fix resizing wxGLCanvas with EGL and Wayland
  * Fix display artefacts when using AUI without compositor under X11
  * Allow selecting and copying text in wxMessageDialog
  * Fix initial size of top-level window on Wayland
  * Improve size and behaviour of in-place editor in wxTreeCtrl
  * wxQt: Fix creating wxFont using fractional point size

==== xf86-video-ati ====
Version update (19.1.0 -> 22.0.0)

- Update to release 22.0.0
  * Fix link failure with gcc 10
  * Fix spelling/wording issues
  * gitlab CI: enable commit & merge request checks
  * gitlab CI: enable gitlab's builtin static analysis
  * radeon_glamor_wrappers.c: Convert from ISO-8859-1 to UTF-8
  * Don't crash X server if GPU acceleration is not available
  * ati: cleanup terminology to use primary/secondary
  * Don't set SourceValidate pointer to NULL
  * Handle NULL fb_ptr in pixmap_get_fb
  * Guard local variable priv only used with glamor
  * Guard local variable info only used with glamor
  * Add GitLab CI pipeline
  * Only include dri.h with older versions of xserver
  * Fix return value check of drmIoctl()
- supersedes the following patches
  * U_ati-cleanup-terminology-to-use-primary-secondary.patch
  * u_fno-common.patch
  * u_kscreen-rotation-fix.patch

==== xset ====

- Disable building with libXfontcache. xorg-server 1.6 removed the
  corresponding feature, and it seems unlikely and unusual for anyone
  to e.g. ssh from an old Xorg system to a contemporary SUSE to
  attempt to run the (undocumented) `xset fc` command.

This broke my vpn connections. Can't seem to find logs with journalctl, do I have to look somewhere else?

On Saturday, 29 April 2023, 10:01:52 CEST, Koen De Jaeger wrote:
> This broke my vpn connections. Can't seem to find logs with journalctl, do I have to look somewhere else?

Well, there is an update of openvpn in the snapshot. You can start openvpn from the command line and it prints messages. What's the error after

  openvpn --config yourconfig.ovpn

?

Regards,
Alexander

Something about data-ciphers:

  DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

But my issue is probably that the KDE network manager still just uses 'cipher' instead of 'data-ciphers'. Is there any log where I can verify that?

I tried adding 'data-ciphers=AES-256-CBC' to my vpn connections at '/etc/NetworkManager/system-connections/', but that didn't help.

On Saturday, 29 April 2023, 16:16:53 CEST, Koen De Jaeger wrote:
> Something about data-ciphers: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
> But my issue is probably that the KDE network manager still just uses 'cipher' instead of 'data-ciphers'. Is there any log where I can verify that?

OK, I installed all updates and my usual VPN still works. So openvpn is not completely broken. What you posted here clearly is a warning and not the cause for an error. I guess you need to adapt your config and this seems an issue for a support forum, but not for this list.

Regards,
Alexander
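
Added example, not part of the thread and not OpenVPN's own code: it applies the condition named in the quoted warning (--cipher missing from --data-ciphers, no --data-ciphers-fallback) to a config in OpenVPN's file syntax, and also flags Blowfish use without `providers legacy`, as the changelog above describes for OpenSSL 3.0. The default cipher list is the one shown in the quoted warning; the function names and sample configs are constructed, and NetworkManager keyfiles are not parsed.

```python
# Assumption: default list copied from the warning quoted in the thread.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]
# Constructed sample configs; host name and inline block are placeholders.
SAMPLE_OLD = """\
client
remote vpn.example.net 1194
cipher AES-256-CBC
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
SAMPLE_FIXED = """\
client
remote vpn.example.net 1194
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:?AES-256-CBC
"""


def parse_ovpn(text):
    """Return {option: [args]} from OpenVPN config text; last occurrence wins."""
    opts, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:  # skip the body of an inline <ca>...</ca> style block
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args
    return opts


def first_arg(opts, name):
    args = opts.get(name) or [None]
    return args[0].upper() if args[0] else None


def audit(text):
    """Return a list of findings; an empty list means nothing to change."""
    opts = parse_ovpn(text)
    legacy = first_arg(opts, "cipher")
    fallback = first_arg(opts, "data-ciphers-fallback")
    value = first_arg(opts, "data-ciphers")
    # A leading '?' marks a cipher as optional; it is still negotiable.
    ciphers = ([c.lstrip("?") for c in value.split(":") if c]
               if value else list(DEFAULT_DATA_CIPHERS))
    findings = []
    if legacy and legacy not in ciphers and not fallback:
        findings.append({"id": "cipher-not-in-data-ciphers", "cipher": legacy,
                         "fix": ["data-ciphers " + ":".join(ciphers + [legacy]),
                                 "data-ciphers-fallback " + legacy]})
    providers = [p.lower() for p in opts.get("providers", [])]
    in_use = set(ciphers) | {c for c in (legacy, fallback) if c}
    for name in sorted(c for c in in_use if c.startswith("BF-")):
        if "legacy" not in providers:
            findings.append({"id": "needs-legacy-provider", "cipher": name,
                             "fix": ["providers legacy default"]})
    return findings


if __name__ == "__main__":
    for label, cfg in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(label, audit(cfg))
```

Each finding lists the alternative config lines that clear it; either `fix` entry for `cipher-not-in-data-ciphers` corresponds to one of the two remedies the warning text offers.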

Participants (3): AW, Dominique Leuenberger, Koen De Jaeger