Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20240524

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  ImageMagick
  freerdp2
  libguestfs (1.52.0 -> 1.52.1)
  libqt5-qtlocation (5.15.13+kde6 -> 5.15.13+kde7)
  libqt5-qtwebengine (5.15.16 -> 5.15.17)
  libreoffice
  openSUSE-release (20240523 -> 20240524)
  opencc
  python-requests (2.31.0 -> 2.32.2)
  sane-backends (1.3.0 -> 1.3.1)
  talloc (2.4.1 -> 2.4.2)
  tdb (1.4.9 -> 1.4.10)
  tevent (0.16.0 -> 0.16.1)

=== Details ===

==== ImageMagick ====
Subpackages: libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- reverted update-alternatives usage removal [bsc#1122033][bsc#1220818]

==== freerdp2 ====
Subpackages: libfreerdp2-2 libwinpr2-2

- Multiple CVE fixes
  + Add freerdp-CVE-2024-32659.patch (bsc#1223346, CVE-2024-32659)
    - out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`
  + Add freerdp-CVE-2024-32660.patch (bsc#1223347, CVE-2024-32660)
    - client crash via invalid huge allocation size
  + Add freerdp-CVE-2024-32661.patch (bsc#1223348, CVE-2024-32661)
    - client NULL pointer dereference
  + Add freerdp-CVE-2024-32658.patch (bsc#1223353, CVE-2024-32658)
    - out-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP
      based clients

==== libguestfs ====
Version update (1.52.0 -> 1.52.1)
Subpackages: libguestfs-appliance libguestfs-winsupport libguestfs-xfs libguestfs0

- Update to version 1.52.1 bug fix release (jsc#PED-6305)
  * There are no upstream release notes for version 1.52.x
  * Several python fixes
  * Rework Std_utils.Option so it works like the OCaml stdlib module
  * Update common submodule to latest
- Drop patches contained in new tarball
  Split-chown-parameter-on-character.patch
  Initialise-bar-fp-as-NULL.patch

==== libqt5-qtlocation ====
Version update (5.15.13+kde6 -> 5.15.13+kde7)

- Update to version 5.15.13+kde7:
  * Update mapbox-gl-native (boo#1224376)

==== libqt5-qtwebengine ====
Version update (5.15.16 -> 5.15.17)

- Add compatibility patches for ICU 75:
  * qt5-webengine-icu-75.patch
  * 0001-Use-default-constructor-in-place-of-self-delegation-.patch
- Consequently build with a newer compiler on Leap 15
- Update to version 5.15.17:
  * Add option to choose python version for building 5.15 WebEngine
  * Update Chromium. Backported fixes:
  * [Backport] Security bug 325296797
  * [Backport] CVE-2024-1059: Use after free in WebRTC
  * [Backport] Security bug 1518994
  * Fixup for [Backport] Security bug 1519980
  * [Backport] CVE-2024-1283: Heap buffer overflow in Skia
  * [Backport] CVE-2024-1060: Use after free in Canvas
  * [Backport] CVE-2024-1077: Use after free in Network
  * [Backport] Security bug 1519980
  * [Backport] CVE-2024-0808: Integer underflow in WebUI
  * [Backport] CVE-2024-0807: Use after free in WebAudio
  * Fix ffmpeg assembly with newer binutil
  * [Backport] Security bug 1511689
  * [Backport] CVE-2024-0224: Use after free in WebAudio
  * [Backport] CVE-2023-7024: Heap buffer overflow in WebRTC
  * [Backport] Security bug 1506535
  * [Backport] CVE-2024-0519: Out of bounds memory access in V8
  * [Backport] CVE-2024-0518: Type Confusion in V8
  * [Backport] CVE-2024-0333: Insufficient data validation in Extensions
  * [Backport] CVE-2024-0222: Use after free in ANGLE
  * Fixup: [Backport] Security bug 1488199
  * FIXUP: Fix compilation with system ICU
  * Fixup: [Backport] Security bug 1505632
  * [Backport] Security bug 1505632
  * [Backport] CVE-2023-6702: Type Confusion in V8
  * [Backport] CVE-2023-6345: Integer overflow in Skia
  * Bump V8_PATCH_LEVEL
  * [Backport] Security bug 1488199 (2/2)
  * [Backport] Security bug 1488199 (1/2)
  * [Backport] CVE-2023-6510: Use after free in Media Capture
  * Fix building with system libxml2
  * [Backport] CVE-2023-6347: Use after free in Mojo
  * [Backport] CVE-2023-6112: Use after free in Navigation
  * [Backport] CVE-2023-5997: Use after free in Garbage Collection
- Drop patches, merged upstream:
  * 0001-Fix-building-with-system-libxml2.patch
  * qtwebengine-python3.patch
  * python311-fixes.patch
- Update _service file, catapult snapshots are not needed anymore

==== libreoffice ====
Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit

- bsc#1224309: LibreOffice fails to build with ICU 75.
- Add patch to fix bsc#1224309.
  * icu-74-compatibility.patch
- Add required 'sed' usage during %prep to fix bsc#1224309.
- These two changes have been applied on both Gentoo and Arch Linux,
  but originally they come from upstream.

==== openSUSE-release ====
Version update (20240523 -> 20240524)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== opencc ====
Subpackages: libopencc1_1 opencc-data

- switch to system rapidjson, fix boo#1221875

==== python-requests ====
Version update (2.31.0 -> 2.32.2)

- Update to 2.32.2
  * To provide a more stable migration for custom HTTPAdapters
    impacted by the CVE changes in 2.32.0, we've renamed
    _get_connection to a new public API,
    get_connection_with_tls_context. Existing custom HTTPAdapters
    will need to migrate their code to use this new API.
    get_connection is considered deprecated in all versions of
    Requests>=2.32.0.
- Update to 2.32.1
  * Fixed an issue where setting verify=False on the first request
    from a Session will cause subsequent requests to the same origin
    to also ignore cert verification, regardless of the value of
    verify. (bsc#1224788, CVE-2024-35195)
  * verify=True now reuses a global SSLContext which should improve
    request time variance between first and subsequent requests.
  * Requests now supports optional use of character detection
    (chardet or charset_normalizer) when repackaged or vendored.
    This enables pip and other projects to minimize their vendoring
    surface area.
  * Requests has officially added support for CPython 3.12 and
    dropped support for CPython 3.7.
  * Starting in Requests 2.33.0, Requests will migrate to a PEP 517
    build system using hatchling.

==== sane-backends ====
Version update (1.3.0 -> 1.3.1)
Subpackages: libsane1 sane-backends-autoconfig

- Updated to sane-backends version 1.3.1
  * Re-release of 1.3.0 because upstream unreleased 1.3.0 due to VCS
    issues.
    ( https://gitlab.com/sane-project/backends/-/issues/751 )

==== talloc ====
Version update (2.4.1 -> 2.4.2)
Subpackages: libtalloc2 libtalloc2-32bit libtalloc2-x86-64-v3 python3-talloc python3-talloc-x86-64-v3

- Update to 2.4.2
  * build with Python 3.12 (bso#15513)
  * documentation fixes
  * Update patch talloc-python3.5-fix-soabi_name.patch

==== tdb ====
Version update (1.4.9 -> 1.4.10)
Subpackages: libtdb1 libtdb1-32bit python3-tdb

- Update to 1.4.10
  * build with Python 3.12 (bso#15513)
  * documentation fixes
  * minor build fixes

==== tevent ====
Version update (0.16.0 -> 0.16.1)
Subpackages: libtevent0 libtevent0-32bit python3-tevent

- Update to version 0.16.1
  * build with Python 3.12 (bso#15513)
  * documentation fixes

Dominique Leuenberger