Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20220112 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: MozillaFirefox (95.0.2 -> 96.0) fetchmail gnome-desktop (41.2 -> 41.3) gnome-shell (41.2 -> 41.3) hdparm (9.62 -> 9.63) libpipeline (1.5.3 -> 1.5.5) mtr (0.94 -> 0.95) mutter (41.2 -> 41.3) qpdf rdma-core (38.0 -> 38.1) sssd tcsh (6.23.00 -> 6.23.02) vim (8.2.3995 -> 8.2.4063) wayland (1.19.0 -> 1.20.0) xen === Details === ==== MozillaFirefox ==== Version update (95.0.2 -> 96.0) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 96.0 * https://www.mozilla.org/en-US/firefox/96.0/releasenotes MFSA 2022-01 (bsc#1194547) * CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof * CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode * CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode * CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode * CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner * CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur * CVE-2022-22737 (bmo#1745874) Race condition when playing audio files * CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT * CVE-2022-22750 (bmo#1566608) IPC passing of resource handles could have lead to sandbox bypass * CVE-2022-22749 (bmo#1705094) Lack of URL restrictions when scanning QR codes * CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog * CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event * CVE-2022-22744 (bmo#1737252) The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection * CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence * CVE-2022-22736 (bmo#1742692) Potential local privilege escalation when loading modules from the install directory. * CVE-2022-22739 (bmo#1744158) Missing throttling on external protocol launch dialog * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 * CVE-2022-22752 (bmo#1740534, bmo#1741210, bmo#1742770) Memory safety bugs fixed in Firefox 96 - removed obsolete patches * mozilla-bmo1745560.patch * mozilla-bmo1744896.patch * mozilla-sandbox-fips.patch - requires NSPR >= 4.33 NSS >= 3.73.1 ==== fetchmail ==== Subpackages: fetchmailconf - fix [bsc#1194203]: * Always create fetchmail group, even if the user is already present, as a leftover from Leap 15.2 upgrade. This may happen also if user is messing with groups/users directly or upgrading from even an older fetchmail versions. ==== gnome-desktop ==== Version update (41.2 -> 41.3) Subpackages: gnome-desktop-lang gnome-version libgnome-desktop-3-19 libgnome-desktop-3_0-common typelib-1_0-GnomeDesktop-3_0 - Update to version 41.3: + No changes, version bump only. ==== gnome-shell ==== Version update (41.2 -> 41.3) Subpackages: gnome-extensions gnome-shell-calendar gnome-shell-lang - Update to version 41.3: + Improve window tracking + Simplify scroll fade shader to work with old hardware + Tweak (un)minimize animations + Don't wake up screen in DND mode + Fix immediately withdrawn notifications getting stuck + Honor XDG SingleMainWindow key in .desktop files + Fixed crashes + Misc. bug fixes and cleanups + Updated translations. - Modernize our Supplements in gnome-shell-calendar sub-package. ==== hdparm ==== Version update (9.62 -> 9.63) - Update to 9.63: * new --sanitize-overwrite-passes flag, courtesy Michal Grzedzicki. * "Plurals patch" from Martin Guy. ==== libpipeline ==== Version update (1.5.3 -> 1.5.5) - Update to 1.5.5: * Move release process to GitLab CI. - Back to download from savannah.nongnu.org for a fully bootstrapped tar ball without the need of autoconfig and gl Compare https://gitlab.com/cjwatson/libpipeline/-/releases and https://gitlab.com/cjwatson/libpipeline/-/packages/4425007 - Use autoconf - update to 1.5.4: * Building libpipeline now requires Autoconf >= 2.64. * Developmed moved to Gitlab ==== mtr ==== Version update (0.94 -> 0.95) - update to 0.95: * loads of fixes, see https://raw.githubusercontent.com/traviscross/mtr/v0.95/NEWS - mtr-0.75-manmtr.patch, mtr-0.87-manxmtr.patch: refreshed to apply again ==== mutter ==== Version update (41.2 -> 41.3) Subpackages: mutter-lang - Update to version 41.3: + Check keyboard serials for activation + Fix mixed up refresh rates in multi-monitor setups + Allow disabling HW cursors + Improve damage handling + Consider xrandr flags for advertised modes + Ensure constraints after client resize + window-group: Disable culling when rendinging clone to offscreen buffer + Fix workspace switch animation in default plugin + Fix unfullscreening of window that were mapped fullscreen + Fix DMA-BUF screencasts with unredirected fullscreen windows + Fix orientation changes on devices with 90° + Fixed crashes + Plugged leaks + Misc. bug fixes and cleanups. - Drop patches fixed upstream: + mutter-allow-disable-hardware-cursors.patch + mutter-initialize-saved_rect_fullscreen.patch - Renumber patches yet again. ==== qpdf ==== - add fix-signedness-warning.patch (build for aarch64) ==== rdma-core ==== Version update (38.0 -> 38.1) Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1 rdma-ndd - Update to v38.1 - Major fixes for hns provider ==== sssd ==== Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-32bit sssd-krb5-common sssd-ldap - Remove libsmbclient-devel BuildRequires in favor of pkgconfig(smbclient) ==== tcsh ==== Version update (6.23.00 -> 6.23.02) Subpackages: tcsh-lang - Update to tcsh 6.23.02 9. Make the \U escape up to 8 hex digits. 8. V6.23.01 - 20211209 7. add \cc and \Uhhh, and document escape sequences 6. add $'string with escapes' ("dollar-single-quotes") (Kimmo Suominen) 5. don't glob the filetest builtin arguments twice 4. remove the duplicate echo escape parsing code and use parseescape 3. add \x{hh} \xhh \uhhh (H.Merijn Brand) 2. fix and document ln=target 1. Merge in patches from pkgsrc: - Modernize the installation targets so that they use INSTALL_DATA, INSTALL_PROGRAM, and MKDIR_P. - Enable SYSMALLOC and SHORT_STRINGS on NetBSD. - Enable NO_FIX_MALLOC and SHORT_STRINGS on OpenBSD. - Port patches * tcsh-6.17.06-dspmbyte.dif * tcsh-6.18.03-catalogs.dif * tcsh-6.21.00.dif ==== vim ==== Version update (8.2.3995 -> 8.2.4063) Subpackages: gvim vim-data vim-data-common - Updated to version 8.2.4063, fixes the following problems - fixes boo#1194559 CVE-2022-0156 * Not all sshconfig files are detected as such. * Vim9: type checking for list and dict lacks information about declared type. * Vim9: not enough testing for extend() and map(). * Asan error for adding zero to NULL. * Redundant check for NUL byte. * Coverity warns for checking for NULL pointer after using it. * Insert complete code uses global variables. * First char typed in Select mode can be wrong. * Error messages are spread out. * Old compiler complains about struct init with variable. * Error messages are spread out. * Vim9: crash when declaring variable on the command line. * Session does not restore help buffer properly when "options' is missing from 'sessionoptions'. * Error messages are spread out. * Reading one byte beyond the end of the line. * Error messages are spread out. * Test fails because of changed error number. * Error messages are spread out. * Build failure without the spell feature. * Git and gitcommit file types not properly recognized. * Build failure with tiny features. (Tony Mechelynck) * Vim9: incorrect error for argument that is shadowing var. * Gcc warns for misleading indent in Athena menu code. * ml_get error when win_execute redraws with Visual selection. * Vim9: import mechanism is too complicated. * Debugger test fails. * Missing part of the :import changes. * Two error messages in the wrong file. * Using uninitialized variable. * Confusing error message if imported name is used directly. * Error for import not ending in .vim does not work for .vimrc. * ml_get error with specific win_execute() command. (Sean Dewar) * ml_get error with :doautoall and Visual area. (Sean Dewar) * Debugging NFA regexp my crash, cached indent may be wrong. * A script local funcref is not found from a mapping. * Crash in xterm with only two lines. (Dominique Pellé) * ATTRIBUTE_NORETURN is not needed. * Running filetype tests leaves directory behind. * Coverity warns for possibly using a NULL pointer. * Timer triggered at the debug prompt may cause trouble. * Vim9: script test file is getting too long. * Insert mode completion is insufficiently tested. * Various code not used when features are disabled. * The xdiff library is linked in even when not used. * Keeping track of allocated lines in user functions is too complicated. * Using unitialized pointer. * Vim9: build error. * Using int for second argument of ga_init2(). * Vim9: no error when importing the same script twice. * Some global functions are only used in one file. * Some error messages not in the right place. * Depending on the build features error messages are unused. * gcc complains about use of "%p" in printf. * Vim9: reading before the start of the line with "$" by itself. * Vim9: need to prefix every item in an autoload script. * Compiler complains about possibly uninitialized variable. * Not easy to resize a window from a plugin. * Vim9: autoload mechanism doesn't fully work yet. * Vim9 script test fails. * Vim9: line break in expression causes v:errmsg to be filled. (Yegappan Lakshmanan) * Vim9: memory leak when exporting function in autoload script. * Vim9: not fully implementing the autoload mechanism. * Vim9: import test failure in wrong line. * Vim9: an expression of a map cannot access script-local items. (Maxim Kim) * win_execute() is slow on systems where getcwd() or chdir() is slow. (Rick Howe) * Codecov bash script is deprecated. * Match highlighting of tab too short. * Vim9: exported function in autoload script not found. (Yegappan Lakshmanan) ==== wayland ==== Version update (1.19.0 -> 1.20.0) Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Add wayland-shm-Close-file-descriptors-not-needed.patch: For platforms that support mremap(), we don't need to hold file descriptors all the time, because programs like Xwayland will hold a lot of file descriptors and may crash, this patch close file descriptors earlier for those platforms (bsc#1194190). - obsolete/provide libwayland-egl-devel 18.0.2 also on sle15-sp4 - Update to release 1.20 * A few protocol additions: wl_surface.offset allows clients to update a surface's buffer offset independently from the buffer, wl_output.name and description allow clients to identify outputs without depending on xdg-output-unstable-v1. * In protocol definitions, events have a new "type" attribute and can now be marked as destructors. * A number of bug fixes, including a race condition when destroying proxies in multi-threaded clients. ==== xen ==== Subpackages: xen-libs xen-tools xen-tools-domU - bsc#1193307 - pci backend does not exist when attach a vf to a pv guest libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch Drop libxl-PCI-defer-backend-wait.patch