Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20230812 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: GraphicsMagick MozillaFirefox (115.0.3 -> 116.0.2) NetworkManager (1.42.8 -> 1.44.0) amavisd-new bluez (5.66 -> 5.68) catfish (4.16.4 -> 4.18.0) dcraw dracut (059+suse.488.g81715832 -> 059+suse.491.g87f19c22) glibc (2.37 -> 2.38) gspell (1.12.1 -> 1.12.2) java-11-openjdk libcloudproviders (0.3.1 -> 0.3.2) libgweather4 (4.2.0 -> 4.3.2) liborcus opensuse-welcome (0.1.9+git.0.66be0d8 -> 0.1.9+git.35.4b9444a) perl-Image-ExifTool (12.64 -> 12.65) signon (8.60 -> 8.61) systemd (253.7 -> 253.8) === Details === ==== GraphicsMagick ==== Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config - add strlcpy-wrong-sizing.patch: fix incorrect usages of strlcpy and strlcat detected by glibc 2.38's fortify ==== MozillaFirefox ==== Version update (115.0.3 -> 116.0.2) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 116.0.2 * fixes for other platforms - Fix OOM when linking on 32-bit - Mozilla Firefox 116.0.1 * fixes for other platforms - ship vaapitest binary for supported archs - re-enable ppc64le - ship v4l2test binary for supported archs - drop obsolete mozilla-bmo1775202.patch - Mozilla Firefox 116.0 * https://www.mozilla.org/en-US/firefox/116.0/releasenotes/ MFSA 2023-29 (bsc#1213746) * CVE-2023-4045 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions * CVE-2023-4046 (bmo#1837686) Incorrect value used during WASM compilation * CVE-2023-4047 (bmo#1839073) Potential permissions request bypass via clickjacking * CVE-2023-4048 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions * CVE-2023-4049 (bmo#1842658) Fix potential race conditions when releasing platform objects * CVE-2023-4050 (bmo#1843038) Stack buffer overflow in StorageManager * CVE-2023-4051 (bmo#1821884) Full screen notification obscured by file open dialog * CVE-2023-4052 (bmo#1824420) File deletion and privilege escalation through Firefox uninstaller * CVE-2023-4053 (bmo#1839079) Full screen notification obscured by external program * CVE-2023-4054 (bmo#1840777) Lack of warning when opening appref-ms files * CVE-2023-4055 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 * CVE-2023-4057 (bmo#1841682) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1 * CVE-2023-4058 (bmo#1819160, bmo#1828024) Memory safety bugs fixed in Firefox 116 - require NSS 3.91 - remove obsolete mozilla-fix-top-level-asm.patch - re-enable LTO ==== NetworkManager ==== Version update (1.42.8 -> 1.44.0) Subpackages: NetworkManager-bluetooth NetworkManager-lang NetworkManager-pppoe NetworkManager-tui NetworkManager-wwan libnm0 typelib-1_0-NM-1_0 - Update to version 1.44.0: + Introduce a new "link" setting that holds properties related to the kernel link such as "tx-queue-length", "gso-max-size", "gso-max-segments", "gro-max-size". + Support sending a DHCPv6 prefix delegation hint via the "ipv6.dhcp-pd-hint" connection property. + Support new bond options: "arp_missed_max", "lacp_active", "ns_ip6_target". + Add new "initial-eps-bearer-configure" and "initial-eps-bearer-apn" properties in the GSM setting. + Setting "connection.stable-id=default${CONNECTION}" changed behavior to be identical to the built-in default value when the stable-id is not set. + Add a "[keyfile].rename" option to NetworkManager.conf to force renaming profiles on disk when their name changes. + The ifcfg-rh plugin is deprecated; it will only receive bugfixes and no new features. A warning is emitted the log when a connection in ifcfg-rh format is found. + To automatically migrate existing ifcfg-rh connections to the keyfile format, a new configuration option "main.migrate-ifcfg-rh" is provided. Migration is disabled by default, but the default value can be changed at build time via "--with-config-migrate-ifcfg-rh-default=yes". + When configuring hostnames in non-public TLD (like "example.local"), use the TLD as default search domain instead of the full hostname. + Always apply DNS options from the [global-dns] configuration section + The NetworkManager daemon now acquires the D-Bus name only after populating the D-Bus tree. This can add a delay during startup but it is required to avoid race conditions with other services depending on NM. + Add a "version-id" argument to the Update2() D-Bus call to guard against concurrent modifications of profiles. + Don't use tentative IPv6 addresses to resolve the system hostname via DNS. + Track the number of autoconnect retries left for each device and connection. Previously it was tracked only per connection and this lead to unexpected behaviors in case of multiconnect profiles. + Set VLAN filtering options on bridge via netlink instead of sysfs. + nm-cloud-setup now supports IMDSv2 on Amazon EC2. + nmtui now allows to enable or disable Wi-Fi and WWAN radios. + Honor ignore-carrier=no for bond/bridge/team devices. + Add version mismatch warning when running nmcli commands. - Rebase patches with quilt. ==== amavisd-new ==== Subpackages: amavisd-new-docs - Package failed to rebuild on Perl version changes due to missing %{perl_requires} ==== bluez ==== Version update (5.66 -> 5.68) Subpackages: bluez-auto-enable-devices bluez-cups bluez-zsh-completion libbluetooth3 - 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch be removed by Timo Jyrinki when updating to 5.68. I saw some reasons: - Upstream didn't take this patch: https://www.spinics.net/lists/linux-bluetooth/msg40136.html - Fedora also marked this patch in bluez.spec since bluez-5.68-2.fc39 https://src.fedoraproject.org/rpms/bluez/blob/2b133d795f4f823c8b22ef5a075697... We didn't put any bug number of this patch when it be introduced to bluez.spec since Nov 23, 2021. So, let's remove this patch unless upstream or Fedora add it back. - update to 5.68 * Fix issue with A2DP and handling of Transport.Acquire. * Fix issue with BAP and initiating QoS and Enable procedures. * Fix issue with BAP and detaching streams when PAC is removed. * Fix issue with BAP and reading all instances of PAC. * Fix issue with BAP and not being able to reconfigure. * Fix issue with BAP and transport configuration changes. * Fix issue with BAP and handling unexpected disconnect. * Fix issue with GATT and not removing pending services. * Fix issue with GATT and client ready handling. * Fix issue with handling fallback to transient hostname. * Add support for SecureConnections configuration option. * Add support for Mesh Remove Provisioning. * Add support for Mesh Private Beacons. - Remove patches that are not needed with the new upstream. ==== catfish ==== Version update (4.16.4 -> 4.18.0) Subpackages: catfish-lang - Update to version 4.18.0 * Filters: Add Archives, Other, update Apps * Use Gio to open files, fix "no default app" issue * Add symlink emblem to thumbnails in thumbnail mode * config: Prefer plocate over mlocate if available * window: Avoid IndexError on right click when selection is empty * Create shared filetype lists for searching and filtering * Ensure site-packages directory is prepended to sys.path * Fix double border between sidebar and results area * window: Fix and refactor new_column() * window: Fix markup warnings in thumbnail view * Fix GtkBuilder warnings * Revert "Suppress the various GTK warnings GtkBuilder outputs" * Fix crash and translations when install prefix != /usr * Update `.gitignore` * Remove generated file po/catfish.pot * Performance improvements (fix #79) * Translation Updates - Refresh 0001-Force-disable-Zeitgeist-support.patch - Remove _service file ==== dcraw ==== Subpackages: dcraw-lang - add dcraw-glibc-2.38.patch to fix prototype clash on memmem with glibc 2.38+ ==== dracut ==== Version update (059+suse.488.g81715832 -> 059+suse.491.g87f19c22) - Update to version 059+suse.491.g87f19c22: * fix(dracut-install): protect against broken links pointing to themselves * fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081) ==== glibc ==== Version update (2.37 -> 2.38) Subpackages: glibc-32bit glibc-devel glibc-extra glibc-lang glibc-locale glibc-locale-base nscd - Update to glibc 2.38 * When C2X features are enabled and the base argument is 0 or 2, the following functions support binary integers prefixed by 0b or 0B as input * PRIb*, PRIB* and SCNb* macros from C2X have been added to <inttypes.h>. * printf-family functions now support the wN format length modifiers for arguments of type intN_t, int_leastN_t, uintN_t or uint_leastN_t and the wfN format length modifiers for arguments of type int_fastN_t or uint_fastN_t, as specified in draft ISO C2X * A new tunable, glibc.pthread.stack_hugetlb, can be used to disable Transparent Huge Pages (THP) in stack allocation at pthread_create * Vector math library libmvec support has been added to AArch64 * The strlcpy and strlcat functions have been added * CVE-2023-25139: When the printf family of functions is called with a format specifier that uses an <apostrophe> (enable grouping) and a minimum width specifier, the resulting output could be larger than reasonably expected by a caller that computed a tight bound on the buffer size - Enable build with _FORTIFY_SOURCE - glibc-2.3.90-langpackdir.diff: avoid reference to __strcpy_chk - iconv-error-verbosity.patch: iconv: restore verbosity with unrecognized encoding names (BZ #30694) - printf-grouping.patch, strftime-time64.patch, getlogin-no-loginuid.patch, fix-locking-in-_IO_cleanup.patch, gshadow-erange-rhandling.patch, system-sigchld-block.patch, gmon-buffer-alloc.patch, check-pf-cancel-handler.patch, powerpc64-fcntl-lock.patch, realloc-limit-chunk-reuse.patch, dl-find-object-return.patch; Removed ==== gspell ==== Version update (1.12.1 -> 1.12.2) Subpackages: gspell-lang libgspell-1-2 typelib-1_0-Gspell-1 - Update to version 1.12.2: + Small code maintenance: don't use g_slice_*(). ==== java-11-openjdk ==== Subpackages: java-11-openjdk-headless - Added patch: * reproducible-javadoc-timestamp.patch + use SOURCE_DATE_EPOCH in javadoc and make the javadoc generation more reproducible ==== libcloudproviders ==== Version update (0.3.1 -> 0.3.2) - Update to version 0.3.2: + No upstream changes provided. ==== libgweather4 ==== Version update (4.2.0 -> 4.3.2) Subpackages: gweather4-data libgweather-4-0 libgweather4-lang typelib-1_0-GWeather-4_0 - Update to version 4.3.2: + Fix fallback metric unit detection logic + Documentation fixes + Performance improvements for nearest location lookups + Location database changes + Updated translations. ==== liborcus ==== - Removed patches: * liborcus-filesystem.patch * liborcus-tests.patch + reworked in order to send them upstream - Added patches: * 0001-Possibility-to-build-against-a-host-of-filesystem-im.patch * 0003-Allow-running-tests-with-python-3.4.patch * 0002-Allow-using-older-boost-filesystem.patch + split into chunks per topic so that upsteam can decide what to do ==== opensuse-welcome ==== Version update (0.1.9+git.0.66be0d8 -> 0.1.9+git.35.4b9444a) - Update to version 0.1.9+git.35.4b9444a: * panellayouter: use QTemporaryFile for applyLayout() (bsc#1213708, CVE-2023-32184). * Translation updates. ==== perl-Image-ExifTool ==== Version update (12.64 -> 12.65) Subpackages: exiftool perl-File-RandomAccess - Update to 12.65: * Added a new QuickTime Keys tag * Added a new CanonModelID * Added a new Canon LensType * Added number in brackets to converted Samsung MCCData value * Decode a number of new Sony tags * Decode a few new FlashPix tags (github #217) * Improved decoding of Nikon Z9 firmware 4.0 tags * Improved parsing of PDF:Keywords to support semicolon-separated lists * Enhanced -api option to show list of available options if no argument is provided * Lowered priority of IFD1 tags in ARW images so IFD0/SubIFD take precedence * Changed QuickTime tag names for atID (AlbumTitleID to ArtistID) and plID (PlayListID to AlbumID) (github issue #216), and added cmID (ComposerID) * Changed Apple:MediaGroupUUID tag name back to ContentIdentifier * Patched the -d option to handle the %s format code internally when writing (avoids problems due to inconsistent behaviour of this format code in the strptime function on different systems) * Patched patch of version 12.32 to restore ability to read from named pipes * Fixed bug which could cause a hang when processing a corrupt BigTIFF image * Fixed document number for auxiliary image metadata in HEIC files * Fixed misspelt Apple tag name * API Changes: + Added AvailableOptions method ==== signon ==== Version update (8.60 -> 8.61) Subpackages: libsignon-qt5-1 signon-plugins signond signond-libs - Update to 8.61 * Port away from QHash::unite * Don't emit QObject::destroyed() within Identity::destroy() * Build: remove unnecessary qmake options * Don't use -fno-rtti * Run test script with Busybox compatible mktemp * Fix typos in logs * Tests: add missing parameter to mkdir command * Fix deprecation warning * signond: register the adaptors in SignonDaemonAdaptor * signond: get appId of peer in SignonIdentityAdapter * signond: add Error class * signond: add ErrorAdaptor class * signond: use ErrorAdaptor in SignonSessionCore * signond: reduce usage of D-Bus in SignonIdentity class * signond: introduce PeerContext class * signond: reduce D-Bus usage in SignonAuthSession * signond: register the adaptors, not the object itself * signond: destroy adapter when Identity gets unregistered * Fix Unicode $HOME dir - Drop patch, merged upstream: * 0001-Don-t-use-fno-rtti.patch - Drop the unneeded baselibs.conf ==== systemd ==== Version update (253.7 -> 253.8) Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-container systemd-coredump systemd-lang udev - Import commit fcdb2dd2c921db3c6b7c28465dbda314f4469d17 (merge of v253.8) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/2dac0aff9ced1eca0cd11c24e264b330...