[opensuse-factory] Leap 15.0 Build 189.1 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.0&build=189.1&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.0

When you reply to discuss some issues, make sure to change the subject.

Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m...
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
  MozillaFirefox (58.0.2 -> 59.0.2)
  MozillaThunderbird
  gdm-branding-openSUSE
  gnome-dictionary (3.26.1 -> 3.26.1+20180313.ac6d4c0)
  gstreamer-plugins-bad
  kded
  libvorbis (1.3.5 -> 1.3.6)
  mozilla-nspr (4.17 -> 4.19)
  mozilla-nss (3.34.1 -> 3.36)
  vim
  xorg-x11-server

=== Details ===

==== MozillaFirefox ====
Version update (58.0.2 -> 59.0.2)
Subpackages: MozillaFirefox-translations-common

- Reduce constraints on aarch64
- update to Firefox 59.0.2
  * Invalid page rendering with hardware acceleration enabled (bmo#1435472)
  * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites that use those keys with resistFingerprinting enabled (bmo#1433592)
  * High CPU / memory churn caused by third-party software on some computers (bmo#1446280)
  * Users who have configured an "automatic proxy configuration URL" and want to reload their proxy settings from the URL will find the Reload button disabled in the Connection Settings dialog when they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
  * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
  * Users trying to cancel a print around the time it completes will continue to get intermittent crashes (bmo#1441598)
  MFSA 2018-10 (bsc#1087059)
  * CVE-2018-5148 (bmo#1440717) Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch
- Added patches:
  * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070 fixes non-unified build error
  * mozilla-i586-domPrefs.patch - DOMPrefs.h fixes 32bit build error
- update to Firefox 59.0.1 (bsc#1085671)
  MFSA 2018-08
  * CVE-2018-5146 (bmo#1446062) Vorbis audio processing out of bounds write
  * CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor
  (mozilla-bmo1446062.patch)
- Added patch:
  * mozilla-bmo1005535.patch: Enable skia_gpu on big endian platforms.
- update to Firefox 59.0
  * Performance enhancements
  * Drag-and-drop to rearrange Top Sites on the Firefox Home page
  * added features for Firefox Screenshots
  * Enhanced WebExtensions API
  * Improved RTC capabilities
  MFSA 2018-06 (bsc#1085130)
  * CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList
  * CVE-2018-5128 (bmo#1431336) Use-after-free manipulating editor selection ranges
  * CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages
  * CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption
  * CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources
  * CVE-2018-5132 (bmo#1408194) WebExtension Find API can search privileged pages
  * CVE-2018-5133 (bmo#1430511, bmo#1430974) Value of the app.support.baseURL preference is not properly sanitized
  * CVE-2018-5134 (bmo#1429379) WebExtensions may use view-source: URLs to bypass content restrictions
  * CVE-2018-5135 (bmo#1431371) WebExtension browserAction can inject scripts into unintended contexts
  * CVE-2018-5136 (bmo#1419166) Same-origin policy violation with data: URL shared workers
  * CVE-2018-5137 (bmo#1432870) Script content can access legacy extension non-contentaccessible resources
  * CVE-2018-5138 (bmo#1432624) (Android only) Android Custom Tab address spoofing through long domain names
  * CVE-2018-5140 (bmo#1424261) Moz-icon images accessible to web content through moz-icon: protocol
  * CVE-2018-5141 (bmo#1429093) DOS attack through notifications Push API
  * CVE-2018-5142 (bmo#1366357) Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs
  * CVE-2018-5143 (bmo#1422643) Self-XSS pasting javascript: URL with embedded tab into addressbar
  * CVE-2018-5126 Memory safety bugs fixed in Firefox 59
  * CVE-2018-5125 Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
- requires NSPR 4.18 and NSS 3.35
- requires rust >= 1.22.1
- removed obsolete patches:
  mozilla-alsa-sandbox.patch
  mozilla-enable-csd.patch
  firefox-no-default-ualocale.patch
- removed l10n_changesets.txt since same information is now in Firefox source tree (updated create-tar.sh now requires jq)

==== MozillaThunderbird ====
Subpackages: MozillaThunderbird-translations-common

- Exclude bigendian archs for now, have not built since version 45.8.0
  ExcludeArch: ppc ppc64 s390 s390x

==== gdm-branding-openSUSE ====

- Append InitialSetupEnable=False in custom.conf on Leap, disabling the gnome-initial-setup gdm mode, making it consistent with the behavior of SLE (bsc#1067976 boo#1086056).

==== gnome-dictionary ====
Version update (3.26.1 -> 3.26.1+20180313.ac6d4c0)
Subpackages: gnome-dictionary-lang

- Update to version 3.26.1+20180313.ac6d4c0:
  + Remove po/Makevars.
  + Flatpak: use meson from flatpak build definition.
  + Fix translations of the Name key.
  + Drop build-api wrapper for Continuous.
  + Updated translations.
- Switch to git-checkout via source services.
- Drop obsolete gnome-utils Conflicts and update-desktop-files BuildRequires and stop passing glib2_gsettings_schema_requires and suse_update_desktop_file macros.
- Use autosetup macro and pass explicit use_ipv6=true and build_man=true to meson, ensure we build the features we want.
- Update URL to correct home.

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbadbase-1_0-0 libgstbadvideo-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstgl-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgsturidownloader-1_0-0 libgstwayland-1_0-0

- Move BuildRequires pkgconfig(dvdnav/dvdread) to BUILD_ORIG section. It is only needed when building BUILD_ORIG package, which is not the case for official builds for openSUSE Leap, Tumbleweed or SLE.
- Add gst-bad-revert-automake-autoconf-versions.patch: Revert the autoconf and automake version bump upstream did without consideration about us, allow to build with the automake we have in Leap 42.3 and SLE12.
- Following the above patch, drop the explicit automake BuildRequires, as libtool BuildRequires brings it in, and we can now build with the old version we have in Leap/SLE.
- Split out fluidsynth plugin in new sub-package gstreamer-plugins-bad-fluidsynth.
- Following the above, add gstreamer-plugins-bad-fluidsynth and already built sub-package gstreamer-plugins-bad-chromaprint to baselibs.conf, build 32-bits support for these too.
- Add conditional gstreamer-plugins-bad-fluidsynth and gstreamer-plugins-bad-chromaprint Requires: to -devel sub-package.
- Modernize spec-file by calling spec-cleaner
- Add gstreamer-plugins-bad-reproducible.patch to avoid variations in gtk-doc output (boo#1048207).
- Following the above, add automake and libtool BuildRequires and pass autoreconf, as the above patch touches the buildsystem.

==== kded ====
Subpackages: kded-lang

- Add patch to support Wayland sessions without QT_QPA_PLATFORM:
  * 0001-Add-platform-detection-and-adjustment-to-kded.patch

==== libvorbis ====
Version update (1.3.5 -> 1.3.6)
Subpackages: libvorbis0 libvorbisenc2 libvorbisfile3

- Split libvorbis-doc subpackage to a separate spec file for reducing the dependencies

==== mozilla-nspr ====
Version update (4.17 -> 4.19)

- update to version 4.19
  * changed order of shutdown cleanup to avoid a crash on Mac OSX
  * build compatibility with Android NDK r16 and glibc 2.26
- update to version 4.18
  * removed HP-UX DCE threads support
  * improvements for the Windows implementation of PR_SetCurrentThreadName
  * fixes for the Windows implementation of TCP Fast Open

==== mozilla-nss ====
Version update (3.34.1 -> 3.36)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs

- update to NSS 3.36
  New functionality
  * Experimental APIs for TLS session cache handling
  Notable Changes
  * Replaces existing vectorized ChaCha20 code with verified HACL* implementation.
- Removed patch as no longer needed:
  renegotiate-transitional.patch upstream fix
- update to NSS 3.35
  New functionality
  * TLS 1.3 support has been updated to draft -23. This includes a large number of changes since 3.34, which supported only draft -18. See below for details.
  New Types
  * SSLHandshakeType - The type of a TLS handshake message.
  * For the SSLSignatureScheme enum, the enumerated values ssl_sig_rsa_pss_sha* are deprecated in response to a change in TLS 1.3. Please use the equivalent ssl_sig_rsa_pss_rsae_sha* for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha* for PSS keys. Note that this release does not include support for the latter.
  Notable Changes
  * Previously, NSS used the DBM file format by default. Starting with version 3.35, NSS uses the SQL file format by default. Additional information can be found on this Fedora Linux project page: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
  * Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit.
  * For stronger security, when creating encrypted PKCS#7 or PKCS#12 data, the iteration count for the password based encryption algorithm has been increased to one million iterations. Note that debug builds will use a lower count, for better performance in test environments.
  * NSS 3.30 had introduced a regression, preventing NSS from reading some AES encrypted data, produced by older versions of NSS. NSS 3.35 fixes this regression and restores the ability to read affected data.
  * The following CA certificates were Removed:
    OU = Security Communication EV RootCA1
    CN = CA Disig Root R1
    CN = DST ACES CA X6
    Subject CN = VeriSign Class 3 Secure Server CA - G2
  * The Websites (TLS/SSL) trust bit was turned off for the following CA certificates:
    CN = Chambers of Commerce Root
    CN = Global Chambersign Root
  * TLS servers are able to handle a ClientHello statelessly, if the client supports TLS 1.3. If the server sends a HelloRetryRequest, it is possible to discard the server socket, and make a new socket to handle any subsequent ClientHello. This better enables stateless server operation. (This feature is added in support of QUIC, but it also has utility for DTLS 1.3 servers.)
  * The tstclnt utility now supports DTLS, using the -P option. Note that a DTLS server is also provided in tstclnt.
  * TLS compression is no longer possible with NSS. The option can be enabled, but NSS will no longer negotiate compression.
  * The signatures of functions SSL_OptionSet, SSL_OptionGet, SSL_OptionSetDefault and SSL_OptionGetDefault have been modified, to take a PRIntn argument rather than PRBool. This makes it clearer, that options can have values other than 0 or 1. Note this does not affect ABI compatibility, because PRBool is a typedef for PRIntn.

==== vim ====
Subpackages: vim-data vim-data-common

- instead of explicitly unsetting mouse, remove it from the defaults in the first place (boo#1079185, vim-8.0.1568-defaults.patch)
- Switch to make -j1 clean to see if it fixes random build failures on Leap/SLE 15.

==== xorg-x11-server ====
Subpackages: xorg-x11-server-extra xorg-x11-server-wayland

- Update and re-enable n_xserver-optimus-autoconfig-hack.patch. (bnc#1084411)

participants (1): Ludwig Nussel