New MicroOS snapshot 20240926 released!

Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version=Tumbleweed&build=20240926 https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=MicroOS&query_format=advanced&resolution=--- Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: MicroOS-release (20240924 -> 20240926) bash (5.2.32 -> 5.2.37) bluez cairomm (1.16.1 -> 1.16.2) chrony (4.5 -> 4.6) curl (8.10.0 -> 8.10.1) cyrus-sasl fwupd (1.9.24 -> 1.9.25) gcc gcr gcr3 gettext-runtime gstreamer (1.24.7 -> 1.24.8) gstreamer-plugins-bad (1.24.7 -> 1.24.8) gstreamer-plugins-base (1.24.7 -> 1.24.8) gstreamer-plugins-good (1.24.7 -> 1.24.8) gtk4 (4.16.1 -> 4.16.2) gupnp (1.6.6 -> 1.6.7) harfbuzz (9.0.0 -> 10.0.1) kernel-source (6.10.11 -> 6.11.0) libmbim (1.28.4 -> 1.30.0) libostree (2024.7 -> 2024.8) libpeas microos-tools (2.21+git13 -> 2.21+git16) openssh (9.8p1 -> 9.9p1) openssh-askpass-gnome (9.8p1 -> 9.9p1) openssl-3 orc (0.4.39 -> 0.4.40) pinentry pinentry-gui podman (5.2.2 -> 5.2.3) python-Jinja2 python-oauthlib python-pycurl python-pyrsistent python-pyserial sddm sddm-qt6 selinux-policy (20240912 -> 20240925) systemd (256.5 -> 256.6) toolbox transactional-update (4.8.2 -> 4.8.3) xorg-x11-server xwayland === Details === ==== MicroOS-release ==== Version update (20240924 -> 20240926) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== bash ==== Version update (5.2.32 -> 5.2.37) Subpackages: bash-sh - Add upstream patches * bash52-037 Fix the case where text to be completed from the line buffer (quoted) is compared to the common prefix of the possible matches (unquoted) and the quoting makes the former appear to be longer than the latter. Readline assumes the match doesn't add any characters to the word and doesn't display multiple matches. * bash52-036 When readline is accumulating bytes until it reads a complete multibyte character, reading a byte that makes the multibyte character invalid can result in discarding the bytes in the partial character. * bash52-035 There are systems that supply one of select or pselect, but not both. * bash52-034 If we parse a compound assignment during an alias expansion, it's possible to have the current input string popped out from underneath the parse. In this case, we should not restore the input we were using when we began to parse the compound assignment. * bash52-033 A typo in the autoconf test for strtold causes false negatives for strtold being available and working when compiled with gcc-14. - Port patch bash-3.2-printf.patch to fit change in bash52-033 ==== bluez ==== Subpackages: bluez-auto-enable-devices bluez-cups libbluetooth3 - add Fix-crash-after-bt_uhid_unregister_all.patch to fix crashes when devices disconnect or go to sleep ==== cairomm ==== Version update (1.16.1 -> 1.16.2) - update to version 1.16.2: * meson.build: Avoid configuration warnings * MSVC build: Support VS2022 builds (Chun-wei Fan) Merge request !20 * Meson build: When mm-common >= 1.0.4 is used, Perl is not required * Meson build: Specify 'check' option in run_command() Will be necessary with future versions of Meson. Require Meson >= 0.55.0 * Meson build: Avoid unnecessary configuration warnings (Kjell Ahlstedt) ==== chrony ==== Version update (4.5 -> 4.6) Subpackages: chrony-pool-openSUSE - Update to version 4.6: * Add activate option to local directive to set activation threshold * Add ipv4 and ipv6 options to server/pool/peer directive * Add kod option to ratelimit directive for server KoD RATE support * Add leapseclist directive to read NIST/IERS leap-seconds.list file * Add ptpdomain directive to set PTP domain for NTP over PTP * Allow disabling pidfile * Improve copy server option to accept unsynchronised status instantly * Log one selection failure on start * Add offset command to modify source offset correction * Add timestamp sources to ntpdata report * Fix crash on sources reload during initstepslew or RTC initialisation * Fix source refreshment to not repeat failed name resolving attempts * Obsoletes chrony-124-tai.patch - The project's new home is https://chrony-project.org/ . ==== curl ==== Version update (8.10.0 -> 8.10.1) Subpackages: libcurl4 - Update to 8.10.1: * Bugfixes: - autotools: fix `--with-ca-embed` build rule - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync - cmake: fix MSH3 to appear on the feature list - connect: store connection info when really done - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a - http2: when uploading data from stdin, fix eos forwarding - http: make max-filesize check not count ignored bodies - lib: fix AF_INET6 use outside of USE_IPV6 - multi: check that the multi handle is valid in curl_multi_assign - QUIC: on connect, keep on trying on draining server - request: correctly reset the eos_sent flag - setopt: remove superfluous use of ternary expressions - singleuse: drop `Curl_memrchr()` for no-HTTP builds - tool_cb_wrt: use "curl_response" if no file name in URL - transfer: fix sendrecv() without interim poll - vtls: fix `Curl_ssl_conn_config_match` doc param ==== cyrus-sasl ==== Subpackages: cyrus-sasl-gssapi libsasl2-3 - Make DIGEST-MD5 work with openssl3 ( bsc#1230111 ) RC4 is legacy provided since openSSL3 and requires explicit loading, dDisable openssl3 depricated API warnings. * Add cyrus-sasl-make-digestmd5-work-ssl3.patch ==== fwupd ==== Version update (1.9.24 -> 1.9.25) Subpackages: libfwupd2 typelib-1_0-Fwupd-2_0 - Update to version 1.9.25: + This release fixes the following bugs: - Fix checking new Synaptics MST firmware size - Make another ModemManager instance ID visible for firmware matching - Never set a zero-length device name when matching the vendor name - Recalculate the device supported flag when reparenting devices - Reduce idle power consumption of paired logitech-hidpp devices - Retry the open action to fix BC901 NVMe reload + This release adds support for the following hardware: - Algoltek devices supporting sector erase - Dell K2 dock - Intel USB4 hub 5787 - More MediaTek scaler devices - Nordic HID devices supporting DFUv1 ==== gcc ==== - Ensure every -build package conflicts and provides the non-build counterpart (related to boo#1230628) - Make gcc-build-fortran provide and conflict gcc-fortran. ==== gcr ==== Subpackages: gcr-ssh-askpass libgck-2-2 libgcr-4-4 typelib-1_0-Gck-2 typelib-1_0-Gcr-4 - BuildRequire gettext-devel instead of gettext: allow OBS to shortcut through gettext-runtime-mini. ==== gcr3 ==== Subpackages: gcr3-data gcr3-prompter gcr3-ssh-askpass libgck-1-0 libgcr-3-1 - BuildRequire gettext-devel instead of gettext: allow OBS to shortcut through gettext-runtime-mini. ==== gettext-runtime ==== Subpackages: libtextstyle0 - Move envsubst requires into main package, gettext.sh is not part of gettext-tools, but gettext-runtime (fixes boo#1227070) ==== gstreamer ==== Version update (1.24.7 -> 1.24.8) Subpackages: libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.24.8: + Highlighted bugfixes: - decodebin3: collection handling fixes - encodebin: Fix pad removal (and smart rendering in gst-editing-services) - glimagesink: Fix cannot resize viewport when video size changed in caps - matroskamux, webmmux: fix firefox compatibility issue with Opus audio streams - mpegtsmux: Wait for data on all pads before deciding on a best pad unless timing out - splitmuxsink: Override LATENCY query to pretend to downstream that we're not live - video: QoS event handling improvements - voamrwbenc: fix list of bitrates - vtenc: Restart encoding session when certain errors are detected - wayland: Fix ABI break in WL context type name - webrtcbin: Prevent crash when attempting to set answer on invalid SDP - cerbero: ship vp8/vp9 software encoders again, which went missing in 1.24.7; ship transcode plugin - Various bug fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - clock: Fix unchecked overflows in linear regression code - meta: Add missing include of gststructure.h - pad: Check data NULL-ness when probes are stopped - aggregator: Immediately return NONE from simple_get_next_time() on non-TIME segments ==== gstreamer-plugins-bad ==== Version update (1.24.7 -> 1.24.8) Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.24.8: + GstPlay: Name the different bus + GstPlay: check whether stream is seekable before seeking when state change + GstPlayer: Check GstPlayerSignalDispatcher type + mpegtsmux: Wait for data on all pads before deciding on a best pad unless timing out + mpegtsmux: Fix refcounting issue when selecting the best pad + uvcsink: fix caps event handling + v4l2codecs: h265: Minimize memory allocation + voamrwbenc: fix list of bitrates + vtenc: Restart encoding session when certain errors are detected + wayland: Fix ABI break in WL context type name + webrtcbin: Prevent crash when attempting to set answer on invalid SDP + wpe: fix gst-launch example ==== gstreamer-plugins-base ==== Version update (1.24.7 -> 1.24.8) Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 - Update to version 1.24.8: + decodebin3: Fix collection identity check + encodebin: Fix pad removal + glimagesink: Fix cannot resize viewport when video size changed in caps + video: Don't overshoot QoS earliest time by a factor of 2 + meson: gst-play: link to libm - Drop gst-plugins-base-decodebin3-collection-identity-check.patch: Fixed upstream. - Rebase add_wayland_dep_to_tests.patch with quilt. ==== gstreamer-plugins-good ==== Version update (1.24.7 -> 1.24.8) - Update to version 1.24.8: + jackaudiosrc: actually use the queried ports from JACK + matroskamux: Include end padding in the block duration for Opus streams, fixing firefox compatibility + osxaudio: Avoid dangling pointer on shutdown + splitmuxsink: Override LATENCY query to pretend to downstream that we're not live + v4l2bufferpool: actually queue back the empty buffer flagged LAST + v4l2videoenc: unref buffer pool after usage properly + v4l2: encoder: Add dynamic framerate support ==== gtk4 ==== Version update (4.16.1 -> 4.16.2) Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.16.2: + GtkLabel: Fix centered text in RTL + Gsk: - Speed up some Vulkan operations - Improve startup speed by avoiding initialization of GL and Vulkan in most cases - Reduce critials at startup to warnings - Fix a crash on startup with some Vulkan drivers - Fix a big texture leak in NGL + Gdk: Speed up memory format conversions + Wayland: Be more careful with mimetypes during DND or copy-paste + Tools: builder-tool: Improve conversion of boxes + Updated translations. ==== gupnp ==== Version update (1.6.6 -> 1.6.7) - Update to version 1.6.7: + Fix compatiblity with libxml2 2.12.x + Improve reproducability + ControlPoint: Fix re-scan + ContextManager: Fix boot-id update + Context: Fix crash if served URI is not an IP address - Drop 00514fb6.patch: Fixed upstream. ==== harfbuzz ==== Version update (9.0.0 -> 10.0.1) Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0 - Update to version 10.0.1: + Relax sanitization checks for “morx” subtables to fix broken AAT shaping of macOS 15.0 version of GeezaPro. - Switch to source service for tarball. - Update to version 10.0.0: + Unicode 16.0.0 support. + Various documentation fixes. + Various build fixes. + Add API to allow HarfBuzz client to set what glyph to use when a Unicode Variation Selector is not supported by the font, which would allow the client to customize what happens in this case, by using a different font for example. + Add a callback to for “hb_face_t” for getting the list of table tags. This is now used to make calling “hb_face_get_table_tags()” work on a faces created by “hb_face_create_for_tables()” (e.g. faces returned by “hb_subset_or_fail()”). + CGJ and Mongolian Variation Selectors are now ignored during glyph positioning, previously they would block both glyph substitution and positioning across them. + Support cairo script as an output format for “hb-view” command line tool. + Drop an optimization that would cause HarfBuzz not apply pair positioning lookup subtables under certain circumstances, for compatibility with other implementations that do apply these subtables. + Subsetting will now fail if source font has no glyphs, so feeding the subsetter invalid data will not silently return an empty face. + If after partially instancing a font no variation data is left (the instance is fully static), don’t consider this a failure. + Workaround a Firefox bug in displaying SVGs generated be “hb-view” command line tool under certain circumstances. + Fix bug in macroman mapping for “cmap” table. + Fix difference shaping output when HarfBuzz is built with with “HB_NO_OT_RULESETS_FAST_PATH” enabled. + Various subsetting and instancing fixes. + Various fuzzing fixes. + Add “with_libstdcxx” meson build option. ==== kernel-source ==== Version update (6.10.11 -> 6.11.0) - Revert "PCI: Extend ACS configurability" (bsc#1229019). - commit 4b97d57 - block: Fix elv_iosched_local_module handling of "none" scheduler (bsc#1230925). - commit d8cfa46 - drm/amdgpu/display: Fix a mistake in revert commit (bsc#1228093 - commit 39574a1 - Refresh patches.suse/ALSA-hda-Enhance-pm_blacklist-option.patch. - Refresh patches.suse/ALSA-hda-Keep-PM-disablement-for-deny-listed-instanc.patch. Update upstream status. - commit 2244c0f ==== libmbim ==== Version update (1.28.4 -> 1.30.0) - Update to version 1.30.0: + New Intel Mutual Authentication service + New Intel Tools service + New Google service + Extended the Microsoft-defined Basic Connect Extensions service - Drop patches included upstream: + 0001-intel-mutual-authentication-new-service-fcc-lock.patch + 0002-intel-tools-new-service-trace-config.patch ==== libostree ==== Version update (2024.7 -> 2024.8) Subpackages: libostree-1-1 - Update to version 2024.8: + Adapt to a change in libcurl 8.10.1 that caused ostree to start crashing. + switchroot: Stop making /sysroot mount private. ==== libpeas ==== - BuildRequire gettext-devel instead of gettext: allow OBS to shortcut through gettext-runtime-mini. ==== microos-tools ==== Version update (2.21+git13 -> 2.21+git16) - Update to version 2.21+git16: * selinux: Avoid parameter duplication * 98selinux-microos: Use a single thread for relabelling /etc * Use all cores for SELinux restorecon (related to jsc#SMO-382) - _service: Omit +git0 suffix in versions ==== openssh ==== Version update (9.8p1 -> 9.9p1) Subpackages: openssh-clients openssh-common openssh-server - Add a const to the openssl 1.1/RSA section of sshkey_is_private to keep it similar to what it used before the 9.9 rebase: * openssh-8.1p1-audit.patch - Add a openssl11 bcond to the spec file for the SLE12 case instead of checking suse_version in different parts. - Move conditional patches to a number >= 1000. - Update to openssh 9.9p1: = Future deprecation notice * OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. = Potentially-incompatible changes * ssh(1): remove support for pre-authentication compression. OpenSSH has only supported post-authentication compression in the server for some years. Compression before authentication significantly increases the attack surface of SSH servers and risks creating oracles that reveal information about information sent during authentication. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. If configurations contained workarounds for the previous simplistic quote handling then they may need to be adjusted. If this is the case, it's most likely to be in the arguments to a "Match exec" confition. In this case, moving the command to be evaluated from the Match line to an external shell script is easiest way to preserve compatibility with both the old and new versions. = New features * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1): the ssh_config "Include" directive can now expand environment as well as the same set of %-tokens "Match Exec" supports. * sshd(8): add a sshd_config "RefuseConnection" option that, if set will terminate the connection at the first authentication request. * sshd(8): add a "refuseconnection" penalty class to sshd_config PerSourcePenalties that is applied when a connection is dropped by the new RefuseConnection keyword. * sshd(8): add a "Match invalid-user" predicate to sshd_config Match options that matches when the target username is not valid on the server. * ssh(1), sshd(8): update the Streamlined NTRUPrime code to a substantially faster implementation. * ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key exchange algorithm now has an IANA-assigned name in addition to the "@openssh.com" vendor extension name. This algorithm is now also available under this name "sntrup761x25519-sha512" * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. * sshd(8): add a random amount of jitter (up to 4 seconds) to the grace login time to make its expiry unpredictable. = Bugfixes * sshd(8): relax absolute path requirement back to what it was prior to OpenSSH 9.8, which incorrectly required that sshd was started with an absolute path in inetd mode. bz3717 * sshd(8): fix regression introduced in openssh-9.8 that swapped the order of source and destination addresses in some sshd log messages. * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * regress: many performance and correctness improvements to the re-keying regression test. ... changelog too long, skipping 41 lines ... - Use gcc11 when building in SLE12 and SLE15. ==== openssh-askpass-gnome ==== Version update (9.8p1 -> 9.9p1) - Update to openssh 9.9p1: * No changes for askpass, see main package changelog for details. ==== openssl-3 ==== Subpackages: libopenssl3 - Security fix: [bsc#1230698, CVE-2024-41996] * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used * Added openssl-CVE-2024-41996.patch ==== orc ==== Version update (0.4.39 -> 0.4.40) - Update to version 0.4.40: + Security: Minor follow-up fixes for CVE-2024-40897 + Fix include header use from C++ + orccodemem: Assorted memory mapping fixes + powerpc: fix div255w which still used the inexact substitution + powerpc: Disable VSX and ISA 2.07 for Apple targets + powerpc: Allow detection of ppc64 in Mac OS + x86: work around old GCC versions (pre 9.0) having broken xgetbv implementationsv + x86: consider MSYS2/Cygwin as Windows for ABI purposes only + x86: handle unnatural and misaligned array pointers + x86: Fix non-C11 typedefs + x86: try fixing AVX detection again by adding check for XSAVE + Some compatibility fixes for Musl + meson: Fix detecting XSAVE on older AppleClangv + Check return values of malloc() and realloc() ==== pinentry ==== - Make pinentry-efl optional ==== pinentry-gui ==== Subpackages: pinentry-gnome3 pinentry-qt6 - Make pinentry-efl optional ==== podman ==== Version update (5.2.2 -> 5.2.3) - Update to version 5.2.3: * Bugfixes - Fixed a bug that could cause network namespaces to fail to unmount, resulting in Podman commands hanging. - Fixed a bug where Podman could not run images which included SCTP exposed ports. - Fixed a bug where containers run by the root user, but inside a user namespace (including inside a container), could not use the pasta network mode. - Fixed a bug where volume copy-up did not properly chown empty volumes when the :idmap mount option was used. * Misc - Updated Buildah to v1.37.3 ==== python-Jinja2 ==== - Fix build error under Leap. ==== python-oauthlib ==== - Fix build error under Leap. ==== python-pycurl ==== - Add upstream patch test-bottle-flask.patch to use Flask instead of bottle for tests. gh#pycurl/pycurl#838 ==== python-pyrsistent ==== - Fix build error under Leap. ==== python-pyserial ==== - Fix build error under Leap. ==== sddm ==== - Move default value for [Autologin] Session 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch to 00-general.conf - Add patches to make autologin with wayland more reliable (boo#1221507): * 0001-Remove-unused-Display-m_relogin-variable.patch * 0002-Set-Display-m_started-early.patch * 0003-Load-autologin-configuration-in-Display-Display.patch * 0004-Reset-daemonApp-first-in-the-Display-constructor.patch * 0005-If-autologin-is-used-avoid-starting-a-display-server.patch - Rebase 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch ==== sddm-qt6 ==== Subpackages: sddm-greeter-qt6 - Move default value for [Autologin] Session 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch to 00-general.conf - Add patches to make autologin with wayland more reliable (boo#1221507): * 0001-Remove-unused-Display-m_relogin-variable.patch * 0002-Set-Display-m_started-early.patch * 0003-Load-autologin-configuration-in-Display-Display.patch * 0004-Reset-daemonApp-first-in-the-Display-constructor.patch * 0005-If-autologin-is-used-avoid-starting-a-display-server.patch - Rebase 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch ==== selinux-policy ==== Version update (20240912 -> 20240925) Subpackages: selinux-policy-targeted - Update to version 20240925: * Allow snapperd to manage unlabeled_t files (bsc#1230966) - Update to version 20240924: * Revert "Allow virtstoraged to manage images (bsc#1228742)" * Label /etc/mdevctl.d with mdevctl_conf_t * Sync users with Fedora targeted users * Update policy for rpc-virtstorage * Allow virtstoraged get attributes of configfs dirs * Fix SELinux policy for sandbox X server to fix 'sandbox -X' command * Update bootupd policy when ESP is not mounted * Allow thumb_t map dri devices * Allow samba use the io_uring API * Allow the sysadm user use the secretmem API * Allow nut-upsmon read systemd-logind session files * Allow sysadm_t to create PF_KEY sockets * Update bootupd policy for the removing-state-file test - Fix macros.selinux-policy (bsc#1230897) - %selinux_relabel_post should not relabel files in transactional systems in %post as the policy is not loaded into the kernel directly after install, instead the relabelling will happen on the next boot ==== systemd ==== Version update (256.5 -> 256.6) Subpackages: libsystemd0 libudev1 systemd-boot systemd-experimental udev - Import commit 8a0ae4d90aff1d067a125ff9366eafc7dd5d4701 (merge of v256.6) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/bef0958f4db1b774c23505e93537ffe1... - Don't try to restart the udev socket units anymore (bsc#1228809) There's currently no way to restart a socket activable service and its socket units "atomically" and safely. - Move 80-container-host0.network back to the network sub-package (bsc#1229098) Rev 428 mistakenly moved it to the container sub-package. ==== toolbox ==== - Update SLE/Leap Micro images from 5.4 to 6.0 (bsc#1227328) ==== transactional-update ==== Version update (4.8.2 -> 4.8.3) Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd - Version 4.8.3 - Check return value of register command [bsc#1230901] ==== xorg-x11-server ==== Subpackages: xorg-x11-server-Xvfb - added conflicts to patterns-wsl-tmpfiles to Xserver packages as this patterns package creates a symlink from /tmp/.X11-unix to /mnt/wslg/.X11-unix and therefore prevents Xservers from creating this needed directory (bsc#1230755) ==== xwayland ==== - added conflicts to patterns-wsl-tmpfiles as this patterns package creates a symlink from /tmp/.X11-unix to /mnt/wslg/.X11-unix and therefore prevents Xwayland from creating this needed directory (bsc#1230755)