New MicroOS snapshot 20230929 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version=Tumbleweed&build=20230929
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=MicroOS&query_format=advanced&resolution=---

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (117.0.1 -> 118.0.1)
  argyllcms (2.3.1 -> 3.0.0)
  glibc
  gstreamer (1.22.5 -> 1.22.6)
  gstreamer-plugins-bad (1.22.5 -> 1.22.6)
  gstreamer-plugins-base (1.22.5 -> 1.22.6)
  gstreamer-plugins-good (1.22.5 -> 1.22.6)
  libqt5-qtbase
  libssh
  libvpx
  mpg123 (1.31.3 -> 1.32.2)
  open-vm-tools
  openssl-3 (3.1.2 -> 3.1.3)
  openssl (3.1.2 -> 3.1.3)
  perl-HTTP-Message (6.44 -> 6.450.0)
  python-greenlet (2.0.2 -> 3.0.0~rc3)
  sddm
  smartmontools
  yast2-python-bindings (4.6.0 -> 5.0.1)

=== Details ===

==== MozillaFirefox ====
Version update (117.0.1 -> 118.0.1)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 118.0.1
  MFSA 2023-44 (bsc#1215814)
  * CVE-2023-5217 (bmo#1855550), Heap buffer overflow in libvpx
- Mozilla Firefox 118.0
  MFSA 2023-41 (bsc#1215575)
  * CVE-2023-5168 (bmo#1846683) Out-of-bounds write in FilterNodeD2D1
  * CVE-2023-5169 (bmo#1846685) Out-of-bounds write in PathOps
  * CVE-2023-5170 (bmo#1846686) Memory leak from a privileged process
  * CVE-2023-5171 (bmo#1851599) Use-after-free in Ion Compiler
  * CVE-2023-5172 (bmo#1852218) Memory Corruption in Ion Hints
  * CVE-2023-5173 (bmo#1823172) Out-of-bounds write in HTTP Alternate Services
  * CVE-2023-5174 (bmo#1848454) Double-free in process spawning on Windows
  * CVE-2023-5175 (bmo#1849704) Use-after-free of ImageBitmap during
    process shutdown
  * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
- requires NSS 3.93
- add mozilla-bmo1822730.patch
- deactivated KDE integration temporarily (removed mozilla-kde.patch and firefox-kde.patch for now)

==== argyllcms ====
Version update (2.3.1 -> 3.0.0)

- Update to 3.0.0:
  * Updated ccast/axTLS to get ChromCast working again with latest Google CC operating software.
  * Extensive re-write/re-factor of icclib to make it more future-proof. See https://www.argyllcms.com/doc/ChangesSummary.html for details.
  * Added ref/ColorCheckerPassport.ti2 and ref/ColorCheckerHalfPassport.ti2 to allow measuring ColorCheckerPassport with instrument.
  * Fixed bug in Munki spectro hi-res mode with some instruments. Luminance matching between normal and hi-res was sometimes quite poor.
  * Added ARGYLL_CREATE_DISPLAY_PROFILE_WITHOUT_CHAD environment variable.
  * Changed colprof -U flag to -u. Changed dispcal -J flag to -K to accommodate a potential new flag for colprof and dispcal.
  * Added workaround for bug in madHcNet64.dll32/64.dll which sometimes causes failure.
  * Added delay after USB set_config on OS X to help Spyder 3/4 on Ventura OS.
  * Added -Y parameter to dispwin to override automatic patch delay.
  * Changed i1d3 driver to cope with Rev. B "0x83" error robustly. This should fix any issues measuring low level Red only patch values on OLED displays, but with slower measurements when this occurs.
  * Added spotread -Y S option to save spectral sensitivity curves and added corresponding support in i1d3 driver. This allows for comparison of different instruments factory calibrations.
  * Added a -h scale parameter to dispread, to allow the automatic instrument calibration test patch values to be scaled down from their default 100% value. This is useful with HDR displays.
  * Added manifest to MSWindows executables to use UTF-8 code pages on Windows 1903 and later. This should improve non-ASCII filename and path handling.
  * Added a Violet colorant to the targen colorant list.
  * Fixed problem with OS X 64 bit backwards compatibility where it failed to locate serial instruments when the binaries are run on OS X V12 or later machines.
  * Fixed bug in i1Pro3 driver where it was not returning the correct measurement conditions enum.
  * Fixed spotread so that ambient measure for monochrome sources doesn't error out due to bad CCT/VCT/VDT. Also change -T so that it suppresses CCT etc. if ambient mode is used.
  * Added hacky workaround to strange Mac M2/rosetta bug in del_i1proimp().
- Make the argyllcms-doc package noarch.

==== glibc ====
Subpackages: glibc-extra glibc-lang glibc-locale glibc-locale-base nscd

- fstat-implementation.patch: io: Do not implement fstat with fstatat
- getaddrinfo-memory-leak.patch: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 (CVE-2023-5156, bsc#1215714, BZ #30884)
- getcanonname-use-after-free.patch: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806, bsc#1215281, BZ #30843)
- Do not build any cross packages in SLES
- no-aaaa-read-overflow.patch: Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, bsc#1215280, BZ #30842)
- Add systemd to passwd, group and shadow lookups (jsc#PED-5188)
- ppc64-flock-fob64.patch: io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64 (BZ #30804)
- libio-io-vtables.patch: libio: Fix oversized __io_vtables
- call-init-proxy-objects.patch: elf: Do not run constructors for proxy objects
- dtors-reverse-ctor-order.patch: elf: Always call destructors in reverse constructor order (BZ #30785)
- intl-c-utf-8-like-c-locale.patch: intl: Treat C.UTF-8 locale like C locale (BZ #16621)
- glibc-disable-gettext-for-c-utf8.patch: Removed

==== gstreamer ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-lang
libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.22.6:
  + Highlighted bugfixes:
    - Security fixes for the MXF demuxer and H.265 video parser
    - Fix latency regression in H.264 hardware decoder base class
    - androidmedia: fix HEVC codec profile registration and fix coded_data handling
    - decodebin3: fix switching from a raw stream to an encoded stream
    - gst-inspect: prettier and more correct signal and action signals printing
    - rtmp2: Allow NULL flash version, omitting the field, for better RTMP server compatibility
    - rtspsrc: better compatibility with buggy RTSP servers that don't set a clock-rate
    - rtpjitterbuffer: fix integer overflow that led to more packets being declared lost than have been lost
    - v4l2: fix video encoding regression on RPi and fix support for left and top padding
    - waylandsink: Crop surfaces to their display width height
    - cerbero: Recognise Manjaro; add Rust support for MSVC ARM64; cmake detection fixes
    - Various bug fixes, memory leak fixes, and other stability and reliability improvements
  + gstreamer:
    - gst-inspect: prettier and more correct signal printing, and print action signals in g_signal_emit_by_name() format
    - gst-launch: Disable fault signal handlers on macOS
- Rebase reduce-required-meson.patch

==== gstreamer-plugins-bad ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.22.6:
  + audiolatency: Forward latency query and event upstream
  + av1parser: Fix segmentation params update
  + codecparsers: Fix MPEG-1 aspect ratio table
  + d3d11convert: Passthrough allocation query on same caps
  + h264decoder: Update latency dynamically
  + h265parser:
    - Allow partially broken hvcC data
    - Fix possible overflow using max_sub_layers_minus1
  + hlssink2: Always use forward slash separator
  + mdns: Fix a crash on context error
  + mxfdemux: Fix integer overflow causing out of bounds writes when handling invalid uncompressed video and check channels for AES3
  + nvencoder: Fix negotiation error when interlace-mode is unspecified
  + rtmp2: Allow NULL flash version, omitting the field
  + rtmp2sink: fix crash if message conversion failed
  + transcodebin: Fixes for upstream selectable support
  + va: Fix in error logs functions mismatches
  + waylandsink:
    - Crop surfaces to their display width height
    - Fix cropping for video with non-square aspect ratio
  + webrtc: Fix docs for create-data-channel action signal
- Rebase reduce-required-meson.patch

==== gstreamer-plugins-base ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstTag-1_0

- Update to version 1.22.6:
  + audio: Make sure to stop ringbuffer on error
  + decodebin3:
    - Avoid identity, sinkpad, parsebin leakage when reset input
    - Ensure the slot is unlinked before linking to decoder
  + sdp:
    - Fix wrong debug log error message for missing clock-rate in caps
    - Parse zero clock-rate as default
- Rebase reduce-required-meson.patch

==== gstreamer-plugins-good ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang

- Update to version 1.22.6:
  + adaptivedemux2: fix memory leak
  + pulsedeviceprovider: fix incorrect usage of GST_ELEMENT_ERROR
  + qt:
    - Unbreak build with qt-egl enabled but viv_fb missing
    - Fix searching of qt5/qt6 tools with qmake in Meson
  + qtdemux:
    - Fix premature EOS when some files are played in push mode
    - Attach cbcs crypt
      info at the right moment
  + rtpjitterbuffer: Avoid integer overflow in max saveable packets calculation with negative offset
  + videoflip: fix concurrent access when modifying the tag list
  + v4l2:
    - allocator: Don't close foreign dmabuf
    - bufferpool:
      . Fix large encoded stream regression
      . Problems when checking for truncated buffer
    - Fix support for left and top padding
  + v4l2object: clear format lists if source change event is received
- Rebase reduce-required-meson.patch
- Add libqt5-linguist BuildRequires: New dependency.

==== libqt5-qtbase ====
Subpackages: libQt5Concurrent5 libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5 libQt5OpenGL5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-sqlite libQt5Test5 libQt5Widgets5 libQt5Xml5 libqt5-qtbase-platformtheme-gtk3

- switch icu-devel requires to pkgconfig to allow switching libicu versions

==== libssh ====
Subpackages: libssh-config libssh4

- Enable crypto-policies support: [bsc#1211301]
  * Rebase libssh_client.config libssh_server.config

==== libvpx ====

- Fixing CVE-2023-5217 heap buffer overflow (boo#1215778) added CVE-2023-5217.patch

==== mpg123 ====
Version update (1.31.3 -> 1.32.2)
Subpackages: libmpg123-0 mpg123-openal

- Update to version 1.32.2
  * libmpg123: Re-introduce _64 symbols on native 64 bit offset platforms. This was a regression since 1.31 series. Sorry, too much cleanup, not enough testing.
  * build:
    + Better O_LARGEFILE logic, avoiding redefinition.
  * ports/cmake:
    + Require C99 (bug 360, among other points, thanks to Ozkan Sezer).
    + Fix broken O_LARGEFILE logic (bug 360).
    + Typo fix and cleanup, also manual SSE switch for Android on old x86 (bug 359).
- Update to version 1.32.1
  * Include man pages again in tarball and install. We cannot avoid the empty man directory when disabling programs with autoconf.
  * Fix signal handler prototype, avoiding some justified warnings.
  * ports/cmake:
    + Include CheckTypeSize, which seems to be needed sometimes
    + Avoid O_LARGEFILE redefinition, logic closer to autoconf.
- Update to version 1.32.0
  * build
    + Move version handling out of configure.ac to ease other build systems.
    + Include "fmt123.h" instead of <fmt123.h> in main API headers to make it more likely the correct one is included (at least gcc picks the one in the same directory as the including header first).
    + All headers are build-independent now.
    + Fix build for picky linkers by avoiding definition of wrap_getcpuflags() where it is not used (spurious linker error to non-existent getcpuflags(), bug 353).
    + Handle deprecation of C99 detection macro in autoconf 2.70.
    + No use of AC_SYS_LARGEFILE anymore for explicit handling and differing choice for the libraries and frontend programs.
    + Added --enable-portable and --disable-largefile to configure, removing the other largefile-related options.
    + Added --disable-components --enable-libmpg123 to only build libmpg123 (and likewise --enable-libout123, --enable-libout123-modules, --enable-libsyn123) to autoconf build. CMake build has something similar with BUILD_PROGRAMS and BUILD_LIBOUT123, which leave only libmpg123 and libsyn123 if disabled).
    + Consistent formatting of ./configure --help with AS_HELP_STRING().
  * mpg123
    + Added --libversion.
    + Added proper A-B looping with terminal control key 'o', renamed --pauseloop to --presetloop.
    + Really get rid of mpg123_position() usage. (It was all lies before!)
    + Fix terminal progress info when seeking in stopped mode (1.31 regression).
    + Patch up interaction of output buffer with generic remote control, adding non-interruptible drain after P 3, and dropping buffer on QUIT.
    + Uppercase some generic control replies for consistency: SILENCE, PROGRESS, MUTE, UNMUTE
  * libmpg123, libout123, libsyn123
    + Bumped API version for version query functions.
    + Replaced nearly all symbol renames with explicit INT123_ prefix declarations (intsym.h close to empty now).
  * libout123
    + Add sleep builtin output module (silent, but proper timing).
  * libsyn123
    + Introduced SYN123_PORTABLE_API for an API without off_t and ssize_t (see NEWS.libsyn123).
  * libmpg123
    + Internal I/O using explicit largefile support via off64_t, lseek64, fallback to plain 32 bit off_t.
    + Added explicit 64 bit API with 64 suffix (mpg123_tell64(), not mpg123_tell_64()). This allows full avoidance of ambiguous off_t. The API is always using 64 bit integers, regardless of internal implementation.
    + Introduced MPG123_PORTABLE_API for an API subset without off_t and ssize_t.
    + Made mpg123_seek() and friends ignore offset sign for SEEK_END (always seeking towards beginning, assuming negative offset) to make lseek()-conforming usage possible. Seeking beyond the end never made sense, so no loss of valid functionality.
  * Overall use of INT123_strerror(), trying to use thread-safe strerror_l() if possible.

==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop

- 15 sp4 currently uses open-vm-tools rpms from 15 sp3. As such, enable the spec file fix for bug (bsc#1205927) for 15 sp3 onwards.

==== openssl-3 ====
Version update (3.1.2 -> 3.1.3)
Subpackages: libopenssl3

- Update to 3.1.3:
  * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)

==== openssl ====
Version update (3.1.2 -> 3.1.3)

- Update to 3.1.3

==== perl-HTTP-Message ====
Version update (6.44 -> 6.450.0)

- updated to 6.45
  see /usr/share/doc/packages/perl-HTTP-Message/Changes

  6.45 2023-09-27 14:27:31Z
    - Allow for file ownership conflicts with Docker and GitHub Actions (GH#193) (Olaf Alders)
    - Add the 'status_code' function for getting all status codes as hash (GH#194) (Dai Okabayashi)

==== python-greenlet ====
Version update (2.0.2 -> 3.0.0~rc3)

- update to 3.0.0~rc3:
  * Fix an intermittent error during process termination on some platforms (GCC/Linux/libstdc++).
  * Fix some potential bugs (assertion failures and memory leaks) in previously-untested error handling code.
    In some cases, this means that the process will execute a controlled ``abort()`` after severe trouble when previously the process might have continued for some time with a corrupt state. It is unlikely those errors occurred in practice.
  * Fix some assertion errors and potential bugs with re-entrant switches.
  * Fix a potential crash when certain compilers compile greenlet with high levels of optimization. The symptom would be that switching to a greenlet for the first time immediately crashes.
  * Fix a potential crash when the callable object passed to the greenlet constructor (or set as the ``greenlet.run`` attribute) has a destructor attached to it that switches. Typically, triggering this issue would require an unlikely subclass of ``greenlet.greenlet``.
  * Python 3.11+: Fix rare switching errors that could occur when a garbage collection was triggered during the middle of a switch, and Python-level code in ``__del__`` or weakref callbacks switched to a different greenlet and ultimately switched back to the original greenlet. This often manifested as a ``SystemError``: "switch returned NULL without an exception set."
  * Python 3.12: Fix walking the frame stack of suspended greenlets. Previously accessing ``glet.gr_frame.f_back`` would crash due to `changes in CPython's undocumented internal frame handling
  * Make the platform-specific low-level C/assembly snippets stop using the ``register`` storage class. Newer versions of standards remove this storage class, and it has been generally ignored by many compilers for some time. See `PR 347 <https://github.com/python-greenlet/greenlet/pull/347>`_ from Khem Raj.
  * Add initial support for Python 3.12. See `issue <https://github.com/python-greenlet/greenlet/issues/323>`_ and `PR <https://github.com/python-greenlet/greenlet/pull/327>`_; thanks go to (at least) Michael Droettboom, Andreas Motl, Thomas A Caswell, raphaelauv, Hugo van Kemenade, Mark Shannon, and Petr Viktorin.
  * Remove support for end-of-life Python versions, including Python 2.7, Python 3.5 and Python 3.6.
  * Require a compiler that supports ``noinline`` directives. See `issue 271 <https://github.com/python-greenlet/greenlet/issues/266>`_.
  * Require a compiler that supports C++11.

==== sddm ====
Subpackages: sddm-branding-openSUSE

- Remove unnecessary Requires(post*)
- Config file changes:
  * No longer own sddm.conf. The migration for this conflicts with the other migration code, so:
  * Drop code for migrating from Current=maui (Leap <= 42.2) and the monolithic /etc/sddm.conf (Leap <= 42.3)
- Add patch and drop unnecessary BuildRequirements of extra-cmake-modules and kf5-filesystem:
  * 0001-Drop-unnecessary-ECM-dependency-and-dead-uninstall-t.patch
- Split the greeter into a subpackage and use _multibuild to build both daemon and greeter for Qt 5 and Qt 6. Add patches to allow for greeter coinstallation:
  * 0002-Make-sddm-greeter-for-Qt-5-and-Qt-6-coinstallable.patch
  * 0003-Let-themes-specify-the-used-version-of-Qt.patch
- Refresh 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch
- Don't set CMAKE_BUILD_TYPE=Release
- Make branding packages noarch
- Add %check

==== smartmontools ====

- Do not quit with an error when no drives to monitor are available (bsc#990406 bsc#1167051).
- Add smartd_service_dont_quit.patch
- Refresh harden_smartd.service.patch
- Run through spec-cleaner, use autosetup

==== yast2-python-bindings ====
Version update (4.6.0 -> 5.0.1)

- Fix inspect.getargspec() removed in python3.11; (bsc#1215226);
- 5.0.1
- 5.0.0 (#bsc1185510)
participants (1): Richard Brown