Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=3&version=... https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&comp... Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: MicroOS-release (20240916 -> 20240918) ffmpeg-4 gnome-online-accounts (3.50.4 -> 3.50.5) gnome-shell (46.4 -> 46.5) gnome-software (46.4 -> 46.5) gtk4 (4.16.0 -> 4.16.1) gvfs (1.54.2 -> 1.54.3) kernel-firmware (20240912 -> 20240913) kexec-tools kwallet libadwaita (1.5.3 -> 1.5.4) libcbor librsvg (2.58.3 -> 2.58.4) mutter (46.4 -> 46.5) pam pam-config (2.11+git.20240906 -> 2.11+git.20240911) poppler poppler-qt6 python-cryptography python311 (3.11.9 -> 3.11.10) python311-core (3.11.9 -> 3.11.10) rootlesskit (2.2.0 -> 2.3.1) rpm-config-SUSE shim transactional-update (4.8.1 -> 4.8.2) wayland (1.23.0 -> 1.23.1) === Details === ==== MicroOS-release ==== Version update (20240916 -> 20240918) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== ffmpeg-4 ==== Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9 - Add ffmpeg-4-CVE-2024-7055.patch: Backporting 3faadbe2 from upstream, Use 64bit for input size check, Fixes: out of array read, Fixes: poc3. (CVE-2024-7055, bsc#1229026) ==== gnome-online-accounts ==== Version update (3.50.4 -> 3.50.5) Subpackages: libgoa-1_0-0 libgoa-backend-1_0-2 - Update to version 3.50.5: + goaimapsmtpprovider: quick fix for yahoo auto-detect + Updated translations. ==== gnome-shell ==== Version update (46.4 -> 46.5) Subpackages: gnome-shell-calendar - Update to version 46.5: + Fix smartcard logins + Fix glitch when quick settings menu animation is interrupted + Fix new wifi connections for restricted users + Do not disable required animations + Fix showing pending PAM messages on login screen + Plugged leak + Misc. bug fixes and cleanups + Updated translations. - Drop gnome-shell-private-connection.patch: Should not be needed anymore after changes upstream. ==== gnome-software ==== Version update (46.4 -> 46.5) - Update to version 46.5: + Reduce power usage when the main window is closed. + Updated translations. ==== gtk4 ==== Version update (4.16.0 -> 4.16.1) Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.16.1: + GtkFileChooser: Plug a memory leak + GtkCalendar: Avoid ending up with invalid dates + Printing: Fix initial printer selection in the print dialog + Gsk: - Fix shadows for opaque textures - Fix a crash in a corner case + Css: Make relative paths work again in theme files + Accessibility: Fix detection of the Flatpak portal + Updated translations. ==== gvfs ==== Version update (1.54.2 -> 1.54.3) Subpackages: gvfs-backend-afc gvfs-backend-goa gvfs-backend-samba gvfs-backends gvfs-fuse - Update to version 1.54.3: + onedrive: - Set name of drive root - Handle multiple drives with same IDs - Guess mime type locally if not set by the server + Updated translations. ==== kernel-firmware ==== Version update (20240912 -> 20240913) Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-ath12k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network - Update to version 20240913 (git commit bcbdd1670bc3): * amdgpu: update DMCUB to v0.0.233.0 DCN351 * copy-firmware: Handle links to uncompressed files * WHENCE: Fix battmgr.jsn entry type - Drop obsoleted workaround patch: copy-firmware-fix-symlink-without-compress.patch - Temporary revert for ath12k firmware (bsc#1230596) ==== kexec-tools ==== - To create rckexec-reload, the service binary is required at build time. This binary is provided by aaa_base. Make sure this package is available during build. ==== kwallet ==== - Use the %lang_package macro for kwallet-tools-lang (boo#1230570) ==== libadwaita ==== Version update (1.5.3 -> 1.5.4) Subpackages: libadwaita-1-0 typelib-1_0-Adw-1 - Update to version 1.5.4: + AdwAboutDialog/Window: Support non-deprecated GPL-2/3.0-only SPDX IDs + AdwHeaderBar: Fix back button menu picking up phantom pages in some situations + AdwTabBar/Overview: Fix 2 crashes with drag-n-drop + Stylesheet: Fix scroll undershoot in dropdowns and emoji picker + Updated translations. ==== libcbor ==== - The doc fails to build with an assert in sphinx in 15sp6 also. ==== librsvg ==== Version update (2.58.3 -> 2.58.4) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0 - Update to version 2.58.4: + Fix regression when using an SVG inside a feImage element. ==== mutter ==== Version update (46.4 -> 46.5) - Update to version 45.5: + Fix drag and drop between X11 and wayland clients + Fix drag and drop from grabbing popups + Fix EGLDevice support + Fix frozen cursor on some hybrid machines + Fix touch window dragging with pointer lock enabled + Fix propagating tablet device removals to clients + Fix tablet input in maximized windows + Reduce damage on window movement + Fix frozen cursor after suspend + Fix using modifiers on multi-GPU setups + Fixed crashes + Misc. bug fixes and cleanups + Updated translations. ==== pam ==== - baselibs.conf: add pam-userdb - pam_limits-systemd.patch: update to final PR - Add systemd-logind support to pam_limits (pam_limits-systemd.patch) - Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions ==== pam-config ==== Version update (2.11+git.20240906 -> 2.11+git.20240911) - Add PreRequires for pam-extra, several other packages depend on that pam_limits is installed and enabled by default - Update to version 2.11+git.20240911: * Only add pam_limits if available ==== poppler ==== Subpackages: libpoppler-cpp1 libpoppler-glib8 libpoppler139 - Poppler can load ghostscript fonts (n022003l.pfb and the like) so the package now recommends the ghostscript-fonts-std package (boo#1230636). ==== poppler-qt6 ==== - Poppler can load ghostscript fonts (n022003l.pfb and the like) so the package now recommends the ghostscript-fonts-std package (boo#1230636). ==== python-cryptography ==== - Fix building on SLE based distributions ==== python311 ==== Version update (3.11.9 -> 3.11.10) - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts * mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check if the *strict* paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - Removed upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch - CVE-2024-6923-email-hdr-inject.patch - CVE-2024-8088-inf-loop-zipfile_Path.patch - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). ==== python311-core ==== Version update (3.11.9 -> 3.11.10) Subpackages: libpython3_11-1_0 python311-base - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts * mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check if the *strict* paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - Removed upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch - CVE-2024-6923-email-hdr-inject.patch - CVE-2024-8088-inf-loop-zipfile_Path.patch - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). ==== rootlesskit ==== Version update (2.2.0 -> 2.3.1) - Update to version 2.3.1: * v2.3.1 * CI: attest-build-provenance: fix a subject-path issue (461) * v2.3.0+dev * v2.3.0 * Enable actions/attest-build-provenance * CI: update Docker (27.1.2) * CI: update pasta (2024_08_14.61c0b0d) * go.mod: golang.org/x/net v0.28.0 * go.mod: github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 * Deprecate rootlesskit-docker-proxy (no longer needed since Docker v28) * child, pasta: Allow drivers to configure their own interface, let pasta do that * pasta: Let it run in background, and wait until it forks * CI: update Go to 1.23 * Build(deps): Bump github.com/urfave/cli/v2 from 2.27.3 to 2.27.4 * Build(deps): Bump golang.org/x/sys from 0.22.0 to 0.24.0 * Build(deps): Bump github.com/urfave/cli/v2 from 2.27.2 to 2.27.3 * Build(deps): Bump github.com/gofrs/flock from 0.12.0 to 0.12.1 * Build(deps): Bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2 * v2.2.0+dev ==== rpm-config-SUSE ==== - Use a deterministic binarychangelogtrim based on build times of BuildRequires (boo#1047218) ==== shim ==== - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) * 86b73d1 Fix that bootx64.efi is not updated on Leap - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) * 433cc4e Always use the removable way for SL-Micro ==== transactional-update ==== Version update (4.8.1 -> 4.8.2) Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukitd - Version 4.8.2 - Allow specifying only low value with setup-kdump [bsc#1230537] ==== wayland ==== Version update (1.23.0 -> 1.23.1) Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Update to release 1.23.1: * meson: Fix use of install_data() without specifying install_dir * Put WL_DEPRECATED in front of the function declarations * client: Handle proxies with no queue * scanner: extract validator function emission to helper function * scanner: fix validator for bitfields * tests: add enum bitfield test