New ARM MicroOS snapshot 20230121 released!

Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=3&version=...
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&comp...

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  Mesa
  Mesa-drivers
  MozillaFirefox (108.0.2 -> 109.0)
  container-selinux (2.188.0 -> 2.198.0)
  ctags
  fwupd
  git (2.39.0 -> 2.39.1)
  gnome-software
  highway (1.0.2 -> 1.0.3)
  icewm (3.2.2 -> 3.3.0)
  iptables (1.8.8 -> 1.8.9)
  kernel-firmware
  libeconf (0.5.0 -> 0.5.1)
  libinput (1.22.0 -> 1.22.1)
  libxmlb
  libzypp-plugin-appdata (1.0.1+git.20220816 -> 1.0.1+git.20230117)
  llvm15 (15.0.6 -> 15.0.7)
  mozilla-nss (3.85 -> 3.86)
  mozjs102 (102.6.0 -> 102.7.0)
  multipath-tools
  netpbm
  raspberrypi-firmware (2022.12.12 -> 2023.01.18)
  raspberrypi-firmware-config (2022.12.12 -> 2023.01.18)
  raspberrypi-firmware-dt (2022.12.21 -> 2023.01.20)
  rubygem-ruby-dbus (0.18.1 -> 0.19.0)
  tpm2-0-tss
  translation-update
  u-boot-rpiarm64 (2022.10 -> 2023.01)
  xfsprogs (6.1.0 -> 6.1.1)
  yast2 (4.5.21 -> 4.5.22)
  yast2-network (4.5.11 -> 4.5.12)
  zlib (1.2.12 -> 1.2.13)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- Add support for Rusticl - Mesa's new OpenCL implementation.
  * See https://docs.mesa3d.org/rusticl
  You will need to set your environment to use it
  * See https://docs.mesa3d.org/envvars#rusticl-environment-variables
- Compile with gcc12 on Leaps: building drivers fails with:
  /usr/include/dxguids/dxguids.h:70:1: internal compiler error: in cxx_eval_bit_field_ref, at cp/constexpr.c:2578
- Fix some deprecation warnings
  * WARNING: option "false" deprecated, please use "disabled" instead.
  * WARNING: option "true" deprecated, please use "enabled" instead.

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- Add support for Rusticl - Mesa's new OpenCL implementation.
  * See https://docs.mesa3d.org/rusticl
  You will need to set your environment to use it
  * See https://docs.mesa3d.org/envvars#rusticl-environment-variables
- Compile with gcc12 on Leaps: building drivers fails with:
  /usr/include/dxguids/dxguids.h:70:1: internal compiler error: in cxx_eval_bit_field_ref, at cp/constexpr.c:2578
- Fix some deprecation warnings
  * WARNING: option "false" deprecated, please use "disabled" instead.
  * WARNING: option "true" deprecated, please use "enabled" instead.

==== MozillaFirefox ====
Version update (108.0.2 -> 109.0)

- Mozilla Firefox 109.0
  MFSA 2023-01 (bsc#1207119)
  * CVE-2023-23597 (bmo#1538028)
    Logic bug in process allocation allowed to read arbitrary files
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on Windows
  * CVE-2023-23600 (bmo#1787034)
    Notification permissions persisted between Normal and Private
    Browsing on Android
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab triggers
    navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2023-23603 (bmo#1800832)
    Calls to <code>console.log</code> allowed bypassing Content
    Security Policy via format directive
  * CVE-2023-23604 (bmo#1802346)
    Creation of duplicate <code>SystemPrincipal</code> from less
    secure contexts
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
    Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
  * CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201, bmo#1800446,
    bmo#1801248, bmo#1802100, bmo#1803393, bmo#1804626, bmo#1804971,
    bmo#1807004)
    Memory safety bugs fixed in Firefox 109
- requires NSS 3.86
- rebased patches

==== container-selinux ====
Version update (2.188.0 -> 2.198.0)

- Update to version 2.198.0:
  * Fix spc_t transition rules on tmpfs_t
- Changes from 2.197.0:
  * Add boolean containers_use_ecryptfs policy
- Changes from 2.195.1:
  * Readd missing allow rules for container_t
- Changes from 2.194.0:
  * Allow syslogd_t to use tmpfs files created by container runtime
- Changes from 2.193.0:
  * Allow containers to mount tmpfs_t file systems
  * Label spc_t as a init initrc daemon
  * Allow userdomains to run containers
- Changes from 2.191.0:
  * Create container_logwriter_t type
- Changes from 2.190.1:
  * Support BuildKit
  * container.fc: Set label for kata-agent
  * support nerdctl
- Changes from 2.190.0:
  * Packit: initial enablement
  * Allow iptables to list directories labeled as container_file_t
- Changes from 2.189.0:
  * Don't audit searching other processes in /proc.

==== ctags ====

- CVE-2022-4515.patch: fixes arbitrary command execution via a tag
  file with a crafted filename (bsc#1206543, CVE-2022-4515)
- Stop resetting ctags update-alternative priority back to auto.
  These are admin settings.
- Remove u-a links in the correct scriptlet

==== fwupd ====
Subpackages: fwupd-bash-completion libfwupd2 typelib-1_0-Fwupd-2_0

- Fix error generating grub.cfg when an update is available.
  + uefi-capsule-Do-not-call-grub2-probe-without-argumen.patch

==== git ====
Version update (2.39.0 -> 2.39.1)

- git 2.39.1, fixing two security issues that could allow remote
  code execution when accessing specially crafted repositories:
  * CVE-2022-41903: log format integer overflow boo#1207033
  * CVE-2022-23521: gitattributes parsing integer overflow boo#1207032

==== gnome-software ====
Subpackages: gnome-software-plugin-packagekit

- Also add download.opensuse.org-non-oss (NON-OSS repo)
  download.opensuse.org-oss (OSS repo), and
  download.opensuse.org-tumbleweed (Update repo) to
  software-opensuse.gschema.override, declaring them also official
  repositories (the names match the ones picked by the NET
  installer).

==== highway ====
Version update (1.0.2 -> 1.0.3)

- Update to release 1.0.3
  * Add RearrangeToOddPlusEven, Xor3, 8-bit CompressStore, HWY_ASSUME
  * Add contrib/bit_pack for 8/16-bit lanes
  * Update for new RVV intrinsics; faster WASM min/max and extmul/q15mul

==== icewm ====
Version update (3.2.2 -> 3.3.0)
Subpackages: icewm-config-upstream icewm-default icewm-lang

- Update to 3.3.0:
  * Prevent a dereference of a null-Pixel in xftColor.
  * Add "getClass" and "setClass" commands to icesh.
  * Support tabs in task grouping.
  * Use spaces instead of dots when printing WM_COMMAND.
  * When a focused window hides or rolls up, focus some other window.
  * When looking for a focusable window, avoid rolled up windows.
  * Fix for setting focus on passive motif dialogs
  * Fallback to rolled up windows in the second pass of getLastFocus.
  * Use CurrentTime when setting focus to a passive client in the timeout.
  * On icon not found, report dimensions.
  * Don't refocus a focused window in focusLastWindow.
  * Don't activate an active window when receiving an activation message.
  * Ignore duplicate map requests.
  * Let icesh implicitly select windows at most once.
  * Add support for nanosvg for issue #695.
  * Add preference ToolTipIcon=1 for issue #637.
  * Add nanosvg to .gitignore.
  * Remove unneeded logevent from icesh.
- Remove unknown options from configure
- Rebase icewm-preferences.patch
- update to 3.2.3:
  * Only freeze the task pane layout when a button was removed,
  * which fixes the KeySysWorkspaceNext+Prev+Last bug.
  * Ensure that a task button is updated once it is mapped,
  * which prevents stale task button titles.
  * Show a big icon in the tooltip of a toolbar button and the tray.
  * All of the winoptions are now fully tab-aware.
  * More documentation about tabbing in the icewm manpage.
  * Document the "workspace" directory for icons on workspace buttons.
  * Add "loadicon" and "saveicon" commands to icesh.
  * Updated translations: Catalan, Dutch, Slovak, Japanese,
  * Portuguese + Brazil, Macedonian.

==== iptables ====
Version update (1.8.8 -> 1.8.9)
Subpackages: libip4tc2 libip6tc2 libxtables12 xtables-plugins

- Update to release 1.8.9
  * arptables-nft: Support --exact flag
  * Support more chunk types in the "sctp" extension
  * Print `--` in ip6tables' "opt" column for consistency with iptables
  * More verbose error messages if iptables-nft-restore fails
  * Support `-p Length` with ebtables-nft, needed for 802_3 extension.

==== kernel-firmware ====
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network

- Correct alias list for ACPI entries (bsc#1207211)

==== libeconf ====
Version update (0.5.0 -> 0.5.1)

- Update to version 0.5.1:
  * Reading files in /usr/_vendor_/_example_._suffix_.d/*
    regardless there is a /etc/_example_._suffix_ file. (#175)

==== libinput ====
Version update (1.22.0 -> 1.22.1)
Subpackages: libinput-udev libinput10

- Update to release 1.22.1:
  * This version includes quirks for laptops from Apple and Dell, as
    well as for the Glorious Model 0 mouse. It also backports a meson
    fix for use of libinput as subproject and a fix for libinput
    debug-events not flushing the output, resulting in truncated
    information.
  * Finally, the tablet touch arbitration rectangle was increased by
    50mm in both directions to reduce the number of misdetected
    touches.
- Use ldconfig_scriptlets macro for post(un) handling.

==== libxmlb ====

- build hwcaps optimized libraries

==== libzypp-plugin-appdata ====
Version update (1.0.1+git.20220816 -> 1.0.1+git.20230117)

- Update to version 1.0.1+git.20230117:
  * InstallAppdata: use subprocess.run instead of os.system
    (CVE-2023-22643)
- Update to version 1.0.1+git.20220909:
  * Add dist directory, for openSUSE packaging

==== llvm15 ====
Version update (15.0.6 -> 15.0.7)

- Update to version 15.0.7.
  * This release contains bug-fixes for the LLVM 15.0.0 release.
    This release is API and ABI compatible with 15.0.0.
- Rebase llvm-do-not-install-static-libraries.patch.
- Build stage 2 with -fno-plt on x86_64: since building with
  -Wl,-z,now the PLT stubs are basically dead code, so eliminating
  the indirection reduces the number of branches and improves code
  locality for the quite frequent cross-DSO calls.
- Add llvm-workaround-superfluous-branches.patch: hints LLVM to
  eliminate branches until gh#llvm/llvm-project#28804 is solved.

==== mozilla-nss ====
Version update (3.85 -> 3.86)
Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs

- update to NSS 3.86
  * bmo#1803190 - conscious language removal in NSS
  * bmo#1794506 - Set nssckbi version number to 2.60
  * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
    CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
  * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
  * bmo#1797559 - Remove EC-ACC root cert from NSS
  * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
  * bmo#1794495 - Remove Network Solutions Certificate Authority
  * bmo#1802331 - compress docker image artifact with zstd
  * bmo#1799315 - Migrate nss from AWS to GCP
  * bmo#1800989 - Enable static builds in the CI
  * bmo#1765759 - Removing SAW docker from the NSS build system
  * bmo#1783231 - Initialising variables in the rsa blinding code
  * bmo#320582 - Implementation of the double-signing of the message
    for ECDSA
  * bmo#1783231 - Adding exponent blinding for RSA.

==== mozjs102 ====
Version update (102.6.0 -> 102.7.0)

- Update to version 102.7.0:
  + Various stability, functionality, and security fixes.
  + CVE-2022-46871: libusrsctp library out of date.
  + CVE-2023-23598: Arbitrary file read from GTK drag and drop on
    Linux.
  + CVE-2023-23599: Malicious command could be hidden in devtools
    output on Windows.
  + CVE-2023-23601: URL being dragged from cross-origin iframe into
    same tab triggers navigation.
  + CVE-2023-23602: Content Security Policy wasn't being correctly
    applied to WebSockets in WebWorkers.
  + CVE-2022-46877: Fullscreen notification bypass.
  + CVE-2023-23603: Calls to <code>console.log</code> allowed
    bypassing Content Security Policy via format directive.
  + CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and
    Firefox ESR 102.7.

==== multipath-tools ====
Subpackages: kpartx libmpath0

- Fix "rpm --verify" (bsc#1207232)

==== netpbm ====
Subpackages: libnetpbm11

- Drop patch big-endian.patch, already in upstream since 10.87.00

==== raspberrypi-firmware ====
Version update (2022.12.12 -> 2023.01.18)

- Update to 2578acb89 (2023-01-18):
  * kernel: overlays: i2c-sensor: Add mpu6050 and mpu9250
    See: raspberrypi/linux#5325
  * firmware: arm_dispmanx: Correct support for NV21, and add support
    for YV16
    See: #1767
  * firmware: arm_dispmanx: Fix FKMS to adopt pre-multiplied alpha
    See: #1773
  * firmware: hdmi_2711: Make some clock setup unconditional so
    booting without hdmi setup is possible
    See: https://forums.raspberrypi.com/viewtopic.php?t=345362
  * firmware: Actually rebuild firmware described in previous commit
  * firmware: Add D flag to video= cmdline option when hotplug is
    forced
    See: https://forums.raspberrypi.com/viewtopic.php?p=2067109#p2067109

==== raspberrypi-firmware-config ====
Version update (2022.12.12 -> 2023.01.18)

- Update to 2578acb89 (2023-01-18):
  * kernel: overlays: i2c-sensor: Add mpu6050 and mpu9250
    See: raspberrypi/linux#5325
  * firmware: arm_dispmanx: Correct support for NV21, and add support
    for YV16
    See: #1767
  * firmware: arm_dispmanx: Fix FKMS to adopt pre-multiplied alpha
    See: #1773
  * firmware: hdmi_2711: Make some clock setup unconditional so
    booting without hdmi setup is possible
    See: https://forums.raspberrypi.com/viewtopic.php?t=345362
  * firmware: Actually rebuild firmware described in previous commit
  * firmware: Add D flag to video= cmdline option when hotplug is
    forced
    See: https://forums.raspberrypi.com/viewtopic.php?p=2067109#p2067109

==== raspberrypi-firmware-dt ====
Version update (2022.12.21 -> 2023.01.20)

- Update to 194f76d49a89 (2023-01-20)

==== rubygem-ruby-dbus ====
Version update (0.18.1 -> 0.19.0)

- 0.19.0
  API:
  * Added a ObjectManager mix-in to implement the service-side
    ObjectManager interface.
  Bug fixes:
  * dbus_attr_accessor and friends validate the signature
  * (gh#mvidner/ruby-dbus#120).
  * Declare the Introspectable interface in exported
  * objects (gh#mvidner/ruby-dbus#99).
  * Do reply with an error when calling a nonexisting object
    with an existing path prefix (gh#mvidner/ruby-dbus#121).

==== tpm2-0-tss ====
Subpackages: libtss2-esys0 libtss2-fapi1 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tcti-device0 libtss2-tctildr0

- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes
  CVE-2023-22745 (bsc#1207325): Buffer Overflow in TSS2_RC_Decode.
  Overly large RC values passed to the TSS2 function could lead to
  memory overread or memory overread. This patch is not yet part of
  any upstream git tag.

==== translation-update ====

- Update translation list (add az, ms and oc).

==== u-boot-rpiarm64 ====
Version update (2022.10 -> 2023.01)
Subpackages: u-boot-rpiarm64-doc

- Remove obsolete riscv64 libgcc hack
- Update to 2023.01:
  * Full changelog available at:
    https://source.denx.de/u-boot/u-boot/-/compare/v2022.10...v2023.01

==== xfsprogs ====
Version update (6.1.0 -> 6.1.1)

- update to 6.1.1:
  - scrub: fix warnings/errors due to missing include
  - debian: Add missing pkg version to the changelog

==== yast2 ====
Version update (4.5.21 -> 4.5.22)
Subpackages: yast2-logs

- Replace transitional %usrmerged macro with regular version check
  (boo#1206798)
- 4.5.22

==== yast2-network ====
Version update (4.5.11 -> 4.5.12)

- Copy only the specific backend configuration to the target system
  having a clean installation (bsc#1206723)
- 4.5.12

==== zlib ====
Version update (1.2.12 -> 1.2.13)
Subpackages: libminizip1 libz1

- Update to 1.13:
  * Fix configure issue that discarded provided CC definition
  * Correct incorrect inputs provided to the CRC functions
  * Repair prototypes and exporting of new CRC functions
  * Fix inflateBack to detect invalid input with distances too far
  * Have infback() deliver all of the available output up to any error
  * Fix a bug when getting a gzip header extra field with inflate()
  * Fix bug in block type selection when Z_FIXED used
  * Tighten deflateBound bounds
  * Remove deleted assembler code references
  * Various portability and appearance improvements
- Added patches:
  * zlib-1.2.13-IBM-Z-hw-accelerated-deflate-s390x.patch
  * zlib-1.2.13-fix-bug-deflateBound.patch
  * zlib-1.2.13-optimized-s390.patch
- Refreshed patches:
  * zlib-1.2.12-add-optimized-slide_hash-for-power.patch
  * zlib-1.2.12-add-vectorized-longest_match-for-power.patch
  * zlib-1.2.12-s390-vectorize-crc32.patch
- Removed patches:
  * zlib-1.2.12-fix-configure.patch
  * zlib-1.2.12-IBM-Z-hw-accelerated-deflate-s390x.patch
  * zlib-1.2.12-optimized-crc32-power8.patch
  * zlib-1.2.12-correct-inputs-provided-to-crc-func.patch
  * zlib-1.2.12-fix-CVE-2022-37434.patch
  * zlib-1.2.11-optimized-s390.patch

participants (1)
-
Guillaume Gardet