Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20180207

When you reply to report some issues, make sure to change the subject.
It is not helpful to keep the release announcement subject in a thread
while discussing a specific problem.

Packages changed:
  MozillaFirefox (57.0.4 -> 58.0.1)
  autoyast2 (4.0.28 -> 4.0.29)
  evolution (3.26.4 -> 3.26.5)
  evolution-data-server (3.26.4 -> 3.26.5)
  evolution-ews (3.26.4 -> 3.26.5)
  gnome-music (3.26.1 -> 3.26.2)
  gnome-photos
  gupnp-igd (0.2.4 -> 0.2.5)
  gvfs (1.34.1 -> 1.34.2)
  hugin (2017.0.0 -> 2018.0.0)
  libgexiv2 (0.10.6 -> 0.10.7)
  libstorage-ng (3.3.145 -> 3.3.149)
  mysql-connector-cpp
  perl-MIME-Types (2.14 -> 2.17)
  texlive
  texlive-specs-m (2017.133.20170101_pl1svn43813 -> 2017.136.20170101_pl1svn43813)
  texlive-specs-n (2017.133.2.004svn28119 -> 2017.136.2.004svn28119)
  tracker (2.0.2 -> 2.0.3)
  tracker-miners (2.0.3 -> 2.0.4)
  vala (0.38.6 -> 0.38.7)
  xdg-desktop-portal-kde (5.11.95 -> 5.12.0)
  yast2-bootloader (4.0.14 -> 4.0.15)
  yast2-firewall (4.0.10 -> 4.0.11)
  yast2-installation (4.0.30 -> 4.0.31)
  yast2-kdump (4.0.0 -> 4.0.1)
  yast2-nis-client (4.0.1 -> 4.0.2)
  yast2-storage-ng (4.0.82 -> 4.0.84)

=== Details ===

==== MozillaFirefox ====
Version update (57.0.4 -> 58.0.1)
Subpackages: MozillaFirefox-translations-common

- Added patch:
  * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still or
    again?) not working in Firefox 58 due to sandboxing.
- update to Firefox 58.0.1
  MFSA 2018-05
  * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- use correct language packs
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)
- update to Firefox 58.0 (bsc#1077291)
  * Added Nepali (ne-NP) locale
  * Added support for form autofill for credit card
  * Optimize page load by caching JavaScript internal representation
  MFSA 2018-02
  * CVE-2018-5091 (bmo#1423086)
    Use-after-free with DTMF timers
  * CVE-2018-5092 (bmo#1418074)
    Use-after-free in Web Workers
  * CVE-2018-5093 (bmo#1415291)
    Buffer overflow in WebAssembly during Memory/Table resizing
  * CVE-2018-5094 (bmo#1415883)
    Buffer overflow in WebAssembly with garbage collection on
    uninitialized memory
  * CVE-2018-5095 (bmo#1418447)
    Integer overflow in Skia library during edge builder allocation
  * CVE-2018-5097 (bmo#1387427)
    Use-after-free when source document is manipulated during XSLT
  * CVE-2018-5098 (bmo#1399400)
    Use-after-free while manipulating form input elements
  * CVE-2018-5099 (bmo#1416878)
    Use-after-free with widget listener
  * CVE-2018-5100 (bmo#1417405)
    Use-after-free when IsPotentiallyScrollable arguments are freed
    from memory
  * CVE-2018-5101 (bmo#1417661)
    Use-after-free with floating first-letter style elements
  * CVE-2018-5102 (bmo#1419363)
    Use-after-free in HTML media elements
  * CVE-2018-5103 (bmo#1423159)
    Use-after-free during mouse event handling
  * CVE-2018-5104 (bmo#1425000)
    Use-after-free during font face manipulation
  * CVE-2018-5105 (bmo#1390882)
    WebExtensions can save and execute files on local file system
    without user prompts
  * CVE-2018-5106 (bmo#1408708)
    Developer Tools can expose style editor information cross-origin
    through service worker
  * CVE-2018-5107 (bmo#1379276)
    Printing process will follow symlinks for local file access
  * CVE-2018-5108 (bmo#1421099)
    Manually entered blob URL can be accessed by subsequent private
    browsing tabs
  * CVE-2018-5109 (bmo#1405599)
    Audio capture prompts and starts with incorrect origin attribution
  * CVE-2018-5110 (bmo#1423275) (affects only OS X)
    Cursor can be made invisible on OS X
  * CVE-2018-5111 (bmo#1321619)
    URL spoofing in addressbar through drag and drop
  * CVE-2018-5112 (bmo#1425224)
    Extension development tools panel can open a non-relative URL in
    the panel
  * CVE-2018-5113 (bmo#1425267)
    WebExtensions can load non-HTTPS pages with
    browser.identity.launchWebAuthFlow
  * CVE-2018-5114 (bmo#1421324)
    The old value of a cookie changed to HttpOnly remains accessible
    to scripts
  * CVE-2018-5115 (bmo#1409449)
    Background network requests can open HTTP authentication in
    unrelated foreground tabs
  * CVE-2018-5116 (bmo#1396399)
    WebExtension ActiveTab permission allows cross-origin frame
    content access
  * CVE-2018-5117 (bmo#1395508)
    URL spoofing with right-to-left text aligned left-to-right
  * CVE-2018-5118 (bmo#1420049)
    Activity Stream images can attempt to load local content
    through file:
  * CVE-2018-5119 (bmo#1420507)
    Reader view will load cross-origin content in violation of CORS
    headers
  * CVE-2018-5121 (bmo#1402368) (affects only OS X)
    OS X Tibetan characters render incompletely in the addressbar
  * CVE-2018-5122 (bmo#1413841)
    Potential integer overflow in DoCrypt
  * CVE-2018-5090
    Memory safety bugs fixed in Firefox 58
  * CVE-2018-5089
    Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- requires NSS 3.34.1
- requires rust 1.21
- removed obsolete patches:
  mozilla-bindgen-systemlibs.patch
  mozilla-bmo1360278.patch
  mozilla-bmo1399611-csd.patch
  mozilla-rust-1.23.patch
- rebased patches
- updated man-page

==== autoyast2 ====
Version update (4.0.28 -> 4.0.29)
Subpackages: autoyast2-installation

- fate#323460
  - support for disabling edit action per module.
    Currently used mainly by the new firewall module
- 4.0.29

==== evolution ====
Version update (3.26.4 -> 3.26.5)
Subpackages: evolution-lang evolution-plugin-bogofilter evolution-plugin-pst-import evolution-plugin-spamassassin

- Update to version 3.26.5:
  + Crash under message-list.c:free_message_info_data().
  + Indentation in plain text adds unwanted spaces around links.
  + Composer-autosave: Use-after-free during snapshot save to file.
  + Bugs fixed: bgo#339675, bgo#792343, bgo#792385, bgo#792480,
    bgo#792781, bgo#792736, bgo#792909, bgo#788589, bgo#788823,
    bgo#720387.
  + Updated translations.

==== evolution-data-server ====
Version update (3.26.4 -> 3.26.5)
Subpackages: evolution-data-server-lang libcamel-1_2-60 libebackend-1_2-10 libebook-1_2-19 libebook-contacts-1_2-2 libecal-1_2-19 libedata-book-1_2-25 libedata-cal-1_2-28 libedataserver-1_2-22 libedataserverui-1_2-1

- Update to version 3.26.5:
  + Prevent early free of an ESource when it has pending operations.
  + IMAPx:
    - Select destination mailbox only when permanentflags not known
      yet.
    - Sort array of UIDs before syncing changes to the server.
  + Prevent passing NULL ldap handle into LDAP functions ][.
  + Bugs fixed: bgo#792513, bgo#789522.

==== evolution-ews ====
Version update (3.26.4 -> 3.26.5)
Subpackages: evolution-ews-lang

- Update to version 3.26.5:
  + Bugs fixed: bgo#793037.

==== gnome-music ====
Version update (3.26.1 -> 3.26.2)
Subpackages: gnome-music-lang

- Update to version 3.26.2:
  + Bugs fixed:
    - Block spotify plugin (glgo#gnome-music#132).
    - DiscListBoxWidget: Update favorites playlist (bgo#784998).
    - Albumartcache: Fix order in method call.
    - Flatpak: Update music repository URL (glgo#gnome-music#138).
    - Misc flatpak fixes.
  + Updated translations.

==== gnome-photos ====
Subpackages: gnome-photos-lang gnome-shell-search-provider-gnome-photos

- Add gnome-photos-Dont-leak-thumbnailer-path-string.patch:
  thumbnail-factory: Don't leak the thumbnailer path string.
- Add gnome-photos-application-fixes.patch: application: Avoid
  CRITICALs.
- Add gnome-photos-Check-RDF-type-before-using-it.patch: utils: Check
  the RDF type before using it, not the MIME type.

==== gupnp-igd ====
Version update (0.2.4 -> 0.2.5)

- Update to version 0.2.5:
  + Update gtk-doc to newer version to fix build failures.
- Update Url to https://wiki.gnome.org/Projects/GUPnP: current
  GUPnP's web page.

==== gvfs ====
Version update (1.34.1 -> 1.34.2)
Subpackages: gvfs-backend-afc gvfs-backend-samba gvfs-backends gvfs-fuse gvfs-lang

- Update to version 1.34.2:
  + Recent: Prevent crash when recent file changed.
  + Trash: Fix trash::orig-path for relative paths.
  + Mtp:
    - Handle read-past-EOF ourselves to prevent hangs.
    - Fix volume removal with current udev behavior.
  + Gphoto2: Fix volume removal with current udev behavior.
  + Updated translations.
- Drop gvfs-fix-mtp-volume-removal.patch and
  gvfs-mtp-handle-read-past-eof.patch: Fixed upstream.

==== hugin ====
Version update (2017.0.0 -> 2018.0.0)

- update to version 2018.0.0
  The version 2018.0 is mainly a bug fix release and introduces some
  minor new features.
  Several improvements for optimizer tabs:
  * mark deselected images
  * allow changing optimizer variables for all selected images at once
  * option to ignore line cp
  * hugin_stacker: New tool to stack overlapping images with several
    averaging modes (e.g. mean, median).
  * Hugin: Added option to disable auto-rotation of images in control
    point and mask editor.
  * Nona, verdandi and hugin_stacker can now write BigTIFF images
  * Added expression parser to GUI: This allows to manipulate several
    image variables at once. (This is the same as running
    pto_var --set from the command line.) This can be used e.g. to
    prealign the images in a given setup and then run
    cpfind --prealigned to search control points only in overlapping
    images.
  * Add user-defined assistant and expose it in the GUI. It allows to
    set up different assistant strategies without the need to recompile.
    Provide also some examples (scanned images, multi-row panoramas
    with orphaned images, single-shot panorama cameras).
- drop python dependencies

==== libgexiv2 ====
Version update (0.10.6 -> 0.10.7)

- Update to version 0.10.7:
  + Add meson build support.
  + Use glib-mkenums for enum types.
  + Fix make check when running out of tree.
  + Use version script to clean up exported functions.
  + Fix --disable-vala.
  + Bugs fixed: bgo#784045, bgo#787455.

==== libstorage-ng ====
Version update (3.3.145 -> 3.3.149)
Subpackages: libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#450
- Ensure not to write malformed /etc/fstab entries (bsc#1066763)
- 3.3.149
- merge gh#openSUSE/libstorage-ng#451
- work on error handling
- 3.3.148
- merge gh#openSUSE/libstorage-ng#449
- fixed default value
- 3.3.147
- merge gh#openSUSE/libstorage-ng#448
- Add GraphvizFlags::DISPLAYNAME to Devicegraph
- merge gh#openSUSE/libstorage-ng#447
- allow finer control of flags in write_graphviz
- merge gh#openSUSE/libstorage-ng#446
- use sid as vertex id
- Translated using Weblate (Hungarian)
- Translated using Weblate (Hungarian)
- Translated using Weblate (Afrikaans)
- merge gh#openSUSE/libstorage-ng#444
- added Mountable::remove_mount_point()
- merge gh#openSUSE/libstorage-ng#443
- added PRETTY_CLASSNAME to GraphvizFlags
- Translated using Weblate (Chinese (Taiwan))
- merge gh#openSUSE/libstorage-ng#442
- renamed integration tests
- added integration tests
- Translated using Weblate (Chinese (Taiwan))
- merge gh#openSUSE/libstorage-ng#441
- added integration test
- added udevadm settle call
- Translated using Weblate (Korean)
- Translated using Weblate (Korean)

==== mysql-connector-cpp ====

- add mysql-connector-cpp-mariadb.patch to fix compatibility with
  MariaDB, not supported options removed

==== perl-MIME-Types ====
Version update (2.14 -> 2.17)

- updated to 2.17
  see /usr/share/doc/packages/perl-MIME-Types/ChangeLog

==== texlive ====

- drop freetype-devel buildrequires, we use freetype2
  here.

==== texlive-specs-m ====
Version update (2017.133.20170101_pl1svn43813 -> 2017.136.20170101_pl1svn43813)

- Avoid broken scripts due to former env correction, only repair
  those scripts where the shebang exists
- Switch over to python 3 (boo#1077170)
- Avoid nasty warning about missing batchmode in ENVironment

==== texlive-specs-n ====
Version update (2017.133.2.004svn28119 -> 2017.136.2.004svn28119)

- Avoid broken scripts due to former env correction, only repair
  those scripts where the shebang exists
- Switch over to python 3 (boo#1077170)
- Avoid nasty warning about missing batchmode in ENVironment

==== tracker ====
Version update (2.0.2 -> 2.0.3)
Subpackages: libtracker-common-2_0 libtracker-control-2_0-0 libtracker-miner-2_0-0 libtracker-sparql-2_0-0 tracker-lang typelib-1_0-Tracker-2_0 typelib-1_0-TrackerControl-2_0

- Update to version 2.0.3:
  + build:
    - Improvements in meson support.
    - Remove stale dependencies after Tracker miners split.
  + tests:
    - Many fixes to functional tests.
    - Remove old checks for maemo-specific features.
  + libtracker-miner: Small code improvements.
  + libtracker-sparql: use gint32 to unpack 'i' GVariant format.
  + Updated translations.
- Drop tracker-nb-translations.patch: Fixed upstream.
- Minor spec-clean, use autosetup and make_build macros.

==== tracker-miners ====
Version update (2.0.3 -> 2.0.4)
Subpackages: tracker-miner-files tracker-miners-lang

- Update to version 2.0.4:
  + build: Allow building tracker repo as a meson subproject.
  + libtracker-common: Rename to libtracker-miners-common.
  + libtracker-miners-common: Whitelist arm_fadvise64_64, getegid and
    getegid32 syscalls.
  + tracker-extract:
    - Add GExiv2-based extractor module for RAW files.
    - Blacklist gstreamer modules via plugin instead of via feature.
    - Blacklist video4linux2 gstreamer plugin.
    - Use enumerations for EXIF values.
    - Fix image pixel density conversions.
  + tracker-miner-fs: Avoid setting rdf:types on empty files.
  + meson: dependency check fixes.
  + Updated translations.
- Drop tracker-miners-nb-translations.patch: Fixed upstream.

==== vala ====
Version update (0.38.6 -> 0.38.7)
Subpackages: libvala-0_38-0

- Update to version 0.38.7:
  + Regression fix: codegen: Don't try to infer error argument on
    async begin methods (bgo#793158). This was a regression
    introduced by (bgo#614294).

==== xdg-desktop-portal-kde ====
Version update (5.11.95 -> 5.12.0)
Subpackages: xdg-desktop-portal-kde-lang

- Add patch to fix build with latest Qt dev version where
  QCUPSSupport::cupsOptionsList was removed from the private API
  (kde#389825):
  * 0001-Fix-build-with-Qt-dev-branch-where-QCUPSSupport-cups.patch
- Update to 5.12.0
  * New feature release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.12.0.php
- Changes since 5.11.95:
  * None

==== yast2-bootloader ====
Version update (4.0.14 -> 4.0.15)

- Fix activating partition by UUID or label (bsc#1077427,
  bsc#1076424)
- 4.0.15

==== yast2-firewall ====
Version update (4.0.10 -> 4.0.11)

- AutoYaST: When a profile using the SuSEFirewall2 schema is used,
  the user is reported with an error if some property is not
  supported or with a warning in other case. (fate#323460)
- 4.0.11

==== yast2-installation ====
Version update (4.0.30 -> 4.0.31)

- Added requirement iproute2 to spec file. This is needed by the
  VNC AutoYaST installation in the second stage.
  (Follow up of bnc#1077236)
- 4.0.31

==== yast2-kdump ====
Version update (4.0.0 -> 4.0.1)

- added supplements for yast2 and kdump (bsc#1070423)
- 4.0.1

==== yast2-nis-client ====
Version update (4.0.1 -> 4.0.2)

- Replace SuSEFirewall2 by firewalld (fate#323460)
- 4.0.2

==== yast2-storage-ng ====
Version update (4.0.82 -> 4.0.84)

- Partitioner: fixed 'Device Graph' section (part of fate#318196).
- 4.0.84
- Added a new 'disk' client, alias for 'partitioner' (bsc#1078900).
- 4.0.83

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org