Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.0&build=247.1&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.0

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m...
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
  MozillaFirefox (59.0.2 -> 60.0)
  NetworkManager-openvpn
  yast2 (4.0.72 -> 4.0.73)
  yast2-bootloader (4.0.29 -> 4.0.31)
  yast2-installation (4.0.57 -> 4.0.58)
  yast2-network (4.0.30 -> 4.0.31)
  yast2-storage-ng (4.0.175 -> 4.0.178)
  yast2-update (4.0.13 -> 4.0.14)

=== Details ===

==== MozillaFirefox ====
Version update (59.0.2 -> 60.0)
Subpackages: MozillaFirefox-translations-common MozillaFirefox-translations-other

- update to Firefox 60.0esr
  * Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file
  * Applied Quantum CSS to render browser UI
  * Added support for Web Authentication, allowing the use of USB tokens for authentication to web sites
  * Locale added: Occitan (oc)
  MFSA 2018-11 (bsc#1092548)
  * CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths
  * CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths
  * CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files
  * CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer
  * CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia
  * CVE-2018-5160 (bmo#1436117) Uninitialized memory use by WebRTC encoder
  * CVE-2018-5152 (bmo#1415644, bmo#1427289) WebExtensions information leak through webRequest API
  * CVE-2018-5153 (bmo#1436809) Out-of-bounds read in mixed content websocket messages
  * CVE-2018-5163 (bmo#1426353) Replacing cached data in JavaScript Start-up Bytecode Cache
  * CVE-2018-5164 (bmo#1416045) CSP not applied to all multipart content sent with multipart/x-mixed-replace
  * CVE-2018-5166 (bmo#1437325) WebExtension host permission bypass through filterReponseData
  * CVE-2018-5167 (bmo#1447969) Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
  * CVE-2018-5168 (bmo#1449548) Lightweight themes can be installed without user interaction
  * CVE-2018-5169 (bmo#1319157) Dragging and dropping link text onto home button can set home page to include chrome pages
  * CVE-2018-5172 (bmo#1436482) Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer
  * CVE-2018-5173 (bmo#1438025) File name spoofing of Downloads panel with Unicode characters
  * CVE-2018-5174 (bmo#1447080) (Windows-only) Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
  * CVE-2018-5175 (bmo#1432358) Universal CSP bypass on sites using strict-dynamic in their policies
  * CVE-2018-5176 (bmo#1442840) JSON Viewer script injection
  * CVE-2018-5177 (bmo#1451908) Buffer overflow in XSLT during number formatting
  * CVE-2018-5165 (bmo#1451452) Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox
  * CVE-2018-5180 (bmo#1444086) heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
  * CVE-2018-5181 (bmo#1424107) Local file can be displayed in noopener tab through drag and drop of hyperlink
  * CVE-2018-5182 (bmo#1435908) Local file can be displayed from hyperlink dragged and dropped on addressbar
  * CVE-2018-5151 Memory safety bugs fixed in Firefox 60
  * CVE-2018-5150 Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
- removed obsolete patches
  0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
  mozilla-bmo1005535.patch
- requires NSPR 4.19 and NSS 3.36.1
- requires rust 1.24 or higher
- use upstream source archive and detached signature for source verification
- Fix armv7 build by:
  * adding RUSTFLAGS="-Cdebuginfo=0"
  * updating _constraints for %arm
- do not try CSD on kwin (boo#1091592)
- fix build in openSUSE:Leap:42.3:Update, use gcc7
- Mozilla Firefox 59.0.3:
  * fixes for platforms other than GNU/Linux
- Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch in order to fix boo#1090362.
- Add back mozilla-enable-csd.patch: New rebased version from Fedora for version 59.0.x.

==== NetworkManager-openvpn ====
Subpackages: NetworkManager-openvpn-gnome NetworkManager-openvpn-lang

- Unconditionally enable translation-update-upstream: on Tumbleweed, this results in a NOP and for Leap in SLE paid translations being used (boo#1086036).

==== yast2 ====
Version update (4.0.72 -> 4.0.73)

- CWM: allow to define back handler for CWM#show.
- CWM: define default handlers for back and abort in CWM::Dialog.
- Needed for Expert Partitioner fate#318196.
- 4.0.73

==== yast2-bootloader ====
Version update (4.0.29 -> 4.0.31)

- Use "none" bootloader when the boot filesystem is nfs (bsc#1090752).
- 4.0.31
- Make unit tests architecture agnostic (related to bsc#1091284).
- 4.0.30

==== yast2-installation ====
Version update (4.0.57 -> 4.0.58)

- disable mdadm auto assembly for installation (bsc#1090690)
- 4.0.58

==== yast2-network ====
Version update (4.0.30 -> 4.0.31)

- Fix the check for adjusting ifcfg configuration in case of network based root filesystem when saving the network at the end of the installation (bsc#1090752).
- 4.0.31

==== yast2-storage-ng ====
Version update (4.0.175 -> 4.0.178)

- AutoYaST: do not crash when size is set to 'auto' for a partition without a mount point (bsc#1092414).
- 4.0.178
- Add note to YAML files for devices not supported in YAML (part of fate#318196)
- 4.0.177
- Dump devicegraphs and actions in better strategic places (part of fate#318196)
- Make sure not to write LUKS passwords to YAML dump files
- 4.0.176

==== yast2-update ====
Version update (4.0.13 -> 4.0.14)

- Fixed unmounting /mnt/dev when going back to the partition selection dialog (fix up for the bsc#1089643)
- 4.0.14

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org