Mailinglist Archive: opensuse-factory (188 mails)

[opensuse-factory] New Tumbleweed snapshot 20181206 released!

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20181206

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
inxi (3.0.27 -> 3.0.28)
python-M2Crypto
python-asn1crypto
python-backports
python-certifi
python-configparser
python-decorator
python-docutils
python-entrypoints
rubygem-actioncable-5.2 (5.2.1 -> 5.2.1.1)
rubygem-actionmailer-5.2 (5.2.1 -> 5.2.1.1)
rubygem-actionpack-5.2 (5.2.1 -> 5.2.1.1)
rubygem-actionview-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activejob-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activemodel-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activerecord-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activestorage-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activesupport-5.2 (5.2.1 -> 5.2.1.1)
rubygem-passenger (5.3.7 -> 6.0.0)
rubygem-rails-5.2 (5.2.1 -> 5.2.1.1)
rubygem-railties-5.2 (5.2.1 -> 5.2.1.1)
shim-leap

=== Details ===

==== inxi ====
Version update (3.0.27 -> 3.0.28)

- Update to version 3.0.28:
* See /usr/share/doc/packages/inxi/inxi.changelog

==== python-M2Crypto ====
Subpackages: python2-M2Crypto python3-M2Crypto

- Whoops! Here -devel dependency certainly should stay
- Remove superfluous devel dependency for noarch package

==== python-asn1crypto ====
Subpackages: python2-asn1crypto python3-asn1crypto

- Remove superfluous devel dependency for noarch package

==== python-backports ====

- Remove superfluous devel dependency for noarch package

==== python-certifi ====
Subpackages: python2-certifi python3-certifi

- Remove superfluous devel dependency for noarch package

==== python-configparser ====

- Remove superfluous devel dependency for noarch package

==== python-decorator ====
Subpackages: python2-decorator python3-decorator

- Remove superfluous devel dependency for noarch package

==== python-docutils ====

- Remove superfluous devel dependency for noarch package

==== python-entrypoints ====

- Remove superfluous devel dependency for noarch package

==== rubygem-actioncable-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-actionmailer-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-actionpack-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-actionview-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-activejob-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
- addresses a security vulnerability (CVE-2018-16476, bsc#1117632)
Carefully crafted user input can cause Active Job to deserialize
it using GlobalId and allow an attacker to have access to
information that they should not have.
Vulnerable code will look something like this:
    MyJob.perform_later(user_input)
All users running an affected release should either upgrade
or use one of the workarounds immediately.

==== rubygem-activemodel-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-activerecord-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-activestorage-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
- addresses a security vulnerability (CVE-2018-16477, boo#1117641)
Signed download URLs generated by `ActiveStorage` for Google Cloud Storage
service and Disk service include `content-disposition` and `content-type`
parameters that an attacker can modify. This can be used to upload specially
crafted HTML files and have them served and executed inline. Combined with
other techniques such as cookie bombing and specially crafted AppCache
manifests, an attacker can gain access to private signed URLs within a
specific storage path.
Vulnerable apps are those using either GCS or the Disk service in production.
Other storage services such as S3 or Azure aren't affected.
All users running an affected release should either upgrade or use one of the
workarounds immediately. For those using GCS, it's also recommended to run the
following to update existing blobs:
```
ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end
```

==== rubygem-activesupport-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== rubygem-passenger ====
Version update (5.3.7 -> 6.0.0)
Subpackages: ruby2.5-rubygem-passenger rubygem-passenger-apache2

- updated to version 6.0.0 (boo#1117900)
* Introduces support for *all* programming languages. Yes that's
right... Java, Elixir, Go - Passenger now supports them all!
This effort is called "generic language support".
* Bumps the preferred Nginx version to 1.15.7.
* Introduces anonymous usage telemetry, which helps us improve
Passenger. Please read the docs on what data is collected and
how to disable this.
* [Nginx] Introduces a new option "passenger_request_buffering on|off",
to allow disabling request body buffering. This is only supported
in Nginx >= 1.15.3. Closes GH-2121.
* Updated various library versions used in precompiled binaries
(used for e.g. gem installs):
- OpenSSL: 1.0.2q (was: 1.0.2p)
- libcurl: 7.62.0 (was: 7.61.1)
- Ruby: 2.3.8 (was: 2.3.7)

==== rubygem-rails-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changelog in Rails itself. The actual changes can be found
in Rails submodules:
rubygem-activejob-5.2: Fixes CVE-2018-16476
rubygem-activestorage-5.2: Fixes CVE-2018-16477
It is advised to update to fix the security vulnerabilities.

==== rubygem-railties-5.2 ====
Version update (5.2.1 -> 5.2.1.1)

- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1

==== shim-leap ====

- Update shim-install to set the grub2-install target explicitly
for some special cases. (bsc#1118363)

