Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20190225

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaFirefox (65.0 -> 65.0.1)
  crash
  gcal
  gsl
  hugin
  i4l-base
  joe
  ksshaskpass5 (5.15.0 -> 5.15.1)
  libblockdev
  libhangul (0.1.0+git20150224.78e9d89 -> 0.1.1~git20180606.42f7640)
  libyui-qt-pkg (2.45.25 -> 2.45.26)
  metis
  openssh
  openssh-askpass-gnome
  podofo
  python-argcomplete (1.9.2 -> 1.9.4)
  python-decorator (4.3.0 -> 4.3.2)
  qemu
  qemu-linux-user
  qqc2-desktop-style
  squid (4.5 -> 4.6)
  sysconfig (0.85.1 -> 0.85.2)

=== Details ===

==== MozillaFirefox ====
Version update (65.0 -> 65.0.1)
Subpackages: MozillaFirefox-translations-common

- Update _constraints to avoid 'no space left' error seen on aarch64
- Mozilla Firefox 65.0.1
  * Fixed accidental requests to addons.mozilla.org when an addon
    recommendation doorhanger is shown (bmo#1526387)
  * Improved playback of interactive Netflix videos (bmo#1524500)
  * Fixed incorrect sizing of the "Clear Recent History" window in
    some situations (bmo#1523696)
  * Fixed audio & video delays while making WebRTC calls
    (bmo#1521577, bmo#1523817)
  * Fixed video sizing problems during some WebRTC calls (bmo#1520200)
  * Fixed looping CONNECT requests when using WebSockets over HTTP/2
    from behind a proxy server (bmo#1523427)
  * Fixed the "Enter" key not working on password entry fields for
    certain Linux distributions (bmo#1523635)
  MFSA 2019-04 (bsc#1125330)
  * CVE-2018-18356 bmo#1525817
    Use-after-free in Skia
  * CVE-2019-5785 bmo#1525433
    Integer overflow in Skia
  * CVE-2018-18511 bmo#1526218
    Cross-origin theft of images with ImageBitmapRenderingContext
- Enable LTO only for latest new toolchain (boo#1125038) for x86_64
  (with increased memory constraints)

==== crash ====

- With a xen 4.11 dump crash will fail to start reporting
  "cannot fill pcpu struct" and "cannot read cpu_info" due to xen
  changes not tracked by crash updates. Fixed by including:
  crash-xen-invalid-pcpu-vaddr-use-hardware-domain-symbol.patch
  (bsc#1122594)

==== gcal ====
Subpackages: gcal-lang

- add patches (parts of git commits from gnulib):
  - gnulib-4af4a4a71827c0bc5e0ec67af23edef4f15cee8e-excerpt.patch
  - gnulib-74d9d6a293d7462dea8f83e7fc5ac792e956a0ad-excerpt.patch
  to fix compilation on current glibc
  (fflush: adjust to glibc 2.28 libio.h removal)
  (fflush: be more paranoid about libio.h change)

==== gsl ====
Subpackages: libgsl23 libgslcblas0

- mark examples as a noarch package
- install license for examples and remove unnecessary dependencies
- add an examples sub package to test in production env
- Simplify package naming for HPC.
- Fix dependencies for HPC.
- Library directory is always available when module file is
  installed, do not hide it.
- Properly create and tear down default version links when the HPC
  master packages are installed/uninstalled.
- Create pkgconfig file for gslcblas as well.
- Add missing env variables to modules file: MANPATH, INFOPATH,
  PKG_CONFIG_PATH.

==== hugin ====

- Don't skip rpath (bsc#1125178).

==== i4l-base ====
Subpackages: i4l-isdnlog libcapi20-3

- add divactrl_2.1-sysmacros.diff to fix build
- buildrequires groff to fix documentation build

==== joe ====

- Dropped .desktop files to follow openSUSE guidelines regarding
  console applications:
  https://lists.opensuse.org/opensuse-factory/2019-02/msg00377.html
- Dropped obsolete patch joe-4.6-desktop_files.patch

==== ksshaskpass5 ====
Version update (5.15.0 -> 5.15.1)
Subpackages: ksshaskpass5-lang

- Update to 5.15.1
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.15.1.php
- No code changes since 5.15.0
- Do not require openssh-askpass simply provide another password
  asking interface for openssh

==== libblockdev ====
Subpackages: libbd_btrfs2 libbd_crypto2 libbd_fs2 libbd_loop2 libbd_mdraid2 libbd_part2 libbd_swap2 libbd_utils2 libblockdev2

- Explain VDO. Fix grammar mishaps.

==== libhangul ====
Version update (0.1.0+git20150224.78e9d89 -> 0.1.1~git20180606.42f7640)

- Update to version 0.1.1~git20180606.42f7640:
  * no english changelog

==== libyui-qt-pkg ====
Version update (2.45.25 -> 2.45.26)

- Fix icon display to new libyui-qt function (boo#1125424)
- 2.45.26

==== metis ====

- add an examples subpackage which includes graphs* file to test Metis
- Set default module version correctly when installing master
  package, unset when deinstalling the default library package.
- Fix %%post and %%postun scripts for HPC.
- Fix dependencies for HPC.
- Fix HPC modulefile:
  * Libraries are always there when module file is installed.
  * Set PKG_CONFIG_PATH.
- Fix package group names.

==== openssh ====
Subpackages: openssh-helpers

- Handle brace expansion in scp when checking that filenames sent
  by the server side match what the client requested [bsc#1125687]
  * openssh-7.9p1-brace-expansion.patch
- Updated security fixes:
  * [bsc#1121816, CVE-2019-6109] Sanitize scp filenames via
    snmprintf and have progressmeter force an update at the
    beginning and end of each transfer. Added patches:
    - openssh-CVE-2019-6109-sanitize-scp-filenames.patch
    - openssh-CVE-2019-6109-force-progressmeter-update.patch
  * [bsc#1121821, CVE-2019-6111] Check in scp client that filenames
    sent during remote->local directory copies satisfy the wildcard
    specified by the user. Added patch:
    - openssh-CVE-2019-6111-scp-client-wildcard.patch
  * Removed openssh-7.9p1-scp-name-validator.patch
- Change the askpass wrapper to not use x11 interface:
  * by default we use the -gnome UI (which is gtk3 only, no gnome dep)
  * if desktop is KDE/LxQt we use ksshaskpass

==== openssh-askpass-gnome ====

- Supplement the openssh and libx11 together to ensure this package
  is installed on machines where there is X stack

==== podofo ====

- Add patches from upstream to fix several CVEs:
  * r1933-Really-fix-CVE-2017-7381.patch to fix a null pointer
    dereference (bsc#1032020, CVE-2017-7381)
  * r1936-Really-fix-CVE-2017-7382.patch to fix a null pointer
    dereference (bsc#1032021, CVE-2017-7382)
  * r1937-Really-fix-CVE-2017-7383.patch to fix a null pointer
    dereference (bsc#1032022, CVE-2017-7383)
  * r1938-Fix-CVE-2018-11256-PdfError-info-gives-not-found-page-0-based.patch
    to fix a null pointer dereference Denial of Service
    (bsc#1096889, CVE-2018-11256)
  * r1941-Fix-CVE-2017-8054-and-other-issues-keeping-binary-compat.patch
    This patch was rebased from the one upstream so that it applies
    correctly and modified so it doesn't break binary compatibility.
    (CVE-2017-8054, boo#1035596)
  * r1945-Fix-possible-incompatibility-of-PdfAESStream-with-OpenSSL-1.1.0g.patch
  * r1948-Fix-CVE-2018-12982-implementing-inline-PdfDictionary-MustGetKey.patch
    This patch was rebased from the one upstream so that it applies
    correctly. (CVE-2018-12982, boo#1099720)
  * r1949-Fix-CVE-2018-5783-by-introducing-singleton-limit-for-indirect-objects-keeping-binary-compat.patch
    This patch was rebased from the one upstream so that it applies
    correctly and modified so it doesn't break binary compatibility.
    (CVE-2018-5783, boo#1076962)
  * r1950-Fix-null-pointer-dereference-in-PdfTranslator-setTarget.patch
  * r1952-Fix-CVE-2018-11255-Null-pointer-dereference-in-PdfPage-GetPageNumber.patch
    (CVE-2018-11255, boo#1096890)
  * r1953-Fix-CVE-2018-14320-Possible-undefined-behaviour-in-PdfEncoding-ParseToUnicode.patch
    (CVE-2018-14320, boo#1108764)
  * r1954-Fix-CVE-2018-20751-null-pointer-dereference-in-crop_page-of-tools-podofocrop.patch
    (CVE-2018-20751, boo#1124357)
  * r1961-EncryptTest-Fix-buffer-overflow-in-decrypted-out-buffer-in-TestEncrypt.patch
    This patch was rebased from the one upstream so that it applies
    correctly.
  * r1963-Fix-heap-based-buffer-overflow-vulnerability-in-PoDoFo-PdfVariant-DelayedLoad.patch
- Renamed fix-build.patch to r1942-Fix-build-with-cmake-ge-3.12.patch
  to keep its name consistent with the other upstream patches.

==== python-argcomplete ====
Version update (1.9.2 -> 1.9.4)

- Trim unnecessary build dependencies using trim-test-deps.patch
- Simplify skip_tcsh_tests.patch so it is easier to read and update
- Update to v1.9.4
  * Use the correct interpreter when checking wrappers
  * Provide shellcode as a module function (#237)
- from v1.9.3
  * Fix handling of COMP_POINT
  * Fix crash when writing unicode to debug_stream in Python 2

==== python-decorator ====
Version update (4.3.0 -> 4.3.2)

- update to version 4.3.2
  * now the decorator module can decorate generator functions by
    preserving their being generator functions
  * Set `python_requires='>=2.6, !=3.0.*, !=3.1.*'` in setup.py
- update to version 4.3.1
  * Added a section "For the impatient" to the README, addressing an
    issue raised by Amir Malekpour.
  * Added support for Python 3.7.
  * Now the path to the decorator module appears in the tracebacks,
    as suggested by a user at EuroPython 2018.

==== qemu ====
Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-gluster qemu-block-iscsi qemu-block-nfs qemu-block-rbd qemu-block-ssh qemu-extra qemu-guest-agent qemu-ipxe qemu-ksm qemu-kvm qemu-lang qemu-ppc qemu-s390 qemu-seabios qemu-sgabios qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-sdl qemu-vgabios qemu-x86

- Package and cross-build rom files for aarch64 from SLE15/Leap15.0
  to fix boo#1125964
- Add patch to fix seabios cross-compilation:
  * seabios-fix_cross_compilation.patch
- Add patch to fix sgabios cross-compilation:
  * sgabios-fix-cross-build.patch
- Fix _constraints to include all architectures for disk size
  (fix aarch64)
- Revert upstream patch which declares x86 vmx feature a migration
  blocker. Given the proliferation of using vm's with host features
  passed through and the general knowledge that nested
  virtualization has many usage caveats, but still gets put in use
  in restricted scenarios, this patch did more harm than good, I
  feel. So despite this relaxation, please consider yourself warned
  that nested virtualization is not yet a supportable feature.
  (bsc#1121604)
  0058-Revert-target-i386-kvm-add-VMX-migr.patch
- Fix SEV VM device assignment (bsc#1123205)
  0059-memory-Fix-the-memory-region-type-a.patch
  0060-target-i386-sev-Do-not-pin-the-ram-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
- Remove 71-sev.rules, which modifies the default permissions of
  /dev/sev by adding the kvm group as reader/writer. Upstream
  decided to take a different approach for libvirt to manage SEV
  due to security concerns which I agree overrides the convenience
  of providing /dev/sev access to all the kvm group
  (bsc#1124842 bsc#1102604)

==== qemu-linux-user ====

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
  * Patches added:
  0058-Revert-target-i386-kvm-add-VMX-migr.patch
  0059-memory-Fix-the-memory-region-type-a.patch
  0060-target-i386-sev-Do-not-pin-the-ram-.patch

==== qqc2-desktop-style ====

- Add 0001-Fix-MobileTextActionsToolBar.qml-with-Qt-5.9.patch
  (by Fabian Vogt) to fix an issue with Qt 5.9
- Downgrade the Qt version requirement to build with 5.9

==== squid ====
Version update (4.5 -> 4.6)

- Update to squid 4.6:
  + master commit b599471 leaks memory (#4919)
  + SourceFormat Enforcement (#367)
  + Detect IPv6 loopback binding errors (#355)
  + Do not call setsid() in --foreground mode (#354)
  + Fail Rock swapout if the disk dropped write reqs (#352)
  + Initialize StoreMapSlice when reserving a new cache slot (#350)
  + Fixed disker-to-worker queue overflows (#353)
  + Fix OpenSSL builds that define OPENSSL_NO_ENGINE (#349)
  + Fix BodyPipe/Sink memory leaks associated with auto-consumption
  + Exit when GoIntoBackground() fork() call fails (#344)
  + GCC-8 compile errors with -O3 optimization (#4875)
  + Initial translations to ka/georgian language (#345)
  + basic_ldap_auth: Return BH on internal errors (#347)

==== sysconfig ====
Version update (0.85.1 -> 0.85.2)
Subpackages: sysconfig-netconfig

- version 0.85.2
- Fixed changes file to mention relevant github pull requests.
- Removed remaining preun rpm hook from EOL openSUSE versions
- Merged /var/adm/netconfig move revert from openSUSE:Factory
  causing to not find md5 sums from previous netconfig version
  due to incorrectly merged hook in spec file and trouble on
  transactional systems without writeable /var/lib/netconfig.
  Removed obsoletes revert-var-adm-lib-netconfig-move.patch.
  (bsc#1124152,bsc#1124340).
- Merged rpm spec bash section marks (gh#openSUSE/sysconfig#23)