[opensuse-factory] Leap 15.1 Build 441.4 released!

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.1&build=441.4&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.1

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m1p6gXPc/edit#gid=94909276
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
ImageMagick
LibVNCServer
NetworkManager
chromium (72.0.3626.121 -> 73.0.3683.75)
dracut (044.1 -> 044.2)
gd
gnome-control-center
kwalletmanager5
libcaca
liblouis
libmspack
libnettle (3.4 -> 3.4.1)
libstorage-ng (4.1.102 -> 4.1.103)
libzypp (17.11.2 -> 17.11.3)
open-vm-tools (10.3.5 -> 10.3.10)
rpm
sqlite3 (3.23.1 -> 3.27.2)
tiff
timezone (2018i -> 2019a)
timezone-java (2018i -> 2019a)
transactional-update (2.13.1 -> 2.14.1)
translation-update
wavpack
xfce4-screenshooter (1.9.4 -> 1.9.5)
yast2 (4.1.66 -> 4.1.67)
yast2-bootloader (4.1.22 -> 4.1.23)
yast2-firewall (4.1.10 -> 4.1.11)
yast2-iscsi-client (4.1.6 -> 4.1.7)
yast2-packager (4.1.33 -> 4.1.35)
yast2-printer (4.1.0 -> 4.1.1)
yast2-storage-ng (4.1.75 -> 4.1.77)
zypper (1.14.26 -> 1.14.27)

=== Details ===

==== ImageMagick ====
Subpackages: libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI6
libMagickWand-7_Q16HDRI6

- security update
- added patches
CVE-2019-7175 [bsc#1128649]
+ ImageMagick-CVE-2019-7175.patch
- security update (pdf.c):
* CVE-2019-7397 [bsc#1124366]
+ ImageMagick-CVE-2019-7397.patch
- security update (psd.c):
* CVE-2019-7395 [bsc#1124368]
+ ImageMagick-CVE-2019-7395.patch
- security update (sixel.c):
* CVE-2019-7396 [bsc#1124367]
+ ImageMagick-CVE-2019-7396.patch
- security update (dib.c)
* CVE-2019-7398 [bsc#1124365]
+ ImageMagick-CVE-2019-7398.patch
- clamp after edge [bsc#1106415]
+ ImageMagick-clamp-after-edge.patch
- security update (bmp.c):
* CVE-2018-20467 [bsc#1120381]
+ ImageMagick-CVE-2018-20467.patch
- security update (msl.c):
* CVE-2018-18544 [bsc#1113064]
+ ImageMagick-CVE-2018-18544.patch
- asan_build: build ASAN included
- debug_build: build more suitable for debugging

==== LibVNCServer ====

- Add BuildRequire libgnutls-devel: Remmina needs it for VNC
connections (boo#1123805)

==== NetworkManager ====
Subpackages: NetworkManager-lang libnm-glib-vpn1 libnm-glib4 libnm-util2 libnm0
typelib-1_0-NM-1_0 typelib-1_0-NMClient-1_0 typelib-1_0-NetworkManager-1_0

- Modify NM-add-wifi-scan-polkit-rule.patch: Use polkit action
"org.freedesktop.NetworkManager.wifi.scan" instead of
"org.freedesktop.NetworkManager.wifi-scan" to sync with upstream
(bsc#1128560).

==== chromium ====
Version update (72.0.3626.121 -> 73.0.3683.75)

- Update to 73.0.3683.75 bsc#1129059:
* CVE-2019-5787: Use after free in Canvas.
* CVE-2019-5788: Use after free in FileAPI.
* CVE-2019-5789: Use after free in WebMIDI.
* CVE-2019-5790: Heap buffer overflow in V8.
* CVE-2019-5791: Type confusion in V8.
* CVE-2019-5792: Integer overflow in PDFium.
* CVE-2019-5793: Excessive permissions for private API in Extensions.
* CVE-2019-5794: Security UI spoofing.
* CVE-2019-5795: Integer overflow in PDFium.
* CVE-2019-5796: Race condition in Extensions.
* CVE-2019-5797: Race condition in DOMStorage.
* CVE-2019-5798: Out of bounds read in Skia.
* CVE-2019-5799: CSP bypass with blob URL.
* CVE-2019-5800: CSP bypass with blob URL.
* CVE-2019-5801: Incorrect Omnibox display on iOS.
* CVE-2019-5802: Security UI spoofing.
* CVE-2019-5803: CSP bypass with Javascript URLs.
* CVE-2019-5804: Command line command injection on Windows.
- Update patches:
* chromium-buildname.patch
* chromium-non-void-return.patch
* chromium-old-glibc.patch
* chromium-old-libva.patch
* chromium-vaapi.patch
- Removed patches:
* chromium-crashpad-fix_aarch64.patch
* chromium-webrtc-includes.patch
- Added patches:
* chromium-gcc.patch
* chromium-fix_crashpad.patch

==== dracut ====
Version update (044.1 -> 044.2)

- Bump version to 044.2 to provide a version to lock on to (bsc#1127891)
- Check SUSE kernel module dependencies recursively (bsc#1127891)
* adds 0594-Check-SUSE-kernel-module-dependencies-recursively.patch
- Avoid "Failed to chown ... Operation not permitted" when run from non-root,
by not copying xattrs. (osc#1092178)
* adds 0593-dracut-only-copy-xattr-if-root.patch
- Handle non-versioned dependency in purge-kernels.

==== gd ====

- security update
* CVE-2019-6978 [bsc#1123522]
+ gd-CVE-2019-6978.patch
* CVE-2019-6977 [bsc#1123361]
+ gd-CVE-2019-6977.patch

==== gnome-control-center ====
Subpackages: gnome-control-center-color gnome-control-center-goa
gnome-control-center-lang gnome-control-center-user-faces

- Modify gnome-control-center-bring-back-firewall-zone.patch,
Add control-center-network-fix-ce-apply-button.patch:
network: disable the "Apply" button until a change has been made
(glgo#GNOME/gnome-control-center!402 bsc#1040054).

==== kwalletmanager5 ====
Subpackages: kwalletmanager5-lang

- Provide/Obsolete kwalletmanager, it can access the KDE4 kwallet
too since a while

==== libcaca ====

- Prevent overflow of arithmetic of large (unsigned) ints by
* declaring fields as size_t
* casting intermediate results to uint64_t
[CVE-2018-20544, bsc#1120502,
CVE-2018-20545, bsc#1120584,
CVE-2018-20546, bsc#1120503,
CVE-2018-20547, bsc#1120504,
CVE-2018-20548, bsc#1120589,
CVE-2018-20549, bsc#1120470,
libcaca-prevent-overflow.patch]

==== liblouis ====
Subpackages: liblouis-data liblouis14 python3-louis

- Add CVE-2018-17294.patch: fix a buffer overflow translating
strings, backported from upstream (boo#1109319 CVE-2018-17294).
- Add several security fixes:
CVE-2018-11410.patch (boo#1094685 CVE-2018-11410)
CVE-2018-11440.patch (boo#1095189 CVE-2018-11440)
CVE-2018-11577.patch (boo#1095945 CVE-2018-11577)
CVE-2018-11683.patch (boo#1095827 CVE-2018-11683)
CVE-2018-11684.patch (boo#1095826 CVE-2018-11684)
CVE-2018-11685.patch (boo#1095825 CVE-2018-11685)
CVE-2018-12085.patch (boo#1097103 CVE-2018-12085)

==== libmspack ====

- Added patches:
* libmspack-resize-buffer.patch -- CAB block input buffer is one
byte too small for maximal Quantum block.
* libmspack-fix-bounds-checking.patch -- Fix off-by-one bounds
check on CHM PMGI/PMGL chunk numbers and reject empty filenames.
* libmspack-reject-blank-filenames.patch -- Avoid returning CHM
file entries that are "blank" because they have embedded null
bytes.
* (the last two patches were modified by removing unneeded part
in order to make them more independent)
- Fixed bugs:
* CVE-2018-18584 (bsc#1113038)
* CVE-2018-18585 (bsc#1113039)

==== libnettle ====
Version update (3.4 -> 3.4.1)
Subpackages: libhogweed4 libhogweed4-32bit libnettle6 libnettle6-32bit

- Update to 3.4.1 - FATE#327114 (bsc#1129598)
* Fix CVE-2018-16869 (bsc#1118086)
libnettle-CVE-2018-16869-3.4.patch (removed)
All functions using RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.
* Changes in behavior:
The functions rsa_decrypt and rsa_decrypt_tr may now clobber
all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or
length of the message. Side-channel leakage from the
caller's use of length and return value may still provide an
oracle useable for a Bleichenbacher-style chosen ciphertext
attack. Which is why the new function rsa_sec_decrypt is
recommended.
* New features:
A new function rsa_sec_decrypt.
* Bug fixes:
- Fix bug in pkcs1-conv, missing break statements in the
parsing of PEM input files.
- Fix link error on the pss-mgf1-test test, affecting builds
without public key support.

==== libstorage-ng ====
Version update (4.1.102 -> 4.1.103)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Arabic)
- Translated using Weblate (Catalan)
- Translated using Weblate (Chinese (China))
- Translated using Weblate (Chinese (Taiwan))
- Translated using Weblate (Czech)
- Translated using Weblate (Dutch)
- Translated using Weblate (French)
- Translated using Weblate (German)
- Translated using Weblate (Hungarian)
- Translated using Weblate (Italian)
- Translated using Weblate (Japanese)
- Translated using Weblate (Korean)
- Translated using Weblate (Polish)
- Translated using Weblate (Portuguese (Brazil))
- Translated using Weblate (Russian)
- Translated using Weblate (Slovak)
- Translated using Weblate (Spanish)
- Translated using Weblate (Swedish)
- 4.1.103

==== libzypp ====
Version update (17.11.2 -> 17.11.3)

- KeyManager: Work around bsc#1127220 [libgpgme] no error upon
incomplete import due to signal received.
- MediaCurl: add hint to check SCC for an expired regcode on
http error 403 (bsc#965786)
- version 17.11.3 (9)

==== open-vm-tools ====
Version update (10.3.5 -> 10.3.10)
Subpackages: libvmtools0 open-vm-tools-desktop

- Update to 10.3.10 (build 12406962) (boo#1130898)
+ Resolved - In certain cases, quiesced snapshots on Linux guests do not
include backup manifests.
- Drop unnecessary patch:
- include_log_h_for_g_info.patch
- no_manifest_on_aborted_snapshot.patch
- send_vmbackup_event_generic_manifest.patch
- vmtoolsd_bailout_on_rpc_errors.patch

==== rpm ====
Subpackages: rpm-32bit

- Backport changelog cutoff date change from Factory (bnc#1129753)
modified: macrosin.diff
- Translate dashes to underscores in kmod provides (FATE#326579,
jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
refresh: findksyms.diff
add: find-provides.ksyms, find-requires.ksyms
- Re-add symset-table from SLE 12 (bsc#1126327).
add: symset-table

==== sqlite3 ====
Version update (3.23.1 -> 3.27.2)
Subpackages: libsqlite3-0

- CVE-2018-20346, bsc#1119687: Upgrade to the most recent version
to fix a remote code execution vulnerability in FTS3 (Magellan).
- Drop sqlite-fts5-link.patch and do it in the spec file instead.
- Version 3.27.2:
* Add the VACUUM INTO command
* Issue an SQLITE_WARNING message on the error log if a
double-quoted string literal is used
* Add the remove_diacritics=2 option to FTS3 and FTS5.
* Add the SQLITE_PREPARE_NO_VTAB option to sqlite3_prepare_v3().
Use that option to prevent circular references to shadow tables
from causing resource leaks.
* Enhancements to the sqlite3_deserialize() interface
* Enhancements to the CLI, mostly to support testing and debugging
of the SQLite library itself
* Increased robustness against malicious SQL that is run against
a maliciously corrupted database
- Version 3.26.0:
* Optimization: When doing an UPDATE on a table with indexes on
expressions, do not update the expression indexes if they do
not refer to any of the columns of the table being updated.
* Allow the xBestIndex() method of virtual table implementations
to return SQLITE_CONSTRAINT to indicate that the proposed query
plan is unusable and should not be given further consideration.
* Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the
ability to create corrupt database files using ordinary SQL.
* Added support for read-only shadow tables when the
SQLITE_DBCONFIG_DEFENSIVE option is enabled.
* Added the PRAGMA legacy_alter_table command, which if enabled
causes the ALTER TABLE command to behave like older versions of
SQLite (prior to version 3.25.0) for compatibility.
* Added PRAGMA table_xinfo that works just like PRAGMA table_info
except that it also shows hidden columns in virtual tables.
* Added the explain virtual table as a run-time loadable
extension.
* Add a limit counter to the query planner to prevent excessive
sqlite3_prepare() times for certain pathological SQL inputs.
* Added support for the sqlite3_normalized_sql() interface, when
compiling with SQLITE_ENABLE_NORMALIZE.
* Enhanced triggers so that they can use table-valued functions
that exist in schemas other than the schema where the trigger
is defined.
* Improvements to the ".help" command in the CLI.
* The SQLITE_HISTORY environment variable, if it exists,
specifies the name of the command-line editing history file.
* The --deserialize option associated with opening a new database
in the CLI causes the database file to be read into memory and
accessed using the sqlite3_deserialize() API. This simplifies
running tests on a database without modifying the file on disk.
- Version 3.25.2:
* Add the PRAGMA legacy_alter_table=ON command that causes the
"ALTER TABLE RENAME" command to behave as in 3.24.0 and earlier
* Fix issue with some expressions with windows functions in views
- Version 3.25.1:
* Avoid false-positive error checks on ALTER TABLE
* Further ORDER BY LIMIT optimization fixes for window functions
- Version 3.25.0:
* Add support for window functions
* Add support for renaming columns within a table
* Query optimizer improvements
* slightly better concurrency in multi-threaded environments
* The ORDER BY LIMIT optimization might have caused an infinite
loop in the byte code of the prepared statement under very
obscure circumstances, due to a confluence of minor defects in
the query optimizer
- Version 3.24.0:
* Add support for PostgreSQL-style UPSERT
* Add support for auxiliary columns in r-tree tables
* Add C-language APIs for discovering SQL keywords used by SQLite
* Add C-language APIs for dynamic strings based on sqlite3_str
* Enhance ALTER TABLE so that it recognizes "true" and "false" as
valid arguments to DEFAULT
* Add the sorter-reference optimization as a compile-time option
* Improve the format of the EXPLAIN QUERY PLAN raw output, so that
it gives better information about the query plan and about the
relationships between the various components of the plan
* Added the SQLITE_DBCONFIG_RESET_DATABASE option to the
sqlite3_db_config() API.
* Automatically intercept the raw EXPLAIN QUERY PLAN output and
reformat it into an ASCII-art graph.
* Lines that begin with "#" and that are not in the middle of an
SQL statement are interpreted as comments
* Add the --append option to the ".backup" command
* Add the ".dbconfig" command
* various performance improvements
* various bug fixes

==== tiff ====

- security update
* CVE-2019-7663 [bsc#1125113]
+ tiff-CVE-2019-7663.patch
- security update
* CVE-2019-6128 [bsc#1121626]
+ tiff-CVE-2019-6128.patch
- extend tiff-CVE-2018-19210.patch and rename it to
tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
* solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]

==== timezone ====
Version update (2018i -> 2019a)

- timezone update 2019a:
* Palestine "springs forward" on 2019-03-30 instead of 2019-03-23
* Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at
02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data

==== timezone-java ====
Version update (2018i -> 2019a)

- timezone update 2019a:
* Palestine "springs forward" on 2019-03-30 instead of 2019-03-23
* Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at
02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data

==== transactional-update ====
Version update (2.13.1 -> 2.14.1)
Subpackages: transactional-update-zypp-config

- Update to version 2.14.1
- Improve non-root fs changes checker based on feedback
- Disable snapper's zypper plugin during transactional-update run
- Allow parallel installation with snapper's zypper plugin (useful on
read-write systems).
- Update to version 2.14
- Warn user if contents of /var have been changed during update
- Noteworthy: swapped position of upperdir and lowerdir in fstab for better
readability
- Major update to the transactional-update guide
- Update to version 2.13.2
- add hooks for telemetrics

==== translation-update ====
Subpackages: translation-update-ar translation-update-bg translation-update-ca
translation-update-cs translation-update-da translation-update-de
translation-update-el translation-update-en_GB translation-update-en_US
translation-update-eo translation-update-es translation-update-et
translation-update-fa translation-update-fi translation-update-fr
translation-update-hu translation-update-id translation-update-it
translation-update-ja translation-update-ko translation-update-lt
translation-update-nb translation-update-nl translation-update-pl
translation-update-pt translation-update-pt_BR translation-update-ru
translation-update-sk translation-update-sl translation-update-sv
translation-update-uk translation-update-zh_CN translation-update-zh_TW

- Refresh from
translation-update-from-translation-update-upstream-20190327.tar.bz2:
* Translation updates.
* Adds 2 language subpackages.

==== wavpack ====

- Fix denial-of-service (resource exhaustion caused by an infinite
loop; bsc#1120930, CVE-2018-19840, CVE-2018-19840.patch).
- Fix denial-of-service (out-of-bounds read and application crash;
bsc#1120929, CVE-2018-19841, CVE-2018-19841.patch).

==== xfce4-screenshooter ====
Version update (1.9.4 -> 1.9.5)
Subpackages: xfce4-screenshooter-lang

- Update to version 1.9.5
* Bug fixed:
- Panel plugin: allow it to save files (bxo#15187)

==== yast2 ====
Version update (4.1.66 -> 4.1.67)
Subpackages: yast2-logs

- Firewall: Zone name has been removed from the common attributes
declaration as it cannot be modified through the firewalld API.
(bsc#1130354)
- 4.1.67

==== yast2-bootloader ====
Version update (4.1.22 -> 4.1.23)

- Removed double "smt" entry from *.rnc file (bsc#1128707).
- 4.1.23

==== yast2-firewall ====
Version update (4.1.10 -> 4.1.11)

- Autoyast: Export zone name explicitly as it has been removed from
the common attributes list (bsc#1130354)
- Fixed textdomain names
- 4.1.11

==== yast2-iscsi-client ====
Version update (4.1.6 -> 4.1.7)

- further fixes of iscsiadm output parsing (bsc#1129946)
- 4.1.7

==== yast2-packager ====
Version update (4.1.33 -> 4.1.35)

- Fix malformed rpm commands (bsc#1129422).
- 4.1.35
- Use correct method name mount_path, not nonexistent mountpoint
(bsc#1130287)
- 4.1.34

==== yast2-printer ====
Version update (4.1.0 -> 4.1.1)

- Security hardening (bsc#1118291)
- 4.1.1

==== yast2-storage-ng ====
Version update (4.1.75 -> 4.1.77)

- Improve unit tests: mocking architecture for Bcache is not needed
anymore (fix regression tests for bsc#1129787).
- 4.1.77
- Fix boot disk detection (bsc#1129787).
- 4.1.76

==== zypper ====
Version update (1.14.26 -> 1.14.27)
Subpackages: zypper-aptitude zypper-log zypper-needs-restarting

- Add Requires: libaugeas0 >= 1.10.0 (fixes #265)
- bash-completion: add package completion for addlock (bsc#1047962)
- bash-completion: fix incorrect detection of command names (bsc#1049826)
- version 1.14.27

