Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20190718 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: harfbuzz (2.3.1 -> 2.5.3) kdevelop5 libpng12 (1.2.57 -> 1.2.59) spec-cleaner (1.1.3 -> 1.1.4) squid (4.7 -> 4.8) tracker udisks2 virt-manager (2.1.0 -> 2.2.1) xclock (1.0.8 -> 1.0.9) === Details === ==== harfbuzz ==== Version update (2.3.1 -> 2.5.3) Subpackages: libharfbuzz-icu0 libharfbuzz0 libharfbuzz0-32bit - Update to version 2.5.3: + Fix UCD script data for Unicode 10+ scripts. This was broken since 2.5.0. + More optimizations for HB_TINY. - Changes from version 2.5.2: + More hb-config.hh facilities to shrink library size, namely when built as HB_TINY. + New documentation of custom configurations in CONFIG.md. + Fix build on gcc 4.8. That's supported again. + Universal Shaping Engine improvements. + API Changes: Undeprecate some horizontal-kerning API and re-enable in hb-ft, such that Type1 fonts will continue kerning. - Changes from version 2.5.1: + Fix build with various versions of Visual Studio. + Improved documentation. + Bugfix in subsetting glyf table. + Improved scripts for cross-compiling for Windows using mingw. + Rename HB_MATH_GLYPH_PART_FLAG_EXTENDER to HB_OT_MATH_GLYPH_PART_FLAG_EXTENDER. A deprecated macro is added for backwards-compatibility. - Changes from version 2.5.0: + This release does not include much functional changes, but includes major internal code-base changes. We now require C++11. Support for gcc 4.8 and earlier has been dropped. + New hb-config.hh facility for compiling smaller library for embedded and web usecases. + New Unicode Character Databse implementation that is half the size of previously-used UCDN. + Subsetter improvements. + Improved documentation. + isc shaping fixes. - Changes from version 2.4.0: + Unicode 12. + Misc fixes. + Subsetter improvements. + New API: HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE and hb_directwrite_face_create(). ==== kdevelop5 ==== Subpackages: kdevelop5-lang kdevplatform kdevplatform-lang libkdevplatform53 - Add fix-crash-on-undocking-toolviews.patch to fix crash when undocking toolviews with Qt 5.13 (kde#409790) ==== libpng12 ==== Version update (1.2.57 -> 1.2.59) - version update to 1.2.59 Added png_check_chunk_length() function, and check all chunks except IDAT against the default 8MB limit; check IDAT against the maximum size computed from IHDR parameters (Fixes CVE-2017-12652). Initialize memory allocated by png_inflate to zero, using memset, to stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2() due to truncated iTXt or zTXt chunk. ==== spec-cleaner ==== Version update (1.1.3 -> 1.1.4) - Update to 1.1.4 bsc#1099674: * Exclude stuff from openstack macros * Replace 'http' with 'https' in URL * Replace legacy packageand() with 'and' expression * Replace pwdutils with shadow in Requires * Add openstack_cleanup_prep to bracketing excludes * Do not curlify yast_metainfo and yast_check * Fixup the eating of Source lines with whitespace * Document '#nospeccleaner' tag * Add docstrings to the functions and classes. * Use type hints for the most important functions * Update README and licences * Various small fixes - add a temporary patch spec-cleaner-1.1.4_test_https.patch that fixes a test that fails if there is no internet connection ==== squid ==== Version update (4.7 -> 4.8) - Update to squid 4.8: + Ignore ECONNABORTED in accept(2) + RFC 7230 forbids generation of userinfo subcomponent of https URL + cachemgr.cgi: unallocated memory access resulting in a potential denial of service. (bsc#1141442, CVE-2019-12854) + terminating c-strings beyond BASE64_DECODE_LENGTH + Replace uudecode with libnettle base64 decoder fixing a denial of service vulnerability (bsc#1141329, CVE-2019-12529) + fix to_localhost does not include :: + Fix GCC-9 build issues + Fix Digest auth parameter parsing preventing a potential denial of service (bsc#1141332, CVE-2019-12525) + Update HttpHeader::getAuth to SBuf which prevents a potential heap overflowing allowing a possible remote code execution attack when processing HTTP Authentication credentials (bsc#1141330, CVE-2019-12527) + Add the NO_TLSv1_3 option to available tls-options values + Fix handling of tiny invalid responses + Fix Memory leak when http_reply_access uses external_acl + Fix Multiple XSS issues in cachemgr.cgi (bsc#1140738, CVE-2019-13345) - use unbundled version of libnettle - disable LTO as a workaround to tests failing ==== tracker ==== Subpackages: libtracker-common-2_0 libtracker-control-2_0-0 libtracker-miner-2_0-0 libtracker-sparql-2_0-0 tracker-lang typelib-1_0-Tracker-2_0 typelib-1_0-TrackerControl-2_0 - Add fix-tracker-miner-fs-lto-crash.patch and enable again LTO (boo#1141201). ==== udisks2 ==== Subpackages: libudisks2-0 libudisks2-0_btrfs udisks2-lang - don't call systemd uninstall macro for clean-mount-point@.service template (boo#1139996) ==== virt-manager ==== Version update (2.1.0 -> 2.2.1) Subpackages: virt-install virt-manager-common - Upstream bug fix (bsc#1027942) 3c6e8537-guest-fix-warning-message-when-machine-type-is-changed-for-secure-boot.patch - Update to virt-manager 2.2.1 (fate#326786) virt-manager-2.2.1.tar.bz2 * CVE-2019-10183: Replace ?unattended user-password and admin-password with user-password-file and admin-password-file (Fabiano Fidêncio) * Consistent ?memballoon default across non-x86 (Andrea Bolognani) * virt-install: add ?numatune memnode.* (Athina Plaskasoviti) * Drop hard dep on gtksourceview4, gtksourceview3 is fine as well - Drop patches no longer needed 033e9702-xmleditor-Handle-gtksourceview3-as-well-as-gtksourceview4.patch 51d28f04-unattended-Dont-log-user-admin-passwords.patch 5312a961-virt-install-Revive-wait-0-as-alias-for-noautoconsole.patch 58c68764-unattended-Read-the-passwords-from-a-file.patch - bsc#1140211 - VUL-1: CVE-2019-10183: virt-manager: unattended option leaks password via command line argument 58c68764-unattended-Read-the-passwords-from-a-file.patch 51d28f04-unattended-Dont-log-user-admin-passwords.patch - Upstream bug fix (bsc#1027942) 5312a961-virt-install-Revive-wait-0-as-alias-for-noautoconsole.patch - Update to virt-manager 2.2.0 (fate#326786) virt-manager-2.2.0.tar.bz2 * libvirt XML viewing and editing UI for new and existing domain, pools, volumes, networks * virt-install: libosinfo ?unattended support (Fabiano Fidêncio, Cole Robinson) * Improve CPU model security defaults (Pavel Hrdina) * virt-install: new ?install option. Ex: virt-install ?install fedora29 * virt-install: new ?install kernel=,initrd= * virt-install: ?disk, ?memory, ?name defaults from libosinfo (Fabiano Fidêncio, Cole Robinson) * virt-install: add device suboption aliases which consistently match libvirt XML naming * virt-xml: new ?start, ?no-define options (Marc Hartmayer) * virt-install: Add driver_queues argument to ?controller (Vasudeva Kamath) * RISC-V support (Andrea Bolognani) * Device default improvements for non-x86 KVM (Andrea Bolognani) * Redesigned ?New Network? wizard * libguestfs inspection improvements (Pino Toscano) * virt-install: Add support for xenbus controller (Jim Fehlig) * cli: Add ?disk wwn=,rawio= (Athina Plaskasoviti) * cli: Add ?memballoon autodeflate=,stats.period= (Athina Plaskasoviti) * cli: Add ?iothreads (Athina Plaskasoviti) * cli: Add ?numatune memory.placement (Athina Plaskasoviti) * cli: Add ?launchSecurity option (Erik Skultety) * cli: Fill in ?memorybacking options * cli: ?smartcard: support database= and certificate[0-9]*= * cli: ?sysinfo: Add chasis suboptions * cli: ?metadata: add genid= and genid_enable= * cli: ?vcpus: add vcpus.vcpu[0-9]* config * cli: fill in all common char source options for ?serial, ?parellel, ?console, ?channel, ?smartcard, ?rng, ?redirdev 033e9702-xmleditor-Handle-gtksourceview3-as-well-as-gtksourceview4.patch virtman-dont-specify-gtksource-version.patch - Drop patches no longer needed f7508d02-addhardware-Fix-setting-optimal-default-net-model.patch 1018ab44-inspection-handle-failures-in-application-listing.patch ae8a4f3d-engine-Fix-first-run-startup-error.patch 57db4185-virt-clone-fix-force-copy-of-empty-cdrom-or-floppy-disk.patch 26a433fc-virtManager-clone-check-which-storage-pools-supports-volume-cloning.patch 4f66c423-cloner-Handle-nonsparse-for-qcow2-images.patch a02fc0d0-virtManager-clone-build-default-clone-path-if-we-know-how.patch 1856c1fa-support-Fix-minimum-version-check.patch 001-adf30349-cli-refactor-get_prop.patch 002-60c7e778-xmlapi-add-set_prop.patch 003-5bad22e8-tests-Use-get-set_prop.patch 004-ee5f3eab-support-Add-SUPPORT_CONN_DEVICE_BOOT_ORDER.patch 005-7768eb17-cli-Add-check-if-device-boot-order-is-supported.patch 006-ecc0861c-tests-xmlparse-refactor-method-for-generating-out-file-path.patch 007-c9d070da-guest-Add-reorder_boot_order-method.patch 008-1b535940-tests-Add-test-case-for-reorder_boot_order-method.patch 009-b83a0a61-cli-Use-reorder_boot_order-for-setting-the-boot-order.patch 010-c896d19d-tests-cli-Add-boot.order-tests.patch 011-29f9f2ac-virt-xml-Add-no-define-argument.patch 012-c2bff509-tests-cli-Add-test-case-for-no-define-argument.patch 013-90b1a3ab-virt-xml-Add-support-for-starting-the-domain.patch 014-908b8e8d-tests-virt-xml-Add-test-cases-for-start-option.patch 5bc847eb-virt-install-Do-not-warn-about-consoles-on-s390x.patch 74bbc3db-urldetect-Check-also-for-treeinfo.patch 708af01c-osdict-Add-supports_virtioinput.patch f23b01be-guest-Add-VirtIO-input-devices-to-s390x-guests-with-graphics.patch 7afbb90b-virt-xml-Handle-VM-names-that-look-like-id-uuid.patch 8d9743d6-virt-install-Add-support-for-xenbus-controller.patch a0ca387a-cli-Fix-pool-default-when-path-belongs-to-another-pool.patch 578451fe-urldetect-Dont-run-regex-against-None-SUSE-product-name.patch virtman-default-guest-from-host-os.patch virtman-prevent-double-click-starting-vm-twice.patch ==== xclock ==== Version update (1.0.8 -> 1.0.9) - Update to version 1.0.9 * Use _CONST_X_STRING to make libXt declare String as const char * * Clear -Wsign-compare warning from gcc 7.3 * Consistently use X_GETTIMEOFDAY * Fix logic sourrouning && and || * Use fabsf when dealing with floating point numbers