Packages changed:
  MozillaFirefox (118.0.1 -> 119.0)
  dracut (059+suse.503.g41e99e72 -> 059+suse.511.g0bdb16ac)
  glibc
  glslang (13.0.0 -> 13.1.1)
  gnome-text-editor (45.0 -> 45.1)
  gpgme (1.23.0 -> 1.23.1)
  grub2
  hiredis (1.1.0 -> 1.2.0)
  kernel-default-base
  libbluray
  ncurses (6.4.20231007 -> 6.4.20231021)
  open-lldp (1.1+58.8ca361bab766 -> 1.1+77.75e83b6fb98e)
  open-vm-tools (12.3.0 -> 12.3.5)
  podman
  poppler (23.09.0 -> 23.10.0)
  poppler-qt5 (23.09.0 -> 23.10.0)
  protobuf
  python-jsonschema (4.19.1 -> 4.19.2)
  python-pyudev
  qpdf (11.6.2 -> 11.6.3)
  selinux-policy (20231012 -> 20231030)
  shadow (4.14.1 -> 4.14.2)
  sssd
  strace (6.5 -> 6.6)
  suse-module-tools (16.0.37 -> 16.0.38)
  systemd
  toolbox (2.3+git20220622.32785f7 -> 2.3+git20231030.3a6ef35)
  vulkan-loader (1.3.261.0 -> 1.3.268.0)
  vulkan-tools (1.3.261.0 -> 1.3.268.0)
  webrtc-audio-processing
  wireplumber

=== Details ===

==== MozillaFirefox ====
Version update (118.0.1 -> 119.0)
- Mozilla Firefox 119.0
  https://www.mozilla.org/en-US/firefox/119.0/releasenotes
  MFSA 2023-45 (bsc#1216338)
  * CVE-2023-5721 (bmo#1830820)
    Queued up rendering could have allowed websites to clickjack
  * CVE-2023-5722 (bmo#1738426)
    Cross-Origin size and header leakage
  * CVE-2023-5723 (bmo#1802057)
    Invalid cookie characters could have led to unexpected errors
  * CVE-2023-5724 (bmo#1836705)
    Large WebGL draw could have led to a crash
  * CVE-2023-5725 (bmo#1845739)
    WebExtensions could open arbitrary URLs
  * CVE-2023-5726 (bmo#1846205)
    Full screen notification obscured by file open dialog on macOS
  * CVE-2023-5727 (bmo#1847180)
    Download Protections were bypassed by .msix, .msixbundle, .appx,
    and .appxbundle files on Windows
  * CVE-2023-5728 (bmo#1852729)
    Improper object tracking during GC in the JavaScript engine could
    have led to a crash.
  * CVE-2023-5729 (bmo#1823720)
    Fullscreen notification dialog could have been obscured by WebAuthn
    prompts
  * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833,
    bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002,
    bmo#1855306, bmo#1855640, bmo#1856695)
    Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and
    Thunderbird 115.4.1
  * CVE-2023-5731 (bmo#1690111, bmo#1721904, bmo#1851803, bmo#1854068)
    Memory safety bugs fixed in Firefox 119
- requires NSS 3.94
- Mozilla Firefox 118.0.2
  * Fix games not loading on betsoft.com (bmo#1856145)
  * Fix printing issues for some SVG images (bmo#1853727)
  * Fix CORS XHR with authentication no longer working (bmo#1855650)
  * Fix h264 WebRTC video not working in some contexts (bmo#1855636)
  * Fix Firefox Translations not working on some pages
    (bmo#1841656, bmo#1855307)
  * Stability fixes (bmo#1851991, bmo#1799326, bmo#1856637)
- Activate KDE integration again, included rebased and updated patches,
  firefox-kde.patch and mozilla-kde.patch (upstream removed special files
  handling for preferences, but that has no effect since we haven't shipped
  the obsolete kde.js for a while) (boo#1216027)

==== dracut ====
Version update (059+suse.503.g41e99e72 -> 059+suse.511.g0bdb16ac)
Subpackages: dracut-ima
- Update to version 059+suse.511.g0bdb16ac:
  * fix(pkcs11): delete trailing dot on libcryptsetup-token-systemd-pkcs11.so
  * fix(systemd-repart): correct undefined $libdir
  * fix(dracut-systemd): use `DRACUT_VERSION` instead of `VERSION`
  * fix(dracut.sh): abort if Bash is in POSIX mode
  * fix(dracut-initramfs-restore.sh): do not set selinux labels if disabled
  * fix(network): correct network device naming (bsc#1192986)

==== glibc ====
Subpackages: glibc-extra glibc-locale glibc-locale-base nscd
- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

==== glslang ====
Version update (13.0.0 -> 13.1.1)
- Update to release 13.1.1
  * Support GL_EXT_texture_shadow_lod, GL_NV_displacement_micromap
  * Add --no-link option
- Drop merged 0001-Revert-CMake-Make-glslang-default-resource-limits-ST.patch

==== gnome-text-editor ====
Version update (45.0 -> 45.1)
- Update to version 45.1:
  + Use proper etag when comparing document for changes after a Save As
    operation occurs.
  + Fix row styling in preferences.
  + Fix memory leak of GtkNativeDialog.
  + Updated translations.

==== gpgme ====
Version update (1.23.0 -> 1.23.1)
Subpackages: libgpgme11 libgpgmepp6 python311-gpg
- update to 1.23.1:
  * fixes for other platforms

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin grub2-systemd-sleep-plugin
- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
  * 0001-kern-ieee1275-init-Restrict-high-memory-in-presence-.patch

==== hiredis ====
Version update (1.1.0 -> 1.2.0)
- hiredis 1.2.0:
  * Add sdevent adapter
  * Allow specifying the keepalive interval
  * Add RedisModule adapter
  * Helper for setting TCP_USER_TIMEOUT socket option
  * bug fixes

==== kernel-default-base ====
- Add dummy (boo#1216647)

==== libbluray ====
- Added patch:
  * libbluray-java18plus.patch
    + allow building with JDK 18 and newer (using source/target levels 8)
    + fixes build with the new OpenJDK 21 LTSS

==== ncurses ====
Version update (6.4.20231007 -> 6.4.20231021)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm
  terminfo-screen
- Add ncurses patch 20231021
  + use oldxterm+sm+1006 in vte-2014 (report by Benno Schulenberg) -TD
  + add ansi+apparrows -TD
  + change defaults for configure opaque and widec options (prompted by
    discussion with Branden Robinson).
  + minor cleanup of compiler- and manpage-warnings.
- Correct offsets of some hunks in patches
  * ncurses-5.9-ibm327x.dif
  * ncurses-6.4.dif
- Add ncurses patch 20231016
  + make the recent change to setupterm optional "--enable-check-size"
    (Debian #1054022).
- Add ncurses patch 20231014
  + improve formatting/style of manpages (patches by Branden Robinson).
  + updated configure script macro CF_XOPEN_SOURCE, for uClibc-ng
  + update config.guess, config.sub

==== open-lldp ====
Version update (1.1+58.8ca361bab766 -> 1.1+77.75e83b6fb98e)
Subpackages: liblldp_clif1
- Update to latest Intel upstream version (v1.1+77.75e83b6fb98e,
  jsc#PED-6852):
  * lldpad: dcbx: prevent null dereference in dcbx_free_data
  * dcbx: Fix use-after-free
  * dcbx: Fix NULL pointer dereference
  * dcbx: Fix leak when receiving legacy TLVs with mismatched mode
  * lldp: Reject frames with duplicate TLVs
  * dcbx: Free manifest in rchange callback
  * dcbx: Avoid memory leak if ifup is called twice
  * ctrl_iface: Fix a memory leak in ctrl_iface_deinit
  * lldp: Avoid sending uninitialized data
  * lldptool: fix null pointer dereference
  * Revert "Use interface index instead of name in libconfig"
  * Avoiding null pointer dereference
  * agent: reset frame status on message delete
  * basman: use return address when pulling address
  * 8021Qaz: check for rx block validity
  * 8021qaz: squelch initialization errors
  * macvtap: fix error condition
  * vdp22: convert command parsing to null term

==== open-vm-tools ====
Version update (12.3.0 -> 12.3.5)
Subpackages: libvmtools0 open-vm-tools-desktop
- Update to 12.3.5 (build 22544099) (boo#1216670)
  - There are no new features in the open-vm-tools 12.3.5 release. This is
    primarily a maintenance release that addresses a few critical problems,
    including:
    - This release resolves CVE-2023-34058. For more information on this
      vulnerability and its impact on VMware products, see
      https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
    - This release resolves CVE-2023-34059, which only affects
      open-vm-tools. For more information on this vulnerability, please see
      the Resolved Issues section of the Release Notes.
    - A GitHub issue has been handled. Please see the Resolved Issues
      section of the Release Notes.
    - An update to the deployPkg plugin to coordinate with recent releases
      of cloud-init for improvement for guest VM customization.
  - For issues resolved in this release, see the Resolved Issues section of
    the Release Notes.
  - For complete details, see:
    https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.5
  - Release Notes are available at
    https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/ReleaseNotes.md
  - The granular changes that have gone into the 12.3.5 release are in the
    ChangeLog at
    https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog
- Drop patches now contained in 12.3.5:
  - CVE-2023-34058.patch
  - CVE-2023-34059.patch

==== podman ====
- Use crun on Tumbleweed & ALP for WASM support

==== poppler ====
Version update (23.09.0 -> 23.10.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 poppler-tools
- Add patch to let it build with the heavily patched tiff 4.0.9 we have in
  SLE 15:
  * reduce-libtiff-required-version.patch
- version update to 23.10.0
  core:
  * cairo: update type 3 fonts for cairo 1.18 api
  * Fix crash on malformed files
  build system:
  * Make a few more dependencies soft-mandatory
  * Add more supported gnupg releases
  * Check if linker supports version scripts
- modified patches
  % reduce-boost-required-version.patch (refreshed)

==== poppler-qt5 ====
Version update (23.09.0 -> 23.10.0)
- Add patch to let it build with the heavily patched tiff 4.0.9 we have in
  SLE 15:
  * reduce-libtiff-required-version.patch
- version update to 23.10.0
  core:
  * cairo: update type 3 fonts for cairo 1.18 api
  * Fix crash on malformed files
  build system:
  * Make a few more dependencies soft-mandatory
  * Add more supported gnupg releases
  * Check if linker supports version scripts
- modified patches
  % reduce-boost-required-version.patch (refreshed)

==== protobuf ====
Subpackages: libprotobuf-lite23_4_0 libprotobuf23_4_0 python311-protobuf
- Build with source and target levels 8
  * fixes build with JDK21
- Install the pom file with the new %%mvn_install_pom macro
- Do not install the pom-only artifacts, since the %%mvn_install_pom macro
  resolves the variables at install time

==== python-jsonschema ====
Version update (4.19.1 -> 4.19.2)
- update to 4.19.2:
  * Fix the error message for additional items when used with heterogeneous
    arrays.
  * Don't leak the additionalItems keyword into JSON Schema draft 2020-12,
    where it was replaced by items.

==== python-pyudev ====
- update hypothesis_settings.patch:
  * Extend deadline for test_child_of_parents that fails on ppc64le
    (bsc#1216607)

==== qpdf ====
Version update (11.6.2 -> 11.6.3)
- update to 11.6.3:
  * Tweak linearization code to better handle files between 2 GB and 4 GB
    in size. Fixes #1023.
  * Fix data loss bug: qpdf could discard the character after an escaped
    octal string consisting of less than three digits. For content, this
    would only happen with QDF or when normalizing content. Outside of
    content, it could have happened in any binary string, such as /ID, if
    the encoding software used octal escape strings with less than three
    digits. This bug was introduced between 10.6.3 and 11.0.0.

==== selinux-policy ====
Version update (20231012 -> 20231030)
Subpackages: selinux-policy-targeted
- Update to version 20231030:
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <<none>>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <<none>>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t
    chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  ... changelog too long, skipping 64 lines ...
  * Allow sendmail manage its runtime files

==== shadow ====
Version update (4.14.1 -> 4.14.2)
Subpackages: libsubid4 login_defs
- Update to 4.14.2:
  * libshadow:
    + Fix build with musl libc.
    + Avoid NULL dereference.
    + Update utmp at an initial login
  * useradd(8):
    + Set proper SELinux labels for def_usrtemplate
  * Manual:
    + Document --prefix in chage(1), chpasswd(8), and passwd(1)
- Drop upstreamed shadow-4.14.0-selinux-labels.patch

==== sssd ====
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0
  sssd-krb5-common sssd-ldap
- Update dependencies to require the same subpackages version and release
- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of "%pre"
- Move sss_analyze to sssd-tools package
- Default config is unworkable, just stop installing it altogether
  [boo#1216739]

==== strace ====
Version update (6.5 -> 6.6)
- Update to strace 6.6
  * Implemented --kill-on-exit option that instructs the tracer to set the
    PTRACE_O_EXITKILL option on all tracee processes and not to detach them
    on cleanup, so they will not be left running after the tracer exits.
  * Implemented automatic activation of the --kill-on-exit option when
    --seccomp-bpf is enabled and the -p/--attach option is not used.
  * Implemented decoding of map_shadow_stack syscall.
  * Implemented decoding of FSCONFIG_CMD_CREATE_EXCL fsconfig command.
  * Implemented decoding of IFLA_BRPORT_BACKUP_NHID netlink attribute.
  * Implemented decoding of SECCOMP_IOCTL_NOTIF_SET_FLAGS ioctl.
  * Implemented decoding of UFFDIO_CONTINUE, UFFDIO_POISON, and
    UFFDIO_WRITEPROTECT ioctls.
  * Updated lists of ARCH_*, BPF_*, DEVCONF_*, IORING_*, KEXEC_*, MAP_*,
    NT_*, PTRACE_*, QFMT_*, SEGV_*, UFFD_*, V4L2_*, and XDP_* constants.
  * Updated lists of ioctl commands from Linux 6.6.
- Remove haveged build requirement and usage in test suite as it is not
  needed anymore (jsc#PED-6184).
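The python-jsonschema 4.19.2 entry above says that `additionalItems` leaked into the draft 2020-12 keyword set, where `prefixItems` and `items` replaced draft 7's array-form `items` and `additionalItems`. The block below is an added example, not the jsonschema library's code: a deliberately minimal re-implementation of only those array keywords (element schemas support just a single `type`), with a `leak_additional_items` switch that reproduces the described bug so the correct and the leaking behaviour can be compared on the same schema and instance. The schemas and instances are constructed for the illustration.

```python
"""Array keyword semantics: JSON Schema draft 7 versus draft 2020-12.

Added illustration for the python-jsonschema 4.19.2 changelog entry; this is
not the jsonschema library's code.  Only the array keywords are modelled and
element schemas support a single "type" string, True, or False.

Draft 7:   "items" may be an array of positional schemas, and
           "additionalItems" constrains the elements beyond them.
2020-12:   "prefixItems" holds the positional schemas and "items" constrains
           the rest; "additionalItems" is no longer a keyword and must be
           ignored.  A validator that still honours it under 2020-12 (the
           bug described in the changelog) rejects instances the schema
           actually allows.
"""

TYPE_CHECKS = {
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "array": lambda v: isinstance(v, list),
}


def check_type(subschema, value, path):
    """Return error strings for the 'type' keyword of one element schema."""
    if subschema is True:
        return []
    if subschema is False:
        return [f"{path}: no value allowed"]
    expected = subschema.get("type")
    if expected is None:
        return []
    checker = TYPE_CHECKS.get(expected)
    if checker is None:
        raise ValueError(f"unsupported type {expected!r}")
    if checker(value):
        return []
    # Error message names the offending index and value, which is what a
    # heterogeneous array needs to make the failure locatable.
    return [f"{path}: {value!r} is not of type {expected!r}"]


def validate_array(schema, instance, draft, leak_additional_items=False):
    """Validate a list against the array keywords of the given draft.

    Returns a list of error messages; an empty list means the instance is
    valid.  draft is "draft7" or "2020-12".
    """
    if draft == "draft7":
        items = schema.get("items", True)
        if isinstance(items, list):
            positional, rest = items, schema.get("additionalItems", True)
        else:
            # single-schema "items" applies to every element; draft 7 says
            # "additionalItems" is then ignored
            positional, rest = [], items
    elif draft == "2020-12":
        positional = schema.get("prefixItems", [])
        rest = schema.get("items", True)
        if leak_additional_items and "additionalItems" in schema:
            # the bug: a draft-7-only keyword is enforced under 2020-12
            rest = schema["additionalItems"]
    else:
        raise ValueError(f"unsupported draft {draft!r}")

    errors = []
    for idx, value in enumerate(instance):
        sub = positional[idx] if idx < len(positional) else rest
        errors += check_type(sub, value, f"$[{idx}]")
    return errors


# Constructed schemas: the same intent written for each draft.  The 2020-12
# schema carries a stray "additionalItems" that a correct validator ignores.
DRAFT7_SCHEMA = {"items": [{"type": "integer"}],
                 "additionalItems": {"type": "string"}}
DRAFT2020_SCHEMA = {"prefixItems": [{"type": "integer"}],
                    "additionalItems": {"type": "string"}}

if __name__ == "__main__":
    heterogeneous = [1, 2]
    print("draft7  :", validate_array(DRAFT7_SCHEMA, heterogeneous, "draft7"))
    print("2020-12 :", validate_array(DRAFT2020_SCHEMA, heterogeneous, "2020-12"))
    print("leaking :", validate_array(DRAFT2020_SCHEMA, heterogeneous, "2020-12",
                                      leak_additional_items=True))
```

The practical check is the last two lines: under 2020-12 the instance `[1, 2]` is valid, because the schema never constrained elements past `prefixItems`, while a validator with the leaked keyword reports `$[1]: 2 is not of type 'string'`. Schemas written against one draft and validated under another can therefore accept or reject different inputs, so the `$schema` a validator actually applies is worth pinning in tests.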
==== suse-module-tools ====
Version update (16.0.37 -> 16.0.38)
Subpackages: suse-module-tools-scriptlets
- Update to version 16.0.38:
  * modprobe.d: use softdep to load sd_mod and sg (boo#1216070)

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-boot systemd-coredump systemd-doc
  udev
- Fix typo in /etc/systemd/user.confd.d (bsc#1216676)

==== toolbox ====
Version update (2.3+git20220622.32785f7 -> 2.3+git20231030.3a6ef35)
- Update to version 2.3+git20231030.3a6ef35:
  * Mount /dev/pts as mount type=devpts instead of --volume
  * fix typo creat -> create
  * Remove trailing whitespace
  * Fix bash error when container cannot be pulled

==== vulkan-loader ====
Version update (1.3.261.0 -> 1.3.268.0)
- Update to release SDK-1.3.268.0
  * Add VK_LOADER_LAYERS_ALLOW environment variable.
  * Add Debug extension support to test layer

==== vulkan-tools ====
Version update (1.3.261.0 -> 1.3.268.0)
- Update to release SDK-1.3.268.0
  * icd: Add VkSurfacePresentModeCompatibilityEXT support
  * icd: Add second VkCooperativeMatrixPropertiesKHR field
  * vulkaninfo: Support VK_EXT_surface_maintenance1 properly
  * icd: Add VkPhysicalDeviceDriverProperties

==== webrtc-audio-processing ====
- ExcludeArch s390, s390x and ppc64 since big endian support is not
  implemented.

==== wireplumber ====
Subpackages: libwireplumber-0_4-0 wireplumber-audio
- Add patch from upstream that fixes too many matches for property interest:
  * 0001-object-manager-reduce-the-amount-of-globals-that-initially.patch
- Add patch from upstream that fixes an odd failure of a test after applying
  the previous patch:
  * 0002-object-manager-use-an-idle-callback-to-expose-tmp-globals.patch
- Add patch from upstream that adds the ability to hide parent nodes, which
  is useful to prevent hardware misuse or damage by poorly behaved or
  misconfigured clients:
  * 0001-policy-dsp-add-ability-to-hide-parent-nodes.patch
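The qpdf 11.6.3 entry above describes a data-loss bug in the handling of PDF literal-string octal escapes: after a one- or two-digit escape such as `\53`, the next byte is an ordinary character and must be kept. The decoder below is an added illustration written for this page, not qpdf's code. It assumes the caller has already tokenized the parenthesised string and passes in the whole `(...)` token, and it follows the literal-string escape rules of the PDF specification (named escapes, backslash line continuation, one to three octal digits with overflow truncated to a byte). The `drop_after_short_octal` flag reproduces the described bug for comparison; the sample tokens in the demonstration are constructed.

```python
"""Decode PDF literal strings without losing the byte after a short octal escape.

Added illustration for the qpdf 11.6.3 changelog entry; this is not qpdf's
code.  A PDF literal string is delimited by ( and ).  Inside it a backslash
introduces a named escape (\\n \\r \\t \\b \\f \\( \\) \\\\), a line
continuation (backslash followed by end-of-line), or an octal escape \\ddd
with one to three octal digits.  After a one- or two-digit octal escape the
very next byte is an ordinary character and must be emitted, not skipped.
"""

NAMED_ESCAPES = {
    ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t",
    ord("b"): b"\b", ord("f"): b"\f",
    ord("("): b"(", ord(")"): b")", ord("\\"): b"\\",
}


def decode_pdf_literal_string(token, drop_after_short_octal=False):
    """Return the bytes encoded by a literal string token such as b'(\\53A)'.

    token: the complete parenthesised token (bytes), as a tokenizer would
           hand it over; balanced inner parentheses are kept as data.
    drop_after_short_octal: when True, reproduce the data-loss behaviour the
           qpdf 11.6.3 changelog describes (the byte after an octal escape
           of fewer than three digits is swallowed).  Default is correct.
    """
    if len(token) < 2 or token[:1] != b"(" or token[-1:] != b")":
        raise ValueError("not a parenthesised literal string")
    body = token[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c != 0x5C:                      # not a backslash: plain data
            out.append(c)
            i += 1
            continue
        i += 1                             # skip the backslash
        if i >= len(body):
            break                          # lone trailing backslash: ignored
        c = body[i]
        if c in NAMED_ESCAPES:
            out += NAMED_ESCAPES[c]
            i += 1
        elif c in (0x0D, 0x0A):            # backslash + EOL: line continuation
            i += 1
            if c == 0x0D and i < len(body) and body[i] == 0x0A:
                i += 1                     # CRLF counts as one EOL
        elif 0x30 <= c <= 0x37:            # octal escape: up to three digits
            j = i
            while j < len(body) and j - i < 3 and 0x30 <= body[j] <= 0x37:
                j += 1
            out.append(int(body[i:j], 8) & 0xFF)   # high-order overflow ignored
            if drop_after_short_octal and j - i < 3 and j < len(body):
                j += 1                     # the bug: swallow the following byte
            i = j
        else:
            out.append(c)                  # unknown escape: backslash is dropped
            i += 1
    return bytes(out)


def decoded_length_differs(token):
    """True when the buggy decoder would change the string's length.

    For binary strings such as /ID, a changed length is the observable
    symptom of the data loss the changelog describes.
    """
    return len(decode_pdf_literal_string(token)) != len(
        decode_pdf_literal_string(token, drop_after_short_octal=True))


if __name__ == "__main__":
    # Constructed sample: "+A" written with a two-digit octal escape for '+'.
    sample = rb"(\53A)"
    print(decode_pdf_literal_string(sample))                               # b'+A'
    print(decode_pdf_literal_string(sample, drop_after_short_octal=True))  # b'+'
    print(decoded_length_differs(sample))                                  # True
```

`decoded_length_differs` is the check a practitioner would run across the strings of a document written by an unknown producer: a three-digit escape (`\0053`) decodes identically either way, while any short escape followed by more data exposes the bug as a length change.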