Packages changed:
  MozillaFirefox (122.0.1 -> 123.0)
  c-ares (1.26.0 -> 1.27.0)
  cdparanoia
  chrony (4.4 -> 4.5)
  containerd
  cronie
  dhcp
  dmidecode
  docbook_4
  docker
  dump
  fcitx
  fcitx-chewing
  fcitx-configtool
  fcitx-zhuyin
  fcoe-utils
  fltk
  gcin
  giflib (5.2.1 -> 5.2.2)
  git (2.43.2 -> 2.44.0)
  gnutls
  libksba (1.6.5 -> 1.6.6)
  libunistring (1.1 -> 1.2)
  mokutil
  mozilla-nss
  multipath-tools (0.9.8~1+82+suse.dcd98a3 -> 0.9.8+83+suse.bcae610)
  npth (1.6 -> 1.7)
  openssh (9.3p2 -> 9.6p1)
  openssh-askpass-gnome (9.3p2 -> 9.6p1)
  openvpn
  podman
  python-PyYAML
  sazanami-fonts
  sha1collisiondetection
  sof-firmware
  sord
  soundtouch
  speex
  susepaste
  syslogd
  system-config-printer
  sysvinit
  thin-provisioning-tools (1.0.11 -> 1.0.12)
  tigervnc
  usbutils
  vlc
  xauth
  xdm
  xf86-input-evdev
  xf86-input-vmmouse
  xf86-input-wacom
  xf86-video-vesa
  xinit
  xkeyboard-config
  xorg-x11-server
  xrandr
  yast2-trans (84.87.20240219.f6e4117fe0 -> 84.87.20240224.f7ab2886c1)

=== Details ===

==== MozillaFirefox ====
Version update (122.0.1 -> 123.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 123.0
  https://www.mozilla.org/en-US/firefox/123.0/releasenotes/
  MFSA 2024-05 (bsc#1220048)
  * CVE-2024-1546 (bmo#1843752) Out-of-bounds memory read in networking channels
  * CVE-2024-1547 (bmo#1877879) Alert dialog could have been spoofed on another site
  * CVE-2024-1554 (bmo#1816390) fetch could be used to effect cache poisoning
  * CVE-2024-1548 (bmo#1832627) Fullscreen Notification could have been hidden by select element
  * CVE-2024-1549 (bmo#1833814) Custom cursor could obscure the permission dialog
  * CVE-2024-1550 (bmo#1860065) Mouse cursor re-positioned unexpectedly could have led to unintended permission grants
  * CVE-2024-1551 (bmo#1864385) Multipart HTTP Responses would accept the Set-Cookie header in response parts
  * CVE-2024-1555 (bmo#1873223) SameSite cookies were not properly respected when opening a website from an external browser
  * CVE-2024-1556 (bmo#1870414) Invalid memory access in the built-in profiler
  * CVE-2024-1552 (bmo#1874502) Incorrect code generation on 32-bit ARM devices
  * CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498, bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597, bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795, bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286) Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8
  * CVE-2024-1557 (bmo#1746471, bmo#1848829, bmo#1864011, bmo#1869175, bmo#1869455, bmo#1869938, bmo#1871606) Memory safety bugs fixed in Firefox 123
- requires NSS 3.97

==== c-ares ====
Version update (1.26.0 -> 1.27.0)

- c-ares 1.27.0
  Security:
  * Moderate. CVE-2024-25629. Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash. GHSA-mg26-v6qh-x48q (CVE-2024-25629, bsc#1220279)
  Features:
  * New function ares_queue_active_queries() to retrieve number of in-flight queries. PR #712
  * New function ares_queue_wait_empty() to wait for the number of in-flight queries to reach zero. PR #710
  * New ARES_FLAG_NO_DEFLT_SVR for ares_init_options() to return a failure if no DNS servers can be found rather than attempting to use 127.0.0.1. This also introduces a new ares status code of ARES_ENOSERVER. PR #713
  Changes:
  * EDNS Packet size should be 1232 as per DNS Flag Day. PR #705
  Bugfixes:
  * Fix warning due to ignoring return code of write(). PR #709
  * CMake: don't override target output locations if not top-level. Issue #708
  * Fix building c-ares without thread support. PR #700

==== cdparanoia ====
Subpackages: libcdda_interface0 libcdda_paranoia0

- Use %patch -P N instead of deprecated %patchN.

==== chrony ====
Version update (4.4 -> 4.5)
Subpackages: chrony-pool-openSUSE

- Use %patch -P N instead of deprecated %patchN.
- Update to version 4.5:
  * Add support for AES-GCM-SIV in GnuTLS
  * Add support for corrections from PTP transparent clocks
  * Add support for systemd socket activation
  * Fix presend in interleaved mode
  * Fix reloading of modified sources from sourcedir

==== containerd ====

- Use %patch -P N instead of deprecated %patchN.

==== cronie ====
Subpackages: cron

- Use %patch -P N instead of deprecated %patchN.

==== dhcp ====
Subpackages: dhcp-client

- Use %patch -P N instead of deprecated %patchN.

==== dmidecode ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== docbook_4 ====

- Use %patch -P N instead of deprecated %patchN.

==== docker ====
Subpackages: docker-bash-completion docker-rootless-extras

- Allow to disable apparmor support (ALP supports only SELinux)

==== dump ====

- Use %patch -P N instead of deprecated %patchN.

==== fcitx ====
Subpackages: fcitx-branding-openSUSE fcitx-gtk2 fcitx-gtk3 fcitx-pinyin fcitx-table fcitx-table-cn-wubi fcitx-table-cn-wubi-pinyin libfcitx-config4 libfcitx-core0 libfcitx-gclient1 libfcitx-utils0

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== fcitx-chewing ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== fcitx-configtool ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== fcitx-zhuyin ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== fcoe-utils ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== fltk ====

- Use %patch -P N instead of deprecated %patchN.

==== gcin ====
Subpackages: gcin-gtk2 gcin-gtk3 gcin-qt5 libgcin-im-client1

- Use %autosetup macro. Allows to eliminate the usage of deprecated %patchN.

==== giflib ====
Version update (5.2.1 -> 5.2.2)

- Update to version 5.2.2
  * Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
  * Address SF issue #138 Documentation for obsolete utilities still installed
  * Address SF issue #139: Typo in "LZW image data" page ("110_2 = 4_10")
  * Address SF issue #140: Typo in "LZW image data" page ("LWZ")
  * Address SF issue #141: Typo in "Bits and bytes" page ("filed")
  * Note as already fixed SF issue #143: cannot compile under mingw
  * Address SF issue #144: giflib-5.2.1 cannot be build on windows and other platforms using c89
  * Address SF issue #145: Remove manual pages installation for binaries that are not installed too
  * Address SF issue #146: [PATCH] Limit installed man pages to binaries, move giflib to section 7
  * Address SF issue #147 [PATCH] Fixes to doc/whatsinagif/ content
  * Address SF issue #148: heap Out of Bound Read in gif2rgb.c:298 DumpScreen2RGB
  * Declared no-info on SF issue #150: There is a denial of service vulnerability in GIFLIB 5.2.1
  * Declared Won't-fix on SF issue 149: Out of source builds no longer possible
  * Address SF issue #151: A heap-buffer-overflow in gif2rgb.c:294:45
  * Address SF issue #152: Fix some typos on the html documentation and man pages
  * Address SF issue #153: Fix segmentation faults due to non correct checking for args
  * Address SF issue #154: Recover the giffilter manual page
  * Address SF issue #155: Add gifsponge docs
  * Address SF issue #157: An OutofMemory-Exception or Memory Leak in gif2rgb
  * Address SF issue #158: There is a null pointer problem in gif2rgb
  * Address SF issue #159 A heap-buffer-overflow in GIFLIB5.2.1 DumpScreen2RGB() in gif2rgb.c:298:45
  * Address SF issue #163: detected memory leaks in openbsd_reallocarray giflib/openbsd-reallocarray.c
  * Address SF issue #164: detected memory leaks in GifMakeMapObject giflib/gifalloc.c
  * Address SF issue #166: a read zero page leads segment fault in getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
  * Address SF issue #167: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function at Line 321 of gif2rgb.c
- Added patch:
  * giflib-5.2.2-no-imagemagick.patch
    + do not use ImageMagick to resize one gif file. It creates a build cycle.
  * 0001-Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
    + upstream fix for CVE-2021-40633 (bsc#1200551)
- Modified patches:
  * PIE.patch
  * reproducible.patch
    + rediff to changed context

==== git ====
Version update (2.43.2 -> 2.44.0)

- update to 2.44.0:
  * "git checkout -B " no longer allows switching to a branch that is in use on another worktree. The users need to use "--ignore-other-worktrees" option.
  * Faster server-side rebases with git replay
  * Faster pack generation with multi-pack reuse
  * rebase auto-squashing now works in non-interactive mode
  * pathspec now understands attr, e.g. ':(attr:~binary) for selecting non-binaries, or builtin_objectmode for selecting items by file mode or other properties
  * Many other cli UI and internal improvements and extensions

==== gnutls ====

- Remove some if..endif that do not affect any result
- Split documentation (some 1100 files) to separate subpackage

==== libksba ====
Version update (1.6.5 -> 1.6.6)

- Update to 1.6.6:
  * Fix a possible wrong error return from the DER builder. [T6992]
  * Release-info: https://dev.gnupg.org/T7009
  * Update upstream libksba.keyring

==== libunistring ====
Version update (1.1 -> 1.2)

- update to 1.2:
  * Support Unicode 15.1.0
  * Improve UTF-8 decoder Unicode Standard compliance
  * The *printf functions no longer support the %n directive, for security reasons.
  * Fixed a bug in the *printf functions: In the %U, %lU, %llU directives, a negative width given as an argument did not trigger left-justification.
  * The functions u16_strstr and u32_strstr now operate in worst-case linear time.
  * Useful API function extensions

==== mokutil ====

- Use %patch -P N instead of deprecated %patchN.

==== mozilla-nss ====
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit

- Use %patch -P N instead of deprecated %patchN.

==== multipath-tools ====
Version update (0.9.8~1+82+suse.dcd98a3 -> 0.9.8+83+suse.bcae610)
Subpackages: kpartx libmpath0

- Remove libmpathpersist-example-old.c, which has been obsolete since multipath-tools 0.8.6.
- Update to version 0.9.8+83+suse.bcae610 (bsc#1220374)
  * multipath-tools: added NEWS.md

==== npth ====
Version update (1.6 -> 1.7)

- Update to 1.7:
  * The npth-config command is not installed by default, because it is now replaced by use of pkg-config/gpgrt-config with npth.pc. Supply --enable-install-npth-config configure option, if needed.
  * Support for legacy systems w/o pthread_rwlock_t support. [T4306]
  * New functions npth_poll and npth_ppoll for Unix. [T5748]
  * Fixes to improve support for 64 bit Windows.
  * Fix declaration conflict using newer mingw versions. [T5889]
  * Fix build problems on Solaris 11. [T4491]
  * Fix detecting of the pthread library. [rPTH6629a4b801]
  * Clean up handling of unsafe semaphores on AIX. [T6947]
  * Link without -flat_namespace to support macOS 11. [T5610]
  * Release-info: https://dev.gnupg.org/T7010
  * Update spec file
  * Update upstream npth.keyring

==== openssh ====
Version update (9.3p2 -> 9.6p1)
Subpackages: openssh-clients openssh-common openssh-server

- Update to openssh 9.6p1:
  = Security
    * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
    * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected.
    * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
    * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification.
  = New features
    * ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610
    * ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels.
    * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported.
    * ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block.
    * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case.
  = Bugfixes
    * ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active.
    * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531
    * ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326
    * sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message.
    * A number of fixes to the PuTTY and Dropbear regress/integration tests.
    * ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982
    * ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080
    * scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode.
    * ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support.
- Update to openssh 9.5p1:
  = Potentially incompatible changes
    * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014).
    * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected.
  = New features
    * ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.
    * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".

... changelog too long, skipping 104 lines ...

  * openssh-8.0p1-gssapi-keyex.patch

==== openssh-askpass-gnome ====
Version update (9.3p2 -> 9.6p1)

- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for details.

==== openvpn ====
Subpackages: openvpn-auth-pam-plugin

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== podman ====

- Allow to disable apparmor support (ALP supports only SELinux)

==== python-PyYAML ====

- Switch to pyproject and autosetup macros.
- Drop patch setuptools.patch, we can now cope.

==== sazanami-fonts ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== sha1collisiondetection ====

- Use %patch -P N instead of deprecated %patchN.

==== sof-firmware ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== sord ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== soundtouch ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== speex ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== susepaste ====
Subpackages: susepaste-screenshot

- Use %patch -P N instead of deprecated %patchN.

==== syslogd ====

- Use %patch -P N instead of deprecated %patchN.

==== system-config-printer ====
Subpackages: python3-cupshelpers system-config-printer-common system-config-printer-common-lang system-config-printer-dbus-service udev-configure-printer

- remove dependency on /usr/bin/python3 using %python3_fix_shebang_path macro, [bsc#1212476]

==== sysvinit ====

- Use %patch -P N instead of deprecated %patchN.

==== thin-provisioning-tools ====
Version update (1.0.11 -> 1.0.12)

- Update to version 1.0.12:
  * [thin_dump] Do not print error messages on BrokenPipe (EPIPE)
  * Bump version to 1.0.12
  * [build] Update dependencies
  * [commands] Fix version string compatibility issue with LVM
  * [thin_dump] Do not print error messages on BrokenPipe (EPIPE)
  * [build] Update license to SPDX identifier

==== tigervnc ====
Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module

- remove dependency on /usr/bin/python3 using %python3_fix_shebang macro, [bsc#1212476]

==== usbutils ====

- remove dependency on /usr/bin/python3 using %python3_fix_shebang macro, [bsc#1212476]

==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX

- Add vlc-taglib-2.0.patch: Fix build against taglib 2.0 (based on upstream commit ec29dfca, d2663d6c, ac59d0ba, c404fdb2).
- Use %patch -P N instead of deprecated %patchN.

==== xauth ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== xdm ====

- Use %patch -P N instead of deprecated %patchN.

==== xf86-input-evdev ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== xf86-input-vmmouse ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== xf86-input-wacom ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== xf86-video-vesa ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== xinit ====

- Use %patch -P N instead of deprecated %patchN.
- revert previous change; cpp is not needed for xinit, but only for xdm package
- since xrdb no longer requires cpp, it needs to be required here now

==== xkeyboard-config ====
Subpackages: xkeyboard-config-lang

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== xorg-x11-server ====
Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra

- Use %patch -P N instead of deprecated %patchN.

==== xrandr ====

- Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.

==== yast2-trans ====
Version update (84.87.20240219.f6e4117fe0 -> 84.87.20240224.f7ab2886c1)
Subpackages: yast2-trans-cs yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-fr yast2-trans-hu yast2-trans-it yast2-trans-ja yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ru yast2-trans-zh_CN yast2-trans-zh_TW

- Update to version 84.87.20240224.f7ab2886c1:
  * Translated using Weblate (Ukrainian)
  * Translated using Weblate (Ukrainian)
  * Translated using Weblate (Ukrainian)
  * Translated using Weblate (Catalan)
  * Translated using Weblate (Catalan)
  * Translated using Weblate (Catalan)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Spanish)