Packages changed:
  ImageMagick (7.1.0.51 -> 7.1.0.52)
  bash (5.2.2 -> 5.2.9)
  dhcp
  elfutils
  elfutils-debuginfod
  fwupd (1.8.6 -> 1.8.7)
  icewm (3.0.1 -> 3.2.0)
  irqbalance
  jhead
  kernel-source (6.0.7 -> 6.0.8)
  lcms2 (2.13.1 -> 2.14)
  libX11 (1.8.1 -> 1.8.2)
  libslirp
  ovmf
  postgresql15 (15.0 -> 15.1)
  python
  python-base
  python-pytz (2022.5 -> 2022.6)
  python-testtools
  python-unicodedata2 (14.0.0 -> 15.0.0)
  python-zope.interface (5.5.0 -> 5.5.1)
  python310
  python310-core
  quagga
  rpm
  shadow (4.12.3 -> 4.13)

=== Details ===

==== ImageMagick ====
Version update (7.1.0.51 -> 7.1.0.52)
Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- update to 7.1.0.52:
  * coders: Enable opening https files in mingw #5727
  * utilities: Enable support for unicode paths in mingw #5713
  upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#710-52---2022-11-06

==== bash ====
Version update (5.2.2 -> 5.2.9)
Subpackages: bash-doc bash-lang bash-sh

- Add upstream patches
  * bash52-003 Command substitutions need to preserve newlines instead of replacing them with semicolons, especially in the presence of multiple here-documents.
  * bash52-004 Bash needs to keep better track of nested brace expansions to avoid problems with quoting and POSIX semantics.
  * bash52-005 Null pattern substitution replacement strings can cause a crash.
  * bash52-006 In interactive shells, interrupting the shell while entering a command substitution can inhibit alias expansion.
  * bash52-007 This patch fixes several problems with alias expansion inside command substitutions when in POSIX mode.
  * bash52-008 Array subscript expansion can inappropriately quote brackets if the expression contains < or >.
  * bash52-009 Bash arithmetic expansion should allow `@' and `*' to be used as associative array keys in expressions.

==== dhcp ====
Subpackages: dhcp-relay dhcp-server

- Use %_rundir

==== elfutils ====
Subpackages: elfutils-lang libasm1 libdw1 libelf1

- align patches section
- remove date/time handling weirdness, elfutils does no longer use __DATE__ or __TIME__ (as proven by the newly added -Werror=date-time)

==== elfutils-debuginfod ====
Subpackages: debuginfod-profile libdebuginfod1

- align patches section
- remove date/time handling weirdness, elfutils does no longer use __DATE__ or __TIME__ (as proven by the newly added -Werror=date-time)

==== fwupd ====
Version update (1.8.6 -> 1.8.7)
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0

- Update to version 1.8.7:
  + This release adds the following features:
    - Add a new HSI check for the leaked Lenovo 'Key Manifest' hashes
    - Measure system integrity when installing UEFI updates
    - Record more host DMI data when submitting a report for dbx failures
    - Use xz-compressed metadata to reduce bandwidth used by ~25%
  + This release fixes the following bugs:
    - Add documentation for three existing HSI attributes
    - Add re-insert requirement for Analogix devices
    - Allow parsing metadata more than 1MB in size
    - Do not follow symlinks when searching for ESP devices
    - Ensure the config file permission is correct for built-in plugins
    - Fix a compile failure when compiling without efiboot
    - Fix a regression when using fwuptool install-blob with FMAP firmware
    - Only count the Microsoft hashes when getting the dbx version
    - Only use the IFD when the system is Intel-based
    - Support loading CoSWID when only one role has been set
  + This release adds support for the following hardware:
    - Anker Thunderbolt 4 Mini Hub
    - ELAN haptic hardware
    - Fingerprint lenfy devices
    - Goodix GF3258WNC
    - Intel discrete GPUs (experimental)
    - More Star Labs laptops
    - QSI Godzilla Creek Reference Hub
- Stop passing conditional plugin_amt=disabled, no longer needed, nor recognized.

==== icewm ====
Version update (3.0.1 -> 3.2.0)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite

- Update to version 3.2.0:
  * Fix for fullscreen wine programs where taskbar would not hide.
  * Ensure KeySysWinNext and KeySysWinPrev always work for rolled up windows which use the Globally Active focus model.
  * Give the Alt+Tab a 30 second history.
  * The next Alt+Tab will continue where the previous one left off.
  * Add "tabto" command to icesh move windows as tabs to a new frame.
  * Add "untab" command to icesh to move each tab to its own frame.
  * Add "stacking" and "reverse" commands to icesh.
  * Let icesh check all atoms in the -Property filter.
  * Support edge switching when dragging a window.
  * When switching to a tab with size limitations, adapt the frame geometry.
  * Fix maximize and fullscreen for tabs with different normal sizes.
  * Prevent the flashing when switching tabs.
  * Only popup the grouping menu on a task button on the first button click without key modifiers. This makes it easier to immediately select or minimize the active application by using the shift or control modifier.
  * Update the title bar shape when changing tabs.
  * Set common properties when adding another tab to a frame.
  * Always update the window list and _NET_CLIENT_LIST when adding more tabs.
  * Add special filtered view and flat rendering options to icewm-menu-fdo.
  * Updated translations.
- from version 3.1.0:
  * Add a winoption "frame" to automatically group application windows with the same "frame" value as tabs in a single frame.
  * Show indicators for the presence of tabs on the title bar.
  * Click on the title bar tab indicators to change tabs.
  * Give each tab its own set of winoptions.
  * Fix for merging a transient window as a tab to its owner window.
  * Preserve tray hints across restarts.
  * Preserve tabs across restarts.
  * Improve the Alt+Tab for tabbed frames.
  * When switching tabs, ensure that focus is preserved.
  * Add a MouseWinTabbing preference to merge tabs.
  * Let the window list support tabs.
  * Various improvements to the CMake build.
  * Updated translations.

==== irqbalance ====
Subpackages: irqbalance-ui

- add irqbalance-systemd-netlink.patch (related to bsc#1205308)

==== jhead ====

- Added jhead-CVE-2021-34055.patch
  * Fix out of bounds write in ClearOrientation() due to unchecked error
  * [bsc#1205167]
  * CVE-2021-34055

==== kernel-source ====
Version update (6.0.7 -> 6.0.8)

- Linux 6.0.8 (bsc#1012628).
- usb: dwc3: gadget: Force sending delayed status during soft disconnect (bsc#1012628).
- usb: dwc3: gadget: Don't delay End Transfer on delayed_status (bsc#1012628).
- RDMA/cma: Use output interface for net_dev check (bsc#1012628).
- IB/hfi1: Correctly move list in sc_disable() (bsc#1012628).
- RDMA/hns: Disable local invalidate operation (bsc#1012628).
- RDMA/hns: Fix NULL pointer problem in free_mr_init() (bsc#1012628).
- docs/process/howto: Replace C89 with C11 (bsc#1012628).
- RDMA/rxe: Fix mr leak in RESPST_ERR_RNR (bsc#1012628).
- NFSv4: Fix a potential state reclaim deadlock (bsc#1012628).
- NFSv4.1: Handle RECLAIM_COMPLETE trunking errors (bsc#1012628).
- NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot (bsc#1012628).
- SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed (bsc#1012628).
- NFSv4.2: Fixup CLONE dest file size for zero-length count (bsc#1012628).
- nfs4: Fix kmemleak when allocate slot failed (bsc#1012628).
- net: dsa: Fix possible memory leaks in dsa_loop_init() (bsc#1012628).
- RDMA/core: Fix null-ptr-deref in ib_core_cleanup() (bsc#1012628).
- RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() (bsc#1012628).
- tools/nolibc: Fix missing strlen() definition and infinite loop with gcc-12 (bsc#1012628).
- net: dsa: fall back to default tagger if we can't load the one from DT (bsc#1012628).
- nfc: fdp: Fix potential memory leak in fdp_nci_send() (bsc#1012628).
- nfc: nxp-nci: Fix potential memory leak in nxp_nci_send() (bsc#1012628).
- nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() (bsc#1012628).
- nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() (bsc#1012628).
- net: fec: fix improper use of NETDEV_TX_BUSY (bsc#1012628).
- ata: pata_legacy: fix pdc20230_set_piomode() (bsc#1012628).
- ata: palmld: fix return value check in palmld_pata_probe() (bsc#1012628).
- net: sched: Fix use after free in red_enqueue() (bsc#1012628).
- net: tun: fix bugs for oversize packet when napi frags enabled (bsc#1012628).
- netfilter: nf_tables: netlink notifier might race to release objects (bsc#1012628).
- netfilter: nf_tables: release flow rule object from commit path (bsc#1012628).
- sfc: Fix an error handling path in efx_pci_probe() (bsc#1012628).
- nfsd: fix nfsd_file_unhash_and_dispose (bsc#1012628).
- nfsd: fix net-namespace logic in __nfsd_file_cache_purge (bsc#1012628).
- net: lan966x: Fix the MTU calculation (bsc#1012628).
- net: lan966x: Adjust maximum frame size when vlan is enabled/disabled (bsc#1012628).
- net: lan966x: Fix FDMA when MTU is changed (bsc#1012628).
- net: lan966x: Fix unmapping of received frames using FDMA (bsc#1012628).
- ipvs: use explicitly signed chars (bsc#1012628).
- ipvs: fix WARNING in __ip_vs_cleanup_batch() (bsc#1012628).
- ipvs: fix WARNING in ip_vs_app_net_cleanup() (bsc#1012628).
- rose: Fix NULL pointer dereference in rose_send_frame() (bsc#1012628).
- mISDN: fix possible memory leak in mISDN_register_device() (bsc#1012628).
- isdn: mISDN: netjet: fix wrong check of device registration (bsc#1012628).
- btrfs: fix inode list leak during backref walking at resolve_indirect_refs() (bsc#1012628).
- btrfs: fix inode list leak during backref walking at find_parent_nodes() (bsc#1012628).
- btrfs: fix ulist leaks in error paths of qgroup self tests (bsc#1012628).
- netfilter: ipset: enforce documented limit to prevent allocating huge memory (bsc#1012628).
- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu (bsc#1012628).
- Bluetooth: hci_conn: Fix CIS connection dst_type handling (bsc#1012628).
- Bluetooth: virtio_bt: Use skb_put to set length (bsc#1012628).
- Bluetooth: L2CAP: Fix memory leak in vhci_write (bsc#1012628).
- Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect (bsc#1012628).
- net: mdio: fix undefined behavior in bit shift for __mdiobus_register (bsc#1012628).
- ibmvnic: Free rwi on reset success (bsc#1012628).
- stmmac: dwmac-loongson: fix invalid mdio_node (bsc#1012628).
- net/smc: Fix possible leaked pernet namespace in smc_init() (bsc#1012628).
- net, neigh: Fix null-ptr-deref in neigh_table_clear() (bsc#1012628).
- bridge: Fix flushing of dynamic FDB entries (bsc#1012628).
- ipv6: fix WARNING in ip6_route_net_exit_late() (bsc#1012628).
- vsock: fix possible infinite sleep in vsock_connectible_wait_data() (bsc#1012628).
- iio: adc: stm32-adc: fix channel sampling time init
... changelog too long, skipping 246 lines ...
- commit 0d318d5

==== lcms2 ====
Version update (2.13.1 -> 2.14)

- Added reverse-0001-fix-memory-leaks-on-testbed.patch to fix colord's i586 build failure
- Update to 2.14:
  * lcms2 now implements ICC specification 4.4
  * New multi-threaded plug-in
  * Several fixes to keep fuzzers happy
  * Removed check on DLL when CMS_NO_REGISTER_KEYWORD is used
  * Added more validation against broken profiles
  * Added more help to several tools
  * Revised documentation

==== libX11 ====
Version update (1.8.1 -> 1.8.2)
Subpackages: libX11-6 libX11-6-32bit libX11-data libX11-xcb1

- Update to version 1.8.2
  * This is primarily a bug fix release, including further work on improving the thread-safety-constructor and making it work with software which had incorrectly called libX11 functions from inside X*IfEvent() calls.
- supersedes U_fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch

==== libslirp ====

- added patches
  fix https://gitlab.freedesktop.org/slirp/libslirp/-/issues/64
  + libslirp-semicolon.patch

==== ovmf ====
Subpackages: qemu-ovmf-x86_64

- Change the size of ovmf-x86_64 back to 2MB, and remove EFI shell to reduce the fv image size.
  - Originally the reason of changing the size of ovmf-x86_64 to 4MB is for preventing OBS exposes the following error:
    [ 266s] GenFv: ERROR 3000: Invalid
    [ 266s] the required fv image size 0x1afed8 exceeds the set fv image size 0x1ac000
    The fv image size is too big.
    But we found that change ovmf-x86_64 to 4MB causes live migration problem on qemu. (bsc#1204220)
  - So let's change the size of ovmf_x86_64 back to 2MB and remove EFI shell to reduce the fv image size. If user wants to use EFI shell, they should move to ovmf-x86_64-4m image. So we add the "-D EXCLUDE_SHELL" build option to ovmf-x86_64 flavor in ovmf.spec. (bsc#1204220)

==== postgresql15 ====
Version update (15.0 -> 15.1)
Subpackages: libpq5 postgresql15-contrib postgresql15-llvmjit postgresql15-server

- Update to 15.1:
  * https://www.postgresql.org/about/news/2543/
  * https://www.postgresql.org/docs/15/release-15-1.html

==== python ====

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.

==== python-base ====
Subpackages: libpython2_7-1_0 python-xml

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.

==== python-pytz ====
Version update (2022.5 -> 2022.6)

- Update to 2022.6
  * IANA 2022f
  * Squashed 'tz/' changes from c4eb3fcf2..623631d84
  * Upgrade unittest asserts
  * Bump GitHub Actions
  * Add support for Python 3.11

==== python-testtools ====

- silent rpmlint - python-six is not required

==== python-unicodedata2 ====
Version update (14.0.0 -> 15.0.0)

- Update to 15.0.0
  * Upgrade to Unicode 15.0.0

==== python-zope.interface ====
Version update (5.5.0 -> 5.5.1)

- Update to version 5.5.1
  * Add support for final Python 3.11 release.

==== python310 ====
Subpackages: python310-curses python310-dbm python310-tk

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.

==== python310-core ====
Subpackages: libpython3_10-1_0 python310-base

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.

==== quagga ====
Subpackages: libospf0 libospfapiclient0 libzebra1

- Remove attempts to correct configuration file ownership and permissions in service files, that may lead to local privilege escalation from quagga to root (bsc#1191890,CVE-2021-44038). [+ remove-chown-chmod.service.patch]
- Correct hardening patches adding ReadWritePaths=/etc/quagga
- Add update-messages that quagga is not developed for years, is about to get dropped from Factory/Tumbleweed soon and users should migrate to FRR (https://frrouting.org/).

==== rpm ====
Subpackages: librpmbuild9

- Add selinux_transactional_update.patch to ignore errors when setting file labels during transactional updates.
  They will be set upon reboot once the new policy is loaded (bsc#1204605)

==== shadow ====
Version update (4.12.3 -> 4.13)
Subpackages: libsubid4 login_defs

- Update to 4.13:
  * useradd.8: fix default group ID
  * Revert drop of subid_init()
  * Georgian translation
  * useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
  * relax username restrictions
  * selinux: check MLS enabled before setting serange
  * copy_tree: use fchmodat instead of chmod
  * copy_tree: don't block on FIFOs
  * add shell linter
  * copy_tree: carefully treat permissions
  * lib/commonio: make lock failures more detailed
  * lib: use strzero and memzero where applicable
  * Update Dutch translation
  * Don't test for NULL before calling free
  * Use libc MAX() and MIN()
  * chage: Fix regression in print_date
  * usermod: report error if homedir does not exist
  * libmisc: minimum id check for system accounts
  * fix usermod -rG x y wrongly adding a group
  * man: add missing space in useradd.8.xml
  * lastlog: check for localtime() return value
  * Raise limit for passwd and shadow entry length
  * Remove adduser-old.c
  * useradd: Fix buffer overflow when using a prefix
  * Don't warn when failed to open /etc/nsswitch.conf
- Remove patches we took from upstream pre-release:
  * shadow-copytree-usermod-fifo.patch
  * shadow-chage-format.patch
  * shadow-prefix-overflow.patch
- Remove chkname-regex.patch: Upstream now also relaxed the usernames requirements. They don't use regex for this but the result is similar. Plus they also check that the name is less than 32 characters long.
- Rebase useradd-userkeleton.patch