Packages changed: avahi btrfsprogs (5.15 -> 5.16) busybox (1.34.1 -> 1.35.0) flatpak (1.12.2 -> 1.12.3) frameworkintegration gdm (41.0 -> 41.3) ghostscript gnome-session (40.1.1 -> 41.3) grub2 iproute2 (5.15 -> 5.16) libqt5-qtwebengine (5.15.7 -> 5.15.8) nautilus (41.1 -> 41.2) patterns-base perl-HTTP-Message (6.35 -> 6.36) podman poppler (21.12.0 -> 22.01.0) poppler-qt5 (21.12.0 -> 22.01.0) qemu yast2 (4.4.34 -> 4.4.36) === Details === ==== avahi ==== Subpackages: libavahi-client3 libavahi-common3 libavahi-core7 - Move sftp-ssh and ssh services to the doc directory. They allow a host's up/down status to be easily discovered and should not be enabled by default (boo#1179060). ==== btrfsprogs ==== Version update (5.15 -> 5.16) Subpackages: btrfsprogs-udev-rules libbtrfs0 - Update to 5.16 * rescue: new subcommand clear-uuid-tree to fix failed mount due to bad uuid subvolume keys, caught by tree-checker * fi du: skip inaccessible files * prop: properly resolve to symlink targets * send, receive: fix crash after parent subvolume lookup errors * build: * fix build on 5.12+ kernels due to changes in linux/kernel.h * fix build on musl with old kernel headers * other: * error handling fixes, cleanups, refactoring * extent tree v2 preparatory work * lots of RST documentation updates (last release with asciidoc sources), https://btrfs.readthedocs.io - Update to 5.15.1 * fi usage: fix wrongly reported space of used or unallocated space * fix detection of block device discard capability * check: add more sanity checks for checksum items * build: make sphinx optional backend for documentation ==== busybox ==== Version update (1.34.1 -> 1.35.0) - Update to 1.35.0 - Adjust busybox.config for new features in find, date and cpio - Annotate CVEs already fixed in upstream, but not mentioned in .changes: * CVE-2017-16544 (bsc#1069412): Insufficient sanitization of filenames when autocompleting * CVE-2015-9261 (bsc#1102912): huft_build misuses a pointer, causing segfaults * CVE-2016-2147 (bsc#970663): out of bounds write (heap) due to integer underflow in udhcpc * CVE-2016-2148 (bsc#970662): heap-based buffer overflow in OPTION_6RD parsing * CVE-2016-6301 (bsc#991940): NTP server denial of service flaw * CVE-2017-15873 (bsc#1064976): The get_next_block function in archival/libarchive/decompress_bunzip2.c has an Integer Overflow * CVE-2017-15874 (bsc#1064978): archival/libarchive/decompress_unlzma.c has an Integer Underflow * CVE-2019-5747 (bsc#1121428): out of bounds read in udhcp components * CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386 (bsc#1192869) : v1.34.0 bugfixes - CVE-2021-28831 (bsc#1184522): invalid free or segmentation fault via malformed gzip data - CVE-2018-20679 (bsc#1121426): out of bounds read in udhcp - CVE-2018-1000517 (bsc#1099260): Heap-based buffer overflow in the retrieve_file_data() - CVE-2011-5325 (bsc#951562): tar directory traversal - CVE-2018-1000500 (bsc#1099263): wget: Missing SSL certificate validation ==== flatpak ==== Version update (1.12.2 -> 1.12.3) Subpackages: libflatpak0 system-user-flatpak - Update to 1.12.3: + CVE-2021-43860: a malicious repository could have sent invalid application metadata in a way that hides some of the app permissions displayed during installation (boo#1194610) + flatpak-builder could allow --mirror-screenshots-url commands to create directories outside of the build directory (boo#1194611) + Extra-data downloading now properly handles compressed content-encodings which fixes checksum verification + Note: In some corner case server setups this may require the extra-data checksum to be changed + Avoid unnecessary policy-kit dialog due to auto-pinning when installing runtimes + Better handling of updates of extensions that exist in multiple repositories + Fixed (initial) installation apps with renamed ids + Fixed regression in updates from no-enumerate remotes + We now verify checksums of summary caches, to better handle local file corruption + Improved cli output for non-terminal targets + Flatpak run --session-bus now works + Fix build with PyParsing >= 3.0.4 + Fixed "Since" annotations on FlatpakTransaction signals + bash auto completion now doesn't complete on command name aliases + Minor improvements to the search command + Minor improvements to the list command + Minor improvements to the repair command + Add more tests + Updated translations. - Drop support-new-pyparsing.patch: Fixed upstream. ==== frameworkintegration ==== Subpackages: frameworkintegration-plugin libKF5Style5 - Add upstream change to fix a regression in 5.90.0 (kde#448237) * 0001-Fix-wrong-porting-of-KNSCore-Engine-configSearchLoca.patch ==== gdm ==== Version update (41.0 -> 41.3) Subpackages: gdm-schema gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0 - Update to version 41.3: + Juggle Xorg's -listen/-nolisten command line change better. + Fix session type selection. + Fix crash. + Drop vestigial gdm-pin service. + XDMCP fixes. + Wayland nvidia udev updates. + Updated translations. - Rebase gdm-disable-wayland-on-mgag200-chipsets.patch. - Drop gdm-daemon-Infer-session-type-from-desktop-file.patch and gdm-restart-greeter-session-after-crash.patch: fixed upstream. ==== ghostscript ==== - CVE-2021-45949.patch fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml (bsc#1194304) - CVE-2021-45944 use-after-free in sampled_data_sample is already fixed in the Ghostscript 9.54.0 upstream sources (bsc#1194303) ==== gnome-session ==== Version update (40.1.1 -> 41.3) Subpackages: gnome-session-core gnome-session-default-session gnome-session-wayland - Update to version 41.3: + No changes, just version synching. - Changes from version 40.8: + data: Install GNOME on Wayland session for X11 preferred setups + Don't spew as much into log when falling back to non-systemd sessions + Work better with certain versions of meson + Correct screwed up check for gnome-shell + Various cleanups and leak fixes + Updated translations. - Rebase gnome-session-better-handle-empty-xdg_session_type.patch. - Drop gnome-session-exit-when-lost-name-on-bus.patch: no longer applicable. ==== grub2 ==== Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi - Power guest secure boot with static keys: GRUB2 signing portion (jsc#SLE-18271) (bsc#1192764) * 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch - Power guest secure boot with static keys: GRUB2 signing portion (jsc#SLE-18271) (bsc#1192764) * grub2.spec - Power guest secure boot with static keys: GRUB2 portion (jsc#SLE-18144) (bsc#1192686) * 0001-ieee1275-Drop-HEAP_MAX_ADDR-and-HEAP_MIN_SIZE-consta.patch * 0002-ieee1275-claim-more-memory.patch * 0003-ieee1275-request-memory-with-ibm-client-architecture.patch * 0004-Add-suport-for-signing-grub-with-an-appended-signatu.patch * 0005-docs-grub-Document-signing-grub-under-UEFI.patch * 0006-docs-grub-Document-signing-grub-with-an-appended-sig.patch * 0007-dl-provide-a-fake-grub_dl_set_persistent-for-the-emu.patch * 0008-pgp-factor-out-rsa_pad.patch * 0009-crypto-move-storage-for-grub_crypto_pk_-to-crypto.c.patch * 0010-posix_wrap-tweaks-in-preparation-for-libtasn1.patch * 0011-libtasn1-import-libtasn1-4.18.0.patch * 0012-libtasn1-disable-code-not-needed-in-grub.patch * 0013-libtasn1-changes-for-grub-compatibility.patch * 0014-libtasn1-compile-into-asn1-module.patch * 0015-test_asn1-test-module-for-libtasn1.patch * 0016-grub-install-support-embedding-x509-certificates.patch * 0017-appended-signatures-import-GNUTLS-s-ASN.1-descriptio.patch * 0018-appended-signatures-parse-PKCS-7-signedData-and-X.50.patch * 0019-appended-signatures-support-verifying-appended-signa.patch * 0020-appended-signatures-verification-tests.patch * 0021-appended-signatures-documentation.patch * 0022-ieee1275-enter-lockdown-based-on-ibm-secure-boot.patch * 0023-x509-allow-Digitial-Signature-plus-other-Key-Usages.patch - Fix no menuentry is found if hibernation on btrfs RAID1 (bsc#1193090) * grub2-systemd-sleep-plugin ==== iproute2 ==== Version update (5.15 -> 5.16) - remove routef from links; it doesn't exist anymore - update to 5.16: * devlink: Fix cmd_dev_param_set() to check configuration mode * ip: add AMT support * iplink_can: fix configuration ranges in print_usage() and add unit * tc: flower: Fix buffer overflow on large labels * ip/ipnexthop: fix unsigned overflow in parse_nh_group_type_res() * tc/m_vlan: fix print_vlan() conditional on TCA_VLAN_ACT_PUSH_ETH * iplink_can: add new CAN FD bittiming parameters: Transmitter Delay Compensation (TDC) ==== libqt5-qtwebengine ==== Version update (5.15.7 -> 5.15.8) - Update to version 5.15.8: * Update Chromium: [Backport] CVE-2021-3517: libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c [Backport] CVE-2021-3541 libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms [Backport] CVE-2021-37984 : Heap buffer overflow in PDFium [Backport] CVE-2021-37987 : Use after free in Network APIs [Backport] CVE-2021-37989 : Inappropriate implementation in Blink [Backport] CVE-2021-37992 : Out of bounds read in WebAudio [Backport] CVE-2021-37993 : Use after free in PDF Accessibility [Backport] CVE-2021-37996 : Insufficient validation of untrusted input in Downloads [Backport] CVE-2021-38001 : Type Confusion in V8 [Backport] CVE-2021-38003 : Inappropriate implementation in V8 [Backport] CVE-2021-38005: Use after free in loader (1/3) [Backport] CVE-2021-38005: Use after free in loader (2/3) [Backport] CVE-2021-38005: Use after free in loader (3/3) [Backport] CVE-2021-38007: Type Confusion in V8 [Backport] CVE-2021-38009: Inappropriate implementation in cache [Backport] CVE-2021-38010: Inappropriate implementation in serviceworkers [Backport] CVE-2021-38012: Type Confusion in V8 [Backport] CVE-2021-38015: Inappropriate implementation in input [Backport] CVE-2021-38017: Insufficient policy enforcement in iframe sandbox [Backport] CVE-2021-38018: Inappropriate implementation in navigation [Backport] CVE-2021-38019: Insufficient policy enforcement in CORS [Backport] CVE-2021-38021: Inappropriate implementation in referrer [Backport] CVE-2021-38022: Inappropriate implementation in WebAuthentication [Backport] CVE-2021-4057: Use after free in file API [Backport] CVE-2021-4058: Heap buffer overflow in ANGLE (1/2) [Backport] CVE-2021-4058: Heap buffer overflow in ANGLE (2/2) [Backport] CVE-2021-4059: Insufficient data validation in loader [Backport] CVE-2021-4062: Heap buffer overflow in BFCache [Backport] CVE-2021-4078: Type confusion in V8 [Backport] CVE-2021-4079: Out of bounds write in WebRTC [Backport] CVE-2021-4098: Insufficient data validation in Mojo [Backport] CVE-2021-4099: Use after free in Swiftshader [Backport] CVE-2021-4101: Heap buffer overflow in Swiftshader. [Backport] CVE-2021-4102: Use after free in V8 [Backport] Dependency for CVE-2021-37989 [Backport] Dependency for CVE-2021-38009 [Backport] Security bug 1245870 [Backport] Security bug 1252858 [Backport] Security bug 1259899 Bump V8_PATCH_LEVEL Compile with GCC 11 -std=c++20 Fix stack overflow on gpu channel recreate with an error Use wglSetPixelFormat directly only if in software mode [Backport] Handle long SIGSTKSZ in glibc > 2.33 [Backport] abseil-cpp: Fixes build with latest glibc * Handle qtpdf compilation with static runtime * Add bitcode support for qtpdf on ios * Do not access accessibility from qt post routines * Blacklist javascriptClipboard test on ubuntu 20.04 * Re-enable network-service-in-process * Bump version from 5.15.7 to 5.15.8 * Update patch level * Fix pinch gesture * Fix leak of properties after XkbRF_GetNamesProp * Fix leak on getDefaultScreeenId - Drop patch: * 0001-Fix-build-with-glibc-2.34.patch ==== nautilus ==== Version update (41.1 -> 41.2) Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension1 - Update to version 41.2: + Avoid cropping format popover in Compress dialog. + Fix "Move to"/"Copy to" from Starred. + Fix memory leak on tab switch. + Updated translations. ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - Install PAM manual pages instead of the PDFs - specfile cleanup - Don't recommend ntfs-3g by default on TW, the kernel module got improved ==== perl-HTTP-Message ==== Version update (6.35 -> 6.36) - updated to 6.36 see /usr/share/doc/packages/perl-HTTP-Message/Changes 6.36 2022-01-05 14:39:42Z - Fix examples in HTTP::Request::Common synopsis: HTTP::Request::Common does not put headers in an arrayref, unlike HTTP::Request (GH#170) (Karen Etheridge) - Update to contributing information (GH#171) (Håkon Hægland) ==== podman ==== Subpackages: podman-cni-config - Add: Provides: podman:/usr/bin/podman-remote subpackage for a clearer upgrade path from podman < 3.1.2 ==== poppler ==== Version update (21.12.0 -> 22.01.0) Subpackages: libpoppler-cpp0 libpoppler-glib8 - Update to 22.01.0: core: * Allow local (relative to dll) fonts dir on Windows * TextOutputDev: require more spacing between columns. Issue #1093 * Fix crash in Splash::gouraudTriangleShadedFill. Issue #1183 * Fix crash when calling Form::reset() * GfxSeparationColorSpace: Check validity of colorspace and function. Issue #1184 * Minor code improvements glib: * Include glib.h before using defines from it * Close file descriptors on error * Plug some memory leaks * Replace use of deprecated g_memdup/g_time_zone_new * Remove FD-taking functions on windows utils: * pdfsig: Add support for documents with passwords * pdfsig: Fix signing with -sign if nss password is needed ==== poppler-qt5 ==== Version update (21.12.0 -> 22.01.0) - Update to 22.01.0: core: * Allow local (relative to dll) fonts dir on Windows * TextOutputDev: require more spacing between columns. Issue #1093 * Fix crash in Splash::gouraudTriangleShadedFill. Issue #1183 * Fix crash when calling Form::reset() * GfxSeparationColorSpace: Check validity of colorspace and function. Issue #1184 * Minor code improvements glib: * Include glib.h before using defines from it * Close file descriptors on error * Plug some memory leaks * Replace use of deprecated g_memdup/g_time_zone_new * Remove FD-taking functions on windows utils: * pdfsig: Add support for documents with passwords * pdfsig: Fix signing with -sign if nss password is needed ==== qemu ==== - It's time to really start requiring -F when using -b in qemu-img for us as well. Users/customers have been warned in the relevant release notes (bsc#1190135) * Patches dropped: Revert-qemu-img-Improve-error-for-rebase.patch Revert-qemu-img-Require-F-with-b-backing.patch ==== yast2 ==== Version update (4.4.34 -> 4.4.36) - Adapted Report.yesno_popup to Ruby 3 (bsc#1193192) - 4.4.36 - Simplify slide show to support future parallel installations (jsc#SLE-20437) - 4.4.35