Packages changed: Mesa Mesa-drivers MozillaFirefox (106.0.2 -> 106.0.3) autoyast2 (4.5.6 -> 4.5.8) btrfsprogs (5.19.1 -> 6.0) dbus-1-glib fwupd keylime (6.5.2 -> 6.5.3) libnvme (1.1 -> 1.2) nvme-cli (2.1.2 -> 2.2.1) openssl (1.1.1q -> 1.1.1s) openssl-1_1 (1.1.1q -> 1.1.1s) openssl-3 (3.0.5 -> 3.0.7) patterns-microos pipewire polkit-default-privs (1550+20221018.7616c25 -> 1550+20221102.9f111fa) qemu sudo xorg-x11-server xwayland (22.1.4 -> 22.1.5) === Details === ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1 - u_nouveau-corrupted-colors-boo1203949.patch * fixes corrupted colors in videos on nouveau with Kepler in Firefox (boo#1203949, issue#7416) - moved drirc.d config snippets from Mesa to Mea-dri package; radv driver specific conf was missing completely (boo#1204866) ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-gallium Mesa-libva - u_nouveau-corrupted-colors-boo1203949.patch * fixes corrupted colors in videos on nouveau with Kepler in Firefox (boo#1203949, issue#7416) - moved drirc.d config snippets from Mesa to Mea-dri package; radv driver specific conf was missing completely (boo#1204866) ==== MozillaFirefox ==== Version update (106.0.2 -> 106.0.3) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 106.0.3 * Fixes for other platforms ==== autoyast2 ==== Version update (4.5.6 -> 4.5.8) - Log the profile/rules/classes file SHA1 sum so we can later verify that a particular file was or was not used by YaST (related to bsc#1204175) - 4.5.8 - Allow empty values in ask/default, ask/selection/label and ask/selection/value elements (bsc#1204448). - 4.5.7 ==== btrfsprogs ==== Version update (5.19.1 -> 6.0) Subpackages: btrfsprogs-udev-rules libbtrfs0 - update to 6.0 * fi usage: in tabular output, print total size and slack size * mkfs: * option -O now accepts values from -R to unify the interface (-R will continue to work) * zone reset and discard is done in parallel on all devices * removed option --leafsize, deprecated long time ago * corrupt-block: recalculate checksum when changing generation * fixes: * convert: fix reserved range detection and overlaps * mkfs: fix creating files with reserved inode numbers with --rootdir * receive: escape filenames in command attributes * fix extent buffer leaks after transaction abort * experimental: * mkfs: support for block-group-tree (kernel 6.1) * fsverity in send (protocol v3, WIP) * btrfstune -b converts to block-group-tree * other: * cleanups, refactoring * new and updated tests * update documentation ==== dbus-1-glib ==== - Try to guard against incomplete update stacks (boo#1202241): + Add split-provides to libdbus-1-glib and bash-completion sub-package. + Add explicit conflict to bash-completion subpackage against dbus-1-glib < 0.112 (when the package split happened) + Ensure dbus-1-glib-tool gets the correct library version installed. ==== fwupd ==== Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0 - For pushing fwupd-1.8.6 to 15-SP5 (fwupd-1.7.3), sync change log: (jsc#PED-1232) - fwupd-bsc1193921-nvme-ignore-non-PCI-NVMe-devices.patch be merged to fwupd-1.7.3 ==== keylime ==== Version update (6.5.2 -> 6.5.3) Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python310-keylime - Update to version v6.5.3: * crypto: Provide input as bytes to encrypt * Revert "Revert "Revert "tenant: open file to send utf-8 encoded" (#1136)" (#1141)" * Update runtime_ima.rst ==== libnvme ==== Version update (1.1 -> 1.2) - Update to version 1.2: * Add more details for return code of MI admin cmds * Parse dhchap_host_key on controller level * Update json config schema for missing dhchap host key * fabrics: Add new TP8010 definitions * fabrics: Add nvmf_get_discovery_wargs() * fabrics: Duplicate strings when merging configs * fabrics: Filter out empty strings in add_argument() * fabrics: Use fallthrough statement * ioctl: Set log page offset for nvme_get_log_telemetry_host * json-schema: add dhchap_key details to host section * json: Enforce correctly formatted JSON config files * json: Verify JSON config file starts with an array * mi: Add Get Log Page helpers * mi: Add Identify function for secondary controller list * mi: Add Identify helper for ns-descs and primary-ctrl-caps * mi: Add firmware download and commit commands * mi: Add identify helper for nsid-capable Controller List * mi: Add identify helpers for namespace lists * mi: Add identify helpers for namespaces * mi: Allow Admin-message sized More Processing Required responses * mi: Distinguish MI status from NVMe (CDW3) status * mi: Fix C++ compiler errors * mi: Implement Format NVM command * mi: Implement Get & Set Features Admin commands * mi: Implement NS attach command and helpers * mi: Implement Namespace Management command and create/delete helpers * mi: Implement Sanitize command * mi: Init ctrl_id within xfer * mi: Introduce a helper for response status, unify values with ioctls * mi: Set log page offset for nvme_get_log_telemetry_host * mi: add nvme_mi_status_to_string() * mi: fix a memory leak in nvme_mi_open_mctp() * mi: fix get_log_page chunked offset check * nvme-tree: avoid segfault if auth keys are unavailable * python: Use nvmf_get_discovery_wargs() * tree: rename controller 'dhchap_key' to 'dhchap_ctrl_key' * types: Move enum nvme_data_tfr to types * util: Add LINE_MAX define * util: Add get feature length 2 API to support direction parameter * util: Add simple UUID type * util: Do not expose fallthrough defines - Make man page build conditiional. Install man page location has been fixed upstream. - Mark the Python directory own by the libnvme3-python package - Use fixed manpage build date (boo#1047218) ==== nvme-cli ==== Version update (2.1.2 -> 2.2.1) Subpackages: nvme-cli-bash-completion - Update to version 2.2.1: * Added parsing for Solidigm telemetry observable data. * add item ddr_ecc_err_cnt in smart-log-add * build: Drop dependency on libuuid * build: Fix endian check for cross build * build: Remove unused uuid.wrap file * build: Remove unusned uuid.h include * completions: Add show-topology tab completion * fabrics: Honor JSON config file in connect-all command * fabrics: Trigger auto connect if config.json exists * fabrics: fix 'persistent' handling during connect-all with JSON file * fabrics: nvme config --modify depends on -n and -t argument * fabrics: re-read the discovery log page when a discovery controller reconnected * json: Support uint64 types serialization for older json-c versions * nvme, plugins: fix __u64 -> unsigned long long assumptions * nvme-print: Add missing values in id-ctrl for JSON output * nvme-print: Handle NULL hostid in JSON output * nvme-print: Output 128bit values as uint128 type instead of double * nvme-print: Print fguid as a UUID * nvme-print: Use uint128 JSON function for media_units_written * nvme-print: decode MI status values * nvme-print: decode status types * nvme-print: fix wrong json key * nvme: Add helper function to parse 16-bit comma separated list * nvme: Add nvme_cmd wrapper for get_features * nvme: Add show-topology command * nvme: Add wrapper for Format NVM * nvme: Add wrapper for Sanitize NVM * nvme: Add wrappers for Get Log page helpers * nvme: Add wrappers for Identify controller lists * nvme: Add wrappers for NS attach/detach * nvme: Add wrappers for NS management functions * nvme: Add wrappers for basic NS identify * nvme: Add wrappers for firmware commands * nvme: Fix set feature command to get feature identifier 0Dh length as zero * nvme: Introduce a union in struct nvme_dev for different transport types * nvme: Introduce nvme_cli_ wrappers, wrap identify and identify_ctrl * nvme: Make static nvme_dev private to open_dev(), use locals elsewhere * nvme: Masks SSTAT in sanize-log output * nvme: Remove static nvme_dev, allocate on open instead * nvme: Use correct print format specifier for sizeof arguments * nvme: Use local struct nvme_dev for show_registers & map_registers * nvme: check if cfg.metadata is NULL before passing it to strlen() * nvme: use helpers for checking status types * plugins/innogrit: Include timer.h * plugins/innogrit: add smart items for smart-log-add * plugins/micron-nvme: Use correct print format specifier for sizeof arguments * plugins/ocp: Include timer.h * plugins/ocp: Output 128bit values as uint128 type instead of double * plugins/ocp: pass struct nvme_dev to internal functions * plugins/seagate: Add support for OCP * plugins/toshiba: pass struct nvme_dev rather than fd + name * plugins/virtium: Output 128bit values as uint128 type instead of double * plugins/wdc: Add support for SN660 drive * plugins/wdc: Add type case for feature id * plugins/wdc: Output 128bit values as uint128 type instead of double * plugins/wdc: pass a struct nvme_dev around rather than a fd * plugins/wdc: pass struct nvme_dev rather than using global nvme_dev * plugins/ytmc: pass struct nvme_dev rather than fd + name * plugins: Use PRIu64 format specifier for 64bit types * print: Add Controller Ready Timeout Exceeded HW error code * solidgm: fix initialization warning * solidigm: Added parsing for telemetry customer screenable data * solidigm: Fix printf format for size_t variable * solidigm: Updated Telemetry parsing code to MIT license. * subprojects/libnvme: update for MI admin command coverage * tests: Update license to GPL-2.0-or-later * tree: Add NVMe-MI support * tree: Add dev_fd() helper * tree: Change nvme_dev from global to static * tree: Combine NVMe file descriptor into struct nvme_dev * tree: Move global device info to a single struct * tree: fail on non-negative return values from parse_and_open * udev: Add HOST_IFACE to udev rule * util/json.h: Add json_object_get_uint64 fallback implementation * util/json: Add 128 bit JSON helpers * util/types: Add 128 bit conversion helpers * util: Fix le128_to_cpu on big-endian * util: Fix le128_to_cpu on little-endian * util: Move common type conversion helpers into util section * utils/json: Add json_object_new_uint64 for json-c < 0.14 * utils: Fix uint128_t usage * wdc: OCP Log page updates and fixes * zns.c: report zones should be started after retrieved zone - Handle suse-missing-rclink lint warnings by providing the symlinks - Drop rpmlintrc as it is not needed anymore ==== openssl ==== Version update (1.1.1q -> 1.1.1s) - updated to 1.1.s release ==== openssl-1_1 ==== Version update (1.1.1q -> 1.1.1s) Subpackages: libopenssl1_1 - Updated openssl.keyring with key A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C - Update to 1.1.1s: * Fixed a regression introduced in 1.1.1r version not refreshing the certificate data to be signed before signing the certificate. - Update to 1.1.1r: * Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. * Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was causing incorrect results in some cases as a result. * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases * Fixed a regression introduced in 1.1.1o for re-signing certificates with different key sizes * Added the loongarch64 target * Fixed a DRBG seed propagation thread safety issue * Fixed a memory leak in tls13_generate_secret * Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. * Added a missing header for memcmp that caused compilation failure on some platforms ==== openssl-3 ==== Version update (3.0.5 -> 3.0.7) - Temporary disable tests test_ssl_new and test_sslapi because they are failing in openSUSE_Tumbleweed - Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786] * Fixed two buffer overflows in punycode decoding functions. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786]) An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602]) * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT parameters in OpenSSL code. Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR, OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT. Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead. Using these invalid names may cause algorithms to use slower methods that ignore the CRT parameters. * Fixed a regression introduced in 3.0.6 version raising errors on some stack operations. * Fixed a regression introduced in 3.0.6 version not refreshing the certificate data to be signed before signing the certificate. * Added RIPEMD160 to the default provider. * Ensured that the key share group sent or accepted for the key exchange is allowed for the protocol version. - Update to 3.0.6: [bsc#1204226, CVE-2022-3358] * OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. * OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. * Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. ([CVE-2022-3358]) * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures on MacOS 10.11 * Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a ticket * Correctly handle a retransmitted ClientHello in DTLS * Fixed detection of ktls support in cross-compile environment on Linux * Fixed some regressions and test failures when running the 3.0.0 FIPS provider against 3.0.x * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases * Fix UWP builds by defining VirtualLock * For known safe primes use the minimum key length according to RFC 7919. Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real security. This fixes a regression from 1.1.1 where these shorter keys were generated for the known safe primes. * Added the loongarch64 target * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were only passed to the FIPS provider and not to the default or legacy provider. * Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. * Added a missing header for memcmp that caused compilation failure on some platforms ==== patterns-microos ==== Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-desktop-common patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap - cups-pk-helper shouldn't be linked to PackageKit, as "pk" stands for PolicyKit in this case (boo#1204949) ==== pipewire ==== Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-lang pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Fix regression with Dell WD15 Dock and others (bsc#1204719): 0002-spa-support-the-speakers-output-only-case-in-report_.patch ==== polkit-default-privs ==== Version update (1550+20221018.7616c25 -> 1550+20221102.9f111fa) - Update to version 1550+20221102.9f111fa: * allow local logged in users to change NetworkManager configuration, keyboard layout and locale settings without entering a password (in the easy profile). ==== qemu ==== - qtests test are not realiable when run inside OBS builders, so let's disable that part of the testsuite for now. There is work ongoing to run it somewhere else (on dedicated hosts) to avoid loosing coverage. (bsc#1204566) - Improve dependency handling (e.g., what's recommended vs. what's required. - Add a subpackage (qemu-headless) that brings in all the packages that are needed for creating VMs with tools like virt-install or VirtManager, run either locally or from a remote host. (bsc#1202166) - Build fails due to exceeding 10 GB disk limit (10430 MB): raise disk space contraint to 12 GB ==== sudo ==== Subpackages: sudo-plugin-python - Modified sudo-sudoers.patch * [bsc#1203978 jsc#PED-260] * Remove uncommented "Defaults targetpw" portion of /etc/sudo-sudoers file. * Sudo now asks for the password of the user calling sudo instead of the target (i.e. root) user. ==== xorg-x11-server ==== Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra - removed N_Disable-HW-Cursor-for-cirrus-and-mgag200-kernel-modules.patch * meanwhile cirrus and mgag200 Kernel drivers have been rewritten multiple times and no longer have (broken) hardware cursor - u_xf86-Accept-devices-with-the-kernels-ofdrm-driver.patch * Add workaround to support ofdrm ==== xwayland ==== Version update (22.1.4 -> 22.1.5) - Update to version 22.1.5 * This is a follow-up release to address a couple of regressions which found their way into the recent xwayland-22.1.4 release, namely: + Double scroll wheel events with some Wayland compositors https://gitlab.freedesktop.org/xorg/xserver/-/issues/1392 + Key keeps repeating when a window is closed while a key is pressed https://gitlab.freedesktop.org/xorg/xserver/-/issues/1395 - supersedes U_Do-not-ignore-leave-events.patch