Packages changed:
  MozillaFirefox (117.0.1 -> 118.0.1)
  argyllcms (2.3.1 -> 3.0.0)
  glibc
  gnome-music
  gstreamer (1.22.5 -> 1.22.6)
  gstreamer-plugins-bad (1.22.5 -> 1.22.6)
  gstreamer-plugins-base (1.22.5 -> 1.22.6)
  gstreamer-plugins-good (1.22.5 -> 1.22.6)
  gstreamer-plugins-libav (1.22.5 -> 1.22.6)
  gstreamer-plugins-rs (0.10.11 -> 1.22.6)
  gstreamer-plugins-ugly (1.22.5 -> 1.22.6)
  libqt5-qtbase
  libssh
  libvpx
  mpg123 (1.31.3 -> 1.32.2)
  open-vm-tools
  openssl-3 (3.1.2 -> 3.1.3)
  openssl (3.1.2 -> 3.1.3)
  perl-HTTP-Message (6.44 -> 6.450.0)
  perl-Net-DNS (1.39 -> 1.400.0)
  python-greenlet (2.0.2 -> 3.0.0~rc3)
  python-qt5-sip (12.12.1 -> 12.12.2)
  rubygem-agama (3.devel43 -> 4)
  sddm
  sdl12_compat (1.2.64 -> 1.2.68)
  smartmontools
  xf86-video-siliconmotion (1.7.9 -> 1.7.10)
  yast2-python-bindings (4.6.0 -> 5.0.1)

=== Details ===

==== MozillaFirefox ====
Version update (117.0.1 -> 118.0.1)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 118.0.1
  MFSA 2023-44 (bsc#1215814)
  * CVE-2023-5217 (bmo#1855550),
    Heap buffer overflow in libvpx
- Mozilla Firefox 118.0
  MFSA 2023-41 (bsc#1215575)
  * CVE-2023-5168 (bmo#1846683)
    Out-of-bounds write in FilterNodeD2D1
  * CVE-2023-5169 (bmo#1846685)
    Out-of-bounds write in PathOps
  * CVE-2023-5170 (bmo#1846686)
    Memory leak from a privileged process
  * CVE-2023-5171 (bmo#1851599)
    Use-after-free in Ion Compiler
  * CVE-2023-5172 (bmo#1852218)
    Memory Corruption in Ion Hints
  * CVE-2023-5173 (bmo#1823172)
    Out-of-bounds write in HTTP Alternate Services
  * CVE-2023-5174 (bmo#1848454)
    Double-free in process spawning on Windows
  * CVE-2023-5175 (bmo#1849704)
    Use-after-free of ImageBitmap during process shutdown
  * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962,
    bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195)
    Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and
    Thunderbird 115.3
- requires NSS 3.93
- add mozilla-bmo1822730.patch
- deactivated KDE integration temporarily
  (removed mozilla-kde.patch and firefox-kde.patch for now)

==== argyllcms ====
Version update (2.3.1 -> 3.0.0)

- Update to 3.0.0:
  * Updated ccast/axTLS to get Chromecast working again with latest
    Google CC operating software.
  * Extensive re-write/re-factor of icclib to make it more future-proof.
    See https://www.argyllcms.com/doc/ChangesSummary.html for details.
  * Added ref/ColorCheckerPassport.ti2 and
    ref/ColorCheckerHalfPassport.ti2 to allow measuring
    ColorCheckerPassport with instrument.
  * Fixed bug in Munki spectro hi-res mode with some instruments.
    Luminance matching between normal and hi-res was sometimes quite
    poor.
  * Added ARGYLL_CREATE_DISPLAY_PROFILE_WITHOUT_CHAD environment
    variable.
  * Changed colprof -U flag to -u. Changed dispcal -J flag to -K to
    accommodate a potential new flag for colprof and dispcal.
  * Added workaround for bug in madHcNet64.dll32/64.dll which sometimes
    causes failure.
  * Added delay after USB set_config on OS X to help Spyder 3/4 on
    Ventura OS.
  * Added -Y parameter to dispwin to override automatic patch delay.
  * Changed i1d3 driver to cope with Rev. B "0x83" error robustly.
    This should fix any issues measuring low level Red only patch values
    on OLED displays, but with slower measurements when this occurs.
  * Added spotread -Y S option to save spectral sensitivity curves and
    added corresponding support in i1d3 driver. This allows for
    comparison of different instruments factory calibrations.
  * Added a -h scale parameter to dispread, to allow the automatic
    instrument calibration test patch values to be scaled down from
    their default 100% value. This is useful with HDR displays.
  * Added manifest to MSWindows executables to use UTF-8 code pages on
    Windows 1903 and later. This should improve non-ASCII filename and
    path handling.
  * Added a Violet colorant to the targen colorant list.
  * Fixed problem with OS X 64 bit backwards compatibility where it
    failed to locate serial instruments when the binaries are run on
    OS X V12 or later machines.
  * Fixed bug in i1Pro3 driver where it was not returning the correct
    measurement conditions enum.
  * Fixed spotread so that ambient measure for monochrome sources
    doesn't error out due to bad CCT/VCT/VDT. Also change -T so that it
    suppresses CCT etc. if ambient mode is used.
  * Added hacky workaround to strange Mac M2/rosetta bug in
    del_i1proimp().
- Make the argyllcms-doc package noarch.

==== glibc ====
Subpackages: glibc-32bit glibc-devel glibc-extra glibc-lang glibc-locale glibc-locale-base nscd

- fstat-implementation.patch: io: Do not implement fstat with fstatat
- getaddrinfo-memory-leak.patch: Fix leak in getaddrinfo introduced by
  the fix for CVE-2023-4806 (CVE-2023-5156, bsc#1215714, BZ #30884)
- getcanonname-use-after-free.patch: getaddrinfo: Fix use after free in
  getcanonname (CVE-2023-4806, bsc#1215281, BZ #30843)
- Do not build any cross packages in SLES
- no-aaaa-read-overflow.patch: Stack read overflow with large TCP
  responses in no-aaaa mode (CVE-2023-4527, bsc#1215280, BZ #30842)
- Add systemd to passwd, group and shadow lookups (jsc#PED-5188)
- ppc64-flock-fob64.patch: io: Fix record locking constants for
  powerpc64 with __USE_FILE_OFFSET64 (BZ #30804)
- libio-io-vtables.patch: libio: Fix oversized __io_vtables
- call-init-proxy-objects.patch: elf: Do not run constructors for proxy
  objects
- dtors-reverse-ctor-order.patch: elf: Always call destructors in
  reverse constructor order (BZ #30785)
- intl-c-utf-8-like-c-locale.patch: intl: Treat C.UTF-8 locale like C
  locale (BZ #16621)
- glibc-disable-gettext-for-c-utf8.patch: Removed

==== gnome-music ====
Subpackages: gnome-music-lang

- Explicitly create the pycache/.pyc files, not relying on the
  generation done by meson. Should make the package reproducible.
==== gstreamer ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.22.6:
  + Highlighted bugfixes:
    - Security fixes for the MXF demuxer and H.265 video parser
    - Fix latency regression in H.264 hardware decoder base class
    - androidmedia: fix HEVC codec profile registration and fix
      coded_data handling
    - decodebin3: fix switching from a raw stream to an encoded stream
    - gst-inspect: prettier and more correct signal and action signals
      printing
    - rtmp2: Allow NULL flash version, omitting the field, for better
      RTMP server compatibility
    - rtspsrc: better compatibility with buggy RTSP servers that don't
      set a clock-rate
    - rtpjitterbuffer: fix integer overflow that led to more packets
      being declared lost than have been lost
    - v4l2: fix video encoding regression on RPi and fix support for
      left and top padding
    - waylandsink: Crop surfaces to their display width height
    - cerbero: Recognise Manjaro; add Rust support for MSVC ARM64;
      cmake detection fixes
    - Various bug fixes, memory leak fixes, and other stability and
      reliability improvements
  + gstreamer:
    - gst-inspect: prettier and more correct signal printing, and
      print action signals in g_signal_emit_by_name() format
    - gst-launch: Disable fault signal handlers on macOS
- Rebase reduce-required-meson.patch

==== gstreamer-plugins-bad ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.22.6:
  + audiolatency: Forward latency query and event upstream
  + av1parser: Fix segmentation params update
  + codecparsers: Fix MPEG-1 aspect ratio table
  + d3d11convert: Passthrough allocation query on same caps
  + h264decoder: Update latency dynamically
  + h265parser:
    - Allow partially broken hvcC data
    - Fix possible overflow using max_sub_layers_minus1
  + hlssink2: Always use forward slash separator
  + mdns: Fix a crash on context error
  + mxfdemux: Fix integer overflow causing out of bounds writes when
    handling invalid uncompressed video and check channels for AES3
  + nvencoder: Fix negotiation error when interlace-mode is
    unspecified
  + rtmp2: Allow NULL flash version, omitting the field
  + rtmp2sink: fix crash if message conversion failed
  + transcodebin: Fixes for upstream selectable support
  + va: Fix in error logs functions mismatches
  + waylandsink:
    - Crop surfaces to their display width height
    - Fix cropping for video with non-square aspect ratio
  + webrtc: Fix docs for create-data-channel action signal
- Rebase reduce-required-meson.patch

==== gstreamer-plugins-base ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Update to version 1.22.6:
  + audio: Make sure to stop ringbuffer on error
  + decodebin3:
    - Avoid identity, sinkpad, parsebin leakage when reset input
    - Ensure the slot is unlinked before linking to decoder
  + sdp:
    - Fix wrong debug log error message for missing clock-rate in
      caps
    - Parse zero clock-rate as default
- Rebase reduce-required-meson.patch

==== gstreamer-plugins-good ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-good-extra gstreamer-plugins-good-gtk gstreamer-plugins-good-jack gstreamer-plugins-good-lang gstreamer-plugins-good-qtqml

- Update to version 1.22.6:
  + adaptivedemux2: fix memory leak
  + pulsedeviceprovider: fix incorrect usage of GST_ELEMENT_ERROR
  + qt:
    - Unbreak build with qt-egl enabled but viv_fb missing
    - Fix searching of qt5/qt6 tools with qmake in Meson
  + qtdemux:
    - Fix premature EOS when some files are played in push mode
    - Attach cbcs crypt info at the right moment
  + rtpjitterbuffer: Avoid integer overflow in max saveable packets
    calculation with negative offset
  + videoflip: fix concurrent access when modifying the tag list
  + v4l2:
    - allocator: Don't close foreign dmabuf
    - bufferpool:
      . Fix large encoded stream regression
      . Problems when checking for truncated buffer
    - Fix support for left and top padding
  + v4l2object: clear format lists if source change event is received
- Rebase reduce-required-meson.patch
- Add libqt5-linguist BuildRequires: New dependency.

==== gstreamer-plugins-libav ====
Version update (1.22.5 -> 1.22.6)

- Update to version 1.22.6:
  + No changes, stable bump only.
- Rebase reduce-required-meson.patch.

==== gstreamer-plugins-rs ====
Version update (0.10.11 -> 1.22.6)

- Update to version 1.22.6:
  + fallbackswitch: locking/deadlock fixes
  + onvifmetadataparse: Skip metadata frames with unrepresentable UTC
    time
  + transcriberbin: Configure audioresample in front of transcriber
  + webrtcsink:
    - Propagate GstContext messages
    - Add support for d3d11 memory and qsvh264enc
    - Fix TWCC extension adding
    - Don't forget to setup encoders for discoveries
    - NVIDIA V4L2 encoders always require NVMM memory
  + meson: Fix handling of optional deps, and don't require
    Python-3.8
- Switch service to do the tag released with the other gstreamer
  packages. Gstreamer-plugins-rs are now released at the same time as
  the gstreamer main packages.
- Switch compression to zst both in service and tarball produced.

==== gstreamer-plugins-ugly ====
Version update (1.22.5 -> 1.22.6)
Subpackages: gstreamer-plugins-ugly-lang

- Update to version 1.22.6:
  + No changes, stable bump only.
- Rebase reduce-required-meson.patch.
==== libqt5-qtbase ====
Subpackages: libQt5Concurrent5 libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5 libQt5OpenGL5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-mysql libQt5Sql5-sqlite libQt5Test5 libQt5Widgets5 libQt5Xml5 libqt5-qtbase-platformtheme-gtk3

- switch icu-devel requires to pkgconfig to allow switching libicu
  versions

==== libssh ====
Subpackages: libssh-config libssh4

- Enable crypto-policies support: [bsc#1211301]
  * Rebase libssh_client.config libssh_server.config

==== libvpx ====

- Fixing CVE-2023-5217 heap buffer overflow (boo#1215778)
  added CVE-2023-5217.patch

==== mpg123 ====
Version update (1.31.3 -> 1.32.2)
Subpackages: libmpg123-0 mpg123-openal

- Update to version 1.32.2
  * libmpg123: Re-introduce _64 symbols on native 64 bit offset
    platforms. This was a regression since 1.31 series. Sorry, too much
    cleanup, not enough testing.
  * build:
    + Better O_LARGEFILE logic, avoiding redefinition.
  * ports/cmake:
    + Require C99 (bug 360, among other points, thanks to Ozkan Sezer).
    + Fix broken O_LARGEFILE logic (bug 360).
    + Typo fix and cleanup, also manual SSE switch for Android on old
      x86 (bug 359).
- Update to version 1.32.1
  * Include man pages again in tarball and install. We cannot avoid the
    empty man directory when disabling programs with autoconf.
  * Fix signal handler prototype, avoiding some justified warnings.
  * ports/cmake:
    + Include CheckTypeSize, which seems to be needed sometimes
    + Avoid O_LARGEFILE redefinition, logic closer to autoconf.
- Update to version 1.32.0
  * build
    + Move version handling out of configure.ac to ease other build
      systems.
    + Include "fmt123.h" instead of in main API headers to make it more
      likely the correct one is included (at least gcc picks the one in
      the same directory as the including header first).
    + All headers are build-independent now.
    + Fix build for picky linkers by avoiding definition of
      wrap_getcpuflags() where it is not used (spurious linker error to
      non-existent getcpuflags(), bug 353).
    + Handle deprecation of C99 detection macro in autoconf 2.70.
    + No use of AC_SYS_LARGEFILE anymore for explicit handling and
      differing choice for the libraries and frontend programs.
    + Added --enable-portable and --disable-largefile to configure,
      removing the other largefile-related options.
    + Added --disable-components --enable-libmpg123 to only build
      libmpg123 (and likewise --enable-libout123,
      --enable-libout123-modules, --enable-libsyn123) to autoconf
      build. CMake build has something similar with BUILD_PROGRAMS and
      BUILD_LIBOUT123, which leave only libmpg123 and libsyn123 if
      disabled).
    + Consistent formatting of ./configure --help with
      AS_HELP_STRING().
  * mpg123
    + Added --libversion.
    + Added proper A-B looping with terminal control key 'o', renamed
      --pauseloop to --presetloop.
    + Really get rid of mpg123_position() usage. (It was all lies
      before!)
    + Fix terminal progress info when seeking in stopped mode (1.31
      regression).
    + Patch up interaction of output buffer with generic remote
      control, adding non-interruptible drain after P 3, and dropping
      buffer on QUIT.
    + Uppercase some generic control replies for consistency: SILENCE,
      PROGRESS, MUTE, UNMUTE
  * libmpg123, libout123, libsyn123
    + Bumped API version for version query functions.
    + Replaced nearly all symbol renames with explicit INT123_ prefix
      declarations (intsym.h close to empty now).
  * libout123
    + Add sleep builtin output module (silent, but proper timing).
  * libsyn123
    + Introduced SYN123_PORTABLE_API for an API without off_t and
      ssize_t (see NEWS.libsyn123).
  * libmpg123
    + Internal I/O using explicit largefile support via off64_t,
      lseek64, fallback to plain 32 bit off_t.
    + Added explicit 64 bit API with 64 suffix (mpg123_tell64(), not
      mpg123_tell_64()). This allows full avoidance of ambiguous off_t.
      The API is always using 64 bit integers, regardless of internal
      implementation.
    + Introduced MPG123_PORTABLE_API for an API subset without off_t
      and ssize_t.
    + Made mpg123_seek() and friends ignore offset sign for SEEK_END
      (always seeking towards beginning, assuming negative offset) to
      make lseek()-conforming usage possible. Seeking beyond the end
      never made sense, so no loss of valid functionality.
  * Overall use of INT123_strerror(), trying to use thread-safe
    strerror_l() if possible.

==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop

- 15 sp4 currently uses open-vm-tools rpms from 15 sp3. As such, enable
  the spec file fix for bug (bsc#1205927) for 15 sp3 onwards.

==== openssl-3 ====
Version update (3.1.2 -> 3.1.3)
Subpackages: libopenssl3 libopenssl3-32bit

- Update to 3.1.3:
  * Fix POLY1305 MAC implementation corrupting XMM registers on
    Windows (CVE-2023-4807)

==== openssl ====
Version update (3.1.2 -> 3.1.3)

- Update to 3.1.3

==== perl-HTTP-Message ====
Version update (6.44 -> 6.450.0)

- updated to 6.45
  see /usr/share/doc/packages/perl-HTTP-Message/Changes
  6.45 2023-09-27 14:27:31Z
    - Allow for file ownership conflicts with Docker and GitHub Actions
      (GH#193) (Olaf Alders)
    - Add the 'status_code' function for getting all status codes as
      hash (GH#194) (Dai Okabayashi)

==== perl-Net-DNS ====
Version update (1.39 -> 1.400.0)

- updated to 1.40
  see /usr/share/doc/packages/perl-Net-DNS/Changes

==== python-greenlet ====
Version update (2.0.2 -> 3.0.0~rc3)

- update to 3.0.0~rc3:
  * Fix an intermittent error during process termination on some
    platforms (GCC/Linux/libstdc++).
  * Fix some potential bugs (assertion failures and memory leaks) in
    previously-untested error handling code. In some cases, this means
    that the process will execute a controlled ``abort()`` after severe
    trouble when previously the process might have continued for some
    time with a corrupt state. It is unlikely those errors occurred in
    practice.
  * Fix some assertion errors and potential bugs with re-entrant
    switches.
  * Fix a potential crash when certain compilers compile greenlet with
    high levels of optimization. The symptom would be that switching to
    a greenlet for the first time immediately crashes.
  * Fix a potential crash when the callable object passed to the
    greenlet constructor (or set as the ``greenlet.run`` attribute) has
    a destructor attached to it that switches. Typically, triggering
    this issue would require an unlikely subclass of
    ``greenlet.greenlet``.
  * Python 3.11+: Fix rare switching errors that could occur when a
    garbage collection was triggered during the middle of a switch, and
    Python-level code in ``__del__`` or weakref callbacks switched to a
    different greenlet and ultimately switched back to the original
    greenlet. This often manifested as a ``SystemError``: "switch
    returned NULL without an exception set."
  * Python 3.12: Fix walking the frame stack of suspended greenlets.
    Previously accessing ``glet.gr_frame.f_back`` would crash due to
    changes in CPython's undocumented internal frame handling.
  * Make the platform-specific low-level C/assembly snippets stop using
    the ``register`` storage class. Newer versions of standards remove
    this storage class, and it has been generally ignored by many
    compilers for some time. See PR 347 from Khem Raj.
  * Add initial support for Python 3.12. See `issue `_ and `PR `_;
    thanks go to (at least) Michael Droettboom, Andreas Motl, Thomas A
    Caswell, raphaelauv, Hugo van Kemenade, Mark Shannon, and Petr
    Viktorin.
  * Remove support for end-of-life Python versions, including Python
    2.7, Python 3.5 and Python 3.6.
  * Require a compiler that supports ``noinline`` directives. See
    issue 271.
  * Require a compiler that supports C++11.

==== python-qt5-sip ====
Version update (12.12.1 -> 12.12.2)

- Update to ABI version 12.12.2
  * Match python-sip6-devel 6.7.10+

==== rubygem-agama ====
Version update (3.devel43 -> 4)

- Version 4
- Do not automatically probe after selecting a new product
  (gh#openSUSE/agama#748).
- Use a single D-Bus service to expose the manager and the users
  settings (gh#openSUSE/agama#753, follow-up of gh#openSUSE/agama#729).
- Do not crash when it is not possible to handle a product change in
  the manager service (related to bsc#1215197).
- When selecting the product, do not perform any change if the product
  is still the same.
- The software and the storage services do not dispatch actions during
  progress reporting anymore (related to bsc#1215197).
- New storage proposal settings (gh#openSUSE/agama#738).
- Extend the Ruby-based services logs with information about each step
  (gh#openSUSE/agama#732).
- Raise the D-Bus service start timeout for troubleshooting purposes
  (related to bsc#1214737).
- Adapt the locale and questions clients to use the same D-Bus service
  (gh#openSUSE/agama#729).
- Respect UI locale in dbus services (gh#openSUSE/agama#725)
- Copy the proxy configuration to the target system when needed
  (bsc#1212677, gh#openSUSE/agama#711).
- Install the ppc64-diag package when running on ppc64le (related to
  bsc#1206898).
- Set the manager service as busy during the startup phase
  (bsc#1213194).
- Add proxy setup support (bsc#1212677, gh#openSUSE/agama#696).

==== sddm ====
Subpackages: sddm-branding-openSUSE

- Remove unnecessary Requires(post*)
- Config file changes:
  * No longer own sddm.conf. The migration for this conflicts with the
    other migration code, so:
  * Drop code for migrating from Current=maui (Leap <= 42.2) and the
    monolithic /etc/sddm.conf (Leap <= 42.3)
- Add patch and drop unnecessary BuildRequirements of
  extra-cmake-modules and kf5-filesystem:
  * 0001-Drop-unnecessary-ECM-dependency-and-dead-uninstall-t.patch
- Split the greeter into a subpackage and use _multibuild to build both
  daemon and greeter for Qt 5 and Qt 6. Add patches to allow for
  greeter coinstallation:
  * 0002-Make-sddm-greeter-for-Qt-5-and-Qt-6-coinstallable.patch
  * 0003-Let-themes-specify-the-used-version-of-Qt.patch
- Refresh 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch
- Don't set CMAKE_BUILD_TYPE=Release
- Make branding packages noarch
- Add %check

==== sdl12_compat ====
Version update (1.2.64 -> 1.2.68)

- Update to release 1.2.68
  * sync dr_mp3 with mainstream
  * Add null check to SDL_LoadWAV_RW to avoid crashes
  * Add quirk entry: deactivate GL scaling for Trine (2011 Humble
    Bundle version) and Mark of the Ninja (HB)
  * Add quirk entry: set Hyperspace Delivery Boy to run in 16bpp mode
  * Add quirk handling: add ability to force XInitThreads before main()
  * Allocate the video surface object statically as a global
  * Add a hint to clamp the reported screen bit depth

==== smartmontools ====

- Do not quit with an error when no drives to monitor are available
  (bsc#990406 bsc#1167051).
- Add smartd_service_dont_quit.patch
- Refresh harden_smartd.service.patch
- Run through spec-cleaner, use autosetup

==== xf86-video-siliconmotion ====
Version update (1.7.9 -> 1.7.10)

- Update to version 1.7.10
  * Update README for gitlab migration
  * Update configure.ac bug URL for gitlab migration
  * Build xz tarballs instead of bzip2
  * Fix spelling/wording issues
  * gitlab CI: add a basic build test
  * gitlab CI: stop requiring Signed-off-by in commits
  * constify some char * declarations
  * Quiet -Wempty-body warning
  * Replace malloc()+snprintf() with Xasprintf()
  * Replace malloc()+memset() with calloc()
  * Remove "All rights reserved" from Oracle copyright notices
  * gitlab CI: ensure libtool is installed in build container
  * autogen.sh: Implement GNOME Build API
  * autogen.sh: use quoted string variables
  * autogen: add default patch prefix
  * configure: Drop AM_MAINTAINER_MODE
  * autogen.sh: use exec instead of waiting for configure to finish

==== yast2-python-bindings ====
Version update (4.6.0 -> 5.0.1)

- Fix inspect.getargspec() removed in python3.11; (bsc#1215226);
- 5.0.1
- 5.0.0 (#bsc1185510)