Packages changed: cups (2.4.2 -> 2.4.7) curl (8.5.0 -> 8.6.0) fillup kexec-tools libbs2b libssh (0.10.5 -> 0.10.6) libunwind (1.7.2 -> 1.8.0) patterns-base permissions python-pygit2 (1.13.3 -> 1.14.0) python-rpm (4.18.0 -> 4.19.1) qt6-base rpm (4.18.0 -> 4.19.1) suse-module-tools (16.0.42 -> 16.0.43) vala-panel-appmenu virtiofsd (1.7.2 -> 1.10.1) vsftpd xz (5.4.5 -> 5.4.6) === Details === ==== cups ==== Version update (2.4.2 -> 2.4.7) Subpackages: cups-client cups-config libcups2 libcupsimage2 - Version upgrade to 2.4.7: See https://github.com/openprinting/cups/releases CUPS 2.4.7 is released to ship the fix for CVE-2023-4504 and several other changes, among them it is adding OpenSSL support for cupsHashData function and bug fixes. Detailed list: * CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript in PPD files * Added OpenSSL support for cupsHashData (Issue #762) * Fixed delays in lpd backend (Issue #741) * Fixed extensive logging in scheduler (Issue #604) * Fixed hanging of lpstat on IBM AIX (Issue #773) * Fixed hanging of lpstat on Solaris (Issue #156) * Fixed printing to stderr if we can't open cups-files.conf (Issue #777) * Fixed purging job files via cancel -x (Issue #742) * Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743) * Fixed a bug in the PPD command interpretation code (Issue #768) Issues are those at https://github.com/OpenPrinting/cups/issues - Version upgrade to 2.4.6: See https://github.com/openprinting/cups/releases CUPS 2.4.6 is released to ship the fix for CVE-2023-34241 and two other bug fixes. Detailed list: * Fix linking error on old MacOS (Issue #715) * Fix printing multiple files on specific printers (Issue #643) * Fix use-after-free when logging warnings in case of failures in cupsdAcceptClient() (fixes CVE-2023-34241) Issues are those at https://github.com/OpenPrinting/cups/issues - Version upgrade to 2.4.5: See https://github.com/openprinting/cups/releases CUPS 2.4.5 is a hotfix release for a bug which corrupted locally saved certificates, which broke secured printing via TLS after the first print job. - Version upgrade to 2.4.4: See https://github.com/openprinting/cups/releases CUPS 2.4.4 release is created as a hotfix for segfault in cupsGetNamedDest(), when caller tries to find the default destination and the default destination is not set on the machine. - Version upgrade to 2.4.3: See https://github.com/openprinting/cups/releases CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements and many bug fixes. CUPS now implements fallback for printers with broken firmware, which is not capable of answering to IPP request get-printer-attributes with all, media-col-database - this enables driverless support for bunch of printers which don't follow IPP Everywhere standard. Aside from the CVE fix the most important fixes are around color settings, printer application support fixes and OpenSSL support. Detailed list of changes: * Added a title with device uri for found network printers (Issues #402, #393) * Added new media sizes defined by IANA (Issues #501) * Added quirk for GoDEX label printers (Issue #440) * Fixed --enable-libtool-unsupported (Issue #394) * Fixed configuration on RISC-V machines (Issue #404) * Fixed the device_uri invalid pointer for driverless printers with .local hostname (Issue #419) * Fixed an OpenSSL crash bug (Issue #409) * Fixed a potential SNMP OID value overflow issue (Issue #431) * Fixed an OpenSSL certificate loading issue (Issue #465) * Fixed Brazilian Portuguese translations (Issue #288) * Fixed cupsd default keychain location when building with OpenSSL (Issue #529) * Fixed default color settings for CMYK printers as well (Issue #500) * Fixed duplicate PPD2IPP media-type names (Issue #688) * Fixed possible heap buffer overflow in _cups_strlcpy() (fixes CVE-2023-32324) * Fixed InputSlot heuristic for photo sizes smaller than 5x7" if there is no media-source in the request (Issue #569) * Fixed invalid memory access during generating IPP Everywhere queue (Issue #466) * Fixed lprm if no destination is provided (Issue #457) * Fixed memory leaks in create_local_bg_thread() (Issue #466) * Fixed media size tolerance in ippeveprinter (Issue #487) * Fixed passing command name without path into ippeveprinter (Issue #629) * Fixed saving strings file path in printers.conf (Issue #710) * Fixed TLS certificate generation bugs (Issue #652) * ippDeleteValues would not delete the last value (Issue #556) * Ignore some of IPP defaults if the application sends its PPD alternative (Issue #484) * Make Letter the default size in ippevepcl (Issue #543) * Now accessing Admin page in Web UI requires authentication (Issue #518) * Now look for default printer on network if needed (Issue #452) * Now we poll media-col-database separately if we fail at first (Issue #599) * Now report fax attributes and values as needed (Issue #459) * Now localize HTTP responses using the Content-Language value (Issue #426) * Raised file size limit for importing PPD via Web UI (Issue #433) * Raised maximum listen backlog size to INT MAX (Issue #626) * Update print-color-mode if the printer is modified ... changelog too long, skipping 14 lines ... see the above CUPS 2.4.3 changes ==== curl ==== Version update (8.5.0 -> 8.6.0) Subpackages: libcurl4 - Update to 8.6.0: [bsc#1219149, CVE-2024-0853] * Security fixes: - CVE-2024-0853: OCSP verification bypass with TLS session reuse * Changes: - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T * Bugfixes: - altsvc: free 'as' when returning error - asyn-ares: with modern c-ares, use its default timeout - cf-socket: show errno in tcpkeepalive error messages - cmdline-opts: update availability for the *-ca-native options - configure: when enabling QUIC, check that TLS supports QUIC - content_encoding: change return code to typedef'ed enum - curl: show ipfs and ipns as supported "protocols" - CURLINFO_REFERER.3: clarify that it is the *request* header - dist: add tests/errorcodes.pl to the tarball - gen.pl: support ## for doing .IP in table-like lists - GHA: bump ngtcp2, gnutls, mod_h2, quiche - hostip: return error immediately when Curl_ip2addr() fails - http3/quiche: fix result code on a stream reset - http3: initial support for OpenSSL 3.2 QUIC stack - http: check for "Host:" case insensitively - http: fix off-by-one error in request method length check - http: only act on 101 responses when they are HTTP/1.1 - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT - lib: error out on multissl + http3 - lib: fix variable undeclared error caused by `infof` changes - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding - lib: strndup/memdup instead of malloc, memcpy and null-terminate - libssh2: use `libssh2_session_callback_set2()` with v1.11.1 - ngtcp2: put h3 at the front of alpn - openldap: fix an LDAP crash - openldap: fix STARTTLS - openssl: re-match LibreSSL deinit with init - rtsp: deal with borked server responses - sasl: make login option string override http auth - tool: prepend output_dir in header callback - tool_getparam: stop supporting `@filename` style for --cookie - transfer: fix upload rate limiting, add test cases - url: don't set default CA paths for Secure Transport backend - url: for disabled protocols, mention if found in redirect - vquic: extract TLS setup into own source - websockets: check for negative payload lengths * Remove patches fixed upstream: - curl-adjust-pollset-fix.patch - curl-tests-errorcodes.patch * Rebase dont-mess-with-rpmoptflags.patch ==== fillup ==== - remove bin symlink for non-suse distributions ==== kexec-tools ==== - add kexec-dont-use-kexec_file_load-on-xen.patch: kexec: don't use kexec_file_load on xen (bsc#1218590) ==== libbs2b ==== - Add libbs2b-clipping.patch to remove clipping of overloaded samples. Patch is taken from: https://github.com/alexmarsev/libbs2b For more details see: https://github.com/strawberrymusicplayer/strawberry/issues/1320 ==== libssh ==== Version update (0.10.5 -> 0.10.6) Subpackages: libssh-config libssh4 - Fix regression parsing IPv6 addresses provided as hostname * Added libssh-fix-ipv6-hostname-regression.patch - Update to version 0.10.6 https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/ - Fix CVE-2023-6004: ProxyCommand/ProxyJump features allow injection of malicious code through hostname (bsc#1218209) - Fix CVE-2023-48795: prefix truncation breaking ssh channel integrity (bsc#1218126) - Fix CVE-2023-6918: Added Missing checks for return values for digests (bsc#1218186) ==== libunwind ==== Version update (1.7.2 -> 1.8.0) - Update to 1.8.0: * Improve unwinding through a bad function pointer on x86_64 * Fix UMRs indicated by valgrind (x86_64) * fix byte_order_is_valid function logic * Use size_t to match R.H.S * Move get_proc_info_in_range under dwarf/ * Bump actions/checkout@v2 to @V3 * dwarf_find_unwind_table: Find load_base correctly when current segment does not start at segbase * Add introspection for march=armv8-a+sve * Linux: Make get_elf_image guaranteed AS-safe * Provide syscall wrappers for mmap and munmap * Allow to use a custom dl_iterate_phdr implementation * aarch64: unw_step() validates address before calling dwarf_get * Provide AS-safe allocator to LZMA * Rework register load in aarch64_local_resume() * Fix arm postdecrement * Added support for unwinding through PPC64 PLT entries * Fix array indexing bug in dwarf_search_unwind_table * Fix unaligned memory accesses in */Ginit.c * Get filename and offset from ip * Fix maps leak if caller's pathlen is too small * Adjust DYNAMIC addrs in loaded image * Fix crash in elf_w(valid_object) * Fix segfault on QNX ==== patterns-base ==== Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-transactional_base patterns-base-x11 patterns-base-x11_enhanced - patterns-base-fips: Require openssl-fips-provider when libopenssl is installed (meta package and libopenssl3) (boo#1219384). ==== permissions ==== Subpackages: chkstat permissions-config - Create directory /usr/share/permissions/permissions.d for packages to place their drop-ins. ==== python-pygit2 ==== Version update (1.13.3 -> 1.14.0) - update to 1.14.0: * Drop support for Python 3.8 * New `Repository.submodules` namespace * New `Repository.listall_mergeheads()`, `Repository.message`, `Repository.raw_message` and `Repository.remove_message()` * New `pygit2.enums` supersedes the `GIT_` constants * Now `Repository.status()`, `Repository.status_file()`, `Repository.merge_analysis()`, `DiffFile.flags`, `DiffFile.mode`, `DiffDelta.flags` and `DiffDelta.status` return enums * Now repository\'s `merge()`, `merge_commits()` and `merge_trees()` take enums/flags for their `favor`, `flags` and `file_flags` arguments. * Fix crash in filter cleanup * Documentation fixes * Remove deprecated `Repository.create_remote(...)` function, use instead `Repository.remotes.create(...)` * Deprecate `Repository.add_submodule(...)`, use `Repository.submodules.add(...)` * Deprecate `Repository.lookup_submodule(...)`, use `Repository.submodules[...]` * Deprecate `Repository.init_submodules(...)`, use `Repository.submodules.init(...)` * Deprecate `Repository.update_submodule(...)`, use `Repository.submodules.update(...)` * Deprecate `GIT_*` constants, use `pygit2.enums` * Passign dicts to repository\'s `merge(...)`, `merge_commits(...)` and `merge_trees(...)` is deprecated. Instead pass `MergeFavor` for the `favor` argument, `MergeFlag` for `flags`, and `MergeFileFlag` for `file_flags`. ==== python-rpm ==== Version update (4.18.0 -> 4.19.1) - Modernize python-rpm.spec to stop using deprecated macros (%python_build and %python_install). - update to rpm-4.19.1 ==== qt6-base ==== Subpackages: libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6Sql6 libQt6Test6 libQt6Widgets6 qt6-network-tls qt6-networkinformation-glib qt6-networkinformation-nm qt6-platformtheme-gtk3 - Switch to the latest GCC version available in Leap - Replace 0001-Require-GCC-12.patch with 0001-Use-newer-GCC-on-Leap.patch ==== rpm ==== Version update (4.18.0 -> 4.19.1) - fix Source url to match what is listed on https://rpm.org/download.html - disable sysusers handling for now - update to rpm-4.19.1 * new spec snippet support for dynamic spec generation * new sysusers.d integration for automated user and group handling * new CMake build system * removal of various deprecated and/or unused APIs * various internal code cleanups - refreshed patches: * brp-compress-no-img.patch * brp.diff * brpcompress.diff * build.diff * enable-postin-scripts-error.diff * fileattrs.diff * findlang.diff * findsupplements.diff * langnoc.diff * macrosin.diff * platformin.diff * posttrans.diff * refreshtestarch.diff * rpm-findlang-inject-metainfo.patch * rpmqpack.diff * rpmrc.diff * selinux_transactional_update.patch * localetag.diff * weakdepscompat.diff * zstdpool.diff - deleted patches: * cpuid_lzcnt.patch * libmagic-exceptions.patch * remove-awk-dependency.patch * whatrequires-doc.diff * x86_64-microarchitectures.patch - new patches: * python_setup.diff * rpmsort_reverse.diff * canongnu.diff - new file: * build-aux.tar.bz2 (taken from rpm-4.18) - fix --runposttrans not working correctly with the --root option [bnc#1216091] ==== suse-module-tools ==== Version update (16.0.42 -> 16.0.43) Subpackages: suse-module-tools-scriptlets - Update to version 16.0.43: * macros.initrd: %regenerate_initrd_post: don't fail if mkdir is unavailable (boo#1217979) * Don't rebuild existing initramfs imagees if the environment variable SKIP_REGENERATE_ALL=1 is set (boo#1192014) * README: Update blacklist description (gh#openSUSE/suse-module-tools#71) ==== vala-panel-appmenu ==== Subpackages: appmenu-gtk-module-common appmenu-gtk2-module appmenu-gtk3-module libappmenu-gtk2-parser0 libappmenu-gtk3-parser0 - Fix CFLAGS and CXXFLAGS to use distro flags ==== virtiofsd ==== Version update (1.7.2 -> 1.10.1) - Fix CVE-2023-50711: vmm-sys-util: out of bounds memory accesses (bsc#1218502, bsc#1218500) - Update to version 1.10.1: * Bump version to v1.10.1 * Fix mandatory user namespaces * Don't drop supplemental groups in unprivileged user namespace * Bump version to v1.10.0 * Update rust-vmm dependencies (bsc#1218500) * Bump version to v1.9.0 - Spec: switch to using the upstream virtio-fs config file for qemu - Spec: switch back to greedy cargo updates of vendored dependencies ==== vsftpd ==== - Fix location of ftpusers in /usr/lib/pam.d/vsftpd (boo#1219362) ==== xz ==== Version update (5.4.5 -> 5.4.6) Subpackages: liblzma5 liblzma5-32bit liblzma5-x86-64-v3 xz-lang - Build static library on SLE - update to 5.4.6: * Fixed a bug involving internal function pointers in liblzma not being initialized to NULL. The bug can only be triggered if lzma_filters_update() is called on a LZMA1 encoder, so it does not affect xz or any application known to us that uses liblzma. * Fixed a regression introduced in 5.4.2 that caused encoding in the raw format to unnecessarily fail if --suffix was not used. For instance, the following command no longer reports that --suffix must be used: echo foo | xz --format=raw --lzma2 | wc -c * Fixed an issue on MinGW-w64 builds that prevented reading from or writing to non-terminal character devices like NUL. * Added a new test.