Packages changed: MozillaFirefox (125.0.3 -> 126.0) file-roller (44.2 -> 44.3) fwupd (1.9.19 -> 1.9.20) grub2 kirigami-addons6 (1.2.0 -> 1.2.1) ktextaddons (1.5.3 -> 1.5.4) libgit2 (1.8.0 -> 1.8.1) libostree (2024.5 -> 2024.6) openSUSE-release (20240520 -> 20240521) postfix python-attrs ruby3.3 salt webkit2gtk3 (2.44.1 -> 2.44.2) xdg-desktop-portal (1.18.2 -> 1.18.4) xfsprogs (6.7.0 -> 6.8.0) yast2-trans (84.87.20240511.9a3bd96575 -> 84.87.20240518.c88399d6be) === Details === ==== MozillaFirefox ==== Version update (125.0.3 -> 126.0) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 126.0 https://www.mozilla.org/en-US/firefox/126.0/releasenotes MFSA 2024-21 (bsc#1224056) * CVE-2024-4764 (bmo#1879093) Use-after-free when audio input connected with multiple consumers * CVE-2024-4367 (bmo#1893645) Arbitrary JavaScript execution in PDF.js * CVE-2024-4765 (bmo#1871109) Web application manifests could have been overwritten via hash collision * CVE-2024-4766 (bmo#1871214, bmo#1871217) Fullscreen notification could have been obscured on Firefox for Android * CVE-2024-4767 (bmo#1878577) IndexedDB files retained in private browsing mode * CVE-2024-4768 (bmo#1886082) Potential permissions request bypass via clickjacking * CVE-2024-4769 (bmo#1886108) Cross-origin responses could be distinguished between script and non-script content-types * CVE-2024-4770 (bmo#1893270) Use-after-free could occur when printing to PDF * CVE-2024-4771 (bmo#1893891) Failed allocation could lead to use-after-free * CVE-2024-4772 (bmo#1870579) Use of insecure rand() function to generate nonce * CVE-2024-4773 (bmo#1875248) URL bar could be cleared after network error * CVE-2024-4774 (bmo#1886598) Undefined behavior in ShmemCharMapHashEntry() * CVE-2024-4775 (bmo#1887332) Invalid memory access in the built-in profiler * CVE-2024-4776 (bmo#1887343) Window may remain disabled after file dialog is shown in full-screen * CVE-2024-4777 (bmo#1878199, bmo#1893340) Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 * CVE-2024-4778 (bmo#1838834, bmo#1889291, bmo#1889595, bmo#1890204, bmo#1891545) Memory safety bugs fixed in Firefox 126 - requires NSS 3.100 - removed obsolete mozilla-libproxy-fix.patch ==== file-roller ==== Version update (44.2 -> 44.3) Subpackages: file-roller-lang - Update to version 44.3: + Fixed filename not changed when creating a new archive. + 7z: error when creating archives with volumes. ==== fwupd ==== Version update (1.9.19 -> 1.9.20) Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0 - Update to version 1.9.20: + This release adds the following features: - Add some API to allow uploading reports for use in gnome-firmware - Allow the user to upload the entire devicelist to the LVFS + This release fixes the following bugs: - Correctly detect Synaptics Cayenne and Spyder firmware - Do not offer the UEFI DBX update on Lenovo ideacentre 300-20ISH - Explicitly enable shadow stack support in fwupd.service - Fix a potential buffer overread when reading the algoltek-usb version number - Fix the CET HSI test by rewriting it in assembly - Fix using --verbose in fwupdmgr - Ignore --p2p when downloading the metadata signature + This release adds support for the following hardware: - FPC FF2 fingerprint devices ==== grub2 ==== Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen - Only enable grub-protect for EFI systems * 0001-util-enable-grub-protect-only-for-EFI-systems.patch ==== kirigami-addons6 ==== Version update (1.2.0 -> 1.2.1) Subpackages: kirigami-addons6-lang - Update to 1.2.1 * Fix regression with double accept * Update maintainer name * Define minimum requirement on framework ==== ktextaddons ==== Version update (1.5.3 -> 1.5.4) Subpackages: ktextaddons-lang libKF6TextAddons1 - Update to 1.5.4. No changelog ==== libgit2 ==== Version update (1.8.0 -> 1.8.1) - update to 1.8.1: * In v1.8, libgit2 introduced the `report_unchanged ` member in the `git_fetch_options` structure. We mistakenly introduced this as a bitfield, which is not suitable for our public API. To correct this mistake, we have _removed_ the `report_unchanged ` member. To support the report unchanged tips option, users can set the `update_fetchhead` member to include the `GIT_REMOTE_UPDATE_REPORT_UNCHANGED` value. * The libgit2 projects regrets the API change, but this was required to support cross-platform compatibility. * commit: Fix git_commit_create_from_stage without author and * committer * process.c: fix environ * Bounds check for pack index read * transport: provide a useful error message during cancellation * transport: support sha256 oids * Revparse: Correctly accept ref with '@' at the end * remote: drop bitfields in git_remote_fetch_options * examples: fix memory leak in for-each-ref.c * xdiff: use proper free function * rand: avoid uninitialized loadavg warnings * cli: include alloca on illumos / solaris / sunos * Update git_array allocator to obey strict aliasing rules * tree: avoid mixed signedness comparison by @ethomson in ==== libostree ==== Version update (2024.5 -> 2024.6) Subpackages: libostree-1-1 - update to 2024.6: + prepare-root: Handle non-AB aboot properly + various bug fixes and developer visible fixes + ostree-prepare-root.service: add OnFailureJobMode=isolate + ostree-sysroot-deploy: check if deployments are in the same stateroot ==== openSUSE-release ==== Version update (20240520 -> 20240521) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== postfix ==== - Update update_chroot.systemd * Add missing checks for DKIM (openDKIM) - keep spec and changes files in sync ==== python-attrs ==== - Add patch pytest8.patch to adapt the tests to the new pytest ==== ruby3.3 ==== Subpackages: libruby3_3-3_3 - Backport for fix segfault caused by stack pointers not saved/restored properly when yielding execution from Ruby to C. https://bugs.ruby-lang.org/issues/20493 https://github.com/ruby/ruby/pull/10798 Adds fix-gvl-save-restore.patch - fix typo in the macros file. this only affected people building without the OBS as this macro was shadowed by the macro that is in the prjconf ==== salt ==== Subpackages: python3-salt salt-master salt-minion salt-transactional-update - Mark python3-CherryPy as recommended package for the testsuite - Make "man" a recommended package instead of required ==== webkit2gtk3 ==== Version update (2.44.1 -> 2.44.2) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.44.2: + Make gamepads visible on axis movements, and not only on button presses. + Disable the gst-libav AAC decoder. + Make user scripts and style sheets visible in the Web Inspector. + Use the geolocation portal where available, with the existing geoclue as fallback if the portal is not usable. + Use the printing portal when running sandboxed. + Use the file transfer portal for drag and drop when running sandboxed. + Avoid notifying an empty cursor rectangle to input methods. + Remove empty bar shown in detached inspector windows. + Consider keycode when activating application accelerators. + Fix the build with ENABLE_WEBAUDIO disabled. + Fix several crashes and rendering issues. - Update keyring (taken from rawhide). ==== xdg-desktop-portal ==== Version update (1.18.2 -> 1.18.4) Subpackages: xdg-desktop-portal-lang - update to 1.18.4: + Don't allow commandline arrays when the first commandline item starts with whitespace or hyphen. (CVE-2024-32462, boo#1223110) + Do not store device access permission if it returned an error + Fix crash with config files without a default backend set - includes changes from 1.18.3: + Don't try to read D-Bus object properties of Request objects on construction + Fix various memory and file descriptor leaks. + Minuscule optimization to the ScreenCast portal so that it stores restoration data with a single D-Bus call, instead of two. + Fix a crash in the OpenURI file when trying to open a non- existing file + Fix a bug in PipeWire that prevented cameras from being reported reliably. + Various smaller bug fixes. ==== xfsprogs ==== Version update (6.7.0 -> 6.8.0) Subpackages: libhandle1 - update to 6.8.0 - xfs_repair: Dump both inode details in Phase 6 duplicate file check - libxfs: print the device name if flush-on-close fails - xfs_db: fix leak in flist_find_ftyp() - xfs_repair: support more than INT_MAX block maps - xfs_repair: constrain attr fork extent count - xfs_repair: support more than 2^32 owners per physical block - xfs_repair: support more than 2^32 rmapbt records per AG - xfs_db: add a bmbt inflation command - xfs_scrub: scan whole-fs metadata files in parallel - mkfs: allow sizing internal logs for concurrency - mkfs: allow sizing allocation groups for concurrency - mkfs: use a sensible log sector size default - xfs_io: add linux madvise advice codes - xfs_scrub: fix threadcount estimates for phase 6 - xfs_db: improve number extraction in getbitval - xfs_repair: adjust btree bulkloading slack computations to match online repair - xfs: make rextslog computation consistent with mkfs - mkfs: fix log sunit rounding when external logs are in use - libxfs: kernel sync ==== yast2-trans ==== Version update (84.87.20240511.9a3bd96575 -> 84.87.20240518.c88399d6be) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20240518.c88399d6be: * Translated using Weblate (Slovenian) * Translated using Weblate (Slovenian) * Translated using Weblate (Slovenian) * Translated using Weblate (Slovenian) * Translated using Weblate (Slovenian) * Translated using Weblate (Slovenian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Slovenian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Lithuanian) * Translated using Weblate (Slovenian) * New POT for text domain 'control'. * Translated using Weblate (Romanian) * Translated using Weblate (Slovenian) * Translated using Weblate (Romanian) * Translated using Weblate (Romanian) * Translated using Weblate (Romanian) * Translated using Weblate (Romanian)