Removed rpms
============
- aaa_base-malloccheck
- python3-fixtures
- python3-linecache2
- python3-pbr
- python3-python-mimeparse
- python3-testtools
- python3-traceback2
- python3-unittest2
Added rpms
==========
Package Source Changes
======================
avahi
+- Add avahi-CVE-2023-1981.patch: emit error if requested service
+ is not found (boo#1210328 CVE-2023-1981).
+
+- switch to use _multibuild
+- delete _avahi_spec-prepare.sh, pre_checkin.sh: obsolete
+- use https urls
+
dmidecode
+- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
+ which would prevent root from using the --from-dump option since
+ the latest security fixes (bsc#1210418).
+
+Security fixes (CVE-2023-30630)
+- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
+ Clean up function dmi_table so that it does only one thing
+ (bsc#1210418).
+- dmidecode-write-the-whole-dump-file-at-once.patch: When option
+ - -dump-bin is used, write the whole dump file at once, instead of
+ opening and closing the file separately for the table and then
+ for the entry point (bsc#1210418).
+- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
+ Make sure that the file passed to option --dump-bin does not
+ already exist (bsc#1210418).
+- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
+ check on the type of the mem device file we are asked to read
+ from, if we are root (bsc#1210418).
+ 3 recommended fixes from upstream:
+- dmioem-typo-fix-virutal-virtual.patch: Simple typo fix in a
+ user-visible string.
+- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
+ the SMBIOS entry point is long enough to include all the fields
+ we need.
+- dmioem-hpe-oem-record-237-firmware-change.patch: Properly decode
+ the last field of HPE OEM record type 237.
+
grub2
+- Fix PowerVS deployment fails to boot with 90 cores (bsc#1208581)
+ * 0001-kern-ieee1275-init-Convert-plain-numbers-to-constant.patch
+ * 0002-kern-ieee1275-init-Extended-support-in-Vec5.patch
+
kernel-64kb
+- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386
+ bsc#1209615).
+- commit 92426ca
+
+- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
+- commit 507557e
+
+- Update CVE reference to
+ patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch
+ (git-fixes bsc#1210454 CVE-2023-2019).
+- commit 75fc91b
+
+- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch
+ (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218
+ jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453
+ CVE-2023-2008).
+- commit 342d08e
+
+- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+ condition (git-fixes bsc#1210337 CVE-2023-1990).
+- commit 12594bd
+
kernel-default
+- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386
+ bsc#1209615).
+- commit 92426ca
+
+- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
+- commit 507557e
+
+- Update CVE reference to
+ patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch
+ (git-fixes bsc#1210454 CVE-2023-2019).
+- commit 75fc91b
+
+- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch
+ (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218
+ jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453
+ CVE-2023-2008).
+- commit 342d08e
+
+- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+ condition (git-fixes bsc#1210337 CVE-2023-1990).
+- commit 12594bd
+
libxml2
+- Security update:
+ * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
+ isn't deterministic
+ - Added patch libxml2-CVE-2023-29469.patch
+ * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
+ xmlSchemaFixupComplexType
+ - Added patch libxml2-CVE-2023-28484-1.patch
+ - Added patch libxml2-CVE-2023-28484-2.patch
+
+- Remove unneeded dependency (bsc#1209918).
+
libxml2:python
+- Security update:
+ * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
+ isn't deterministic
+ - Added patch libxml2-CVE-2023-29469.patch
+ * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
+ xmlSchemaFixupComplexType
+ - Added patch libxml2-CVE-2023-28484-1.patch
+ - Added patch libxml2-CVE-2023-28484-2.patch
+
+- Remove unneeded dependency (bsc#1209918).
+
mariadb
+- Update to 10.6.12:
+ https://mariadb.com/kb/en/library/mariadb-10612-release-notes
+ https://mariadb.com/kb/en/library/mariadb-10612-changelog
+ https://mariadb.com/kb/en/library/mariadb-10611-release-notes
+ https://mariadb.com/kb/en/library/mariadb-10611-changelog
+ * fixes for the following security vulnerabilities:
+ 10.6.12: none
+ 10.6.11: none
+- Update mariadb.keyring
+- Update list of skipped tests
+
mozilla-nss
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
+ fixes to PBKDF2 parameter validation.
+
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
+ validate extra PBKDF2 parameters according to FIPS 140-3.
+
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
+ update session->lastOpWasFIPS before destroying the key after
+ derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
+ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
+ CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
+- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
+ excess code.
+
+- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
+
+- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
+ checks. Thanks to Martin for the DHKey parts.
+
+- Add manpages to mozilla-nss-tools (bsc#1208242)
+
newt
-- Make it build with latest TeXLive 2012 with new package layout
-
-- update to 0.52.14:
- + fix returning strings in whiptail and whiptcl (rh#752818)
- + fix configure to work with multiple python versions (rh#737998)
-- removed newt-0.52.13-python_version.patch : fixed upstream
-- compile with fPIC - fixes problems with _snackmodule.so
- thanks to Joerg Steffens (bnc#734171)
-- newt-doc recommends the main package as the examples need it
-- added newt-0.52.14-incorrect-fsf-address.patch
-
-- Remove redundant tags/sections per specfile guideline suggestions
-
-- update to 0.52.13:
- + add support for changing colors in individual labels, scrollbars, entries,
- textboxes and scales, add custom colorsets
- + add support for NEWT_COLORS and NEWT_COLORS_FILE variables (rh#689903)
- + allow resizing of form
- + fix errors found by coverity
- + fix va_list usage (Gwenole Beauchesne)
- + fix building and installing on Mac OS X (rh#652479)
- + check for slang.h header, support DESTDIR variable, add --without-python
- option (Otavio Salvador)
- + add Persian, Low German translations
-- added newt-0.52.13-python_version.patch to fix detection of
- python version in configure script
-
-- add comment to keep static lib
-
-- fix baselibs.conf
- o newt > libnewt0_52
-- fix naming
- o define libname libnewt
- o define libsoname {libname}0_52
-- fix deps
- o add pkg-config
- o move {py_requires} to subpkg python-newt
-- remove Author from description
-
-- update to 0.52.12:
- + fix whiptail --gauge and its description in man page (#620083)
- + remove space after \n in whiptail texts (#620083)
- + remove NLS code from snack (#599608)
- + expose more keys to python as shortcuts in dialogs (Jakob Kemi)
- + release python global-thread-lock during dialog displays (Jakob Kemi)
- + fix warnings in whiptcl.c and include Tcl_PkgProvide() call (Mikhail T.)
- + don't NULL deref when an invalid array is specified in checkboxtree
- (Arnaldo Carvalho de Melo)
-- build on older distributions by owning locale/as
-
-- package baselibs.conf
-
-- update to 0.52.11
- * fix buffer overflow in textbox when reflowing (#523955, CVE-2009-2905)
- * use full textbox width when reflowing and allow minimal width 1
- * fix writing lines longer than width in textbox
- * don't use va_list in newtvwindow more than once (#523696)
- * bind \E[Z to back-tab in built-in keymap (#468046)
- * terminate string after reading file in whiptail
- * add newtRadioSetCurrent function (Thomas Jarosch)
- * add pkgconfig support (Thomas Jarosch)
- * add Malay, Malayalam, Assamese, Gujarati, Bengali India, Kannada, Telugu
- translations
- * include tutorial in txt format
- * include debian patches
- - fix crash in textbox SetText when topLines != 0
- - don't link modules with libraries already linked with libnewt
- - add Asturian and Marathi translations
-- cleanup spec
- * sorted TAGS
- * macros __make, __install, ...
- name -> {name}
- version -> {version}
- buildroot -> {buildroot}
- _defaultdocdir -> {_defaultdocdir}
- ....
-- removed obsolete newt-CVE-2009-2905.patch
-
-- fix heap-based buffer overflow in function doReflow in textbox.c
- (fix bnc#540930 and CVE-2009-2905 : newt-CVE-2009-2905.patch)
-
ovmf
+- Add ovmf-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
+ to check result of GetEfiGlobalVariable2 (CVE-2019-14560, bsc#1174246)
+
+- Add ovmf-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
+ for MdeModulePkg/PiSmmCore: SmmEntryPoint underflow (CVE-2021-38578)
+ (bsc#1196741)
+
sddm
+- Add patch to fix delays on shutdown (boo#1210391):
+ * 0001-Avoid-starting-a-new-session-on-exit.patch
+
+- Replace proper_pam.diff with installation of source files:
+ * sddm.pam, sddm-autologin.pam, sddm-greeter.pam
+- PAM services:
+ * Make use of substack for common-*
+ * Include postlogin-*
+ * Run pam_keyinit before common-session
+ * Deny password in sddm-greeter
+- /run/sddm is owned by root:root
+- Add patch to fix possible deadlock:
+ * 0001-Process-all-available-auth-messages-in-a-loop.patch
+- Add missing dependencies on update-alternatives
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+- Honor /etc/nologin like login, sshd, xdm and gdm do
+ * added: auth requisite pam_nologin.so to proper_pam.diff
+ * see: man 5 nologin
+
slang
-- add automake as buildrequire to avoid implicit dependency
-
-- fix baselibs.conf
-
-- disabled parallel build again, still broken
-
-- updated to version 2.2.2
- + new languag features
- * ternary expressions
- * break and condition statements can now work on several levels
- of loops
- * multiline strings
- * List_Type objects can now also be indexed using an array of
- indices
- + new modules: zlib, fork, sysconf
- + new intrinsic functions: sumsq, expm1, log1p, list_to_array,
- string_matches, _close, _fileno, dup2, getsid, killpg,
- getpriority, setpriority, ldexp, frexp
- + provides pkg-info file
- + many bugfixes
-- split package to conform to library naming policy
-- rebased patches, removed obsolete slang-2.2.1-format.patch
-- added patch slang-2.2.2-makefile.patch from Fedora which fixes
- shared libs permissions, the slang shared library symlink, and
- parallel build dependency issues and removes rpath
-- build pcre, png, and zlib modules
-- removed incorrect license information
-- more accurate summary and description
-- further cleanup
-
-- unbreak occasional build failures by disabling parallel make.
-
-- fixed better
-
-- include headers to fix build
-
-- add baselibs.conf as a source
-- enable parallel build
-