Removed rpms
============
Added rpms
==========
- arping2
- jq
- libjq1
- libnet9
- libonig4
- libpcap1
- man-pages-ru
- poppler-data
Package Source Changes
======================
MozillaFirefox
+- Firefox Extended Support Release 102.7.0 ESR
+ Placeholder changelog-entry (bsc#1207119)
+
- Placeholder changelog-entry (bsc#1206242)
+ * Fixed: Various stability, functionality, and security fixes.
+ MFSA 2022-52 (bsc#1206242)
+ * CVE-2022-46880 (bmo#1749292)
+ Use-after-free in WebGL
+ * CVE-2022-46872 (bmo#1799156)
+ Arbitrary file read from a compromised content process
+ * CVE-2022-46881 (bmo#1770930)
+ Memory corruption in WebGL
+ * CVE-2022-46874 (bmo#1746139)
+ Drag and Dropped Filenames could have been truncated to
+ malicious extensions
+ * CVE-2022-46875 (bmo#1786188)
+ Download Protections were bypassed by .atloc and .ftploc
+ files on Mac OS
+ * CVE-2022-46882 (bmo#1789371)
+ Use-after-free in WebGL
+ * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
+ bmo#1801102, bmo#1801315, bmo#1802395)
+ Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
bind
+- Update to release 9.16.35
+ Bug Fixes:
+ * A crash was fixed that happened when a dnssec-policy zone that
+ used NSEC3 was reconfigured to enable inline-signing.
+ * In certain resolution scenarios, quotas could be erroneously
+ reached for servers, including any configured forwarders,
+ resulting in SERVFAIL answers being sent to clients.
+ * rpz-ip rules in response-policy zones could be ineffective in
+ some cases if a query had the CD (Checking Disabled) bit set to
+ 1.
+ * Previously, if Internet connectivity issues were experienced
+ during the initial startup of named, a BIND resolver with
+ dnssec-validation set to auto could enter into a state where it
+ would not recover without stopping named, manually deleting the
+ managed-keys.bind and managed-keys.bind.jnl files, and starting
+ named again.
+ * The statistics counter representing the current number of
+ clients awaiting recursive resolution results (RecursClients)
+ could overflow in certain resolution scenarios.
+ * Previously, BIND failed to start on Solaris-based systems with
+ hundreds of CPUs.
+ * When a DNS resource record’s TTL value was equal to the
+ resolver’s configured prefetch “eligibility†value, the record
+ was erroneously not treated as eligible for prefetching.
+ [jsc#SLE-24600]
+
+- Update to release 9.16.34
+ New Features:
+ * Support for parsing and validating the dohpath service
+ parameter in SVCB records was added.
+ * named now logs the supported cryptographic algorithms during
+ startup and in the output of named -V.
+ Bug Fixes:
+ * Changing just the TSIG key names for primaries in catalog
+ zones’ member zones was not effective. This has been fixed.
+ Known Issues:
+ * Upgrading from BIND 9.16.32 or any older version may require a
+ manual configuration change. The following configurations are
+ affected:
+ - type primary zones configured with dnssec-policy but without
+ either allow-update or update-policy,
+ - type secondary zones configured with dnssec-policy.
+ In these cases please add inline-signing yes; to the individual
+ zone configuration(s). Without applying this change, named will
+ fail to start. For more details, see
+ https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+ [jsc#SLE-24600]
+
bubblewrap
+- update to v0.7.0:
+ * --size option controls the size of a subsequent --tmpfs (#509)
+ * Better error messages if a mount operation fails (#472)
+ * Better error message if creating the new user namespace fails with
+ ENOSPC (#487)
+ * When building as a Meson subproject, a RUNPATH can be set on the
+ executable to make it easier to bundle its libcap dependency
+ * Fix test failures when running as uid 0 but with limited capabilities
+ (#510)
+ * Use POSIX command -v in preference to non-standard which (#527)
+ * Fix a copy/paste error in --help (#531)
+
+- Update to version 0.6.2:
+ + New features in Meson build:
+ - Auto-detect whether the man page can be generated.
+ - -Dbwrapdir=... changes the installation directory (useful
+ when being used as a subproject).
+ - -Dtests=false disables unit tests.
+ + Bug fixes:
+ - Add --add-seccomp-fd to shell completions
+ - Document --add-seccomp-fd, --json-status-fd and --share-net
+ in the man page
+ - Add attributes to silence various compiler warnings
+ - Allow compilation of tests with musl on mips architectures
+ - Allow compilation with older glibc
+ - Disable sanitizers for a test helper whose seccomp profile
+ breaks the instrumentation
+ - Disable AddressSanitizer leak detection where it interferes
+ with unit testing
+
+- Update to 0.6.1:
+ - Add a release checklist
+ - completions: Make zsh completion non-executable
+ The Autotools build system installed it with 0644 permissions because
+ it's listed as DATA, but the Meson build system installs executable
+ files as executable by default.
+ zsh completions don't need to be executable to work, and this one doesn't
+ have the `#!` marker that should start an executable script.
+- update to 0.6.0:
+ - meson: Improve compatibility with Meson 0.49
+ That version doesn't allow more than two arguments for define_variable.
+ - Disable test-specifying-pidns.sh under 'meson dist' while I investigate
+ This test is hanging when run under 'meson dist' for some reason, but
+ not when run under 'meson test', and not locally, only in the Github
+ Workflow-based CI. Disable it for now.
+ - meson: Actually build and run the tests
+ - tests: Fix compiler warnings for unused arguments
+ - meson: Run test scripts from $srcdir
+ - meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools
+ - meson: Run the Python test script with Python, not bash
+ The python build option can be used to swap to a different interpreter,
+ for environments like the Steam Runtime where the python3 executable in
+ the PATH is extremely old but there is a better interpreter available.
+ This is treated as non-optional, because Meson is written in Python,
+ so the situation where there is no Python interpreter at build-time
+ shouldn't arise.
+ - meson: Build the try-syscall helper
+ - meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir)
+ - meson.build: Remove unnecessary check for sh
+ - Add a Meson build system
+ This allows bwrap to be built as a subproject in larger Meson projects.
+ When built as a subproject, we install into the --libexecdir and
+ require a program prefix to be specified: for example, Flatpak would use
+ program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to
+ be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports).
+ Loosely based on previous work by Jussi Pakkanen (see #133).
+ Differences between the Autotools and Meson builds:
+ The Meson build requires a version of libcap that has pkg-config
+ metadata (introduced in libcap 2.23, in 2013).
+ The Meson build has no equivalent of --with-priv-mode=setuid. On
+ distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap
+ executable, the sysadmin or distribution packaging will need to set the
+ correct permissions on the bwrap executable; Debian already did this via
+ packaging rather than the upstream build system.
+ The Meson build supports being used as a subproject, and there is CI
+ for this. It automatically disables shell completions and man pages,
+ moves the bubblewrap executable to ${libexecdir}, and renames the
+ bubblewrap executable according to a program_prefix option that the
+ caller must specify (for example, Flatpak would use
+ - Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the
+ tests/use-as-subproject/ directory for an example.
+ - Use HEAD to refer to other projects' default branches in documentation
+ This makes the URL independent of the name they have chosen for their
+ default branches.
+ - workflows: Update for rename of default branch to main
+ - tests: Exercise seccomp filters
+ - Allow loading more than one seccomp program
+ This will allow Flatpak to combine an allow-list (default-deny) of
+ known system calls with a deny-list (default-allow) of system calls
+ that are undesired.
+ Resolves: https://github.com/containers/bubblewrap/issues/453
+ - Generalize linked lists of LockFile and SetupOp
+ I'm about to add a third linked list, for seccomp programs, which would
+ seem like too much duplication.
+ - Handle argc == 0 better
+ Unfortunately it's possible for argc to be 0, so error out pretty early
+ on in that case. I don't think this is a security issue in this case.
+ - Fix typo
+ - Remove trailing whitespace
+ - Fix spelling
+ - bash: Fix shellcheck warnings
+ - bash: Invoke bash using /usr/bin/env
+ - bubblewrap: Avoid a -Wjump-misses-init false-positive
+ When building with -Wjump-misses-init as part of a larger project, gcc
+ reports that we jump past initialization of cover_proc_dirs. This is
+ technically true, but we only use this variable in the case where it's
+ initialized, so that's harmless.
+ However, we can avoid this altogether by making the array static and
+ constant, which allows it to be moved from initialized data to read-only
+ data.
+ - bind-mount: Be more const-correct
+ When compiled with -Wwrite-strings as part of a larger project, gcc and
+ clang both warn that we're assigning a string constant to a mutable
+ struct member. There's actually no reason why it should be mutable, so
+ make it const.
+ - die_with_error: Save errno sooner
+ We need to save errno immediately, otherwise it could be overwritten
+ by a failing library call somewhere in the implementation of fprintf.
+ - main: Warn when non-repeatable options are repeated
+ A user might reasonably expect that `bwrap --seccomp 3 --seccomp 4 ...`
+ would load seccomp programs from both fds 3 and 4, but in fact it only
+ loads the program from fd 4.
+ Helps: https://github.com/containers/bubblewrap/issues/453
+ Resolves: https://github.com/containers/bubblewrap/issues/454
+ - utils: Add warn()
+ - Add SPDX-License-Identifier for files that already specify license
+ This is a step towards REUSE compliance. Third-party files that we do
+ not otherwise edit (git.mk, m4/attributes.m4) are excluded here.
+ - tests: Use preferred spelling for SPDX license identifiers
+ - Remove obsolete .travis.yml
+ We no longer use Travis-CI.
+ - Remove obsolete papr CI
+ We no longer use this.
+
+- Update to version 0.5.0:
+ + New features:
+ - --chmod changes permissions
+ - --clearenv unsets every environment variable (except PWD)
+ - --perms sets permissions for one subsequent --bind-data,
+ - -dir, --file, --ro-bind-data or --tmpfs
+ + Other enhancements:
+ - Better diagnostics when a --bind or other bind-mount fails
+ - zsh tab-completion
+ - Better test coverage
+ + Bug fixes:
+ - Use Python 3 for tests and examples
+ - Mount points for non-directories are created with permissions
+ - r--r--r-- instead of -rw-rw-rw-
+ - Don't remount items in /proc read-only if already EROFS,
+ required to run under Docker
+ - Allow mounting an non-directory over an existing
+ non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket"
+ /dev/log
+ - Silence kernel messages for our bind-mounts
+ - Make sure pkg-config is checked for, regardless of build
+ options
+ - Improve ability to bind-mount directories on case-insensitive
+ filesystems
+ - Fix -Wshadow warnings
+ - Fix deprecation warnings with newer SELinux
+- Add new subpackage bubblewrap-zsh-completion
+
dracut
+- Update to version 055+suse.343.g0113f4b9:
+ A series of changes for the NVMeoF boot feature (jsc#PED-1449):
+ * fix(dracut.spec): require jq for nvmf
+ * fix(suse/dracut.spec): require program for duplicate IP address detection
+ * fix(iscsi): install 8021q module unconditionally
+ * fix(nvmf): install 8021q module unconditionally
+ * feat(nvmf): enable module if NBFT exists
+ * feat(nvmf): add NBFT connect support, and fix configuration priority
+ * feat(nvmf): add code for parsing the NBFT
+ * fix(dracut.spec): require libopenssl1_1-hmac for dracut-fips (bsc#1206439)
+
gnutls
+- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
+ account for the new FIPS certification [bsc#1207346]
+ * Add gnutls-FIPS-140-3-references.patch
+
+- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
+ * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+
libXpm
+- U_regression2-bug1207029_1207030_1207031.patch
+ * second regression fix: Use gzip -d instead of gunzip
+
+- U_regression-bug1207029_1207030_1207031.patch
+ * regression fix for above patches
+
+- U_0000-Update-README-for-gitlab-migration.patch
+ * needed by U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
+- U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
+ * needed by U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+- U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
+ * libXpm: Infinite loop on unclosed comments (CVE-2022-46285,
+ bsc#1207029)
+- U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
+ * libXpm: Runaway loop on width of 0 and enormous height
+ (CVE-2022-44617, bsc#1207030)
+- U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+ * libXpm: compression commands depend on $PATH (CVE-2022-4883,
+ bsc#1207031)
+
-- libXpm 3.5.9
- * This minor maintenance release provides a large collection of
- build configuration improvements and other janitorial
- cleanups.
-
-- libXpm 3.5.8
-- bumped version number to 7.5
-
-- add baselibs.conf as a source
-
-- revert static library and .la file removal
- for SUSE versions <= 11.1.
-
-- remove static libraries and "la" files
-- run ldconfig in postun
-
man-pages-ja
+- Update to release 20220815
+ * Improved manual pages
+
manpages-l10n
+- Update to version 4.17.0:
+ * Updated many translations.
+ * Swedish is now actively maintained.
+ * New language: Russian.
+
mozilla-nss
+- Add upstream patch nss-fix-bmo1774654.patch to fix CVE-2022-3479
+ (bsc#1204272)
+
+- update to NSS 3.79.3 (bsc#1207038)
+ * Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
+ CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
+ (CVE-2022-23491)
+
poppler
+- Add patch to reduce the boost dependencies (which isn't really
+ needed) so we can build poppler 23.01.0 in SLE-15-SP4/SP5:
+ * reduce-boost-required-version.patch
+
+- update to 23.01.0:
+ core:
+ * PDFDoc::sign: Fix crash if font can't be found
+ * PDFDoc::sign: Try Arial to sign if Helvetica isn't found
+ * FoFiType1::parse: Be more flexible parsing the encoding content. Issue #1324
+ * Gfx::opBeginMarkedContent: Support Span with Name. Issue #1327
+ * Splash: Avoid color issues due to implicit rounding
+ * Splash: Fix crash on malformed file.
+ * CairoOutputDev: Ignore text rendering mode for type3 fonts
+ * Remove unused FoFiType1::load function
+ build system:
+ * Increase minimum required versions of several dependencies
+ * Improve include path handling
+ qt6:
+ * Use less deprecated functions
+
procps
+- Extend patch procps-3.3.17-library-bsc1181475.patch (bsc#1206412)
+- Make sure that correct library version is installed (bsc#1206412)
+
python-certifi
+- remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle
+ certs (bsc#1206212 CVE-2022-23491)
+ - TrustCor RootCert CA-1
+ - TrustCor RootCert CA-2
+ - TrustCor ECA-1
+- Add removeTrustCor.patch
+
python-py
+- Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969)
+- Add patch remove-svn-remants.patch to help with that goal.
+- Refresh pr_222.patch as needed for above.
+
python-setuptools
+- Add CVE-2022-40897-ReDos.patch to fix Regular Expression Denial of Service
+ (ReDoS) in package_index.py.
+ bsc#1206667
+
qemu
+- Fixes jsc#PED-1716
+ * Patches added:
+ configure-Add-Wno-gnu-variable-sized-typ.patch
+ s390x-pci-add-routine-to-get-host-functi.patch
+ s390x-pci-don-t-fence-interpreted-device.patch
+ s390x-pci-enable-adapter-event-notificat.patch
+ s390x-pci-enable-for-load-store-interpre.patch
+ s390x-pci-let-intercept-devices-have-sep.patch
+ s390x-pci-reflect-proper-maxstbl-for-gro.patch
+ Update-linux-headers-to-v6.0-rc4.patch
+
systemd
+- Make sure that /lib/udev exists and is a symlink to /usr/lib/udev when the
+ testsuite is run.
+
+- Import commit 1bfa716e7fb6d7169cece864e75dfe9e52914c99 (merge of v249.14)
+ For a complete list of changes, visit:
+ https://github.com/openSUSE/systemd/compare/540e0bd5374f9f42f1e645eb15971431ebb4b8c8...1bfa716e7fb6d7169cece864e75dfe9e52914c99
+- Rebase 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch
+
+- Don't overwrite /etc/pam.d/systemd-user on update (bsc#1207264)
+ Regression introduced when systemd was forked for 15.4.
+
+- Ship systemd-pstore with udev (jsc#PED-2663)
+
+- Import commit 540e0bd5374f9f42f1e645eb15971431ebb4b8c8
+ 29fb8a2dd0 core/unit: try to submit stop_when_unneeded queue on removing dependencies
+ bd63eab381 core/device: start units specified in SYSTEMD_WANTS if it is not running
+ e0898fa873 coredump: do not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000 CVE-2022-4415)
+ 119424f96e coredump: adjust whitespace
+ 3833d5a408 coredump: drop an unused variable
+ 36728edcfd coredump: Fix format string type mismatch
+ 34f6867a8a analyze: use DumpUnitsMatchingPatternsByFileDescriptor
+ e67a7087ec manager: add DumpUnitsMatchingPatternsByFileDescriptor()
+ feb8f2a983 manager: rename dbus method
+ 98fed27339 analyze: extend the dump command to accept patterns
+ a06d9470af man: document the Dump() calls of the PID 1 D-Bus interface, and what they are
+ 79eb37a5e0 cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED (bsc#1204944)
+- Drop 5000-coredump-Fix-format-string-type-mismatch.patch
+ 5001-coredump-drop-an-unused-variable.patch
+ 5002-coredump-adjust-whitespace.patch
+ 5003-coredump-do-not-allow-user-to-access-coredumps-with-.patch
+ They have been merged into SUSE/v249 branch.
+
tar
+- Fix hang when unpacking test tarball, bsc#1202436
+ * bsc1202436.patch
+
xdg-dbus-proxy
+- BuildRequire dbus-1 in SLE-15 where the dbus-1 package is not
+ splitted to generate a dbus-1-daemon package.
+
+- Update to version 0.1.4:
+ + Add a Meson build system, with support for being used as a
+ subproject. The original Autotools build system remains
+ available for now, but might be removed in future.
+ + Fix movement through multiline auth messages.
+ + Fix an unintended fallthrough if the message bus replies to
+ Hello() with a non-REPLY such as an ERROR.
+ + Fix compiler warnings.
+ + Update AX_CODE_COVERAGE from autoconf-archive.
+ + Bundle a copy of AX_CHECK_GNU_MAKE from autoconf-archive,
+ required by AX_CODE_COVERAGE.
+- Switch to meson buildsystem, add meson BuildRequires and replace
+ autotools macros with meson ones.
+- Add dbus-1-daemon BuildRequires and check section: Run meson_test
+ macro during build.
+
+- Update to version 0.1.3:
+ + Silence compiler warnings.
+ + Fix build with musl.
+
xdg-utils
+- xdg-open: convert usage of obsolete egrep to grep -E
+ add xdg-utils-egrep.patch, boo#1203092
+
+- Update to version 1.1.3+20210805:
+ * xdg-email fails on kde with desktop files #187
+- switch to obs_scm
+
zlib
+- Update to 1.13:
+ * Fix configure issue that discarded provided CC definition
+ * Correct incorrect inputs provided to the CRC functions
+ * Repair prototypes and exporting of new CRC functions
+ * Fix inflateBack to detect invalid input with distances too far
+ * Have infback() deliver all of the available output up to any error
+ * Fix a bug when getting a gzip header extra field with inflate()
+ * Fix bug in block type selection when Z_FIXED used
+ * Tighten deflateBound bounds
+ * Remove deleted assembler code references
+ * Various portability and appearance improvements
+- Added patches:
+ * zlib-1.2.13-IBM-Z-hw-accelerated-deflate-s390x.patch
+ * zlib-1.2.13-fix-bug-deflateBound.patch
+ * zlib-1.2.13-optimized-s390.patch
+- Refreshed patches:
+ * zlib-1.2.12-add-optimized-slide_hash-for-power.patch
+ * zlib-1.2.12-add-vectorized-longest_match-for-power.patch
+ * zlib-1.2.12-s390-vectorize-crc32.patch
+- Removed patches:
+ * zlib-1.2.12-fix-configure.patch
+ * zlib-1.2.12-IBM-Z-hw-accelerated-deflate-s390x.patch
+ * zlib-1.2.12-optimized-crc32-power8.patch
+ * zlib-1.2.12-correct-inputs-provided-to-crc-func.patch
+ * zlib-1.2.12-fix-CVE-2022-37434.patch
+ * zlib-1.2.11-optimized-s390.patch
+
+- build zlib with optflags again
+