Removed rpms
============
Added rpms
==========
Package Source Changes
======================
MozillaFirefox
+- Firefox Extended Support Release 102.11.0 ESR
+ Placeholder changelog-entry (bsc#1211175)
+
- Placeholder changelog-entry (bsc#1210212)
+ * Fixed: Various security fixes.
+ MFSA 2023-14 (bsc#1210212)
+ * CVE-2023-29531 (bmo#1794292)
+ Out-of-bound memory access in WebGL on macOS
+ * CVE-2023-29532 (bmo#1806394)
+ Mozilla Maintenance Service Write-lock bypass
+ * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+ Fullscreen notification obscured
+ * CVE-2023-1999 (bmo#1819244)
+ Double-free in libwebp
+ * CVE-2023-29535 (bmo#1820543)
+ Potential Memory Corruption following Garbage Collector
+ compaction
+ * CVE-2023-29536 (bmo#1821959)
+ Invalid free from JavaScript code
+ * CVE-2023-29539 (bmo#1784348)
+ Content-Disposition filename truncation leads to Reflected
+ File Download
+ * CVE-2023-29541 (bmo#1810191)
+ Files with malicious extensions could have been downloaded
+ unsafely on Linux
+ * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+ Bypass of file download extension restrictions
+ * CVE-2023-29545 (bmo#1823077)
+ Windows Save As dialog resolved environment variables
+ * CVE-2023-1945 (bmo#1777588)
+ Memory Corruption in Safe Browsing Code
+ * CVE-2023-29548 (bmo#1822754)
+ Incorrect optimization result on ARM64
+ * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
+ bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
+ bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
+ bmo#1824828)
+ Memory safety bugs fixed in Firefox 112 and Firefox ESR
+ 102.10
MozillaThunderbird
+- Mozilla Thunderbird 102.10.1
+ * fixed: Messages with missing or corrupt "From:" header did
+ not display message header buttons (bmo#1793918)
+ * fixed: Composer repeatedly prompted for S/MIME smartcard
+ signing/encryption password (bmo#1828366)
+ * fixed: Address Book integration did not work with macOS 11.4
+ Bug Sur (bmo#1720257)
+ * fixed: Mexico City DST fix in Thunderbird 102.10.0 (bug
+ 1826146) was incomplete (bmo#1827503)
+- Mozilla Thunderbird 102.10
+ * changed: New messages will automatically select S/MIME if
+ configured and OpenPGP is not (bmo#1793278)
+ * fixed: Calendar events with timezone America/Mexico_City
+ incorrectly applied Daylight Savings Time (bmo#1826146)
+ * fixed: Security fixes
+ MFSA 2023-15 (bsc#1210212)
+ * CVE-2023-29531 (bmo#1794292)
+ Out-of-bound memory access in WebGL on macOS
+ * CVE-2023-29532 (bmo#1806394)
+ Mozilla Maintenance Service Write-lock bypass
+ * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+ Fullscreen notification obscured
+ * CVE-2023-1999 (bmo#1819244)
+ Double-free in libwebp
+ * CVE-2023-29535 (bmo#1820543)
+ Potential Memory Corruption following Garbage Collector
+ compaction
+ * CVE-2023-29536 (bmo#1821959)
+ Invalid free from JavaScript code
+ * CVE-2023-0547 (bmo#1811298)
+ Revocation status of S/Mime recipient certificates was not
+ checked
+ * CVE-2023-29479 (bmo#1824978)
+ Hang when processing certain OpenPGP messages
+ * CVE-2023-29539 (bmo#1784348)
+ Content-Disposition filename truncation leads to Reflected
+ File Download
+ * CVE-2023-29541 (bmo#1810191)
+ Files with malicious extensions could have been downloaded
+ unsafely on Linux
+ * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+ Bypass of file download extension restrictions
+ * CVE-2023-29545 (bmo#1823077)
+ Windows Save As dialog resolved environment variables
+ * CVE-2023-1945 (bmo#1777588)
+ Memory Corruption in Safe Browsing Code
+ * CVE-2023-29548 (bmo#1822754)
+ Incorrect optimization result on ARM64
+ * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
+ bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
+ bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
+ bmo#1824828)
+ Memory safety bugs fixed in Thunderbird 102.10
+
autofs
+- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
+ Fix off-by-one error in recursive map handling. (bsc#1209653)
+
chromium
+- Chromium 113.0.5672.126 (boo#1211442):
+ * CVE-2023-2721: Use after free in Navigation
+ * CVE-2023-2722: Use after free in Autofill UI
+ * CVE-2023-2723: Use after free in DevTools
+ * CVE-2023-2724: Type Confusion in V8
+ * CVE-2023-2725: Use after free in Guest View
+ * CVE-2023-2726: Inappropriate implementation in WebApp Installs
+ * Various fixes from internal audits, fuzzing and other initiatives
+
+- Chromium 113.0.5672.92 (boo#1211211)
+- Multiple security fixes (boo#1211036):
+ * CVE-2023-2459: Inappropriate implementation in Prompts
+ * CVE-2023-2460: Insufficient validation of untrusted input in Extensions
+ * CVE-2023-2461: Use after free in OS Inputs
+ * CVE-2023-2462: Inappropriate implementation in Prompts
+ * CVE-2023-2463: Inappropriate implementation in Full Screen Mode
+ * CVE-2023-2464: Inappropriate implementation in PictureInPicture
+ * CVE-2023-2465: Inappropriate implementation in CORS
+ * CVE-2023-2466: Inappropriate implementation in Prompts
+ * CVE-2023-2467: Inappropriate implementation in Prompts
+ * CVE-2023-2468: Inappropriate implementation in PictureInPicture
+- drop chromium-94-sql-no-assert.patch
+- drop no-location-leap151.patch
+- add chromium-113-webview-namespace.patch
+- add chromium-113-webauth-include-variant.patch
+- add chromium-113-typename.patch
+- add chromium-113-workaround_clang_bug-structured_binding.patch
+
cronie
+- Allow to define the logger info and warning priority, fixes
+ jsc#PED-2551
+ * run-crons
+ * sysconfig.cron
+
ffmpeg
+- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix
+ use after free in libavcodec/pthread_frame.c (bsc#1209934).
+
ffmpeg-4
+- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix
+ use after free in libavcodec/pthread_frame.c (bsc#1209934).
+
grantlee5
+- Add patch to fix test failures on Leap 15:
+ * 0001-Add-a-call-to-registerComparators-in-testbuiltins.patch
+
highway
+- Add memory-constraints to build
+
+- Add no-forced-inline.diff [boo#1211093]
+
+- Update to release 1.0.4
+ * Add PPC8..10, SSE2, AVX3_ZEN4, NEON_WITHOUT_AES targets
+ * Add Expand, LoadExpand, integer AbsDiff, SumsOf8AbsDiff
+ * Improved Half/Twice support, codegen for Shift*Same
+ * Faster KV128 sorting
+ * Update RISC-V V intrinsics for 1.0-draft
+- Remove arm-disable-runtime-dispatch.patch (appears merged)
+
kernel-default
+- x86: don't use REP_GOOD or ERMS for small memory clearing
+ (bsc#1211140).
+- x86/cpufeatures: Add macros for Intel's new fast rep string
+ features (bsc#1211140).
+- commit ff3ce03
+
+- wifi: brcmfmac: slab-out-of-bounds read in
+ brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
+- commit 39854dd
+
kernel-kvmsmall
+- x86: don't use REP_GOOD or ERMS for small memory clearing
+ (bsc#1211140).
+- x86/cpufeatures: Add macros for Intel's new fast rep string
+ features (bsc#1211140).
+- commit ff3ce03
+
+- wifi: brcmfmac: slab-out-of-bounds read in
+ brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
+- commit 39854dd
+
ldb
+- Update to version 2.6.2
+ + CVE-2023-0614: Not-secret but access controlled LDAP attributes
+ can be discovered; (bso#15270); (bsc#1209485).
+
libfastjson
+- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
+ large JSON file (bsc#1171479)
+ add 0001-Fix-CVE-2020-12762.patch
+
libqt5-qtbase
+- Amend patch to fix mouse grabbing as well (bsc#1211024):
+ * big-endian-scroll.patch
+
ncurses
+- Modify patch ncurses-6.1.dif
+ * Secure writing terminfo entries by setfs[gu]id in s[gu]id
+ (boo#1210434, CVE-2023-29491)
+ * Reading is done since 2000/01/17
+
open-iscsi
+- Remove "--strip" in SPEC file for meson build, so that
+ debuginfo is generated. (from mwilck) (bsc#1210536)
+
+- Build system: meson builds were ignoring optflags, and other
+ passed in compiler options.
+
+- Update iscsid.service so it starts iscsid.socket, if needed
+ (bsc#1206132).
+
open-vm-tools
+- As per jsc-PED-1344, update spec file to only build the containerinfo
+ plugin for TW/SLES 15 SP5 and newer.
+
+- Update to 12.2.0 (build 21223074) (boo#1209128)
+ - There are no new features in the open-vm-tools 12.2.0 release. This is
+ primarily a maintenance release that addresses a few critical problems,
+ including:
+ - Linux quiesced snapshots have been updated to avoid intermittent hangs of
+ the vmtoolsd process.
+ - Updated the guestOps to handle some edge cases when File_GetSize() fails
+ or returns -1.
+ - A number of Coverity reported issues have been addressed.
+ - Detect the proto files for the containerd grpc client in alternate
+ locations. Pull request #626
+ - FreeBSD: Support newer releases and code clean-up for earlier versions.
+ Pull request #584
+ - Please refer to the release notes at
+ https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ReleaseNotes.md
+ - The granular changes that have gone into the 12.2.0 release are in the
+ ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/
+ open-vm-tools/ChangeLog
+- Update detect-suse-location.patch to remove upstream accepted portion of the
+ patch (jsc-PED-1344).
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+- Don't list libgrpc++, libgrpc, and libprotobuf in the containerinfo Requires
+ section. The dependencies will be added automatically.
+
+- Don't use new LDFLAGS, -labsl_synchronization -lgpr, when building for SLE.
+
+- Add containerInfo plugin (jsc-PED-1344)
+ - Add dependencies on grpc, protobuf, and containerd for container
+ introspection
+- Added patches (jsc-PED-1344)
+ + detect-suse-location.patch
+
+- Add _service to handle open-vm-tools sources
+- Update to 12.1.5 (build 20735119) (boo#1205962)
+ - A number of Coverity reported issues have been addressed.
+ - The deployPkg plugin may prematurely reboot the guest VM before cloud-init
+ has completed user data setup. If both the Perl based Linux customization
+ script and cloud-init run when the guest VM boots, the deployPkg plugin
+ may reboot the guest before cloud-init has finished. The deployPkg
+ plugin has been updated to wait for a running cloud-init process to
+ finish before the guest VM reboot is initiated. This issue is fixed in
+ this release.
+ - A SIGSEGV may be encountered when a non-quiesing snapshot times out.
+ This issue is fixed in this release.
+ - Unwanted vmtoolsd service error message if not on a VMware hypervisor.
+ When open-vm-tools comes preinstalled in a base Linux release, the vmtoolsd
+ services are started automatically at system start and desktop login.
+ If running on physical hardware or in a non-VMware hypervisor, the services
+ will emit an error message to the Systemd's logging service before stopping.
+ This issue is fixed in this release.
+
openssh
+- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
+ This caused invalid and irrelevant environment assignments (bsc#1207014).
+
procps
+- Add patch bsc1209122-a6c0795d.patch
+ * Fix for bsc#1209122 to allow `-´ as leading character to ignore
+ possible errors on systctl entries
+
protobuf-c
+- ec3d9000.patch: fixes unsigned integer overflow
+ (bsc#1210323, CVE-2022-48468)
+
-- update to 0.15
- - make protobuf_c_message_init() into a function (Issue #49, daveb)
- - Fix for freeing memory after unpacking bytes w/o a default-value.
- (Andrei Nigmatulin)
- - minor windows portability issues (use ProtobufC_FD) (Pop Stelian)
- - --with-endianness={little,big} (Pop Stelian)
- - bug setting up values of has_idle in public dispatch,
- make protobuf_c_dispatch_run() use only public members (daveb)
- - provide cmake support and some Windows compatibility (Nikita Manovich)
-
samba
+- Update to 4.17.7
+ * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
+ in cleartext; (bso#15315); (bsc#1209481).
+ * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be
+ deleted by unprivileged authenticated users; (bso#15276);
+ (bsc#1209483).
+ * CVE-2023-0614: samba: Access controlled AD LDAP attributes can
+ be discovered; (bso#15270); (bsc#1209485).
+ * large_ldap test is inefficient; (bso#15332).
+ * CVE-2020-25720 [SECURITY] Create Child permission should not
+ allow full write to all attributes (additional changes);
+ (bso#14810).
+- Update to 4.17.6
+ * streams_xattr is creating unexpected locks on folders;
+ (bso#15314).
+ * Use of the Azure AD Connect cloud sync tool is now supported
+ for password hash synchronisation, allowing Samba AD Domains
+ to synchronise passwords with this popular cloud environment;
+ (bso#10635).
+ * Spotlight doesn't work with latest macOS Ventura;
+ (bso#15299).
+ * New samba-dcerpc architecture does not scale gracefully;
+ (bso#15310).
+ * vfs_ceph incorrectly uses fsp_get_io_fd() instead of
+ fsp_get_pathref_fd() in close and fstat; (bso#15307).
+ * With clustering enabled samba-bgqd can core dump due to use
+ after free; (bso#15293).
+ * fd_load() function implicitly closes the fd where it should
+ not; (bso#15311).
+- Update to 4.17.5
+ * smbc_getxattr() return value is incorrect; (bso#14808).
+ * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not
+ handled correctly; (bso#15172).
+ * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210).
+ * samba-tool gpo listall fails IPv6 only - finddcs() fails to
+ find DC when there is only an AAAA record for the DC in DNS;
+ (bso#15226).
+ * smbd crashes if an FSCTL request is done on a stream handle;
+ (bso#15236).
+ * DFS links don't work anymore on Mac clients since 4.17;
+ (bso#15277).
+ * vfs_virusfilter segfault on access, directory edgecase
+ (accessing NULL value); (bso#15283).
+ * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+ based SChannel on NETLOGON (additional changes); (bso#15240).
+ * %U for include directive doesn't work for share listing
+ (netshareenum); (bso#15243).
+ * Shares missing from netshareenum response in samba 4.17.4;
+ (bso#15266).
+ * ctdb: use-after-free in run_proc; (bso#15269).
+ * irpc_destructor may crash during shutdown; (bso#15280).
+ * auth3_generate_session_info_pac leaks wbcAuthUserInfo;
+ (bso#15286).
+ * smbclient segfaults with use after free on an optimized
+ build; (bso#15268).
+ * smbstatus leaking files in msg.sock and msg.lock;
+ (bso#15282).
+ * Leak in wbcCtxPingDc2; (bso#15164).
+ * Access based share enum does not work in Samba 4.16+;
+ (bso#15265).
+ * Crash during share enumeration; (bso#15267).
+ * rep_listxattr on FreeBSD does not properly check for reads
+ off end of returned buffer; (bso#15271).
+ * Avoid relying on C89 features in a few places; (bso#15281).
+
shadow
+- bsc#1210507 (CVE-2023-29383):
+ Check for control characters
+- Add shadow-CVE-2023-29383.patch
+
shim
+- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458.
+ The issue be fixed by upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737)
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+ signature. When submit request on IBS for updating SLE shim, the submitreq
+ project be generated, but it always be blocked by checking the signature
+ of openSUSE shim.
+ It doesn't make sense checking openSUSE shim signature when building
+ SLE shim on SLE platform, and vice versa. So the following change adds the
+ logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+ When and only when hash mismatch and distro_id match with suffix, stop
+ building.
+ [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+ [#] when hash mismatch and distro_id match with suffix, stop building
+
+- Upgrade shim-install for bsc#1210382
+ After closing Leap-gap project since Leap 15.3, openSUSE Leap direct
+ uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
+ CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
+ so all files in /boot/efi/EFI/boot are not updated.
+ The 86b73d1 patch added the logic that using ID field in os-release for
+ checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
+ Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
+- https://github.com/SUSE/shim-resources (git log --oneline)
+ 86b73d1 Fix that bootx64.efi is not updated on Leap
+ f2e8143 Use the long name to specify the grub2 key protector
+ 7283012 cryptodisk: support TPM authorized policies
+ 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
+ 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
+ 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
+ a5c5734 Introduce --no-grub-install option
+
- signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
+ signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)
snapper
+- avoid stale btrfs qgroups on transactional systems (bsc#1210151)
+ * added pr805.patch
+- wait for existing btrfs quota rescans to finish (bsc#1210150)
+ * added pr790.patch
+
vim
+- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
+ * Revert the creation standalone xxd packages
+
+- Updated to version 9.0 with patch level 1443, fixes the following security problems
+ * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
+ * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
+ * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
+- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
+ remove during %prep anyway. And this breaks quilt setup.
+- for the complete list of changes see
+ https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443
+
webkit2gtk3
+- Update to version 2.38.6 (boo#1210295 boo#1210731):
+ + Enable the Asynchronous Clipboard API to make certain pages
+ work (e.g. GithHub started recently requiring it).
+ + Support :has() CSS selectors in content filters.
+ + Apply basic font properties as font variation settings.
+ + The Bubblewrap sandbox no longer requires setting an
+ application identifier via GApplication to operate correctly.
+ Using GApplication is still recommended, but optional.
+ + Improvements to the GStreamer multimedia playback, in
+ particular around MSE, WebRTC, and seeking.
+ + Fix the build with journald support enabled when using elogind
+ instead of the systemd libraries.
+ + Fix the build with Link-Time Optimization enabled (-flto=auto).
+ + Fix context menus not working in the remote Web Inspector.
+ + Fix usage of the remote Web Inspector over HTTP.
+ + Fix debug logs not being emitted in release builds.
+ + Fix several crashes and rendering issues.
+ + Security fixes: CVE-2022-0108, CVE-2023-28205, CVE-2022-32885,
+ CVE-2023-27932, CVE-2023-27954.
+
- + Security fixes: CVE-2022-32886, CVE-2022-32912.
+ + Security fixes: CVE-2022-32886, CVE-2022-32912, CVE-2023-25358,
+ CVE-2023-25360, CVE-2023-25361, CVE-2023-25362, CVE-2023-25363.
yast2-network
+- Do not write the EAP auth attribute when writing a wireless
+ wicked configuration using the EAP mode as TLS (bsc#1211026)
+- 4.5.20
+
+- Fix summary crash when there is no interface available
+ (bsc#1209589, bsc#1211161).
+- 4.5.19
+
zlib
+- Fix deflateBound() before deflateInit(), bsc#1210593, bsc#1211005
+ bsc1210593.patch
+