Removed rpms
============


Added rpms
==========

 - libhwy1
 - libjxl0_8

Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 102.11.0 ESR
+  Placeholder changelog-entry (bsc#1211175)
+
-  Placeholder changelog-entry (bsc#1210212)
+  * Fixed: Various security fixes.
+  MFSA 2023-14 (bsc#1210212)
+  * CVE-2023-29531 (bmo#1794292)
+    Out-of-bound memory access in WebGL on macOS
+  * CVE-2023-29532 (bmo#1806394)
+    Mozilla Maintenance Service Write-lock bypass
+  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+    Fullscreen notification obscured
+  * CVE-2023-1999 (bmo#1819244)
+    Double-free in libwebp
+  * CVE-2023-29535 (bmo#1820543)
+    Potential Memory Corruption following Garbage Collector
+    compaction
+  * CVE-2023-29536 (bmo#1821959)
+    Invalid free from JavaScript code
+  * CVE-2023-29539 (bmo#1784348)
+    Content-Disposition filename truncation leads to Reflected
+    File Download
+  * CVE-2023-29541 (bmo#1810191)
+    Files with malicious extensions could have been downloaded
+    unsafely on Linux
+  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+    Bypass of file download extension restrictions
+  * CVE-2023-29545 (bmo#1823077)
+    Windows Save As dialog resolved environment variables
+  * CVE-2023-1945 (bmo#1777588)
+    Memory Corruption in Safe Browsing Code
+  * CVE-2023-29548 (bmo#1822754)
+    Incorrect optimization result on ARM64
+  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
+    bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
+    bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
+    bmo#1824828)
+    Memory safety bugs fixed in Firefox 112 and Firefox ESR
+    102.10
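Review bot: the new 102.11.0 ESR entry at the top of this hunk carries only "Placeholder changelog-entry (bsc#1211175)", so the changelog does not say which advisory or CVEs that update addresses. Replace the placeholder with the advisory and CVE list before release, the way this same hunk replaces the bsc#1210212 placeholder with the MFSA 2023-14 list.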
MozillaThunderbird
+- Mozilla Thunderbird 102.10.1
+  * fixed: Messages with missing or corrupt "From:" header did
+    not display message header buttons (bmo#1793918)
+  * fixed: Composer repeatedly prompted for S/MIME smartcard
+    signing/encryption password (bmo#1828366)
+  * fixed: Address Book integration did not work with macOS 11.4
+    Bug Sur (bmo#1720257)
+  * fixed: Mexico City DST fix in Thunderbird 102.10.0 (bug
+    1826146) was incomplete (bmo#1827503)
+- Mozilla Thunderbird 102.10
+  * changed: New messages will automatically select S/MIME if
+    configured and OpenPGP is not (bmo#1793278)
+  * fixed: Calendar events with timezone America/Mexico_City
+    incorrectly applied Daylight Savings Time (bmo#1826146)
+  * fixed: Security fixes
+  MFSA 2023-15 (bsc#1210212)
+  * CVE-2023-29531 (bmo#1794292)
+    Out-of-bound memory access in WebGL on macOS
+  * CVE-2023-29532 (bmo#1806394)
+    Mozilla Maintenance Service Write-lock bypass
+  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+    Fullscreen notification obscured
+  * CVE-2023-1999 (bmo#1819244)
+    Double-free in libwebp
+  * CVE-2023-29535 (bmo#1820543)
+    Potential Memory Corruption following Garbage Collector
+    compaction
+  * CVE-2023-29536 (bmo#1821959)
+    Invalid free from JavaScript code
+  * CVE-2023-0547 (bmo#1811298)
+    Revocation status of S/Mime recipient certificates was not
+    checked
+  * CVE-2023-29479 (bmo#1824978)
+    Hang when processing certain OpenPGP messages
+  * CVE-2023-29539 (bmo#1784348)
+    Content-Disposition filename truncation leads to Reflected
+    File Download
+  * CVE-2023-29541 (bmo#1810191)
+    Files with malicious extensions could have been downloaded
+    unsafely on Linux
+  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+    Bypass of file download extension restrictions
+  * CVE-2023-29545 (bmo#1823077)
+    Windows Save As dialog resolved environment variables
+  * CVE-2023-1945 (bmo#1777588)
+    Memory Corruption in Safe Browsing Code
+  * CVE-2023-29548 (bmo#1822754)
+    Incorrect optimization result on ARM64
+  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
+    bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
+    bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
+    bmo#1824828)
+    Memory safety bugs fixed in Thunderbird 102.10
+
autofs
+- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
+  Fix off-by-one error in recursive map handling. (bsc#1209653)
+
cronie
+- Allow to define the logger info and warning priority, fixes
+  jsc#PED-2551
+  * run-crons
+  * sysconfig.cron
+
editorconfig-core-c
+- editorconfig-core-c 0.12.6:
+  * CVE-2023-0341: A buffer overflow in ec_blob (boo#1211032)
+  * Update property key, value length limits per spec change
+
ffmpeg
+- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix
+  use after free in libavcodec/pthread_frame.c (bsc#1209934).
+
ffmpeg-4
+- Add ffmpeg-CVE-2022-48434.patch: Backport from upstream to fix
+  use after free in libavcodec/pthread_frame.c (bsc#1209934).
+
grantlee5
+- Add patch to fix test failures on Leap 15:
+  * 0001-Add-a-call-to-registerComparators-in-testbuiltins.patch
+
kernel-64kb
+- x86: don't use REP_GOOD or ERMS for small memory clearing
+  (bsc#1211140).
+- x86/cpufeatures: Add macros for Intel's new fast rep string
+  features (bsc#1211140).
+- commit ff3ce03
+
+- wifi: brcmfmac: slab-out-of-bounds read in
+  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
+- commit 39854dd
+
kernel-default
+- x86: don't use REP_GOOD or ERMS for small memory clearing
+  (bsc#1211140).
+- x86/cpufeatures: Add macros for Intel's new fast rep string
+  features (bsc#1211140).
+- commit ff3ce03
+
+- wifi: brcmfmac: slab-out-of-bounds read in
+  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
+- commit 39854dd
+
kimageformats
+- Add support for RAW image formats
+
+- Update to 5.102.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.102.0
+- Changes since 5.101.0:
+  * raw: tweak seek implementation
+  * heif: fix error handling
+  * heif: rewrite plugin to use only libheif C API
+
+- Update to 5.101.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.101.0
+- Changes since 5.100.0:
+  * Fix missing DCI-P3 color space set
+  * minor tweaks in HEIF and AVIF plugins
+  * raw: LibRaw_QIODevice::read: fixed possible partial reading of an item
+  * PSD multichannel testcases
+  * Support to MCH with 4+ channels (treat as CMYK)
+  * avif: Check if encoder/decoder is available in capabilities()
+  * Fix condition for installing desktop files
+
+- Update to 5.100.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.100.0
+- Changes since 5.99.0:
+  * Don't install desktop files for image formats when building against Qt6
+  * raw: Don't seek back if we were asked to read too much
+  * jxl: indicate when all frames have been read
+  * avif: minor fixes
+  * avif: indicate when all frames have been read
+  * avif: always indicate endless loop
+  * avif: return `false` in `canRead()` when `imageIndex >= imageCount` (kde#460085)
+  * Add JXL test files corresponding to 8 EXIF orientation values
+  * Add AVIF test files with rotation and mirror operations
+  * Auto-rotate input images in readtest
+  * jxl: remove C-style casts
+  * avif: Use reinterpret_cast instead C cast
+  * avif: revert 9ac923a commit
+  * heif: replace C cast with static_cast
+  * heif: use heif_init/heif_deinit with libheif 1.13.0+
+  * FindLibRaw: fix include dir, should not contain prefix libraw/ (kde#460105)
+  * Fix duplicated tests
+  * ANI partial test and PIC test added
+  * PSD: impreved support to sequential access device
+  * Fix messages
+  * CMakeLists: enable EXR test
+  * Added EXR test image
+  * Fixes for sequential devices
+- Drop patches, merged upstream:
+  * 0001-avif-return-false-in-canRead-when-imageIndex-imageCo.patch
+  * 0001-avif-always-indicate-endless-loop.patch
+  * 0001-avif-revert-9ac923ad09316dcca0fc11e0be6b3dfc6cce6ca0.patch
+
+- Add upstream changes:
+  * 0001-avif-return-false-in-canRead-when-imageIndex-imageCo.patch (kde#460085)
+  * 0001-avif-always-indicate-endless-loop.patch
+  * 0001-avif-revert-9ac923ad09316dcca0fc11e0be6b3dfc6cce6ca0.patch
+
+- Enable JPEG-XL plugin
+
+- Update to 5.99.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.99.0
+- Changes since 5.98.0:
+  * Add Qt6 windows CI support
+  * pcx: Do not support sequential devices (kde#459541)
+  * Fix maximum number of channels (testcase added)
+  * LibRaw_QIODevice::seek() avoid seek on a sequential device
+  * LibRaw_QIODevice::seek() bounding checks
+  * Camera RAW images plugin
+  * .gitlab-ci.yml: enable static builds
+  * Enables opening of XCF files with Width and/or Height greater than 32K
+  * Replace C cast with reinterpret_cast
+  * avif: adjust for libavif breaking change in YUV<->RGB conversion
+  * Fix image allocation with Qt 6
+
+- Update to 5.98.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.98.0
+- Changes since 5.97.0:
+  * Add FreeBSD Qt6 CI support
+  * Protect against too big resize for a QByteArray
+
+- Update to 5.97.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.97.0
+- Changes since 5.96.0:
+  * Use right type on enums
+  * PSD: Improve alpha detection (kde#182496)
+  * PSD: LAB support
+
+- Update to 5.96.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.96.0
+- Changes since 5.95.0:
+  * PSD header checks according to specifications
+  * Improved detection of alpha channel on CMYK images
+  * Minor code optimization
+  * Minor code improvements (tested on all my MCYK PSD/PSB files)
+  * Fix Alpha + testcase images
+  * Fix regression
+  * Basic support to CMYK 8/16 bits (not fully tested)
+  * Require passing tests for the CI to pass
+  * jxl: support both old 0.6.1 and new 0.7.0 libjxl API
+  * Remove extra ';'
+  * avif: read performance improvements
+
+- Enable AVIF plugin also on Leap 15.4
+
+- Update to 5.95.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.95.0
+- Changes since 5.94.0:
+  * psd: Fix segfault on architectures where char is unsigned (like ARM)
+
+- Update to 5.94.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.94.0
+- Changes since 5.93.0:
+  * avif: prepare for breaking change in libavif
+  * XCF: Support to QImageIOHandler::Size option
+  * Support to QImageIOHandler::Size option
+  * QByteArray resize removal
+  * psd: Fix crash on broken files
+  * psd: duotone read
+  * psd: Don't crash with broken images
+  * psd: Header depth has to be 8 for CM_INDEXED color_mode
+  * psd: Protect against broken images
+  * psd: Don't abort on broken images
+  * avif: lossless support
+  * psd: Don't assert on broken files
+  * Add windows CI
+  * PSD: Performance improvements and support to missing common formats
+
+- Update to 5.93.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.93.0
+- Changes since 5.92.0:
+  * Fix XCF parasites metadata in QImage and support to ICC profile
+  * avif: encoder speed 7->6
+  * avif: fix jumpToImage
+  * avif: warn about non-recommended libavif configuration
+
+- Update to 5.92.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.92.0
+- Changes since 5.91.0:
+  * Add Qt6 Android CI
+  * Add write tests for heif/avif/jxl
+  * jxl: encoding improvements
+  * avif: adjust dimension and memory limits
+
+- Update to 5.91.0
+  * New feature release
+  * For more details please see:
+  * https://kde.org/announcements/frameworks/5/5.91.0
+- Changes since 5.90.0:
+  * Check executables exist in PATH before passing them to QProcess
+  * Fix handling of null terminated ANI metadata with Qt6
+  * Add CI qt6 support
+
ldb
+- Update to version 2.6.2
+  + CVE-2023-0614: Not-secret but access controlled LDAP attributes
+    can be discovered; (bso#15270); (bsc#1209485).
+
libfastjson
+- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
+  large JSON file (bsc#1171479)
+  add 0001-Fix-CVE-2020-12762.patch
+
libqt5-qtbase
+- Amend patch to fix mouse grabbing as well (bsc#1211024):
+  * big-endian-scroll.patch
+
ncurses
+- Modify patch ncurses-6.1.dif
+  * Secure writing terminfo entries by setfs[gu]id in s[gu]id
+    (boo#1210434, CVE-2023-29491)
+  * Reading is done since 2000/01/17
+
open-iscsi
+- Remove "--strip" in SPEC file for meson build, so that
+  debuginfo is generated. (from mwilck) (bsc#1210536)
+
+- Build system: meson builds were ignoring optflags, and other
+  passed in compiler options.
+
+- Update iscsid.service so it starts iscsid.socket, if needed
+  (bsc#1206132).
+
openssh
+- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
+  This caused invalid and irrelevant environment assignments (bsc#1207014).
+
procps
+- Add patch bsc1209122-a6c0795d.patch
+  * Fix for bsc#1209122 to allow `-´ as leading character to ignore
+    possible errors on systctl entries
+
protobuf-c
+- ec3d9000.patch: fixes unsigned integer overflow
+  (bsc#1210323, CVE-2022-48468)
+
-- update to 0.15
-  - make protobuf_c_message_init() into a function (Issue #49, daveb)
-  - Fix for freeing memory after unpacking bytes w/o a default-value.
-    (Andrei Nigmatulin)
-  - minor windows portability issues (use ProtobufC_FD) (Pop Stelian)
-  - --with-endianness={little,big} (Pop Stelian)
-  - bug setting up values of has_idle in public dispatch,
-    make protobuf_c_dispatch_run() use only public members (daveb)
-  - provide cmake support and some Windows compatibility (Nikita Manovich)
-
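Review bot: the removed lines drop the whole "update to 0.15" changelog entry in the same change that adds ec3d9000.patch for CVE-2022-48468. Nothing in the new entry explains the removal. Keep the historical entry, or state in the new entry why it is dropped, so the security fix and the history cleanup can be audited separately.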
samba
+- Update to 4.17.7
+  * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
+    in cleartext; (bso#15315); (bsc#1209481).
+  * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be
+    deleted by unprivileged authenticated users; (bso#15276);
+    (bsc#1209483).
+  * CVE-2023-0614: samba: Access controlled AD LDAP attributes can
+    be discovered; (bso#15270); (bsc#1209485).
+  * large_ldap test is inefficient; (bso#15332).
+  * CVE-2020-25720 [SECURITY] Create Child permission should not
+    allow full write to all attributes (additional changes);
+    (bso#14810).
+- Update to 4.17.6
+  * streams_xattr is creating unexpected locks on folders;
+    (bso#15314).
+  * Use of the Azure AD Connect cloud sync tool is now supported
+    for password hash synchronisation, allowing Samba AD Domains
+    to synchronise passwords with this popular cloud environment;
+    (bso#10635).
+  * Spotlight doesn't work with latest macOS Ventura;
+    (bso#15299).
+  * New samba-dcerpc architecture does not scale gracefully;
+    (bso#15310).
+  * vfs_ceph incorrectly uses fsp_get_io_fd() instead of
+    fsp_get_pathref_fd() in close and fstat; (bso#15307).
+  * With clustering enabled samba-bgqd can core dump due to use
+    after free; (bso#15293).
+  * fd_load() function implicitly closes the fd where it should
+    not; (bso#15311).
+- Update to 4.17.5
+  * smbc_getxattr() return value is incorrect; (bso#14808).
+  * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not
+    handled correctly; (bso#15172).
+  * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210).
+  * samba-tool gpo listall fails IPv6 only - finddcs() fails to
+    find DC when there is only an AAAA record for the DC in DNS;
+    (bso#15226).
+  * smbd crashes if an FSCTL request is done on a stream handle;
+    (bso#15236).
+  * DFS links don't work anymore on Mac clients since 4.17;
+    (bso#15277).
+  * vfs_virusfilter segfault on access, directory edgecase
+    (accessing NULL value); (bso#15283).
+  * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+    based SChannel on NETLOGON (additional changes); (bso#15240).
+  * %U for include directive doesn't work for share listing
+    (netshareenum); (bso#15243).
+  * Shares missing from netshareenum response in samba 4.17.4;
+    (bso#15266).
+  * ctdb: use-after-free in run_proc; (bso#15269).
+  * irpc_destructor may crash during shutdown; (bso#15280).
+  * auth3_generate_session_info_pac leaks wbcAuthUserInfo;
+    (bso#15286).
+  * smbclient segfaults with use after free on an optimized
+    build; (bso#15268).
+  * smbstatus leaking files in msg.sock and msg.lock;
+    (bso#15282).
+  * Leak in wbcCtxPingDc2; (bso#15164).
+  * Access based share enum does not work in Samba 4.16+;
+    (bso#15265).
+  * Crash during share enumeration; (bso#15267).
+  * rep_listxattr on FreeBSD does not properly check for reads
+    off end of returned buffer; (bso#15271).
+  * Avoid relying on C89 features in a few places; (bso#15281).
+
shadow
+- bsc#1210507 (CVE-2023-29383):
+  Check for control characters
+- Add shadow-CVE-2023-29383.patch
+
shim
+- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458.
+  The issue be fixed by upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737)
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+  signature. When submit request on IBS for updating SLE shim, the submitreq
+  project be generated, but it always be blocked by checking the signature
+  of openSUSE shim.
+  It doesn't make sense checking openSUSE shim signature when building
+  SLE shim on SLE platform, and vice versa. So the following change adds the
+  logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+  When and only when hash mismatch and distro_id match with suffix, stop
+  building.
+    [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+    [#] when hash mismatch and distro_id match with suffix, stop building
+
+- Upgrade shim-install for bsc#1210382
+  After closing Leap-gap project since Leap 15.3, openSUSE Leap direct
+  uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
+  CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
+  so all files in /boot/efi/EFI/boot are not updated.
+  The 86b73d1 patch added the logic that using ID field in os-release for
+  checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
+  Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
+- https://github.com/SUSE/shim-resources (git log --oneline)
+  86b73d1 Fix that bootx64.efi is not updated on Leap
+  f2e8143 Use the long name to specify the grub2 key protector
+  7283012 cryptodisk: support TPM authorized policies
+  49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
+  26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
+  5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
+  a5c5734 Introduce --no-grub-install option
+
-  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
+  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)
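Review bot: per the two "[#]" lines, the build stops only when the hash mismatches and distro_id matches the suffix, so a mismatch on the other distribution's signature now passes without any trace. Suggest logging a warning for the skipped comparison so a stale or wrong signature file is still visible in the build log. The entry should also say where this logic lives (spec file or script), which the text does not name.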
snapper
+- avoid stale btrfs qgroups on transactional systems (bsc#1210151)
+  * added pr805.patch
+- wait for existing btrfs quota rescans to finish (bsc#1210150)
+  * added pr790.patch
+
vim
+- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
+  * Revert the creation standalone xxd packages
+
+- Updated to version 9.0 with patch level 1443, fixes the following security problems
+  * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
+  * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
+  * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
+- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
+  remove during %prep anyway. And this breaks quilt setup.
+- for the complete list of changes see
+  https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443
+
webkit2gtk3
+- Update to version 2.38.6 (boo#1210295 boo#1210731):
+  + Enable the Asynchronous Clipboard API to make certain pages
+    work (e.g. GithHub started recently requiring it).
+  + Support :has() CSS selectors in content filters.
+  + Apply basic font properties as font variation settings.
+  + The Bubblewrap sandbox no longer requires setting an
+    application identifier via GApplication to operate correctly.
+    Using GApplication is still recommended, but optional.
+  + Improvements to the GStreamer multimedia playback, in
+    particular around MSE, WebRTC, and seeking.
+  + Fix the build with journald support enabled when using elogind
+    instead of the systemd libraries.
+  + Fix the build with Link-Time Optimization enabled (-flto=auto).
+  + Fix context menus not working in the remote Web Inspector.
+  + Fix usage of the remote Web Inspector over HTTP.
+  + Fix debug logs not being emitted in release builds.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2022-0108, CVE-2023-28205, CVE-2022-32885,
+    CVE-2023-27932, CVE-2023-27954.
+
-  + Security fixes: CVE-2022-32886, CVE-2022-32912.
+  + Security fixes: CVE-2022-32886, CVE-2022-32912, CVE-2023-25358,
+    CVE-2023-25360, CVE-2023-25361, CVE-2023-25362, CVE-2023-25363.
yast2-network
+- Do not write the EAP auth attribute when writing a wireless
+  wicked configuration using the EAP mode as TLS (bsc#1211026)
+- 4.5.20
+
+- Fix summary crash when there is no interface available
+  (bsc#1209589, bsc#1211161).
+- 4.5.19
+
zlib
+- Fix deflateBound() before deflateInit(), bsc#1210593, bsc#1211005
+  bsc1210593.patch
+