Removed rpms
============
- libBasicUsageEnvironment1

Added rpms
==========
- libBasicUsageEnvironment2
- wicked-nbft

Package Source Changes
======================
ImageMagick
+ fix CVE-2022-44267 [bsc#1207982], denial of service when parsing a PNG image
+ fix CVE-2022-44268 [bsc#1207983], arbitrary file disclosure when parsing a PNG image
+ + ImageMagick-CVE-2022-44267,44268.patch
+
+- security update
+- added patches
NetworkManager-applet
+- Add meson-0.61-build-fix.patch to fix the build on meson >= 0.61
+ (jsc#PED-2644, glgo#GNOME/network-manager-applet!107)
+
apr-util
+- security fix CVE-2022-25147, bsc#1207866: buffer overflow
+ possible with specially crafted input
+ + added patch apr-util-CVE-2022-25147.patch
+
bind
+- Update to release 9.16.37
+ Security Fixes:
+ * An UPDATE message flood could cause named to exhaust all
+ available memory. This flaw was addressed by adding a new
+ update-quota option that controls the maximum number of
+ outstanding DNS UPDATE messages that named can hold in a queue
+ at any given time (default: 100). (CVE-2022-3094)
+ * named could crash with an assertion failure when an RRSIG query
+ was received and stale-answer-client-timeout was set to a
+ non-zero value. This has been fixed. (CVE-2022-3736)
+ * named running as a resolver with the
+ stale-answer-client-timeout option set to any value greater
+ than 0 could crash with an assertion failure, when the
+ recursive-clients soft quota was reached. This has been fixed.
+ (CVE-2022-3924)
+ New Features:
+ * The new update-quota option can be used to control the number
+ of simultaneous DNS UPDATE messages that can be processed to
+ update an authoritative zone on a primary server, or forwarded
+ to the primary server by a secondary server. The default is
+ 100. A new statistics counter has also been added to record
+ events when this quota is exceeded, and the version numbers for
+ the XML and JSON statistics schemas have been updated.
+ Feature Changes:
+ * The Differentiated Services Code Point (DSCP) feature in BIND
+ has been deprecated. Configuring DSCP values in named.conf now
+ causes a warning to be logged. Note that this feature has only
+ been partly operational since the new Network Manager was
+ introduced in BIND 9.16.0.
+ * The catalog zone implementation has been optimized to work with
+ hundreds of thousands of member zones.
+ Bug Fixes:
+ * In certain query resolution scenarios (e.g. when following
+ CNAME records), named configured to answer from stale cache
+ could return a SERVFAIL response despite a usable, non-stale
+ answer being present in the cache. This has been fixed.
+ [bsc#1207471, bsc#1207473, bsc#1207475, jsc#SLE-24600]
+
+- Update to release 9.16.36
+ Feature Changes:
+ * The auto-dnssec option has been deprecated and will be removed
+ in a future BIND 9.19.x release. Please migrate to
+ dnssec-policy.
+ Bug Fixes:
+ * When a catalog zone was removed from the configuration, in some
+ cases a dangling pointer could cause the named process to
+ crash.
+ * When a zone was deleted from a server, a key management object
+ related to that zone was inadvertently kept in memory and only
+ released upon shutdown. This could lead to constantly
+ increasing memory use on servers with a high rate of changes
+ affecting the set of zones being served.
+ * In certain cases, named waited for the resolution of
+ outstanding recursive queries to finish before shutting down.
+ * The zone <name>/<class>: final reference detached log message
+ was moved from the INFO log level to the DEBUG(1) log level to
+ prevent the named-checkzone tool from superfluously logging
+ this message in non-debug mode.
+ [jsc#SLE-24600]
+
curl
+- Security Fix: [bsc#1207992, CVE-2023-23916]
+ * HTTP multi-header compression denial of service
+ * Add curl-CVE-2023-23916.patch
+
+- Security Fixes:
+ * HSTS ignored on multiple requests [bsc#1207990, CVE-2023-23914]
+ * HSTS amnesia with --parallel [bsc#1207991, CVE-2023-23915]
+ * Add curl-CVE-2023-23914-23915.patch
+
f2fs-tools
+- Replace transitional %usrmerged macro with regular version check (boo#1206798)
+
freerdp
+- Multiple CVE fixes (bsc#1205512)
+ + Add freerdp-Added-missing-length-checks-in-zgfx_decompress_segme.patch
+ * Fixes CVE-2022-39316 & CVE-2022-39317
+ + Add freerdp-CVE-2022-39320.patch
+ * Added missing length check in urb_control_transfer
+ + Add freerdp-CVE-2022-39347.patch
+ * Fix path validation in drive channel
+ + Add freerdp-CVE-2022-41877.patch
+ * Fixed missing stream length check in drive_file_query_directory
+
gnome-chess
+- Update to version 43.1:
+ + Fix build with latest valac.
+ + Fix keyboard shortcuts dialog.
+ + Updated translations.
+
gnome-sudoku
+- Update to version 43.1:
+ + Revert "Fix redundant undo stack entries for earmarks".
+ + Warnings when solution to puzzle is violated no longer consider
+ earmarks.
+ + Updated translations.
+
graphite2
+- fixed license string [bsc#1207676]:
+ LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later
+
-- Remove harfbuzz dep. Breaks another buildcycle.
- This effectively means we are not running tests. No functional
- changes otherwise.
-
-- Remove texlive dep to remove dep circle.
-
-- Use rpath so the tests work.
-
-- Enable the tests. They work on 13.1 but fail on Factory...
-
-- Version bump to 1.2.4:
- * Various bugfixes
- * Expanded testsuite
-- Remove graphite2-arm.patch - applied upstream
-- Add patches from debian:
- * soname.diff
- * no-specific-nunit-version.diff
-- Run^Wdocument tests and generate documentation
-
-- Use cmake macros for nice and tidy setup.
-
-- Add baselibs.conf and provide libgraphite2-3-32bit, which is at
- this moment required by harfbuzz.
-
-- graphite2-arm.patch :Fix build in arm and possible other platforms, we should
- notuse -nodefaultlibs as a linker flag and let the system
- do its job automatically.
-- freetype-devel should be freetype2-devel
-
-- license update: LGPL-2.1+ or GPL-2.0+ or MPL-1.1
- See License file (most source code notices concur)
-
-- Whitespace trying to figure out why spec file is interpreted as
- binary.
-
-- Fix desc not to mention libexttextcat.
-
-- Initial commit version 1.2.0.
-
kernel-default
+- aquantia: Do not purge addresses when setting the number of
+ rings (jsc#PED-1530).
+- commit 39a03b2
+
+- net: atlantic: macsec: clear encryption keys from the stack
+ (jsc#PED-1530).
+- commit 643f719
+
+- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530).
+- commit 4a9a64f
+
+- net: atlantic: fix potential memory leak in aq_ndev_close()
+ (jsc#PED-1530).
+- commit 719db2f
+
+- net: atlantic: remove aq_nic_deinit() when resume
+ (jsc#PED-1530).
+- commit ff2f581
+
+- net: atlantic: remove deep parameter on suspend/resume functions
+ (jsc#PED-1530).
+- commit 9e96b4d
+
+- net: atlantic:fix repeated words in comments (jsc#PED-1530).
+- commit d6d4ffb
+
+- net: atlantic: verify hw_head_ lies within TX buffer ring
+ (jsc#PED-1530).
+- commit 7059ede
+
+- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530).
+- commit e719b81
+
+- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530).
+- commit b04c254
+
+- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530).
+- commit 0263576
+
+- Update
+ patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
+ (bsc#1207361 bsc#1207036 CVE-2023-23454).
+- commit 521fdca
+
+- Update
+ patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
+ (bsc#1207361 bc#1207125 CVE-2023-23455).
+- commit c8b6243
+
+- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511
+ CVE-2023-0468).
+- io_uring: make poll refs more robust (bsc#1207511
+ CVE-2023-0468).
+- io_uring: cmpxchg for poll arm refs release (bsc#1207511
+ CVE-2023-0468).
+- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
+- io_uring: update res mask in io_poll_check_events (bsc#1207511
+ CVE-2023-0468).
+- commit 4fe9bfe
+
+- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and
+ wakeups (bsc#1207100).
+- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100).
+- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100).
+- commit 9e5a117
+
+- fbdev: Fix invalid page access after closing deferred I/O
+ devices (bsc#1207284).
+- commit 6a8d940
+
+- ipmi:ssif: Add 60ms time internal between write retries
+ (bsc#1206459).
+- ipmi:ssif: Increase the message retry time (bsc#1206459).
+- commit 14626c0
+
kernel-kvmsmall
+- aquantia: Do not purge addresses when setting the number of
+ rings (jsc#PED-1530).
+- commit 39a03b2
+
+- net: atlantic: macsec: clear encryption keys from the stack
+ (jsc#PED-1530).
+- commit 643f719
+
+- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530).
+- commit 4a9a64f
+
+- net: atlantic: fix potential memory leak in aq_ndev_close()
+ (jsc#PED-1530).
+- commit 719db2f
+
+- net: atlantic: remove aq_nic_deinit() when resume
+ (jsc#PED-1530).
+- commit ff2f581
+
+- net: atlantic: remove deep parameter on suspend/resume functions
+ (jsc#PED-1530).
+- commit 9e96b4d
+
+- net: atlantic:fix repeated words in comments (jsc#PED-1530).
+- commit d6d4ffb
+
+- net: atlantic: verify hw_head_ lies within TX buffer ring
+ (jsc#PED-1530).
+- commit 7059ede
+
+- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530).
+- commit e719b81
+
+- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530).
+- commit b04c254
+
+- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530).
+- commit 0263576
+
+- Update
+ patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
+ (bsc#1207361 bsc#1207036 CVE-2023-23454).
+- commit 521fdca
+
+- Update
+ patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
+ (bsc#1207361 bc#1207125 CVE-2023-23455).
+- commit c8b6243
+
+- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511
+ CVE-2023-0468).
+- io_uring: make poll refs more robust (bsc#1207511
+ CVE-2023-0468).
+- io_uring: cmpxchg for poll arm refs release (bsc#1207511
+ CVE-2023-0468).
+- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
+- io_uring: update res mask in io_poll_check_events (bsc#1207511
+ CVE-2023-0468).
+- commit 4fe9bfe
+
+- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and
+ wakeups (bsc#1207100).
+- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100).
+- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100).
+- commit 9e5a117
+
+- fbdev: Fix invalid page access after closing deferred I/O
+ devices (bsc#1207284).
+- commit 6a8d940
+
+- ipmi:ssif: Add 60ms time internal between write retries
+ (bsc#1206459).
+- ipmi:ssif: Increase the message retry time (bsc#1206459).
+- commit 14626c0
+
less
+- Apply "cve-2022-46663.patch" to fix a vulnerability in less that
+ could be exploited for denial-of-service attacks or even remote
+ code execution by printing specially crafted escape sequences to
+ the terminal.
+ [CVE-2022-46663, bsc#1207815]
+
libmwaw
+- update to 0.3.21 (jsc#PED-1785):
+ * add debug code to read some private rsrc data
+ + allow to read some MacWrite which does not have printer informations
+ * add a parser for Scoop files
+ * add a parser for ScriptWriter files
+ * add a parser for ReadySetGo 1-4 files
+
libreoffice
+- Update to 7.4.3.2 (jsc#PED-1785):
+ You can check for 7.4 release notes here:
+ https://wiki.documentfoundation.org/ReleaseNotes/7.4
+ You can check for each minor release notes here:
+ https://wiki.documentfoundation.org/Releases/7.4.3/RC2
+ https://wiki.documentfoundation.org/Releases/7.4.3/RC1
+ https://wiki.documentfoundation.org/Releases/7.4.2/RC3
+ https://wiki.documentfoundation.org/Releases/7.4.2/RC2
+ https://wiki.documentfoundation.org/Releases/7.4.2/RC1
+ https://wiki.documentfoundation.org/Releases/7.4.1/RC2
+ https://wiki.documentfoundation.org/Releases/7.4.1/RC1
+ https://wiki.documentfoundation.org/Releases/7.4.0/RC3
+ https://wiki.documentfoundation.org/Releases/7.4.0/RC2
+ https://wiki.documentfoundation.org/Releases/7.4.0/RC1
+- Updated bundled dependencies:
+ * boost_1_77_0.tar.xz -> boost_1_79_0.tar.xz
+ * curl-7.83.1.tar.xz -> curl-7.86.0.tar.xz
+ * icu4c-70_1-data.zip -> icu4c-71_1-data.zip
+ * icu4c-70_1-src.tgz -> icu4c-71_1-src.tgz
+ * pdfium-4699.tar.gz2 -> pdfium-5058.tar.bz2
+ * poppler-21.11.0.tar.xz -> poppler-22.09.0.tar.xz
+ * poppler-data-0.4.10.tar.gz -> poppler-data-0.4.11.tar.gz
+ * skia-m97-a7230803d64ae9d44f4e1282444801119a3ae967.tar.xz
+ - > skia-m103-b301ff025004c9cd82816c86c547588e6c24b466.tar.xz
+- Added patches:
+ * fix_harfbuzz_on_sle12_sp5.patch
+ * fix_webp_on_sle12_sp5.patch
+ * use-fixmath-shared-library.patch
+- Refresh fix_gtk_popover_on_3.20.patch
+- Removed upstreamed patches:
+ * bsc1197498.patch
+ * bsc1200009.patch
+ * bsc1201093.patch
+ * bsc1202032.patch
+ * bsc1202114.patch
+ * CVE-2022-3140-4.patch
+
live555
+- update to 2023.01.19:
+ - By default, we no longer compile
"groupsock/NetAddress.cpp" for Windows to use + "gethostbyname()", because of a report that this breaks IPv6 name resolution. + +- update to 2023.01.11: + * Updated the "BasicTaskScheduler"/"DelayQueue" implementation to make the 'token counter' + a field of the task scheduler object, rather than having it be a static variable. + This avoids potential problems if an application uses more than one thread (with each thread + having its own task scheduler). + mozilla-nss +- update to NSS 3.79.4 (bsc#1208138) + * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. + (CVE-2023-0767) + tiff + * CVE-2022-48281 [bsc#1207413] + + tiff-CVE-2022-48281.patch + +- security update: transmission +- Apply downstream patch from Gentoo to fix a crash with openSSL 3 + (boo#1207914): + * transmission-3.00-openssl-3.patch + +- boo#1207555: Transmission can't open Bittorrent v2 torrents + Add transmission-hybrid-torrent-length.patch + xf86-input-joystick +- Update to version 1.6.4 + * Fix quoting in man page synopsis section + * Update README for gitlab migration + * Update configure.ac bug URL for gitlab migration + * Fix spelling/wording issues + * gitlab CI: add a basic build test + * gitlab CI: stop requiring Signed-off-by in commits + * autogen.sh: Implement GNOME Build API + * autogen.sh: use quoted string variables + * Adapt to USB HID header changes on NetBSD-8.99.9. 
+ * autogen: add default patch prefix
+ * configure: Drop AM_MAINTAINER_MODE
+ * autogen.sh: use exec instead of waiting for configure to finish
+
xf86-video-voodoo
+- update to 1.2.6:
+ * Remove miInitializeBackingStore
+ Stop using deprecated xf86PciInfo.h
+ Fix spelling/wording issues
+ Build xz tarballs instead of bzip2
+ Update configure.ac bug URL for gitlab migration
+ autogen: add default patch prefix
+ autogen.sh: use quoted string variables
+ autogen.sh: use exec instead of waiting for configure to finish
+ autogen.sh: Honor NOCONFIGURE=1
+ configure: Drop AM_MAINTAINER_MODE
+ don't use PCITAG in struct anymore
+- drop U_don-t-use-PCITAG-in-struct-anymore.patch (upstream)
+
yast2-bootloader
+- make secure boot for ppc64 consistent with how secure boot works
+ on other architectures (bsc#1206295)
+- 4.5.8
+
yast2-iscsi-client
+- Expose all core functionality from IscsiClientLib, with options
+ to suppress usage of pop-ups (related t gh#yast/d-installer#402).
+
+- Finish client: copy the content of both /etc/iscsi and
+ /var/lib/iscsi (bsc#1207374).
+- Finish client: never enable both the iscsid socket and the
+ service (partial fix for bsc#1207839).
+- 4.5.7
+
yast2-network
+- Fix calling method read on nil crash in bootloader caused by
+ not restoring SCR chroot in save_network client when running
+ in autoyast (bsc#1207968)
+- 4.5.16
+
yast2-packager
+- Prevent crash if nil dependencies instead of [] (bsc#1208068)
+- 4.5.14
+