Packages changed:
  MozillaFirefox (134.0 -> 134.0.1)
  apache2-mod_php8 (8.3.15 -> 8.3.16)
  gnome-control-center
  libgee (0.20.6 -> 0.20.8)
  libsoup (3.6.3 -> 3.6.4)
  llvm19 (19.1.6 -> 19.1.7)
  meson
  openSUSE-release (20250117 -> 20250118)
  php8 (8.3.15 -> 8.3.16)
  python-httpx
  rsync (3.3.0 -> 3.4.1)
  suse-module-tools (16.0.55 -> 16.0.56)

=== Details ===

==== MozillaFirefox ====
Version update (134.0 -> 134.0.1)
Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common

- Mozilla Firefox 134.0.1
  * Fixed UI hangs happening on YouTube and Google Docs in some situations (bmo#1939295)
  * Fixed a startup crash affecting some users upgrading from Firefox 133 (bmo#1941134)
  * Fixed an issue where search engines selection menus and context menus could be broken if a user had previously reverted to an earlier version (bmo#1940533)
- raised required rust version to 1.81

==== apache2-mod_php8 ====
Version update (8.3.15 -> 8.3.16)

- version update to 8.3.16
  Core:
    Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
    Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
    Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
    Fixed bug GH-17211 (observer segfault on function loaded with dl()).
    Fixed bug GH-17216 (Trampoline crash on error).
  Date:
    Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
  DBA:
    Skip test if inifile is disabled.
  DOM:
    Fixed bug GH-17224 (UAF in importNode).
  Embed:
    Make build command for program using embed portable.
  FFI:
    Fixed bug #79075 (FFI header parser chokes on comments).
    Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
    Fixed bug GH-16013 and bug #80857 (Big endian issues).
  Filter:
    Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).
  FPM:
    Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
    Fixed bug GH-17112 (Macro redefinitions).
    Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
  GD:
    Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
    Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
  Gettext:
    Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
  Iconv:
    Fixed bug GH-17047 (UAF on iconv filter failure).
  LDAP:
    Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
  LibXML:
    Fixed bug GH-17223 (Memory leak in libxml encoding handling).
  MBString:
    Fixed bug GH-17112 (Macro redefinitions).
  Opcache:
    opcache_get_configuration() properly reports jit_prof_threshold.
    Fixed bug GH-17246 (GC during SCCP causes segfault).
  PCNTL:
    Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
  PgSql:
    Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
    Fixed further ArgumentCountError for calls with flexible number of arguments.
  Phar:
    Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
  SimpleXML:
    Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
    Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
  Sockets:
    Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
    Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
  SPL:
    Fixed bug GH-17225 (NULL deref in spl_directory.c).
  Streams:
    Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
    Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
    Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
  Windows:
    Hardened proc_open() against cmd.exe hijacking.
  XML:
    Fixed bug GH-1718 (unreachable program point in zend_hash).
- modified patches
  % php-build-reproducible-phar.patch (refreshed)

==== gnome-control-center ====
Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-lang gnome-control-center-user-faces gnome-control-center-users

- Recommend ppd-server instead of power-profiles-daemon: there is
  also tuned-ppd, which provides the same dbus interface. If the
  user does not choose between the two, we suggest the original
  power-profiles-daemon.
- Fix escaping of commented out patch: with RPM 4.20, %patch
  becomes a standard, expandable macro, that can span more than one
  line. Commenting out with #%patch can thus lead to invalid
  results.

==== libgee ====
Version update (0.20.6 -> 0.20.8)

- Update to version 0.20.8:
  + Fixes for newer valac.
- Drop patches fixed upstream:
  + ce8461ff6ea8ed79ce06b4241cb4fbb6d3d314f1.patch
  + b33a6627f4fc96938b6015e05849867c472160a8.patch
  + 2f0bbe8987e5eb1390b23ac531c971b202c2ef77.patch
- Add check section and run make check during build.

==== libsoup ====
Version update (3.6.3 -> 3.6.4)
Subpackages: libsoup-3_0-0 libsoup-lang typelib-1_0-Soup-3_0

- Update to version 3.6.4:
  + http2: Fix regression on 32bit systems when reading response data.

==== llvm19 ====
Version update (19.1.6 -> 19.1.7)
Subpackages: clang-tools clang19 libLLVM19 libclang-cpp19 libclang13 libclang_rt19 llvm19-gold

- Update to version 19.1.7.
  * This release contains bug-fixes for the LLVM 19.1.0 release.
    This release is API and ABI compatible with 19.1.0.
- Rebase llvm-do-not-install-static-libraries.patch.

==== meson ====
Subpackages: meson-vim

- Drop the bcond on setuptools, its primary flavor will live in Ring 0.
- Drop patch meson-distutils.patch, not required.
- Instruct autosetup macro to apply all patches.

==== openSUSE-release ====
Version update (20250117 -> 20250118)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== php8 ====
Version update (8.3.15 -> 8.3.16)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.3.16
  Core:
    Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
    Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
    Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
    Fixed bug GH-17211 (observer segfault on function loaded with dl()).
    Fixed bug GH-17216 (Trampoline crash on error).
  Date:
    Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
  DBA:
    Skip test if inifile is disabled.
  DOM:
    Fixed bug GH-17224 (UAF in importNode).
  Embed:
    Make build command for program using embed portable.
  FFI:
    Fixed bug #79075 (FFI header parser chokes on comments).
    Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
    Fixed bug GH-16013 and bug #80857 (Big endian issues).
  Filter:
    Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).
  FPM:
    Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
    Fixed bug GH-17112 (Macro redefinitions).
    Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
  GD:
    Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
    Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
  Gettext:
    Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
  Iconv:
    Fixed bug GH-17047 (UAF on iconv filter failure).
  LDAP:
    Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
  LibXML:
    Fixed bug GH-17223 (Memory leak in libxml encoding handling).
  MBString:
    Fixed bug GH-17112 (Macro redefinitions).
  Opcache:
    opcache_get_configuration() properly reports jit_prof_threshold.
    Fixed bug GH-17246 (GC during SCCP causes segfault).
  PCNTL:
    Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
  PgSql:
    Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
    Fixed further ArgumentCountError for calls with flexible number of arguments.
  Phar:
    Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
  SimpleXML:
    Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
    Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
  Sockets:
    Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
    Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
  SPL:
    Fixed bug GH-17225 (NULL deref in spl_directory.c).
  Streams:
    Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
    Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
    Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
  Windows:
    Hardened proc_open() against cmd.exe hijacking.
  XML:
    Fixed bug GH-1718 (unreachable program point in zend_hash).
- modified patches
  % php-build-reproducible-phar.patch (refreshed)

==== python-httpx ====

- Use libalternatives instead of update-alternatives, bsc#1235784
- don't run tests in strict async mode, upstream doesn't either
- disable flaky test

==== rsync ====
Version update (3.3.0 -> 3.4.1)

- Update to 3.4.1
  * BUG FIXES:
    - fixed handling of -H flag with conflict in internal flag values
    - fixed a use after free in logging of failed rename
    - fixed build on systems without openat()
    - removed dependency on alloca() in bundled popt
  * DEVELOPER RELATED:
    - fix to permissions handling in the developer release script
- Drop 705.patch, because now in upstream.
- update to 3.4.1
  * fixed handling of -H flag with conflict in internal flag values
    (replaces 705.patch)
  * fixed a use after free in logging of failed rename
  * fixed build on systems without openat()
  * removed dependency on alloca() in bundled popt
- Backport patch from PR 705 to fix broken handling of hashes and hard links:
  * Add 705.patch
- Update to 3.4
  * Bump to protocol 32
  Drop CVE patches:
  * Drop rsync-gcc14.patch
  * Removed rsync-CVE-2024-12084-overflow-01.patch
  * Removed rsync-CVE-2024-12084-overflow-02.patch
  * Removed rsync-CVE-2024-12085.patch
  * Removed rsync-CVE-2024-12086_01.patch
  * Removed rsync-CVE-2024-12086_02.patch
  * Removed rsync-CVE-2024-12086_03.patch
  * Removed rsync-CVE-2024-12086_04.patch
  * Removed rsync-CVE-2024-12087_01.patch
  * Removed rsync-CVE-2024-12087_02.patch
  * Removed rsync-CVE-2024-12088.patch
  * Removed rsync-CVE-2024-12747.patch
- Security update, CVE-2024-12747, bsc#1235475
  race condition in handling symbolic links
  * Added rsync-CVE-2024-12747.patch
- Security update, fix multiple vulnerabilities:
  * CVE-2024-12084, bsc#1234100 - Heap Buffer Overflow in Checksum Parsing
  * CVE-2024-12085, bsc#1234101 - Info Leak via uninitialized Stack contents defeats ASLR
  * CVE-2024-12086, bsc#1234102 - Server leaks arbitrary client files
  * CVE-2024-12087, bsc#1234103 - Server can make client write files outside of destination directory using symbolic links
  * CVE-2024-12088, bsc#1234104 - --safe-links Bypass
  * Added rsync-CVE-2024-12084-overflow-01.patch
  * Added rsync-CVE-2024-12084-overflow-02.patch
  * Added rsync-CVE-2024-12085.patch
  * Added rsync-CVE-2024-12086_01.patch
  * Added rsync-CVE-2024-12086_02.patch
  * Added rsync-CVE-2024-12086_03.patch
  * Added rsync-CVE-2024-12086_04.patch
  * Added rsync-CVE-2024-12087_01.patch
  * Added rsync-CVE-2024-12087_02.patch
  * Added rsync-CVE-2024-12088.patch

==== suse-module-tools ====
Version update (16.0.55 -> 16.0.56)
Subpackages: suse-module-tools-scriptlets

- Update to version 16.0.56:
  * rpm-script: create /boot/vmlinuz and /boot/initrd in kiwi environment
    (bsc#1234275, bsc#1234759)