Packages changed: MozillaFirefox cabextract (1.10 -> 1.11) elfutils-debuginfod exempi (2.6.2 -> 2.6.3) geoclue2 (2.6.0 -> 2.7.0) gptfdisk grep (3.8 -> 3.9) hwdata (0.367 -> 0.368) iproute2 (6.1 -> 6.2) libopenraw (0.3.1 -> 0.3.4) liborcus libplacebo libsndfile (1.1.0 -> 1.2.0) libtpms (0.9.5 -> 0.9.6) polkit-default-privs (1550+20230303.7726e9f -> 1550+20230307.7f42172) poppler (23.02.0 -> 23.03.0) poppler-qt5 (23.02.0 -> 23.03.0) python-anyio python-pytz (2022.7 -> 2022.7.1) re2 (20230201 -> 20230301) rubygem-actionpack-7.0 (7.0.4 -> 7.0.4.1) rubygem-actionview-7.0 (7.0.4 -> 7.0.4.1) rubygem-activemodel-7.0 (7.0.4 -> 7.0.4.1) rubygem-activerecord-7.0 (7.0.4 -> 7.0.4.1) rubygem-activesupport-7.0 (7.0.4 -> 7.0.4.1) rubygem-loofah (2.19.0 -> 2.19.1) rubygem-rails-html-sanitizer (1.4.3 -> 1.5.0) rubygem-yast-rake (0.2.47 -> 0.2.48) smartmontools swtpm (0.7.3 -> 0.8.0) wireless-regdb (20221205 -> 20230213) xterm (378 -> 379) yast2-auth-client (4.6.0 -> 4.6.1) yast2-auth-server (4.6.0 -> 4.6.1) yast2-nfs-client (4.5.1 -> 4.6.1)

=== Details ===

==== MozillaFirefox ====
- Limit memory use on riscv64

==== cabextract ====
Version update (1.10 -> 1.11)
- update to 1.11:
  * Fixed bug in creating directories given in archives, e.g. extracting file

==== elfutils-debuginfod ====
Subpackages: debuginfod-profile libdebuginfod1
- Fix file listing for 15.x builds.

==== exempi ====
Version update (2.6.2 -> 2.6.3)
- update to 2.6.3:
  * Fix null to int assignment error.

==== geoclue2 ====
Version update (2.6.0 -> 2.7.0)
Subpackages: system-user-srvGeoClue typelib-1_0-Geoclue-2_0
- Update to version 2.7.0:
  + Multiple config files named *.conf are now read from the config directory at @sysconfdir@/geoclue/conf.d.
  + HTTP requests are now made via libsoup3.0 instead of libsoup2.4.
  + A static location can now be set in @sysconfdir@/geolocation for immobile systems.
  + Web source requests are now submitted with combined WiFi and 3GPP tower data.
  + Web source now checks connectivity in a way that allows location and submission servers running on localhost.
  + Web source submissions are now made using the /v2/geosubmit API.
  + Web source cell tower submissions now have the correct radio type.
  + Web source requests now submit the BSS age property.
  + Web source submissions now contain the location speed.
  + Web source cache now respects WiFi signal tolerance strictly.
  + NMEA source now supports both '\n' and '\r' NMEA delimiters.
  + NMEA source can now be made the Web source submit source.
  + ModemManager now uses signaled calls to get cached location information, avoiding an explicit modem query.
  + Location description now contains information about its source.
  + GSettings backend no longer complains about being run from a read-only filesystem.
  + Many small improvements and fixes, some memory safety related.
- Drop 129.patch: Fixed upstream.

==== gptfdisk ====
- Add gptfdisk-fix-null-pointer-dereference.patch: Fix NULL pointer dereference in the previous patch; poptGetArg can return NULL, so it must not be passed to strdup directly (bsc#1208877).

==== grep ====
Version update (3.8 -> 3.9)
- Update to grep 3.9
  * With -P, some non-ASCII UTF8 characters were not recognized as word-constituent due to our omission of the PCRE2_UCP flag.
  * When given multiple patterns the last of which has a back-reference, grep no longer sometimes mistakenly matches lines.

==== hwdata ====
Version update (0.367 -> 0.368)
- update to 0.368:
  * Update pci, usb and vendor ids

==== iproute2 ====
Version update (6.1 -> 6.2)
Subpackages: iproute2-bash-completion
- Update to release 6.2
  * f_flower: Introduce L2TPv3 support
  * bridge: fdb: Add support for locked FDB entries
  * bridge: link: Add MAC Authentication Bypass (MAB) support
  * ip: Support --json on `ip neigh get`
  * tc: Add JSON output to tc-class

==== libopenraw ====
Version update (0.3.1 -> 0.3.4)
Subpackages: gdk-pixbuf-loader-libopenraw libopenraw9
- Update to version 0.3.4:
  * Added Canon R8 and R50.
  * Added Panasonic G95D* and S5M2.
  * Added Canon 200D Mk II*, EOS R6 MKII*, EOS R7* and EOS R10*.
  * Added DJI Mini 3 Pro / FC-3582 (DNG).
  * Added Fujifilm X-H2*, X-H2S*, X-T5*, S6000fd*, SL1000* and HS50EXR*.
  * Added Hasselblad L2D-20c / DJI Mavic 3 Cine (DNG).
  * Added Olympus C5060WZ*, SP570UZ* and E-P7*.
  * Added OM Systems OM-5*.
  * Added Panasonic FZ38*, FZ300*, FZ70, FZ72*, G6*, G70*, G81*, G90*, GM1S*, GX7 Mk3*, GX85*, LF1*, TZ71*, TZ81*, TZ90*, TZ96*, TZ101*, ZS40*/TZ60*/TZ61*.
  * Added Sony 7RM5*.
  * Added Leica D-LUX 6*.
  * Added Nikon Z 30*.
  * Added Epson RD-1X*.
  * Added Leica DIGILUX3*.
  * Added Nikon D1H*, D7500*, D850* and P7800*.
  * Added Olympus E30*, E420*, E450*, E520*, E600* and E-P5*.
  * Added Pentax K2000* and K-m* (PEF).
  * Ensure that RawFile::init() is never called twice. This would cause crashes if it was called concurrently.
  * Properly detect compressed data for Panasonic.
  * Fix the linkage of the mp4parse library with libtool.
  * Fixed the demo/ccfa to output the byte stream properly.
  * Fixed BitIterator code to peek past the number of bits for Olympus decoding.
  * Fixed decompression of packed Olympus ORF files.
  * Fixed over-reported size of Panasonic compressed Raw data.
==== liborcus ====
- Add include fix gcc13-fix.patch for the GCC 13 compiler.

==== libplacebo ====
- Correct BR from python3-jinja2 to python3-Jinja2, fixes dependency resolution on older distros

==== libsndfile ====
Version update (1.1.0 -> 1.2.0)
- update to 1.2.0:
  * Searching for LAME dependency with CMake build system (issue #821).
  * CMake build from Autotools tarball (issue #816).
  * Build on UWP platform (issue #824).
  * Fix signed integer overflow (issue #785).
  * Skipping large wav chunks on stdin (PR #819).

==== libtpms ====
Version update (0.9.5 -> 0.9.6)
- Update to 0.9.6:
  * CVE-2023-1018: tpm2: Fixed out of bounds read in CryptParameterDecryption (bsc#1206023)
  * CVE-2023-1017: tpm2: Fixed out of bounds write in CryptParameterDecryption (bsc#1206022)

==== polkit-default-privs ====
Version update (1550+20230303.7726e9f -> 1550+20230307.7f42172)
- Update to version 1550+20230307.7f42172:
  * Whitelist kde-inotify-survey (bsc#1208689)

==== poppler ====
Version update (23.02.0 -> 23.03.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 libpoppler126 poppler-tools
- update to 23.03.0:
  core:
  * PngWriter: Fix potential uninitialized memory use

==== poppler-qt5 ====
Version update (23.02.0 -> 23.03.0)
- update to 23.03.0:
  core:
  * PngWriter: Fix potential uninitialized memory use

==== python-anyio ====
- Add patch support-trio-0.22.patch:
  * Support trio >= 0.22 just enough for asyncclick.

==== python-pytz ====
Version update (2022.7 -> 2022.7.1)
- update to 2022.7.1:
  * fixes to documentation formatting

==== re2 ====
Version update (20230201 -> 20230301)
- update to 2023-03-01:
  * changes for other platforms

==== rubygem-actionpack-7.0 ====
Version update (7.0.4 -> 7.0.4.1)
- Update to version 7.0.4.1, see installed CHANGELOG.md
  fix CVE-2023-22795 (bsc#1207451)
  fix CVE-2023-22792 (bsc#1207455)
  ## Rails 7.0.4.1 (January 17, 2023) ##
  * Fix security issue with _url_host_allowed?
    Disallow certain strings from `_url_host_allowed?` to avoid a redirect to malicious sites.
    [CVE-2023-22797]
  * Avoid regex backtracking on If-None-Match header
    [CVE-2023-22795]
  * Use string#split instead of regex for domain parts
    [CVE-2023-22792]

==== rubygem-actionview-7.0 ====
Version update (7.0.4 -> 7.0.4.1)
- updated to version 7.0.4.1, see installed CHANGELOG.md
  ## Rails 7.0.4.1 (January 17, 2023) ##
  * No changes.

==== rubygem-activemodel-7.0 ====
Version update (7.0.4 -> 7.0.4.1)
- updated to version 7.0.4.1, see installed CHANGELOG.md
  ## Rails 7.0.4.1 (January 17, 2023) ##
  * No changes.

==== rubygem-activerecord-7.0 ====
Version update (7.0.4 -> 7.0.4.1)
- updated to version 7.0.4.1, see installed CHANGELOG.md
  fix CVE-2022-44566 (bsc#1207450)
  ## Rails 7.0.4.1 (January 17, 2023) ##
  * Make sanitize_as_sql_comment more strict
    Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.
    This commit makes the sanitization more robust by replacing any occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.
    This also clarifies in the documentation of annotate that it should not be provided user input.
    [CVE-2023-22794]
  * Added integer width check to PostgreSQL::Quoting
    Given a value outside the range for a 64bit signed integer type, PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.
    This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
    [CVE-2022-44566]

==== rubygem-activesupport-7.0 ====
Version update (7.0.4 -> 7.0.4.1)
- update to version 7.0.4.1, see installed CHANGELOG.md
  fix CVE-2023-22796 (bsc#1207454)
  ## Rails 7.0.4.1 (January 17, 2023) ##
  * Avoid regex backtracking in Inflector.underscore
    [CVE-2023-22796]

==== rubygem-loofah ====
Version update (2.19.0 -> 2.19.1)
- updated to version 2.19.1
  ## 2.19.1 / 2022-12-13
  ### Security
  * Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
  * Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
  * Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.

==== rubygem-rails-html-sanitizer ====
Version update (1.4.3 -> 1.5.0)
- updated to version 1.5.0
  * SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags. By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing prune: true to any of these classes' constructors. @seyerian
  ## 1.4.4 / 2022-12-13
  * Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information. _Mike Dalessio_
  * Address improper sanitization of data URIs. Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information. _Mike Dalessio_
  * Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information. _Mike Dalessio_
  * Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information. _Mike Dalessio_

==== rubygem-yast-rake ====
Version update (0.2.47 -> 0.2.48)
- Allow overriding the submit target using YAST_SUBMIT also when the target is set in the Rakefile (related to bsc#1208913)
- Removed support for the yast-rake-ci gem, it is not used anymore
- 0.2.48

==== smartmontools ====
- fix smartctl crash for an NVMe on big endian systems [bsc#1208905]
- added patch with the fix from https://www.smartmontools.org/changeset/5448:
  + smartmontools-smartctl-NVMe-big-endian.patch

==== swtpm ====
Version update (0.7.3 -> 0.8.0)
Subpackages: swtpm-selinux
- Drop trousers requirement
- Update to version 0.8.0:
  * swtpm:
    + Implement release-lock-outgoing parameter for --migration option
    + Introduce --migration option and 'incoming' parameter
    + Implement terminate parameter for ctrl channel loss
    + Add a chroot option
    + Introduce disable-auto-shutdown flag for --flags option
    + If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
    + Add some more recent syscalls to seccomp profile
    + Disable OpenSSL FIPS mode to avoid libtpms failures
    + Avoid locking directory multiple times
    + Remove support for pre-v0.1 state files without header
    + Use uint64_t in tlv_data_append() to avoid integer overflows
    + Use uint64_t to avoid integer wrap-around when adding a uint32_t
    + Do not chdir(/) when using --daemon
    + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
    + Fixes for gcc 12.2.1 -fanalyzer
  * build-sys:
    + Fix configure script to support _FORTIFY_SOURCE=3
    + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
  * swtpm-localca:
    + Re-implement variable resolution for swtpm-localca.conf
    + Test for available issuercert before creating CA
  * swtpm_setup:
    + Configure swtpm to log to stdout/err if needed (glib >=2.74)
  * tests:
    + Use ${WORKDIR} in config files to test environment variable replacement
    + Patch IBM TSS2 test suite for OpenSSL 3.x
  * build-sys:
    + Add probing for -fstack-protector

==== wireless-regdb ====
Version update (20221205 -> 20230213)
- Update to version 20230213:
  * wireless-regdb: update regulatory database based on preceding changes
  * wireless-regdb: Update regulatory info for Russia (RU) on 5GHz

==== xterm ====
Version update (378 -> 379)
Subpackages: xterm-bin xterm-resize
- update to 379:
  * improve text-cursor (patch by Jan Engelhardt):
    + allow selecting CURSOR_BAR mode from command-line/Xresources.
    + draw cursor using filled rectangle instead of rectangle outline to permit thicker underlines/bars.
    + scale up cursor relative to font size.
  * improve readline modes (Fedora #2166860):
    + document readline modes
    + change the feature to configure by default
    + replace hard-coded SS3 for cursor movement with current mode
    + replace hard-coded erase/lnext characters with current values
  * improve status-line (report by Thomas Wolff):
    + RIS turns off status-line
    + Right-margin (DECLRMM and DECSLRM) limits the length of text written/updated in the status-line.
    + Most controls which affect the whole screen are ignored while updating the status-line.
  * modify configure check for tgetent to allow for some special cases of ncurses configuration
  * reduce timeout, improve warning message if resize is run on a terminal which is not VT100-compatible.
  * reduce compiler warnings in configure script.
- drop xterm-enable_libtinfo.patch (obsolete)

==== yast2-auth-client ====
Version update (4.6.0 -> 4.6.1)
- Stop using File.exists? which no longer works in Ruby 3.2 (bsc#1206419)
- 4.6.1

==== yast2-auth-server ====
Version update (4.6.0 -> 4.6.1)
- Stop using File.exists? which no longer works in Ruby 3.2 (bsc#1206419)
- 4.6.1

==== yast2-nfs-client ====
Version update (4.5.1 -> 4.6.1)
- Fixed unit test to not read the values from the current system (bsc#1209007)
- 4.6.1
- Bump version to 4.6.0 (bsc#1208913)
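The two ActiveRecord 7.0.4.1 hardening changes described under rubygem-activerecord-7.0 above (CVE-2023-22794 and CVE-2022-44566) are easiest to see in code. The following Ruby is an added example written for this page, not Rails' own implementation: `sanitize_as_sql_comment`, `annotate_sql`, `quote_int64` and `IntegerOutOf64BitRange` are hypothetical stand-ins, and the hostile annotation string is constructed. It applies the changelog's strategy, one pass that removes a single surrounding comment, then spacing out every remaining "/*" and "*/", and a range check that rejects integers wider than a signed 64-bit column.

```ruby
# Added example, not Rails code: minimal stand-ins for the two ActiveRecord
# 7.0.4.1 hardening changes. All names below are hypothetical.

# Range of a signed 64-bit integer column (PostgreSQL bigint).
INT64_RANGE = (-(2**63))..(2**63 - 1)

# Hypothetical counterpart of the error Rails raises for too-wide integers.
class IntegerOutOf64BitRange < StandardError; end

# Hypothetical stand-in for sanitize_as_sql_comment. The text is destined for
# a "/* ... */" annotation appended to a query, so it must never be able to
# close that comment early and leave trailing SQL outside of it.
#
# Strategy, as described in the changelog:
#   1. one pass that removes a single surrounding "/* ... */" wrapper, for
#      callers that relied on the old behaviour of stripping it;
#   2. neutralise every remaining comment delimiter by spacing it out:
#      "/*" -> "/ *" and "*/" -> "* /".
# Order matters: once every "/*" is gone, the "/" of any remaining "*/" is
# never followed by "*", so the second pass cannot manufacture a new "/*".
def sanitize_as_sql_comment(value)
  comment = value.to_s
  comment = comment.sub(%r{\A\s*/\*\s?(.*?)\s?\*/\s*\z}m, '\1')
  comment.gsub("/*", "/ *").gsub("*/", "* /")
end

# Wrap a sanitised annotation the way a query builder would.
def annotate_sql(sql, comment)
  "#{sql} /* #{sanitize_as_sql_comment(comment)} */"
end

# Hypothetical stand-in for the integer width check added to
# PostgreSQL::Quoting. An integer literal that does not fit a signed 64-bit
# column makes PostgreSQL compare the column against a numeric value, which
# can turn an index lookup into a sequential scan; raising surfaces that as an
# application error. The keyword mirrors raise_int_wider_than_64bit: with it
# set to false the value passes through unchecked (hypothetical legacy path).
def quote_int64(value, raise_int_wider_than_64bit: true)
  if !INT64_RANGE.cover?(value) && raise_int_wider_than_64bit
    raise IntegerOutOf64BitRange, "#{value} does not fit in a signed 64-bit integer"
  end
  value.to_s
end

if $PROGRAM_NAME == __FILE__
  puts annotate_sql("SELECT 1", "app:search")
  # Constructed hostile annotation: the closing delimiter is spaced out, so
  # the SQL after it stays inside the comment.
  puts annotate_sql("SELECT 1", "x */ DROP TABLE users; /*")
  begin
    quote_int64(2**63)
  rescue IntegerOutOf64BitRange => e
    puts "rejected: #{e.message}"
  end
end
```

The delimiter-spacing approach is deliberately simple: it does not try to parse SQL, it only guarantees that no substring of the annotation can open or close a comment, which is the whole property the annotation site needs.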