Packages changed:
  ImageMagick (7.1.0.37 -> 7.1.0.44)
  avahi
  cockpit
  codec2 (1.0.3 -> 1.0.5)
  cups
  curl (7.83.1 -> 7.84.0)
  gpg2 (2.3.6 -> 2.3.7)
  kdump (1.0.2+git13.ge715180 -> 1.0.2+git17.g491c742)
  kernel-firmware (20220622 -> 20220714)
  libcap (2.64 -> 2.65)
  libdmtx (0.7.5 -> 0.7.7)
  libnettle (3.8 -> 3.8.1)
  libstorage-ng (4.5.31 -> 4.5.33)
  libuv (1.44.1 -> 1.44.2)
  perl
  polkit
  poppler (22.06.0 -> 22.07.0)
  poppler-qt5 (22.06.0 -> 22.07.0)
  redis (7.0.3 -> 7.0.4)
  shim
  yast2-bootloader (4.5.1 -> 4.5.2)

=== Details ===

==== ImageMagick ====
Version update (7.1.0.37 -> 7.1.0.44)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.0.44
  upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
- modified patches
  % ImageMagick-library-installable-in-parallel.patch (refreshed)
- update to 7.1.0.42:
  * incorrect pointer update when computing median @ ImageMagick/ImageMagick#5298
  * Added extra check because the flag was removed in 0.21-Beta1.
  * the -transparent-color option accepts colornames @ ImageMagick/ImageMagick#5297
  * fix MVG stroke-opacity issues
  * map channel parameter to pixel channel offset @ ImageMagick/ImageMagick#5308
  * beta release
  * preserve input depth @ ImageMagick/ImageMagick6#188
  * update to latest automake/autoconf release
  * recognize SVG file if it starts with whitespace @ ImageMagick/ImageMagick#5294
  * Removed unused stealth flag.
  * Removed used path field.
  * Removed unused target field.
  * Removed unused exempt field.
  * Added extra option to the skip spaces to the MagicInfo.
  * Always start at the start of the string when comparing the magic value.
  * cosmetic
  * avoid OMP deadlock @ ImageMagick/ImageMagick#5301
  * prevent undefined shift
  * prevent possible buffer overflow
  * correct copy/paste error
  * We need to free the stream ourselves when the call to FT_Open_Face fails.
  * Added missing call to DestroyString.
  * MVG requires seekable stream
  * Added extra malloc method to avoid early calls to the policy checks on Windows.
  * Removed defines.
  * Only check for dll's in non static build.
  * Set the client name and path earlier.
  * fix background opacity rounding @ ImageMagick/ImageMagick#5264
  * empty result on conversion from tiff to pdf @ ImageMagick/ImageMagick#5256
  * Corrected patch that was made for #5256.
  * Pass negative interline_spacing to pango
  * Also check extension to fix possible stack overflow.
  * eliminate possible buffer overflow
  * set group 4 photometric to min-is-white
  * dasharray requires non-zero values
  * eliminate compiler warning
  * only permit one rows/columns keyword
  * Moved allocation back to the correct spot to avoid bypassing SetImageExtent.
  * Also restore setting quantum_info to null.
  * eliminate uninitialized value warning
  * Make sure all text strings are freed when realloc fails.
  * Reset primitive_info inside RenderMVGContent because this address could point to another address.
  * Always check if .text is set instead.
  * eliminate uninitialized alpha pixel
  * recognize read-mask & write-mask for -channel option
  * eliminate compiler warning
  * fix scrambled image @ ImageMagick/ImageMagick#5291
  * yikes, misspelled 'level'
  * Fixed possible memory leak.
  * support floating point formats
  * initialize date:precision in private TimerComponentGenesis() method
  * check for -1 is not required
  * refactor date:precision flow
  * eliminate compiler warning
  * correct formulation of the phash normalization
  * phash normalization is conventional RMS calculation
  * only check shred count once
  * add private ShredMagickMemory() method to hide contents of memory buffers before they are relinquished
  * system:shred value has precedence over MAGICK_SHRED_PASSES
  * support shredding memory pools
  * update memory pointer
  * Silenced warning.
  * Corrected documentation.
  * first pass is fast for performance, second is cryptographically strong
  * recommend shred value of 1 for performance reasons
  * only set the # of shred passes one time
  * if enabled, shred streams
  * unmap mapped pixels
  * default mapped member to false
  * don't shred streaming pixels
  * rework shred passes
  * optimize performance
  * change per lint advisement
  * typecast per lint advisement
  * eliminate compiler warning
  * eliminate lint warnings
  * eliminate lint warnings
  * support date:timestamp property
  * eliminate lint warnings
  * set timestamp from image->timestamp member
  * eliminate lint warnings
  * support MAGICK_DATE_PRECISION and registrydateprecision defines
  * support registry:precision define
  * need at least one policy defined
  * eliminate lint warnings
  * note, system:precision is deprecated
  * eliminate icc compiler warnings
  * eliminate icc compiler warnings
  * eliminate compiler warning
  * Reverted incorrect patch when doing auto-orient of an image that is right-top or left-bottom.
  * Corrected conversion from flip to Orientation.
  ... changelog too long, skipping 22 lines ...
  * Also remove date:timestamp when stripping the image.

==== avahi ====
Subpackages: libavahi-client3 libavahi-common3 libavahi-core7

- Move the dbus-1 system.d file to /usr (bsc#1201345)

==== cockpit ====
Subpackages: cockpit-bridge cockpit-packagekit cockpit-system

- Update suse-microos-branding.patch for new /etc/os-release ID.
- Add storage-btrfs.patch to enable BTRFS use in cockpit-storage.

==== codec2 ====
Version update (1.0.3 -> 1.0.5)

- Update to version 1.0.5
  * Bump version to 1.0.5 to clearly delineate from various 1.0.4 tags,
    otherwise the same as 1.0.4_rc2
- Update to version 1.0.4
  * 2020B,
  * build system and tools maintenance.
  * This RC fixes FreeDV API backwards compatibility issue in v1.0.4

==== cups ====
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Move the dbus-1 system.d file to /usr (bsc#1201346)

==== curl ====
Version update (7.83.1 -> 7.84.0)
Subpackages: libcurl4

- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- Update to 7.84.0:
  * Security fixes:
    - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
    - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
    - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
    - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
  * Changes:
    - curl: add --rate to set max request rate per time unit
    - curl: deprecate --random-file and --egd-file
    - curl_version_info: add CURL_VERSION_THREADSAFE
    - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
    - lib: make curl_global_init() threadsafe when possible
    - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
    - opts: deprecate RANDOM_FILE and EGDSOCKET
    - socks: support unix sockets for socks proxy
  * Bugfixes:
    - aws-sigv4: fix potential NULL pointer arithmetic
    - bindlocal: don't use a random port if port number would wrap
    - c-hyper: mark status line as status for Curl_client_write()
    - ci: avoid `cmake -Hpath`
    - CI: bump FreeBSD 13.0 to 13.1
    - ci: update github actions
    - cmake: add libpsl support
    - cmake: do not add libcurl.rc to the static libcurl library
    - cmake: enable curl.rc for all Windows targets
    - cmake: fix detecting libidn2
    - cmake: support adding a suffix to the OS value
    - configure: skip libidn2 detection when winidn is used
    - configure: use the SED value to invoke sed
    - configure: warn about rustls being experimental
    - content_encoding: return error on too many compression steps
    - cookie: address secure domain overlay
    - cookie: apply limits
    - copyright.pl: parse and use .reuse/dep5 for skips
    - copyright: make repository REUSE compliant
    - curl.1: add a few see also --tls-max
    - curl.1: mention exit code zero too
    - curl: re-enable --no-remote-name
    - curl_easy_pause.3: remove explanation of progress function
    - curl_getdate.3: document that some illegal dates pass through
    - Curl_parsenetrc: don't access local pwbuf outside of scope
    - curl_url_set.3: clarify by default using known schemes only
    - CURLOPT_ALTSVC.3: document the file format
    - CURLOPT_FILETIME.3: fix the protocols this works with
    - CURLOPT_HTTPHEADER.3: improve comment in example
    - CURLOPT_NETRC.3: document the .netrc file format
    - CURLOPT_PORT.3: We discourage using this option
    - CURLOPT_RANGE.3: remove ranged upload advice
    - digest: added detection of more syntax error in server headers
    - digest: tolerate missing "realm"
    - digest: unquote realm and nonce before processing
    - DISABLED: disable 1021 for hyper again
    - docs/cmdline-opts: add copyright and license identifier to each file
    - docs/CONTRIBUTE.md: document the 'needs-votes' concept
    - docs: clarify data replacement policy for MIME API
    - doh: remove UNITTEST macro definition
    - examples/crawler.c: use the curl license
    - examples: remove fopen.c and rtsp.c
    - FAQ: Clarify Windows double quote usage
    - fopen: add Curl_fopen() for better overwriting of files
    - ftp: restore protocol state after http proxy CONNECT
    - ftp: when failing to do a secure GSSAPI login, fail hard
    - GHA/hyper: enable debug in the build
    - gssapi: improve handling of errors from gss_display_status
    - gssapi: initialize gss_buffer_desc strings
    - headers api: remove EXPERIMENTAL tag
    - http2: always debug print stream id in decimal with %u
    - http2: reject overly many push-promise headers
    - http: restore header folding behavior
    - hyper: use 'alt-used'
    - krb5: return error properly on decode errors
    - lib: make more protocol specific struct fields #ifdefed
    - libcurl-security.3: add "Secrets in memory"
    - libcurl-security.3: document CRLF header injection
    - libssh: skip the fake-close when libssh does the right thing
    - links: update dead links to the curl-wiki
    - log2changes: do not indent empty lines [ci skip]
    - macos9: remove partial support
    - Makefile.am: fix portability issues
    - Makefile.m32: delete obsolete options, improve -On [ci skip]
    - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
    - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
    - max-time.d: clarify max-time sets max transfer time
    - mprintf: ignore clang non-literal format string
    - netrc: check %USERPROFILE% as well on Windows
    - netrc: support quoted strings
    - ngtcp2: allow curl to send larger UDP datagrams
    - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
    - ngtcp2: enable Linux GSO
    - ngtcp2: extend QUIC transport parameters buffer
    - ngtcp2: fix alert_read_func return value
    - ngtcp2: fix typo in preprocessor condition
    - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
    - ngtcp2: send appropriate connection close error code
    - ngtcp2: support boringssl crypto backend
    - ngtcp2: use helper funcs to simplify TLS handshake integration
    - ntlm: provide a fixed fake host name
    - projects: fix third-party SSL library build paths for Visual Studio
    ... changelog too long, skipping 40 lines ...
    - x509asn1: mark msnprintf return as unchecked

==== gpg2 ====
Version update (2.3.6 -> 2.3.7)
Subpackages: dirmngr

- GnuPG 2.3.7:
  * CVE-2022-34903: garbled status messages could trick gpgme
    and other parsers to accept faked status lines [boo#1201225]
  * A number of bug fixes to the gpg command line interface
  * gpgsm gained a number of new options and got some rework on
    the PKCS#12 parser to support DFN issues keys
  * The gpg agent got some added options and UI tweaks
  * smart card support got a number of bug fixes, and improved
    support for Technology Nexus cards and Yubikey
  * The Telesec ESIGN application is now supported

==== kdump ====
Version update (1.0.2+git13.ge715180 -> 1.0.2+git17.g491c742)

- fix network-related dracut options handling for fadump case
- drop the elevator=deadline kernel option (bsc#1193211)
- fix broken URL in manpage (bsc#1187312)

==== kernel-firmware ====
Version update (20220622 -> 20220714)
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network

- Update to version 20220714 (git commit 84661a3ba62f):
  * amdgpu: update DMCUB firmware for DCN 3.1.6
  * WHENCE: Correct dangling symlinks
  * Correct WHENCE entry for wfx firmware
  * bnx2: Drop unsupported Broadcom NetXtremeII firmware
  * bnx2: drop unsupported firmwares
  * bnx2: sort firmware names in filesystem order
  * Remove old Broadcom Everest (bnx2x) v4/5 firmware
  * drop Token Ring network firmwares
  * Drop TDA7706 radio firmware
  * Drop Intel WiMax firmware
  * Drop Computone IntelliPort Plus serial firmware
  * Drop ATM Ambassador devices firmware
  * brocade: drop old unsupported firmware revs
  * amdgpu: update yellow carp DMCUB firmware
  * linux-firmware: update firmware for MT7622 WiFi device
  * linux-firmware: update firmware for MT7922 WiFi device
  * linux-firmware: update firmware for mediatek bluetooth chip (MT7922)
  * linux-firmware: Update firmware file for Intel Bluetooth 9462
  * linux-firmware: Update firmware file for Intel Bluetooth 9462
  * linux-firmware: Update firmware file for Intel Bluetooth 9560
  * linux-firmware: Update firmware file for Intel Bluetooth 9560
  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * linux-firmware: Update firmware file for Intel Bluetooth AX211
  * linux-firmware: Update firmware file for Intel Bluetooth AX211
  * linux-firmware: Update firmware file for Intel Bluetooth AX210
  * linux-firmware: Update firmware file for Intel Bluetooth AX200
  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * mediatek: Add SCP firmware for MT8186
  * rtw88: 8822c: Update normal firmware to v9.9.13
  * rtw88: 8822c: Update normal firmware to v9.9.12
- Drop obsoleted temporary patches:
  wfx-WHENCE-fix.diff
  brcm-symlink-fixes.diff
- Minor update of README.build
- Fix missing aliases for qlogic (bsc#1200889)

==== libcap ====
Version update (2.64 -> 2.65)

- update to 2.65:
  * Fix syntax error in DEBUG build of protected code in setcap.c.
  * Prevent bash from reading the wrong startup files when the
    capsh --user=xxx argument is used to invoke a shell as the user xxx.
    This is done by capsh now changing the USER and HOME environment
    variables when --user is specified. The argument --noenv can be used
    to suppress this behavior to what used to be the problematic default.
    (Bug: 215926)
  * Improved documentation

==== libdmtx ====
Version update (0.7.5 -> 0.7.7)

- update to 0.7.7:
  * bug 9: Prevent edifact barcode encoding '31' from user input
  * fix compiler warnings and build errors
  * properly handle error when decoding Base256 scheme
  * remove dead and irrelevant links in the README
  * Add validity checks in DecodeSchemeAscii()
  * Declare variables in DecodeSchemeAscii() locally.
  * Implement RsFindErrorLocatorPoly fix from shm0nya
- drop libdmtx-DmtxPropRowPadBytes.patch (upstream)

==== libnettle ====
Version update (3.8 -> 3.8.1)
Subpackages: libhogweed6 libnettle8

- update to 3.8.1:
  * Avoid non-posix m4 argument references in the chacha
    implementation for arm64, powerpc64 and s390x. Reported by
    Christian Weisgerber, fix contributed by Mamone Tarsha.
  * Use explicit .machine pseudo-ops where needed in s390x
    assembly files. Bug report by Andreas K. Huettel, fix
    contributed by Mamone Tarsha.

==== libstorage-ng ====
Version update (4.5.31 -> 4.5.33)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#892
- continue flushing pending holders if a device cannot be found
  (see bsc#1201880)
- coding style
- removed unneeded mockups
- 4.5.33
- Translated using Weblate (Czech) (bsc#1149754)
- 4.5.32

==== libuv ====
Version update (1.44.1 -> 1.44.2)

- update to 1.44.2:
  * Add SHA to ChangeLog
  * aix, ibmi: handle server hang when remote sends TCP RST
  * process: reset the signal mask if the fork fails
  * zos: implement cmpxchgi() using assembly
  * ibmi: Implement UDP disconnect
  * unix: simplify getpwuid call
  * process,iOS: fix build breakage in process.c
  * test: remove unused declarations in tcp_rst test
  * core: add thread-safe strtok implementation
  * test: fix flaky file watcher test
  * unix,win: fix UV_RUN_ONCE + uv_idle_stop loop hang
  * win: fix unexpected ECONNRESET error on TCP socket
  * doc: make sample cross-platform build
  * test: separate some static variables by test cases
  * sunos: fs-event callback can be called after uv_close()
  * uv: re-register interest in a file after change
  * uv: register UV_RENAME event for _RFIM_UNLINK
  * uv: register __rfim_event 156 as UV_RENAME
  * release: check versions of autogen scripts are newer
  * test: rewrite embed test
  * unix: use MSG_CMSG_CLOEXEC where supported
  * test: remove disabled callback_order test
  * kqueue: skip EVFILT_PROC when invalidating fds
  * zos: don't err when killing a zombie process
  * zos: avoid fs event callbacks after uv_close()
  * zos: correctly format interface addresses names
  * zos: add uv_interface_addresses() netmask support
  * zos: improve memory management of ip addresses
  * tcp,pipe: fail `bind` or `listen` after `close`
  * zos: implement uv_available_parallelism()
  * udp,win: fix UDP compiler warning
  * zos: fix early exit of epoll_wait()
  * unix,tcp: fix errno handling in uv__tcp_bind()
  * shutdown,unix: reduce code duplication
  * unix: fix c99 comments
  * unix: retry tcgetattr/tcsetattr() on EINTR
  * unix,stream: optimize uv_shutdown() codepath
  * unix,tcp: allow EINVAL errno from setsockopt in uv_tcp_close_reset()
  * win,shutdown: improve how shutdown is dispatched

==== perl ====
Subpackages: perl-base

- fix build on ppc
  * updated patch: perl_skip_flaky_tests_powerpc.patch

==== polkit ====
Subpackages: libpolkit-agent-1-0 libpolkit-gobject-1-0 typelib-1_0-Polkit-1_0

- split out pkexec into separate package to make system hardening
  easier (to avoid installing it jsc#PED-132 jsc#PED-148).

==== poppler ====
Version update (22.06.0 -> 22.07.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 libpoppler122 poppler-tools

- update to 22.07.0:
  * Fix crash when filling in forms in some files. Issue #1258
  * Fix first lines of Annotations sometimes being cut off. Issue #1246
  * Signatures: Don't crash if the signature doesn't have a common name
  * CairoFontEngine: increment font_face reference when retrieving from the cache
  * Add ToUnicode support for lessorequalslant and greaterorequalslant
  glib:
  * Add support for stamp annotation
- add gpg keyring validation for the release tarball
- drop da226d346e691f7545d995d6761d43e08855a3b7.patch (upstream)
- Add da226d346e691f7545d995d6761d43e08855a3b7.patch --
  CairoFontEngine: increment font_face reference when retrieving
  from the cache; this fixes crashes with certain pdfs
  [glgo#GNOME/evince#1808, glfo#poppler/poppler#1212].

==== poppler-qt5 ====
Version update (22.06.0 -> 22.07.0)

- update to 22.07.0:
  * Fix crash when filling in forms in some files. Issue #1258
  * Fix first lines of Annotations sometimes being cut off. Issue #1246
  * Signatures: Don't crash if the signature doesn't have a common name
  * CairoFontEngine: increment font_face reference when retrieving from the cache
  * Add ToUnicode support for lessorequalslant and greaterorequalslant
  glib:
  * Add support for stamp annotation
- add gpg keyring validation for the release tarball
- drop da226d346e691f7545d995d6761d43e08855a3b7.patch (upstream)
- Add da226d346e691f7545d995d6761d43e08855a3b7.patch --
  CairoFontEngine: increment font_face reference when retrieving
  from the cache; this fixes crashes with certain pdfs
  [glgo#GNOME/evince#1808, glfo#poppler/poppler#1212].

==== redis ====
Version update (7.0.3 -> 7.0.4)

- Security update to version 7.0.4 (CVE-2022-31144)
  A specially crafted XAUTOCLAIM command on a stream key in a
  specific state may result with heap overflow, and potentially
  remote code execution. The problem affects Redis versions 7.0.0
  or newer.

==== shim ====

- Change the URL in SBAT section to mail:security@suse.de.
  (bsc#1193282)
- Revoked the change in shim.spec for "use common SBAT values
  (boo#1193282)"
  - we need to build openSUSE Tumbleweed's shim on Leap 15.4
    because Factory is unstable for building out a stable shim
    binary for signing. (bsc#1198458)
  - But the rpm-config-suse package in Leap 15.4 is direct copied
    from SLE 15.4 because closing-the-leap-gap. So sbat_distro_*
    variables are SLE version, not for openSUSE. (bsc#1198458)

==== yast2-bootloader ====
Version update (4.5.1 -> 4.5.2)

- Execute the command grub2-mkpasswd-pbkdf2 in the target system
  so the module can run in a minimal container (bsc#1199840).
- 4.5.2