Packages changed:
  MozillaFirefox
  bind
  brasero
  freerdp
  kernel-source (5.16.1 -> 5.16.2)
  mozilla-nss (3.73.1 -> 3.74)
  paprefs (1.1 -> 1.2)
  patterns-gnome
  pciutils
  python-py (1.10.0 -> 1.11.0)
  python-xarray
  rsyslog
  samba (4.15.3+git.219.40cc1cd8591 -> 4.15.4+git.224.dea2f6dc836)
  selinux-policy (20211111 -> 20220124)
  vim (8.2.4063 -> 8.2.4186)
  vsftpd
  wpa_supplicant (2.9 -> 2.10)
  xf86-input-libinput (1.2.0 -> 1.2.1)
  xlockmore (5.67 -> 5.68)

=== Details ===

==== MozillaFirefox ====
Subpackages: MozillaFirefox-translations-common

- Enable -fimplicit-constexpr for GCC 12+.

==== bind ====
Subpackages: bind-doc bind-utils python3-bind

- Add now working CONFIG parameter to sysusers generator

==== brasero ====
Subpackages: libbrasero-burn3-1 libbrasero-media3-1 libbrasero-utils3-1

- Add 9b3f451e72cfa3bac700517a036faab61f683b3f.patch:
  libbrasero-media: Fix duplicated if.
- Disable nautilus integration for now, does not work with gtk4
  based nautilus. Disable pkgconfig(libnautilus-extension)
  BuildRequires and pass disable-nautilus to configure via bcond.
- Modernize post(un) handling and Supplements, use
  ldconfig_scriptlets macro.

==== freerdp ====
Subpackages: libfreerdp2-2 libwinpr2-2

- Enable FFmpeg support for Leap-15.2+

==== kernel-source ====
Version update (5.16.1 -> 5.16.2)
Subpackages: kernel-default kernel-docs

- Update
  patches.kernel.org/5.16.2-005-vfs-fs_context-fix-up-param-length-parsing-in-.patch
  (bsc#1012628 CVE-2022-0185 bsc#1194517). Add CVE reference.
- commit 0d710a8
- s390/mm: fix 2KB pgtable release race (bsc#1188896).
- commit 6f62d73
- HID: wacom: Avoid using stale array indicies to read contact count
  (bsc#1194667).
- HID: wacom: Ignore the confidence flag when a touch is removed
  (bsc#1194667).
- HID: wacom: Reset expected and received contact counts at the same
  time (bsc#1194667).
- commit 07a970c
- Linux 5.16.2 (bsc#1012628).
- ALSA: hda/realtek: Re-order quirk entries for Lenovo (bsc#1012628).
- ALSA: hda/realtek: Add quirk for Legion Y9000X 2020 (bsc#1012628).
- ALSA: hda/tegra: Fix Tegra194 HDA reset failure (bsc#1012628).
- ALSA: hda: ALC287: Add Lenovo IdeaPad Slim 9i 14ITL5 speaker quirk
  (bsc#1012628).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
  after reboot from Windows (bsc#1012628).
- ALSA: hda/realtek: Use ALC285_FIXUP_HP_GPIO_LED on another HP laptop
  (bsc#1012628).
- ALSA: hda/realtek: Add speaker fixup for some Yoga 15ITL5 devices
  (bsc#1012628).
- perf annotate: Avoid TUI crash when navigating in the annotation of
  recursive functions (bsc#1012628).
- firmware: qemu_fw_cfg: fix kobject leak in probe error path
  (bsc#1012628).
- firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  (bsc#1012628).
- firmware: qemu_fw_cfg: fix sysfs information leak (bsc#1012628).
- rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore()
  with interrupts enabled (bsc#1012628).
- media: uvcvideo: fix division by zero at stream start (bsc#1012628).
- video: vga16fb: Only probe for EGA and VGA 16 color graphic cards
  (bsc#1012628).
- 9p: fix enodata when reading growing file (bsc#1012628).
- 9p: only copy valid iattrs in 9P2000.L setattr implementation
  (bsc#1012628).
- NFSD: Fix zero-length NFSv3 WRITEs (bsc#1012628).
- remoteproc: qcom: pas: Add missing power-domain "mxc" for CDSP
  (bsc#1012628).
- KVM: s390: Clarify SIGP orders versus STOP/RESTART (bsc#1012628).
- KVM: x86: don't print when fail to read/write pv eoi memory
  (bsc#1012628).
- KVM: x86: Register Processor Trace interrupt hook iff PT enabled in
  guest (bsc#1012628).
- KVM: x86: Register perf callbacks after calling vendor's
  hardware_setup() (bsc#1012628).
- perf: Protect perf_guest_cbs with RCU (bsc#1012628).
- vfs: fs_context: fix up param length parsing in legacy_parse_param
  (bsc#1012628).
- remoteproc: qcom: pil_info: Don't memcpy_toio more than is provided
  (bsc#1012628).
- orangefs: Fix the size of a memory allocation in
  orangefs_bufmap_alloc() (bsc#1012628).
- drm/amd/display: explicitly set is_dsc_supported to false before use
  (bsc#1012628).
- devtmpfs regression fix: reconfigure on each mount (bsc#1012628).
- commit 6fa29ec
- kernel-binary.spec: Do not use the default certificate path
  (bsc#1194943).
  Using the default path is broken since Linux 5.17
- commit 68b36f0
- disable the Bluetooth patch again
  The kernel is currently tested whether the patch is needed at all.
  As 95655456e7ce in upstream might fix the issue too (but differently).
- commit c3bbaae
- series.conf: cleanup
  - move mainline patches into sorted section:
    - patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch
    - patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch
    - patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch
  - update upstream references and move into sorted section:
    - patches.suse/ALSA-usb-audio-Add-minimal-mute-notion-in-dB-mapping.patch
    - patches.suse/ALSA-usb-audio-Fix-dB-level-of-Bose-Revolve-SoundLin.patch
    - patches.suse/ALSA-usb-audio-Use-int-for-dB-map-values.patch
  No effect on expanded tree.
- commit 607f978
- Refresh and reenable
  patches.suse/Bluetooth-Apply-initial-command-workaround-for-more-.patch.
- commit a7b7c0d
- series.conf: Add sorted section header/footer
  Even though we don't carry many patches in the stable or master
  branches, having the sorted section header/footer allows the
  automated tools to work.
- commit 05f8150

==== mozilla-nss ====
Version update (3.73.1 -> 3.74)
Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs mozilla-nss-tools

- update to NSS 3.74
  * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)

==== paprefs ====
Version update (1.1 -> 1.2)
Subpackages: paprefs-lang

- Update to version 1.2:
  + Compatibility with PulseAudio 16.0 module paths
  + Crash bug fix
  + Updated translations.

==== patterns-gnome ====
Subpackages: patterns-gnome-gnome patterns-gnome-gnome_basic patterns-gnome-gnome_basis patterns-gnome-gnome_basis_opt patterns-gnome-gnome_games patterns-gnome-gnome_imaging patterns-gnome-gnome_internet patterns-gnome-gnome_multimedia patterns-gnome-gnome_office patterns-gnome-gnome_utilities patterns-gnome-gnome_x11 patterns-gnome-gnome_yast patterns-gnome-sw_management_gnome

- Do not require gnome-packagekit by gnome_x11: we have a specific
  sw_management_gnome pattern, which supplements the generic
  sw_management plus the basic gnome pattern, and that's where we
  also should (and do) recommend gnome-packagekit.
- Do not recommend speech-dispatcher-module-espeak: we recommend
  speech-dispatcher, the rest is handled by dependencies from the
  packages (recommends and supplements).
- No longer recommend gnome-menus: GNOME 3 is not using menu
  structures. This package is used by extension-classic, and if
  that extension is installed, gnome-menus comes in as a dep.
- Stop recommending samba: samba is the server, which makes no
  sense to be recommended by the desktop pattern.

==== pciutils ====
Subpackages: libpci3

- Set sbindir to /usr/bin to fix Steam issues
  (rh#1858437, gh#ValveSoftware/steam-for-linux#3306)
- Add symlinks from /usr/sbin to /usr/bin

==== python-py ====
Version update (1.10.0 -> 1.11.0)

- update to 1.11.0:
  * Support Python 3.11
  * Support ``NO_COLOR`` environment variable
  * Update vendored apipkg: 1.5 => 2.0

==== python-xarray ====

- Don't test with dask and distributed in python310: not supported yet

==== rsyslog ====

- add service dependencies for remote logging (bsc#1194669)
- update config example in remote.conf to match upstream documentation

==== samba ====
Version update (4.15.3+git.219.40cc1cd8591 -> 4.15.4+git.224.dea2f6dc836)
Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-client samba-client-32bit samba-client-libs samba-client-libs-32bit samba-doc samba-gpupdate samba-ldb-ldap samba-libs samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs samba-winbind-libs-32bit

- Update to 4.15.4
  * Duplicate SMB file_ids leading to Windows client cache
    poisoning; (bso#14928);
  * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
    NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
  * kill_tcp_connections does not work; (bso#14934);
  * Can't connect to Windows shares not requiring authentication
    using KDE/Gnome; (bso#14935);
  * smbclient -L doesn't set "client max protocol" to NT1 before
    calling the "Reconnecting with SMB1 for workgroup listing"
    path; (bso#14939);
  * Cross device copy of the crossrename module always fails;
    (bso#14940);
  * symlinkat function from VFS cap module always fails with an
    error; (bso#14941);
  * Fix possible fsp pointer deference; (bso#14942);
  * Missing pop_sec_ctx() in error path inside close_directory();
    (bso#14944);
  * "smbd --build-options" no longer works without an smb.conf file;
    (bso#14945);

==== selinux-policy ====
Version update (20211111 -> 20220124)
Subpackages: selinux-policy-targeted

- Update to version 20220124.
  Refreshed:
  * fix_hadoop.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling
  (bsc#1193987)

==== vim ====
Version update (8.2.4063 -> 8.2.4186)
Subpackages: gvim vim-data vim-data-common

- Updated to version 8.2.4186, fixes the following problems
  * Vim9: exported function in autoload script not found. (Yegappan Lakshmanan)
  * Foam files are not detected.
  * Computation overflow with large count for :yank.
  * Vim9: imported autoload script loaded again.
  * Vim9: cannot call imported function with :call. (Drew Vogel)
  * Vim9: import test fails.
  * Vim9: import test fails on MS-Windows.
  * Using uninitialized memory when reading empty file.
  * Vim9: no detection of return in try/endtry. (Dominique Pellé)
  * Vim9: compiling function fails when autoload script is not loaded yet.
  * Coverity warns for using NULL pointer.
  * Going over the end of NameBuff.
  * Test failures.
  * Memory leak in autoload import.
  * Not all Libsensors files are recognized.
  * Terminal test for current directory not used on FreeBSD.
  * MS-Windows: "gvim --version" didn't work when build with VIMDLL.
  * Not sufficient test coverage for xxd.
  * CodeQL reports problem in if_cscope causing it to fail.
  * Check for autoload file name and prefix fails. (Christian J. Robinson)
  * Vim9: no test for "vim9script autoload' and using script variable in the same script.
  * Memory leak when looking for autoload prefixed variable.
  * Vim9: no test for using import in legacy script.
  * "cctx" argument of find_func_even_dead() is unused.
  * Cannot test items from an autoload script easily.
  * Xxd cannot output everything in one line.
  * Terminal test for current directory fails on FreeBSD.
  * After restoring a session buffer order can be quite different.
  * Virtcol is recomputed for statusline unnecessarily.
  * MacOS CI: unnecessarily doing "Install packages".
  * Cached breakindent values not initialized properly.
  * 'virtualedit' is window-local but using buffer-local enum.
  * Sed script not recognized by the first line.
  * Linux CI: unnecessarily installing packages
  * Wrong number in error message on 32 bit system. (John Paul Adrian Glaubitz)
  * Typing "interrupt" at debug prompt may keep exception around, causing function calls to fail.
  * Vim9: cannot use Vim9 syntax in mapping.
  * Early return when getting the 'formatlistpat' value.
  * Warning for unused argument in tiny version.
  * Vim9: import cannot be used after method.
  * Vim9: variable declared in for loop not initialized.
  * Vim9: lower casing the autoload prefix causes problems.
  * Translation related comment in the wrong place.
  * Going over the end of the w_lines array.
  * Script context not restored after using .
  * Going over the end of the w_lines array.
  * MS-Windows: high dpi support is outdated.
  * Coverity warns for using NULL pointer.
  * Potential problem when map is deleted while executing.
  * Function not deleted at end of test.
  * Typo on DOCMD_RANGEOK results in not recognizing command.
  * Vim9: type checking for a funcref does not work for when it is used in a method.
  * Cannot use a method with a complex expression.
  * Vim9: cannot use a method with a complex expression in a :def function.
  * Vim9: wrong white space error after using imported item.
  * Using UNUSED for argument that is used.
  * Build failure when disabling the channel feature.
  * Block insert goes over the end of the line.
  * Visual test fails on MS-Windows.
  * ":command Cmd" does not show custom completion argument.
  * Complete function cannot be import.Name.
  * Vim9: method in compiled function may not see script item.
  * Completion tests fail.
  * Crash on exit when built with dynamic Tcl and EXITFREE is defined. (Dominique Pellé)
  * Build failure without the +eval feature.
  * Crash when method cannot be found. (Christian J. Robinson)
  * Building with +sound but without +eval fails. (Dominique Pellé)
  * MS-Windows: MSVC build may have libraries duplicated.
  * Vim9: calling function in autoload import does not work in a :def function.
  * Vim9: wrong error message when autoload script can't be found.
  * output of ":scriptnames" goes into the message history, while this does not happen for other commands, such as ":ls".
  * MS-Windows: test for import with absolute path fails.
  * Vim9: ":scriptnames" shows unloaded imported autoload script.
  * Vim9: the "autoload" argument of ":vim9script" is not useful.
  * Vim9: calling import with and without method is inconsistent.
  * Vim9: no error for return with argument when the function does not return anything.
  * Using freed memory if an expression abbreviation deletes the abbreviation.
  * maparg() does not indicate the type of script where it was defined.
  * Vim9 builtin functions test fails.
  * Build failure with normal features without persistent undo.
  * MS-Windows: IME support for Win9x is obsolete.
  * Cannot load libsodium dynamically.
  * Confusing error when using name of import for a function.
  * Vim9: shadowed function can be used in compiled function but not at script level.
  * E464 does not always include the offending command.
  * Deleting any mapping may cause to not set the script context.
  * Test override not restored, autocommand left behind.
  * Coverity warns for using pointer after free.
  * Reading beyond the end of a line.
  * Block insert with double wide character fails.
  * MS-Windows: Global IME is no longer supported.
  * ml_get error when exchanging windows in Visual mode.
  * Translating strftime() argument results in check error.
  * Fileinfo message overwrites echo'ed message.
  * Terminal test fails because Windows sets the title.
  * MS-Windows: memory leak in :browse.
  * MS-Windows: _WndProc() is very long.
  * Cannot change the register used for Select mode delete.
  * Vim9: warning for missing white space after imported variable.
  * Vim9: no error for redefining function with export.
  * No error for omitting function name after autoload prefix.
  * Error in legacy code for function shadowing variable.
  * The nv_g_cmd() function is too long.
  * Undo synced when switching buffer in another window.
  * Vim9: error message for old style import.
  * Disallowing empty function name breaks existing plugins.
  * MS-Windows: unnecessary casts and other minor things.
  * MS-Windows: still using old message API calls.
  * Cannot invoke option function using autoload import.
  * Filetype detection for BASIC is not optimal.
  * Cannot use an import in 'foldexpr'.
  * Vim9: can use an autoload name in normal script.
  * MS-Windows: runtime check for multi-line balloon is obsolete.
  * Vim9: cannot use imported function with call().
  * Vim9: autoload script not loaded after "vim9script noclear".
  * Vim9: invalid error for return type of lambda when debugging.
  * 'foldtext' is evaluated in the current script context.
  * 'balloonexpr' is evaluated in the current script context.
  * Vim9: cannot use an import in 'diffexpr'.
  * Memory leak when evaluating 'diffexpr'.
  * Cannot use an import in 'formatexpr'.
  * Cannot use an import in 'includeexpr'.
  * Cannot use an import in 'indentexpr'.
  * Cannot use an import in 'patchexpr'.

==== vsftpd ====

- Added hardening to systemd service(s) (bsc#1181400).
  Modified:
  * vsftpd.service

==== wpa_supplicant ====
Version update (2.9 -> 2.10)
Subpackages: wpa_supplicant-gui

- update to 2.10.0:
  * SAE changes
    - improved protection against side channel attacks
      [https://w1.fi/security/2022-1/]
    - added support for the hash-to-element mechanism (sae_pwe=1 or
      sae_pwe=2); this is currently disabled by default, but will likely
      get enabled by default in the future
    - fixed PMKSA caching with OKC
    - added support for SAE-PK
  * EAP-pwd changes
    - improved protection against side channel attacks
      [https://w1.fi/security/2022-1/]
  * fixed P2P provision discovery processing of a specially constructed
    invalid frame
    [https://w1.fi/security/2021-1/]
  * fixed P2P group information processing of a specially constructed
    invalid frame
    [https://w1.fi/security/2020-2/]
  * fixed PMF disconnection protection bypass in AP mode
    [https://w1.fi/security/2019-7/]
  * added support for using OpenSSL 3.0
  * increased the maximum number of EAP message exchanges (mainly to
    support cases with very large certificates)
  * fixed various issues in experimental support for EAP-TEAP peer
  * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
  * a number of MKA/MACsec fixes and extensions
  * added support for SAE (WPA3-Personal) AP mode configuration
  * added P2P support for EDMG (IEEE 802.11ay) channels
  * fixed EAP-FAST peer with TLS GCM/CCM ciphers
  * improved throughput estimation and BSS selection
  * dropped support for libnl 1.1
  * added support for nl80211 control port for EAPOL frame TX/RX
  * fixed OWE key derivation with groups 20 and 21; this breaks backwards
    compatibility for these groups while the default group 19 remains
    backwards compatible
  * added support for Beacon protection
  * added support for Extended Key ID for pairwise keys
  * removed WEP support from the default build (CONFIG_WEP=y can be used
    to enable it, if really needed)
  * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
  * added support for Transition Disable mechanism to allow the
    AP to automatically disable transition mode to improve security
  * extended D-Bus interface
  * added support for PASN
  * added a file-based backend for external password storage to allow
    secret information to be moved away from the main configuration
    file without requiring external tools
  * added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
  * added support for SCS, MSCS, DSCP policy
  * changed driver interface selection to default to automatic fallback
    to other compiled in options
  * a large number of other fixes, cleanup, and extensions
- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch,
  CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch: upstream
- refresh config from 2.10 defconfig, re-enable CONFIG_WEP

==== xf86-input-libinput ====
Version update (1.2.0 -> 1.2.1)

- Enable tarball sig url too, verify tarball via keyring.
- Update to version 1.2.1
  * few typos and misc minor fixes
  * property added to turn off new high-resolution wheel scrolling API

==== xlockmore ====
Version update (5.67 -> 5.68)

- update to 5.68:
  * Updated xscreensaver port for xscreensaver-6.02.
  * Various NetBSD install issues fixed including config.cygport.
  * pam vulnerability patch added thanks to Elmar Hoffmann,
    elho AT elho.net. Card vulnerability may remain, see README.
  * module fixes for deluxe, eyes, starfish, swirl, text3d2,
    module use is still experimental.
  * biof mode removed again (though was not building by default).