Packages changed: ImageMagick (7.1.1.20 -> 7.1.1.21) adobe-sourcehanserif-fonts (2.001 -> 2.002) aria2 (1.36.0 -> 1.37.0) dhcp kernel-source (6.6.1 -> 6.6.2) libX11 libfido2 (1.13.0 -> 1.14.0) librdkafka (2.1.1 -> 2.3.0) llvm17 (17.0.4 -> 17.0.5) mcelog (195 -> 196) mdadm openvpn (2.6.7 -> 2.6.8) ovmf xen yast2-trans (84.87.20231104.b73ad6fbc9 -> 84.87.20231117.f12231d4de) === Details === ==== ImageMagick ==== Version update (7.1.1.20 -> 7.1.1.21) Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - version update to 7.1.1.21 https://github.com/ImageMagick/Website/blob/main/ChangeLog.md - modified patches [bsc#1217014][bsc#1216811] % ImageMagick-s390x-disable-tests.patch (refreshed) - deleted patches - ImageMagick-correct-time-to-live.patch (upstreamed) - added patches https://github.com/ImageMagick/ImageMagick/commit/8f3c56fabc619c1672865257e5aafe33cbfaaf3e https://github.com/ImageMagick/ImageMagick/commit/3a7b915d9a810ce742987b37c935f6ae8b36df10 + ImageMagick-infinite-resource-time-limit.patch ==== adobe-sourcehanserif-fonts ==== Version update (2.001 -> 2.002) Subpackages: adobe-sourcehanserif-cn-fonts adobe-sourcehanserif-tw-fonts - Remove old specfile constructs, update descriptions - Update to 2.002R * The copyright year was changed to “2017–2023.” * Addition of ㋿ Square Era Name Reiwa uni32FF-JP was omitted in previous release notes Issue #163. * The following glyphs were added to support GB 18030 2022 Implementation Level 2: uni4DB6-CN, uni4DB7-CN, uni4DB8-CN, uni4DBA-CN, uni4DBB-CN, uni4DBC-CN, uni4DBD-CN, uni4DBE-CN, uni4DBF-CN, uni5CB8-JP, uni9FEB-CN, uni9FEB-TW, uni9FEC-CN, uni9FED-CN, uni9FEE-JP, uni9FEF-JP, uni9FF0-CN, uni9FF1-CN, uni9FF2-CN, uni9FF3-CN, uni9FF4-CN, uni9FF5-CN, uni9FF6-CN, uni9FF7-CN, uni9FF8-CN, uni9FF9-CN, uni9FFA-CN, uni9FFB-CN, uni9FFC-CN, uni9FFD-CN, uni9FFE-CN, and uni9FFF-CN. * Fixed aj16-kanji.txt per Issue #125. * Fixed position of uni309B-V and uni309C-V per Issue #157. * Fixed HK mapping for U+752D 甭 per Issue #159. * Fixed CN mapping for U+5141 允 and U+535A 博 per Issue #162. * Remapped TW glyph for U+7239 爹 per Issue #167. * Restored JP glyph for U+5CB8 岸 per Issue #169. * Fixed mapping for U+F9DC 隆 per Issue #165. * Fixed interpolation bug in uni2299 ⊙ per Issue #181. * Fixed interpolation bugs in uni4B4C-CN 䭌 and uni4B55-CN 䭕 per Issue #193. ==== aria2 ==== Version update (1.36.0 -> 1.37.0) Subpackages: aria2-lang libaria2-0 - Update to version 1.37.0 * Fix header in --http-accept-gzip documentation * Allow empty dist name in bencode which is needed for hybrid torrent * Fix undefined behavior/crash in GZipEncoder * Fix Metalink4 parsing with foreign namespaces * fix wrong dht.dat binary file structure in docs * Increase ByteArrayDiskWriter maximum size * Logger: Fix format string overflow in writeHeader() * Cap infoHashLength in .aria2 file * Various documentation fixes and rewords ==== dhcp ==== Subpackages: dhcp-relay dhcp-server - Remove dhclient-script (boo#1216822). ==== kernel-source ==== Version update (6.6.1 -> 6.6.2) - Linux 6.6.2 (bsc#1012628). - hwmon: (nct6775) Fix incorrect variable reuse in fan_div calculation (bsc#1012628). - numa: Generalize numa_map_to_online_node() (bsc#1012628). - sched/topology: Fix sched_numa_find_nth_cpu() in CPU-less case (bsc#1012628). - sched/topology: Fix sched_numa_find_nth_cpu() in non-NUMA case (bsc#1012628). - sched/fair: Fix cfs_rq_is_decayed() on !SMP (bsc#1012628). - iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user() (bsc#1012628). - sched/uclamp: Set max_spare_cap_cpu even if max_spare_cap is 0 (bsc#1012628). - sched/uclamp: Ignore (util == 0) optimization in feec() when p_util_max = 0 (bsc#1012628). - objtool: Propagate early errors (bsc#1012628). - sched: Fix stop_one_cpu_nowait() vs hotplug (bsc#1012628). - nfsd: Handle EOPENSTALE correctly in the filecache (bsc#1012628). - vfs: fix readahead(2) on block devices (bsc#1012628). - writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs (bsc#1012628). - x86/srso: Fix SBPB enablement for (possible) future fixed HW (bsc#1012628). - x86/srso: Print mitigation for retbleed IBPB case (bsc#1012628). - x86/srso: Fix vulnerability reporting for missing microcode (bsc#1012628). - x86/srso: Fix unret validation dependencies (bsc#1012628). - futex: Don't include process MM in futex key on no-MMU (bsc#1012628). - x86/numa: Introduce numa_fill_memblks() (bsc#1012628). - ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window (bsc#1012628). - cgroup/cpuset: Fix load balance state in update_partition_sd_lb() (bsc#1012628). - x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot (bsc#1012628). - x86/boot: Fix incorrect startup_gdt_descr.size (bsc#1012628). - cpu/SMT: Make SMT control more robust against enumeration failures (bsc#1012628). - x86/apic: Fake primary thread mask for XEN/PV (bsc#1012628). - srcu: Fix callbacks acceleration mishandling (bsc#1012628). - drivers/clocksource/timer-ti-dm: Don't call clk_get_rate() in stop function (bsc#1012628). - x86/nmi: Fix out-of-order NMI nesting checks & false positive warning (bsc#1012628). - pstore/platform: Add check for kstrdup (bsc#1012628). - perf: Optimize perf_cgroup_switch() (bsc#1012628). - selftests/x86/lam: Zero out buffer for readlink() (bsc#1012628). - PCI/MSI: Provide stubs for IMS functions (bsc#1012628). - string: Adjust strtomem() logic to allow for smaller sources (bsc#1012628). - genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() (bsc#1012628). - irqchip/sifive-plic: Fix syscore registration for multi-socket systems (bsc#1012628). - wifi: ath12k: fix undefined behavior with __fls in dp (bsc#1012628). - wifi: cfg80211: add flush functions for wiphy work (bsc#1012628). - wifi: mac80211: move radar detect work to wiphy work (bsc#1012628). - wifi: mac80211: move scan work to wiphy work (bsc#1012628). - wifi: mac80211: move offchannel works to wiphy work (bsc#1012628). - wifi: mac80211: move sched-scan stop work to wiphy work (bsc#1012628). - wifi: mac80211: fix RCU usage warning in mesh fast-xmit (bsc#1012628). - wifi: cfg80211: fix off-by-one in element defrag (bsc#1012628). - wifi: mac80211: fix # of MSDU in A-MSDU calculation (bsc#1012628). - wifi: iwlwifi: honor the enable_ini value (bsc#1012628). - wifi: iwlwifi: don't use an uninitialized variable (bsc#1012628). - i40e: fix potential memory leaks in i40e_remove() (bsc#1012628). - iavf: Fix promiscuous mode configuration flow messages (bsc#1012628). - selftests/bpf: Correct map_fd to data_fd in tailcalls (bsc#1012628). - bpf, x64: Fix tailcall infinite loop (bsc#1012628). - wifi: cfg80211: fix kernel-doc for wiphy_delayed_work_flush() (bsc#1012628). - udp: introduce udp->udp_flags (bsc#1012628). - udp: move udp->no_check6_tx to udp->udp_flags (bsc#1012628). - udp: move udp->no_check6_rx to udp->udp_flags (bsc#1012628). - udp: move udp->gro_enabled to udp->udp_flags (bsc#1012628). - udp: add missing WRITE_ONCE() around up->encap_rcv (bsc#1012628). - udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags (bsc#1012628). - udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO (bsc#1012628). - udp: annotate data-races around udp->encap_type (bsc#1012628). - udplite: remove UDPLITE_BIT (bsc#1012628). - udplite: fix various data-races (bsc#1012628). - selftests/bpf: Skip module_fentry_shadow test when bpf_testmod is not available (bsc#1012628). - tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed (bsc#1012628). ... changelog too long, skipping 987 lines ... - commit 9ecdaa5 ==== libX11 ==== Subpackages: libX11-6 libX11-data libX11-xcb1 - this update is needed due to jsc#PED-7282; it includes the security fix for CVE-2022-3555 (bsc#1204425, bsc#1208881) and a fix for a race condition in libX11 that causes various applications to crash randomly (boo#1181963) ==== libfido2 ==== Version update (1.13.0 -> 1.14.0) - update to 1.14.0: * fido2-cred -M, fido2-token -G: support raw client data via -w flag. * New API calls: * * fido_assert_authdata_raw_len; * * fido_assert_authdata_raw_ptr; * * fido_assert_set_winhello_appid. - add keyring for gpg validation ==== librdkafka ==== Version update (2.1.1 -> 2.3.0) - update to 2.3.0: * Partial support of topic identifiers. Topic identifiers in metadata response available through the new `rd_kafka_DescribeTopics` function * KIP-117 Add support for AdminAPI `DescribeCluster()` and `DescribeTopics()` * Return authorized operations in Describe Responses. * KIP-580: Added Exponential Backoff mechanism for retriable requests with `retry.backoff.ms` as minimum backoff and `retry.backoff.max.ms` as the maximum backoff, with 20% jitter (#4422). * Fixed ListConsumerGroupOffsets not fetching offsets for all the topics in a group with Apache Kafka version below 2.4.0. * Add missing destroy that leads to leaking partition structure memory when there are partition leader changes and a stale leader epoch is received (#4429). * Fix a segmentation fault when closing a consumer using the cooperative-sticky assignor before the first assignment * Fix for insufficient buffer allocation when allocating rack information (@wolfchimneyrock, #4449). * Fix for infinite loop of OffsetForLeaderEpoch requests on quick leader changes. (#4433). * Fix for stored offsets not being committed if they lacked the leader epoch (#4442). * Upgrade OpenSSL to v3.0.11 (while building from source) with various security fixes, check the release notes * Fix to ensure permanent errors during offset validation continue being retried and don't cause an offset reset (#4447). * Fix to ensure max.poll.interval.ms is reset when rd_kafka_poll is called with consume_cb (#4431). * Fix for idempotent producer fatal errors, triggered after a possibly persisted message state (#4438). * Fix `rd_kafka_query_watermark_offsets` continuing beyond timeout expiry (#4460). * Fix `rd_kafka_query_watermark_offsets` not refreshing the partition leader after a leader change and subsequent `NOT_LEADER_OR_FOLLOWER` error (#4225). ==== llvm17 ==== Version update (17.0.4 -> 17.0.5) - Update to version 17.0.5. * This release contains bug-fixes for the LLVM 17.0.0 release. This release is API and ABI compatible with 17.0.0. - Rebase llvm-do-not-install-static-libraries.patch. - Also test clang-tools-extra (at least most parts) and lld. - Adapt test in lld-default-sha1.patch. - Don't disable testing if qemu_user_space_build has been set to 0. ==== mcelog ==== Version update (195 -> 196) - Update to version 196: * mcelog: Add second model number for Arrowlake ==== mdadm ==== - No longer recommend smtp-daemon: this was a remainder from the cron configuration, which was removed back in 2018. ==== openvpn ==== Version update (2.6.7 -> 2.6.8) - update to 2.6.8: * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF state - the new sanity check function introduced in 2.6.7 sometimes tried to use a NULL pointer after an unsuccessful TLS handshake * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. * DCO: warn if DATA_V1 packets are sent by the other side - this a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco. * Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support. * add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6. * add warning to --show-groups that not all supported groups are listed (this is due the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves). * --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again) * warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations) * DCO-WIN: get and log driver version (for easier debugging). * print "peer temporary key details" in TLS handshake * log OpenSSL errors on failure to set certificate, for example if the algorithms used are in acceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios) * add CMake build system for MinGW and MSVC builds * remove old MSVC build system * improve cmocka unit test building for Windows ==== ovmf ==== Subpackages: qemu-ovmf-x86_64 - Sync change log to prepare for sending edk2-stable202308 ovmf to SLE15-SP6 (jsc#PED-6233, jsc#PED-5523) - Removed the following backported patches because they are merged to edk2 mainline: - ovmf-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch 494127613b SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2 (CVE-2019-14560, bsc#1174246) ==== xen ==== Subpackages: xen-libs xen-tools xen-tools-domU - Pass XEN_BUILD_DATE + _TIME to override build date (boo#1047218) ==== yast2-trans ==== Version update (84.87.20231104.b73ad6fbc9 -> 84.87.20231117.f12231d4de) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20231117.f12231d4de: * New POT for text domain 'cc'.