Removed rpms ============ - p11-kit-nss-trust Added rpms ========== - mozilla-nss-certs Package Source Changes ====================== MozillaThunderbird +- Mozilla Thunderbird 91.8 + * changed: Google accounts using password authentication will + be migrated to OAuth2. See KB Article. + * fixed: OpenPGP ECC keys created by Thunderbird could not be + imported into GnuPG + * fixed: Exporting multiple public PGP keys from Thunderbird + was not possible + * fixed: Replying to a newsgroup message erroneously displayed + a "No-reply" popup warning + * fixed: Opening `mid:` URLs on macOS failed + * fixed: Address books stored in older formats were loaded as + SQLite files, causing a crash + * fixed: Replicated LDAP directories were lost after switching + Thunderbird to "Offline"`mode + * fixed: Importing webcals from the commandline failed if the + URI ended with an `.ics` file extension + * fixed: Various security fixes + MFSA 2022-15 (bsc#1197903) + * CVE-2022-1097 (bmo#1745667) + Use-after-free in NSSToken objects + * CVE-2022-28281 (bmo#1755621) + Out of bounds write due to unexpected WebAuthN Extensions + * CVE-2022-1197 (bmo#1754985) + OpenPGP revocation information was ignored + * CVE-2022-1196 (bmo#1750679) + Use-after-free after VR Process destruction + * CVE-2022-28282 (bmo#1751609) + Use-after-free in DocumentL10n::TranslateDocument + * CVE-2022-28285 (bmo#1756957) + Incorrect AliasSet used in JIT Codegen + * CVE-2022-28286 (bmo#1735265) + iframe contents could be rendered outside the border + * CVE-2022-24713 (bmo#1758509) + Denial of Service via complex regular expressions + * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508, + bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776) + Memory safety bugs fixed in Thunderbird 91.8 + +- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer, + faster buildhosts, as the others struggle to build TB. + branding-openSUSE +- Skip *.tr files in /etc/bootsplash/themes/openSUSE/bootloader + dnsmasq +- bsc#1197872, CVE-2022-0934, dnsmasq-CVE-2022-0934.patch: + Heap use after free in dhcp6_no_relay + hwdata +- Update to version 0.357 (bsc#1196332): + + Updated pci, usb and vendor ids. + +- Update to version 0.356: + + Updated pci, usb and vendor ids. + hwinfo +- merge gh#openSUSE/hwinfo#112 +- fix bug in determining serial console device name (bsc#1198043) +- 21.81 + +- merge gh#openSUSE/hwinfo#109 +- fix logic around cdrom detection +- 21.80 + +- merge gh#openSUSE/hwinfo#108 +- Donot close the open tray after read_cdrom_info. +- Donot close the open tray after read. +- 21.79 + +- merge gh#openSUSE/hwinfo#106 +- Always read numerical 32bit serial number from EDID header. + Override this with ASCII serial number from display descriptor, + if available. +- Display numerical 32bit serial number for monitors without serial + number display descriptor +- 21.78 + +- merge gh#openSUSE/hwinfo#105 +- Use license file from gnu.org +- Fix spelling +- Add missing final newline +- Trim excess whitespace +- Simple maintenance improvements +- 21.77 + +- merge gh#openSUSE/hwinfo#104 +- Fix timezone issue in SOURCE_DATE_EPOCH code +- 21.76 + +- merge gh#openSUSE/hwinfo#100 +- recognize loongarch64 architecture +- 21.75 + +- merge gh#openSUSE/hwinfo#98 +- update pci and usb ids +- 21.74 + +- merge gh#openSUSE/hwinfo#95 +- don't rely on select() updating its timeout arg (bsc#1184339) +- 21.73 + kernel-default +- intel_idle: add core C6 optimization for SPR (bsc#1198602). +- commit d6fb753 + +- intel_idle: add 'preferred_cstates' module argument + (bsc#1198602). +- commit 0bc7d2b + +- intel_idle: add SPR support (bsc#1198602). +- commit 2bc31de + +- Move upstreamed patches into sorted section +- commit e93d073 + +- SCSI: iscsi: fix iscsi_endpoint changes (bsc#1197685). +- SCSI: iscsi: fix iscsi_cls_conn changes (bsc#1197685). +- scsi: qedi: Fix failed disconnect handling (bsc#1197685). +- scsi: iscsi: Fix NOP handling during conn recovery + (bsc#1197685). +- scsi: iscsi: Fix unbound endpoint error handling (bsc#1197685). +- scsi: iscsi: Fix conn cleanup and stop race during iscsid + restart (bsc#1197685). +- scsi: iscsi: Fix endpoint reuse regression (bsc#1197685). +- scsi: iscsi: Release endpoint ID when its freed (bsc#1197685). +- scsi: iscsi: Fix offload conn cleanup when iscsid restarts + (bsc#1197685). +- scsi: iscsi: Move iscsi_ep_disconnect() (bsc#1197685). +- commit d5cdaca + +- Sorted using series_sort.py + Since sequence_patch required it. +- commit 6bf7976 + +- PCI: hv: Remove unused hv_set_msi_entry_from_desc() + (bsc#1198228). +- commit b61cd71 + +- x86/platform/uv: Log gap hole end size (bsc#1198417). +- commit 8618bf4 + +- x86/platform/uv: Update TSC sync state for UV5 (bsc#1198417). +- commit 3d0fd26 + +- x86/platform/uv: Update NMI Handler for UV5 (bsc#1198417). +- commit 76ba15c + +- powerpc/numa: Handle partially initialized numa nodes + (bsc#1197658). +- commit 061e1c6 + +- SUNRPC: Ensure we flush any closed sockets before + xs_xprt_free() (bsc#1198330 CVE-2022-28893). +- commit d2a1b78 + +- Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb() + (bsc#1198228). +- Drivers: hv: balloon: Disable balloon and hot-add accordingly + (bsc#1198228). +- Drivers: hv: balloon: Support status report for larger page + sizes (bsc#1198228). +- Drivers: hv: vmbus: Prevent load re-ordering when reading ring + buffer (bsc#1198228). +- PCI: hv: Propagate coherence from VMbus device to PCI device + (bsc#1198228). +- Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus + device (bsc#1198228). +- Drivers: hv: vmbus: Fix initialization of device object in + vmbus_device_register() (git-fixes). +- Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by + default in isolated guests (bsc#1183682). +- PCI: hv: Avoid the retarget interrupt hypercall in irq_unmask() + on ARM64 (bsc#1198228). +- x86/hyperv: Output host build info as normal Windows version + number (git-fixes). +- commit 0c3a755 + +- additional reference for arm64 erratum 1418040 (bsc#1198228). +- commit 7a1dfd5 + +- supported.conf: move kmem and dax_hmem to support list + Moved kmem and dax_hmem to support list. (bsc#1195953) +- commit fdf232f + +- btrfs: fix lzo_decompress_bio() kmap leakage (bsc#1193852). +- Revert "btrfs: compression: drop kmap/kunmap from lzo" + (bsc#1193852). +- Revert "btrfs: compression: drop kmap/kunmap from zlib" + (bsc#1193852). +- Revert "btrfs: compression: drop kmap/kunmap from zstd" + (bsc#1193852). +- Revert "btrfs: compression: drop kmap/kunmap from generic + helpers" (bsc#1193852). +- commit c24af5b + kexec-tools +- kexec-tools-print-error-if-kexec_file_load-fails.patch: print + error if kexec_file_load fails (bsc#1197176). + libgcrypt +- FIPS: extend the service indicator [bsc#1190700] + * introduced a pk indicator function + * adapted the approved and non approved ciphersuites + * Add libgcrypt_indicators_changes.patch + * Add libgcrypt-indicate-shake.patch + libglvnd +- provide/obsolete Mesa-libGLESv1_CM1 and Mesa-libGLESv2-2 packages + (bsc#1196576) + libtirpc +- add option to enforce connection via protocol version 2 first + (bsc#1196647) + add 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch + libxml2 +- Security fix: [bsc#1196490, CVE-2022-23308] + * Use-after-free of ID and IDREF attributes. +- Add libxml2-CVE-2022-23308.patch + mozilla-nss +- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This + makes the PBKDF known answer test compliant with NIST SP800-132. + +- Mozilla NSS 3.68.3 (bsc#1197903) + This release improves the stability of NSS when used in a multi-threaded + environment. In particular, it fixes memory safety violations that + can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097). + We presume that with enough effort these memory safety violations are exploitable. + * Remove token member from NSSSlot struct (bmo#1756271). + * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots + (bmo#1755555). + * Check return value of PK11Slot_GetNSSToken (bmo#1370866). + net-snmp +- Decouple snmp-mibs from net-snmp version to allow major version + upgrade (bsc#1196955). + open-iscsi +- Updated to latest upstream, including bug fixes and cleanups. + Changes included: + * add handling name/value pairs for firmware login (bsc#1196113), + including man page update for same + * Fix bug where some package parts were installed using + DESTDIR twice + * general build cleanup (in prep for removing DB files from + /etc/iscsi some day soon) + Also, now delivering a "package config" file for libopeniscsiusr. + openjpeg2 +- Add security fixes: + openjpeg2-CVE-2018-5727.patch (CVE-2018-5727, bsc#1076314), + openjpeg2-CVE-2018-5785.patch (CVE-2018-5785, bsc#1076967), + openjpeg2-CVE-2018-6616.patch (CVE-2018-6616, bsc#1079845), + openjpeg2-CVE-2018-14423.patch (CVE-2018-14423, bsc#1102016), + openjpeg2-CVE-2018-16375.patch (CVE-2018-16375, bsc#1106882), + openjpeg2-CVE-2018-16376.patch (CVE-2018-16376, bsc#1106881), + openjpeg2-CVE-2018-20845.patch (CVE-2018-20845, bsc#1140130), + openjpeg2-CVE-2020-6851.patch (CVE-2020-6851, bsc#1160782), + openjpeg2-CVE-2020-8112.patch (CVE-2020-8112, bsc#1162090), + openjpeg2-CVE-2020-15389.patch (CVE-2020-15389, bsc#1173578), + openjpeg2-CVE-2020-27823.patch (CVE-2020-27823, bsc#1180457), + openjpeg2-CVE-2021-29338.patch (CVE-2021-29338, bsc#1184774), + openjpeg2-CVE-2022-1122.patch (CVE-2022-1122, bsc#1197738). + -- add libopenjp2.pc (demand introduced by ImageMagick 6.8.8-5) - patterns-base +- Backports fips pattern from SLE15 SP4 + * Since patterns_base has huge different compared to SLE ones, + backport fips pattern from SLE then fips pattern is not missing + s390-tools +- Updated the cputype script to include the model number of IBM's + recently announced z16 processor. + +- Added the following patches for bsc#1198285: + s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch + s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch + The certificate verification of check_hostkeydoc is too strict and + doesn't match the checking performed by genprotimg. +- Added the following patch for bsc#1198284: + s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch + When re-enciphering the identity key and/or wrapping key of the + zkey KMIP plugin via 'zkey kms reencipher', the operation + completes without an error, but the secure keys are left + un-reenciphered. + systemd +- Import commit 2bc0b2c447319a9156e7c5a18fe971f946554a6b + 6256b14446 test: adapt install_pam() for openSUSE + 3ea5b7e295 test: add test checking tmpfiles conf file precedence + e63e641ee8 test tmpfiles: add a test for 'w+' + b531758614 tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090) + ea98492c53 cryptsetup: fall back to traditional unlocking if any TPM2 operation fails +- Move coredumpctl completion files into systemd-coredump sub-package. + webkit2gtk3:gtk3-soup2 -- Update to version 2.34.6: +- Update to version 2.36.0 (boo#1198290): + + Add new accessibility implementation using ATSPI DBus + interfaces instead of ATK. + + Add support for requestVideoFrameCallback. + + Change hardware-acceleration-policy setting default value to + always. + + Add support for media session. + + Add new API to set HTTP response information to custom uri + schemes. + + Make user interactive threads (event handler, scrolling, …) + real time in linux. + + Security fixes: CVE-2022-22624, CVE-2022-22628, CVE-2022-22629. +- Rebase no-forced-sse.patch. +- Drop fix-warnings.patch and webkit2gtk3-link-fix.patch: fixed upstream. +- Add webkit2gtk3-old-ruby.patch: fix a build failure. + +- Update to version 2.34.6 (boo#1196133): + + Security fixes: CVE-2022-22620. - CVE-2022-22594. + CVE-2022-22594, CVE-2022-22637. wicked +- version 0.6.69 +- redfish: decode smbios and setup host interface + Add initial support to decode the SMBIOS Management Controller Host + Interface (Type 42) structure and expose it as wicked `firmware:redfish` + configuration to setup a Host Network Interface (to the BMC) using the + `Redfish over IP` protocol allowing access to the Redfish Service (via + redfish-localhost in /etc/hosts) used to manage the computer system. + Tech Preview (jsc#SLE-17762). +- buffer: fix size_t length downcast to uint, add guards to init functions +- wireless: fix to not expect colons in 64byte long wpa-psk hex hash string +- xml-schema: reference counting fix to not crash at exit on schema errors +- compat-suse: match sysctl.d /etc vs. /run read order with systemd-sysctl, + remove obsolete (sle11/sysconfig) lines about ifup-sysctl from ifsysctl.5. +- compat-suse: fix reading of sysctl addr_gen_mode to wrong variable +- auto6: fix to apply DNS from RA rdnss after ifdown/ifup (bsc#1181429) +- removed obsolete patch included in the master sources (bsc#1194392) + [- 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch] +