Packages changed: MozillaThunderbird (78.4.3 -> 78.5.0) c-ares (1.16.1 -> 1.17.0) distribution-logos-openSUSE (20190414 -> 20201117) drbd-utils fwupd gnome-documents gpg2 (2.2.23 -> 2.2.24) gpgme (1.14.0 -> 1.15.0) gpgmeqt (1.14.0 -> 1.15.0) java-11-openjdk (11.0.9.0 -> 11.0.9.1) libfido2 mariadb (10.5.6 -> 10.5.8) mozilla-nss (3.57 -> 3.58) ovmf pam_mount (2.16 -> 2.17) polkit-default-privs (1550+20201103.994a5ed -> 1550+20201119.2c1dce4) python-qt5 rubygem-rubocop-ast (1.1.0 -> 1.1.1) samba (4.13.0+git.138.ff2d5480c67 -> 4.13.2+git.176.0a5e55b510c) sudo (1.9.2 -> 1.9.3p1) systemd-presets-branding-openSUSE tigervnc ucode-intel (20201110 -> 20201118) xlockmore (5.65 -> 5.66) xtables-addons (3.11_k5.9.8_2 -> 3.12_k5.9.8_2) === Details === ==== MozillaThunderbird ==== Version update (78.4.3 -> 78.5.0) Subpackages: MozillaThunderbird-translations-common - Mozilla Thunderbird 78.5.0 MFSA 2020-52 (bsc#1178894) * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API) * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords * CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Thunderbird 78.5 - removed obsolete mozilla-rust-1.47.patch ==== c-ares ==== Version update (1.16.1 -> 1.17.0) - ares_dns.h, missing_header.patch: re-add missing header in last release - Version update to 1.17.0 Security: * avoid read-heap-buffer-overflow in ares_parse_soa_reply found during fuzzing * Avoid theoretical buffer overflow in RC4 loop comparison * Empty hquery->name could lead to invalid memory access * ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was passed in (bsc#1178882, CVE-2020-8277) Changes: * Update help information for adig, acountry, and ahost * Test Suite now uses dynamic system-assigned ports rather than hardcoded ports to prevent failures in containers * Detect remote DNS server does not support EDNS using rules from RFC 6891 * Source tree has been reorganized to use a more modern layout * Allow parsing of CAA Resource Record Bug fixes: * readaddrinfo bad sizeof() * Test cases should honor HAVE_WRITEV flag, not depend on WIN32 * FQDN with trailing period should be queried first * ares_getaddrinfo() was returning members of the struct as garbage values if unset, and was not honoring ai_socktype and ai_protocol hints. * ares_gethostbyname() with AF_UNSPEC and an ip address would fail * Properly document ares_set_local_ip4() uses host byte order For details, see https://c-ares.haxx.se/changelog.html - add missing upstream sources, to be removed for next release - remove unnecessary BuildRequires - fix building on SLE12 systems ==== distribution-logos-openSUSE ==== Version update (20190414 -> 20201117) - Add favicon.ico format - Remove obsolete Groups tag (fate#326485) ==== drbd-utils ==== - prepare usrmerge (boo#1029961) ==== fwupd ==== Subpackages: fwupd-lang libfwupd2 libfwupdplugin1 typelib-1_0-Fwupd-2_0 - Obsoletes and Provides dbxtool since fwupd 1.5.0+ now embeds dbxtool in the dbxtool plugin ==== gnome-documents ==== Subpackages: gnome-documents-lang gnome-shell-search-provider-documents - Remove BuildRequires pkgconfig(libgepub-0.6), no longer needed since epub support is in gnome-books now. ==== gpg2 ==== Version update (2.2.23 -> 2.2.24) Subpackages: dirmngr gpg2-lang - GnuPG 2.2.24: * gpg: New command --quick-revoke-sig * gpg: Do not use weak digest algos if selected by recipient preference during sign+encrypt * gpg: Switch to AES256 for symmetric encryption in de-vs mode * gpg: Silence weak digest warnings with --quiet * gpg: Print new status line CANCELED_BY_USER for a cancel during symmetric encryption * gpg: Fix the encrypt+sign hash algo preference selection for ECDSA. This is in particular needed for keys created from existing smartcard based keys * agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys * agent: Keep some permissions of private-keys-v1.d * dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and gnutls builds * dirmngr: Fix the pool keyserver case for a single host in the pool * scd: Fix the use case of verify_chv2 by CHECKPIN * scd: Various improvements to the ccid-driver * scd: Minor fixes for Yubikey * gpgconf: New option --show-versions * i18n: Complete overhaul and completion of the Italian translation ==== gpgme ==== Version update (1.14.0 -> 1.15.0) Subpackages: libgpgme11 libgpgmepp6 python3-gpg - gpgme 1.15.0: * New function gpgme_op_setexpire to make changing the expiration easier * New function gpgme_op_revsig to revoke key signatures * Support exporting secret keys * cpp: Support for set expire operations in the C++ bindings * cpp: Support for revoking key signatures in the C++ bindings * qt: Extended ChangeExpiryJob to support changing the expiry of subkeys * qt: Extended QuickJob to support revoking of key signatures * qt: Added QDebug stream operator for GpgME::Error. * Require libgpg-error 1.36 ==== gpgmeqt ==== Version update (1.14.0 -> 1.15.0) - gpgme 1.15.0: * New function gpgme_op_setexpire to make changing the expiration easier * New function gpgme_op_revsig to revoke key signatures * Support exporting secret keys * cpp: Support for set expire operations in the C++ bindings * cpp: Support for revoking key signatures in the C++ bindings * qt: Extended ChangeExpiryJob to support changing the expiry of subkeys * qt: Extended QuickJob to support revoking of key signatures * qt: Added QDebug stream operator for GpgME::Error. * Require libgpg-error 1.36 ==== java-11-openjdk ==== Version update (11.0.9.0 -> 11.0.9.1) Subpackages: java-11-openjdk-headless - Update to upstream tag jdk-11.0.9.1-1 * Fix: + JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) - Removed patch: * JDK-8250861.patch + Integrated upstream ==== libfido2 ==== Subpackages: libfido2-1 libfido2-udev - Add Conflicts: to supersede version 1.0.0. This is needed for a clean upgrade path on SLE. ==== mariadb ==== Version update (10.5.6 -> 10.5.8) Subpackages: libmariadbd19 mariadb-client mariadb-errormessages - Update to 10.5.8 * release notes and changelog: https://mariadb.com/kb/en/library/mariadb-1058-release-notes https://mariadb.com/kb/en/library/mariadb-1058-changelog * fixes for the following security vulnerabilities: 10.5.7: CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789 10.5.8: none - tracker bugs: [bsc#1177472] and [bsc#1178428] - refresh mariadb-10.2.19-link-and-enable-c++11-atomics.patch - update suse_skipped_tests.list ==== mozilla-nss ==== Version update (3.57 -> 3.58) Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs mozilla-nss-tools - update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. ==== ovmf ==== Subpackages: qemu-ovmf-x86_64 qemu-uefi-aarch64 - Add ovmf-jscSLE-16075-SEV-ES-fixes.patch to merge upstream SEV-ES fixes (jsc#SLE-16075) ==== pam_mount ==== Version update (2.16 -> 2.17) Subpackages: libcryptmount0 libcryptmount0-32bit pam_mount-32bit - Update to release 2.17 * Abandon /sbin as a location - Drop pam_mount-2.16-fix-luks2-mount.patch (merged) ==== polkit-default-privs ==== Version update (1550+20201103.994a5ed -> 1550+20201119.2c1dce4) - Update to version 1550+20201119.2c1dce4: - cleanup of dead and inconsistent polkit actions: * profiles: drop the now rather confusing comment from nwfilter-binding actions * profiles: harmonize and normalize profile syntax and style * profiles: harmonize spice-space.lowlevelusbaccess actions * profiles: remove dead pantheon actions * profiles: remove dead org.gnome.DejaDup.duplicity action * profiles: drop dead com.redhat.tuned.gui.run action * profiles: fix brltty action(s) * profiles: remove dead netvisix action * profiles: realmd.discover-realm action: fix restrictive any setting * profiles: remove dead com.redhat.lvm2.* actions * profiles: group together org.kde.powerdevil actions * profiles: remove dead org.kde.powerdevil.backlighthelper actions * profiles: fix FirewallD1.info action in standard profile * profiles: remove dead org.kde.baloo action * profiles: remove dead kwallet actions and fix kwallet5 restrictive setting * profiles: selinux actions: make restrictive profile no weaker than upstream * profiles: remove dead gufw pkexec action * profiles: adjust mate actions better to upstream defaults * profiles: remove dead org.libvirt.api.newfilter.bind-* actions * profiles: clear dead nepomuk.filewatch.raiselimit action * profiles: remove dead kcmlightdm actions * profiles: adjust gnome.controlcenter actions better to upstream defaults * profiles: remove dead org.kde.recorditnow helper * profiles: remove dead de.berlios.smb4k.mounthelper actions * profiles: adjust user-administration action better to upstream defaults * profiles: cleanup urfkill actions * profiles: adjust ModemManager1 actions better to upstream settings * profiles: cleanup ModemManager actions * profiles: sync hp.driveguard.* actions with upstream settings * profiles: gnome settings, xfce backlight-helper actions: sanitize settings * profiles: cleanup dead and sync existing org.gnome actions * profiles: sync timedate1 actions in restrictive profile with standard profile * profiles: remove dead sytemd1.bus-access action * profiles: remove dead org.kde actions * profiles: make org.kde settings no weaker than upstream settings * profiles: remove leftover dead yast actions * profiles: remove dead yast.modules.yapi actions * profiles: remove dead yast.modules.ysr actions * profiles: remove dead yast.modules actions * profiles: remove dead yast.module-manager and yast.scr actions * profiles: remove dead upower actions * profiles: add missing udisks2 actions in restrictive profile * profiles: remove dead udisks (1) actions * profiles: remove dead policykit.lockdown action, harmonize .exec setting * profiles: adjust RealtimeKit actions to upstream settings * profiles: remove dead SuSEfirewall2 zone switcher action * profiles: remove dead backupmanager action * profiles: remove dead smpppd action * profiles: remove dead consolekit actions * profiles: polkit example action run-frobnicate: adjust to upstream settings * profiles: remove dead org.gnome.policykit.examples.* actions * profiles: remove unused pulseaudio realtime actions * profiles: cleanup PackageKit actions * profiles: cleanup gnome-settings-daemon actions * profiles: cleanup network manager actions * profiles: cleanup outdated PolicyKit actions ==== python-qt5 ==== - Fix boo#1178814: migration of old /usr/share/sip/PyQt5 to update-alternatives needs special treatment - add QtRemoteObjects bindings to nonring build ==== rubygem-rubocop-ast ==== Version update (1.1.0 -> 1.1.1) - New upstream release 1.1.1 [#]# 1.1.1 (2020-11-04) [#]## Bug fixes * [#146](https://github.com/rubocop-hq/rubocop-ast/pull/146): Fix `IfNode#branches` to return both branches when called on ternary conditional. ([@fatkodima][]) ==== samba ==== Version update (4.13.0+git.138.ff2d5480c67 -> 4.13.2+git.176.0a5e55b510c) Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr1 libndr1-32bit libnetapi0 libnetapi0-32bit libsamba-credentials0 libsamba-credentials0-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-policy0-python3 libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap2 libsmbldap2-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-doc samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-32bit - Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); - Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469). - Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355); - Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245) - Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency ==== sudo ==== Version update (1.9.2 -> 1.9.3p1) Subpackages: sudo-plugin-python - Update to 1.9.3p1 * Fixed a regression introduced in sudo 1.9.3 where the configure script would not detect the crypt(3) function if it was present in the C library, not an additional library. * Fixed a regression introduced in sudo 1.8.23 with shadow passwd file authentication on OpenBSD. BSD authentication was not affected. * Sudo now logs when a user-specified command-line option is rejected by a sudoers rule. Previously, these conditions were written to the audit log, but the default sudo log file. Affected command line arguments include -C (--close-from), -D (--chdir), - R (--chroot), -g (--group) and -u (--user). - News in 1.9.3 * Fixed building the Python plugin on systems with a compiler that doesn't support symbol hiding. * Sudo now uses a linker script to hide symbols even when the compiler has native symbol hiding support. This should make it easier to detect omissions in the symbol exports file, regardless of the platform. * Fixed the libssl dependency in Debian packages for older releases that use libssl1.0.0. * Sudo and visudo now provide more detailed messages when a syntax error is detected in sudoers. The offending line and token are now displayed. If the parser was generated by GNU bison, additional information about what token was expected is also displayed. Bug #841. * Sudoers rules must now end in either a newline or the end-of-file. Previously, it was possible to have multiple rules on a single line, separated by white space. The use of an end-of-line terminator makes it possible to display accurate error messages. * Sudo no longer refuses to run if a syntax error in the sudoers file is encountered. The entry with the syntax error will be discarded and sudo will continue to parse the file. This makes recovery from a syntax error less painful on systems where sudo is the primary method of superuser access. The historic behavior can be restored by add "error_recovery=false" to the sudoers plugin's optional arguments in sudo.conf. Bug #618. * Fixed the sample_approval plugin's symbol exports file for systems where the compiler doesn't support symbol hiding. * Fixed a regression introduced in sudo 1.9.1 where arguments to the "sudoers_policy" plugin in sudo.conf were not being applied. The sudoers file is now parsed by the "sudoers_audit" plugin, which is loaded implicitly when "sudoers_policy" is listed in sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments for "sudoers_policy" but "sudoers_audit" is not listed, those arguments will be applied to "sudoers_audit" instead. * The user's resource limits are now passed to sudo plugins in the user_info[] list. A plugin cannot determine the limits itself because sudo changes the limits while it runs to prevent resource starvation. * It is now possible to set the working directory or change the root directory on a per-command basis using the CWD and CHROOT options. There are also new Defaults settings, runchroot and runcwd, that can be used to set the working directory or root directory on a more global basis. * New -D (--chdir) and -R (--chroot) command line options can be used to set the working directory or root directory if the sudoers file allows it. This functionality is not enabled by default and must be explicitly enabled in the sudoers file. - add sudo-1.9.3p1-pam_xauth.patch to stay setuid until just before executing the command. Fixes a problem with pam_xauth which checks effective and real uids to get the real identity of the user [bsc#1174593] ==== systemd-presets-branding-openSUSE ==== - Fix package description mention of 'systemd-presets-common-SUSE' ==== tigervnc ==== Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module - xvnc@.service: fixed path for %libexecdir (boo#1178601) ==== ucode-intel ==== Version update (20201110 -> 20201118) - Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971) - Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms. ==== xlockmore ==== Version update (5.65 -> 5.66) - update to 5.66: GL mode atunnels, juggler3d, atlantis, lament, invert, solitaire, text3d, and text3d2 fixed up by EoflaOE ViceCity and myself to build in xscreensaver. bomb, helix, lightning, penrose, petal, scooter fixes for xscreensaver port (clear screen issue). Clock fixed to run by changing a spot from "Clock" to "CLOCK". A few updates from xscreensaver-5.44/hacks/xlockmore.c for xscreensaver port. Duplicate resources and unloadable resources for xscreensaver port fixed by EoflaOE. Double free removed for xscreensaver port fixed by EoflaOE and myself. Removed some warnings in xscreensaver port in fzort, rubik, skewb, and sproingies. Xpm textures added to xscreensaver ports that need them. image, puzzle, decay, bat now work but use xscreensaver bitmap/pixmap in xscreensaver port. Bug fix in qix and toneclock for xscreensaver port, xlock was not affected by negative NRAND input. euler2d synced up with xscreensaver version. Change to fzort to use __asm__ instead of asm as its probably more likely to work. Fixed solitaire so deckPile changes just a little bit as it doles out cards. Updated bomb to use size 18 font when USE_MB is not set as it seems 34 is not widely available anymore. pacman now has different colored ghosts (no green ghost) and also oscillating dress and eyes. See README for a notice for this mode. Fixed some bad drawings in solitaire and pacman noticed on Windows side. Warnings removed for -Wstrict-prototypes -Wmissing-prototypes - Wdeclaration-after-statement ==== xtables-addons ==== Version update (3.11_k5.9.8_2 -> 3.12_k5.9.8_2) - Update to release 3.12 * Support for Linux 5.10 and the API/ABI change in 5.9.9