Removed rpms
============

Added rpms
==========

Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 115.10.0 ESR
+  Placeholder changelog-entry (bsc#1222535)
+
ca-certificates
+- Update to version 2+git20240416.98ae794 (bsc#1221184):
+  * Use flock to serialize calls (boo#1188500)
+  * Make certbundle.run container friendly
+  * Create /var/lib/ca-certificates if needed
+
emacs
+- Again fix %{%ext_info} to %{ext_info} (boo#1221769)
+
+- Modify patch CVE-2024-30205.patch (bsc#1222050)
+  * Add backport of (org--should-fetch-remote-resource-p) to be
+    sure that remote file locations will be checked by the user
+  * Use this in (org-file-contents)
+
+- Modify patch CVE-2024-30204.patch
+  * Backport the variable definition untrusted-content in lisp/files.el
+
+- Add patch CVE-2024-30203.patch
+  * Fix bsc#1222053 -- Gnus treats inline MIME contents as trusted
+- Add patch CVE-2024-30204.patch
+  * Fix bsc#1222052 -- LaTeX preview is enabled by default for e-mail attachments
+- Add patch CVE-2024-30205.patch
+  * Fix bsc#1222050 -- Org mode considers contents of remote files to be trusted
+
+- fix typo in %{ext_info} macro usage
+
graphviz
+- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file
+  bsc#1219491
+  A gvc-detect-plugin-installation-failure-and-display-an-error.patch
+
ibus-pinyin
+- Add ibus-pinyin-avoid-superkey-conflict.patch:
+  Make the system respond to the Super key to switch the input engine
+  after inputting Chinese in ibus-pinyin.
+  (bsc#1220235)
+
+- Add ibus-pinyin-use-single-quote-for-sqlite-3.41.0.patch:
+  Backport ffe471c9 from upstream: use single quotes inside SQL to
+  avoid the syntax fault of sqlite newer than 3.41.0 during the build
+  process.
+
-- ibus-pinyin-support-set-content-type-method.patch:
-  Fix visible password entry in GNOME lock screen (CVE-2013-4509,
-  bnc#847718); taken from Fedora package
-
-- add python-xdg as Requires
-
libzypp
+- Fix creation of sibling cache dirs with too restrictive mode
+  (bsc#1222398)
+  Some install workflows in YAST may lead to too restrictive (0700)
+  raw cache directories in case of newly created repos. Later
+  commands running with user privileges may not be able to access
+  these repos.
+- version 17.32.4 (32)
+
+- Update RepoStatus fromCookieFile according to the file's mtime
+  (bsc#1222086)
+- TmpFile: Don't call chmod if makeSibling failed.
+- version 17.32.3 (32)
+
+- Fixup New VendorSupportOption flag VendorSupportSuperseded
+  (jsc#OBS-301, jsc#PED-8014)
+  Fixed the name of the keyword to "support_superseded" as it was
+  agreed on in jsc#OBS-301.
+- version 17.32.2 (32)
+
+- Add resolver option 'removeUnneeded' to file weak remove jobs
+  for unneeded packages (bsc#1175678)
+- version 17.32.1 (32)
+
+- Add resolver option 'removeOrphaned' for distupgrade
+  (bsc#1221525)
+- New VendorSupportOption flag VendorSupportSuperseded
+  (jsc#OBS-301, jsc#PED-8014)
+- Tests: fix vsftpd.conf where SUSE and Fedora use different
+  defaults (fixes #522)
+- Add default stripe minimum (#529)
+- Don't expose std::optional where YAST/PK explicitly use c++11.
+- Digest: Avoid using the deprecated OPENSSL_config.
+- version 17.32.0 (32)
+
+- ProblemSolution::skipsPatchesOnly overload to hand out the
+  patches.
+- Remove https->http redirection exceptions for
+  download.opensuse.org.
+- version 17.31.32 (22)
+
manpages-l10n
+- Remove conflicting files with xz-lang (from SLE15)
+- Remove conflicting files with procps-lang (from SLE15)
+
polkit
+- Change permissions for rules folders (bsc#1209282)
+
python-idna
+- Add CVE-2024-3651.patch, backported from upstream commit
+  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
+  (bsc#1222842, CVE-2024-3651)
+
shim
-- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458.
-  The issue is fixed by upgrading to shim 15.7. (bsc#1198458, CVE-2022-28737)
+- update public keys of shim-15.8 after it has been signed back
+  from Microsoft.
+
+- Sometimes the SLE shim signature is updated by Microsoft before the
+  openSUSE shim signature. When a submit request for updating the SLE shim
+  is made on IBS, the submitreq project is generated, but it is always
+  blocked by the check of the openSUSE shim signature.
+  It doesn't make sense to check the openSUSE shim signature when building
+  the SLE shim on the SLE platform, and vice versa. So the following change
+  adds the logic to compare the suffix (sles, opensuse) with distro_id
+  (sle, opensuse). Stop building when and only when the hash mismatches
+  and distro_id matches the suffix.
+  [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+  [#] when hash mismatch and distro_id match with suffix, stop building
+- Sync the changelog between openSUSE:Factory/shim and SLE-15-SP3/shim
+  - Add CVE-2022-28737 number to "Mon Mar 27 09:26:02 UTC 2023" record
+  - Add "Thu Apr 13 05:28:10 UTC 2023" record for updating shim-install
+    for bsc#1210382.
+  - Add "Thu Apr 13 09:13:22 UTC 2023" record for changing the logic of
+    checking shim signature.
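The decision rule from the shim entry above ("stop building when and only when the hash mismatches and distro_id matches the suffix"), written out as an added shell example. This is not the shim package's own spec code; the file naming shim-<suffix>.efi, the DISTRO_ID values and the sample file are assumptions made for the example. The point it demonstrates is the asymmetry: a stale signed-back binary of the other distro is reported but does not block the build, while one of the distro being built does.

```shell
#!/bin/sh
# Added example, not taken from the shim package's spec file: the rule
# "stop the build only when the hash mismatches AND the binary belongs
# to the distro being built". The file naming (shim-<suffix>.efi) and the
# DISTRO_ID values (sle, opensuse) are assumptions made for this example.

# Map the signed-binary suffix used in the sources to the build's distro_id.
suffix_to_distro_id() {
    case "$1" in
        sles)     echo sle ;;
        opensuse) echo opensuse ;;
        *)        echo unknown ;;
    esac
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# shim_sig_check DISTRO_ID SUFFIX EXPECTED_SHA256 FILE
# Returns 0 if the build may continue, 1 if it must stop.
shim_sig_check() {
    distro_id=$1; suffix=$2; expected=$3; file=$4
    actual=$(file_sha256 "$file")

    if [ "$actual" = "$expected" ]; then
        return 0                      # signed binary is the one we expect
    fi
    if [ "$(suffix_to_distro_id "$suffix")" = "$distro_id" ]; then
        # Mismatch on our own distro's binary: the signed-back shim is stale.
        echo "ERROR: $file: hash mismatch for $distro_id build, stop" >&2
        return 1
    fi
    # Mismatch on the other distro's binary: irrelevant for this build.
    echo "note: $file: hash mismatch ignored (not a $distro_id binary)" >&2
    return 0
}

# Usage: DISTRO_ID=sle ./check.sh sles <expected-sha256> shim-sles.efi
# (runs only when executed directly with three arguments, not when sourced)
if [ "$#" -eq 3 ] && [ -n "${DISTRO_ID:-}" ]; then
    shim_sig_check "$DISTRO_ID" "$1" "$2" "$3"
fi
```

The expected hash is the one recorded for the signed-back binary; when Microsoft has signed a new SLE shim but not yet the openSUSE one, an SLE build sees a mismatch only for the opensuse suffix and continues, and vice versa.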
+
+- Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
+  92d0f4305df73 Set the SRK algorithm for the TPM2 protector
+
+- Limit the requirement of fde-tpm-helper-macros to the distro with
+  suse_version 1600 and above (bsc#1219460)
+
+-- Update to version 15.8
+  - Various CVE fixes are already merged into this version
+    mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+    avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+    Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
+    Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
+    pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
+    pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
+  - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+    The code in this patch already exists in shim-15.8.
+    The NX flag is disabled, which is the same as the default value of shim-15.8;
+    hence there is no need to enable it by this patch now.
+  - Patches (git log --oneline --reverse 15.7..15.8)
+    657b248 Make sbat_var.S parse right with buggy gcc/binutils
+    7c76425 Enable the NX compatibility flag by default.
+    89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
+    c7b3051 pe: Align section size up to page size for mem attrs
+    e4f40ae pe: Add IS_PAGE_ALIGNED macro
+    f23883c Don't loop forever in load_certs() with buggy firmware
+    1f38cb3 Optionally allow to keep shim protocol installed
+    102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+    aae3df0 test-sbat: Fix exit code
+    cca3933 Block Debian grub binaries with SBAT < 4
+    cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
+    0601f44 SBAT-related documents formatting and spelling
+    0640e13 Add a security contact email address in README.md
+    0bfc397 Work around malformed path delimiters in file paths from DHCP
+    a8b0b60 pe: only process RelocDir->Size of reloc section
+    f7a4338 Skip testing msleep()
+    549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+    908c388 Change type of fallback_verbose_wait from int to unsigned long
+    05eae92 Add SbatLevel_Variable.txt to document the various revocations
+    243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+    89d25a1 Add a make rule for compile_commands.json
+    118ff87 Add gnu-stack notes
+    f132655 test: Make our fake dprintf be a statement.
+    be00279 Remove CentOS 7 test builds.
+    9964960 Split pe.c up even more.
+    569270d Test (and fix) ImageAddress()
+    61e9894 Verify signature before verifying sbat levels
+    1578b55 Add libFuzzer support for csv.c
+    a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+    e246812 Add libFuzzer support to the .sbat parser.
+    fd43eda Work around ImageAddress() usage mistake
+    1e985a3 Correctly free memory allocated in handle_image()
+    dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+    04111d4 Make some of the static analysis tools a little easier to run
+    7ba7440 compile_commands.json: remove stuff clang doesn't like
+    66e6579 CVE-2023-40546 mok: fix LogError() invocation
+    f271826 Add primitives for overflow-checked arithmetic operations.
+    8372147 pe-relocate: Add a fuzzer for read_header()
+    5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+    e912071 pe-relocate: make read_header() use checked arithmetic operations.
+    93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
+    e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+    afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
+    96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
+    dae82f6 Further mitigations against CVE-2023-40546 as a class
+    ea0f9df Allow SbatLevel data from external binary
+    b078ef2 Always clear SbatLevel when Secure Boot is disabled
+    7dfb687 BS Variables for bootmgr revocations
+    a967c0e shim should not self revoke
+    577cedd Print message when refusing to apply SbatLevel
+    e801b0d sbat revocations: check the full section name
+    0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+    6f0c8d2 Print errors when setting/clearing memory attrs
+    57c0eed Updated Revocations for January 2024 CVEs
+    49c6d95 Fix some minor ia32 build issues.
+    be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
+    13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
+    c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
+    30a4f37 Rename "previous" revocations to "automatic"
+    6f395c2 Build time selectable automatic SBATLevel revocations
+    a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
+    993a345 Try to load revocations.efi even if directory read fails
+    1770a03 gitmodules: use shim-15.8 for gnu-efi branch
+    5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8
+
+- Generate dbx during build so we don't include binary files in sources
+
+- Don't require grub so shim can still be used with systemd-boot
+
+- Update shim-install to fix boot failure of ext4 root file system
+  on RAID10 (bsc#1205855)
+  226c94ca5cfca Use hint in looking for root if possible
+
+- Adopt the macros from fde-tpm-helper-macros to update the
+  signature in the sealed key after a bootloader upgrade
+
+- Update shim-install to amend full disk encryption support
+  b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
+  f2e8143ce831 Use the long name to specify the grub2 key protector
+  72830120e5ea cryptodisk: support TPM authorized policies
+  49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst
-- Updated shim signature after shim 15.7 is signed back:
+- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to
+  enable the NX compatibility flag when using post-process-pe, after
+  discussing it with grub2 experts by mail. It's useful for further
+  development and testing. (bsc#1205588)
+
+- Updated shim signature after shim 15.7 of SLE is signed back:
+- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101)
+  - Detailed discussion is in bugzilla:
+    https://bugzilla.suse.com/show_bug.cgi?id=1198101
+  - The shim community reviewed and challenged this prompt. No other
+    distro shows such a prompt (checked Fedora 37, CentOS 9 and Ubuntu 22.10).
+    Currently, it blocks the review process of the openSUSE shim.
+  - Other distros lock down the kernel when secure boot is enabled. Some of
+    them use a different key for signing the kernel binary and in-tree kernel
+    modules, and their build service does not provide signed out-of-tree
+    modules.
+
+- Modified shim-install, adding the following patches by Olaf Kirch to support
+  full disk encryption: (jsc#PED-922)
+  a5c57340740c Introduce --no-grub-install option
+  5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot
+  26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs
+
systemd-default-settings
+- Import 0.10
+  5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)
+
+- Import 0.9
+  bb859bf user@.service: Disable controllers by default (jsc#PED-2276)
+
+- The usage of drop-ins is now the official way for configuring systemd and its
+  various daemons on Factory/ALP. Hence the SUSE-specific early drop-ins
+  "feature" has been abandoned.
+
+- Import 0.8
+  f34372f User priority '26' for SLE-Micro
+  c8b6f0a Revert "Convert more drop-ins into early ones"
+
+- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
+  6b8dde1 Convert more drop-ins into early ones
+
tftp
+- Allow enabling the service via `systemctl enable tftp` to create
+  the tftp.socket symlink [bsc#1215520]
+
-- create capabilities provided by both tftp and atftp
-  (bnc#801481 or bnc#725378)
-
vim
+- Updated to version 9.1 with patch level 0330, fixes the following problems
+  * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
+- refreshed vim-7.3-filetype_spec.patch
+- refreshed vim-7.3-filetype_ftl.patch
+- Update spec.skeleton to use autosetup in place of setup macro.
+- for the complete list of changes see
+  https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330
+
+- Updated to version 9.1 with patch level 0111, fixes the following security problems
+  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
+  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
+  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
+  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
+  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
+  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
+  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
+  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
+  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
+  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
+- for the complete list of changes see
+  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
+
zypper
+- Do not try to refresh repo metadata as non-root user
+  (bsc#1222086)
+  Instead show refresh stats and hint how to update them.
+- man: Explain how to protect orphaned packages by collecting
+  them in a plaindir repo.
+- packages: Add --autoinstalled and --userinstalled options to
+  list them.
+- Don't print 'reboot required' message if download-only or
+  dry-run (fixes #529)
+  Instead point out that a reboot would be required if the option
+  was not used.
+- Respect zypper.conf option `showAlias` in search commands
+  (bsc#1221963)
+  Repository::asUserString (or Repository::label) respects the
+  zypper.conf option, while name/alias return the property.
+- version 1.14.71
+
+- dup: New option --remove-orphaned to remove all orphaned
+  packages in dup (bsc#1221525)
+- version 1.14.70
+
+- info,summary: Support VendorSupportOption flag
+  VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
+- BuildRequires: libzypp-devel >= 17.32.0.
+  API cleanup and changes for VendorSupportSuperseded.
+- Show active dry-run/download-only at the commit prompt.
+- patch: Add --skip-not-applicable-patches option (closes #514)
+- Fix printing detailed solver problem description.
+  The problem description() is one rule out of possibly many in
+  completeProblemInfo() the solver has chosen to represent the
+  problem. So either description or completeProblemInfo should be
+  printed, but not both.
+- Fix bash-completion to work with right adjusted numbers in the
+  1st column too (closes #505)
+- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
+- lr REPO: In the detailed view show all baseurls not just the
+  first one (bsc#1218171)
+- version 1.14.69
+