Removed rpms ============ - libopenh264-6 - mozilla-openh264 Added rpms ========== Package Source Changes ====================== Mesa +- revert previous change, since it resulted in Xorg and Mesa no + longer being able to load "i965" driver at all! This affects many + if not almost all Intel GPU users. I can't tell why this happens, + but I'm afraid we need to act immediately (boo#1202850); reopened + boo#1200965 for now ... + +- change default driver from 'iris' back to 'i965' for Intel + Gen8-11 hardware; that way we also use the same driver used by X + and Mesa (boo#1200965); related bugs: boo#1197045, boo#1197046 + Mesa-drivers +- revert previous change, since it resulted in Xorg and Mesa no + longer being able to load "i965" driver at all! This affects many + if not almost all Intel GPU users. I can't tell why this happens, + but I'm afraid we need to act immediately (boo#1202850); reopened + boo#1200965 for now ... + +- change default driver from 'iris' back to 'i965' for Intel + Gen8-11 hardware; that way we also use the same driver used by X + and Mesa (boo#1200965); related bugs: boo#1197045, boo#1197046 + audit-secondary +- Update audit-secondary.spec: create symbolic link from + /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519). + btrfsprogs +- Upstream behavior of btrfs compression=none (JSC#PED-1711) + * btrfs-progs_props_dont_translate_value_of_compression_none.patch + dracut +- Update to version 055+suse.294.gc5bc4bb5: + Missing network-manager module fixes (bsc#1201975): + * fix(network-manager): avoid calling unavailable dracut-logger functions + * fix(network-manager): skip non-directories in /sys/class/net + * fix(network-manager): disable tty output if the console is not usable + * fix(network-manager): show output on console only with rd.debug enabled + * fix(network-manager): write DHCP filename option to dhcpopts file + * fix(network-manager): ensure safe content of /tmp/dhclient."$ifname".dhcpopts + * fix(network-manager): include nm-daemon-helper binary + * fix(network-manager): don't pull in systemd-udev-settle + * fix(network-manager): support teaming under NM+systemd + * fix(network-manager): pull in network.target in nm-initrd.service + +- Update to version 055+suse.283.ge98ece25: + * fix(network-manager): check for nm-initrd-generator in both /usr/{libexec,lib} (bsc#1201975) + * fix(network-legacy): add auto timeout to wicked DHCP test (bsc#1198709) + emacs-apel +- Add emacs-apel-fix-build-error.patch: fix emacs-apel build error + on SLE-15-SP4 (bsc#1197714). + -- Add suse-start-apel.el. - gnutls +- Security fix: [bsc#1202020, CVE-2022-2509] + * Fixed double free during verification of pkcs7 signatures + * Add gnutls-CVE-2022-2509.patch + +- FIPS: + * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979] + - gnutls_fips140_run_self_tests now properly releases fips_context + +- FIPS: + * Add gnutls_ECDSA_signing.patch [bsc#1190698] + - Check minimum keylength for symmetric key generation + - Only allows ECDSA signature with valid set of hashes + (SHA2 and SHA3) + * Add gnutls-FIPS-force-self-test.patch [bsc#1198979] + - Provides interface for running library self tests on-demand + - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 + libnettle +- update to 3.8.1: + * Avoid non-posix m4 argument references in the chacha + implementation for arm64, powerpc64 and s390x. Reported by + Christian Weisgerber, fix contributed by Mamone Tarsha. + * Use explicit .machine pseudo-ops where needed in s390x + assembly files. Bug report by Andreas K. Huettel, fix + contributed by Mamone Tarsha. + +- update to 3.8: + This release includes a couple of new features, and many + performance improvements. It adds assembly code for two more + architectures: ARM64 and S390x. + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.5 and libhogweed.so.6.5, with sonames + libnettle.so.8 and libhogweed.so.6. + New features: + * AES keywrap (RFC 3394), contributed by Nicolas Mora. + * SM3 hash function, contributed by Tianjia Zhang. + * New functions cbc_aes128_encrypt, cbc_aes192_encrypt, + cbc_aes256_encrypt. + On processors where AES is fast enough, e.g., x86_64 with + aesni instructions, the overhead of using Nettle's general + cbc_encrypt can be significant. The new functions can be + implemented in assembly, to do multiple blocks with reduced + per-block overhead. + Note that there's no corresponding new decrypt functions, + since the general cbc_decrypt doesn't suffer from the same + performance problem. + Bug fixes: + * Fix fat builds for x86_64 windows, these appear to never + have worked. + Optimizations: + * New ARM64 implementation of AES, GCM, Chacha, SHA1 and + SHA256, for processors supporting crypto extensions. Great + speedups, and fat builds are supported. Contributed by + Mamone Tarsha. + * New s390x implementation of AES, GCM, Chacha, memxor, SHA1, + SHA256, SHA512 and SHA3. Great speedups, and fat builds are + supported. Contributed by Mamone Tarsha. + * New PPC64 assembly for ecc modulo/redc operations, + contributed by Amitay Isaacs, Martin Schwenke and Alastair + DĀ“Silva. + * The x86_64 AES implementation using aesni instructions has + been reorganized with one separate function per key size, + each interleaving the processing of two blocks at a time + (when the caller processes multiple blocks with each call). + This gives a modest performance improvement on some + processors. + * Rewritten and faster x86_64 poly1305 assembly. +- drop libnettle-s390x-CPACF-SHA-AES-support.patch (included in 3.8) + +- Make shared libraries executable + mozilla-nss +- update to NSS 3.79.1 (bsc#1202645) + * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier. + * bmo#1771498 - Uninitialized value in cert_ComputeCertType. + * bmo#1759794 - protect SFTKSlot needLogin with slotLock. + * bmo#1760998 - avoid data race on primary password change. + * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state. + +- Update nss-fips-approved-crypto-non-ec.patch to unapprove the + rest of the DSA ciphers, keeping signature verification only + (bsc#1201298). +- Update nss-fips-constructor-self-tests.patch to fix compiler + warning. + openldap2 +- bsc#1198341 - Prevent memory reuse which may lead to instability + * 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch + perl-HTTP-Daemon +- Fix request smuggling in HTTP::Daemon + (CVE-2022-31081, bsc#1201157) + * CVE-2022-31081.patch + * CVE-2022-31081-2.patch + * CVE-2022-31081-Add-new-test-for-Content-Length-issues.patch + procps +- Add the patches + * procps-3.3.17-library-bsc1181475.patch + * procps-3.3.17-top-bsc1181475.patch + which are backports of current newlib tree to solve bug bsc#1181475 + * 'free' command reports misleading "used" value + systemd +- Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one + pointing to /usr/lib/systemd/ (bsc#1201795) + +- Update 1009-Drop-or-soften-some-of-the-deprecation-warnings.patch (jsc#PED-944) + To decrease log level of messages about use of KillMode=none from warning to + debug. SAP still uses this deprecated option and the warnings emitted by PID1 + confuse both SAP customers and support. + +- Import commit 7b70d88264a588fdba36c6e7655d1feea2b0e0a0 (merge of v249.12) + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/4949659dd6ce81845e13034504fe06b85a02f08b...7b70d88264a588fdba36c6e7655d1feea2b0e0a0 + +- Import commit 4949659dd6ce81845e13034504fe06b85a02f08b + 0f096f16ba tmpfiles: check the directory we were supposed to create, not its parent + 82c3793e43 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call + 2191a9ae95 logind: don't delay login for root even if systemd-user-sessions.service is not activated yet (bsc#1195059) + systemd-presets-common-SUSE +- enable ignition-delete-config by default (bsc#1199524) + +- Modify branding-preset-states to fix systemd-presets-common-SUSE + not enabling new user systemd service preset configuration just + as it handles system service presets. By passing an (optional) + second parameter "user", the save/apply-changes commands now + work with user services instead of system ones (boo#1200485) + +- Add the wireplumber user service preset to enable it by default + in SLE15-SP4 where it replaced pipewire-media-session, but keep + pipewire-media-session preset so we don't have to branch the + systemd-presets-common-SUSE package for SP4 (boo#1200485) + timezone +- Update to reflect new Chile DST change, bsc#1202310 + * bsc1202310.patch + transactional-update +- Version 4.0.1 + - create_dirs_from_rpmdb: Just warn if no default SELinux context found + [gh#openSUSE/transactional-update#88], [bsc#1188215] + - create_dirs_from_rpmdb: Don't update the rpmdb cookie on failure + [gh#openSUSE/transactional-update#88] + - Handle directories owned by multiple packages + [gh#openSUSE/transactional-update#90], [bsc#1188215] + util-linux +- agetty: Resolve tty name even if stdin is specified (bsc#1197178, + util-linux-agetty-resolve-tty-if-stdin-is-specified.patch). +- libmount: When moving a mount point, update all sub mount entries + in utab (bsc#1198731, + util-linux-libmount-moving-mount-point-sub-mounts.patch, + util-linux-libmount-fix-and-improve-utab-on-ms_move.patch). + util-linux-systemd +- agetty: Resolve tty name even if stdin is specified (bsc#1197178, + util-linux-agetty-resolve-tty-if-stdin-is-specified.patch). +- libmount: When moving a mount point, update all sub mount entries + in utab (bsc#1198731, + util-linux-libmount-moving-mount-point-sub-mounts.patch, + util-linux-libmount-fix-and-improve-utab-on-ms_move.patch). + yast2 +- On transactional systems, inform the user that packages are + required to be installed manually (related to bsc#1199840) +- 4.5.11 + yast2-security +- Do not crash when reading active LSM modules returns nil + (related to jsc#SLE-22069) +- 4.5.1 + yast2-tune +- Added runtime dependency on hwinfo (bsc#1202651) +- 4.5.1 + yast2-users +- AY: Fix writing ssh keys for user without specified home + (bsc#1201185) +- 4.5.2 + zlib +- Fix heap-based buffer over-read or buffer overflow in inflate via + large gzip header extra field (bsc#1202175, CVE-2022-37434, + CVE-2022-37434-extra-header-1.patch, + CVE-2022-37434-extra-header-2.patch). +