Packages changed:
  GraphicsMagick (1.3.27 -> 1.3.28)
  MozillaThunderbird (52.5.2 -> 52.6)
  cryptsetup (1.7.5 -> 2.0.0)
  dracut
  installation-images-Kubic (14.355 -> 14.358)
  kernel-source
  libetpan
  libnss_nis (1.3 -> 3.0)
  llvm4
  nut
  open-iscsi
  python-cairocffi
  python-matplotlib
  yast2-python-bindings (4.0.0 -> 4.0.2)

=== Details ===

==== GraphicsMagick ====
Version update (1.3.27 -> 1.3.28)
Subpackages: GraphicsMagick-devel libGraphicsMagick-Q16-3 libGraphicsMagick3-config libGraphicsMagickWand-Q16-2

- update to 1.3.28:
  * Security Fixes:
    BMP: Fix non-terminal loop due to unexpected bit-field mask value
      (DOS opportunity).
    PALM: Fix heap buffer underflow in builds with QuantumDepth=8.
    SetNexus() Fix heap overwrite under certain conditions due to using
      a wrong destination buffer. This issue impacts all 1.3.X releases.
    TIFF: Fix heap buffer read overflow in LocaleNCompare() when parsing
      NEWS profile.
  * Bug fixes:
    DescribeImage(): Eliminate possible use of null pointer.
    GIF: Fix memory leak of global colormap in error path.
    GZ: Writing to gzip files with the extension ".gz" was not working
      with Zlib 1.2.8.
    JNG: Fix buffer read overflow (a tiny fixed overflow of just one byte).
    JPEG: Promoting certain libjpeg warnings to errors caused much more
      problems than expected. The promotion of warnings to errors is
      removed. Claimed pixel dimensions are validated by file size before
      allocating memory for the pixels.
    IntegralRotateImage(): Assure that reported error in rotate by 270
      case does immediately terminate processing.
    MNG: Fix possible null pointer reference related to DEFI chunk
      parsing. Fix minor heap read overflow (constrained to just one
      byte) due to an ordering issue in a limit check. Fix memory leaks
      in error path.
    WebP: Fix stack buffer overflow in WriteWEBPImage() which occurs with
      libwebp 0.5.0 or newer due to a structure type change in the
      structure passed to the progress monitor callback.
    WPG: Memory leaks fixed.
  * API Updates:
    InterpolateViewColor(): This function now returns MagickPassFail
      (an unsigned int) rather than void so that errors can be
      efficiently reported.
    The magick/pixel_cache.h header is updated to add deprecation
      attributes such that code using GetPixels(), GetIndexes(), and
      GetOnePixel() will produce deprecation warnings for compilers
      which support them. These functions will not be removed in the
      1.3.X release series and when they are removed, pre-processor
      macros will be added so a replacement function is used instead.
      There is a long-term objective to eliminate functionally-redundant
      pixel cache functions to only the ones with the best properties
      since this reduces maintenance and may reduce the depth of the
      call stack (improving performance).
  * removed unneeded GraphicsMagick-release-date-missing-quote.patch

==== MozillaThunderbird ====
Version update (52.5.2 -> 52.6)
Subpackages: MozillaThunderbird-translations-common

- update to Thunderbird 52.6 (bsc#1077291)
  * Searching message bodies of messages in local folders, including
    filter and quick filter operations, not working reliably: Content
    not found in base64-encode message parts, non-ASCII text not found
    and false positives found.
  * Defective messages (without at least one expected header) not shown
    in IMAP folders but shown on mobile devices
  * Calendar: Unintended task deletion if numlock is enabled
  * Mozilla platform security fixes MFSA 2018-04
  * CVE-2018-5095 (bmo#1418447)
    Integer overflow in Skia library during edge builder allocation
  * CVE-2018-5096 (bmo#1418922)
    Use-after-free while editing form elements
  * CVE-2018-5097 (bmo#1387427)
    Use-after-free when source document is manipulated during XSLT
  * CVE-2018-5098 (bmo#1399400)
    Use-after-free while manipulating form input elements
  * CVE-2018-5099 (bmo#1416878)
    Use-after-free with widget listener
  * CVE-2018-5102 (bmo#1419363)
    Use-after-free in HTML media elements
  * CVE-2018-5103 (bmo#1423159)
    Use-after-free during mouse event handling
  * CVE-2018-5104 (bmo#1425000)
    Use-after-free during font face manipulation
  * CVE-2018-5117 (bmo#1395508)
    URL spoofing with right-to-left text aligned left-to-right
  * CVE-2018-5089
    Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- dropped obsolete mozilla-ucontext.patch

==== cryptsetup ====
Version update (1.7.5 -> 2.0.0)

- Update to version 2.0.0:
  * Add support for new on-disk LUKS2 format
  * Enable to use system libargon2 instead of bundled version
  * Install tmpfiles.d configuration for LUKS2 locking directory
  * New command integritysetup: support for the new dm-integrity
    kernel target
  * Support for larger sector sizes for crypt devices
  * Miscellaneous fixes and improvements

==== dracut ====

- support validating the IMA policy file signature, needed since
  Kernel 4.7
  * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch
- IMA: improve support for evm key loading (bsc#1077359, fate#323906)
  * Adds 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
  * Adds 0554-98integrity-support-X.509-only-EVM-configuration.patch
- FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070)
- Added a few more patch annotations
- Fix typo for ima dependency (evmtcl vs evmctl)
  (bsc#1073466)
- Updated Patch annotation regarding their upstream state
- FIPS: Try to fetch list of fips modules from the kernel's modules dir
  (bsc#1074984)
  * Adds 0551-fips-use-lib-modules-uname-r-modules.fips.patch
- Annotated patches regarding their upstream state
- dracut-ima requires evmctl and keyutils (bsc#1073466)

==== installation-images-Kubic ====
Version update (14.355 -> 14.358)

- merge gh#openSUSE/installation-images#233
- add missing drivers for ppc (bsc#1077546)
- 14.358
- merge gh#openSUSE/installation-images#232
- add full open-iscsi package to zenworks image (bsc#1077301)
- 14.357

==== kernel-source ====
Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms

- Revert "module: Add retpoline tag to VERMAGIC" (fix loading of KMPs).
- commit 9a6fca5
- Refresh
  patches.suse/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch.
- Refresh
  patches.suse/netfilter-xt_osf-Add-missing-permission-checks.patch.
- Refresh
  patches.suse/scsi-libfc-fix-ELS-request-handling.patch.
  Update upstream status.
- commit 12e5c10
- x86/ibrs: Add new helper macros to save/restore MSR_IA32_SPEC_CTRL fix
  (bsc#1068032 CVE-2017-5753).
- commit 6f87133

==== libetpan ====

- Rename %soname to %sover to better reflect its use.

==== libnss_nis ====
Version update (1.3 -> 3.0)
Subpackages: libnss_nis2 libnss_nis2-32bit

- Update to version 3.0
  - get rid of GLIBC_PRIVATE symbols

==== llvm4 ====
Subpackages: clang4-checker libLLVM4 libclang4

- Cleanup %ifarch conditions, remove targets unintentionally added to
  s390/s390x. (bnc#1078436)
- Limit the amount of parallel link jobs, but no longer limit compile
  jobs. This should prevent running out of memory during linking while
  no longer slowing down compilation.
- Remove build dependency on procps
- Reduce disk size requirement to 30GB in _constraints. We no longer
  need that much since we stopped building static libraries.

==== nut ====
Subpackages: libupsclient1 nut-cgi

- Fix clash between Group and %define GROUP by renaming the latter
  to NUT_GROUP (and USER to NUT_USER)
- Replace duplicate man files by soft links

==== open-iscsi ====
Subpackages: iscsiuio

- Removed the "rpm/" source directory from both the
  open-iscsi-2.0.876-suse.tar.bz2 and open-iscsi-SUSE-latest.diff.bz2
  files, since they are not needed for building and are not part of
  the upstream sources. They are still available under the git
  repository at github.com/hreinecke/open-iscsi.git. This means that
  changes to the spec file or the changes file will no longer require
  a change to the "*SUSE-latest*" file.
- Update to latest upstream version 2.0.876, with very few SUSE-specific
  modifications, namely around things upstream does not care about,
  like SUSE-specific systemd files. Also, version number modified to
  add "-suse", as usual. See the Changelog file for more details on
  changes in this upstream version. This replaces
  open-iscsi-2.0.875-suse.tar.bz2 with open-iscsi-2.0.876-suse.tar.bz2,
  and resets open-iscsi-SUSE-latest.diff.bz2 to contain only changes
  since the 2.0.876-suse tag. These changes added a new
  libopeniscsiusr.so library, as well as include files under a new
  open-iscsi-dev package, if you want to link against this library.
  The SPEC file was also cleaned up using spec-cleaner.

==== python-cairocffi ====

- Add xcffib support
- Spec file cleaned

==== python-matplotlib ====
Subpackages: python3-matplotlib python3-matplotlib-cairo python3-matplotlib-gtk3 python3-matplotlib-tk

- Update versions of required packages.

==== yast2-python-bindings ====
Version update (4.0.0 -> 4.0.2)

- Build both python2 and python3 versions of the bindings; (bsc#1074696).
- Convert the bindings into python3; (bsc#1074696).
- Fix some code examples; (bsc#1070212).
- Add example code ported from ruby examples; (bsc#1070212).
- Fixes based on findings from example code