Packages changed:
  MozillaFirefox (79.0 -> 80.0)
  ark
  autoyast2 (4.3.35 -> 4.3.43)
  ceph (15.2.4.89+g583fe198f6 -> 16.0.0.4862+g8ac6038555)
  corosync
  dracut (050+suse.67.g28be2f36 -> 050+suse.75.g266a76d9)
  fetchmail
  gstreamer-plugins-base
  intel-vaapi-driver
  libdrm
  libglvnd
  libmfx
  libmysofa (1.0 -> 1.1)
  libqmi (1.24.14 -> 1.26.4)
  libstorage-ng (4.3.39 -> 4.3.40)
  libteam (1.29 -> 1.31)
  libva
  libva-gl
  libyui-ncurses (2.56.1 -> 2.56.2)
  libzypp (17.24.1 -> 17.24.2)
  mlterm (3.8.9 -> 3.9.0)
  mozilla-nspr (4.26 -> 4.27)
  mozilla-nss (3.54 -> 3.55)
  mozjs68
  open-vm-tools (11.1.0 -> 11.1.5)
  openvpn
  perl-HTML-Parser (3.72 -> 3.75)
  procps
  python-sip (4.19.19 -> 4.19.24)
  python3-qt5 (5.13.2 -> 5.15.0)
  qemu
  syslogd
  tracker (2.3.4 -> 2.3.5)
  tracker-miners (2.3.3 -> 2.3.4)
  xfce4-notifyd (0.6.1 -> 0.6.2)
  xorg-x11-server (1.20.8+0 -> 1.20.9)
  yast2 (4.3.19 -> 4.3.24)
  yast2-network (4.3.15 -> 4.3.17)
  yast2-online-update-configuration (4.3.1 -> 4.3.2)
  yast2-pkg-bindings (4.2.9 -> 4.3.0)
  yast2-services-manager (4.3.4 -> 4.3.5)
  yast2-storage-ng (4.3.14 -> 4.3.15)
  zypper (1.14.37 -> 1.14.38)

=== Details ===

==== MozillaFirefox ====
Version update (79.0 -> 80.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 80.0
  MFSA 2020-36 (bsc#1175686)
  * CVE-2020-15663 (bmo#1643199)
    Downgrade attack on the Mozilla Maintenance Service could
    have resulted in escalation of privilege
  * CVE-2020-15664 (bmo#1658214)
    Attacker-induced prompt for extension installation
  * CVE-2020-12401 (bmo#1631573)
    Timing-attack on ECDSA signature generation
  * CVE-2020-6829 (bmo#1631583)
    P-384 and P-521 vulnerable to an electro-magnetic side
    channel attack on signature generation
  * CVE-2020-12400 (bmo#1623116)
    P-384 and P-521 vulnerable to a side channel attack on
    modular inversion
  * CVE-2020-15665 (bmo#1651636)
    Address bar not reset when choosing to stay on a page after
    the beforeunload dialog is shown
  * CVE-2020-15666 (bmo#1450853)
    MediaError message property leaks cross-origin response
    status
  * CVE-2020-15667 (bmo#1653371)
    Heap overflow when processing an update file
  * CVE-2020-15668 (bmo#1651520)
    Data Race when reading certificate information
  * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
    bmo#1656957)
    Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- requires
  * NSPR 4.27
  * NSS 3.55
- added mozilla-system-nspr.patch (bmo#1661096)
- exclude ga-IE locale as it's failing to build
- rollback parallelize locale build because it breaks bookmarks
  (boo#1167976)
- preserve original default bookmark file during langpack build
  (boo#1167976)
- add some ccache output during build
- Use new memoryperjob _constraints instead of %limit_build macro.
- use ccache for build
- replace versioned RPM deps with requires_ge
- parallelize locale build
- Change *.appdata.xml location to latest AppStream standard

==== ark ====
Subpackages: ark-lang libkerfuffle20

- Add patch to prevent path traversal (boo#1175857, CVE-2020-24654):
  * 0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-flag-to-lib.patch

==== autoyast2 ====
Version update (4.3.35 -> 4.3.43)
Subpackages: autoyast2-installation

- Recognize installed_product and installed_product_version as
  legal elements of rules.xml files (boo#1176089).
- 4.3.43
- Add to erb templates more helpers (bsc#1175735)
- Use