Packages changed:
  Mesa
  Mesa-drivers
  MozillaFirefox (106.0.5 -> 107.0)
  bluez (5.65 -> 5.66)
  curl
  ffmpeg-4
  lcms2
  libXft (2.3.6 -> 2.3.7)
  libalternatives
  libappindicator
  open-iscsi
  systemd (251.8 -> 252.1)
  webkit2gtk3
  webkit2gtk3-soup2
  xfsprogs (5.19.0 -> 6.0.0)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- try to fix build on ppc64le due to running OOM (boo#1205441)
  * let's request 20G of physical memory via _constraints file

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva libxatracker2

- try to fix build on ppc64le due to running OOM (boo#1205441)
  * let's request 20G of physical memory via _constraints file

==== MozillaFirefox ====
Version update (106.0.5 -> 107.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 107.0
  MFSA 2022-47 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45407 (bmo#1793314)
    Loading fonts on workers was not thread-safe
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45413 (bmo#1791201)
    SameSite=Strict cookies could have been sent cross-site via intent URLs
  * CVE-2022-40674 (bmo#1791598)
    Use-after-free vulnerability in expat
  * CVE-2022-45415 (bmo#1793551)
    Downloaded file may have been saved with malicious extension
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45417 (bmo#1794508)
    Service Workers in Private Browsing Mode may have been written to disk
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45419 (bmo#1716082)
    Deleting a security exception did not take effect immediately
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
- requires
  * NSS >= 3.84
  * rust = 1.64

==== bluez ====
Version update (5.65 -> 5.66)
Subpackages: bluez-auto-enable-devices bluez-cups bluez-zsh-completion libbluetooth3

- update to 5.66:
  * Fix issue with A2DP and transport connection collisions.
  * Fix issue with allowing application specific error codes.
  * Fix issue with not setting initiator flag correctly.
  * Fix issue with HoG Report MAP size handling.
  * Add initial support for Basic Audio Profile.
  * Add initial support for Volume Control Profile.
- remove RPi-Move-the-43xx-firmware-into-lib-firmware.patch
  (does not apply anymore), replace with CPPFLAGS define

==== curl ====
Subpackages: libcurl4

- Add 1.50.0 as the minimum libnghttp2 build requirement version as
  a bandaid. Curl's 7.86.0 release introduces the use of
  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
  introduced by nghttp2 1.50.0 release, without introducing a check
  for the function/right version in their build scripts.
  This will make Zypper/cURL unusable in some corner cases where
  users install something that requires libcurl4 before doing
  full system upgrade, thus updating the cURL stack, but not
  libnghttp2's.
  Background: boo#1204983, Factory mailing list thread:
  "? broken dependency in curl and/or *zyp* ?", and forums thread:
  Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavfilter7_110 libavformat58_76 libavresample4_0 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix
  out of bounds read in update_block_in_prev_frame()
  (bsc#1205388).

==== lcms2 ====

- Removed reverse-0001-fix-memory-leaks-on-testbed.patch and added
  0001-fix-memory-corruption-when-unregistering-plugins.patch as
  final fix for https://github.com/hughsie/colord/issues/145

==== libXft ====
Version update (2.3.6 -> 2.3.7)
Subpackages: libXft2 libXft2-32bit

- Update to version 2.3.7
  * libxft issue #15
    https://gitlab.freedesktop.org/xorg/lib/libxft/-/issues/15
    XftFontLoadGlyphs for mono font returns wrong info in extents
    from XftTextExtentsUtf8 for variable chars
    Patch by Scott Mcdermott, based on
    https://github.com/googlefonts/Inconsolata/issues/42
  * fix compiler warning
  * libxft issue #16
    https://gitlab.freedesktop.org/xorg/lib/libxft/-/issues/16
    Stack gets smashed in fonts with colors when calling XftGlyphRender
    BGRA changes made incorrect comparison for local vs allocated
    buffer in XftGlyphSpecRender
  * stdint.h header is needed for SIZE_MAX

==== libalternatives ====
Subpackages: alts libalternatives1

- switch to a manual service rather than a buildtime tar service
  which introduces a bootstrap cycle between python and tar_scm

==== libappindicator ====
Subpackages: libappindicator3-1 typelib-1_0-AppIndicator3-0_1

- Let the rpm provide libappindicator-gtk3 for EL8 compat

==== open-iscsi ====
Subpackages: libopeniscsiusr0_2_0

- Updated to latest upstream. Changes:
  * scsid/iscsiuio: fix OOM adjustment (github issue #377)

==== systemd ====
Version update (251.8 -> 252.1)
Subpackages: libsystemd0 libsystemd0-32bit libudev1 libudev1-32bit systemd-32bit systemd-container systemd-lang udev

- Upgrade to v252.1 (commit 64dc546913525e33e734500055a62ed0e963c227)
  See https://github.com/openSUSE/systemd/blob/SUSE/v252/NEWS for
  details.
  * Rebased 0001-conf-parser-introduce-early-drop-ins.patch
            1000-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
  * The new tools systemd-measure and systemd-pcrphase have been
    added to the experimental sub-package for now.
  * Add temporarily
    6000-meson-install-test-kernel-install-only-when-Dkernel-.patch
    until this patch is mainstreamed.

==== webkit2gtk3 ====
Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update _constraints for webkit2gtk3:gtk3-soup2 on aarch64 to
  avoid slow workers and OOM

==== webkit2gtk3-soup2 ====
Subpackages: WebKit2GTK-4.0-lang libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles

- Update _constraints for webkit2gtk3:gtk3-soup2 on aarch64 to
  avoid slow workers and OOM

==== xfsprogs ====
Version update (5.19.0 -> 6.0.0)
Subpackages: libhandle1 xfsprogs-scrub

- update to 6.0.0:
  - libxfs: kernel sync
  - xfs_db: use preferable macro to seek offset for local dir3
  - xfs_quota: optimize -L/-U calls for dump/report