Packages changed: liborcus libsemanage nodejs20 (20.3.1 -> 20.5.1) openSUSE-repos-Tumbleweed (20230804.41e41a9 -> 20230810.a7534f6) python-semanage python311 python311-core qtkeychain-qt5 (0.13.2 -> 0.14.1) re2c (3.0 -> 3.1) salt virtualbox virtualbox-kmp xen (4.17.1_06 -> 4.17.2_02) xz (5.4.3 -> 5.4.4) yast2-country (4.6.2 -> 4.6.3) === Details === ==== liborcus ==== - Clean up the spec file and require gcc-c++ >= 7, since that is the first version that supports C++17 - Run tests on all distributions and architectures * Allow disabling them on command line by specifying "--without tests" - Changed patch: * no-std-filesystem.patch -> liborcus-filesystem.patch + rework the patch to detect std::filesystem, std::experimental::filesystem and boost::filesystem (in that order, and use them if found) - Added patch: * liborcus-tests.patch + fix tests on all platforms + do not use C++20 features with the boost::filesystem::directory_iterator + do not assume that pathlib integrates seamlessly with open and do not use f-string formating, both being python 3.6+ features ==== libsemanage ==== Subpackages: libsemanage-conf libsemanage-migrate-store libsemanage2 - Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS. - Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because of LTO - Enable LTO now (boo#1138812). ==== nodejs20 ==== Version update (20.3.1 -> 20.5.1) Subpackages: npm20 - Update to version 20.5.1: * (CVE-2023-32002, bsc#1214150): Policies can be bypassed via Module._load (High) * (CVE-2023-32558, bsc#1214155): process.binding() can bypass the permission model through path traversal (High) * (CVE-2023-32004, bsc#1214152): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High) * (CVE-2023-32006, bsc#1214156): Policies can be bypassed by module.constructor.createRequire (Medium) * (CVE-2023-32559, bsc#1214154): Policies can be bypassed via process.binding (Medium) * (CVE-2023-32005, bsc#1214153): fs.statfs can bypass the permission model (Low) * (CVE-2023-32003, bsc#1214151): fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low) - Changes in 20.5.0: * events: allow safely adding listener to abortSignal * fs: add a fast-path for readFileSync utf-8 * test_runner: add shards support - Changes in 20.4.0: * tls: add ALPNCallback server option for dynamic ALPN negotiation * adds support for ECMAScript Explicit Resource Management * adds Mock Timer support to test module For details see, https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.5.1 versioned.patch: refreshed ==== openSUSE-repos-Tumbleweed ==== Version update (20230804.41e41a9 -> 20230810.a7534f6) - Update to version 20230810.a7534f6: * Disable NVIDIA pkg building on LeapMicro. Fixes #34 PM confirmed that NVIDIA related deployments are expected to have all drivers/tools inside of container. * Fix incorrect with_nvidia usage ==== python-semanage ==== - Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS. - Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because of LTO - Enable LTO now (boo#1138812). ==== python311 ==== Subpackages: python311-curses python311-dbm - restrict PEP668 to ALP/Tumbleweed - add externally_managed.in to label this build as PEP-668 managed ==== python311-core ==== Subpackages: libpython3_11-1_0 python311-base - restrict PEP668 to ALP/Tumbleweed - add externally_managed.in to label this build as PEP-668 managed ==== qtkeychain-qt5 ==== Version update (0.13.2 -> 0.14.1) Subpackages: libqt5keychain1 libqt5keychain1-lang - Update to 0.14.1: * Many build system fixes and build fixes for recent Qt 6 releases * Add QtQuick client example * Added Dutch translation * Add API to check whether a secure backend is available at all * Export QKeychain::isAvailable() to make it usable in a shared build * Protect against creating the QtKeychain::QtKeychain alias target twice - Drop patch, merged upstream: * 0001-Define-a-poper-exported-CMake-target-instead-of-intr.patch - Add missing dependency to the -devel packages ==== re2c ==== Version update (3.0 -> 3.1) - Update to 3.1: * new options --leftmost-captures option and re2c:leftmost-captures on capturing groups * new syntax (! ...) for non-capturing groups * It is also possible to flip defaults with --invert-captures option or re2c:invert_captures configuration, so that (...) is a capturing group and (! ...) is a non-capturing one * TDFA paper and removal of experimental algorithms * internal codebase , build system and CI improvements see details at https://re2c.org/releases/release_notes.html#release-3-1 ==== salt ==== Subpackages: python3-salt salt-master salt-minion salt-transactional-update - Create minion_id with reproducible mtime - Fix detection of Salt codename by "salt_version" execution module - Fix regression: multiple values for keyword argument 'saltenv' (bsc#1212844) - Fix the regression of user.present state when group is unset (bsc#1212855) - Fix zypper repositories always being reconfigured - Fix utf8 handling in 'pass' renderer and make it more robust - Prevent _pygit2.GitError: error loading known_hosts when $HOME is not set (bsc#1210994) - Fix ModuleNotFoundError and other issues raised by salt-support module (bsc#1211591) - tornado: Fix an open redirect in StaticFileHandler (CVE-2023-28370, bsc#1211741) - Make master_tops compatible with Salt 3000 and older minions (bsc#1212516) (bsc#1212517) - Avoid failures due transactional_update module not available in Salt 3006.0 (bsc#1211754) - Avoid conflicts with Salt dependencies versions (bsc#1211612) - Added: * fix-utf8-handling-in-pass-renderer-and-make-it-more-.patch * fix-the-regression-of-user.present-state-when-group-.patch * make-master_tops-compatible-with-salt-3000-and-older.patch * avoid-conflicts-with-dependencies-versions-bsc-12116.patch * tornado-fix-an-open-redirect-in-staticfilehandler-cv.patch * fix-regression-multiple-values-for-keyword-argument-.patch * zypper-pkgrepo-alreadyconfigured-585.patch * mark-salt-3006-as-released-586.patch * fix-some-issues-detected-in-salt-support-cli-module-.patch * define-__virtualname__-for-transactional_update-modu.patch * 3006.0-prevent-_pygit2.giterror-error-loading-known_.patch ==== virtualbox ==== - Fix build for kernel 6.5 Add file "fixes_for_6.5.patch" Reworked patches for various Leap versions: Added file "fixes_for_leap.patch" Deleted file "fixes_for_leap15.2.patch" Deleted file "fixes_for_leap15.3.patch" Deleted file "fixes_for_leap15.4.patch" Deleted file "fixes_for_leap15.5.patch" ==== virtualbox-kmp ==== - Fix build for kernel 6.5 Add file "fixes_for_6.5.patch" Reworked patches for various Leap versions: Added file "fixes_for_leap.patch" Deleted file "fixes_for_leap15.2.patch" Deleted file "fixes_for_leap15.3.patch" Deleted file "fixes_for_leap15.4.patch" Deleted file "fixes_for_leap15.5.patch" ==== xen ==== Version update (4.17.1_06 -> 4.17.2_02) Subpackages: xen-libs xen-tools xen-tools-domU - bsc#1212684 - xentop fails with long interface name 64d33a57-libxenstat-Linux-nul-terminate-string.patch - Update to Xen 4.17.2 bug fix release (bsc#1027519) xen-4.17.2-testing-src.tar.bz2 * No upstream changelog found in sources or webpage - bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative Return Stack Overflow (XSA-434) - bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data Sampling (XSA-435) - Dropped patches contained in new tarball 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch 645dec48-AMD-IOMMU-assert-boolean-enum.patch 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch 646b782b-PCI-pci_get_pdev-respect-segment.patch 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch 648863fc-AMD-IOMMU-Invalidate-All-check.patch 64bea1b2-x86-AMD-Zenbleed.patch - Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch A bit is an index in bitmap, while bits is the allocated size of the bitmap. ==== xz ==== Version update (5.4.3 -> 5.4.4) Subpackages: liblzma5 liblzma5-32bit xz-lang - Update to version 5.4.4: * liblzma and xzdec can now build against WASI SDK when threading support is disabled. xz and tests don't build yet. * documentation update * translations update ==== yast2-country ==== Version update (4.6.2 -> 4.6.3) Subpackages: yast2-country-data - Allow changing date to a later year than 2032 (bsc#1214144) - 4.6.3