Packages changed:
  akonadi-server
  apparmor
  bind (9.16.25 -> 9.18.2)
  gnome-shell-extensions (42.0 -> 42.1)
  gnutls
  gtk4 (4.6.2 -> 4.6.4)
  hplip (3.21.10 -> 3.22.4)
  libapparmor
  libproxy
  libproxy-plugins
  lirc
  memcached (1.6.14 -> 1.6.15)
  open-iscsi
  plymouth
  python-Pygments (2.11.2 -> 2.12.0)
  python-stack-data (0.1.3 -> 0.2.0)
  rubygem-concurrent-ruby (1.1.9 -> 1.1.10)
  rubygem-nokogiri (1.13.4 -> 1.13.6)
  squashfs
  u-boot-rpiarm64
  yast2-iscsi-client (4.5.1 -> 4.5.3)
  yast2-trans (84.87.20220507.8ff263ce4d -> 84.87.20220513.26f6bfaa16)

=== Details ===

==== akonadi-server ====
Subpackages: libKF5AkonadiAgentBase5 libKF5AkonadiCore5 libKF5AkonadiPrivate5 libKF5AkonadiWidgets5 libKF5AkonadiXml5

- Add akonadiserver-apparmor-typos-mr94.patch to ensure mariadbd_akonadi AppArmor profile actually gets used

==== apparmor ====
Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-profiles apparmor-utils pam_apparmor python3-apparmor

- add dovecot-profiles-boo1199535-mr881.diff: update dovecot profiles for latest dovecot (boo#1199535)

==== bind ====
Version update (9.16.25 -> 9.18.2)
Subpackages: bind-doc bind-utils

- Add upstream patch bind-prevent-buffer-overflow.patch.
- The named-checkconf had been moved from /usr/sbin to /usr/bin but that had not been reflected in scripts that called this, eg named.prep. So these scripts failed.
  Some installations still have "createNamedConfInclude" in the NAMED_INITIALIZE_SCRIPTS in /etc/sysconfig/named. The named.prep will now report this but continue.
  [bsc#1199044, vendor-files.tar.bz2]
- Upgrade to 9.18.2:
  Most important bugs fixed:
  * The "starting maxtime timer" message related to outgoing zone transfers was incorrectly logged at the ERROR level instead of DEBUG(1).
  * Ensure that zone maintenance queries have a retry limit.
  * When using both the `+qr` and `+y` options `dig` could crash if the connection to the first server was not successful.
  * dig could hang in some cases involving multiple servers in a lookup, when a request fails and the next one refuses to start for some reason, for example if it was an IPv4 mapped IPv6 address.
  * dig +nssearch was hanging until manually interrupted.
  * When an UPDATE targets a zone that is not configured, the requested zone name is now logged in the "not authoritative" error message, so that it is easier to track down problematic update clients.
  * Quote the dns64 prefix in error messages that complain about problems with it, to avoid confusion with the following dns64 ACLs.
  * When encountering socket error while trying to initiate a TCP connection to a server, dig could hang indefinitely, when there were more servers to try.
  * When timing-out or having other types of socket errors during a query, dig wasn't trying to perform the lookup using other servers, in case they exist.
  * Resending a UDP request in the result of a timeout could cause an assertion failure when the resent query's result was SERVFAIL.
  * Replace single TCP write timer with per-TCP write timers.
  * Invalid dnssec-policy definitions were being accepted where the defined keys did not cover both KSK and ZSK roles for a given algorithm. This is now checked for and the dnssec-policy is rejected if both roles are not present for all algorithms in use.
  * Fix query context management issues in the TCP part of dig.
  Noteworthy functional changes:
  * Add new "reuseport" option to enable/disable load balancing of sockets.
  * Set the minimum MTU on UDPv6 and TCPv6 sockets and limit TCP maximum segment size (TCP_MAXSEG) to (1220) for both TCPv4 and TCPv6 sockets.
  Needed to define two macros in contrib code:
    FALLTHROUGH is a copy of how it is defined in
    UNREACHABLE follows the model used in MacOS /usr/include/c++/v1/cstdlib to determine if __builtin_unreachable is available
  [bind-9.18.2.tar.xz, bind-9.18.2.tar.xz.sha512.asc, bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch]
- * When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. [CVE-2021-25220]
  * TCP connection slots may be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue can only be triggered on BIND servers which have keep-response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block, and as such, any hosts specified within it will be able to trigger this issue on affected versions. [CVE-2022-0396]
  * The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) had been refactored and the default has been changed so that it is now automatically enabled for dnssec-validating resolvers. Subsequently it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly. The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled) [CVE-2022-0635]
  * The refactoring of the recursive client code introduced a "backstop lifetime timer." While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out.
    When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down. This introduces the possibility of triggering an assertion failure, which could cause the BIND process to terminate. [CVE-2022-0667]
  * Reset client TCP connection when data received cannot be parsed as a valid DNS request.
  For a complete list of changes, see
  * Bind Release Notes https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html
  * The CHANGES file in the source RPM
  This obsoletes bind-define-missing-threads.patch
  Also, removed bind-python3 from the spec file as it is not built any longer.
  [bind.spec, bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc, bind-define-missing-threads.patch]
- Update to new MAJOR VERSION 9.18.0. This has many enhancements, bug fixes and changes. The spec file also has mechanisms to run the integrated test suite.
  MAJOR CHANGES:
  * Support for securing DNS traffic using Transport Layer Security (TLS). TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
  * Support for zone transfers over TLS (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.
  * The dig tool is now able to send DoT queries (+tls option).
  * Support for OpenSSL 3.0 APIs was added.
  A number of utilities have been removed: dnssec-checkds, dnssec-coverage, dnssec-keymgr, which have been deprecated in favor of dnssec-policy feature, as well as python support (package python3-bind).
  A number of utilities have been moved from (/usr)/sbin to (/usr)/bin
  The DLZ modules have been put into separate sub-packages to keep unwanted dependencies out of the main package:
  * bind-modules-perl: dlz_perl_driver.so
  * bind-modules-mysql: dlz_mysql_dynamic.so, dlz_mysqldyn_mod.so
  * bind-modules-ldap: dlz_ldap_dynamic.so
  * bind-modules-bdbhpt: dlz_bdbhpt_dynamic.so
  * bind-modules-sqlite3: dlz_sqlite3_dynamic.so
  * bind-modules-generic: dlz_filesystem_dynamic.so, dlz_wildcard_dynamic.so
  For a complete list of changes, see
  * Bind Release Notes https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/notes.html
  * The CHANGES file in the source RPM
  [bind.spec, bind-9.18.0.tar.xz, bind-9.18.0.tar.xz.sha512.asc, bind-avoid-fallthrough-warning-error.patch, bind-contrib-pthread.patch, named-bootconf.diff, bind-define-missing-threads.patch]
- Old-style DLZ drivers have been deprecated in favor of DLZ modules. The DLZ drivers configuration option will be removed from the next major BIND 9 release. The option to use the DLZ modules is already available in BIND 9; please see the ARM section on DLZ modules.
  The dynamically loadable driver modules are stored in /usr/lib64/bind-plugins
  Example configurations for ldap and mysql are provided in named.conf.
  [bind.spec, vendor-files/config/named.conf]

==== gnome-shell-extensions ====
Version update (42.0 -> 42.1)
Subpackages: gnome-shell-classic gnome-shell-extensions-common

- Update to version 42.1:
  + Misc. bug fixes and cleanups.
  + Updated translations.

==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-hmac

- disable kcapi usage for now, as kernel-obs-build not adjusted to contain the algorithms. bsc#1189283

==== gtk4 ====
Version update (4.6.2 -> 4.6.4)
Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0

- Update to version 4.6.4:
  + GtkFileChooser:
    - Fix select button sensitivity in select_folder mode.
    - Fix some fallout from list model porting.
  + GtkListView, GtkColumnView: Optimize scrolling.
  + print-to-file: Handle nonexisting files better in the dialog.
  + Avoid infinite loops in size allocation.
  + CSS: Optimize a case of reparenting that is important in GtkListView.
  + GSK: Check for half-float support before using it.
  + Wayland:
    - Ignore empty preedit updates This fixes a problem with textview scrolling.
    - Freeze popups when hidden. This addresses a frame rate drop-
  + Updated translations.
- Update to version 4.6.3:
  + GtkOverlay: Bring back positional style classes.
  + GtkFileChooser:
    - Prevent unwanted completion popups.
    - Fix small problems in save mode.
    - Fix buildable support of GtkFileFilter.
  + GtkPopover: Fix button positions in right-to-left locales.
  + GtkLabel: Fix small issues with link handling.
  + Tooltips: Don't restrict the minimum tooltip length.
  + Theme:
    - Don't use opacity for overlay scrollbars.
    - Fix selection text color in vertical spin buttons.
  + GSK:
    - Accept textures that are generated by webkit.
    - Align offscreen rendering to the pixel grid.
  + Accessibility: Fix a crash in startup when orca is running.
  + Input:
    - Fix display changes in GtkIMMultiContext.
    - Fix activating on-screen keyboards.
    - Always propagate hold events in GtkEventControllerScroll.
  + Windows:
    - Fix a critical warning in clipboard handling.
    - Report serial numbers for events.
  + MacOS: Prevent fullscreen transition reentrancy.
  + Updated translations.
- Drop gtkimmulticontext-Handle-switches-between-displays.patch: fixed upstream.

==== hplip ====
Version update (3.21.10 -> 3.22.4)
Subpackages: hplip-hpijs hplip-sane

- Update to 3.22.4
  Added support for following new Distro's:
  * Manjaro 21.2
  Added support for the following new Printers:
  * HP LaserJet Pro 4001ne
  * HP LaserJet Pro 4001n
  * HP LaserJet Pro 4001dne
  * HP LaserJet Pro 4001dn
  * HP LaserJet Pro 4001dwe
  * HP LaserJet Pro 4001dw
  * HP LaserJet Pro 4001d
  * HP LaserJet Pro 4001de
  * HP LaserJet Pro 4002ne
  * HP LaserJet Pro 4002n
  * HP LaserJet Pro 4002dne
  * HP LaserJet Pro 4002dn
  * HP LaserJet Pro 4002dwe
  * HP LaserJet Pro 4002dw
  * HP LaserJet Pro 4002d
  * HP LaserJet Pro 4002de
  * HP LaserJet Pro 4003dn
  * HP LaserJet Pro 4003dw
  * HP LaserJet Pro 4003n
  * HP LaserJet Pro 4003d
  * HP LaserJet Pro 4004d
  * HP LaserJet Pro 4004dn
  * HP LaserJet Pro 4004dw
  * HP LaserJet Pro MFP 4101dwe
  * HP LaserJet Pro MFP 4101dw
  * HP LaserJet Pro MFP 4101fdn
  * HP LaserJet Pro MFP 4101fdne
  * HP LaserJet Pro MFP 4101fdw
  * HP LaserJet Pro MFP 4101fdwe
  * HP LaserJet Pro MFP 4102dwe
  * HP LaserJet Pro MFP 4102dw
  * HP LaserJet Pro MFP 4102fdn
  * HP LaserJet Pro MFP 4102fdw
  * HP LaserJet Pro MFP 4102fdwe
  * HP LaserJet Pro MFP 4102fdne
  * HP LaserJet Pro MFP 4102fnw
  * HP LaserJet Pro MFP 4102fnwe
  * HP LaserJet Pro MFP 4103dw
  * HP LaserJet Pro MFP 4103dn
  * HP LaserJet Pro MFP 4103fdn
  * HP LaserJet Pro MFP 4103fdw
  * HP LaserJet Pro MFP 4104dw
  * HP LaserJet Pro MFP 4104fdw
  * HP LaserJet Pro MFP 4104fdn
  * HP ScanJet Pro 3600 f1
  * HP ScanJet Pro N4600 fnw1
  * HP ScanJet Pro 2600 f1
  * HP ScanJet Enterprise Flow N6600 fnw1
- Changes from 3.22.2
  Added support for following new Distro's:
  * Elementary OS 6.1
  * RHEL 8.5
  * Linux Mint 20.3
  Added support for the following new Printers:
  * HP LaserJet Tank MFP 1602a
  * HP LaserJet Tank MFP 1602w
  * HP LaserJet Tank MFP 1604w
  * HP LaserJet Tank MFP 2602dn
  * HP LaserJet Tank MFP 2602sdn
  * HP LaserJet Tank MFP 2602sdw
  * HP LaserJet Tank MFP 2602dw
  * HP LaserJet Tank MFP 2604dw
  * HP LaserJet Tank MFP 2604sdw
  * HP LaserJet Tank MFP 2603dw
  * HP LaserJet Tank MFP 2603sdw
  * HP LaserJet Tank MFP 2605sdw
  * HP LaserJet Tank MFP 2606dn
  * HP LaserJet Tank MFP 2606sdn
  * HP LaserJet Tank MFP 2606sdw
  * HP LaserJet Tank MFP 2606dw
  * HP LaserJet Tank MFP 2606dc
  * HP LaserJet Tank MFP 1005
  * HP LaserJet Tank MFP 1005w
  * HP LaserJet Tank MFP 1005nw
  * HP LaserJet Tank 1502a
  * HP LaserJet Tank 1502w
  * HP LaserJet Tank 1504w
  * HP LaserJet Tank 2502dw
  * HP LaserJet Tank 2502dn
  * HP LaserJet Tank 2504dw
  * HP LaserJet Tank 2503dw
  * HP LaserJet Tank 2506dw
  * HP LaserJet Tank 2506d
  * HP LaserJet Tank 2506dn
  * HP LaserJet Tank 1020
  * HP LaserJet Tank 1020w
  * HP LaserJet Tank 1020nw
- Changes from 3.21.12
  Added support for following new Distro's:
  * MX Linux 21
  * Elementary OS 6
  * Fedora 35
- Drop photocard-fix-import-error-for-pcardext.patch, because now in upstream.
- Rebase Use-lsb_release-fallback-code-if-import-distro-fails.patch, because some is in upstream now.
- Rebase hplip-missing-drivers.patch

==== libapparmor ====

- add dovecot-profiles-boo1199535-mr881.diff: update dovecot profiles for latest dovecot (boo#1199535)

==== libproxy ====

- Add libproxy-python-310.patch: Detect python 3.10.

==== libproxy-plugins ====
Subpackages: libproxy1-config-gnome3 libproxy1-config-kde libproxy1-networkmanager libproxy1-pacrunner-webkit

- Add libproxy-python-310.patch: Detect python 3.10.

==== lirc ====

- Add lirc-autoconf-py310.patch: Output of autoreconf in order to find the correct python version when Tumbleweed switches to Python 3.10.

==== memcached ====
Version update (1.6.14 -> 1.6.15)

- update to 1.6.15:
  * proxy: Fix buffer overflow and prevent recv() of 0 byte
  * proxy: allow await() to be called recursively
  * proxy: mcp.request(cmd, [val | resp])
  * proxy: hacky method of supporting noreply/quiet
  * proxy: add ring_hash builtin
  * proxy: fix logger entry memory corruption
  * storage: parameterize the compaction thread sleep
  * proxy: pull chunks into individual c files
  * proxy: documentation updates
  * proxy: "stats settings" for proxy
  * proxy: await improvements
  * proxy: trivial support for SO_KEEPALIVE on backend
  * mcmc: upstream update for SO_KEEPALIVE
  * proxy: fix crash on stats proxy sans user stats
  * proxy: enable backend_total stat
  * proxy: track in-flight requests
  * proxy: add some basic logging for backend errors
  * proxy: logging improvements + lua mcp.log()
  * proxy: add stats for commands seen

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Set initiatorname in %post (at end of install), for cases where root is read-only at startup time (bsc#1198457)

==== plymouth ====
Subpackages: libply-splash-core5 libply-splash-graphics5 libply5 plymouth-dracut plymouth-lang plymouth-plugin-label plymouth-plugin-two-step plymouth-scripts plymouth-theme-bgrt plymouth-theme-spinner

- Add code to plymouth-watermark-config.patch in order to install the Watermark image file to initrd
- Refresh patches to apply cleanly
- Remove plymouth-keep-KillMode-none.patch: With the iteration of tumbleweed, system could boot with the systemd recommended option KillMode=mixed, so it's the time to remove this patch (bsc#1177082 bsc#1184087 boo#1182145).

==== python-Pygments ====
Version update (2.11.2 -> 2.12.0)

- update to 2.12.0:
  - Added lexers:
    * Cplint (#2045)
    * Macaulay2 (#1791)
    * Minecraft (#2107)
    * Qlik (#1925)
    * ``UnixConfigLexer`` for "colon-separated" config files, like ``/etc/passwd`` (#2112)
  - Updated lexers:
    * Agda: Update keyword list (#2017)
    * C family: Fix identifiers after ``case`` statements (#2084)
    * Clojure: Highlight ratios (#2042)
    * Csound: Update to 6.17 (#2064)
    * CSS: Update the list of properties (#2113)
    * Elpi:
      - Fix catastrophic backtracking (#2053, #2061)
      - Fix handling of ``->`` (#2028)
    * Futhark: Add missing tokens (#2118)
    * Gherkin: Add ``But`` (#2046)
    * Inform6: Update to 6.36 (#2050)
    * LilyPond:
      - Fix incorrect lexing of names containing a built-in (#2071)
      - Fix properties containing dashes (#2099)
    * PHP: Update builtin function and keyword list (#2054, #2056)
    * Scheme: Various improvements (#2060)
    * Spice: Update the keyword list, add new types (#2063, #2067)
    * Terraform:
      - Support non-idiomatic comments (#2065, #2066)
      - Fix class name lexing (#2097)
  - Add ``plugins`` argument to ``get_all_lexers()``.
  - Bump minimal Python version to 3.6 (#2059)
  - Fix multiple lexers marking whitespace as ``Text`` (#2025)
  - Remove various redundant uses of ``re.UNICODE`` (#2058)
  - Associate ``.resource`` with the Robot framework (#2047)
  - Associate ``.cljc`` with Clojure (#2043)
  - Associate ``.tpp`` with C++ (#2031)
  - Remove traces of Python 2 from the documentation (#2039)
  - The ``native`` style was updated to meet the WCAG AAA contrast guidelines (#2038)
  - Fix various typos (#2030)
  - Fix ``Groff`` formatter not inheriting token styles correctly (#2024)
  - Various improvements to the CI (#2036)
  - The Ada lexer has been moved to a separate file (#2117)
- drop elpi_fix_catastrophic_backtracking.patch: upstream

==== python-stack-data ====
Version update (0.1.3 -> 0.2.0)

- Update to 0.2.0:
  - Fallback to basic Source.pieces when there is no Source.tree.
  - Handle nodes inside f-strings missing location info from asttokens
- Add 29-Pygments-2-12.patch (gh#alexmojaki/stack_data#29) making the package compatible with Pygments 2.12.

==== rubygem-concurrent-ruby ====
Version update (1.1.9 -> 1.1.10)

- updated to version 1.1.10
  * (#951) Set the Ruby compatibility version at 2.2
  * (#939, #933) The `caller_runs` fallback policy no longer blocks reads from the job queue by worker threads
  * (#938, #761, #652) You can now explicitly `prune_pool` a thread pool (Sylvain Joyeux)
  * (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
  * (#932, #931) We changed how `SafeTaskExecutor` handles local jump errors (Aaron Jensen)
  * (#927) You can use keyword arguments in your initialize when using `Async` (Matt Larraz)
  * (#926, #639) We removed timeout from `TimerTask` because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
  * (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
  * (#915) `monotonic_time` now accepts an optional unit parameter, as Ruby's `clock_gettime` (Jean Boussier)

==== rubygem-nokogiri ====
Version update (1.13.4 -> 1.13.6)

- updated to version 1.13.6
  [#]# 1.13.6 / 2022-05-08
  [#]## Security
  * [CRuby] Address [CVE-2022-29181](https://nvd.nist.gov/vuln/detail/CVE-2022-29181), improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See [GHSA-xh29-r2w5-wx8m](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m) for more information.
  [#]## Improvements
  * `{HTML4,XML}::SAX::{Parser,ParserContext}` constructor methods now raise `TypeError` instead of segfaulting when an incorrect type is passed.
  [#]# 1.13.5 / 2022-05-04
  [#]## Security
  * [CRuby] Vendored libxml2 is updated to address [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824).
    See [GHSA-cgx6-hpwq-fhv5](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5) for more information.
  [#]## Dependencies
  * [CRuby] Vendored libxml2 is updated from v2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14).
  [#]## Improvements
  * [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare `<` characters.
  [#]## Changed
  * [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence ` 4.5.3)

- Fix a crash when opening the main dialog (bsc#1199552).
- 4.5.3
- Internal cleanup in several parts to turn the auto-converted YCP code into something closer to common Ruby.
- Enable iscsiuio during installation only if there is any card in the system using the bnx2i or qedi modules (bsc#1194432).
- 4.5.2

==== yast2-trans ====
Version update (84.87.20220507.8ff263ce4d -> 84.87.20220513.26f6bfaa16)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu

- Update to version 84.87.20220513.26f6bfaa16:
  * New POT for text domain 'nfs'.
  * New POT for text domain 'iscsi-client'.
  * New POT for text domain 'kdump'.