Packages changed: MozillaFirefox (66.0.5 -> 67.0) kernel-firmware (20190502 -> 20190514) opus (1.3 -> 1.3.1) pipewire (0.2.5 -> 0.2.6) polkit-default-privs (13.2+20190520.a67a2af -> 13.2+20190523.efe368f) python-kiwi (9.17.37 -> 9.17.39) python-pexpect (4.6.0 -> 4.7.0) python-pyasn1-modules (0.2.4 -> 0.2.5) python-requests (2.21.0 -> 2.22.0) ruby2.6 spandsp webkit2gtk3 (2.24.1 -> 2.24.2) wireshark (3.0.1 -> 3.0.2) yast2-add-on (4.1.11 -> 4.1.12) === Details === ==== MozillaFirefox ==== Version update (66.0.5 -> 67.0) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 67.0 * Firefox 67 will be able to run different Firefox installs side by side https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/ * Tabs can now be pinned from the Page Actions menu in the address bar * Users can block known cryptominers and fingerprinters in the Custom settings or their Content Blocking preferences * The Import Data from Another Browser feature is now also available from the File menu * Firefox will now protect you against running older versions which can lead to data corruption and stability issues * Easier access to your list of saved logins from the main menu and login autocomplete * We?ve added a toolbar menu for your Firefox Account to provide more transparency for when you are synced, sharing data across devices and with Firefox. Personalize the appearance of the menu with your own avatar * Enable FIDO U2F API, and permit registrations for Google Accounts * Enabled AV1 support on Linux MFSA 2019-13 (boo#1135824) * CVE-2019-9815 (bmo#1546544) Disable hyperthreading on content JavaScript threads on macOS * CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects * CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas * CVE-2019-9818 (bmo#1542581) (Windows only) Use-after-free in crash generation server * CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API * CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell * CVE-2019-9821 (bmo#1539125) Use-after-free in AssertWorkerThread * CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest * CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager * CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux * CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library * CVE-2019-11694 (bmo#1534196) (Windows only) Uninitialized memory memory leakage in Windows sandbox * CVE-2019-11695 (bmo#1445844) Custom cursor can render over user interface outside of web content * CVE-2019-11696 (bmo#1392955) Java web start .JNLP files are not recognized as executable files for download prompts * CVE-2019-11697 (bmo#1440079) Pressing key combinations can bypass installation prompt delays and install extensions * CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks * CVE-2019-11700 (bmo#1549833) (Windows only) res: protocol can be used to open known local files * CVE-2019-11699 (bmo#1528939) Incorrect domain name highlighting during page navigation * CVE-2019-11701 (bmo#1518627) webcal: protocol default handler loads vulnerable web page * CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159, bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425) Memory safety bugs fixed in Firefox 67 * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136, bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108, bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097, bmo#1532465, bmo#1533554, bmo#1541580) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 - requires * rust/cargo >= 1.32 * mozilla-nspr >= 4.21 * mozilla-nss >= 3.43 * rust-cbindgen >= 0.8.2 - rebased patches - KDE integration for default browser detection is broken in this revision - Fix armv7 build with: * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch ==== kernel-firmware ==== Version update (20190502 -> 20190514) Subpackages: ucode-amd - Update to version 20190514: * linux-firmware: Update firmware file for Intel Bluetooth 8265 * linux-firmware: Update firmware file for Intel Bluetooth 9260 * linux-firmware: Update firmware file for Intel Bluetooth 9560 * linux-firmware: Update firmware file for Intel Bluetooth 22161 * amlogic: add video decoder firmwares * iwlwifi: update -46 firmwares for 22260 and 9000 series * iwlwifi: add firmware for 22260 and update 9000 series -46 firmwares * iwlwifi: add -46.ucode firmwares for 9000 series ==== opus ==== Version update (1.3 -> 1.3.1) - Update to version 1.3.1 * This release fixes an issue with the analysis on files with digital silence (all zeros), especially on x87 builds (mostly affects 32-bit builds). * Two new features: + A new OPUS_GET_IN_DTX query to know if the encoder is in DTX mode (last frame was either a comfort noise frame or not encoded at all) + A new (and still experimental) CMake-based build system that is eventually meant to replace the VS2015 build system (the autotools one will stay). ==== pipewire ==== Version update (0.2.5 -> 0.2.6) Subpackages: libpipewire-0_2-1 pipewire-modules pipewire-spa-plugins pipewire-spa-tools pipewire-tools - Update to version 0.2.6: + Improve error checking for threads. + Fix some memory and fd leaks. + Fix compilation with C++ compilers and clang. + DISABLE_RTKIT should now not try to use dbus at all. + Camera Portal fixes: - add Camera media.role. - Rename module-flatpak to module-portal. - Use the portal permissions store for camera checks. + Actually use the passed fd in pipewiresrc. + Make properties with "pipewire." prefix read-only. + Add security label to client object. + Enforce link permissions. + Permissions of objects are now combined with parent permissions. + Remove libv4l2 dependency, it is not used. + Improve format negotiation in autolink #146. + Try to avoid list corruption with event emmission #143. + Fix destroy of client-node memory corruption. + Various small improvements. - Remove pkgconfig(libv4l2) BuildRequires: follow upstreams cleanup of build dependencies. - Drop avoid-invalid-conversion-error-with-C++.patch: fixed upstream. ==== polkit-default-privs ==== Version update (13.2+20190520.a67a2af -> 13.2+20190523.efe368f) - Update to version 13.2+20190523.efe368f: * polkit profiles: whitelist lightdm-gtk-greeter-settings (bsc#1135695) ==== python-kiwi ==== Version update (9.17.37 -> 9.17.39) - Bump version: 9.17.38 ? 9.17.39 - Update obs docs per review by Tom - Disable check-valid-until with repository_gpgcheck This commit is two fold: * From one side fixes a wrong use of the `trusted` option for apt repositories. `trusted=no` does not force to run the gpg checks it just forces the repository to be considered untrusted regardless the result of the security checks. * From the other side it disables the option `check-valid-until` in case gpg checks are disabled using the `repository_gpgcheck`. It works at repository level. This enables using unmaintained or expired repositories for the build. Fixes #1028 - Simplify shell pipe expression with shell builtin Replace "echo $var | sed ..." expression with ${var//SEARCH/REPLACE} shell builtin as suggested by Codacy - Make mediacheck runtime check arch independent The check_mediacheck_only_for_x86_arch runtime check fails on non x86 architectures but the tagmedia toolchain exists independent of the platform architecture. This Fixes #1091 - Set home as protected path Along with adding home to the protection list, cleanup the prepare instance cleanup code in a way that it only runs if a root_bind object exists which needs to call its cleanup path - Extend docs about building multiple profiles on OBS - Remove FIXME from the runtime configuration file example - Improve the documentation about building in the Build Service Co-Authored-By: Thomas Schraitle <tom_schr@web.de> - Turn sphinx warnings into errors Modify the sphinx Makefile to treat warnings like undefined references as errors - kiwi-live-lib: mount live ISO as read-only During the boot process of a live image, dracut shows this WARNING: dracut-initqueue: mount: /run/initramfs/live: WARNING: device write-protected, mounted read-only This is not a problem, as the live ISO image is, indeed, read-only. This patch fix this cosmetic issue being explicit in the mount options in `mountIso` function. - Call isolinux-config only on supported archs - Discard default dependencies for sysroot.mount This commit makes default dependencies from sysroot.mount to be explicitly omitted. This fixes potential inconsistencies in ordering pre-mount.service with local-fs.target. This change is also applied to upstream sysroot.mount generator here: https://github.com/systemd/systemd/pull/12281 Fixes #1015 - Fix locale setting For pre-Leap 15 openSUSE versions KIWI >= 9.12.0 was not completely setting locale, as it was missingto set the RC_LANG variable from `/etc/sysconfig/language` file. Current commit enforces to update locale in `/etc/sysconfig/language` (if the file exists) at the same time it applies systemd-firstboot configurations. Fixes #1081 - Cleanup TODO & FIXME from xml_description.rst - Add GitLab CI pipeline badge to README.rst - Extend the development documentation Co-Authored-By: Thomas Schraitle <tom_schr@web.de> - Log thrown exceptions in Compress.get_format() - Fix documentation of Compress.get_format() - log exception in SystemPrepare.__del__ - Use yaml.safe_load instead of yaml.load yaml.load is relatively dangerous when the loaded data comes from untrusted sources, as it can allow for arbitrary code execution, see: https://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML safe_load limits the created python objects to the basic Python types like integers and strings, which is all that we need for the runtime configuration file. - Fixing doc source for broken refs and xml syntax - Document the usage of profiles via the CLI and OBS - Apply suggestions from @tomschr Co-Authored-By: dcermak <45594031+dcermak@users.noreply.github.com> - Improve the documentation of the runtime configuration file Co-Authored-By: Thomas Schraitle <tom_schr@web.de> - Apply suggestions from @tomschr Co-Authored-By: dcermak <45594031+dcermak@users.noreply.github.com> - Extend the documentation of Custom Disk Volumes - Add documentation of the XML schema in a tutorial like fashion Co-Authored-By: Thomas Schraitle <tom_schr@web.de> - Add documentation how to configure VMX build types - Cleanup warnings in utils/size.py - use a raw string for the regexp search string - improve the readability of the returned value - Make the user.password attribute mandatory Not providing a user password results in an error when usermod or openssl is later called by kiwi (depending on the value of `pwdformat`). This fixes #1061. - Fixed repo setup for cloud integration test builds Using the devel:languages:python repos leads to inconsistencies on the module dependencies - Bump version: 9.17.37 ? 9.17.38 - Delete obsolete repository types Deleted red-carpet, slack-site, up2date-mirrors, urpmi and yast2 from the allowed values list of the repository type attribute. This Fixes #1029 - Fixed build_in_buildservice stale references Fixed style issues reported on sphinx build. Also deleted pointers to non existing references - Delete suseRemovePackagesMarkedForDeletion Any package removal is controlled by kiwi itself. There is no need to provide a shell helper method that is rpm specific. This Fixes #1054 - Preserve licenses/other txt files by baseStripFirmware (bsc#1132455) (Fixes #1063) LICENSES are usually not large and should be kept alongside of the binaries. Also some firmware files sideload additional txt files (like for example brcmfmac43430 needs the sdio description txt files). We should just always include them because they're not listed as needed files. Co-Authored-By: Dan ?ermák <dcermak@suse.com> - Split overview/workflow.rst into multiple files Co-Authored-By: Thomas Schraitle <tom_schr@web.de> - Update doc/source/building/build_in_buildservice.rst Co-Authored-By: dcermak <45594031+dcermak@users.noreply.github.com> - Rework documentation about building on OBS - Added integration test guest image for OpenStack - Update suse integration tests per Factory changes The way plymouth themes are provided has changed on suse. The package plymouth-branding-openSUSE is no longer providing the theme named openSUSE. In fact the plan is to switch to the upstream bgrt theme which is provided in another package. This commit adapts to the changes in the distribution - Bump copyright year in the docs ==== python-pexpect ==== Version update (4.6.0 -> 4.7.0) - Update to 4.7.0: * The :meth:`.pxssh.login` method now no longer requires a username if an ssh config is provided and will raise an error if neither are provided. (:ghpull:`562`). * The :meth:`.pxssh.login` method now supports providing your own ssh command via the cmd parameter. (:ghpull:`528`) (:ghpull:`563`). * :class:`.pxssh` now supports the use_poll parameter which is passed into :meth:`.pexpect.spawn` (:ghpull:`542`). * Minor bug fix with ssh_config. (:ghpull:`498`). * :meth:`.replwrap.run_command` now has async support via an async_ parameter. (:ghpull:`501`). * :meth:`.pexpect.spawn` will now read additional bytes if able up to a buffer limit. (:ghpull:`304`). - Drop merged patch fix-test.patch ==== python-pyasn1-modules ==== Version update (0.2.4 -> 0.2.5) - Update to 0.2.5: - Added RFC3560 providing RSAES-OAEP Key Transport Algorithm in CMS - Added RFC6019 providing BinaryTime - an alternate format for representing Date and Time - RFC3565 superseded by RFC5649 - Added RFC5480 providng Elliptic Curve Cryptography Subject Public Key Information - Added RFC8520 providing X.509 Extensions for MUD URL and MUD Signer - Added RFC3161 providing Time-Stamp Protocol support - Added RFC3709 providing Logotypes in X.509 Certificates - Added RFC3274 providing CMS Compressed Data Content Type - Added RFC4073 providing Multiple Contents protection with CMS - Execute testsuite ==== python-requests ==== Version update (2.21.0 -> 2.22.0) - Update to 2.22.0: * Requests now supports urllib3 v1.25.2. (note: 1.25.0 and 1.25.1 are incompatible) - Rebase requests-no-hardcoded-version.patch ==== ruby2.6 ==== Subpackages: libruby2_6-2_6 ruby2.6-devel - Move RPM macros to %_rpmmacrodir. ==== spandsp ==== - Disable LTO (boo#1136056). ==== webkit2gtk3 ==== Version update (2.24.1 -> 2.24.2) Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 libwebkit2gtk3-lang typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles - Update to version 2.24.2: + Fix rendering of emojis copy-pasted from GTK emoji chooser. + Fix space characters not being rendered with some CJK fonts. + Fix adaptive streaming playback with older GStreamer versions. + Set a maximum zoom level for pinch zooming gesture. + Fix navigation gesture to not interfere with scrolling. + Fix SSE2 detection at compile time, ensuring the right flags are passed to the compiler. + Fix several crashes and rendering issues. + Security fixes: CVE-2019-8595, CVE-2019-8607, CVE-2019-8615. + Updated translations. - Drop webkit2gtk3-fix-i586-build.patch: Fixed upstream. ==== wireshark ==== Version update (3.0.1 -> 3.0.2) Subpackages: libwireshark12 libwiretap9 libwscodecs2 libwsutil10 wireshark-ui-qt - Wireshark 3.0.2 (bsc#1136021) * Wireshark dissection engine crash. - Further features, bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html ==== yast2-add-on ==== Version update (4.1.11 -> 4.1.12) - Fix: Update repository will be registered while installing an add-on on a running system (bsc#1055126). - 4.1.12