Packages changed: cheese ffmpeg-4 libguestfs libstorage-ng (4.5.202 -> 4.5.203) llvm18 (18.1.4 -> 18.1.5) openSUSE-release (20240508 -> 20240509) openssl-3 osinfo-db taglib transactional-update (4.6.6 -> 4.6.8) unbound (1.19.3 -> 1.20.0) virt-manager wicked (0.6.74 -> 0.6.75) wtmpdb (0.11.0 -> 0.12.0+git.20240508) yast2-installation (5.0.9 -> 5.0.10) yast2-storage-ng (5.0.13 -> 5.0.14) === Details === ==== cheese ==== Subpackages: cheese-lang libcheese-common libcheese-gtk25 libcheese8 typelib-1_0-Cheese-3_0 - Add cheese-c99.patch: fix cast to invalid pointer type (glgo#GNOME/cheese!70). ==== ffmpeg-4 ==== Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9 - Add ffmpeg-CVE-2023-50010.patch: Backporting e4d2666b from upstream, fixes the out of array access. (CVE-2023-50010 bsc#1223256) ==== libguestfs ==== Subpackages: libguestfs-appliance libguestfs-winsupport libguestfs-xfs libguestfs0 - Set Recommends on zerofree and ntfsprogs for libguestfs-appliance ==== libstorage-ng ==== Version update (4.5.202 -> 4.5.203) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#992 - fixed typos - added .codespellrc - 4.5.203 ==== llvm18 ==== Version update (18.1.4 -> 18.1.5) Subpackages: clang-tools clang18 libLLVM18 libclang-cpp18 libclang13 llvm18-gold - Update to version 18.1.5. * This release contains bug-fixes for the LLVM 18.1.0 release. This release is API and ABI compatible with 18.1.0. - Rebase llvm-do-not-install-static-libraries.patch. ==== openSUSE-release ==== Version update (20240508 -> 20240509) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openssl-3 ==== Subpackages: libopenssl3 libopenssl3-32bit libopenssl3-x86-64-v3 - Add ktls capability [bsc#1216950] Already added in January, but not mentioned in this changelog. - Security fix: [bsc#1222548, CVE-2024-2511] * Fix unconstrained session cache growth in TLSv1.3 * Add openssl-CVE-2024-2511.patch ==== osinfo-db ==== - bsc#1222738 - virt-manager shows SLE Micro 6.0 in suggested OS version should be SL Micro 6.0 add-slm6.0-support.patch Drop add-slem6.0-support.patch ==== taglib ==== Subpackages: libtag2 libtag_c2 - USe %autosetup macro: allows us to eliminate usage of deprecated %patchN syntax. ==== transactional-update ==== Version update (4.6.6 -> 4.6.8) Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit - Version 4.6.8 - tukit: Properly handle overlay syncing failures: If the system would not be rebooted and several snapshots accumulated in the meantime, it was possible that the previous base snapshot - required for /etc syncing - was deleted already. In that case changes in /etc might have been reset. [gh#openSUSE/transactional-update#116] [gh#kube-hetzner/terraform-hcloud-kube-hetzner#1287] - soft-reboot: Log requested reboot type - soft-reboot: Don't force hard reboot on version change only - Version 4.6.7 - Add support for snapper 0.11.0; also significantly decreases cleanup time [boo#1223504] ==== unbound ==== Version update (1.19.3 -> 1.20.0) Subpackages: libunbound8 unbound-anchor - Update to 1.20.0: Features: * The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. * Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. * Fix GH#876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes: * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. * Remove unused portion from iter_dname_ttl unit test. * Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. * Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. * Fix doc test so it ignores but outputs unsupported doxygen options. * Fix GH#1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. * Merge GH#1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. * Fix GH#1029: rpz trigger clientip and action rpz-passthru not working as expected. * Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. * Fix to unify codepath for local alias for rpz cname action override. * Fix rpz for cname override action after nsdname and nsip triggers. * Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. * Merge GH#1030: Persist the openssl and expat directories for repeated Windows builds. * Fix that rpz CNAME content is limited to the max number of cnames. * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. * Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. * Add rpz unit test for nsip action override. * Fix rpz for qtype CNAME after nameserver trigger. * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. * Fix localdata and rpz localdata to match CNAME only if no direct type match is available. * Merge GH#831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). * For GH#831: Format text, use exclamation icon and explicit label names. * Fix name of unit test for subnet cache response. * Fix GH#1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. * Fix for GH#1032, add safeguard to make table space positive. * Fix comment in lruhash space function. * Fix to add unit test for lruhash space that exercises the routines. * Fix that when the server truncates the pidfile, it does not follow symbolic links. * Fix that the server does not chown the pidfile. * Fix GH#1034: DoT forward-zone via unbound-control. * Fix for crypto related failures to have a better error string. * Fix GH#1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. * Fix GH#369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. * Fix GH#1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. * For GH#1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. * Fix comment syntax for view function views_find_view. * Fix GH#595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. * Fixup compile without cachedb. * Add test for cachedb serve expired. * Extended test for cachedb serve expired. * Fix makefile dependencies for fake_event.c. * Fix cachedb for serve-expired with serve-expired-reply-ttl. * Fix to not reply serve expired unless enabled for cachedb. ... changelog too long, skipping 32 lines ... * Fix doxygen comment for errinf_to_str_bogus. ==== virt-manager ==== Subpackages: virt-install virt-manager-common - bsc#1222738 - virt-manager shows SLE Micro 6.0 in suggested OS version should be SL Micro 6.0 virtinst-add-slm-detection-support.patch ==== wicked ==== Version update (0.6.74 -> 0.6.75) Subpackages: wicked-service - Update to version 0.6.75: - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings - cleanup: fix overflow warnings in a socket testcase on i586 - ifcheck: report new and deleted configs as changed (bsc#1218926) - man: improve ARP configuration options in the wicked-config.5 - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108) - cleanup: fix interface dependencies and shutdown order (bsc#1205604) - Remove port arrays from bond,team,bridge,ovs-bridge (redundant) and consistently use config and state info attached to the port interface as in rtnetlink(7). - Cleanup ifcfg parsing, schema configuration and service properties - Migrate ports in xml config and policies already applied in nanny - Remove "missed config" generation from finite state machine, which is completed while parsing the config or while xml config migration. - Issue a warning when "lower" interface (e.g. eth0) config is missed while parsing config depending on it (e.g. eth0.42 vlan). - Resolve ovs master to the effective bridge in config and wickedd - Implement netif-check-state require checks using system relations from wickedd/kernel instead of config relations for ifdown and add linkDown and deleteDevice checks to all master and lower references. - Add a `wicked <ifup|ifdown|ifreload> --dry-run âŚ` option to show the system/config interface hierarchies as notice with +/- marked interfaces to setup and/or shutdown. - Removed patches included in the source archive: [- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch] [- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch] [- 0003-move-all-attribute-definitions-to-compiler-h.patch] [- 0004-hide-secrets-in-debug-log-bsc-1221194.patch] [- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch] ==== wtmpdb ==== Version update (0.11.0 -> 0.12.0+git.20240508) Subpackages: libwtmpdb0 - Update to version 0.12.0+git.20240508: - boot: Query systemd if soft-reboot was done ==== yast2-installation ==== Version update (5.0.9 -> 5.0.10) - Added encryption_method and encryption_pbkdf in the product description file (section partitioning/proposal) in order to set the encryption method/pbkdf in the Guided Setup of partitioning (related to bsc#1185291). - 5.0.10 ==== yast2-storage-ng ==== Version update (5.0.13 -> 5.0.14) - Proposal: Make the encryption method and the key derivation function configurable by product. - Partitioner: LUKS2 is always available and used by default, with PBKDF2 as default derivation function (related to bsc#1185291). - 5.0.14