Packages changed:
  389-ds
  MozillaFirefox (92.0.1 -> 93.0)
  MozillaThunderbird (91.1.2 -> 91.2.0)
  atkmm1_6
  ca-certificates (2+git20210723.27a0476 -> 2+git20211004.3efbea9)
  evince (40.4 -> 41.2)
  fetchmail (6.4.21 -> 6.4.22)
  flatpak (1.11.3 -> 1.12.1)
  fwupd (1.5.8 -> 1.6.2)
  gc (8.0.4 -> 8.0.6)
  gegl (0.4.30 -> 0.4.32)
  gjs
  glibmm2_4 (2.66.1 -> 2.66.2)
  glusterfs (9.1 -> 9.3)
  gnome-shell
  gnome-shell-extensions
  grilo (0.3.13 -> 0.3.14)
  grilo-plugins (0.3.13 -> 0.3.14)
  libaom (3.1.2 -> 3.1.3)
  librsvg (2.52.0 -> 2.52.1)
  libstorage-ng (4.4.43 -> 4.4.44)
  libzypp-plugin-appdata
  nano (5.8 -> 5.9)
  ntp
  open-vm-tools (11.3.0 -> 11.3.5)
  pam-config (1.4 -> 1.5)
  pangomm1_4
  perl-Image-ExifTool
  postfix
  postgresql (13 -> 14)
  postgresql14 (13.4 -> 14.0)
  rubygem-ffi (1.15.3 -> 1.15.4)
  rubygem-nokogiri (1.12.3 -> 1.12.5)
  rubygem-parallel (1.20.1 -> 1.21.0)
  rubygem-unf_ext (0.0.7.7 -> 0.0.8)
  rubygem-yast-rake (0.2.41 -> 0.2.42)
  sscep (0.9.1 -> 0.10.0)
  xdg-desktop-portal (1.10.0 -> 1.10.1)
  xfsprogs
  yast2-installation (4.4.19 -> 4.4.20)
  yast2-python-bindings (4.4.1 -> 4.4.2)

=== Details ===

==== 389-ds ====
Subpackages: lib389 libsvrcore0

- Add missing dependency on iproute2 for lib389

==== MozillaFirefox ====
Version update (92.0.1 -> 93.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 93.0
  * supports the new AVIF image format
  * PDF viewer now supports filling more forms (XFA-based forms)
  * now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads
  * Improved web compatibility for privacy protections with SmartBlock 3.0
  * Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing
  * TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can only be enabled when deprecated versions of TLS are also enabled
  * The download panel now follows the Firefox visual styles
  MFSA 2021-43 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
  * CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364) Memory safety bugs fixed in Firefox 93
- removed obsolete mozilla-bmo1708709.patch
- require NSS >= 3.70
- allow to override wayland detection by defining MOZ_ENABLE_WAYLAND explicitly as 0 or 1
- fix aarch64 build by updating constraints
- add mozilla-bmo1725828.patch to fix widevine (bsc#1190842)
- add mozilla-bmo531915.patch to fix build for i586

==== MozillaThunderbird ====
Version update (91.1.2 -> 91.2.0)
Subpackages: MozillaThunderbird-translations-common

- Mozilla Thunderbird 91.2.0
  * Saving a single message as .eml now uses a unique filename
  * New mail notifications did not properly take subfolders into account
  * Decrypting binary attachments when using an external GnuPG configuration failed
  * Account name fields in the account manager were not big enough for long names
  * LDAP searches using an extensibleMatch filter returned no results
  * Read-only CalDAV calendars and CardDAV address books were not detected
  * Multipart messages containing a calendar invite did not display any of the human-readable alternatives
  * Some calendar days were displayed incorrectly or duplicated (eg. two "29th" days of a particular month)
  * Phantom event was shown at the end of each day in Calendar week view
  MFSA 2021-46 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

==== atkmm1_6 ====

- turn off doc build, it does not work with new doxygen

==== ca-certificates ====
Version update (2+git20210723.27a0476 -> 2+git20211004.3efbea9)

- Update to version 2+git20211004.3efbea9:
  * Ensure --root option propagates prefix properly to other scripts

==== evince ====
Version update (40.4 -> 41.2)
Subpackages: evince-lang evince-plugin-comicsdocument evince-plugin-djvudocument evince-plugin-dvidocument evince-plugin-pdfdocument evince-plugin-tiffdocument evince-plugin-xpsdocument libevdocument3-4 libevview3-3 nautilus-evince typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0

- Update to version 41.2:
  + data: Remove alphanumeric version from AppStream.
  + Include subproject (libhandy) as part of the tarball.
- Update to version 41.1:
  + build: Revert project name capitalization.
- Changes from version 41.0:
  + backends:
    - Add format attribute to stop warning on string literal
    - Make function static as only used in this file
    - Simplify metadata tags getters
    - Use SaveToBufferData only with "struct" before
  + browser-plugin: Remove browser-plugin support
  + build:
    - Add option to control internal vs external synctex
    - Allow building without libhandy-1 available
    - Bump version requirement for Poppler
    - Fix conversion to match new version scheme
    - Modernize and simplify meson files
    - Remove Changelog target
    - Update build libtiff-4 dependency
    - Use devel icon for unstable version installed
    - Remove c++ dependency, and use only C
    - Fix compilation error when DBus is disabled
  + data:
    - Update URL to submit issues
    - Fix AppData urls for issues
    - Add new-window desktop action
    - Fix donation link
  + help:
    - Fix 404 link to on-wiki bug reporting guidelines
    - Update Evince icon as svg
    - Correct Window action
  + libview:
    - Open new annotation window only for text annotation
    - Fix dual page option ignored for single page documents
  + shell:
    - Add mnemonics to annotations contextual menus
    - Added mnemonic for highlight option in context menu
    - Adding padding to improve readability
    - Always show the annotation window on new annotations
    - Enable annotation actions only in document that supports them
    - Enable odd pages left when dual page is on
    - Expand sidebar annotations by default
    - Fix libhandy includes
    - Implemented headerbar for Annotation Properties dialog
    - Reload annotation sidebar on annotation properties changes
    - Reload the annotation sidebar when the type changes
    - Show annotation contents in sidebar when available
    - Show content in tooltip popup in annotations sidebar
    - Fix g_critical about removing non-existent timer
    - Show filename in recent view when title has only spaces
    - Show None when missing creation/modification date
    - Add comment about logic of 'first_iteration'
    - Use a constant for GString init size
    - Support duration in decimal value
    - Be able to collapse/expand all entries
  + Updated translations.
- Replace c++_compiler with c_compiler BuildRequires.
- Replace libtiff-devel with pkgconfig(libtiff-4) BuildRequires.
- Remove obsolete translation-update-upstream support (jsc#SLE-21105).
- Update to version 41.alpha:
  + Backends:
    - Add format attribute to stop warning on string literal.
    - Make function static as only used in this file.
    - Simplify metadata tags getters.
    - Use SaveToBufferData only with "struct" before.
  + browser-plugin: Remove browser-plugin support.
  + Help:
    - Update Evince icon as svg.
    - Correct Window action.
  + libview: dual page option is ignored for single page documents.
  + Shell:
    - Add mnemonics to annotations contextual menus.
    - Added mnemonic for highlight option in context menu.
    - Adding padding to improve readability.
    - Always show the annotation window on new annotations.
    - Enable odd pages left when dual page is on.
    - Expand sidebar annotations by default.
    - Implemented headerbar for Annotation Properties dialog.
    - Reload annotation sidebar on annotation properties changes.
    - Reload the annotation sidebar when the type changes.
    - Show annotation contents in sidebar when available.
    - Show content in tooltip popup in annotations sidebar.
    - Show filename in recent view when title has only spaces.
    - Support duration in decimal value.
    - Be able to collapse/expand all entries.
    - Fix g_critical about removing non-existent timer.
    - Fix compilation error when DBus is disabled.
    - Add new-window desktop action.
    - Show None when missing creation/modification date.
  + Updated translations.

==== fetchmail ====
Version update (6.4.21 -> 6.4.22)
Subpackages: fetchmailconf

- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
  * OPENSSL AND LICENSING NOTE:
    - fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
      OpenSSL's licensing changed between these releases from dual
      OpenSSL/SSLeay license to Apache License v2.0, which is considered
      incompatible with GPL v2 by the FSF. For implications and details,
      see the file COPYING.
  * SECURITY FIXES:
    - CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without
      --ssl and with nonempty --sslproto, meaning that fetchmail is to
      enforce TLS, and when the server or an attacker sends a PREAUTH
      greeting, fetchmail used to continue an unencrypted connection.
      Now, log the error and abort the connection.
      --Recommendation for servers that support SSL/TLS-wrapped or
      "implicit" mode on a dedicated port (default 993): use --ssl, or
      the ssl user option in an rcfile.
    - On IMAP and POP3 connections, --auth ssh no longer prevents
      STARTTLS negotiation.
    - On IMAP connections, fetchmail does not permit overriding a
      server-side LOGINDISABLED with --auth password any more.
    - On POP3 connections, the possibility for RPA authentication (by
      probing with an AUTH command without arguments) no longer prevents
      STARTTLS negotiation.
    - For POP3 connections, only attempt RPA if the authentication type
      is "any".
  * BUG FIXES:
    - On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have
      received the tagged (= final) response, do not send "*".
    - On IMAP connections, AUTHENTICATE EXTERNAL without username will
      properly send a "=" for protocol compliance.
    - On IMAP connections, AUTHENTICATE EXTERNAL will now check if the
      server advertised SASL-IR (RFC-4959) support and otherwise refuse
      (fetchmail <= 6.4 has not supported and does not support the
      separate challenge/response with command continuation)
    - On IMAP connections, when --auth external is requested but not
      advertised by the server, log a proper error message.
    - Fetchmail no longer crashes when attempting a connection with
      --plugin "" or --plugout "".
    - Fetchmail no longer leaks memory when processing the arguments of
      --plugin or --plugout on connections.
    - On POP3 connections, the CAPAbilities parser is now caseblind.
    - Fix segfault on configurations with "defaults ... no envelope".
      This is a regression in fetchmail 6.4.3 and happened when plugging
      memory leaks, which did not account for that the envelope
      parameter is special when set as "no envelope". The segfault
      happens in a constant strlen(-1), triggered by trusted local
      input => no vulnerability.
    - Fix program abort (SIGABRT) with "internal error" when invalid
      sslproto is given with OpenSSL 1.1.0 API compatible SSL
      implementations.
  * CHANGES:
    - IMAP: When fetchmail is in not-authenticated state and the server
      volunteers CAPABILITY information, use it and do not re-probe.
      (After STARTTLS, fetchmail must and will re-probe explicitly.)
    - For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl
      option do not match, emit a warning and continue.
    - fetchmail.man and README.SSL were updated in line with
      RFC-8314/8996/8997 recommendations to prefer Implicit TLS
      (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more
      prominently. The defaults shall not change between 6.4.X releases
      for compatibility.
  * Rebase patches:
    fetchmail-add-imap-oauthbearer-support.patch
    fetchmail-add-query_to64_outsize-utility-function.patch
    fetchmail-support-oauthbearer-xoauth2-with-pop3.patch

==== flatpak ====
Version update (1.11.3 -> 1.12.1)
Subpackages: libflatpak0 system-user-flatpak

- Update to version 1.12.1:
  + The security fix in the 1.12.0 release failed when used with some
    older versions of libseccomp (that don't know about the new
    syscalls).
- Update to version 1.12.0:
  + This is the first stable release in the 1.12.x series. The major
    change in this series is the support for better control of
    sub-sandboxes, as used by the steam flatpak.
  + In addition, this release fixes a security vulnerability in the
    portal support. Some recently added syscalls were not blocked by the
    seccomp rules which allowed the application to create sub-sandboxes
    which can confuse the sandboxing verification mechanisms of the
    portal. This has been fixed by extending the seccomp rules
    (boo#1191507, CVE-2021-41133)
  + Some test fixes
  + Support for specifying the flatpak binary to use during exports
  + Install translations for all languages in the locale, not just the ones in LC_MESSAGES.
  + Fix progress reporting in flatpak fsck
  + Handle cases where /var/tmp is a symlink
  + Expose /etc/gai.conf to the sandbox
  + Fix the parental control checks for root
  + Handle missing /etc/ld.so.cache (musl)
  + Updated translations

==== fwupd ====
Version update (1.5.8 -> 1.6.2)
Subpackages: fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0

- Update to version 1.6.2
- The fwupd efi program has been separated into the fwupd-efi package.
- Removed pesign-obs-integration, moved needssslcertforbuild, SBAT and EFI signing stuff to fwupd-efi.
- Moved libfwupdplugin1 to libfwupdplugin2
- Change log from upstream:
  https://github.com/fwupd/fwupd/blob/main/data/org.freedesktop.fwupd.metainfo.xml
- This release adds the following features:
  * Add a plugin to check Lenovo firmware settings
  * Add initial support for the powerd daemon
  * Add support for CapsuleOnDisk
  * Add support for installing UEFI updates from GRUB
  * Add support for soft-requirements that can be ignored with --force
  * Allow devices to only accept version upgrades
  * Allow discovery of Redfish BMCs specified by VID-PID or MAC
  * Allow the daemon to request interactive action from the end user
  * Automatically connect the BMC network interface at startup
  * Show the build timestamp if set on the device
  * Show the user how to switch out of Wacom tablet Android-mode
- This release fixes the following bugs:
  * Add the alternate vendor name into the 8BitDo allowlist
  * Allow multiple devices to set WAIT_FOR_REPLUG
  * Allow the client to watch for more property changes
  * Always ensure the SuperIO version string is NUL terminated
  * Automatically clear the update error as required
  * Disable all UX capsules for Lenovo hardware
  * Do not assume the metainfo file is NUL-terminated
  * Do not save invalid files on LVFS server error
  * Fix a VLI regression in enumerating the PD device
  * Fix a VLI regression when installing VL820Q7 firmware
  * Fix enumeration of the Synaptics Prometheus config child
  * Fix parsing Redfish USB/PCI network VID/PIDs
  * Fix the fwupdmgr progressbar spinner to actually work
  * Fix version number for legacy Wacom Bluetooth modules
  * Ignore virtual M.2 ATA devices
  * Preserve NEEDS_REBOOT on successful update
  * Prevent a corrupt PHAT table from allocating lots of memory
  * Read the Redfish SMBIOS table when required
  * Remove the vendor string from the device name where required
  * Save the update state to the database correctly all of the time
  * Switch from sysctl to ioctl for ESRT on FreeBSD
  * Try reading from /sys/class/dmi if SMBIOS direct access fails
  * Watch for children added or removed after setup has been completed
  * Work around a XCC-ism on Lenovo hardware
- This release adds support for the following hardware:
  * ModemManager devices supporting Firehose or MBIM QDU
  * More models of RTS54HUB
  * More Poly DFU devices
  * Parade LSPCON
  * PixArt receiver and wireless hardware
  * Realtek MST with RTD2142
  * SuperIO IT5570
  * USB4 Dell dock

==== gc ====
Version update (8.0.4 -> 8.0.6)

- Update to release 8.0.6
  * Allocate start_info struct on the stack in GC_pthread_create.
  * Allow GC_PAUSE_TIME_TARGET environment variable values smaller than 5 ms.
  * Disable mprotect-based incremental GC if /proc roots are used.
  * Enable sbrk-to-mmap fallback on major supported Unix-like platforms.
  * Ensure process is running on one CPU core if AO ops are emulated with locks.
  * Fix data race regarding *rlh value in generic_malloc_many.
  * Fix handling of areas smaller than page size in GC_scratch_recycle.
  * Limit number of unmapped regions.
==== gegl ====
Version update (0.4.30 -> 0.4.32)
Subpackages: gegl-0_4 gegl-0_4-lang libgegl-0_4-0

- disable docs until the upstream bug is solved
  https://gitlab.gnome.org/GNOME/gegl/-/issues/294#note_1281553

==== gjs ====
Subpackages: libgjs0 typelib-1_0-GjsPrivate-1_0

- Add upstream crash fixer patches from stable branch:
  + b9e122044a7ccc1e2a3374c680b6ea82066bfa59.patch: arg: Replace gsize with size_t
  + 62025d4a2738a36ea5f1a7cebef08b22b5eef613.patch: Handle optional out parameters in callbacks
- Stop disabling lto: Following this, stop passing dtrace=true and
  systemtap=true to meson, as well as dropping systemtap-sdt-devel
  BuildRequires, follow upstream default.
- Add optional pkgconfig(gtk4) BuildRequires: meson checks for it.

==== glibmm2_4 ====
Version update (2.66.1 -> 2.66.2)
Subpackages: libgiomm-2_4-1 libglibmm-2_4-1

- Update to version 2.66.2:
  + Glib, Gio: Replace all g_quark_from_static_string() by g_quark_from_string()
  + Gio:
    - FileEnumerator: Remove refreturn to avoid memory leak
    - ListModel::get_object(): Make it work for interface classes
  + Build: MSVC build: Remove extraneous GLIBMM_API in Glib::ustring

==== glusterfs ====
Version update (9.1 -> 9.3)
Subpackages: libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0

- Update to release 9.3
  * New reset-brick command
  * Ability to get node level status of a cluster
  * Multi-threaded self-heal for Disperse volumes
  * Lock revocation feature
  * On-demand scrubbing for bitrot detection
  * Real time Cluster notifications using Events APIs
- Move mount helper to /usr/sbin [boo#1191062]

==== gnome-shell ====
Subpackages: gnome-extensions gnome-shell-calendar gnome-shell-lang

- Add 380d2db1d9047ecffcef7d78f00184963b403efc.patch: inputMethod:
  Clear preeditStr before reset. Previously, these were performed in a
  different order before GNOME 41. During some other changes they were
  swapped. However, this causes both GTK 3 and GTK 4 applications to
  scroll to incorrect positions from the preedit change.
==== gnome-shell-extensions ====
Subpackages: gnome-shell-classic gnome-shell-extensions-common gnome-shell-extensions-common-lang

- Update sle-classic to version 41
  + Update gse-sle-classic-ext.patch
  + Update sle-classic@suse.com.tar.gz

==== grilo ====
Version update (0.3.13 -> 0.3.14)
Subpackages: grilo-lang libgrilo-0_3-0 libgrlnet-0_3-0 libgrlpls-0_3-0 typelib-1_0-Grl-0_3

- Update to version 0.3.14:
  + CVE-2021-39365: Fix TLS cert validation not being done for any network call.
  + Fix double-free when using GrlNet in Python.
  + Load config from GRL_CONFIG_PATH if set.
  + Clarify LGPLv2.1 or later license.
  + Handle numeric limits for GrlOperationOptions.
  + Updated translations.
- Drop grilo-CVE-2021-39365.patch: fixed upstream.

==== grilo-plugins ====
Version update (0.3.13 -> 0.3.14)
Subpackages: grilo-plugin-tracker grilo-plugin-youtube grilo-plugins-lang

- Update to version 0.3.14:
  + Fix lua-factory crash on >= 5.4.3.
  + Clarify LGPLv2.1 or later license.
  + tracker3: Make resolve async.
  + euronews: Use YouTube feeds.
  + Updated translations.
- Drop 108.patch: fixed upstream.

==== libaom ====
Version update (3.1.2 -> 3.1.3)

- Update to version 3.1.3:
  * Update CHANGELOG for v3.1.3-rc2
  * Detect chroma subsampling more directly
  * Detect chroma subsampling more directly
  * image2yuvconfig() should calculate uv_crop_width
  * aom/aom_encoder.h: remove configure option reference
  * aom_encoder.h: fix rc_overshoot_pct range
  * Update AUTHORS,CHANGELOG,CMakeLists.txt for v3.1.3
  * aom_install: don't exclude msvc from install
  * aom_install: use relpath for install
  * aom_install: Install lib dlls to bindir

==== librsvg ====
Version update (2.52.0 -> 2.52.1)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 typelib-1_0-Rsvg-2_0

- Update to version 2.52.1:
  + Fix ordering of tspan inside text elements for right-to-left languages.
  + Fix text-anchor positioning for right-to-left languages.
  + Fix regression in computing sizes when an SVG has only one of width/height and a viewBox.
  + Spec compliance - the writing-mode property applies only to text elements, not to individual tspan elements.
  + Fix build on big-endian platforms.
  + Clarify documentation for the rsvg_handle_write() / rsvg_handle_close() deprecated APIs.

==== libstorage-ng ====
Version update (4.4.43 -> 4.4.44)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#836
- added non-const versions of several existing functions
- added detect_remove_info()
- 4.4.44

==== libzypp-plugin-appdata ====

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_appstream-sync-cache.service.patch

==== nano ====
Version update (5.8 -> 5.9)
Subpackages: nano-lang

- GNU nano 5.9:
  * The extension of a filename is added to the name of a corresponding
    temporary file, so that spell checking a C file, for example, will
    check only the comments and strings (when using 'aspell').
  * The process number is added to the name of an emergency save file,
    so that when multiple nanos die they will not fight over a filename.
  * Undoing a cutting operation will restore an anchor that was located
    in the cut area to its original line.
  * When using --locking, saving a new buffer will create a lock file.
  * Syntax highlighting for YAML files has been added

==== ntp ====

- Added hardening to systemd service(s) (bsc#1181400). Modified:
  * conf.ntp-wait.service
  * conf.ntpd.service

==== open-vm-tools ====
Version update (11.3.0 -> 11.3.5)
Subpackages: libvmtools0 open-vm-tools-desktop

- Update to 11.3.5 (build 18557794) (boo#1190987)
  + New/Updated features:
    - Added a configurable logging capability to the network script.
      The network script has been updated to: use vmware-toolbox-cmd to
      query any network logging configuration from the tools.conf file.
      Use vmtoolsd --cmd "log ..." to log a message to the vmx logfile
      when the logging handler is configured to "vmx" or when the
      logfile is full or is not writeable.
    - The hgfsmounter (mount.vmhgfs) command has been removed from
      open-vm-tools. The hgfsmounter (mount.vmhgfs) command is no longer
      used in Linux open-vm-tools. It has been replaced by hgfs-fuse.
      Therefore, removing all references to the hgfsmounter in Linux
      builds.
  + Resolved issues:
    - Customization: Retry the Linux reboot if telinit is a soft link to systemctl.
    - Open-vm-tools commands would hang if configured with "--enable-valgrind".
  + Spec file updates for:
    - rpmlint errors
    - arg_xmlsec1 --enable-xmlsec1 for better xmlsec1/libxml2 handling.

==== pam-config ====
Version update (1.4 -> 1.5)

- Update to Version 1.5
  - Don't print an error message if one of the systemd PAM modules does
    not exist if creating the *-pc files [bsc#1191528]
  - Drop pam_systemd_home again [bsc#1191528]

==== pangomm1_4 ====

- turn off doc build, it does not work with new doxygen

==== perl-Image-ExifTool ====
Subpackages: exiftool

- require File::RandomAccess otherwise exiftool(1) won't start

==== postfix ====
Subpackages: postfix-doc

- config.postfix not updated after lmdb switch (bsc#1190945)
  Adapt config.postfix

==== postgresql ====
Version update (13 -> 14)
Subpackages: postgresql-contrib postgresql-docs postgresql-llvmjit postgresql-server

- Bump version and default to 14.

==== postgresql14 ====
Version update (13.4 -> 14.0)

- Let genlists skip non-existing binaries to avoid lots of version conditionals in the file lists.
- Remove postgresql-testsuite-int8.sql.patch, because its purpose is unclear. This affects only the test subpackage.
- Upgrade to 14.0
  https://www.postgresql.org/about/news/postgresql-14-released-2318/
  https://www.postgresql.org/docs/14/release-14.html
- Let genlists skip non-existing binaries to avoid lots of version conditionals in the file lists.
- Upgrade to 14~rc1
  https://www.postgresql.org/about/news/postgresql-14-rc-1-released-2309/
  https://www.postgresql.org/docs/14/release-14.html
  https://wiki.postgresql.org/wiki/PostgreSQL_14_Open_Items
- Upgrade to 14~beta2
  https://www.postgresql.org/about/news/postgresql-14-beta-2-released-2249/
  https://www.postgresql.org/docs/14/release-14.html
  https://wiki.postgresql.org/wiki/PostgreSQL_14_Open_Items
- Upgrade to 14~beta1
  https://www.postgresql.org/about/news/postgresql-14-beta-1-released-2213/
  https://www.postgresql.org/docs/14/release-14.html
  https://wiki.postgresql.org/wiki/PostgreSQL_14_Open_Items
- disable postgresql-testsuite-int8.sql.patch: it seems it is not needed anymore, needs to be double checked.
- bsc#1185952: llvm12 breaks PostgreSQL 11 and 12 on s390x. Use llvm11 as a workaround.
- Upgrade to version 13.3:
  * https://www.postgresql.org/docs/13/release-13-3.html
  * CVE-2021-32027, bsc#1185924: Prevent integer overflows in array subscripting calculations.
  * CVE-2021-32028, bsc#1185925: Fix mishandling of "junk" columns in INSERT ... ON CONFLICT ... UPDATE target lists.
  * CVE-2021-32029, bsc#1185926: Fix possibly-incorrect computation of UPDATE ... RETURNING "pg_psql_temporary_savepoint" does not exist?.
- Don't use %_stop_on_removal, because it was meant to be private and
  got removed from openSUSE. %_restart_on_update is also private, but
  still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (boo#1183118).
- Remove leftover PreReq on chkconfig, we stopped using it a long time ago.
- boo#1179945: Disable icu for PostgreSQL 10 (and older) on TW.
- Upgrade to version 13.2:
  * https://www.postgresql.org/docs/13/release-13-2.html
  * Updating stored views and reindexing might be needed after applying this update.
  * CVE-2021-3393, bsc#1182040: Fix information leakage in constraint-violation error messages.
  * CVE-2021-20229, bsc#1182039: Fix failure to check per-column SELECT privileges in some join queries.
  * Obsoletes postgresql-icu68.patch.
- Add postgresql-icu68.patch: fix build with ICU 68
- bsc#1178961: %ghost the symlinks to pg_config and ecpg.
- boo#1179765: BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package.
- Upgrade to version 13.1:
  * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and
    firing of deferred triggers within index expressions and
    materialized view queries.
  * CVE-2020-25694, bsc#1178667:
    a) Fix usage of complex connection-string parameters in pg_dump,
       pg_restore, clusterdb, reindexdb, and vacuumdb.
    b) When psql's \connect command re-uses connection parameters,
       ensure that all non-overridden parameters from a previous
       connection string are re-used.
  * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables.
  * Fix recently-added timetz test case so it works when the USA is not
    observing daylight savings time. (obsoletes postgresql-timetz.patch)
  * https://www.postgresql.org/about/news/2111/
  * https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite: postgresql-timetz.patch
  https://postgr.es/m/16689-57701daa23b377bf@postgresql.org
- Initial packaging of PostgreSQL 13:
  * https://www.postgresql.org/about/news/2077/
  * https://www.postgresql.org/docs/13/release-13.html

==== rubygem-ffi ====
Version update (1.15.3 -> 1.15.4)
Subpackages: ruby2.7-rubygem-ffi ruby3.0-rubygem-ffi

- updated to version 1.15.4
  Fixed:
  * Fix build for uClibc. #913
  * Correct module lookup when including `ffi-module` gem. #912
  Changed:
  * Use ruby code of the ffi gem in JRuby-9.2.20+. #915

==== rubygem-nokogiri ====
Version update (1.12.3 -> 1.12.5)
Subpackages: ruby2.7-rubygem-nokogiri ruby3.0-rubygem-nokogiri

- updated to version 1.12.5

  ## 1.12.5 / 2021-09-27

  ### Security

  [JRuby] Address CVE-2021-41098 ([GHSA-2rr5-8q37-2w7h](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h)).
  In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers
  resolve external entities (XXE) by default. This fix turns off
  entity-resolution-by-default in the JRuby SAX parsers to match the
  CRuby SAX parsers' behavior. CRuby users are not affected by this CVE.

  ### Fixed

  * [CRuby] `Document#to_xhtml` properly serializes self-closing tags in
    libxml > 2.9.10. A behavior change introduced in libxml 2.9.11
    resulted in emitting start and end tags (e.g., `<br></br>`) instead
    of a self-closing tag (e.g., `<br/>`) in previous Nokogiri versions.
    [[#2324](https://github.com/sparklemotion/nokogiri/issues/2324)]

  ## 1.12.4 / 2021-08-29

  ### Notable fix: Namespace inheritance

  Namespace behavior when reparenting nodes has historically been poorly
  specified and the behavior diverged between CRuby and JRuby. As a
  result, making this behavior consistent in v1.12.0 introduced a
  breaking change. This patch release reverts the Builder behavior
  present in v1.12.0..v1.12.3 but keeps the Document behavior. This
  release also introduces a Document attribute to allow affected users
  to easily change this behavior for their legacy code without invasive
  changes.

  #### Compensating Feature in XML::Document

  This release of Nokogiri introduces a new `Document` boolean
  attribute, `namespace_inheritance`, which controls whether children
  should inherit a namespace when they are reparented.
  `Nokogiri::XML::Document` defaults this attribute to `false` meaning
  "do not inherit," thereby making explicit the behavior change
  introduced in v1.12.0. CRuby users who desire the pre-v1.12.0 behavior
  may set `document.namespace_inheritance = true` before reparenting
  nodes. See
  https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method
  for example usage.

  #### Fix for XML::Builder

  However, recognizing that we want `Builder`-created children to
  inherit namespaces, Builder now will set `namespace_inheritance=true`
  on the underlying document for both JRuby and CRuby. This means that,
  on CRuby, the pre-v1.12.0 behavior is restored. Users who want to turn
  this behavior off may pass a keyword argument to the Builder
  constructor like so:

  ``` ruby
  Nokogiri::XML::Builder.new(namespace_inheritance: false)
  ```

  See
  https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html#label-Namespace+inheritance
  for example usage.
  #### Downstream gem maintainers

  Note that any downstream gems may want to specifically omit Nokogiri
  v1.12.0--v1.12.3 from their dependency specification if they rely on
  child namespace inheritance:

  ``` ruby
  Gem::Specification.new do |gem|
    # ...
    gem.add_runtime_dependency 'nokogiri', '!=1.12.3', '!=1.12.2', '!=1.12.1', '!=1.12.0'
    # ...
  end
  ```

  ### Fixed

  * [JRuby] Fix NPE in Schema parsing when an imported resource doesn't
    have a `systemId`.
    [[#2296](https://github.com/sparklemotion/nokogiri/issues/2296)]
    (Thanks, [@pepijnve](https://github.com/pepijnve)!)

==== rubygem-parallel ====
Version update (1.20.1 -> 1.21.0)

- updated to version 1.21.0
  * no changelog found

==== rubygem-unf_ext ====
Version update (0.0.7.7 -> 0.0.8)

- updated to version 0.0.8
  * No functional change in the library code.
  * Include Windows binaries for Ruby 3.0.
  * Drop support for Ruby 2.1 and earlier.
  * Replace Travis CI with GitHub Actions.
  * Fix cross-build after upgrading rake-compiler/rake-compiler-dock to 1.1.1/1.1.0.

==== rubygem-yast-rake ====
Version update (0.2.41 -> 0.2.42)

- Fixed running the GitHub Actions locally ("rake actions:run"), allow
  setting additional Docker options in the YAML config or via
  DOCKER_OPTIONS environment variable (bsc#1191400)
- 0.2.42

==== sscep ====
Version update (0.9.1 -> 0.10.0)

- Update to version 0.10.0
  * Added auto-selection of default protection algorithms (-E, -S and -F) based on getcaps, unless specified explicitly.
  * Added parameter -W sec to wait for network connectivity (default 0).
  * Engines are now disabled by default and need to be enabled by ./configure --enable-engines or cmake . -DENABLE_ENGINES=ON
  * Compatible with OpenSSL 3.0.0
  * Removed support for OpenSSL < 1.1.0

==== xdg-desktop-portal ====
Version update (1.10.0 -> 1.10.1)
Subpackages: xdg-desktop-portal-lang

- Update to version 1.10.1:
  + Revert a breaking change to the screencast and inhibit portal.
==== xfsprogs ====
Subpackages: libhandle1 xfsprogs-scrub

- move fsck.xfs, mkfs.xfs and xfs_repair from /sbin to /usr/sbin (bsc#1191105)
  The default rpmbuild %configure macro passes --sbindir=/usr/sbin to
  every configure script, but the xfsprogs configure script ignores it
  when --exec-prefix is also set. Unset --exec-prefix since it is not
  really required (all other paths are explicitly passed via the rpm
  configure macro), so that the --sbindir is respected.

==== yast2-installation ====
Version update (4.4.19 -> 4.4.20)

- Fix file copying when using relurl:// and file:// naming schemes (bsc#1191160).
- 4.4.20

==== yast2-python-bindings ====
Version update (4.4.1 -> 4.4.2)

- Fix yast2-python-bindings requires Python (bsc#1190890).
- 4.4.2