Packages changed:
  MicroOS-release (20240930 -> 20241001)
  coreutils
  coreutils-systemd
  cups (2.4.10 -> 2.4.11)
  gnutls
  libgtop (2.41.3 -> 2.41.3+4)
  libjpeg-turbo
  librsvg (2.58.4 -> 2.59.1)
  ncurses (6.5.20240922 -> 6.5.20240928)
  selinux-policy (20240925 -> 20240930)
  sof-firmware (2024.06 -> 2024.09)
  suse-module-tools (16.0.51 -> 16.0.52)
  xen (4.19.0_02 -> 4.19.0_04)

=== Details ===

==== MicroOS-release ====
Version update (20240930 -> 20241001)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== coreutils ====

- coreutils-i18n.patch: fold(1): fix fold -b with UTF8 locale.
  Sync fix in I18N patch from Fedora/Redhat and add a test. (RHEL-60295)
  Original report: https://access.redhat.com/solutions/3459791

==== coreutils-systemd ====

- coreutils-i18n.patch: fold(1): fix fold -b with UTF8 locale.
  Sync fix in I18N patch from Fedora/Redhat and add a test. (RHEL-60295)
  Original report: https://access.redhat.com/solutions/3459791

==== cups ====
Version update (2.4.10 -> 2.4.11)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.11:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.11 brings several bug fixes regarding IPP response validation,
  processing PPD values, Web UI support (checkbox support, modifying
  printers) and other fixes.
  Detailed list (from CHANGES.md):
  * Updated the maximum file descriptor limit for `cupsd` to 64k-1 (Issue #989)
  * Fixed `lpoptions -d` with a discovered but not added printer (Issue #833)
  * Fixed incorrect error message for HTTP/IPP errors (Issue #893)
  * Fixed JobPrivateAccess and SubscriptionPrivateAccess support for "all" (Issue #990)
  * Fixed issues with cupsGetDestMediaByXxx (Issue #993)
  * Fixed adding and modifying of printers via the web interface (Issue #998)
  * Fixed HTTP PeerCred authentication for domain users (Issue #1001)
  * Fixed checkbox support (Issue #1008)
  * Fixed printer state notifications (Issue #1013)
  * Fixed IPP Everywhere printer setup (Issue #1033)
  Issues are those at https://github.com/OpenPrinting/cups/issues
  In particular CUPS 2.4.11 contains these commits regarding IPP response
  validation and processing PPD values:
  * "Quote PPD localized strings"
    https://github.com/OpenPrinting/cups/commit/1e6ca5913eceee906038bc04cc7ccfbe2923bdfd
    plus a cleanup to "Fix warnings for unused vars"
    https://github.com/OpenPrinting/cups/commit/2abe1ba8a66864aa82cd9836b37e57103b8e1a3b
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.11
- avoid_C99_mode_for_loop_initial_declarations.patch is no longer needed
  because the issue is fixed upstream.

==== gnutls ====

- Build with liboqs to support the X25519Kyber768 post-quantum key
  exchange algorithm.

==== libgtop ====
Version update (2.41.3 -> 2.41.3+4)

- Update to version 2.41.3+4:
  + Reproducible Builds: Do not embed build-server kernel version on
    Linux (boo#1230850).
  + Updated translations.

==== libjpeg-turbo ====

- update to 3.0.4:
  * Fixed an issue whereby the CPU usage of the default marker processor
    in the decompressor grew exponentially with the number of markers.
    This caused an unreasonable slow-down in `jpeg_read_header()` if an
    application called `jpeg_save_markers()` to save markers of a
    particular type and then attempted to decompress a JPEG image
    containing an excessive number of markers of that type.
  * Hardened the default marker processor in the decompressor to guard
    against an issue (exposed by 3.0 beta2[6]) whereby attempting to
    decompress a specially-crafted malformed JPEG image (specifically an
    image with a complete 12-bit-per-sample Start Of Frame segment
    followed by an incomplete 8-bit-per-sample Start Of Frame segment)
    using buffered-image mode and input prefetching caused a segfault if
    the `fill_input_buffer()` method in the calling application's custom
    source manager incorrectly returned `FALSE` in response to a
    prematurely-terminated JPEG data stream.
  * Fixed an issue in cjpeg whereby, when generating a 12-bit-per-sample
    or 16-bit-per-sample lossless JPEG image, specifying a point
    transform value greater than 7 resulted in an error ("Invalid
    progressive/lossless parameters") unless the `-precision` option was
    specified before the `-lossless` option.
  * Fixed a regression introduced by 3.0.3[3] that made it impossible for
    calling applications to generate 12-bit-per-sample arithmetic-coded
    lossy JPEG images using the TurboJPEG API.
  * Fixed an error ("Destination buffer is not large enough") that
    occurred when attempting to generate a full-color lossless JPEG image
    using the TurboJPEG Java API's `byte[] TJCompressor.compress()` method
    if the value of `TJ.PARAM_SUBSAMP` was not `TJ.SAMP_444`.
  * Fixed a segfault in djpeg that occurred if a negative width was
    specified with the `-crop` option. Since the cropping region width
    was read into an unsigned 32-bit integer, a negative width was
    interpreted as a very large value. With certain negative width and
    positive left boundary values, the bounds checks in djpeg and
    `jpeg_crop_scanline()` overflowed and did not detect the
    out-of-bounds width, which caused a buffer overrun in the upsampling
    or color conversion routine. Both bounds checks now use 64-bit
    integers to guard against overflow, and djpeg now checks for negative
    numbers when it parses the crop specification from the command line.
  * Fixed an issue whereby the TurboJPEG lossless transformation function
    and methods checked the specified cropping region against the source
    image dimensions and level of chrominance subsampling rather than the
    destination image dimensions and level of chrominance subsampling,
    which caused some cropping regions to be unduly rejected when
    performing 90-degree rotation, 270-degree rotation, transposition,
    transverse transposition, or grayscale conversion.
  * Fixed an issue whereby the TurboJPEG lossless transformation function
    and methods did not honor `TJXOPT_COPYNONE`/`TJTransform.OPT_COPYNONE`
    unless it was specified for all lossless transforms.

==== librsvg ====
Version update (2.58.4 -> 2.59.1)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0

- Update to version 2.59.1:
  + Two mitigations for crashes found through fuzz testing:
    - Cairo is easy to crash by giving it path coordinates that are
      outside of the range that it can represent internally with its
      fixed-point arithmetic. Fuzzers usually produce SVGs with very
      large numbers for coordinates, which overflow Cairo's arithmetic.
      This is just a *mitigation*, not a complete fix: librsvg will now
      check if path coordinates are outside of Cairo's supported range,
      and it will not render shapes with problematic coordinates.
      However, fuzzers may still produce coordinates that are in range
      but that still make Cairo crash. I am starting to learn Cairo's
      code to see if this can be fixed gradually.
- Update to version 2.59.0:
  + The biggest change in this release is that librsvg now uses the
    Meson build system instead of autotools.
  + With Meson, librsvg now builds a lot more reliably on Windows and
    MacOS.
  + Librsvg now uses Meson instead of Autotools
  + There is a -Davif meson option to include support for AVIF in the
    image-rs crate, which librsvg uses to load raster images.
  + Librsvg now explicitly builds only its supported raster formats for
    image-rs: JPEG, PNG, GIF, WEBP, and optional compile-time support
    for AVIF. Other raster image formats are not supported, to minimize
    the attack surface.
  + Librsvg now supports cancellable rendering; you can start rendering
    an RsvgHandle in one thread, and stop it from another thread with a
    GCancellable. In the C API, you can use the
    rsvg_handle_set_cancellable_for_rendering() function; in the Rust
    API, CairoRenderer now has a with_cancellable() method.
  + For Rust users, there is now a 'librsvg-rebind' crate that binds the
    C API for use from Rust. Internally this links to the system's
    librsvg shared library, in contrast with the 'librsvg' crate, which
    is statically linked and which has a native Rust API. The
    'librsvg-rebind' crate is for cases where the additional code size
    from static linking is not desired. This librsvg-rebind crate is
    available from crates.io.
  + A bunch of fixes to bugs found through fuzz testing.
- Use ldconfig_scriptlets macro for some of the post(un) handling.
- Update to version 2.58.94:
  + The minimum supported Rust version (MSRV) is 1.77.2.
  + Fix assertion failures with large Hue value in hsl() or hwb() colors.
  + Limit the baseFrequency for feTurbulence to avoid integer overflow.
  + Only make exported symbols visible in the library's binary.
  + Fix the -Davif=enabled feature; it was not being handled correctly
    at compilation time.
  + Ensure compatibility with Binutils < 2.39.
  + Build fixes for Windows.
- Update to version 2.58.92:
  + Librsvg is now part of Google's oss-fuzz and is fuzz-tested
    automatically - see
    https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/oss_fuzz.html
    for details.
  + This release has two bug fixes from fuzz testing, and a new API call:
    - Don't leak XML entities when the XML document fails to parse.
    - Fix stack overflow in reference cycle.
    - Librsvg now supports cancellable rendering; you can start
      rendering an RsvgHandle in one thread, and stop it from another
      thread with a GCancellable. In the C API, you can use the
      rsvg_handle_set_cancellable_for_rendering() function; in the Rust
      API, CairoRenderer now has a with_cancellable() method.
  + Many build fixes for Windows, MacOS, iOS, and cross-compilation
  + Continued refactoring for a render tree.
  + Many fixes to the documentation.
- Update to version 2.58.91:
  + Librsvg now requires cairo version 1.18.0 or later.
  + Librsvg now explicitly builds only its supported raster formats for
    image-rs: JPEG, PNG, GIF, WEBP, and optional compile-time support
    for AVIF. Other raster image formats are not supported, to minimize
    the attack surface.
  + Don't generate gdk-pixbuf loaders cache if DESTDIR is set.
  + Documentation updates for meson.
  + Document the fact that the default DPI in the C API for RsvgHandle
    is 90 DPI, unlike rsvg-convert and the Rust API, which use 96 DPI.
  + Document the security considerations for the image-rs crate and the
    raster image formats that librsvg supports.
  + Fix and fine-tune compilation on Windows (MSVC and msys2), MacOS,
    and Android.
  + Fix installation when only compiling the static library.
  + Update Pango for CI and fix a test file. The test suite now includes
    the DejaVu Sans font, which supports extra glyphs/languages for the
    test suite.
- Changes from version 2.58.90:
  + librsvg has been ported to the Meson build system. Librsvg no longer
    uses autotools!
  + Changes in this release:
    - Librsvg now uses Meson instead of Autotools.
    - There is a -Davif meson option to include support for AVIF in the
      image-rs crate, which librsvg uses to load raster images.
    - Start revamping the fuzzing infrastructure.
- Add cargo-c and pkgconfig(dav1d) BuildRequires: new dependencies.

==== ncurses ====
Version update (6.5.20240922 -> 6.5.20240928)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Add ncurses patch 20240928
  + improve error-message from infocmp when a terminal entry cannot be
    opened (patch by Branden Robinson).
  + improve filtering of -L options in misc/gen-pkgconfig.in and in
    misc/ncurses-config.in
  + add check in wresize() for out-of-range dimensions (report by Peter
    Bierma).

==== selinux-policy ====
Version update (20240925 -> 20240930)
Subpackages: selinux-policy-targeted

- Update to version 20240930:
  * Label yast binaries correctly

==== sof-firmware ====
Version update (2024.06 -> 2024.09)

- update to v2024.09:
  * Add sof-v2.11 binaries
  * v2.2.x: Update v2.2.11 topology files for Intel platforms
  * Add sof-v2.11.1 binaries for Intel TGL/ADL/RPL hardware

==== suse-module-tools ====
Version update (16.0.51 -> 16.0.52)
Subpackages: suse-module-tools-scriptlets

- Update to version 16.0.52:
  * rpm-script: create vmlinuz and initrd also in image build
    environments (bsc#1231040, bsc#1230858)
  * regenerate-initrd-posttrans: Fix SKIP_REGENERATE_INITRD_ALL
    (bsc#1228929)

==== xen ====
Version update (4.19.0_02 -> 4.19.0_04)

- bsc#1230366 - VUL-0: CVE-2024-45817: xen: x86: Deadlock in
  vlapic_error() (XSA-462)
  66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch
  Drop xsa462.patch
- Upstream bug fixes (bsc#1027519)
  66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch
  66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch
  66d8690f-SUPPORT-split-XSM-from-Flask.patch
  66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch
  66e44ae2-x86-ucode-AMD-buffer-underrun.patch
  66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch
- bsc#1230366 - VUL-0: CVE-2024-45817: xen: x86: Deadlock in
  vlapic_error() (XSA-462)
  xsa462.patch
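The libjpeg-turbo 3.0.4 entry above describes a bounds check defeated by two things at once: a negative crop width parsed into an unsigned 32-bit value, and a `left + width <= image_width` comparison done in 32 bits, where the sum wraps back below the image width. The following C is an added illustration of that failure mode and of the two mitigations the entry names (64-bit arithmetic in the check, rejection of negative input at parse time). It is not libjpeg-turbo's code; the function names, the `dim_t` type and the sample values are constructed here to model the description.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Image dimensions as unsigned 32-bit, modelling a JDIMENSION-style type. */
typedef uint32_t dim_t;

/* Legacy-style parse (constructed): a negative string is converted to a
 * signed long and then stored in an unsigned 32-bit type, so "-1" becomes
 * 4294967295. This is the mistake the changelog entry describes. */
dim_t legacy_parse_width(const char *s)
{
    return (dim_t)strtol(s, NULL, 10);
}

/* Hardened parse (constructed): reject negatives before conversion, reject
 * trailing junk, zero, and anything that does not fit in 32 bits.
 * Returns the width, or -1 if the input is rejected. */
int64_t parse_crop_width(const char *s)
{
    char *end;
    if (s == NULL || *s == '-')
        return -1;                       /* negative widths are never valid */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v == 0 || v > UINT32_MAX)
        return -1;
    return (int64_t)v;
}

/* Weak bounds check: the addition is performed in 32 bits and can wrap,
 * so a huge width plus a small positive left offset may compare as in range. */
bool crop_in_bounds_32(dim_t img_w, dim_t left, dim_t width)
{
    return width > 0 && left + width <= img_w;
}

/* Hardened bounds check: widen both operands to 64 bits first, so the sum
 * cannot wrap and an out-of-range width is always detected. */
bool crop_in_bounds_64(dim_t img_w, dim_t left, dim_t width)
{
    return width > 0 && (uint64_t)left + (uint64_t)width <= (uint64_t)img_w;
}

int main(void)
{
    const dim_t img_w = 1000;           /* constructed image width */
    dim_t bad = legacy_parse_width("-1");   /* 4294967295 after the cast */

    printf("legacy parse of \"-1\"      -> %u\n", bad);
    printf("32-bit check (left=10)     -> %s\n",
           crop_in_bounds_32(img_w, 10, bad) ? "accepted (wrapped)" : "rejected");
    printf("64-bit check (left=10)     -> %s\n",
           crop_in_bounds_64(img_w, 10, bad) ? "accepted" : "rejected");
    printf("hardened parse of \"-1\"    -> %lld\n", (long long)parse_crop_width("-1"));
    printf("hardened parse of \"100\"   -> %lld\n", (long long)parse_crop_width("100"));
    return 0;
}
```

With left = 10 and the wrapped width 4294967295, the 32-bit sum is 9, which passes the weak check against a 1000-pixel image; the 64-bit check computes 4294967305 and rejects it. Rejecting the negative string up front means the check is never reached with such a value in the first place, which is the layered approach the entry describes.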