Packages changed:
ImageMagick (7.1.1.36 -> 7.1.1.37)
emacs
ffmpeg-4
libaom (3.7.1 -> 3.7.2)
libdrm (2.4.122 -> 2.4.123)
ncurses (6.5.20240817 -> 6.5.20240824)
openSUSE-release (20240828 -> 20240829)
openssh (9.6p1 -> 9.8p1)
openssh-askpass-gnome (9.6p1 -> 9.8p1)
patterns-base
perl-Net-DNS (1.450.0 -> 1.460.0)
python-pip (24.0 -> 24.2)
python-setuptools (70.1.1 -> 72.1.0)
selinux-policy (20240823 -> 20240828)
systemd-presets-common-SUSE
wicked
=== Details ===
==== ImageMagick ====
Version update (7.1.1.36 -> 7.1.1.37)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10
- version update to 7.1.1.37
* Bump azure/trusted-signing-action from 0.3.20 to 0.4.0 #7518
* Silence warning and fix HEIC_COMPUTE_NUMERIC_VERSION definition when heic delegate is disabled. #7516
* protect macro arguments with parens 86cb2b1
* eliminate compiler warnings d90d8b4
* correct copyright year 115271e
* Ignore multiple exif and xmp profiles for the same jxl frame and fix reading those profiles per frame. c301208
* read/write in chunks fff3058
* optimize fwrite() arguments ada6785
* Renamed Output folder to Artifacts. 2a69677
* cancel interactive window selection with right button press ea2a2db
* cosmetic 712bde4
* eliminate compiler warning 9a9a25c
* eliminate compiler warning 0bd1687
* Make images mandatory in the issue template. c01fd37
* Added extra header detection for avif files. 9fc0590
* allow SeekBlob() to set an offset beyond the end of the blob 27c3f99
* be less forgiving for invalid image indexes 25db2e5
* Fixed problem with empty macros (#7562) 9fda5f2
* Added missing null checks for RequestOpenCLDevice. f85448e
* Added missing null check for AcquireOpenCLCommandQueue. 295e9c8
* persist app1 jpeg profile (ImageMagick/ImageMagick#4713) f0357c7
* Fixed build error. b3dd431
* Remove some of the dependencies for the macos-13 build. d0bce95
* parentheses is the plural of parenthesis 1fac80a
* distribute quantization error for -dither FloydSteinberg -depth 5b2825b
* release 8a0da9f
* properly set image byte order 40f6599
* set max colormap size for remap 1ffe565
==== emacs ====
Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags
- flymake-tests fails with gcc14 on 32bit architectures ... therefore
use gcc13 here
==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9
- Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
[boo#1229338]
==== libaom ====
Version update (3.7.1 -> 3.7.2)
- Exclude third_party from obscpio
- Update to version 3.7.2:
* aomedia:3520: get_cubic_kernel_dbl: Assertion `0 <= x && x < 1'
failed.
* aomedia:3526: alloc_compressor_data() is called during every
aom_codec_control() call on the encoder. Note that this partially
reverts the fix for bug aomedia:3349.
* b/310457427 and b/310766628: Only use rec_sse in CBR mode.
==== libdrm ====
Version update (2.4.122 -> 2.4.123)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1
- update to 2.4.123
* amdgpu: add new marketing names
* amdgpu: add new marketing names
* Convert to Android.bp
* libs: Tie DSO minor versions to libdrm version
* readdir_r is deprecated.
* Fix FTBS on undefined clock_gettime() and asprintf()
* Export include dirs with -isystem
* Makes libdrm available on host
* Adds libdrm_headers
* Make libdrm recovery_available
* add crosvm to com.android.virt
* Enable GPU in crosvm
* Android.bp: Add include exports for android dir
* Disable ioctl signed overload for Bionic libc
* build: bump version to 2.4.123
* Delete all Makefile.sources files
* tests: Make modetest and proptest cc_binary in Android.bp
==== ncurses ====
Version update (6.5.20240817 -> 6.5.20240824)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen
- Add ncurses patch 20240824
+ modify infocmp and tabs to use actual name in usage and header.
+ modify test/demo_keyok.c to accept ^Q for quit, for consistency.
- Break dependency cycle between libncurses6 which provides "ncurses"
by only let terminfo-base recommending "ncurses"
==== openSUSE-release ====
Version update (20240828 -> 20240829)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen
==== openssh ====
Version update (9.6p1 -> 9.8p1)
Subpackages: openssh-clients openssh-common openssh-server
- Add patch to fix sshd not logging in the audit failed login
attempts (submitted to upstream in
https://github.com/openssh/openssh-portable/pull/516):
* fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
the user sets the crypto-policy mode to LEGACY, where DSA keys
should be allowed. The option was added by upstream in 9.7 and
set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.
- Fix a dbus connection leaked in the logind patch that was
missing a sd_bus_unref call (found by Matthias Gerstner):
* logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
subsystem configuration option:
* fix-memleak-in-process_server_config_line_depth.patch
- Update to openssh 9.8p1:
= Security
* 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
A critical vulnerability in sshd(8) was present in Portable
OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit
Linux/glibc systems with ASLR. Under lab conditions, the attack
requires on average 6-8 hours of continuous connections up to
the maximum the server will accept. Exploitation on 64-bit
systems is believed to be possible but has not been
demonstrated at this time. It's likely that these attacks will
be improved upon.
Exploitation on non-glibc systems is conceivable but has not
been examined. Systems that lack ASLR or users of downstream
Linux distributions that have modified OpenSSH to disable
per-connection ASLR re-randomisation (yes - this is a thing, no
- we don't understand why) may potentially have an easier path
to exploitation. OpenBSD is not vulnerable.
We thank the Qualys Security Advisory Team for discovering,
reporting and demonstrating exploitability of this problem, and
for providing detailed feedback on additional mitigation
measures.
* 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
CVE-2024-39894).
In OpenSSH version 9.5 through 9.7 (inclusive), when connected
to an OpenSSH server version 9.5 or later, a logic error in the
ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
this feature ineffective - a passive observer could still
detect which network packets contained real keystrokes when the
countermeasure was active because both fake and real keystroke
packets were being sent unconditionally.
This bug was found by Philippos Giavridis and also
independently by Jacky Wei En Kung, Daniel Hugenroth and
Alastair Beresford of the University of Cambridge Computer Lab.
Worse, the unconditional sending of both fake and real
keystroke packets broke another long-standing timing attack
mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
echo packets for traffic received on TTYs in echo-off mode,
such as when entering a password into su(8) or sudo(8). This
bug rendered these fake keystroke echoes ineffective and could
allow a passive observer of a SSH session to once again detect
when echo was off and obtain fairly limited timing information
about keystrokes in this situation (20ms granularity by
default).
This additional implication of the bug was identified by
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
we thank them for their detailed analysis.
This bug does not affect connections when
ObscureKeystrokeTiming was disabled or sessions where no TTY
was requested.
= Future deprecation notice
* OpenSSH plans to remove support for the DSA signature algorithm
in early 2025. This release disables DSA by default at compile
time.
DSA, as specified in the SSHv2 protocol, is inherently weak -
being limited to a 160 bit private key and use of the SHA1
digest. Its estimated security level is only 80 bits symmetric
equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has
retained run-time optional support for them. DSA was the only
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
because alternative algorithms were encumbered by patents when
the SSHv2 protocol was specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining
DSA in OpenSSH to be justified and hope that removing it from
OpenSSH can accelerate its wider deprecation in supporting
cryptography libraries.
This release, and its deactivation of DSA by default at
compile-time, marks the second step in our timeline to finally
deprecate DSA. The final step of removing DSA support entirely
is planned for the first OpenSSH release of 2025.
DSA support may be re-enabled in OpenBSD by setting
"DSAKEY=yes" in Makefile.inc. To enable DSA support in
portable OpenSSH, pass the "--enable-dsa-keys" option to
configure.
= Potentially-incompatible changes
* all: as mentioned above, the DSA signature algorithm is now
disabled at compile time.
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
... changelog too long, skipping 181 lines ...
add "VSOCK VirtIO").
==== openssh-askpass-gnome ====
Version update (9.6p1 -> 9.8p1)
- Update to openssh 9.8p1:
* No changes for askpass, see main package changelog for
details.
==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-transactional_base patterns-base-x11 patterns-base-x11_enhanced
- Move suggests for libz1 from patterns-base-base to
patterns-base-minimal_base: be nicer with CI consumers.
==== perl-Net-DNS ====
Version update (1.450.0 -> 1.460.0)
- updated to 1.460.0 (1.46)
see /usr/share/doc/packages/perl-Net-DNS/Changes
==== python-pip ====
Version update (24.0 -> 24.2)
- update to 24.2:
* Deprecate pip install --editable falling back to setup.py
develop when using a setuptools version that does not support
PEP 660 (setuptools v63 and older).
* Check unsupported packages for the current platform. (#11054)
* Check unsupported packages for the current platform.
* Use system certificates and certifi certificates to verify
HTTPS connections on Python 3.10+. Python 3.9 and earlier
only use certifi. To revert to previous behaviour, pass the
flag --use-deprecated=legacy-certs. (#11647)
* Use system certificates and certifi certificates to verify
HTTPS connections on Python 3.10+. Python 3.9 and earlier
only use certifi.
* To revert to previous behaviour, pass the flag --use-
deprecated=legacy-certs.
* Improve discovery performance of installed packages when the
importlib.metadata backend is used to load distribution
metadata (used by default under Python 3.11+). (#12656)
* Improve discovery performance of installed packages when the
importlib.metadata backend is used to load distribution
metadata (used by default under Python 3.11+).
* Improve performance when the same requirement string appears
many times during resolution, by consistently caching the
parsed requirement string. (#12663)
* Improve performance when the same requirement string appears
many times during resolution, by consistently caching the
parsed requirement string.
* Minor performance improvement of finding applicable package
candidates by not repeatedly calculating their versions
(#12664)
* Minor performance improvement of finding applicable package
candidates by not repeatedly calculating their versions
* Disable pip's self version check when invoking a pip
subprocess to install PEP 517 build requirements. (#12683)
* Disable pip's self version check when invoking a pip
subprocess to install PEP 517 build requirements.
* Improve dependency resolution performance by caching platform
compatibility tags during wheel cache lookup. (#12712)
* Improve dependency resolution performance by caching platform
compatibility tags during wheel cache lookup.
* wheel is no longer explicitly listed as a build dependency of
pip. setuptools injects this dependency in the
get_requires_for_build_wheel() hook and no longer needs it on
newer versions. (#12728)
* wheel is no longer explicitly listed as a build dependency of
pip. setuptools injects this dependency in the
get_requires_for_build_wheel() hook and no longer needs it on
newer versions.
* Ignore --require-virtualenv for pip check and pip freeze
(#12842)
* Ignore --require-virtualenv for pip check and pip freeze
* Improve package download and install performance. Increase
chunk sizes when downloading (256 kB, up from 10 kB) and
reading files (1 MB, up from 8 kB). This reduces the
frequency of updates to pip's progress bar. (#12810)
* Improve package download and install performance.
* Increase chunk sizes when downloading (256 kB, up from 10 kB)
and reading files (1 MB, up from 8 kB). This reduces the
frequency of updates to pip's progress bar.
* Improve pip install performance. Files are now extracted in
1MB blocks, or in one block matching the file size for
smaller files. A decompressor is no longer instantiated when
extracting 0 bytes files, it is not necessary because there
is no data to decompress. (#12803)
* Improve pip install performance.
* Files are now extracted in 1MB blocks, or in one block
matching the file size for smaller files. A decompressor is
no longer instantiated when extracting 0 bytes files, it is
not necessary because there is no data to decompress.
* Set no_color to global rich.Console instance.
* Fix resolution to respect --python-version when checking
Requires-Python.
* Perform hash comparisons in a case-insensitive manner.
* Avoid dlopen failure for glibc detection in musl builds
* Avoid keyring logging crashes when pip is run in verbose
mode.
* Fix finding hardlink targets in tar files with an ignored
top-level directory.
* Improve pip install performance by only creating required
parent directories once, instead of before extracting every
file in the wheel.
* Improve pip install performance by calculating installed
packages printout in linear time instead of quadratic time.
* Remove vendored tenacity.
* Update the preload list for the DEBUNDLED case, to replace
pep517 that has been renamed to pyproject_hooks.
* Use tomllib from the stdlib if available, rather than tomli
* Upgrade certifi to 2024.7.4
* Upgrade platformdirs to 4.2.2
* Upgrade pygments to 2.18.0
* Upgrade setuptools to 70.3.0
* Upgrade typing_extensions to 4.12.2
* Correct —-ignore-conflicts (including an em dash) to
- -ignore-conflicts.
* Fix finding hardlink targets in tar files with an ignored
top-level directory.
- add disable-ssl-context-in-buildenv.patch: treat missing
ca-certificates as "ssl not available" for buildenvs
- update to 24.1.1:
... changelog too long, skipping 51 lines ...
variables.
==== python-setuptools ====
Version update (70.1.1 -> 72.1.0)
- Update to 72.1.0:
* Restore the tests command and deprecate access to the module.
* Added return types to typed public functions.
* Removed lingering unused code around Distribution._patched_dist.
* Reset the backports module when enabling vendored packages.
* Include all vendored files in the sdist.
* Restored package data that went missing in 71.0. This change also
incidentally causes tests to be installed once again.
* Now setuptools declares its own dependencies in the core extra.
Dependencies are still vendored for bootstrapping purposes, but
setuptools will prefer installed dependencies if present. The core
extra is used for informational purposes and should *not* be declared
in package metadata (e.g. build-requires).
* Support for loading distutils from the standard library is now
deprecated, including use of SETUPTOOLS_USE_DISTUTILS=stdlib and
importing distutils before importing setuptools.
* Fix distribution name normalisation for valid versions that are not
canonical (e.g. 1.0-2).
==== selinux-policy ====
Version update (20240823 -> 20240828)
Subpackages: selinux-policy-targeted
- Update to version 20240828:
* Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)
==== systemd-presets-common-SUSE ====
- Enable soft-reboot-cleanup.service to make soft-reboot possible
with container and/or firewalld.
==== wicked ====
Subpackages: wicked-service
- systemd: Fix wicked start failures because of dependency issue.
With the change to dbus-broker, wicked has to trigger dbus service start.
Use BindsTo= in favor of Requisite= (bsc#1229745,gh#openSUSE/wicked#1032,
gh#openSUSE/wicked#1033).
[+ 0002-systemd-use-Bindsto-in-favor-of-Requisite-bsc-1229745.patch]
- compat-suse: fix dummy interfaces configuration with
INTERFACETYPE=dummy (boo#1229555, gh#openSUSE/wicked#1031)
[+ 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch]