Packages changed: dbus-1 (1.12.16 -> 1.12.20) dbus-1-x11 (1.12.16 -> 1.12.20) exiv2 (0.27.2 -> 0.27.3) fetchmail fuse (2.9.8 -> 2.9.9) irqbalance (1.6.0+git20200317.0348a3b -> 1.7.0) less (562 -> 563) libbytesize (1.4 -> 2.4) libical (3.0.7 -> 3.0.8) libidn (1.35 -> 1.36) liblangtag (0.6.2 -> 0.6.3) liblrdf (0.5.0 -> 0.6.1) libqxp (0.0.1 -> 0.0.2) libraw1394 (2.1.1 -> 2.1.2) libreoffice (7.0.0.3 -> 7.0.1.1) libressl (3.1.3 -> 3.1.4) libsmbios (2.4.2 -> 2.4.3) libvpx (1.8.2 -> 1.9.0) libwpd (0.10.2 -> 0.10.3) libwpg (0.3.2 -> 0.3.3) libyaml (0.2.4 -> 0.2.5) nvme-cli (1.10.1+git9.872e6b0 -> 1.12) openldap2 osinfo-db (20200529 -> 20200804) privoxy rsync (3.2.2 -> 3.2.3) sqlite3 (3.32.3 -> 3.33.0) xerces-c (3.2.2 -> 3.2.3) === Details === ==== dbus-1 ==== Version update (1.12.16 -> 1.12.20) Subpackages: libdbus-1-3 libdbus-1-3-32bit - Update to 1.12.20 * On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie) - From 1.12.18 * CVE-2020-12049: If a message contains more file descriptors than can be sent, close those that did get through before reporting error. Previously, a local attacker could cause the system dbus-daemon (or another system service with its own DBusServer) to run out of file descriptors, by repeatedly connecting to the server and sending fds that would get leaked. Thanks to Kevin Backhouse of GitHub Security Lab. (dbus#294, GHSL-2020-057; Simon McVittie) * Fix a crash when the dbus-daemon is terminated while one or more monitors are active (dbus#291, dbus!140; Simon McVittie) * The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 (fd.o #48816, dbus!115; Chris Morin) * Fix a wrong environment variable name in dbus-daemon(1) (dbus#275, dbus!122; Mubin, Philip Withnall) * Fix formatting of dbus_message_append_args example (dbus!126, Felipe Franciosi) * Avoid a test failure on Linux when built in a container as uid 0, but without the necessary privileges to increase resource limits (dbus!58, Debian #908092; Simon McVittie) * When building with CMake, cope with libX11 in a non-standard location (dbus!129, Tuomo Rinne) - Run spec-cleaner - Move generation of API docs to a separate package, avoid doxygen dependency for building main package. - Build x11 and devel-doc (API doc) using _multibuild. - Drop no longer required call to autoreconf, remove obsolete BuildRequires for libtool and autoconf-archive. ==== dbus-1-x11 ==== Version update (1.12.16 -> 1.12.20) - Update to 1.12.20 * On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie) - From 1.12.18 * CVE-2020-12049: If a message contains more file descriptors than can be sent, close those that did get through before reporting error. Previously, a local attacker could cause the system dbus-daemon (or another system service with its own DBusServer) to run out of file descriptors, by repeatedly connecting to the server and sending fds that would get leaked. Thanks to Kevin Backhouse of GitHub Security Lab. (dbus#294, GHSL-2020-057; Simon McVittie) * Fix a crash when the dbus-daemon is terminated while one or more monitors are active (dbus#291, dbus!140; Simon McVittie) * The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 (fd.o #48816, dbus!115; Chris Morin) * Fix a wrong environment variable name in dbus-daemon(1) (dbus#275, dbus!122; Mubin, Philip Withnall) * Fix formatting of dbus_message_append_args example (dbus!126, Felipe Franciosi) * Avoid a test failure on Linux when built in a container as uid 0, but without the necessary privileges to increase resource limits (dbus!58, Debian #908092; Simon McVittie) * When building with CMake, cope with libX11 in a non-standard location (dbus!129, Tuomo Rinne) - Run spec-cleaner - Move generation of API docs to a separate package, avoid doxygen dependency for building main package. - Build x11 and devel-doc (API doc) using _multibuild. - Drop no longer required call to autoreconf, remove obsolete BuildRequires for libtool and autoconf-archive. - Remove left overs from blocking restart on update from May 29th 2019 - Use sysusers.d to create messagebus user ==== exiv2 ==== Version update (0.27.2 -> 0.27.3) - Update to 0.27.3: * Bug and security fixes * UNIX suppport * Support for building with C++11 and C++14 * Revised build and test environments * Revised documentation * Improved charset handling in UserComment * Other improvements ==== fetchmail ==== Subpackages: fetchmailconf - Fix invalid usage of libexecdir where %_tmpfilesdir was meant to be used. ==== fuse ==== Version update (2.9.8 -> 2.9.9) Subpackages: libfuse2 - update to 2.9.9: * Added OpenAFS to whitelist (so users can now mount FUSE filesystems on mountpoints within OpenAFS filesystems). * Added a test of seekdir to test_syscalls. * Fixed readdir bug when non-zero offsets are given to filler and the filesystem client, after reading a whole directory, re-reads it from a non-zero offset e. g. by calling seekdir followed by readdir. ==== irqbalance ==== Version update (1.6.0+git20200317.0348a3b -> 1.7.0) Subpackages: irqbalance-ui - update to 1.7.0: * Strlen checking for IRQBALANCE_BANNED_CPU env var * Typo cleanup in SOCKET_TMPFS * consolidation of numa node creation on non-numa systems * fix uninitialized use of package_mask in affinity setup * use num_online_cpus instead of core_count * fix a null ptr crash in do_one_cpu * make list searching common from glib * fix a calloc parameter bug * remove some unused variables * use g_list_free_full * remove redundant call to free_cl_opts * fix some resource leaks in main() * fix some use after free issues in check_for_irq_ban * fix resource leaks in irqballance-ui, and in add_one_node - remove Correct-capitalizing-in-service-file.patch: upstream ==== less ==== Version update (562 -> 563) - update to 563: * Update Unicode tables. * Treat Hangul Jamo medial vowels and final consonants as zero width. * Display error message immediately when -o is toggled and input is not a pipe. * Fix regression: make screen repaint when "squished" and a no-movement command is given. * Fix erroneous EOF calculation when F command is interrupted. * Make WIN32C version include this fix from 551: Don't count lines in initial screen if using -X with -F. * Fix display bug in WIN32C version. * Fix memory corruption when built with libtermcap. * Support libtinfow. ==== libbytesize ==== Version update (1.4 -> 2.4) Subpackages: libbytesize-lang libbytesize1 - update to 2.4: * remove msgcat dependency * Translated using Weblate (Bengali (India)) * Add Travis build status badge * Update translation files * add translation platform widget * Translated using Weblate (Turkish) * Fix memory leak in bs_size_new_from_str * Update translation files * src/gettext: fix warning if gettext is already present * fix build on shells where test == fails * Require the same version of python3-bytesize in libbytesize-tools * New minor release of the libbytesize library. There are only two bugfixes in this release. * Full list of changes * fix out of tree build failure * Fix return value for round_to_nearest when using Size * New bytesize calculator bssize has been added. * Code has been ported from PCRE to PCRE2. * Python 2 support has been removed. * Run all libbytesize tests from one script * Add all "public" python API symbols to __init__.py * Allow running tests using installed library * Remove Python 2 support * Port to pcre2 * Add support for floor division by a non-integer number in Python * Add a simple bytesize calculator tool * Add tools to autotools and packaging * Exit with 1 from configure if there were failures * Add a summary to the end of ./configure output * Only support modulo between two Size instances * Fix parsing of exponential representations of real numbers * Add the '--version' option to bs_calc.py * Add a man page for the bscalc tool * Assume the given expression is in bytes if no unit is given ==== libical ==== Version update (3.0.7 -> 3.0.8) - Update to version 3.0.8: * Fix for icalattach_new_from_data() and the 'free_fn' argument. * Fix if recurrencetype contains both COUNT and UNTIL (only output UNTIL in the RRULE). - Replace gcc-c++ with generic c++_compiler BuildRequires. - Use cmake_build macro, forcing single thread building is no longer needed. This breaks support for SLE12SP4, but that one is superseeded by SP5 anyway. ==== libidn ==== Version update (1.35 -> 1.36) - update to 1.36: * * Fix unlikely memory leak in idna_to_unicode_4z4z(). * * Check codepoint validity in punycode_decode() and punycode_decode(). * * tld: Add U+00EF to .nl TLD table. * * Indent code. * * Translation fixes. * * Update gnulib files. * * API and ABI is backwards compatible with the previous version. - remove disable-rwlock-test.patch (builds fine again) ==== liblangtag ==== Version update (0.6.2 -> 0.6.3) - update to 0.6.3: Fix possible null argument for %s directive Add ax_check_enable_debug.m4 to satisfy requirement enable round tripping ca@valencia locale string back to ca@valencia again coverity: fix memory leaks on failure coverity: fix more memory leaks ==== liblrdf ==== Version update (0.5.0 -> 0.6.1) - update to 0.6.1: - resolve license and build issues ==== libqxp ==== Version update (0.0.1 -> 0.0.2) - update to 0.0.2 - Improve handling of groups that span over facing pages. - Fix a couple of issues found by oss-fuzz. ==== libraw1394 ==== Version update (2.1.1 -> 2.1.2) - update to 2.1.2 - Fix build with some alternative C libraries and with some older build environments. No functional changes. ==== libreoffice ==== Version update (7.0.0.3 -> 7.0.1.1) Subpackages: libreoffice-base libreoffice-base-drivers-firebird libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit - Update to 7.0.1.1: * RC1 of 7.0.1 release ==== libressl ==== Version update (3.1.3 -> 3.1.4) Subpackages: libcrypto46 libssl48 libtls20 - Update to release 3.1.4 * TLS 1.3 client improvements: * Improve client certificate selection to allow EC certificates instead of only RSA certificates. * Do not error out if a TLSv1.3 server requests an OCSP response as part of a certificate request. * Fix SSL_shutdown behavior to match the legacy stack. The previous behaviour could cause a hang. * Fix a memory leak and add a missing error check in the handling of the key update message. * Fix a memory leak in tls13_record_layer_set_traffic_key. * Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes. * Ensure that only PSS may be used with RSA in TLSv1.3 in order to avoid using PKCS1-based signatures. * Add the P-521 curve to the list of curves supported by default in the client. ==== libsmbios ==== Version update (2.4.2 -> 2.4.3) Subpackages: libsmbios-lang libsmbios_c2 python3-smbios python3-smbios-utils - update to 2.4.3 * Fixes for WMI based communications * Fixes for battery controls * Fixes for some segfaults and error handling ==== libvpx ==== Version update (1.8.2 -> 1.9.0) - Update to 1.9.0 This release adds support for NV12, a separate library for rate control, as well as incremental improvements. - Upgrading: NV12 support is added to this release. A new interface is added for VP9 rate control. The new library libvp9rc.a must be linked by applications. Googletest is updated to v1.10.0. simple_encode.cc is compiled into a new library libsimple_encode.a with CONFIG_RATE_CTRL. - Enhancement: Various changes to improve VP9 SVC, rate control, quality and speed to real time encoding. - Bug fixes: Fix key frame update refresh simulcast flexible svc. Fix to disable_16x16part speed feature for real time encoding. Fix some signed integer overflows for VP9 rate control. Fix initialization of delta_q_uv. Fix condition in regulate_q for cyclic refresh. Various fixes to dynamic resizing for VP9 SVC. ==== libwpd ==== Version update (0.10.2 -> 0.10.3) - update to 0.10.3: - Drop outdated MSVC project files. - Fix a couple of issues found by oss-fuzz. - Fix some potential memory leaks. - Use a bit less memory when parsing WP5/WP6 documents with images. - Switch from --enable-werror to --disable-werror as configure default. - Fix a potential out-of-bounds data access. (rhbz#1643752) - remove 0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch (upstream) ==== libwpg ==== Version update (0.3.2 -> 0.3.3) - update to 0.3.3: - Drop obsolete MSVC project files. - Use --disable-werror instead of --enable-werror as configure default. - Fix parsing of 24-bit RGB and 32-bit RGBA bitmaps in WPG2 files. (tdf#78105) ==== libyaml ==== Version update (0.2.4 -> 0.2.5) - update to 0.2.5: * Allow question marks in plain scalars in flow collections * Emitter: Don't output trailing space for empty scalar nodes * Emitter: Output space after an alias mapping key * Add -h and --flow (on|off|keep) to run-*-test-suite * Remove unnecessary include and malloc * Add specific files back to .gitignore * Output error position in run-parser-test-suite.c * A couple patches to improve test suite support ==== nvme-cli ==== Version update (1.10.1+git9.872e6b0 -> 1.12) - update to 1.12 * Corrected text output in FW activation history * nvme: allow addr family to recognize loop * Add log page CA parsing * nvme status code updates based nvme spec v1.4 * Provide documentation for log page directory WDC plugin command * Fix status displayed by vs-telemetry-controller-option wdc plugin * fabrics: ignore hostnqn file if its empty ==== openldap2 ==== Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client - Drop obsolete, not working DB_CONFIG - Remove init.d header from start script, does not work - Use bash for start script as syntax is not POSIX sh supported - Remove UPDATE_NEEDED section in start script, does never match - Remove remaining rc.status usage in start script ==== osinfo-db ==== Version update (20200529 -> 20200804) - Update database to version 20200804 - Drop patches included in new tarball add-opensuse-leap-15.2-support.patch add-sle15sp2-support.patch ==== privoxy ==== - Stop trying to mangle _unitdir: this is defined in all supported distros. ==== rsync ==== Version update (3.2.2 -> 3.2.3) - Updated to version 3.2.3 * Fixes a memory usage regression introduced in 3.2.2 * Too many changes to list, see included NEWS.md file. - acls.diff, time-limit.diff and xattrs.diff are now upstream. - Drop rsync-add_back_use_slp_directive.patch, included in upstream slp.diff - Add BR on c++_compiler needed for SIMD support - Add --enable-simd configure option on x86_64 - Change BR on xxhash-devel to pkgconfig(libxxhash) and depend on xxhash >= 0.8.0 since this is needed for XXH3 - Use xxhash only on suse_version >= 1550 since xxhash 0.8.0 is not available elsewhere. ==== sqlite3 ==== Version update (3.32.3 -> 3.33.0) Subpackages: libsqlite3-0 - SQLite 3.33.0: * Support for UPDATE FROM following the PostgreSQL syntax * Increase the maximum size of database files to 281 TB * Extend the PRAGMA integrity_check statement so that it can optionally be limited to verifying just a single table and its indexes, rather than the entire database file. * Add the decimal extension for doing arbitrary-precision decimal arithmetic * Enhancements to the ieee754 extension for working with IEEE 754 binary64 numbers * cli: Add four new output modes: "box", "json", "markdown", and "table" * cli: The "column" output mode automatically expands columns to contain the longest output row and automatically turns ".header" on if it has not been previously set * cli: The "quote" output mode honors ".separator" * cli: The decimal extension and the ieee754 extension are built-in to the CLI * multiple query planner improvements ==== xerces-c ==== Version update (3.2.2 -> 3.2.3) - update to 3.2.3: * Custom HTTP headers missing with CURL NetAccessor * Type Confusion from DTDGrammar to SchemaGrammar * Patch to build with older GCC * fix build without pthread * XMLUTF8Transcoder: One multibyte UTF8 character is swallowed from the srcData when the resulting surrogate pair does not fit in toFill at the end * Postpone freeing the memory being used by CURL * Memory leak in ValueVectorOf * There is an error in the parameters of the ThreadTtest8 script in Apache xerces-c++ XML's tests/script * Incorrect symbolic links created for Linux static library and MacOS static and shared libraries * invalid windows version check for `onXPOrLater` * Handle surrogate pairs when reading a QName instead of ASSERTing * Janitor.hpp fails to compile on Solaris with Solaris Studio 12.2 and 12.4 * undef symbols on HPUX for ArrayJanitor * DOM tests crash on AIX * XMLChar with NEED_TO_GEN_TABLE has 2 buffer out of bounds reads * Including Xerces_autoconf_config.hpp on Windows fails due to undefined ssize_t