Packages changed:
  apache2-mod_php8 (8.1.15 -> 8.1.16)
  bind (9.18.11 -> 9.18.12)
  gnome-desktop (43.1 -> 43.2)
  gstreamer-plugins-bad
  inkscape (1.2.1 -> 1.2.2)
  jhead
  ovmf
  perl-Mail-DKIM (1.20220520 -> 1.20230212)
  php8 (8.1.15 -> 8.1.16)
  poppler (23.01.0 -> 23.02.0)
  poppler-qt5 (23.01.0 -> 23.02.0)
  postfix
  samba (4.17.4+git.314.7b07e3c51a6 -> 4.17.5+git.320.c38ca0f84a)
  sudo (1.9.12p2 -> 1.9.13)
  tigervnc (1.12.0 -> 1.13.0)
  tpm2-0-tss (3.2.0 -> 4.0.1)
  webkit2gtk3 (2.38.4 -> 2.38.5)
  webkit2gtk3-soup2 (2.38.4 -> 2.38.5)
  yast2-packager (4.5.14 -> 4.5.15)

=== Details ===

==== apache2-mod_php8 ====
Version update (8.1.15 -> 8.1.16)

- version update to 8.1.16
  * This is a security release that addresses CVE-2023-0567,
    CVE-2023-0568, and CVE-2023-0662.
  * https://www.php.net/ChangeLog-8.php#8.1.16

==== bind ====
Version update (9.18.11 -> 9.18.12)
Subpackages: bind-doc bind-utils

- Update to release 9.18.12
  Removed Features:
  * Specifying a port when configuring source addresses (i.e., as
    an argument to query-source, query-source-v6, transfer-source,
    transfer-source-v6, notify-source, notify-source-v6,
    parental-source, or parental-source-v6, or in the source or
    source-v6 arguments to primaries, parental-agents, also-notify,
    or catalog-zones) has been deprecated. In addition, the
    use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and
    avoid-v6-udp-ports options have also been deprecated.
    Warnings are now logged when any of these options are
    encountered in named.conf. In a future release, they will be
    made nonfunctional.
  Bug Fixes:
  * A constant stream of zone additions and deletions via rndc
    reconfig could cause increased memory consumption due to
    delayed cleaning of view memory. This has been fixed.
  * The speed of the message digest algorithms (MD5, SHA-1, SHA-2),
    and of NSEC3 hashing, has been improved.
  * Pointing parental-agents to a resolver did not work because the
    RD bit was not set on DS requests. This has been fixed.
  * Building BIND 9 failed when the --enable-dnsrps switch for
    ./configure was used. This has been fixed.
- Updated keyring and signature

==== gnome-desktop ====
Version update (43.1 -> 43.2)
Subpackages: gnome-desktop-lang libgnome-desktop-3-20 libgnome-desktop-3_0-common libgnome-desktop-4-2 typelib-1_0-GnomeDesktop-3_0 typelib-1_0-GnomeDesktop-4_0

- Update to version 43.2:
  + Fix idle monitor watch leak.
  + Updated translations.

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Remove sys/decklink since that contains a non-standard license
  and disable the decklink plugin

==== inkscape ====
Version update (1.2.1 -> 1.2.2)
Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang

- Update to version 1.2.2:
  + 4 crash fixes, over 25 bug fixes, 5 fixes for extension bugs
    and 13 improved user interface translations
  + 2f3101417.patch merged upstream
  + See the full release notes for Inkscape 1.2.2 at
    https://media.inkscape.org/media/doc/release_notes/1.2.2/Inkscape_1.2.2.html

==== jhead ====

- Remove hunk that enables -fsanitize=address (bsc#1208386), note it's
  already removed in the upstream project:
  https://github.com/Matthias-Wandel/jhead/commit/34f61c3f1408e6b00f6f65dd3d7832f4f8e9318b

==== ovmf ====
Subpackages: qemu-ovmf-x86_64

- Add ovmf-Revert-OvmfPkg-OvmfXen-Set-PcdFSBClock.patch to revert
  71cdb91f313380152d7bf38cfeebe76f5b2d39ac patch (bsc#1205613)
  - 71cdb91f313380152d7bf38cfeebe76f5b2d39ac OvmfPkg/OvmfXen: Set PcdFSBClock
  - We are waiting for a better upstream patch; revert the problematic patch first.
    PcdFSBClock will then go back to being a fixed variable.
  - Reference: https://edk2.groups.io/g/devel/topic/94891128#96077
    https://bugzilla.tianocore.org/show_bug.cgi?id=4340

==== perl-Mail-DKIM ====
Version update (1.20220520 -> 1.20230212)

- updated to 1.20230212
  see /usr/share/doc/packages/perl-Mail-DKIM/Changes
  1.20230212 2023-02-12 UTC
    + Fix typo in ARC signer example code.
    Thanks to @dev-aaront-org

==== php8 ====
Version update (8.1.15 -> 8.1.16)
Subpackages: php8-cli php8-ctype php8-dom php8-gd php8-gettext php8-iconv php8-mbstring php8-mysql php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.1.16
  * This is a security release that addresses CVE-2023-0567,
    CVE-2023-0568, and CVE-2023-0662.
  * https://www.php.net/ChangeLog-8.php#8.1.16

==== poppler ====
Version update (23.01.0 -> 23.02.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 libpoppler126 poppler-tools

- Update to version 23.02.0:
  + core:
  * CairoOutputDev:
    . Fix rendering of color type 3 fonts
    . Add handling matte entry
  * Fix segfault on wrong nssdir
  * Fix "NSS could not shutdown"
  + utils: pdfsig: Point out that it supports PKCS#11 URIs as nickname

==== poppler-qt5 ====
Version update (23.01.0 -> 23.02.0)

- Update to version 23.02.0:
  + core:
  * CairoOutputDev:
    . Fix rendering of color type 3 fonts
    . Add handling matte entry
  * Fix segfault on wrong nssdir
  * Fix "NSS could not shutdown"
  + utils: pdfsig: Point out that it supports PKCS#11 URIs as nickname

==== postfix ====

- SELinux: postfix denied to access /var/spool/postfix/pid/master.pid
  (bsc#1207177) Apply proposed changes in postfix.service
- remove patch included into the source:
    harden_postfix.service.patch

==== samba ====
Version update (4.17.4+git.314.7b07e3c51a6 -> 4.17.5+git.320.c38ca0f84a)
Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-ad-dc-libs-32bit samba-client samba-client-32bit samba-client-libs samba-client-libs-32bit samba-gpupdate samba-ldb-ldap samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs samba-winbind-libs-32bit

- Update to 4.17.5
  * smbc_getxattr() return value is incorrect; (bso#14808);
  * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
    correctly; (bso#15172);
  * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
  * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC
    when there is only an AAAA record for the DC in DNS; (bso#15226);
  * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
  * DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
  * vfs_virusfilter segfault on access, directory edgecase
    (accessing NULL value); (bso#15283);
  * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based
    SChannel on NETLOGON (additional changes); (bso#15240);
  * %U for include directive doesn't work for share listing
    (netshareenum); (bso#15243);
  * Shares missing from netshareenum response in samba 4.17.4;
    (bso#15266);
  * ctdb: use-after-free in run_proc; (bso#15269);
  * irpc_destructor may crash during shutdown; (bso#15280);
  * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
  * smbclient segfaults with use after free on an optimized build;
    (bso#15268);
  * smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
  * Leak in wbcCtxPingDc2; (bso#15164);
  * Access based share enum does not work in Samba 4.16+; (bso#15265);
  * Crash during share enumeration; (bso#15267);
  * rep_listxattr on FreeBSD does not properly check for reads off
    end of returned buffer; (bso#15271);
  * Avoid relying on C89 features in a few places; (bso#15281);
- named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
- Drop libnsl build requirement; (bsc#1208220);

==== sudo ====
Version update (1.9.12p2 -> 1.9.13)
Subpackages: sudo-plugin-python

- Update to 1.9.13:
  * Changes in 1.9.13:
    Fixed a bug running relative commands via sudo when log_subcmds
    is enabled. GitHub issue #194.
    Fixed a signal handling bug when running sudo commands in a shell
    script. Signals were not being forwarded to the command when the
    sudo process was not run in its own process group.
    Fixed a bug in the cvtsudoers LDIF parsing when the file ends without
    a newline and a backslash is the last character of the file.
    Fixed a potential use-after-free bug with cvtsudoers filtering.
    GitHub issue #198.
    Added a reminder to the default lecture that the password will not
    echo. This line is only displayed when the pwfeedback option is
    disabled. GitHub issue #195.
    Fixed potential memory leaks in error paths. GitHub issue #199.
    GitHub issue #202.
    Fixed potential NULL dereferences on memory allocation failure.
    GitHub issue #204. GitHub issue #211.
    Sudo now uses C23-style attributes in function prototypes instead
    of gcc-style attributes if supported.
    Added a new list pseudo-command in sudoers to allow a user to list
    another user’s privileges. Previously, only root or a user with
    the ability to run any command as either root or the target user
    on the current host could use the -U option. This also includes a
    fix to the log entry when a user lacks permission to run
    sudo -U otheruser -l command. Previously, the logs would indicate
    that the user tried to run the actual command; now the log entry
    includes the list operation.
    JSON logging now escapes control characters if they happen to
    appear in the command or environment.
    New Albanian translation from translationproject.org.
    Regular expressions in sudoers or logsrvd.conf may no longer contain
    consecutive repetition operators. This is implementation-specific
    behavior according to POSIX, but some implementations will allocate
    excessive amounts of memory. This mainly affects the fuzzers.
    Sudo now builds AIX-style shared libraries and dynamic shared
    objects by default instead of svr4-style. This means that the
    default sudo plugins are now .a (archive) files that contain a .so
    shared object file instead of bare .so files. This was done to
    improve compatibility with the AIX Freeware ecosystem, specifically,
    the AIX Freeware build of OpenSSL. Sudo will still load
    svr4-style .so plugins and if a .so file is requested, either via
    sudo.conf or the sudoers file, and only the .a file is present,
    sudo will convert the path from plugin.so to plugin.a(plugin.so)
    when loading it. This ensures compatibility with existing
    configurations. To restore the old, pre-1.9.13 behavior, run
    configure using the --with-aix-soname=svr4 option.
    Sudo no longer checks the ownership and mode of the plugins that
    it loads. Plugins are configured via either the sudo.conf or
    sudoers file which are trusted configuration files. These checks
    suffered from time-of-check vs. time-of-use race conditions and
    complicate loading plugins that are not simple paths. Ownership
    and mode checks are still performed when loading the sudo.conf
    and sudoers files, which do not suffer from race conditions.
    The sudo.conf developer_mode setting is no longer used.
    Control characters in sudo log messages and sudoreplay -l output
    are now escaped in octal format. Space characters in the command
    path are also escaped. Command line arguments that contain spaces
    are surrounded by single quotes and any literal single quote or
    backslash characters are escaped with a backslash. This makes it
    possible to distinguish multiple command line arguments from a
    single argument that contains spaces.
    Improved support for DragonFly BSD which uses a different
    struct procinfo than either FreeBSD or 4.4BSD.
    Fixed a compilation error on Linux arm systems running older
    kernels that may not define EM_ARM in linux/elf-em.h.
    GitHub issue #232.
    Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined.
    Sudo will now link using -Wl,--no-undefined by default if possible.
    GitHub issue #234.
    Fixed a bug executing a command with a very long argument vector
    when log_subcmds or intercept is enabled on a system where
    intercept_type is set to trace. GitHub issue #194.
    When sudo is configured to run a command in a pseudo-terminal but
    the standard input is not connected to a terminal, the command
    will now be run as a background process. This works around a problem
    running sudo commands in the background from a shell script where
    changing the terminal to raw mode could interfere with the interactive
    shell that ran the script. GitHub issue #237.
    A missing include file in sudoers is no longer a fatal error unless
    the error_recovery plugin argument has been set to false.

==== tigervnc ====
Version update (1.12.0 -> 1.13.0)
Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module

- A little cleanup of specfile
- Update to tigervnc 1.13.0
  * The servers and native viewer now support RealVNC's RSA-AES authentication methods and encryption
  * The native viewer is now translated to Romanian and Georgian
  * The native viewer now (optionally) supports PiKVM's H.264 encoding
  * The display settings for the native viewer have been overhauled to make them easier to understand
  * The native viewer now supports adding exceptions for expired certificates
  * Resolved an issue where full-screen mode didn't work in the native viewer on macOS 13
  * Lock key synchronization has been re-enabled in the native viewer after being accidentally disabled in 1.11.0
  * Xvnc/libvnc.so can now be built with Xorg 1.21
  * x0vncserver is a bit better at handling differing server and client keyboard layouts
  * x0vncserver now correctly handles zaphod mode
- Removed patches (no longer needed):
  * tigervnc-newfbsize.patch (https://github.com/TigerVNC/tigervnc/pull/13)
  * n_utilize-system-crypto-policies.patch (https://github.com/TigerVNC/tigervnc/pull/1262)
  * xserver211.patch & u_tigervnc-211.patch (https://github.com/TigerVNC/tigervnc/pull/1383)
- Refreshed patches:
  * n_tigervnc-date-time.patch
  * n_vncserver.patch
  * u_change-button-layout-in-ServerDialog.patch

==== tpm2-0-tss ====
Version update (3.2.0 -> 4.0.1)
Subpackages: libtss2-esys0 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tctildr0

- Drop 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch as it was
  already merged upstream
- Update to 4.0.1
  + Fixed:
  * A buffer overflow in tss2-rc as CVE-2023-22745.
- Update to 4.0.0
  + Fixed:
  * tcti-ldr: Use heap instead of stack when tcti initialize
  * Fix usage of NULL pointer if Esys_TR_SetAuth is called with
    ESYS_TR_NONE.
  * Conditionally check user/group manipulation commands.
  * Store VERSION into the release tarball.
  * When using DESTDIR for make install, do not invoke
    systemd-sysusers and systemd-tmpfiles.
  * esys_iutil: fix possible NPD.
  * Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea
    handle and not as parameter one, this affected the contents of
    cpHash.
  * esys: fix allow usage of HMAC sessions for
    Esys_TR_FromTPMPublic.
  * fapi: fix usage of policy_nv with a TPM nv index.
  * linking tcti for libtpms against tss2-tctildr. It should be
    linked against tss2-mu.
  * build: Remove erroneous trailing comma in linker option. Bug
    [#2391].
  * fapi: fix encoding of complex tpm2bs in authorize nv,
    duplication select and policy template policies. Now the complex
    and TPMT or TPMS representations can be used. Bug #2383
  * The error message for unsupported FAPI curves was in hex without
    a leading 0x, make it integer output to clarify.
  * Documentation that had various scalar out pointers as "callee
    allocated".
  * test: build with opaque FILE structure like in musl libc.
  * Transient endorsement keys were not recreated according to the
    EK credential profile.
  * Evict control for a persistent EK failed during provisioning if
    an auth value for the storage hierarchy was set.
  * The authorization of the storage hierarchy is now added. Fixes
    FAPI: Provisioning error if an auth value is needed for the
    storage hierarchy #2438.
  * Usage of a second profile in a path was not possible because the
    default profile was always used.
  * The setting of an empty auth value for Fapi_Provision was fixed.
  * JSON encoding of a structure TPMS_POLICYAUTHORIZATION used the
    field keyPEMhashAlg instead of hashAlg as defined in "TCG TSS
    2.0 JSON Data Types and Policy Language Specification". Rename
    to hashAlg but preserve support for reading keyPEMhashAlg for
    backwards compatibility.
  * fapi: PolicySecret did not work with keys as secret object.
  * Esys_PCR_SetAuthValue: remembers the auth like other SetAuth
    ESAPI functions.
  * tests: esys-pcr-auth-value.int moved to destructive tests.
  * FAPI: Fix double free if keystore is corrupted.
  * Marshaling of TPMU_CAPABILITIES data, only field
    intelPttProperty was broken before.
  * Spec deviation in Fapi_GetDescription caused description to be
    NULL when it should be empty string. This is API breaking but
    considered a bug since it deviated from the FAPI spec.
  * FAPI: undefined reference to curl_url_strerror when using curl
    less than 7.80.0.
  * FAPI: Fixed support for EK templates in NV indices per the
    spec, see #2518 for details.
  * FAPI: fix NPD in ifapi_curl logging.
  * FAPI: Improve documentation fapi-profile
  * FAPI: Fix CURL HTTP handling.
  * FAPI: Return FAPI_RC_IO_ERROR if a policy does not exist in
    keystore.
  + Added:
  * TPM version 1.59 support.
  * ci: ubuntu-22.04 added.
  * mbedTLS 3.0 is supported by ESAPI.
  * Add CreationHash to JSON output for usage between applications
    not using the FAPI keystore, like command line tools.
  * Reduced code size for SAPI.
  * Support for Runtime Switchable ESAPI Crypto Backend via
    Esys_SetCryptoCallbacks.
  * Testing for TCG EK Credential Profile TPM 2.0, Version 2.4
    Rev. 3, 2021 for the low and high address range of EK templates.
  * tss2-rc: Tss2_RC_DecodeInfo function for parsing TSS2_RC into
    the various bit fields.
  * FAPI support for P_ECC384 profile.
  * tss2-rc: Tss2_RC_DecodeInfoError: Function to get a human
    readable error from a TSS2_RC_INFO returned by
    Tss2_RC_DecodeInfo
  * tcti: Generic SPI driver, implementors only need to connect to
    acquire/release, transmit/receive, and sleep/timeout functions.
  * FAPI: Add event logging for Firmware and IMA Events. See #2170
    for details.
  * FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being
    reflected across profiles.
  * FAPI: Allow keyedhash keys in PolicySigned.
  * ESAPI: Support sha512 for mbedtls crypto backend.
  * TPM2B_MAX_CAP_BUFFER and mu routines
  * vendor field to TPMU_CAPABILITIES
  * FAPI: support for PolicyTemplate
  + Changed:
  * libmu soname from 0:0:0 to 0:1:0.
  * tss2-sys soname from 1:0:0 to 1:1:0
  * tss2-esys: from 0:0:0 to 0:1:0
    ... changelog too long, skipping 6 lines ...
  * Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Unmarshal

==== webkit2gtk3 ====
Version update (2.38.4 -> 2.38.5)
Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update to version 2.38.5 (boo#1208328):
  + Fix large memory allocation when uploading content.
  + Fix scrolling after a history navigation with PSON enabled.
  + Always update the active uri of WebKitFrame.
  + Fix the build on Ubuntu 20.04.
  + Fix several crashes and rendering issues.
  + Security fixes: CVE-2023-23529.

==== webkit2gtk3-soup2 ====
Version update (2.38.4 -> 2.38.5)
Subpackages: WebKit2GTK-4.0-lang libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles

- Update to version 2.38.5 (boo#1208328):
  + Fix large memory allocation when uploading content.
  + Fix scrolling after a history navigation with PSON enabled.
  + Always update the active uri of WebKitFrame.
  + Fix the build on Ubuntu 20.04.
  + Fix several crashes and rendering issues.
  + Security fixes: CVE-2023-23529.

==== yast2-packager ====
Version update (4.5.14 -> 4.5.15)

- Ruby 3.2: Change a test to treat dir:///foo equal to dir:/foo
  (bsc#1207239)
- 4.5.15