Packages changed:
  bind (9.18.16 -> 9.18.17)
  elfutils-debuginfod
  hwinfo (23.1 -> 23.2)
  kernel-source (6.4.3 -> 6.4.4)
  libva (2.18.0 -> 2.19.0)
  libva-gl (2.18.0 -> 2.19.0)
  nghttp2 (1.54.0 -> 1.55.1)
  openssh (9.3p1 -> 9.3p2)
  openssh-askpass-gnome (9.3p1 -> 9.3p2)
  openssl-3
  python-jsonschema-specifications (2023.6.1 -> 2023.7.1)
  python-rich
  qalculate (4.6.1 -> 4.7.0)
  sof-firmware (2.2.5 -> 2.2.6)
  systemd (253.5 -> 253.7)
  sysuser-tools
  tar
  update-alternatives (1.21.8 -> 1.21.22)
  webkit2gtk3 (2.40.3 -> 2.40.4)
  webkit2gtk4 (2.40.3 -> 2.40.4)

=== Details ===

==== bind ====
Version update (9.18.16 -> 9.18.17)

- Update to release 9.18.17
  Feature Changes:
  * If a response from an authoritative server has its RCODE set to
    FORMERR and contains an echoed EDNS COOKIE option that was
    present in the query, named now retries sending the query to
    the same server without an EDNS COOKIE option.
  * The relaxed QNAME minimization mode now uses NS records. This
    reduces the number of queries named makes when resolving, as it
    allows the non-existence of NS RRsets at non-referral nodes to
    be cached in addition to the normally cached referrals.
  Bug Fixes:
  * The ability to read HMAC-MD5 key files, which was accidentally
    lost in BIND 9.18.8, has been restored.
  * Several minor stability issues with the catalog zone
    implementation have been fixed.

==== elfutils-debuginfod ====
Subpackages: debuginfod-profile libdebuginfod1

- Replace libdebuginfo1 sub-package's debuginfod-profile Recommends
  with config(debuginfod-profile) Requires, but on the debuginfod-\
  client sub-package, instead. And add binutils, bpftrace-tools,
  elfutils, gdb, perf, systemd-coredump, and valgrind Supplements
  to debuginfod-client sub-package. This should make installation
  of debuginfod-client more consistent, along with debuginfod-\
  profile, with software/packages that have debuginfod support.

==== hwinfo ====
Version update (23.1 -> 23.2)
Subpackages: libhd23

- merge gh#openSUSE/hwinfo#128
- Add support for loongarch cpu
- 23.2

==== kernel-source ====
Version update (6.4.3 -> 6.4.4)

- Linux 6.4.4 (bsc#1012628).
- start_kernel: Add __no_stack_protector function attribute
  (bsc#1012628).
- USB: serial: option: add LARA-R6 01B PIDs (bsc#1012628).
- usb: dwc3: gadget: Propagate core init errors to UDC during
  pullup (bsc#1012628).
- phy: tegra: xusb: Clear the driver reference in usb-phy dev
  (bsc#1012628).
- extcon: usbc-tusb320: Unregister typec port on driver removal
  (bsc#1012628).
- dt-bindings: iio: ad7192: Add mandatory reference voltage source
  (bsc#1012628).
- iio: addac: ad74413: don't set DIN_SINK for functions other
  than digital input (bsc#1012628).
- iio: adc: ad7192: Fix null ad7192_state pointer access
  (bsc#1012628).
- iio: adc: ad7192: Fix internal/external clock selection
  (bsc#1012628).
- iio: accel: fxls8962af: errata bug only applicable for
  FXLS8962AF (bsc#1012628).
- iio: accel: fxls8962af: fixup buffer scan element type
  (bsc#1012628).
- Revert "drm/amd/display: edp do not add non-edid timings"
  (bsc#1012628).
- fs: pipe: reveal missing function protoypes (bsc#1012628).
- s390/kasan: fix insecure W+X mapping warning (bsc#1012628).
- blk-mq: don't queue plugged passthrough requests into scheduler
  (bsc#1012628).
- block: Fix the type of the second bdev_op_is_zoned_write()
  argument (bsc#1012628).
- block/rq_qos: protect rq_qos apis with a new lock (bsc#1012628).
- splice: Fix filemap_splice_read() to use the correct inode
  (bsc#1012628).
- erofs: kill hooked chains to avoid loops on deduplicated
  compressed images (bsc#1012628).
- x86/resctrl: Only show tasks' pid in current pid namespace
  (bsc#1012628).
- fsverity: use shash API instead of ahash API (bsc#1012628).
- fsverity: don't use bio_first_page_all() in
  fsverity_verify_bio() (bsc#1012628).
- blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
  (bsc#1012628).
- x86/sev: Fix calculation of end address based on number of pages
  (bsc#1012628).
- blk-cgroup: Reinit blkg_iostat_set after clearing in
  blkcg_reset_stats() (bsc#1012628).
- virt: sevguest: Add CONFIG_CRYPTO dependency (bsc#1012628).
- blk-mq: fix potential io hang by wrong 'wake_batch'
  (bsc#1012628).
- lockd: drop inappropriate svc_get() from locked_get()
  (bsc#1012628).
- nvme-core: fix memory leak in dhchap_secret_store (bsc#1012628).
- nvme-core: fix memory leak in dhchap_ctrl_secret (bsc#1012628).
- nvme-core: add missing fault-injection cleanup (bsc#1012628).
- nvme-core: fix dev_pm_qos memleak (bsc#1012628).
- md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
  (bsc#1012628).
- md/raid10: fix overflow of md/safe_mode_delay (bsc#1012628).
- md/raid10: fix wrong setting of max_corr_read_errors
  (bsc#1012628).
- md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
  (bsc#1012628).
- md/raid10: fix io loss while replacement replace rdev
  (bsc#1012628).
- md/raid1-10: factor out a helper to add bio to plug
  (bsc#1012628).
- md/raid1-10: factor out a helper to submit normal write
  (bsc#1012628).
- md/raid1-10: submit write io directly if bitmap is not enabled
  (bsc#1012628).
- block: fix blktrace debugfs entries leakage (bsc#1012628).
- irqchip/loongson-eiointc: Fix irq affinity setting during resume
  (bsc#1012628).
- splice: don't call file_accessed in copy_splice_read
  (bsc#1012628).
- irqchip/stm32-exti: Fix warning on initialized field overwritten
  (bsc#1012628).
- irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
  (bsc#1012628).
- svcrdma: Prevent page release when nothing was received
  (bsc#1012628).
- erofs: fix compact 4B support for 16k block size (bsc#1012628).
- posix-timers: Prevent RT livelock in itimer_delete()
  (bsc#1012628).
- tick/rcu: Fix bogus ratelimit condition (bsc#1012628).
- tracing/timer: Add missing hrtimer modes to
  decode_hrtimer_mode() (bsc#1012628).
- btrfs: always read the entire extent_buffer (bsc#1012628).
- btrfs: don't use btrfs_bio_ctrl for extent buffer reading
  (bsc#1012628).
- btrfs: return bool from lock_extent_buffer_for_io (bsc#1012628).
- btrfs: submit a writeback bio per extent_buffer (bsc#1012628).
- btrfs: fix range_end calculation in extent_write_locked_range
  (bsc#1012628).
- btrfs: don't fail writeback when allocating the compression
  context fails (bsc#1012628).
- btrfs: only call __extent_writepage_io from
  extent_write_locked_range (bsc#1012628).
- btrfs: don't treat zoned writeback as being from an async
    ... changelog too long, skipping 1321 lines ...
- commit f6ca0bc

==== libva ====
Version update (2.18.0 -> 2.19.0)
Subpackages: libva-drm2 libva-x11-2 libva2

- Update to 2.19.0:
  * add: Add mono_chrome to VAEncSequenceParameterBufferAV1
  * add: Enable support for license acquisition of multiple protected
    playbacks
  * fix: use secure_getenv instead of getenv
  * trace: Improve and add VA trace log for AV1 encode
  * trace: Unify va log message, replace va_TracePrint with va_TraceMsg.

==== libva-gl ====
Version update (2.18.0 -> 2.19.0)

- Update to 2.19.0:
  * add: Add mono_chrome to VAEncSequenceParameterBufferAV1
  * add: Enable support for license acquisition of multiple protected
    playbacks
  * fix: use secure_getenv instead of getenv
  * trace: Improve and add VA trace log for AV1 encode
  * trace: Unify va log message, replace va_TracePrint with va_TraceMsg.

==== nghttp2 ====
Version update (1.54.0 -> 1.55.1)

- update to 1.55.1:
  * Fix memory leak
    This commit fixes memory leak that happens when
    PUSH_PROMISE or HEADERS frame cannot be sent, and
    nghttp2_on_stream_close_callback fails with a fatal error.
    For example, if GOAWAY frame has been received, a
    HEADERS frame that opens new stream cannot be sent.
    This issue has already been made public via CVE-2023-35945
    by envoyproxy/envoy project.  During embargo period, the
    patch to fix this bug was accidentally submitted to
    nghttp2/nghttp2 repository [2]. And they decided to
    disclose CVE early.  I was notified just 1.5 hours
    before disclosure.  I had no time to respond.
    PoC described in [1] is quite simple, but I think it is
    not enough to trigger this bug.  While it is true that
    receiving GOAWAY prevents a client from opening new stream,
    and nghttp2 enters error handling branch, in order to cause
    the memory leak, nghttp2_session_close_stream function
    must return a fatal error.
    NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
    memory.  It is unlikely that a process gets short of
    memory with this simple PoC scenario unless application
    does something memory heavy processing.
  * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
    defined callback function (nghttp2_on_stream_close_callback, in
    this case), which indicates something fatal happened inside a
    callback, and a connection must be closed immediately without
    any further action.  As nghttp2_on_stream_close_error_callback
    documentation says, any error code other than 0 or
    NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
    error code.  More specifically, it is treated as if
    NGHTTP2_ERR_CALLBACK_FAILURE is returned.  I guess that
    envoy returns
    NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is
    translated into NGHTTP2_ERR_CALLBACK_FAILURE.
    https://github.com/envoyproxy/envoy/security/advisories/GHSA-
    jfxv-29pc-x22r

==== openssh ====
Version update (9.3p1 -> 9.3p2)
Subpackages: openssh-clients openssh-common openssh-server

- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libaries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:
  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team.
  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  - -------------------------------
  * ssh-agent(8): the agent will now refuse requests to load PKCS#11
    modules issued by remote clients by default. A flag has been added
    to restore the previous behaviour "-Oallow-remote-pkcs11".
    Note that ssh-agent(8) depends on the SSH client to identify
    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
    this, but forwarding access to an agent socket using other tools
    may circumvent this restriction.

==== openssh-askpass-gnome ====
Version update (9.3p1 -> 9.3p2)

- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for
    details

==== openssl-3 ====
Subpackages: libopenssl3

- Security fix: [bsc#1213487, CVE-2023-3446]
  * Fix DH_check() excessive time with over sized modulus.
  * The function DH_check() performs various checks on DH parameters.
    One of those checks confirms that the modulus ("p" parameter) is
    not too large. Trying to use a very large modulus is slow and
    OpenSSL will not normally use a modulus which is over 10,000 bits
    in length.
    However the DH_check() function checks numerous aspects of the
    key or parameters that have been supplied. Some of those checks
    use the supplied modulus value even if it has already been found
    to be too large.
    A new limit has been added to DH_check of 32,768 bits. Supplying
    a key/parameters with a modulus over this size will simply cause
    DH_check() to fail.
  * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
- Security fix: [bsc#1213383, CVE-2023-2975]
  * AES-SIV implementation ignores empty associated data entries
  * Add openssl-CVE-2023-2975.patch

==== python-jsonschema-specifications ====
Version update (2023.6.1 -> 2023.7.1)

- update to 2023.7.1:
  no changelog, only diff available at
  https://github.com/python-jsonschema/jsonschema-specifications/compare/v2023.06.1...v2023.07.1

==== python-rich ====

- %{?sle15_python_module_pythons} mut be at beginning to work.

==== qalculate ====
Version update (4.6.1 -> 4.7.0)
Subpackages: libqalculate22 qalculate-data

- version update to 4.7.0
  * Support for custom default angle unit, e.g. turn, arcsec, arcmin
  * Append default angle unit (instead of always radians) when converting
    value without unit to angle unit
  * More consistent addition and removal of angle unit from function arguments
  * Always interpret ./, .*, and .^ as entrywise operators if user intention is unclear
  * Change order of operations to place entrywise and ordinary operators on
    the same precedence level
  * Add function, kron(), for Kronecker product, and constants for Pauli matrices
  * Add radius to planets dataset and update other properties
  * Support replacement of unknown variables within variable values
  * Fix besselj(0, 0)
  * Fix incomplete calculation in tan() with try exact approximation
  * Fix 0/0=0 equality (do not return true) and output of 2/0 (and similar)
  * Fixes and improvements for newtonsolve() and secantsolve()
  * Fix segfault when MathStructure is deleted after Calculator, and in destructor
    of calculated DynamicVariable (called from Calculator destructor)
  * Do not save mode on exit if "-defaults" command line switch where used (CLI)
  * Allow multiple actions for keyboard shortcuts (GTK, Qt)
  * Add toggle precision, and min, max, or min and max decimals to available
    shortcut and button actions (GTK, Qt)
  * Add option to exclude units for unformatted ASCII copy (GTK, Qt)
  * Add optional value to copy result action, allowing expression copy and
    formatting selection (GTK, Qt)
  * Fix copy unformatted ASCII when local digit group separator is same as selected
    decimal separator (GTK, Qt)
  * Add option to automatically copy result (Qt)
  * Always set (primary) selection clipboard contents when whole expression is
    selected or selection is cleared, e.g. after calculation (Qt)
  * Improve support dark mode and high contrast modes, and change default style
    to Fusion, on Windows (Qt)
  * Minor bug fixes and feature enhancements

==== sof-firmware ====
Version update (2.2.5 -> 2.2.6)

- Update to version 2.2.6:
  There's no FW binary change. This release adds a few new topology binaries
  for Intel Tiger Lake (TGL), Alder Lake (ADL) and Raptor Lake (RPL) platforms
- Add Notice.NXP

==== systemd ====
Version update (253.5 -> 253.7)
Subpackages: libsystemd0 libudev1 systemd-boot systemd-coredump systemd-doc systemd-lang udev

- Import commit 2dac0aff9ced1eca0cd11c24e264b33095ee5a5e (merge of v253.7)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/6458c066547eaadf0e9709e441ea36ad03faa860...2dac0aff9ced1eca0cd11c24e264b33095ee5a5e
- Import commit 6458c066547eaadf0e9709e441ea36ad03faa860 (merge of v253.6)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/07bb12a282b0ea378850934c4a76008b448b8bad...6458c066547eaadf0e9709e441ea36ad03faa860
- Drop 5002-Revert-core-service-when-resetting-PID-also-reset-kn.patch, it's
  been backported to v253.6.
- Move a bunch of files from systemd to udev. These are pretty useless without
  block devices.

==== sysuser-tools ====

- Add "quilt setup" friendly hint to %sysusers_requires usage
  It is not required to have sysuser-tools installed when working
  with a pkg source which uses sysuser-tools at build time.

==== tar ====
Subpackages: tar-lang tar-rmt

- Update tests-skip-time01-on-32bit-time_t.patch to not run test
  on armv6 either

==== update-alternatives ====
Version update (1.21.8 -> 1.21.22)

- openssl.patch: use openssl library for MD5 calculation instead
  of relying on libmd. libmd is not in Ring0
- require Perl 5.28.1 or later

==== webkit2gtk3 ====
Version update (2.40.3 -> 2.40.4)
Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update to version 2.40.4:
  + Fix a bug in JavaScript reading variable arguments in a call.

==== webkit2gtk4 ====
Version update (2.40.3 -> 2.40.4)
Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk6_0-1 libwebkitgtk6_0-4 webkitgtk-6_0-injected-bundles

- Update to version 2.40.4:
  + Fix a bug in JavaScript reading variable arguments in a call.