Packages changed:
  Mesa (23.3.3 -> 23.3.4)
  Mesa-drivers (23.3.3 -> 23.3.4)
  MozillaFirefox (121.0.1 -> 122.0)
  aardvark-dns (1.9.0 -> 1.10.0)
  btrfsprogs (6.6.2 -> 6.7)
  cockpit
  containerd
  gcc13 (13.2.1+git8205 -> 13.2.1+git8250)
  gpg2 (2.4.3 -> 2.4.4)
  inih (57 -> 58)
  kernel-source
  libmaxminddb (1.8.0 -> 1.9.1)
  libqmi
  libsolv (0.7.27 -> 0.7.28)
  man
  perl-Bootloader (1.10 -> 1.11)
  postfix (3.8.4 -> 3.8.5)
  publicsuffix (20240107 -> 20240123)
  tiff
  transactional-update
  webkit2gtk3
  webkit2gtk4
  yast2-installation (5.0.3 -> 5.0.4)
  zbar

=== Details ===

==== Mesa ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- Update to bugfix release 23.3.4
  --> https://docs.mesa3d.org/relnotes/23.3.4.html

==== Mesa-drivers ====
Version update (23.3.3 -> 23.3.4)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- Update to bugfix release 23.3.4
  --> https://docs.mesa3d.org/relnotes/23.3.4.html

==== MozillaFirefox ====
Version update (121.0.1 -> 122.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 122.0
  https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
  MFSA 2024-01 (bsc#1218955)
  * CVE-2024-0741 (bmo#1864587)
    Out of bounds write in ANGLE
  * CVE-2024-0742 (bmo#1867152)
    Failure to update user input timestamp
  * CVE-2024-0743 (bmo#1867408)
    Crash in NSS TLS method
  * CVE-2024-0744 (bmo#1871089)
    Wild pointer dereference in JavaScript
  * CVE-2024-0745 (bmo#1871838)
    Stack buffer overflow in WebAudio
  * CVE-2024-0746 (bmo#1660223)
    Crash when listing printers on Linux
  * CVE-2024-0747 (bmo#1764343)
    Bypass of Content Security Policy when directive unsafe-inline was set
  * CVE-2024-0748 (bmo#1783504)
    Compromised content process could modify document URI
  * CVE-2024-0749 (bmo#1813463)
    Phishing site popup could show local origin in address bar
  * CVE-2024-0750 (bmo#1863083)
    Potential permissions request bypass via clickjacking
  * CVE-2024-0751 (bmo#1865689)
    Privilege escalation through devtools
  * CVE-2024-0752 (bmo#1866840)
    Use-after-free could occur when applying update on macOS
  * CVE-2024-0753 (bmo#1870262)
    HSTS policy on subdomain could bypass policy of upper domain
  * CVE-2024-0754 (bmo#1871605)
    Crash when using some WASM files in devtools
  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
    Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
    and Thunderbird 115.7
- requires NSS 3.96.1
- rebased patches

==== aardvark-dns ====
Version update (1.9.0 -> 1.10.0)

- Update to version 1.10.0:
  * Release 1.10.0
  * Release notes for 1.10.0
  * chore(deps): update rust crate chrono to 0.4.32
  * chore(deps): update dependency containers/automation_images to v20240102
  * fix(deps): update rust crate futures-util to 0.3.30
  * fix(deps): update rust crate anyhow to 1.0.79
  * fix(deps): update rust crate tokio to 1.35.1
  * chore(deps): update dependency containers/automation_images to v20231208
  * fix(deps): update rust crate tokio to 1.35.0
  * fix duplicated IP CI flake
  * server: remove unused kill switch
  * fix(deps): update rust crate clap to ~4.4.10
  * Bump working version to v1.10.0-dev

==== btrfsprogs ====
Version update (6.6.2 -> 6.7)
Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1

- update to 6.7
  * mkfs: make 4k sectorsize default, recommended minimum kernel for that is
    6.1 and requires subpage support on architectures with page size > 4k
  * subvolume create: return correct error code when a target already exists
  * tree-checker: dump tree block on error (btrfs-convert, ...)
  * scrub limit: fix reporting of a limit set while there's none
  * fi usage: fix reporting of unallocated data or raid56 profile without root
    privs due to lack of that information
  * convert:
    * align data block group lengths to 64K
    * fix conversion of a large filesystem when there are partial inode items
      present due to caching
  * other:
    * build fixes
    * updated documentation
    * new and updated tests
- update to 6.6.3
  * subvol create: accept multiple arguments
  * subvol delete: print the subvolume id in the output
  * subvol sync: check if the filesystem is still writeable so it does not
    wait indefinitely
  * device delete: add a timeout and warning when deleting multiple devices
  * scrub status: report limit if set in sysfs/../scrub_speed_max
  * scrub limit: new command to show or set the per-device scrub limits
  * scrub start: report the limit if set
  * build:
    * fix CPU feature detection on aarch64
    * support Botan and OpenSSL (3.2+) as crypto backends
  * other:
    * documentation updates, RTD config update
    * new and updated tests
    * CI updates

==== cockpit ====
Subpackages: cockpit-bridge cockpit-packagekit cockpit-system

- suse_docs.patch: replace with suse docs and move docs without equiv
  to docs-rh (bsc#1219088)
- hide-docs.patch: obsolete by above, removed
- Provide users/groups cockpit-wsinstance and cockpit-ws: they are
  generated by cockpit-ws %pre script.
- hide-docs.patch: hide RHEL docs in shell/manifest.json

==== containerd ====

- Enable manpage generation
- Make devel package noarch
- adjust rpmlint filters

==== gcc13 ====
Version update (13.2.1+git8205 -> 13.2.1+git8250)
Subpackages: cpp13 libatomic1 libgcc_s1 libgfortran5 libgomp1 libobjc4 libquadmath0 libstdc++6 libstdc++6-locale libstdc++6-pp libubsan1

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

==== gpg2 ====
Version update (2.4.3 -> 2.4.4)
Subpackages: dirmngr gpg2-lang

- Update to 2.4.4: [bsc#1219191]
  * gpg: Do not keep an unprotected smartcard backup key on disk.
    See https://gnupg.org/blog/20240125-smartcard-backup-key.html
    for a security advisory. [T6944]
  * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
    platforms. [T6736]
  * gpg: Fix expiration time when Creation-Date is specified. [T5252]
  * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
  * gpg: Add option --with-v5-fingerprint. [T6705]
  * gpg: Add sub-option ignore-attributes to --import-options.
  * gpg: Add --list-filter properties sig_expires/sig_expires_d.
  * gpg: Fix validity of re-imported keys. [T6399]
  * gpg: Report BEGIN_ status before examining the input. [T6481]
  * gpg: Don't try to compress a read-only keybox. [T6811]
  * gpg: Choose key from inserted card over a non-inserted card. [T6831]
  * gpg: Allow to create revocations even with non-compliant algos. [T6929]
  * gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
  * gpg: Improve error message for expired default keys. [T4704]
  * gpgsm: Add --always-trust feature. [T6559]
  * gpgsm: Support ECC certificates in de-vs mode. [T6802]
  * gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
  * gpgsm: Do not show the pkcs#12 passphrase in debug output. [T6654]
  * keyboxd: Timeout on failure to get the database lock. [T6838]
  * agent: Update the key stubs only if really modified. [T6829]
  * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
  * scd: Add support for CardOS 5.4 cards. [rG812f988059]
  * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
  * scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
  * scd: Add a length check for a new PIN. [T6843]
  * tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
  * tpm: Fixes for the TPM test suite. [T6052]
  * dirmngr: New option --ignore-crl-extensions. [T6545]
  * dirmngr: Support config value "none" to disable the default
    keyserver. [T6708]
  * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
  * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
  * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
  * gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
    commands. [rG2c7f7a5a278c]
  * wkd: Make --add-revocs the default in gpg-wks-client. New option
    --no-add-revocs. [rG10c937ee68]
  * Remove duplicated backslashes when setting the homedir. [T6833]
  * Ignore attempts to remove the /dev/null device. [T6556]
  * Improve advisory file lock retry strategy. [T3380]
  * Release-info: https://dev.gnupg.org/T6578
  * Remove patch upstream:
  - gnupg-Report-BEGIN_-status-before-examining-the-input.patch

==== inih ====
Version update (57 -> 58)

- Update to version 58
  * Add ini_ prefix even to static names so inih can be used as an
    [#]include.

==== kernel-source ====

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681
- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8
- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3
- futex: Prevent the reuse of stale pi_state (bsc#1218841).
  Update upstream status (Queued in subsystem maintainer repository).
- commit a3ee207
- Refresh
  patches.rpmify/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch.
  Update upstream status.
- commit 589bdfa
- Update config files, enable CONFIG_IMA_DISABLE_HTABLE in all archs for
  Tumbleweed as SLE15-SP6 kernel does (bsc#1218400).
- commit 020caa6

==== libmaxminddb ====
Version update (1.8.0 -> 1.9.1)

- libmaxminddb 1.9.1:
  * On very large databases, the calculation to determine the search
    tree size could overflow. This was fixed and several additional
    guards against overflows were added
  * build system tweaks

==== libqmi ====
Subpackages: libqmi-glib5 libqmi-tools

- Add patch:
  * 0001-message-fix-16bit-service-on-big-endian.patch
  - Fixes 16-bit service indications on big endian architectures.
    Cherry-picked from upstream qmi-1-34 branch

==== libsolv ====
Version update (0.7.27 -> 0.7.28)
Subpackages: libsolv-tools ruby-solv

- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28

==== man ====

- Skip posttrans dependency on systemd to support container without
  systemd (boo#1215538)
- Use %(trans)filetriggerin and %(trans)filetriggerpostun to get
  an up-to-date man database for installed manual pages

==== perl-Bootloader ====
Version update (1.10 -> 1.11)

- merge gh#openSUSE/perl-bootloader#162
- handle script exit codes properly (bsc#1218847)
- 1.11

==== postfix ====
Version update (3.8.4 -> 3.8.5)

- update to 3.8.5
  * Security: this release improves support to defend against an email
    spoofing attack (SMTP smuggling) on recipients at a Postfix server.
    For background, see https://www.postfix.org/smtp-smuggling.html.

==== publicsuffix ====
Version update (20240107 -> 20240123)

- Update to version 20240123:
  * util: gTLD data autopull updates for 2024-01-23T15:14:10 UTC (#1921)

==== tiff ====

- security update:
  * CVE-2023-52356 [bsc#1219213]
    Fix segfault in TIFFReadRGBATileExt()
    + tiff-CVE-2023-52356.patch

==== transactional-update ====
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit

- Use "up" instead of "dup" by default on ALP [bsc#1218861]

==== webkit2gtk3 ====
Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue
  (bsc#1219113 CVE-2024-23222).

==== webkit2gtk4 ====
Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk6_0-1 libwebkitgtk6_0-4 webkitgtk-6_0-injected-bundles

- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue
  (bsc#1219113 CVE-2024-23222).

==== yast2-installation ====
Version update (5.0.3 -> 5.0.4)

- Keep cio_ignore kernel argument when present in the parmfile or
  use the cio_ignore -k output if not and write it always even
  in zVM and KVM (bsc#1210525).
- 5.0.4

==== zbar ====

- Fix building for Leap