Packages changed:
  GraphicsMagick
  aaa_base (84.87+git20230329.b39efbc -> 84.87+git20230815.cab7b44)
  busybox-links
  coreutils (9.3 -> 9.4)
  crypto-policies
  drbd (9.0.30~1+git.8e9c0812 -> 9.1.16)
  drbd-utils (9.19.0 -> 9.25.0)
  grep
  kdump
  kexec-tools (2.0.26.0 -> 2.0.27)
  lastlog2 (1.1.0 -> 1.2.0)
  libei (1.0.901 -> 1.1.0)
  multipath-tools (0.9.5+68+suse.d1b6a1c -> 0.9.6+71+suse.f07325e)
  open-vm-tools (12.2.0 -> 12.3.0)
  pam-config (2.5 -> 2.8)
  perl-Bootloader (1.6 -> 1.8)
  python-async_timeout (4.0.2 -> 4.0.3)
  python-click (8.1.6 -> 8.1.7)
  python-lxml
  python-outcome
  python-psycopg2 (2.9.6 -> 2.9.7)
  python-zope.event (4.6 -> 5.0)
  python311 (3.11.4 -> 3.11.5)
  python311-core (3.11.4 -> 3.11.5)
  shaderc (2023.4 -> 2023.6)
  sssd (2.9.1 -> 2.9.2)
  unbound (1.17.1 -> 1.18.0)
  wireless-regdb (20230721 -> 20230901)

=== Details ===

==== GraphicsMagick ====
Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config

- revert to 1.3.40 [bsc#1214831]
  https://sourceforge.net/p/graphicsmagick/news/2023/08/because-1341-is-discarded-i-has-been-published-2-builds-for-win32-architecture/
- modified patches
  % GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
  - GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch (not needed)
  - GraphicsMagick-name-key-return-input-file-base-name.patch (not needed)
- fix regression in 1.3.41
  https://sourceforge.net/p/graphicsmagick/bugs/722/
- added patches
  fix 17179:91afa18a6161
  + GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch
  fix 17180:bb42cd90ce6f
  + GraphicsMagick-name-key-return-input-file-base-name.patch
- version update to 1.3.41
  Bug fixes:
  * Blob: Immediately reject attempts to write blobs to formats which
    can not support blobs.
  * TranslateTextEx(): An empty string argument should return an empty
    string rather than a NULL string.
  * SetImageAttribute(): Fix bounds issue when concatenating string.
  * JPEG: Do not set image resolution if the values provided are outside
    of the valid range.
  * Fixes for NaN when reading formats based on floating point.
  * HEIF: Fix reading images with rotation/transformation.
  * BMP: Do not decode primaries or gamma unless colorspace is
    LCS_CALIBRATED_RGB.  Add/correct bmp_info.size "biSize" logic which
    decides if header chunks are present (or invalid).
  * MNG: Fixes for resizing using X_method 5.
  * GM command (convert, montage, mogrify): Many command-line parser
    fixes/checks for invalid command line syntax which causes unexpected
    behavior, or core dumps.
  * TopoL: Given that a writer is now provided, issues found in the
    reader (and writer) due to continual fuzz-testing have been fixed,
    as encountered.
  * GetImageClippingPathAttribute(): Check for and use clipping path
    name (ID=2999) to get the real attribute name.
  * ReadIPTCProfile(): Fix malformed IPTC data parsing.
  New Features:
  * TopoL: Now provides a writer.
  * WPG: Now provides a writer.
  * gm batch: Implement simple Test Anything Protocol (TAP) test
    counting and "ok N"/"not ok N" messaging.
  * TIFF: Support '-define tiff:photometric=minisblack' and '-define
    tiff:photometric=miniswhite' to be able to adjust the sense used
    when writing bilevel TIFF images.
  * TIFF: Require that TIFFTAG_EXTRASAMPLES be used appropriately to
    indicate the intention of extra channels.
  * utilities/tests/gen-tiff-images/genimages: Script for writing (and
    then reading) thousands (5568 permutations) of TIFF format variants.
  * EXIF and PNG: Retrieve image orientation from EXIF (if present) and
    store in image.
  * HEIF: Retrieve image orientation from EXIF and store in image.
  Behavior Changes:
  * The ability to extend existing image attribute text by calling
    SetImageAttribute() multiple times with the same key is now
    deprecated, and will soon be removed.  In the mean time, the
    annoying message "SetImageAttribute: Extending attribute value text
    is deprecated!"  is printed to the standard error output to help
    expose code which is using this feature.
- modified patches
  % GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
  - strlcpy-wrong-sizing.patch (upstreamed)

==== aaa_base ====
Version update (84.87+git20230329.b39efbc -> 84.87+git20230815.cab7b44)
Subpackages: aaa_base-extras

- Update to version 84.87+git20230815.cab7b44:
  * Remove broken autocompletion overrides and restore default bash behavior
  * Add foot to DIR_COLORS
  * files/u/s/sysconf_addword: avoid bashism, fix shellcheck warnings
  * files/u/s/smart_agetty: replace shebang with /bin/sh
  * files/u/s/service: avoid bashism, fix shellcheck warnings
  * files/u/s/refresh_initrd: make POSIX compliant
  * files/u/b/safe-rm: make POSIX compliant
  * aaa_base.post: replace shebang with /usr/sh
  * files/u/b/old: make POSIX compliant

==== busybox-links ====
Subpackages: busybox-bzip2 busybox-coreutils busybox-ed busybox-findutils busybox-gawk busybox-grep busybox-gzip busybox-misc busybox-psmisc busybox-sed busybox-sendmail busybox-tar busybox-which busybox-xz

- Add conflict for coreutils-systemd, package got splitted

==== coreutils ====
Version update (9.3 -> 9.4)
Subpackages: coreutils-lang

- Update to 9.4:
  Bug fixes:
  * b2sum --check will no longer read unallocated memory when
    presented with malformed checksum lines.
    [bug introduced in coreutils-9.2]
  * cp --parents again succeeds when preserving mode for absolute directories.
    Previously it would have failed with a "No such file or directory" error.
    [bug introduced in coreutils-9.1]
  * cp --sparse=never will avoid copy-on-write (reflinking) and copy offloading,
    to ensure no holes present in the destination copy.
    [bug introduced in coreutils-9.0]
  * cksum again diagnoses read errors in its default CRC32 mode.
    [bug introduced in coreutils-9.0]
  * cksum --check now ensures filenames with a leading backslash character
    are escaped appropriately in the status output.
    This also applies to the standalone checksumming utilities.
    [bug introduced in coreutils-8.25]
  * dd again supports more than two multipliers for numbers.
    Previously numbers of the form '1024x1024x32' gave "invalid number" errors.
    [bug introduced in coreutils-9.1]
  * factor, numfmt, and tsort now diagnose read errors on the input.
    [This bug was present in "the beginning".]
  * install --strip now supports installing to files with a leading hyphen.
    Previously such file names would have caused the strip process to fail.
    [This bug was present in "the beginning".]
  * ls now shows symlinks specified on the command line that can't be traversed.
    Previously a "Too many levels of symbolic links" diagnostic was given.
    [This bug was present in "the beginning".]
  * pr --length=1 --double-space no longer enters an infinite loop.
    [This bug was present in "the beginning".]
  * tac now handles short reads on its input.  Previously it may have exited
    erroneously, especially with large input files with no separators.
    [This bug was present in "the beginning".]
  * uptime no longer incorrectly prints "0 users" on OpenBSD,
    and is being built again on FreeBSD and Haiku.
    [bugs introduced in coreutils-9.2]
  * wc -l and cksum no longer crash with an "Illegal instruction" error
    on x86 Linux kernels that disable XSAVE YMM.  This was seen on Xen VMs.
    [bug introduced in coreutils-9.0]
  Changes in behavior:
  * cp -v and mv -v will no longer output a message for each file skipped
    due to -i, or -u.  Instead they only output this information with --debug.
    I.e., 'cp -u -v' etc. will have the same verbosity as before coreutils-9.3.
  * cksum -b no longer prints base64-encoded checksums.  Rather that
    short option is reserved to better support emulation of the standalone
    checksum utilities with cksum.
  * mv dir x now complains differently if x/dir is a nonempty directory.
    Previously it said "mv: cannot move 'dir' to 'x/dir': Directory not empty",
    where it was unclear whether 'dir' or 'x/dir' was the problem.
    Now it says "mv: cannot overwrite 'x/dir': Directory not empty".
    Similarly for other renames where the destination must be the problem.
    [problem introduced in coreutils-6.0]
- Enable systemd-logind support
- Add gnulib-readutmp.patch: Fix seg.fault of who, pinky, uptime [dgo#65617]
- Create -systemd flavor with binaries linked against libsystemd
- Drop coreutils-invalid-ids.patch to get consistent behavior, most tools
  where already removed from that patch.
- coreutils-misc.patch: adjust paths
- coreutils-skip-some-sort-tests-on-ppc.patch: adjust paths
- coreutils-test_without_valgrind.patch: adjust paths
- coreutils-i18n.patch: update from Fedora

==== crypto-policies ====
Subpackages: crypto-policies-scripts

- Tests: Fix pylint versioning for TW and fix the parsing of the
  policygenerators to account for the commented lines correctly.
  * Add crypto-policies-pylint.patch
  * Rebase crypto-policies-policygenerators.patch
- FIPS: Adapt the fips-mode-setup script to use the pbl command
  from the perl-Bootloader package to replace grubby. Add a note
  for transactional systems [jsc#PED-4578].
  * Rebase crypto-policies-FIPS.patch

==== drbd ====
Version update (9.0.30~1+git.8e9c0812 -> 9.1.16)
Subpackages: drbd-kmp-default

- Update DRBD version from 9.0.30+ to 9.1.16 (PED-6362)
  * 9.1.16 (api:genl2/proto:86-121/transport:18)
  * shorten times DRBD keeps IRQs on one CPU disabled. Could lead
    to connection interruption under specific conditions
  * fix a corner case where resync did not start after resync-pause
    state flapped
  * fix online adding of volumes/minors to an already connected resource
  * fix a possible split-brain situation with quorum enabled with
    ping-timeout set to (unusual) high value
  * fix a locking problem that could lead to kernel OOPS
  * ensure resync can continue (bitmap-based) after interruption
    also when it started as a full-resync first
  * correctly handle meta-data when forgetting diskless peers
  * fix a possibility of getting a split-brain although quorum enabled
  * correctly propagate UUIDs after resync following a resize operation.
    Consequence could be a full resync instead of a bitmap-based one
  * fix a rare race condition that can cause a drbd device to end up
    with WFBitMapS/Established replication states
  * 9.1.15 (api:genl2/proto:86-121/transport:18)
  * fix how flush requests are marked when submitted to the Linux IO
    stack on the secondary node
  * when establishing a connection failed with a two-pc timeout, a
    receiver thread deadlocked, causing drbdsetup calls to block on
    that resource (difficult to trigger)
  * fixed a NULL-ptr deref (a OOPS) caused by a rare race condition
    while taking a resource down
  * fix a possible hard kernel-lockup, can only be triggerd when a
    CPU-mask is configured
  * updated kernel compatibility to at least Linux head and also fixed
    a bug in the compat checks/rules that caused OOPSes of the previous
    drbd releases when compiled with Linux-6.2 (or on RHEL 9.2 kernel).
  * fix an aspect of the data-generation (UUID) handling where DRBD
    failed to do a resync when a diskless node in the remaining
    partition promotes and demotes while a diskful node is isolated
  * fix an aspect of the data-generation (UUID) handling where DRBD
    considered a node to have unrelated data; this bug was triggered by
    a sequence involving removing two nodes from a cluster and readding
    one with the "day-0" UUIDs.
  * do not block specific state changes (promote, demote, attach, and
    detach) when only some nodes add a new minor
  * 9.1.14 (api:genl2/proto:86-121/transport:18)
  * fix a race with concurrent promotion and demotion, which can
    lead to an unexpected "split-brain" later on
  * fix a specific case where promotion was allowed where it should not
  * fix a race condition between auto-promote and a second two-phase
    commit that can lead to a DRBD thread locking up in an endless loop
  * fix several bugs with "resync-after":
  - missing resync-resume when minor numbers run in opposite
    direction as the resync-after dependencies
  - a race that might lead to an OOPS in add_timer()
  * fix an OOPS when reading from in_flight_summary in debugfs
  * fix a race that might lead to an endless loop of printing
    "postponing start_resync" while starting a resync
  * fix diskless node with a diskfull with a 4KiB backend
  * simplify remembering two-pc parents, maybe fixing a one-time-seen bug
  * derive abort_local_transaction timeout from ping-timeout
  * 9.1.13 (api:genl2/proto:86-121/transport:18)
  * when calculating if a partition has quorum, take into account if
    the missing nodes might have quorum
  * fix forget-peer for diskless peers
  * clear the resync_again counter upon disconnect
  * also call the unfence handler when no resync happens
  * do not set bitmap bits when attaching to an up-to-date disk (late)
  * work on bringing the out-of-tree DRBD9 closer to DRBD in the upstream
    kernel; Use lru_cahche.ko from the installed kernel whenever possible
  * 9.1.12 (api:genl2/proto:86-121/transport:18)
  * fix a race that could result in connection attempts getting aborted
    with the message "sock_recvmsg returned -11"
  * rate limit messages in case the peer can not write the backing storage
    and it does not finish the necessary state transitions
  * reduced the receive timeout during connecting to the intended 5 seconds
    (ten times ping-ack timeout)
  * losing the connection at a specific point in time during establishing
    a connection could cause a transition to StandAlone; fixed that, so
    that it keeps trying to connect
  * fix a race that could lead to a fence-peer handler being called
    unexpectedly when the fencing policy is changed at the moment before
    promoting
  * 9.1.11 (api:genl2/proto:86-121/transport:18)
  * The change introduced with 9.1.10 created another problem that might
    lead to premature request completion (kernel crash); reverted that
    change and fix it in another way
  * 9.1.10 (api:genl2/proto:86-121/transport:18)
  * fix a regression introduced with 9.1.9; using protocol A on SMP
    with heavy IO can might cause kernel crash
  * 9.1.9 (api:genl2/proto:86-121/transport:18)
  * fix a mistake in the compat generation code; it broke DRBD on
    partitions on kernel older than linux 5.10 (this was introduced
    with drbd-9.1.8; not affected: logical volumes)
  * fix for a bug (introduced with drbd-9.0.0), that caused possible
    inconsistencies in the mirror when using the 'resync-after' option
  * fix a bug that could cause a request to get stuck after an unlucky
    timing with a loss of connection
  * close a very small timing window between connect and promote that
    could lead to the new-current-uuid not being transmitted to the
    concurrently connecting peer, which might lead to denied connections
    later on
  * fix a recently introduced OOPS when adding new volumes to a
    connected resource
    ... changelog too long, skipping 131 lines ...
  - bsc-1206791-09-pmem-use-fs_dax_get_by_bdev-instead-of-dax_get_by_ho.patch

==== drbd-utils ====
Version update (9.19.0 -> 9.25.0)

- Update to 9.25.0 (PED-5842)
  * drbdsetup,v9,show: fix meta disk format for json
  * drbdmeta: {hex,}dump superblock
  * drbdmon: major rewrite
  * build: gcc v12 cleanups
  * misc: put locks into separate dir
  * selinux: add fowner fsetsid, they dropped a global noaudit rule
  * v9: Support user-defined block-size
  * doc,v9: improvements all over the place
  * drbdadm,v9: implement drbdadm role <res:peer>
  * drbdadm,v9: pass --verbose/--statistics to drbdsetup status
  * drbd{adm,meta}: add repair-md subcommand
  * drbdadm,v9,resync-after: fix too strict check
  * drbdadm,v9,floating: fixup fake uname for 9.2.x strict_names=1
  * drbdadm,v9,parser: fixup globs, also rm GNU libc specific extensions
  * drbdadm,v9,parser: allow via outside-address for NATed peers
  * parser,v9: deprecate named connections
  * drbd-selinux: add sub package, minor packaging/spec changes
  * drbdadm: allow files from expanded glob to vanish
  * drbdadm,v9: fix potential segfault in postparse
  * drbdadm,v9: fix sh-ip when set on connection/path
  * drbdmeta: fix apply-al for bitmap sizes > 4GiB
  * drbd-service-shim.sh: add secondary --force
  * ocf: fix for dropped --peer option
  * drbdsetup,v9: show susupend reason in json output
  * drbdsetup,v9: add secondary --force
  * drbdsetup,v9: fix *susp_str() for events2 diff mode
  * drdbdadm,v9: fix sh-resource
  * drdbdadm,v9: rm --peer=connect_to_host
  * ocf: deal with situation where PM node name and actual node name do not
  match
  * notify.sh: deal with unset DRBD_PEER env variable
  * crm-fence-peer: fix timeout with Pacemaker 2.0.5
  * drbdmeta: don't wait for confirmation if not a TTY
  * drbdadm,v9: Pass '--force' to certain drbdmeta commands
  * drbdmeta: do init in chunks; allow different methods
  * build: various minor fixes (udev detection, POSIX,
  compiler flags, allow doc building with asciidoctor,...)
  * drbd.ocf: fix type (relevant for certain pcs versions)
  * crm-fence-peer: fix timeout with Pacemaker 2.1
  * v9,proxy: allow multiple sharing a proxy node
  * v9,drbdsetup: quote resource name in "show"
  * build: allow building for RHEL9.0, minor cleanups
  * reactor/systemd: allow proper actions (e.g., reboot) if
  demotion fails.
- introduce new systemd service:
  drbd-demote-or-escalate@.service
- remove v83 v84 binaries (incompatible with kmp)
- drop patches which are already included in latest code:
  - 0001-crm-fence-peer-fix-timeout-with-Pacemaker-2.1-milli-.patch
  - 0002-crm-fence-peer-fix-timeout-with-Pacemaker-2.0.5-mill.patch
- add upstream patch:
  + 0001-drbdadm-v9-do-not-segfault-when-re-configuring-proxy.patch
  + 0002-user-drbrdmon-add-missing-stdint.h-includes.patch
  + 0003-Introduce-default_types.h-header.patch
- change patch name:
  - 0001-Disable-quorum-in-default-configuration-bsc-1032142.patch
  + bsc-1032142_Disable-quorum-in-default-configuration.patch
- rebase patch:
  + pie-fix.patch
  + rpmlint-build-error.patch

==== grep ====
Subpackages: grep-lang

- export CONFIG_SHELL=/bin/sh before running configure: results in
  the shell script (egrep/fgrep) to receive a /bin/sh shebang
  instead of requiring bash (the local shell used to build).

==== kdump ====

- update calibrate values, newly added SLE15-SP6 values

==== kexec-tools ====
Version update (2.0.26.0 -> 2.0.27)

- update to 2.0.27:
  * ppc64: add --reuse-cmdline parameter support
  * kexec: make -a the default
  * x86: add devicetree support
  * ppc64: document elf-ppc64 options and --dt-no-old-root
  * LoongArch: kdump: set up kernel image segment
  * arm64: zboot support
- Disable Xen support in ALP

==== lastlog2 ====
Version update (1.1.0 -> 1.2.0)
Subpackages: liblastlog2-1

- Version 1.2.0
  - show_lastlogin: Don't read if no database
  - Fix -flto for clang
  - Documentation fixes

==== libei ====
Version update (1.0.901 -> 1.1.0)

- Update to release 1.1
  * Correct documentation for ei_touch_(get|set)_user_data

==== multipath-tools ====
Version update (0.9.5+68+suse.d1b6a1c -> 0.9.6+71+suse.f07325e)
Subpackages: kpartx libmpath0

- Update to version 0.9.6+71+suse.f07325e:
  * avoid changing SCSI timeouts in "multipath -d" (bsc#1213809)
- Update to version 0.9.6+70+suse.63925e8:
  Upstream feature additions and bug fixes:
  * ignore nvme devices by default if nvme native multipath is enabled
  * add "group_by_tpg" path_grouping_policy
  * add config options "detect_pgpolicy" and "detect_pgpolicy_use_tpg"
  * libmultipath: add ALUA tpg path wildcard "%A"
  * make prioritizer timeouts consistent with checker timeouts
  * fix dev_loss_tmo even if not set in configuration (bsc#1212440)
  * libmultipath: fix max_sectors_kb on adding path
  * fix warnings reported by udevadm verify

==== open-vm-tools ====
Version update (12.2.0 -> 12.3.0)
Subpackages: libvmtools0 open-vm-tools-desktop

- Update to 12.3.0 (build 22234872) (boo#1214850)
  - There are no new features in the open-vm-tools 12.3.0 release. This is
    primarily a maintenance release that addresses a few critical problems,
    including:
  - This release integrates CVE-2023-20900 without the need for a patch.
    For more information on this vulnerability and its impact on VMware
    products, see
    https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
  - A tools.conf configuration setting is available to temporaily direct
    Linux quiesced snaphots to restore pre open-vm-tools 12.2.0 behavior
    of ignoring file systems already frozen.
  - Building of the VMware Guest Authentication Service (VGAuth) using
    "xml-security-c" and "xerces-c" is being deprecated.
  - A number of Coverity reported issues have been addressed.
  - A number of GitHub issues and pull requests have been handled.
    Please see the Resolves Issues section of the Release Notes.
  - For issues resolved in this release, see the Resolved Issues section
    of the Release Notes.
  - For complete details, see:
    https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.0
  - Release Notes are available at
    https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md
  - The granular changes that have gone into the 12.3.0 release are in the
    ChangeLog at
    https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog
- Fix (bsc#1205927) - hv_vmbus module is loaded unnecessarily in VMware guests
- jsc-PED-1344 - reinable building containerinfo plugin for SLES 15 SP4.
- Drop patch now contained in 12.3.0:
  + 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch
  + 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch
  + 2023-20867-Remove-some-dead-code.patch
  + CVE-20230-20900.patch

==== pam-config ====
Version update (2.5 -> 2.8)

- Update to version 2.8
  - Replace aad module with himmelblau
- Update to version 2.7
  - Add support for aad module
- Update to version 2.6
  - Remove pam_cracklib from config even if no successor is installed
- Run update in %posttrans after all other PAM modules got
  installed/removed
- Both are required for [bsc#1214885]

==== perl-Bootloader ====
Version update (1.6 -> 1.8)

- merge gh#openSUSE/perl-bootloader#158
- skip warning about unsupported options when in compat mode
- 1.8
- merge gh#openSUSE/perl-bootloader#156
- bootloader_entry script can have an optional 'force-default'
  argument (bsc#1215064)
- 1.7

==== python-async_timeout ====
Version update (4.0.2 -> 4.0.3)

- update to 4.0.3:
  * Fixed compatibility with asyncio.timeout() on Python 3.11+.
  * Added support for Python 3.11.
  * Dropped support for Python 3.6.

==== python-click ====
Version update (8.1.6 -> 8.1.7)

- update to 8.1.7:
  * Fix issue with regex flags in shell completion.
  * Bash version detection issues a warning instead of an
    error.
  * Fix issue with completion script for Fish shell.

==== python-lxml ====

- skip html5lib tests - cyclic dependency with html5lib tests
- remove python 2.x from testing

==== python-outcome ====

- drop outdated depndendy on async_generator
  (see https://github.com/python-trio/outcome/issues/12)

==== python-psycopg2 ====
Version update (2.9.6 -> 2.9.7)

- update to 2.9.7:
  * Fix propagation of exceptions raised during module
    initialization
  * Fix building when pg_config returns an empty string

==== python-zope.event ====
Version update (4.6 -> 5.0)

- update to 5.0:
  * Drop support for Python 2.7, 3.5, 3.6.

==== python311 ====
Version update (3.11.4 -> 3.11.5)
Subpackages: python311-curses python311-dbm

- Update to 3.11.5 (bsc#1214692):
  - Security
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - Core and Builtins
  - gh-104432: Fix potential unaligned memory access on C APIs
    involving returned sequences of char * pointers within the grp
    and socket modules. These were revealed using a
  - fsaniziter=alignment build on ARM macOS. Patch by Christopher
    Chavez.
  - gh-77377: Ensure that multiprocessing synchronization objects
    created in a fork context are not sent to a different process
    created in a spawn context. This changes a segfault into an
    actionable RuntimeError in the parent process.
  - gh-106092: Fix a segmentation fault caused by a use-after-free
    bug in frame_dealloc when the trashcan delays the deallocation
    of a PyFrameObject.
  - gh-106719: No longer suppress arbitrary errors in the
    __annotations__ getter and setter in the type and module types.
  - gh-106723: Propagate frozen_modules to multiprocessing spawned
    process interpreters.
  - gh-105979: Fix crash in _imp.get_frozen_object() due to improper
    exception handling.
  - gh-105840: Fix possible crashes when specializing function calls
    with too many __defaults__.
  - gh-105588: Fix an issue that could result in crashes when
    compiling malformed ast nodes.
  - gh-105375: Fix bugs in the builtins module where exceptions
    could end up being overwritten.
  - gh-105375: Fix bug in the compiler where an exception could end
    up being overwritten.
  - gh-105375: Improve error handling in
    PyUnicode_BuildEncodingMap() where an exception could end up
    being overwritten.
  - gh-105235: Prevent out-of-bounds memory access during
    mmap.find() calls.
  - gh-101006: Improve error handling when read marshal data.
  - Library
  - gh-105736: Harmonized the pure Python version of OrderedDict
    with the C version. Now, both versions set up their internal
    state in __new__. Formerly, the pure Python version did the set
    up in __init__.
  - gh-107963: Fix multiprocessing.set_forkserver_preload() to check
    the given list of modules names. Patch by Dong-hee Na.
  - gh-106242: Fixes os.path.normpath() to handle embedded null
    characters without truncating the path.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will
    no longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107715: Fix doctest.DocTestFinder.find() in presence of class
    names with special characters. Patch by Gertjan van Zwieten.
  - gh-100814: Passing a callable object as an option value to a
    Tkinter image now raises the expected TclError instead of an
    AttributeError.
  - gh-106684: Close asyncio.StreamWriter when it is not closed by
    application leading to memory leaks. Patch by Kumar Aditya.
  - gh-107077: Seems that in some conditions, OpenSSL will return
    SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification
    verification has failed, but the error parameters will still
    contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are
    now detecting this situation and raising the appropiate
    ssl.SSLCertVerificationError. Patch by Pablo Galindo
  - gh-107396: tarfiles; Fixed use before assignment of
    self.exception for gzip decompression
  - gh-62519: Make gettext.pgettext() search plural definitions when
    translation is not found.
  - gh-83006: Document behavior of shutil.disk_usage() for
    non-mounted filesystems on Unix.
  - gh-106186: Do not report MultipartInvariantViolationDefect
    defect when the email.parser.Parser class is used to parse
    emails with headersonly=True.
  - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION
    result in _ssl.c.
  - gh-106774: Update the bundled copy of pip to version 23.2.1.
  - gh-106752: Fixed several bug in zipfile.Path in
    name/suffix/suffixes/stem operations when no filename is present
    and the Path is not at the root of the zipfile.
  - gh-106602: Add __copy__ and __deepcopy__ in enum
  - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused
    division by zero for certain almost-white inputs. Patch by Terry
    Jan Reedy.
  - gh-106052: re module: fix the matching of possessive quantifiers
    in the case of a subpattern containing backtracking.
  - gh-106510: Improve debug output for atomic groups in regular
    expressions.
  - gh-105497: Fix flag mask inversion when unnamed flags exist.
  - gh-90876: Prevent multiprocessing.spawn from failing to import
    in environments where sys.executable is None. This regressed in
    3.11 with the addition of support for path-like objects in
    multiprocessing.
  - gh-106350: Detect possible memory allocation failure in the
    libtommath function mp_init() used by the _tkinter module.
  - gh-102541: Make pydoc.doc catch bad module ImportError when
    output stream is not None.
    ... changelog too long, skipping 124 lines ...
    data: *consumed was not set.

==== python311-core ====
Version update (3.11.4 -> 3.11.5)
Subpackages: libpython3_11-1_0 python311-base

- Update to 3.11.5 (bsc#1214692):
  - Security
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - Core and Builtins
  - gh-104432: Fix potential unaligned memory access on C APIs
    involving returned sequences of char * pointers within the grp
    and socket modules. These were revealed using a
  - fsaniziter=alignment build on ARM macOS. Patch by Christopher
    Chavez.
  - gh-77377: Ensure that multiprocessing synchronization objects
    created in a fork context are not sent to a different process
    created in a spawn context. This changes a segfault into an
    actionable RuntimeError in the parent process.
  - gh-106092: Fix a segmentation fault caused by a use-after-free
    bug in frame_dealloc when the trashcan delays the deallocation
    of a PyFrameObject.
  - gh-106719: No longer suppress arbitrary errors in the
    __annotations__ getter and setter in the type and module types.
  - gh-106723: Propagate frozen_modules to multiprocessing spawned
    process interpreters.
  - gh-105979: Fix crash in _imp.get_frozen_object() due to improper
    exception handling.
  - gh-105840: Fix possible crashes when specializing function calls
    with too many __defaults__.
  - gh-105588: Fix an issue that could result in crashes when
    compiling malformed ast nodes.
  - gh-105375: Fix bugs in the builtins module where exceptions
    could end up being overwritten.
  - gh-105375: Fix bug in the compiler where an exception could end
    up being overwritten.
  - gh-105375: Improve error handling in
    PyUnicode_BuildEncodingMap() where an exception could end up
    being overwritten.
  - gh-105235: Prevent out-of-bounds memory access during
    mmap.find() calls.
  - gh-101006: Improve error handling when read marshal data.
  - Library
  - gh-105736: Harmonized the pure Python version of OrderedDict
    with the C version. Now, both versions set up their internal
    state in __new__. Formerly, the pure Python version did the set
    up in __init__.
  - gh-107963: Fix multiprocessing.set_forkserver_preload() to check
    the given list of modules names. Patch by Dong-hee Na.
  - gh-106242: Fixes os.path.normpath() to handle embedded null
    characters without truncating the path.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will
    no longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107715: Fix doctest.DocTestFinder.find() in presence of class
    names with special characters. Patch by Gertjan van Zwieten.
  - gh-100814: Passing a callable object as an option value to a
    Tkinter image now raises the expected TclError instead of an
    AttributeError.
  - gh-106684: Close asyncio.StreamWriter when it is not closed by
    application leading to memory leaks. Patch by Kumar Aditya.
  - gh-107077: Seems that in some conditions, OpenSSL will return
    SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification
    verification has failed, but the error parameters will still
    contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are
    now detecting this situation and raising the appropiate
    ssl.SSLCertVerificationError. Patch by Pablo Galindo
  - gh-107396: tarfiles; Fixed use before assignment of
    self.exception for gzip decompression
  - gh-62519: Make gettext.pgettext() search plural definitions when
    translation is not found.
  - gh-83006: Document behavior of shutil.disk_usage() for
    non-mounted filesystems on Unix.
  - gh-106186: Do not report MultipartInvariantViolationDefect
    defect when the email.parser.Parser class is used to parse
    emails with headersonly=True.
  - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION
    result in _ssl.c.
  - gh-106774: Update the bundled copy of pip to version 23.2.1.
  - gh-106752: Fixed several bug in zipfile.Path in
    name/suffix/suffixes/stem operations when no filename is present
    and the Path is not at the root of the zipfile.
  - gh-106602: Add __copy__ and __deepcopy__ in enum
  - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused
    division by zero for certain almost-white inputs. Patch by Terry
    Jan Reedy.
  - gh-106052: re module: fix the matching of possessive quantifiers
    in the case of a subpattern containing backtracking.
  - gh-106510: Improve debug output for atomic groups in regular
    expressions.
  - gh-105497: Fix flag mask inversion when unnamed flags exist.
  - gh-90876: Prevent multiprocessing.spawn from failing to import
    in environments where sys.executable is None. This regressed in
    3.11 with the addition of support for path-like objects in
    multiprocessing.
  - gh-106350: Detect possible memory allocation failure in the
    libtommath function mp_init() used by the _tkinter module.
  - gh-102541: Make pydoc.doc catch bad module ImportError when
    output stream is not None.
    ... changelog too long, skipping 124 lines ...
    data: *consumed was not set.

==== shaderc ====
Version update (2023.4 -> 2023.6)

- Update to release 2023.6
  * Build system updates only

==== sssd ====
Version update (2.9.1 -> 2.9.2)
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap

- Update to release 2.9.2
  * sssctl cert-show and cert-show cert-eval-rule can now be run as
    non-root user.
  * New option local_auth_policy is added to control which offline
    authentication methods will be enabled by SSSD.

==== unbound ====
Version update (1.17.1 -> 1.18.0)
Subpackages: libunbound8 unbound-anchor

- Update to 1.18.0:
  * Features:
  - Аdd a metric about the maximum number of collisions in lrushah.
  - Set max-udp-size default to 1232. This is the same default value
    as the default value for edns-buffer-size. It restricts client
    edns buffer size choices, and makes unbound behave similar to
    other DNS resolvers.
  - Add harden-unknown-additional option. It removes unknown records
    from the authority section and additional section.
  - Added new static zone type block_a to suppress all A queries for
    specific zones.
  - [FR] Ability to use Redis unix sockets.
  - [FR] Ability to set the Redis password.
  - Features/dropqueuedpackets, with sock-queue-timeout option that
    drops packets that have been in the socket queue for too long.
    Added statistics num.queries_timed_out and query.queue_time_us.max
    that track the socket queue timeouts.
  - 'eqvinox' Lamparter: NAT64 support.
  - [FR] Use kernel timestamps for dnstap.
  - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
    statistical counter.
  - Add SVCB dohpath support.
  - Add validation EDEs to queries where the CD bit is set.
  - Add prefetch support for subnet cache entries.
  - Add EDE (RFC8914) caching.
  - Add support for EDE caching in cachedb and subnetcache.
  - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
    cookies for clients that send client cookies. This needs to be explicitly
    turned on in the config file with: `answer-cookie: yes`.
  * Bug Fixes
  - Response change to NODATA for some ANY queries since 1.12.
  - Fix not following cleared RD flags potentially enables
    amplification DDoS attacks.
  - Set default for harden-unknown-additional to no. So that it
    does not hamper future protocol developments.
  - Fix to ignore entirely empty responses, and try at another authority.
    This turns completely empty responses, a type of noerror/nodata into
    a servfail, but they do not conform to RFC2308, and the retry can fetch
    improved content.
  - Allow TTL refresh of expired error responses.
  - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
  - Fix unbound-dnstap-socket test program to reply the finish frame over
    a TLS connection correctly.
  - Fix: reserved identifier violation
  - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
    without tls-cert-bundle
  - Extra consistency check to make sure that when TLS is requested,
    either we set up a TLS connection or we return an error.
  - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
  - Fix: Bad interaction with 0 TTL records and serve-expired
  - Fix RPZ IP responses with trigger rpz-drop on cache entries.
  - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
  - Fix dereference of NULL variable warning in mesh_do_callback.
  - Fix ip_ratelimit test to work with dig that enables DNS cookies.
  - Fix for iter_dec_attempts that could cause a hang, part of capsforid
    and qname minimisation, depending on the settings.
  - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
  - Fix stat_values test to work with dig that enables DNS cookies.
  - unbound.service: Main process exited, code=killed, status=11/SEGV.
    Fixes cachedb configuration handling.
  - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.

==== wireless-regdb ====
Version update (20230721 -> 20230901)

- Update to version 20230901:
  * wireless-regdb: update regulatory database based on preceding changes
  * wireless-regdb: Update regulatory rules for Australia (AU) for June 2023