Packages changed: MozillaFirefox (88.0.1 -> 89.0) apparmor at-spi2-core (2.40.1 -> 2.40.2) cups distribution-logos-openSUSE eog (40.1 -> 40.2) gobject-introspection gupnp (1.2.6 -> 1.2.7) libX11 (1.7.1 -> 1.7.2) libapparmor librsvg (2.50.6 -> 2.50.7) mpg123 (1.27.2 -> 1.28.0) openSUSE-build-key openvpn (2.4.10 -> 2.4.11) python-attrs (20.3.0 -> 21.2.0) python-greenlet (1.0.0 -> 1.1.0) python-idna (3.1 -> 3.2) python-more-itertools (8.7.0 -> 8.8.0) python-sortedcontainers (2.3.0 -> 2.4.0) python38 python38-core python38-documentation setools texlive z3 (4.8.10 -> 4.8.11) === Details === ==== MozillaFirefox ==== Version update (88.0.1 -> 89.0) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 89.0 * UI redesign * The Event Timing API is now supported * The CSS forced-colors media query is now supported MFSA 2021-23 (bsc#1186696) * CVE-2021-29965 (bmo#1709257) Password Manager on Firefox for Android susceptible to domain spoofing * CVE-2021-29960 (bmo#1675965) Filenames printed from private browsing mode incorrectly retained in preferences * CVE-2021-29961 (bmo#1700235) Firefox UI spoof using `<select>` elements and CSS scaling * CVE-2021-29963 (bmo#1705068) Shared cookies for search suggestions in private browsing mode * CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29959 (bmo#1395819) Devices could be re-enabled without additional permission prompt * CVE-2021-29962 (bmo#1701673) No rate-limiting for popups on Firefox for Android * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 * CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124) Memory safety bugs fixed in Firefox 89 - require NSS >= 3.64 rust-cbindgen >= 0.19.0 - do not rely on nodejs10 packagename anymore - updated mozilla.keyring - switched TW/x86_64 to clang as the last platform due to https://bugs.gentoo.org/792705 - but LTO with clang is broken in TW so disable LTO for it https://bugs.llvm.org/show_bug.cgi?id=47872 ==== apparmor ==== Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-parser-lang apparmor-profiles apparmor-utils apparmor-utils-lang pam_apparmor pam_apparmor-32bit python3-apparmor - move Requires: python3 back to the python3-apparmor subpackage - readline usage is in the python modules, not in apparmor-utils - Remove python symbols (python means currently python2), work only with python3 ones (fallout from bsc#1185588). ==== at-spi2-core ==== Version update (2.40.1 -> 2.40.2) Subpackages: at-spi2-core-lang libatspi0 typelib-1_0-Atspi-2_0 - Update to version 2.40.2: + README: Remove outdated links. + Key grab fixes for the new API. + registryd: Add a missing call to va_end. ==== cups ==== Subpackages: cups-client cups-config libcups2 libcups2-32bit libcupsimage2 - Provide /usr/share/cups/ppdc/ in the "cups" main package to avoid that "lpinfo -m" results in /var/log/cups/error_log things like "ppdc: Unable to find include file font.defs" or "ppdc: Unable to find include file hp.h" and then "Bad driver information file /usr/share/cups/drv/sample.drv" (bsc#1186843) ==== distribution-logos-openSUSE ==== - Add icons package to handle systemd branding better ==== eog ==== Version update (40.1 -> 40.2) Subpackages: eog-lang - Update to version 40.2: + reload: Remove unused GtkActionGroup member + Critical warning after closing EOG (invalid unclassed pointer; assertion 'EOG_IS_IMAGE (img)' failed) + Updated translations. ==== gobject-introspection ==== Subpackages: girepository-1_0 libgirepository-1_0-1 - gi-find-deps.sh: on Tumbleweed, HOSTTYPE on ppc64/ppc64le reports powerpc64 and powerpc64le: accept those strings as 64bit archs. ==== gupnp ==== Version update (1.2.6 -> 1.2.7) - Update to version 1.2.7: + Fix build with -Wformat-security=error + Bump required GLib version to 2.66 + Fix some introspection annotations + Add missing varargs functions to vapi + Revert fix from 1.2.5 which causes managed control points to live too long ==== libX11 ==== Version update (1.7.1 -> 1.7.2) Subpackages: libX11-6 libX11-6-32bit libX11-data libX11-devel libX11-xcb1 - Update to version 1.7.2 * bug fix release, correcting a regression introduced by and improving the checks from the fix for CVE-2021-31535. - supersedes U_Check-for-NULL-strings-before-getting-their-lengths.patch ==== libapparmor ==== Subpackages: libapparmor1 libapparmor1-32bit - move Requires: python3 back to the python3-apparmor subpackage - readline usage is in the python modules, not in apparmor-utils - Remove python symbols (python means currently python2), work only with python3 ones (fallout from bsc#1185588). ==== librsvg ==== Version update (2.50.6 -> 2.50.7) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 librsvg-lang rsvg-thumbnailer typelib-1_0-Rsvg-2_0 - Update to version 2.50.7: + Two cairo-related bug fixes: - glgo#GNOME/librsvg#745: Fix mismatched cairo_save/restore when running in inside the Cairo test suite. - glgo#GNOME/librsvg#746: Possible cairo_save() without cairo_restore() in render_layer(). ==== mpg123 ==== Version update (1.27.2 -> 1.28.0) Subpackages: libmpg123-0 mpg123-openal - Update to version 1.28.0 build: * Fix up the build to actually build all library objects with libtool consistently, also ensuring no pointless static archives for output modules. * Adapted things to autoconf 2.71, requiring 2.69 now * Improved configure to be more useful --with-default-audio to define the search order, fix static build for --with-audio being a list (just choosing the first one). * Ensure consistent use of LINK_MPG123_DLL in headers. build (ports/cmake): * Hardcode ports/cmake CPU detection for x64 and ARM as CMAKE_SYSTEM_PROCESSOR is useless crap (bug 298 for real). * Added JACK output, fixed handling of compat_str there libsyn123: * Fix syn123_mix() to actually do intermediate conversion when input and output encoding are the same but non-float. This makes out123 --mix work with s16 input and output, which is not that special! libmpg123: * Fix misguided handling of part2_3_length checks in III_get_scale_factors_1() and III_get_scale_factors_2() which invalidated decoding of a mono source encoded as ms+i-stereo (bug 312). This was a regression introduced with version 1.25.7. libout123: * Print basic module loading errors only for last one in list. This enables use of an output module search list that anticipates module files not installed with the main package. ==== openSUSE-build-key ==== - remove dumpsigs, unused since SLE12+ (rpm 4.x) (bsc#1186827) - add URL - spec-cleaner run - Merge changes from openSUSE Leap 15.3 for rpm-repos-openSUSE (boo#1186593) - Refresh the SLE15 build@suse.de key * Updated gpg-pubkey-39db7c82-5847eb1f.asc ==== openvpn ==== Version update (2.4.10 -> 2.4.11) - update to 2.4.11 (bsc#1185279): * CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements * This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. * In combination with "--auth-gen-token" or an user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. * Fix potential NULL ptr crash if compiled with DMALLOC - drop sysv5 init support, it hasn't build successfully in ages and is build-disabled in devel project ==== python-attrs ==== Version update (20.3.0 -> 21.2.0) - update to 21.2.0: * We had to revert the recursive feature for ``attr.evolve()`` because it broke some use-cases -- sorry! * Python 3.4 is now blocked using packaging metadata because ``attrs`` can't be imported on it anymore. * The long-awaited, much-talked-about, little-delivered ``import attrs`` is finally upon us! * The *cmp* argument to ``attr.s()`` and `attr.ib()` has been **undeprecated** It will continue to be supported as syntactic sugar to set *eq* and *order* in one go. * Further smaller changes, see included Changelog.md ==== python-greenlet ==== Version update (1.0.0 -> 1.1.0) - update to 1.1.0: * Add support for Python 3.10. Pre-built binary wheels for 3.10 are not currently available for all platforms. The greenlet ABI is different on Python 3.10 from all previous versions, but as 3.10 was never supported before, and the ABI has not changed on other Python versions, this is not considered a reason to change greenlet's major version. ==== python-idna ==== Version update (3.1 -> 3.2) - update to 3.2: * Add type hints (Thanks, Seth Michael Larson!) * Remove support for Python 3.4 ==== python-more-itertools ==== Version update (8.7.0 -> 8.8.0) - update to 8.8.0: * :func:`countable` (thanks to krzysieq) * :func:`split_before` was updated to handle empy collections (thanks to TiunovNN) * :func:`unique_everseen` got a performance boost (thanks to Numerlor) * The type hint for :func:`value_chain` was corrected (thanks to vr2262) - %check: use %pyunittest rpm macro ==== python-sortedcontainers ==== Version update (2.3.0 -> 2.4.0) - update to 2.4.0: * Implement SortedDict methods: __or__, __ror__, and __ior__ per PEP 584. ==== python38 ==== Subpackages: python38-curses python38-dbm python38-tk - allow building against sphinx 3.x+ - Stop providing "python" symbol (bsc#1185588), which means python2 currently. ==== python38-core ==== Subpackages: libpython3_8-1_0 python38-base - allow building against sphinx 3.x+ - Stop providing "python" symbol (bsc#1185588), which means python2 currently. ==== python38-documentation ==== - allow building against sphinx 3.x+ - Stop providing "python" symbol (bsc#1185588), which means python2 currently. ==== setools ==== - Fix dependency of python3-setools: require python3, not python (which is python2). ==== texlive ==== Subpackages: libkpathsea6 libsynctex2 - Change to using systemd-sysusers ==== z3 ==== Version update (4.8.10 -> 4.8.11) - update to 4.8.11: * fix soundness issues, invalid models, and crashes for options "tactic.default_tactic=smt sat.euf=true" * centos -> glibc * updated ref to esrp * undo cxx hoist * hoist c++ flags