Packages changed:
  Mesa
  Mesa-drivers
  MozillaFirefox (106.0.5 -> 107.0)
  bluez (5.65 -> 5.66)
  curl
  ffmpeg-4
  lcms2
  libXft (2.3.6 -> 2.3.7)
  libalternatives
  libappindicator
  open-iscsi
  systemd (251.8 -> 252.1)
  webkit2gtk3
  webkit2gtk3-soup2
  xfsprogs (5.19.0 -> 6.0.0)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- try to fix build on ppc64le due to running OOM (boo#1205441)
  * let's request 20G of physical memory via _constraints file

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva libxatracker2

- try to fix build on ppc64le due to running OOM (boo#1205441)
  * let's request 20G of physical memory via _constraints file

==== MozillaFirefox ====
Version update (106.0.5 -> 107.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 107.0
  MFSA 2022-47 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45407 (bmo#1793314)
    Loading fonts on workers was not thread-safe
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45413 (bmo#1791201)
    SameSite=Strict cookies could have been sent cross-site via
    intent URLs
  * CVE-2022-40674 (bmo#1791598)
    Use-after-free vulnerability in expat
  * CVE-2022-45415 (bmo#1793551)
    Downloaded file may have been saved with malicious extension
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45417 (bmo#1794508)
    Service Workers in Private Browsing Mode may have been
    written to disk
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45419 (bmo#1716082)
    Deleting a security exception did not take effect immediately
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
- requires
  * NSS >= 3.84
  * rust = 1.64

==== bluez ====
Version update (5.65 -> 5.66)
Subpackages: bluez-auto-enable-devices bluez-cups bluez-zsh-completion libbluetooth3

- update to 5.66:
  * Fix issue with A2DP and transport connection collisions.
  * Fix issue with allowing application specific error codes.
  * Fix issue with not setting initiator flag correctly.
  * Fix issue with HoG Report MAP size handling.
  * Add initial support for Basic Audio Profile.
  * Add initial support for Volume Control Profile.
- remove RPi-Move-the-43xx-firmware-into-lib-firmware.patch (does
  not apply anymore), replace with CPPFLAGS define

==== curl ====
Subpackages: libcurl4

- Add 1.50.0 as the minimum libnghttp2 build requirement version as
  a bandaid. Curl's 7.86.0 release introduces the use of
  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
  introduced by nghttp2 1.50.0 release, without introducing a check
  for the function/right version in their build scripts. This will
  make Zypper/cURL unusable in some corner cases where users
  install something that requires libcurl4 before doing a full
  system upgrade, thus updating the cURL stack, but not
  libnghttp2's. Background: boo#1204983, Factory mailing list
  thread:
  "? broken dependency in curl and/or *zyp* ?", and forums thread:
  Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavfilter7_110 libavformat58_76 libavresample4_0 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix
  out of bounds read in update_block_in_prev_frame() (bsc#1205388).

==== lcms2 ====

- Removed reverse-0001-fix-memory-leaks-on-testbed.patch and added
  0001-fix-memory-corruption-when-unregistering-plugins.patch as
  final fix for https://github.com/hughsie/colord/issues/145

==== libXft ====
Version update (2.3.6 -> 2.3.7)
Subpackages: libXft2 libXft2-32bit

- Update to version 2.3.7
  * libxft issue #15
    https://gitlab.freedesktop.org/xorg/lib/libxft/-/issues/15
    XftFontLoadGlyphs for mono font returns wrong info in extents from
    XftTextExtentsUtf8 for variable chars
    Patch by Scott Mcdermott, based on
    https://github.com/googlefonts/Inconsolata/issues/42
  * fix compiler warning
  * libxft issue #16
    https://gitlab.freedesktop.org/xorg/lib/libxft/-/issues/16
    Stack gets smashed in fonts with colors when calling XftGlyphRender
    BGRA changes made incorrect comparison for local vs allocated
    buffer in XftGlyphSpecRender
  * stdint.h header is needed for SIZE_MAX

==== libalternatives ====
Subpackages: alts libalternatives1

- switch to a manual service rather than a buildtime tar service
  which introduces a bootstrap cycle between python and tar_scm

==== libappindicator ====
Subpackages: libappindicator3-1 typelib-1_0-AppIndicator3-0_1

- Let the rpm provide libappindicator-gtk3 for EL8 compat

==== open-iscsi ====
Subpackages: libopeniscsiusr0_2_0

- Updated to latest upstream. Changes:
  * scsid/iscsiuio: fix OOM adjustment (github issue #377)

==== systemd ====
Version update (251.8 -> 252.1)
Subpackages: libsystemd0 libsystemd0-32bit libudev1 libudev1-32bit systemd-32bit systemd-container systemd-lang udev

- Upgrade to v252.1 (commit 64dc546913525e33e734500055a62ed0e963c227)
  See https://github.com/openSUSE/systemd/blob/SUSE/v252/NEWS for details.
  * Rebased 0001-conf-parser-introduce-early-drop-ins.patch
    1000-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
  * The new tools systemd-measure and systemd-pcrphase have been added to the
    experimental sub-package for now.
  * Add temporarily
    6000-meson-install-test-kernel-install-only-when-Dkernel-.patch until this
    patch is mainstreamed.

==== webkit2gtk3 ====
Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update _constraints for webkit2gtk3:gtk3-soup2 on aarch64 to
  avoid slow workers and OOM

==== webkit2gtk3-soup2 ====
Subpackages: WebKit2GTK-4.0-lang libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles

- Update _constraints for webkit2gtk3:gtk3-soup2 on aarch64 to
  avoid slow workers and OOM

==== xfsprogs ====
Version update (5.19.0 -> 6.0.0)
Subpackages: libhandle1 xfsprogs-scrub

- update to 6.0.0:
  - libxfs: kernel sync
  - xfs_db: use preferable macro to seek offset for local dir3
  - xfs_quota: optimize -L/-U calls for dump/report