Removed rpms
============


Added rpms
==========


Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 115.10.0 ESR
+  Placeholder changelog-entry (bsc#1222535)
+
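Review bot: the second line of the MozillaFirefox entry is still "Placeholder changelog-entry (bsc#1222535)", so the record for the 115.10.0 ESR update names none of the issues it fixes. Replace the placeholder with the fixed issues or the advisory reference before this ships, so the bsc number can be matched to what was actually addressed.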
ca-certificates
+- Update to version 2+git20240416.98ae794 (bsc#1221184):
+  * Use flock to serialize calls (boo#1188500)
+  * Make certbundle.run container friendly
+  * Create /var/lib/ca-certificates if needed
+
emacs
+- Again fix %{%ext_info} to %{ext_info}  (boo#1221769)
+
+- Modify patch CVE-2024-30205.patch (bsc#1222050)
+  * Add backport of (org--should-fetch-remote-resource-p) to be
+    sure that remote file locations will be checked by the user
+  * Use this in (org-file-contents)
+
+- Modify patch CVE-2024-30204.patch
+  * Backport the variable definition untrusted-content in lisp/files.el
+
+- Add patch CVE-2024-30203.patch
+  * Fix bsc#1222053 -- Gnus treats inline MIME contents as trusted
+- Add patch CVE-2024-30204.patch
+  * Fix bsc#1222052 -- LaTeX preview is enabled by default for e-mail attachments
+- Add patch CVE-2024-30205.patch
+  * Fix bsc#1222050 -- Org mode considers contents of remote files to be trusted
+
+- fix typo in %{ext_info} macro usage
+
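Review bot: the "Modify patch CVE-2024-30204.patch" entry carries no bug reference, while the matching "Modify patch CVE-2024-30205.patch" entry cites bsc#1222050. Add bsc#1222052 (the number the "Add patch CVE-2024-30204.patch" entry uses) so the backport of untrusted-content can be tracked against the same bug. The two %{ext_info} typo entries also describe the same fix twice; the later one ("Again fix") should say why the first did not hold.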
graphviz
+- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file
+  bsc#1219491
+  A gvc-detect-plugin-installation-failure-and-display-an-error.patch
+
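Review bot: the CVE-2023-46045 entry does not say how the listed patch addresses the out-of-bounds read. The patch name, gvc-detect-plugin-installation-failure-and-display-an-error.patch, describes plugin installation error handling, and it is introduced with a bare "A" rather than "Add". Add one line stating what the patch changes in the handling of the config6a file.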
ibus-pinyin
+- Add ibus-pinyin-avoid-superkey-conflict.patch:
+  Make system could respond to Super key to swith input engine after
+  input Chinese in ibus-pinyin.
+  (bsc#1220235)
+
+- Add ibus-pinyin-use-single-quote-for-sqlite-3.41.0.patch:
+  Backporting ffe471c9 from upstream, Use single quote inside SQL to
+  avoid the sqlite latest than 3.41.0's syntax fault during building
+  process.
+
-- ibus-pinyin-support-set-content-type-method.patch:
-  Fix visible password entry in GNOME lock screen (CVE-2013-4509,
-  bnc#847718); taken from Fedora package
-
-- add python-xdg as Requires
-
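Review bot: the removed lines drop the changelog record for ibus-pinyin-support-set-content-type-method.patch (CVE-2013-4509, bnc#847718), and no added entry says whether that patch was dropped, merged upstream, or is still applied. Add a line stating its status so the fix for the visible password entry in the GNOME lock screen stays traceable in the package history.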
libzypp
+- Fix creation of sibling cache dirs with too restrictive mode
+  (bsc#1222398)
+  Some install workflows in YAST may lead to too restrictive (0700)
+  raw cache directories in case of newly created repos. Later
+  commands running with user privileges may not be able to access
+  these repos.
+- version 17.32.4 (32)
+
+- Update RepoStatus fromCookieFile according to the files mtime
+  (bsc#1222086)
+- TmpFile: Don't call chmod if makeSibling failed.
+- version 17.32.3 (32)
+
+- Fixup New VendorSupportOption flag VendorSupportSuperseded
+  (jsc#OBS-301, jsc#PED-8014)
+  Fixed the name of the keyword to "support_superseded" as it was
+  agreed on in jsc#OBS-301.
+- version 17.32.2 (32)
+
+- Add resolver option 'removeUnneeded' to file weak remove jobs
+  for unneeded packages (bsc#1175678)
+- version 17.32.1 (32)
+
+- Add resolver option 'removeOrphaned' for distupgrade
+  (bsc#1221525)
+- New VendorSupportOption flag VendorSupportSuperseded
+  (jsc#OBS-301, jsc#PED-8014)
+- Tests: fix vsftpd.conf where SUSE and Fedora use different
+  defaults (fixes #522)
+- Add default stripe minimum (#529)
+- Don't expose std::optional where YAST/PK explicitly use c++11.
+- Digest: Avoid using the deprecated OPENSSL_config.
+- version 17.32.0 (32)
+
+- ProblemSolution::skipsPatchesOnly overload to handout the
+  patches.
+- Remove https->http redirection exceptions for
+  download.opensuse.org.
+- version 17.31.32 (22)
+
manpages-l10n
+- Remove conflicting files with xz-lang(from SLE15)
+- Remove conflicting files with procps-lang(from SLE15)
+
polkit
+- Change permissions for rules folders (bsc#1209282)
+
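Review bot: "Change permissions for rules folders (bsc#1209282)" does not state which directories are affected or what owner and mode they now have. Since these folders hold the polkit authorization rules, the entry should name the paths and the old and new permissions so an administrator can verify them after the update.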
python-idna
+- Add CVE-2024-3651.patch, backported from upstream commit
+  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
+  (bsc#1222842, CVE-2024-3651)
+
shim
-- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458.
-  The issue be fixed by upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737)
+- update public keys of shim-15.8 after it has been signed back
+  from Microsoft.
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+  signature. When submit request on IBS for updating SLE shim, the submitreq
+  project be generated, but it always be blocked by checking the signature
+  of openSUSE shim.
+  It doesn't make sense checking openSUSE shim signature when building
+  SLE shim on SLE platform, and vice versa. So the following change adds the
+  logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+  When and only when hash mismatch and distro_id match with suffix, stop
+  building.
+    [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+    [#] when hash mismatch and distro_id match with suffix, stop building
+- Sync the changelog between openSUSE:Factory/shim with SLE-15-SP3/shim
+  - Add CVE-2022-28737 number to "Mon Mar 27 09:26:02 UTC 2023" record
+  - Add "Thu Apr 13 05:28:10 UTC 2023" record for updating shim-install
+    for bsc#1210382.
+  - Add "Thu Apr 13 09:13:22 UTC 2023" record for changing the logic of
+    checking shim signature.
+
+- Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
+  92d0f4305df73 Set the SRK algorithm for the TPM2 protector
+
+- Limit the requirement of fde-tpm-helper-macros to the distro with
+  suse_version 1600 and above (bsc#1219460)
+
+-- Update to version 15.8
+  - Various CVE fixes are already merged into this version
+    mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+    avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+    Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
+    Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
+    pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
+    pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
+  - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+    The codes in this patch are already existing in shim-15.8
+    The NX flag is disable which is same as the default value of shim-15.8,
+    hence, not need to enable it by this patch now.
+  - Patches (git log --oneline --reverse 15.7..15.8)
+    657b248 Make sbat_var.S parse right with buggy gcc/binutils
+    7c76425 Enable the NX compatibility flag by default.
+    89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
+    c7b3051 pe: Align section size up to page size for mem attrs
+    e4f40ae pe: Add IS_PAGE_ALIGNED macro
+    f23883c Don't loop forever in load_certs() with buggy firmware
+    1f38cb3 Optionally allow to keep shim protocol installed
+    102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+    aae3df0 test-sbat: Fix exit code
+    cca3933 Block Debian grub binaries with SBAT < 4
+    cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
+    0601f44 SBAT-related documents formatting and spelling
+    0640e13 Add a security contact email address in README.md
+    0bfc397 Work around malformed path delimiters in file paths from DHCP
+    a8b0b60 pe: only process RelocDir->Size of reloc section
+    f7a4338 Skip testing msleep()
+    549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+    908c388 Change type of fallback_verbose_wait from int to unsigned long
+    05eae92 Add SbatLevel_Variable.txt to document the various revocations
+    243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+    89d25a1 Add a make rule for compile_commands.json
+    118ff87 Add gnu-stack notes
+    f132655 test: Make our fake dprintf be a statement.
+    be00279 Remove CentOS 7 test builds.
+    9964960 Split pe.c up even more.
+    569270d Test (and fix) ImageAddress()
+    61e9894 Verify signature before verifying sbat levels
+    1578b55 Add libFuzzer support for csv.c
+    a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+    e246812 Add libFuzzer support to the .sbat parser.
+    fd43eda Work around ImageAddress() usage mistake
+    1e985a3 Correctly free memory allocated in handle_image()
+    dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+    04111d4 Make some of the static analysis tools a little easier to run
+    7ba7440 compile_commands.json: remove stuff clang doesn't like
+    66e6579 CVE-2023-40546 mok: fix LogError() invocation
+    f271826 Add primitives for overflow-checked arithmetic operations.
+    8372147 pe-relocate: Add a fuzzer for read_header()
+    5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+    e912071 pe-relocate: make read_header() use checked arithmetic operations.
+    93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
+    e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+    afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
+    96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
+    dae82f6 Further mitigations against CVE-2023-40546 as a class
+    ea0f9df Allow SbatLevel data from external binary
+    b078ef2 Always clear SbatLevel when Secure Boot is disabled
+    7dfb687 BS Variables for bootmgr revocations
+    a967c0e shim should not self revoke
+    577cedd Print message when refusing to apply SbatLevel
+    e801b0d sbat revocations: check the full section name
+    0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+    6f0c8d2 Print errors when setting/clearing memory attrs
+    57c0eed Updated Revocations for January 2024 CVEs
+    49c6d95 Fix some minor ia32 build issues.
+    be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
+    13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
+    c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
+    30a4f37 Rename "previous" revocations to "automatic"
+    6f395c2 Build time selectable automatic SBATLevel revocations
+    a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
+    993a345 Try to load revocations.efi even if directory read fails
+    1770a03 gitmodules: use shim-15.8 for gnu-efi branch
+    5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8
+
+- Generate dbx during build so we don't include binary files in sources
+
+- Don't require grub so shim can still be used with systemd-boot
+
+- Update shim-install to fix boot failure of ext4 root file system
+  on RAID10 (bsc#1205855)
+  226c94ca5cfca  Use hint in looking for root if possible
+
+- Adopt the macros from fde-tpm-helper-macros to update the
+  signature in the sealed key after a bootloader upgrade
+
+- Update shim-install to amend full disk encryption support
+    b540061e041b  Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
+    f2e8143ce831  Use the long name to specify the grub2 key protector
+    72830120e5ea  cryptodisk: support TPM authorized policies
+    49e7a0d307f3  Do not use tpm_record_pcrs unless the command is in command.lst
-- Updated shim signature after shim 15.7 be signed back:
+- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to
+  enable the NX compatibility flag when using post-process-pe after
+  discussed with grub2 experts in mail. It's useful for further development
+  and testing. (bsc#1205588)
+
+- Updated shim signature after shim 15.7 of SLE be signed back:
+- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101)
+  - Detail discussion is in bugzilla:
+  https://bugzilla.suse.com/show_bug.cgi?id=1198101
+  - The shim community review and challenge this prompt. No other
+    distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10).
+    Currently, it blocked the review process of openSUSE shim.
+  - Other distros lock-down kernel when secure boot is enabled. Some of
+    them used different key for signing kernel binary with In-tree kernel
+    module. And their build service does not provide signed Out-off-tree
+    module.
+
+- Modified shim-install, add the following Olaf Kirch's patches to support
+  full disk encryption: (jsc#PED-922)
+    a5c57340740c	Introduce --no-grub-install option
+    5c2c3addc51f	Handle different cases of controlling cryptomount volumes during first stage boot
+    26c6bd5df7ae	Have grub take a snapshot of "relevant" TPM PCRs
+
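Review bot: the NX compatibility state of the shipped shim cannot be determined from these entries. The 15.8 entry removes shim-Enable-the-NX-compatibility-flag-by-default.patch on the grounds that the flag is disabled by default in shim-15.8 (consistent with be8ff7c in the commit list), while another entry removes POST_PROCESS_PE_FLAGS=-N from shim.spec "to enable the NX compatibility flag" (bsc#1205588). State in the 15.8 entry whether that spec change still applies and which NX_COMPAT value the signed binary carries. Separately, "Updated shim signature after shim 15.7 of SLE be signed back:" ends in a colon with no detail following it, and "-- Update to version 15.8" has a doubled dash.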
systemd-default-settings
+- Import 0.10
+  5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)
+
+- Import 0.9
+  bb859bf user@.service: Disable controllers by default (jsc#PED-2276)
+
+- The usage of drop-ins is now the official way for configuring systemd and its
+  various daemons on Factory/ALP. Hence the early drop-ins SUSE specific
+  "feature" has been abandoned.
+
+- Import 0.8
+  f34372f User priority '26' for SLE-Micro
+  c8b6f0a Revert "Convert more drop-ins into early ones"
+
+- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
+  6b8dde1 Convert more drop-ins into early ones
+
tftp
+- Allow enabling the service via `systemctl enable tftp` to create
+  the tftp.socket symlink [bsc#1215520]
+
-- create capabilites provided by both tftp and atftp
-  (bnc#801481 or bnc#725378)
-
vim
+- Updated to version 9.1 with patch level 0330, fixes the following problems
+  * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
+- refreshed vim-7.3-filetype_spec.patch
+- refreshed vim-7.3-filetype_ftl.patch
+- Update spec.skeleton to use autosetup in place of setup macro.
+- for the complete list of changes see
+  https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330
+
+- Updated to version 9.1 with patch level 0111, fixes the following security problems
+  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
+  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
+  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
+  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
+  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
+  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
+  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
+  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
+  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
+  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
+- for the complete list of changes see
+  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
+
zypper
+- Do not try to refresh repo metadata as non-root user
+  (bsc#1222086)
+  Instead show refresh stats and hint how to update them.
+- man: Explain how to protect orphaned packages by collecting
+  them in a plaindir repo.
+- packages: Add --autoinstalled and --userinstalled options to
+  list them.
+- Don't print 'reboot required' message if download-only or
+  dry-run (fixes #529)
+  Instead point out that a reboot would be required if the option
+  was not used.
+- Resepect zypper.conf option `showAlias` search commands
+  (bsc#1221963)
+  Repository::asUserString (or Repository::label) respects the
+  zypper.conf option, while name/alias return the property.
+- version 1.14.71
+
+- dup: New option --remove-orphaned to remove all orphaned
+  packages in dup (bsc#1221525)
+- version 1.14.70
+
+- info,summary: Support VendorSupportOption flag
+  VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
+- BuildRequires:  libzypp-devel >= 17.32.0.
+  API cleanup and changes for VendorSupportSuperseded.
+- Show active dry-run/download-only at the commit propmpt.
+- patch: Add --skip-not-applicable-patches option (closes #514)
+- Fix printing detailed solver problem description.
+  The problem description() is one rule out possibly many in
+  completeProblemInfo() the solver has chosen to represent the
+  problem. So either description or completeProblemInfo should be
+  printed, but not both.
+- Fix bash-completion to work with right adjusted numbers in the
+  1st column too (closes #505)
+- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
+- lr REPO: In the detailed view show all baseurls not just the
+  first one (bsc#1218171)
+- version 1.14.69
+