Packages changed:
  dbus-1 (1.10.10 -> 1.10.12)
  dbus-1-x11 (1.10.10 -> 1.10.12)
  desktop-translations
  freeipmi (1.5.3 -> 1.5.4)
  frogr (1.0 -> 1.2)
  gcin
  ghostscript (9.19 -> 9.20)
  gnome-keyring
  libical
  libstorage (2.26.9 -> 2.26.10)
  libvirt-python (2.2.0 -> 2.3.0)
  libyui-qt (2.46.26 -> 2.46.27)
  libyui-qt-pkg (2.45.6 -> 2.45.8)
  libzypp (16.2.5 -> 16.3.0)
  nautilus
  perl-Net-SMTP-SSL (1.03 -> 1.04)
  polkit-default-privs
  python-dnspython (1.14.0 -> 1.15.0)
  rubygem-byebug (9.0.5 -> 9.0.6)
  squid (3.5.20 -> 3.5.22)
  yast2-network (3.1.171 -> 3.2.4)
  yast2-packager (3.2.1 -> 3.2.2)
  yast2-slp (3.1.10 -> 3.1.11)
  yast2-vpn (3.1.3 -> 3.1.4)
  zypper (1.13.11 -> 1.13.12)

=== Details ===

==== dbus-1 ====
Version update (1.10.10 -> 1.10.12)
Subpackages: dbus-1-devel libdbus-1-3 libdbus-1-3-32bit

- Update to 1.10.12
  * Security fixes:
    + Do not treat ActivationFailure message received from root-owned
      systemd name as a format string. In principle this is a security
      vulnerability, but we do not believe it is exploitable in
      practice, because only privileged processes can own the
      org.freedesktop.systemd1 bus name, and systemd does not appear to
      send activation failures that contain "%".
      Please note that this probably *was* exploitable in dbus versions
      older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which
      at the time was only thought to be a denial of service
      vulnerability (CVE-2015-0245). If you are still running one of
      those versions, patch or upgrade immediately.
      (fdo#98157, bsc#1003898, Simon McVittie)
  * Other fixes:
    + Harden dbus-daemon against malicious or incorrect
      ActivationFailure messages by rejecting them if they do not come
      from a privileged process, or if systemd activation is not
      enabled (fdo#98157, Simon McVittie)
    + Avoid undefined behaviour when setting reply serial number
      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)

==== dbus-1-x11 ====
Version update (1.10.10 -> 1.10.12)
Subpackages: dbus-1

- Update to 1.10.12
  * Security fixes:
    + Do not treat ActivationFailure message received from root-owned
      systemd name as a format string. In principle this is a security
      vulnerability, but we do not believe it is exploitable in
      practice, because only privileged processes can own the
      org.freedesktop.systemd1 bus name, and systemd does not appear to
      send activation failures that contain "%".
      Please note that this probably *was* exploitable in dbus versions
      older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which
      at the time was only thought to be a denial of service
      vulnerability (CVE-2015-0245). If you are still running one of
      those versions, patch or upgrade immediately.
      (fdo#98157, bsc#1003898, Simon McVittie)
  * Other fixes:
    + Harden dbus-daemon against malicious or incorrect
      ActivationFailure messages by rejecting them if they do not come
      from a privileged process, or if systemd activation is not
      enabled (fdo#98157, Simon McVittie)
    + Avoid undefined behaviour when setting reply serial number
      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)

==== desktop-translations ====

- Update translations from SVN.

==== freeipmi ====
Version update (1.5.3 -> 1.5.4)

- Update to 1.5.4
  o Various changes/fixes in libipmiconsole
    - If user retrieves file descriptor from ipmiconsole_ctx_fd, user
      is required to close it. ipmiconsole_ctx_destroy no longer
      closes it.
      This is to avoid a potential double close which can be a problem
      for multithreaded applications. This is a change in behavior,
      but we do not believe this will affect most applications since
      most users close the file descriptor under most scenarios
      anyways.
    - ipmiconsole_ctx_destroy() should now be called to free resources
      even if ipmiconsole_engine_teardown() has been called. This has
      been done to create consistent behavior in the API and avoid a
      former segfault possibility. This is a change in behavior, but
      we do not believe this will affect most applications since
      ipmiconsole_engine_teardown() is only called when an application
      is being shutdown.
    - The use of IPMICONSOLE_ENGINE_CLOSE_FD has been clarified in the
      header file. Some of the prior text was unclear. Behavior has
      not been changed.
  o In ipmi-oem, support Intel get-bmc-services and set-bmc-services
    commands.
  o In ipmi-oem, support Gigabyte get-nic-mode and set-nic-mode
    commands.
  o Support Gigabyte MD90-FS0-ZB OEM SEL events.

==== frogr ====
Version update (1.0 -> 1.2)
Subpackages: frogr-lang

- Update to version 1.2:
  + Lowered gettext minimum version down to 0.19.7 to make it easier
    for older distributions to package frogr.
- Changes from version 1.1:
  + Added flatpak support.
  + Improved content inside the AppData file.
  + Fix cancellation of the image upload process.
  + Remove build-dependency on intltool, now relying on gettext only.
  + Raised gettext minimum version up to 0.19.8.
  + Updated translations.
- Drop intltool and itstool BuildRequires following upstream changes.

==== gcin ====
Subpackages: gcin-gtk2 gcin-gtk3 gcin-qt4 gcin-qt5 libgcin-im-client1

- Amend baselibs.conf to avoid the immodules to require gcin-32bit
  (boo#1002566)

==== ghostscript ====
Version update (9.19 -> 9.20)
Subpackages: ghostscript-devel ghostscript-x11

- Version upgrade to 9.20. Purely a maintenance release.
  For details see the News.htm and History9.htm files.
  Highlights in this release include:
  * The usual round of bug fixes, compatibility changes,
    and incremental improvements.
  Incompatible changes:
  * The planned device API tidy did not happen for this release,
    due to time pressures, but we still intend to undertake
    the following:
    We plan to somewhat tidy up the device API. We intend
    to remove deprecated device procs (methods/function pointers)
    and change the device API so every device proc takes
    a graphics state parameter (rather than the current scheme
    where only a very few procs take an imager state parameter).
    This should serve as notice to anyone maintaining a Ghostscript
    device outside the canonical source tree that you may
    (probably will) need to update your device(s) when these
    changes happen. Devices using only the non-deprecated procs
    should be trivial to update.
- Version upgrade to 9.20rc1 (first release candidate for 9.20).
  For details see the News.htm and History9.htm files.
  Regarding installing packages (in particular release candidates)
  from the openSUSE build service development project "Printing"
  see https://build.opensuse.org/project/show/Printing

==== gnome-keyring ====
Subpackages: gnome-keyring-32bit gnome-keyring-pam gnome-keyring-pam-32bit libgck-modules-gnome-keyring

- Update gnome-keyring-bsc932232-use-non-fips-md5.patch to fix issue
  that was reintroduced (bsc#966229, bsc#966225).

==== libical ====
Subpackages: libical-devel libical2

- Add 0001-build-ICU-must-appear-as-Requires-in-pkgconfig.patch
- Fix wrong baselibs provides
- Add pkgconfig(icu-i18n) BuildRequires: Build the new RSCALE support.

==== libstorage ====
Version update (2.26.9 -> 2.26.10)
Subpackages: libstorage-ruby libstorage7

- Don't accept 'format' flag if volume is in use (bsc#996007)
- 2.26.10

==== libvirt-python ====
Version update (2.2.0 -> 2.3.0)

- Update to 2.3.0
  - Add all new APIs and constants in libvirt 2.3.0
- spec: drop explicit Requires on libvirt-client package

==== libyui-qt ====
Version update (2.46.26 -> 2.46.27)

- Fix high-contrast support (bsc#76811 and related to bsc#780621)
- 2.46.27

==== libyui-qt-pkg ====
Version update (2.45.6 -> 2.45.8)

- Use the new QY2Styler usingHighContrastStyleSheet instead of the
  old usingVisionImpairedPalette (related to bsc#780621)
- 2.45.8
- Improve message shown when user wants to quit without saving
  changes (bsc#849084)
- 2.45.7

==== libzypp ====
Version update (16.2.5 -> 16.3.0)

- RepoInfo: Allow parsing multiple gpgkey= URLs (bsc#1003748)
- version 16.3.0 (0)

==== nautilus ====
Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension1

- Update nautilus-fix-desktop-icon-smash.patch: porting upstream's
  solution to work out the general aspect (bsc#979072, bgo#765601).

==== perl-Net-SMTP-SSL ====
Version update (1.03 -> 1.04)

- updated to 1.04
  see /usr/share/doc/packages/perl-Net-SMTP-SSL/Changes

  1.04 2016-10-09
  - mark this library deprecated, suggest newer Net::SMTP instead

==== polkit-default-privs ====

- add flatpak privileges, but currently auth_admin (bsc#984817)

==== python-dnspython ====
Version update (1.14.0 -> 1.15.0)

- New upstream release 1.15.0
  * IDNA 2008 support is now available if the "idna" module has been
    installed and IDNA 2008 is requested. The default IDNA behavior
    is still IDNA 2003. The new IDNA codec mechanism is currently
    only useful for direct calls to dns.name.from_text() or
    dns.name.from_unicode(), but in future releases it will be
    deployed throughout dnspython, e.g. so that you can read a
    masterfile with an IDNA 2008 codec in force.
  * By default, dns.name.to_unicode() is not strict about which
    version of IDNA the input complies with. Strictness can be
    requested by using one of the strict IDNA codecs.
  * Add AVC RR support.
  * Some problems with newlines in various output modes have been
    addressed.
  * dns.name.to_text() now returns text and not bytes on Python 3.x
  * More miscellaneous fixes for the Python 2/3 codeline merge.
- Include readme with readme.patch as not included in upstream tarball
- Fix a bug in the tests code with 210.patch with upstream pull
  request #210

==== rubygem-byebug ====
Version update (9.0.5 -> 9.0.6)

- updated to version 9.0.6
  see installed CHANGELOG.md

  ## 9.0.6 - 2016-09-29

  ### Fixed

  * Error when using `byebug` with a ruby compiled against libedit
    (#241).
  * Allow `Byebug.start_server` to yield the block passed to it when
    the actual port is already known (#277, thanks @cben).
  * Use a standard license name so it can be more reliably used by
    tools (#275).

==== squid ====
Version update (3.5.20 -> 3.5.22)

- Update Squid to 3.5.22
  * HTTP: MUST ignore a [revalidation] response with an older Date
    header.
  * Optimized/simplified buffering: Appending nothing is always
    possible.
  * Avoid segfaults when debugging section 4 at level 9.
  * fix #4302 pt2: IPFilter v5 transparent interception
  * Bug #4471: revalidation doesn't work when expired cached object
    lacks Last-Modified.
  * Bug #2833: Collapse internal revalidation requests (SMP-unaware
    caches)
  * Bug #3819: "fd >= 0" assertion in file_write() during
    reconfiguration
  * Do not leak url_rewrite_extras and store_id_extras on
    reconfigure/shutdown.
  * Fix potential ICAP null pointer dereference after rev.14082
  * Fix logged request size (%http::>st) and other size-related
    %codes.
- Merge changes from SLE12 SP2 so we have identical packages
- Update Squid to 3.5.21
  * fix assertion failure in xcalloc when using many cache_dir
    Squid is documented as supporting up to 64 cache directories, but
    would crash with a memory allocation error if more than a few
    were actually configured.
  * fix authentication credentials IP TTL updated incorrectly
    This bug caused error in max_user_ip ACL accounting to allow
    clients to shift IP address more times than configured. Fix may
    have an effect on IPv6 clients using "privacy addressing" to
    rotate IPs.
  * fix mal-formed Cache-Control:stale-if-error header
    This bug shows up as incorrect stale-if-error values being
    relayed by Squid breaking the use of this feature in the
    recipients. Squid now relays the header values correctly.
  * fix Proxy-Authenticate problem using ICAP server
    With this change Squid now treats the ICAP REQMOD adaptation
    point as a part of itself with regards to proxy authentication.
    The Proxy-Authentication header received from the client is
    delivered as part of the HTTP request headers in expectation that
    the ICAP service may authenticate and/or produce 407 response
    itself.
  * fix HTTP: MUST always revalidate Cache-Control:no-cache responses
    This bug shows up as Squid not revalidating some responses until
    they became stale according to refresh_pattern heuristic rules
    (specifically the minimum caching age). Squid now revalidates
    these objects on every request.
  * fix HTTP: do not allow Proxy-Connection to override Connection
  * fix SSL CN wildcard must only match a single domain fragment
    This bug shows up as incorrect matching (or non-matching) of the
    ssl::server_name ACL against TLS certificate values. Squid now
    treats the certificate CN fields according to X.509 domain
    matching requirements instead of HTTP domain matching
    requirements.
- squid-brokenad.patch
  * properly capitalize option name
  * make the conditional if() not a riddle

==== yast2-network ====
Version update (3.1.171 -> 3.2.4)

- do not duplicate work of network service at the beginning of
  AutoYaST's second stage - not loading modules and so on.
- 3.2.4
- If an interface is not configured yet then just set the interface
  link, the backend should handle at least the up event.
  (bsc#991694)
- 3.2.3
- Extra space in the remote administration dialog (bsc#988904)
- Use full interface up / down instead of setting just link up /
  down to allow proper update of interface's configuration.
  (bsc#991694)
- 3.2.2
- If WIFI is configured during installation, make sure the packages
  required for WIFI to work are installed in the resulting system
  (bsc#1002700)
- 3.2.1

==== yast2-packager ====
Version update (3.2.1 -> 3.2.2)

- Do not ask for a CD when the add-on check box is unchecked
  (bsc#955186)
- 3.2.2

==== yast2-slp ====
Version update (3.1.10 -> 3.1.11)

- Changed text domain to 'slp' (bsc#1004050)
- 3.1.11

==== yast2-vpn ====
Version update (3.1.3 -> 3.1.4)

- Instead of creating its own firewall custom-rules, put firewall
  commands into user's own custom-rules file. Bump version to 3.1.4
  for bsc#1002744.
- Fix translation in the connection status dialog (bsc#994349)

==== zypper ====
Version update (1.13.11 -> 1.13.12)
Subpackages: zypper-aptitude zypper-log

- addrepo: show repo priority summary (issue #82)
- Color repo priority values
- version 1.13.12