Packages changed:
  MozillaFirefox (115.0.1 -> 115.0.2)
  audit (3.0.9 -> 3.1.1)
  audit-secondary (3.0.9 -> 3.1.1)
  bind
  cryptsetup
  glibc
  iproute2 (6.3 -> 6.4)
  kernel-source (6.4.2 -> 6.4.3)
  keylime (7.2.5 -> 7.3.0)
  libbpf (1.2.0 -> 1.2.2)
  libnftnl (1.2.5 -> 1.2.6)
  python-jsonschema (4.18.0 -> 4.18.3)
  qpdf (11.4.0 -> 11.5.0)
  redis (7.0.11 -> 7.0.12)
  rpm-config-SUSE (20220926 -> 20230712)
  rust-keylime (0.2.1+git.1685699835.3c9d17c -> 0.2.2+git.1689256829.3d2b627)
  snapper
  texlive
  util-linux
  util-linux-systemd

=== Details ===

==== MozillaFirefox ====
Version update (115.0.1 -> 115.0.2)

- Mozilla Firefox 115.0.2
  * Fixed a bug with displaying a caret in the text editor on some websites (bmo#1840804)
  * Fixed a bug with broken audio rendering on some websites (bmo#1841982)
  * Fixed a bug with patternTransform translate using the wrong units (bmo#1840746)
  MFSA 2023-26 (bsc#1213230)
  * CVE-2023-3600 (bmo#1839703)
    Use-after-free in workers

==== audit ====
Version update (3.0.9 -> 3.1.1)
Subpackages: libaudit1 libauparse0

- Update to 3.1.1:
  * Add user friendly keywords for signals to auditctl
  * In ausearch, parse up URINGOP and DM_CTRL records
  * Harden auparse to better handle corrupt logs
  * Fix a CFLAGS propagation problem in the common directory
  * Move the audispd af_unix plugin to a standalone program
- Add _multibuild to define additional spec files as additional flavors.
  Eliminates the need for source package links in OBS.
- Enable livepatching on main library on x86_64.
- Update to 3.1:
  * Disable ProtectControlGroups in auditd.service by default
  * Fix rule checking for exclude filter
  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
  * Add new record types
  * Add io_uring support
  * Add support for new FANOTIFY record fields
  * Add keyword, this-hour, to ausearch/report start/end options
  * Add Requires.private to audit.pc file
  * Try to interpret OPENAT2 fields correctly

==== audit-secondary ====
Version update (3.0.9 -> 3.1.1)
Subpackages: audit python3-audit system-group-audit

- Update to 3.1.1:
  * Add user friendly keywords for signals to auditctl
  * In ausearch, parse up URINGOP and DM_CTRL records
  * Harden auparse to better handle corrupt logs
  * Fix a CFLAGS propagation problem in the common directory
  * Move the audispd af_unix plugin to a standalone program
- Add _multibuild to define additional spec files as additional flavors.
  Eliminates the need for source package links in OBS.
- Update to 3.1:
  * Disable ProtectControlGroups in auditd.service by default
  * Fix rule checking for exclude filter
  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
  * Add new record types
  * Add io_uring support
  * Add support for new FANOTIFY record fields
  * Add keyword, this-hour, to ausearch/report start/end options
  * Add Requires.private to audit.pc file
  * Try to interpret OPENAT2 fields correctly

==== bind ====

- Enable dnstap support

==== cryptsetup ====
Subpackages: cryptsetup-doc libcryptsetup12

- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
  * Check for physical memory available also in PBKDF benchmark.
  * Try to avoid OOM killer on low-memory systems without swap.
  * Use only half of detected free memory on systems without swap.
  * Add patches:
    - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
    - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
    - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch

==== glibc ====
Subpackages: glibc-extra glibc-locale glibc-locale-base nscd

- gshadow-erange-rhandling.patch: gshadow: Matching sgetsgent, sgetsgent_r
  ERANGE handling (BZ #30151)
- system-sigchld-block.patch: posix: Fix system blocks SIGCHLD erroneously
  (BZ #30163)
- gmon-buffer-alloc.patch: gmon: Fix allocated buffer overflow (BZ #29444)
- check-pf-cancel-handler.patch: __check_pf: Add a cancellation cleanup
  handler (BZ #20975)
- powerpc64-fcntl-lock.patch: io: Fix F_GETLK, F_SETLK, and F_SETLKW for
  powerpc64
- realloc-limit-chunk-reuse.patch: realloc: Limit chunk reuse to only
  growing requests (BZ #30579)
- dl-find-object-return.patch: elf: _dl_find_object may return 1 during
  early startup (BZ #30515)
- Need to build with GCC 12 as minimum
- fix-locking-in-_IO_cleanup.patch: Update to final version

==== iproute2 ====
Version update (6.3 -> 6.4)
Subpackages: iproute2-bash-completion

- Update to release 6.4
  * bridge: mdb: added underlay destination IP support, UDP destination
    port support, destination VNI support, source VNI support, outgoing
    interface support
  * macvlan: added the "bclim" parameter

==== kernel-source ====
Version update (6.4.2 -> 6.4.3)

- Linux 6.4.3 (bsc#1012628).
- mm: call arch_swap_restore() from do_swap_page() (bsc#1012628).
- bootmem: remove the vmemmap pages from kmemleak in free_bootmem_page
  (bsc#1012628).
- commit 5fb5b21

==== keylime ====
Version update (7.2.5 -> 7.3.0)
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python311-keylime

- Drop migrations_use_sa_text_for_raw_SQL.patch, merged upstream
- Update to version v7.3.0:
  * Monthly release (7.3.0)
  * tenant: log cleanup and output improvements
  * mba: moving the boot event log parsing to the MBA subdirectory
  * Add secure mount sanity test to packit testing
  * templates: Set empty string as default value for tpm_ownerpassword
  * migrations: use sa.text for raw SQL
  * ima: only log the accept list on validation failure
  * ima: remove code used for reading the IMA log from disk
  * tpm: Move functions from tpm_astract.py to tpm_util.py
  * tpm: Move splitting of quote string into reusable function
  * tpm: Change default value of Hash parameter to Hash.SHA256 from None
  * [tests] Enable basic allowlist/excludelist test
  * installer.sh: update TPM2TOOLS_VER to 5.5 and cherry-pick patches to
    fix the bug of parsing for most newer logs with the tpm2_eventlog
    command.
  * web_util: Remove check for code being 'None' since it is always an int
  * verifier: Remove possibility for agent to be None and remove error case
  * verifier: Remove conversion of agent to dict
  * verifier: Remove possibility for agent to be None and remove error case
  * verifier: Remove check for agent is None since it cannot be None
- Add migrations_use_sa_text_for_raw_SQL.patch to fix migrations in new
  SQLAlchemy versions

==== libbpf ====
Version update (1.2.0 -> 1.2.2)

- update to v1.2.2:
  * fix a regression in perf tool caused by libbpf resetting its custom
    catch-all SEC() handler on explicit bpf_program__set_type() call
  * fix possible double-free in USDT-related libbpf code, which happens
    when libbpf runs out of space in __bpf_usdt_specs map due to having
    too many unique USDT specs

==== libnftnl ====
Version update (1.2.5 -> 1.2.6)

- Update to release 1.2.6
  * expr: meta: introduce broute meta expression

==== python-jsonschema ====
Version update (4.18.0 -> 4.18.3)

- upgrade to 4.18.3:
  no changelog available, only a diff:
  https://github.com/python-jsonschema/jsonschema/compare/v4.18.2...v4.18.3
- upgrade to 4.18.2:
  * Fix an additional regression with the deprecated
    jsonschema.RefResolver and pointer resolution.
- upgrade to 4.18.1:
  * Fix a regression with jsonschema.RefResolver based resolution when
    used in combination with a custom validation dialect (via
    jsonschema.validators.create).

==== qpdf ====
Version update (11.4.0 -> 11.5.0)

- Update to 11.5.0:
  * When copying the same page more than once, ensure that annotations
    are copied and not shared among multiple pages.
  * Add new method Buffer::copy and deprecate Buffer copy constructor and
    assignment operator. Buffer copies are expensive and should be done
    explicitly.
  * The source code was reformatted to 100 columns instead of 80.
    Numerous cosmetic changes and changes suggested by clang-tidy were
    made.

==== redis ====
Version update (7.0.11 -> 7.0.12)

- redis 7.0.12:
  * (CVE-2022-24834) A specially crafted Lua script executing in Redis
    can trigger a heap overflow in the cjson and cmsgpack libraries, and
    result in heap corruption and potentially remote code execution. The
    problem exists in all versions of Redis with Lua scripting support,
    starting from 2.6, and affects only authenticated and authorized
    users. (bsc#1213193)
  * (CVE-2023-36824) Extracting key names from a command and a list of
    arguments may, in some cases, trigger a heap overflow and result in
    reading random heap memory, heap corruption and potentially remote
    code execution. Specifically: using COMMAND GETKEYS* and validation
    of key names in ACL rules. (bsc#1213249)
  * Re-enable downscale rehashing while there is a fork child
  * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with
  * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER,
    ZRANDMEMBER, SPOP, and eviction
  * Fix WAIT to be effective after a blocked module command being unblocked
  * Avoid unnecessary full sync after master restart in a rare case

==== rpm-config-SUSE ====
Version update (20220926 -> 20230712)

- Update to version 20230712:
  * Add more prjconf macros
  * update comment about _lto_cflags
  * drop %usrmerged macro (boo#1206798)
  * Fix SLE sbat macros used on Leap (bsc#1198458)

==== rust-keylime ====
Version update (0.2.1+git.1685699835.3c9d17c -> 0.2.2+git.1689256829.3d2b627)
Subpackages: keylime-ima-policy

- Update to version 0.2.2+git.1689256829.3d2b627:
  * Bump version to 0.2.2
  * build(deps): bump tempfile from 3.5.0 to 3.6.0
  * removing SIGINT stop signals from Dockerfiles and systemd service, as
    well as adding SIGTERM to IMA emulator as shutdown signal
- Update to version 0.2.1+git.1689167094.67ce0cf:
  * cargo: Bump serde to version 1.0.166
  * build(deps): bump libc from 0.2.142 to 0.2.147
  * adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi
  * hash: add more configurable hash algorithm for public key digest
  * cargo: Update clap to version 4.3.11
  * cargo: Bump tokio crate version to 1.28.2
  * Add an example of IMA policy
  * main: Gracefully shutdown on SIGTERM or SIGINT
  * cargo: Bump proc-macro2 crate version
  * revocation: Parse revocation actions flexibly
  * crypto: Add unit tests for x509 functions
  * crypto: Make internal functions private
  * config: Add unit test for the list to files mapping
  * config: Make trusted_client_ca to accept lists
  * lib: Implement parser for lists from config file
  * build(deps): bump openssl from 0.10.48 to 0.10.55
  * Add secure mount sanity test to packit testing.
  * [packit] Do not let COPR project expire

==== snapper ====
Subpackages: libsnapper7 snapper-zypp-plugin

- document disadvantage of using network users and order services after
  nss-user-lookup (gh#openSUSE/snapper#823)

==== texlive ====

- The rungs lua script belongs to texlive-scripts(-bin) only

==== util-linux ====
Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1

- Add patch to detect MD array as container of LUKS properly
  (boo#1213227, gh#util-linux/util-linux#2373):
  * 0001-Revert-libblkid-try-LUKS2-first-when-probing.patch

==== util-linux-systemd ====

- Add patch to detect MD array as container of LUKS properly
  (boo#1213227, gh#util-linux/util-linux#2373):
  * 0001-Revert-libblkid-try-LUKS2-first-when-probing.patch