Packages changed:
  MozillaFirefox (83.0 -> 84.0)
  MozillaThunderbird (78.5.1 -> 78.6.0)
  SDL2 (2.0.12 -> 2.0.14)
  akonadi-contact
  boost-base
  boost-extra
  dolphin
  gtk2 (2.24.32+70 -> 2.24.33)
  kaddressbook
  kvm_stat (5.9.12 -> 5.10.1)
  mozilla-nss (3.58 -> 3.59)
  openblas_pthreads (0.3.12 -> 0.3.13)
  orca (3.38.1 -> 3.38.2)
  plasma5-desktop
  python-importlib-metadata (3.1.1 -> 3.3.0)
  python-more-itertools (8.5.0 -> 8.6.0)
  python-pyOpenSSL
  sudo (1.9.4 -> 1.9.4p2)
  timezone (2020d -> 2020e)
  timezone-java (2020d -> 2020e)
  wireshark (3.4.1 -> 3.4.2)
  xmlsec1 (1.2.30 -> 1.2.31)

=== Details ===

==== MozillaFirefox ====
Version update (83.0 -> 84.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 84.0
  * Firefox 84 is the final release to support Adobe Flash
  * WebRender is enabled by default when run on GNOME-based X11 Linux desktops
  MFSA 2020-54 (bsc#1180039)
  * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed
  * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL
  * CVE-2020-26972 (bmo#1671382) Use-After-Free in WebGL
  * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
  * CVE-2020-26975 (bmo#1661071) Malicious applications on Android could have induced Firefox for Android into sending arbitrary attacker-specified headers
  * CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been
  * CVE-2020-26977 (bmo#1676311) URL spoofing via unresponsive port in Firefox for Android
  * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage
  * CVE-2020-26979 (bmo#1641287, bmo#1673299) When entering an address in the address or search bars, a website could have redirected the user before they were navigated to the intended url
  * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs
  * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead
  * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
  * CVE-2020-35114 (bmo#1607449, bmo#1640416, bmo#1656459, bmo#1669914, bmo#1673567) Memory safety bugs fixed in Firefox 84
- requires
  NSS >= 3.59
  rust >= 1.44
  rust-cbindgen >= 0.15.0
- remove revert-795c8762b16b.patch and replace with mozilla-pgo.patch
- Add/Enable GNOME search provider

==== MozillaThunderbird ====
Version update (78.5.1 -> 78.6.0)
Subpackages: MozillaThunderbird-translations-common

- Mozilla Thunderbird 78.6.0
  * changes and additions in MailExtensions
  * several bugfixes
  * https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
  MFSA 2020-56 (bsc#1180039)
  * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed
  * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL
  * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
  * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage
  * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs
  * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead
  * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Thunderbird 78.6

==== SDL2 ====
Version update (2.0.12 -> 2.0.14)

- update to 2.0.14:
  * Added support for PS5 DualSense and Xbox Series X controllers to the HIDAPI controller driver
  * Vulkan support to the KMSDRM video driver
  * see details on https://discourse.libsdl.org/t/sdl-2-0-14-released/28470

==== akonadi-contact ====
Subpackages: akonadi-contact-lang akonadi-plugin-contacts libKF5AkonadiContact5 libKF5ContactEditor5

- Obsolete kdepim-apps-libs-lang as well to avoid update problems

==== boost-base ====
Subpackages: boost-license1_75_0 libboost_date_time1_75_0 libboost_filesystem1_75_0 libboost_iostreams1_75_0 libboost_locale1_75_0 libboost_regex1_75_0 libboost_thread1_75_0

- libboost_nowide now uses same pattern of Provides/Conflicts and version numbers as other Boost libraries
- Add missing conflicts for Boost 1.66
- Boost.Build (jam) implementation now obsoletes older versions

==== boost-extra ====

- libboost_nowide now uses same pattern of Provides/Conflicts and version numbers as other Boost libraries
- Add missing conflicts for Boost 1.66
- Boost.Build (jam) implementation now obsoletes older versions

==== dolphin ====
Subpackages: dolphin-part dolphin-part-lang libdolphinvcs5

- Add upstream patch to fix crash on launch (kde#429628, kde#430434):
  * 0001-Fix-access-url-navigator-while-creating-new-tab-in-f.patch

==== gtk2 ====
Version update (2.24.32+70 -> 2.24.33)
Subpackages: gtk2-data gtk2-immodule-amharic gtk2-immodule-inuktitut gtk2-immodule-thai gtk2-immodule-tigrigna gtk2-immodule-vietnamese gtk2-immodule-xim gtk2-lang gtk2-tools gtk2-tools-32bit libgtk-2_0-0 libgtk-2_0-0-32bit

- Update to version 2.24.33:
  + This is the final GTK 2.x release. There will be no more updates to GTK 2. All users are encouraged to update to GTK 3 or 4.
  + Make the output of gtk-query-immodules deterministic.
  + GtkCalendar: Use %OB if supported.
  + GtkIconTheme: prefer exact matches.
  + build:
    - Support automake 1.16.
    - Fix compiler warnings with newer gcc.

==== kaddressbook ====
Subpackages: kaddressbook-doc kaddressbook-lang libKPimAddressbookImportExport5

- Obsolete kdepim-apps-libs-lang as well to avoid update problems

==== kvm_stat ====
Version update (5.9.12 -> 5.10.1)

- Fix kernel version comparison for selectively applying patches
  * so that it won't break when, e.g., 5.10.0 hits Factory

==== mozilla-nss ====
Version update (3.58 -> 3.59)
Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs mozilla-nss-tools

- update to NSS 3.59
  Notable changes
  * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
  Bugfixes
  * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
  * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
  * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
  * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
  * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
  * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents
  * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382)
  * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
  * bmo#1667989 - Fix gyp linking on Solaris
  * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
  * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
  * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds
  * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

==== openblas_pthreads ====
Version update (0.3.12 -> 0.3.13)

- Update to version 0.3.13
  common:
  * Added a generic bfloat16 SBGEMV kernel
  * Fixed a potentially severe memory leak after fork in OpenMP builds that was introduced in 0.3.12
  * Added detection of the Fujitsu Fortran compiler
  * Added detection of the (e)gfortran compiler on OpenBSD
  * Added support for overriding the default name of the library independently from symbol suffixing in the gmake builds (already supported in cmake)
  RISC V:
  * Added a RISC V port optimized for C910V
  POWER:
  * Added optimized POWER10 kernels for SAXPY, CAXPY, SDOT, DDOT and DGEMV_N
  * Improved DGEMM performance on POWER10
  * Improved STRSM and DTRSM performance on POWER9 and POWER10
  * Fixed segmentation faults in DYNAMIC_ARCH builds
  * Fixed compilation with the PGI compiler
  x86:
  * Fixed compilation of kernels that require SSE2 intrinsics since 0.3.12
  x86_64:
  * Added an optimized bfloat16 SBGEMV kernel for SkylakeX and Cooperlake
  * Improved the performance of SASUM and DASUM kernels through parallelization
  * Improved the performance of SROT and DROT kernels
  * Improved the performance of multithreaded xSYRK
  * Fixed OpenMP builds that use the LLVM Clang compiler together with GNU gfortran (where linking of both the LLVM libomp and GNU libgomp could lead to lockups or wrong results)
  * Fixed miscompilations by old gcc 4.6
  * Fixed misdetection of AVX2 capability in some Sandybridge cpus
  * Fixed lockups in builds combining DYNAMIC_ARCH with TARGET=GENERIC on OpenBSD
  ARM64:
  * Fixed segmentation faults in DYNAMIC_ARCH builds
  MIPS:
  * Improved kernels for Loongson 3R3 ("3A") and 3R4 ("3B") models, including MSA
  * Fixed bugs in the MSA kernels for CGEMM, CTRMM, CGEMV and ZGEMV
  * Added handling of zero increments in the MSA kernels for SSWAP and DSWAP
  * Added DYNAMIC_ARCH support for MIPS64 (currently Loongson3R3/3R4 only)
  SPARC:
  * Fixed building 32 and 64 bit SPARC kernels with the SolarisStudio compilers
- Fix invalid symlinks (boo#1179764).

==== orca ====
Version update (3.38.1 -> 3.38.2)
Subpackages: orca-lang

- Update to version 3.38.2:
  + Don't treat unknown coordinates as definitely off-screen. Should fix the problem seen with flat review resulting from a change in Gtk+ 3.24.24.

==== plasma5-desktop ====
Subpackages: plasma5-desktop-emojier plasma5-desktop-lang

- Add upstream patch to fix keyboard repeat settings not being applied immediately (boo#1164739, kde#418175):
  * Reparse-the-key-repeat-rate-config-when-we-try-to-load-it.patch

==== python-importlib-metadata ====
Version update (3.1.1 -> 3.3.0)

- New version requires typing_extensions for Python < 3.8 (Leap and TW python36 flavor)
- update to 3.3.0:
  * #265: ``EntryPoint`` objects now expose a ``.dist`` object referencing the ``Distribution`` when constructed from a Distribution.
  * The object returned by ``metadata()`` now has a formally-defined protocol called ``PackageMetadata`` with declared support for the ``.get_all()`` method. Fixes #126.
- add typing-extensions dependency for older python versions

==== python-more-itertools ====
Version update (8.5.0 -> 8.6.0)

- update to 8.6.0:
  * :func:`all_unique` (thanks to brianmaissy)
  * :func:`nth_product` and :func:`nth_permutation` (thanks to N8Brooks)
  * :func:`chunked` and :func:`sliced` now accept a ``strict`` parameter (thanks to shlomif and jtwool)
  * Python 3.5 has reached its end of life and is no longer supported.
  * Python 3.9 is officially supported.

==== python-pyOpenSSL ====

- Adjust metadata for skip-networked-test.patch and refer to the proper upstream ticket gh#pyca/pyopenssl#68.

==== sudo ====
Version update (1.9.4 -> 1.9.4p2)
Subpackages: sudo-plugin-python

- Update to 1.9.4p2
  * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash if the sudoers file contains a runas user-specific Defaults entry. Bug #951.
- News in 1.9.4p1
  * Fixed a regression introduced in version 1.9.4 where sudo would not build when configured using the --without-sendmail option. Bug #947.
  * Fixed a problem where if I/O logging was disabled and sudo was unable to connect to sudo_logsrvd, the command would still be allowed to run even when the "ignore_logfile_errors" sudoers option was enabled.
  * Fixed a crash introduced in version 1.9.4 when attempting to run a command as a non-existent user. Bug #948.
  * The installed sudo.conf file now has the default sudoers Plugin lines commented out. This fixes a potential conflict when there is both a system-installed version of sudo and a user-installed version. GitHub issue #75.
  * Fixed a regression introduced in sudo 1.9.4 where sudo would run the command as a child process even when a pseudo-terminal was not in use and the "pam_session" and "pam_setcred" options were disabled. GitHub issue #76.
  * Fixed a regression introduced in sudo 1.8.9 where the "closefrom" sudoers option could not be set to a value of 3. Bug #950.

==== timezone ====
Version update (2020d -> 2020e)

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

==== timezone-java ====
Version update (2020d -> 2020e)

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

==== wireshark ====
Version update (3.4.1 -> 3.4.2)
Subpackages: libwireshark14 libwiretap11 libwsutil12 wireshark-ui-qt

- Wireshark 3.4.2
  * CVE-2020-26422: QUIC dissector crash (boo#1180232)
  * Fix IETF QUIC TLS decryption errors when packets are coalesced with random data
  * QUIC: missing dissection of some coalesced SH packets
  * Fix false expect error seen on FCoE frames
  * Updated Protocol Support DOCSIS, FC-dNS, FC-SWILS, FCoE, QUIC, SNMP, and USBHID

==== xmlsec1 ====
Version update (1.2.30 -> 1.2.31)
Subpackages: libxmlsec1-1 libxmlsec1-nss1 libxmlsec1-openssl1

- Update to version 1.2.31:
  + Unload error strings in OpenSSL shutdown.
  + Make userData available when executing preExecCallback function.
  + Add an option to use secure memset.
- Pass --disable-md5 to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1] https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1