Packages changed:
amarok (2.9.70git.20200505T221221~fd05592cd8 -> 2.9.70git.20200617T113036~a69c9418b4)
chromium (81.0.4044.138 -> 83.0.4103.97)
fonts-config (20160921 -> 20200609+git0.42e2b1b)
mozilla-nspr (4.23 -> 4.25)
mozilla-nss (3.47.1 -> 3.53)
perl
python-Sphinx-doc
=== Details ===
==== amarok ====
Version update (2.9.70git.20200505T221221~fd05592cd8 -> 2.9.70git.20200617T113036~a69c9418b4)
Subpackages: amarok-lang
- Update to version 2.9.70git.20200617T113036~a69c9418b4:
* Fix activeTrackChanged connect in playlist navigators
(kde#418643,kde#389138)
* Fix Increase/Decrease Volume shortcuts (boo#1152751)
* Extract messages from QML
* Make include compatible with mariadb
==== chromium ====
Version update (81.0.4044.138 -> 83.0.4103.97)
- Another attempt on the location handling for Leap 15.1:
* no-location-leap151.patch
- Attempt to build with wayland/ozone enabled
- Enable more system libs on 15.2+
- Remove the chromium-83-gcc-location-revert.patch as it is wrong
approach to fix the problem
- Update _constraints to match up LTO enablement
- With GCC 10 released we should be able to enable LTO again
- Update to 83.0.4103.97 bsc#1172496:
* CVE-2020-6493: Use after free in WebAuthentication.
* CVE-2020-6494: Incorrect security UI in payments.
* CVE-2020-6495: Insufficient policy enforcement in developer tools.
* CVE-2020-6496: Use after free in payments.
- Add patch to not use bundled unrar:
* chromium-norar.patch
- Amend chromium-prop-codecs.patch to allow proprietary_codecs
without building third_party/openh264
- Add revert of location setting commit that broke build on
openSUSE Leap 15.1:
* chromium-83-gcc-location-revert.patch
- Swtich to GCC 9.x on Leaps to avoid gcc bug exposed in gcc8
- Add patch to fix building with new re2:
* chromium-81-re2-0.2020.05.01.patch
- Update _constraints to avoid very slow builds seen on obs-arm-4
(probably due to swap)
- Update to 83.0.4103.61 bsc#1171910:
* CVE-2020-6465: Use after free in reader mode. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-04-21
* CVE-2020-6466: Use after free in media. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-26
* CVE-2020-6467: Use after free in WebRTC. Reported by ZhanJia Song on 2020-04-06
* CVE-2020-6468: Type Confusion in V8. Reported by Chris Salls and Jake Corina of Seaside Security, Chani Jindal of Shellphish on 2020-04-30
* CVE-2020-6469: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-02
* CVE-2020-6470: Insufficient validation of untrusted input in clipboard. Reported by Micha? Bentkowski of Securitum on 2020-03-30
* CVE-2020-6471: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-08
* CVE-2020-6472: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-25
* CVE-2020-6473: Insufficient policy enforcement in Blink. Reported by Soroush Karami and Panagiotis Ilia on 2020-02-06
* CVE-2020-6474: Use after free in Blink. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-07
* CVE-2020-6475: Incorrect security UI in full screen. Reported by Khalil Zhani on 2019-10-31
* CVE-2020-6476: Insufficient policy enforcement in tab strip. Reported by Alexandre Le Borgne on 2019-12-18
* CVE-2020-6477: Inappropriate implementation in installer. Reported by RACK911 Labs on 2019-03-26
* CVE-2020-6478: Inappropriate implementation in full screen. Reported by Khalil Zhani on 2019-12-24
* CVE-2020-6479: Inappropriate implementation in sharing. Reported by Zhong Zhaochen of andsecurity.cn on 2020-01-14
* CVE-2020-6480: Insufficient policy enforcement in enterprise. Reported by Marvin Witt on 2020-02-21
* CVE-2020-6481: Insufficient policy enforcement in URL formatting. Reported by Rayyan Bijoora on 2020-04-07
* CVE-2020-6482: Insufficient policy enforcement in developer tools. Reported by Abdulrahman Alqabandi (@qab) on 2017-12-17
* CVE-2020-6483: Insufficient policy enforcement in payments. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-23
* CVE-2020-6484: Insufficient data validation in ChromeDriver. Reported by Artem Zinenko on 2020-01-26
* CVE-2020-6485: Insufficient data validation in media router. Reported by Sergei Glazunov of Google Project Zero on 2020-01-30
* CVE-2020-6486: Insufficient policy enforcement in navigations. Reported by David Erceg on 2020-02-24
* CVE-2020-6487: Insufficient policy enforcement in downloads. Reported by Jun Kokatsu (@shhnjk) on 2015-10-06
* CVE-2020-6488: Insufficient policy enforcement in downloads. Reported by David Erceg on 2020-01-21
* CVE-2020-6489: Inappropriate implementation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-02-10
* CVE-2020-6490: Insufficient data validation in loader. Reported by Twitter on 2019-12-19
* CVE-2020-6491: Incorrect security UI in site information. Reported by Sultan Haikal M.A on 2020-02-07
- Rebase patch:
* chromium-vaapi.patch
- Remove merged patches:
* icu-v67.patch
* chromium-80-gcc-blink.patch
* chromium-80.0.3987.106-missing-cstddef-header.patch
* chromium-80.0.3987.87-missing-cstdint-header.patch
* chromium-80.0.3987.87-missing-string-header.patch
* chromium-81-gcc-constexpr.patch
* chromium-81-gcc-noexcept.patch
* chromium-old-glibc-noexcept.patch
* fix-vaapi-with-glx.patch
- Add new patches:
* chromium-82-gcc-constexpr.patch
* chromium-82-gcc-incomplete-type.patch
* chromium-82-gcc-iterator.patch
* chromium-82-gcc-noexcept.patch
* chromium-82-gcc-template.patch
* chromium-83-gcc-10.patch
* chromium-83-gcc-include.patch
* chromium-83-gcc-iterator.patch
* chromium-83-gcc-permissive.patch
* chromium-83-gcc-serviceworker.patch
* chromium-83-gcc-template.patch
* chromium-83-icu67.patch
==== fonts-config ====
Version update (20160921 -> 20200609+git0.42e2b1b)
- Add a _service file
- Add code in %post to check the value of
FORCE_MODIFY_DEFAULT_FONT_SETTINGS_IN_NEXT_UPDATE and if it's
set to yes, empty or it doesn't exist, then update the values
of FORCE_HINTSTYLE, USE_LCDFILTER and USE_RGBA in
/etc/sysconfig/fonts-config to use the default settings
established in the 20181211 release (boo#1172022)
- Update to 20200609+git0.42e2b1b:
* Add variable to allow fonts-config to update default settings
* Fix en-US, en-GB font matching
- Update to 20190119
* Allow non-ASCII letters in font names (boo#1049056, bnc#1101985).
- Update to 20181211
* Update subpixel rendering config
* Fix missspelling issue (boo#1111791). so
Drop fonts-config-fix-misspelling.patch
* Fix (boo#1092737).
* other minor tidyups
- Use noun phrasing and user-independent wording.
- Add fonts-config-fix-misspelling.patch: fix misspelling in
configuration file(boo#1111791).
- new upstream: https://github.com/openSUSE/fonts-config
development will continue there.
- drop patch: fontconfig-infinality-generate-tt-groups.patch
* infinality project is dead, we use a static result in upstream
instead of generating it every time.
- update 20180430
* support color emoji
* modern fonts for symbol
* add configurations for Noto Sans/Serif CJK
- Do not create fonts.{dir,scale} in encodings directory
(boo#1106850).
==== mozilla-nspr ====
Version update (4.23 -> 4.25)
- update to version 4.25
* fixed reading files larger than 4 GB on Win32
* added support for Xtensa architecture
- update to version 4.24
* added macro PR_ASSERT_ARG
* removed some declarations
* added support for Nios-II, Nds32 and Microblaze architectures
==== mozilla-nss ====
Version update (3.47.1 -> 3.53)
Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs
- update to NSS 3.53
Notable changes:
* When using the Makefiles, NSS can be built in parallel, speeding up
those builds to more similar performance as the build.sh/ninja/gyp
system. (bmo#290526)
* SEED is now moved into a new freebl directory
freebl/deprecated (Bug 1636389). SEED will be disabled by default in
a future release of NSS. At that time, users will need to set the
compile-time flag (bmo#1622033) to disable that deprecation in order
to use the algorithm.
Algorithms marked as deprecated will ultimately
be removed.
* Several root certificates in the Mozilla program now set
the CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers can
query to further refine trust decisions. (bmo#1618404, bmo#1621159)
If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp
before the SCT or NotBefore date of a certificate that builtin
issued, then clients can elect not to trust it. This attribute
provides a more graceful phase-out for certificate authorities than
complete removal from the root certificate builtin store.
Bugs fixed
* Initialize PBE params (ASAN fix) (bmo#1640260)
* Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs
(bmo#1618404)
* Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID
root certs (bmo#1621159)
* PPC64: Correct compilation error between VMX vs. VSX vector
instructions (bmo#1629414)
* Fix various compile warnings in NSS (bmo#1639033)
* Fix a null pointer in security/nss/lib/ssl/sslencode.c:67
(bmo#1640041)
* Fix a null pointer in security/nss/lib/ssl/sslsock.c:4460
(bmo#1640042)
* Avoid multiple definitions of SHA{256,384,512}_* symbols when linking
libfreeblpriv3.so in Firefox on ppc64le (bmo#1638289)
* Relocate deprecated SEED algorithm (bmo#1636389)
* lib/ckfw: No such file or directory. Stop. (bmo#1637083)
* Additional modular inverse test (bmo#1561331)
* Rework and cleanup gmake builds (bmo#1629553)
* Remove mkdepend and "depend" make target (bmo#1438431)
* Support parallel building of NSS when using the Makefiles (bmo#290526)
* HACL* update after changes in libintvector.h (bmo#1636206)
* Fix building NSS on Debian s390x, mips64el, and riscv64 (bmo#1636058)
* Add option to build without SEED (bmo#1622033)
- Remove upstreamed patches nss-kremlin-ppc64le.patch
and nss-unit-test-fixes.patch
- update to NSS 3.52.1
Notable changes
* Update NSS to support PKCS#11 v3.0 (bmo#1603628)
* Support new PKCS #11 v3.0 Message Interface for AES-GCM and
ChaChaPoly (bmo#1623374)
* Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*
(bmo#1612493)
* CVE-2020-12399 - Force a fixed length for DSA exponentiation
(bmo#1631576, bsc#1171978)
- Set NSS_ENABLE_WERROR=0 in order to fix boo#1169746.
- update to NSS 3.52:
* Update NSS to support PKCS #11 v3.0. (bmo#1603628)
Note: This change modifies the CK_GCM_PARAMS struct to include
the ulIvBits field which, prior to PKCS #11 v3.0, was
ambiguously defined and not included in the NSS definition.
If an application is recompiled with NSS 3.52+, this field
must be initialized to a value corresponding to ulIvLen.
Alternatively, defining NSS_PKCS11_2_0_COMPAT will yield the
old definition. See the bug for more information.
* Support new PKCS #11 v3.0 Message Interface for AES-GCM and
ChaChaPoly (bmo#1623374).
* Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from
HACL* (bmo#1612493).
* Fix unused variable 'getauxval' error on iOS compilation.
(bmo#1633498)
* Add Softoken functions for FIPS. (bmo#1630721)
* Fix problem of GYP MSVC builds not producing debug symbol files.
(bmo#1630458)
* Add IKEv1 Quick Mode KDF. (bmo#1629663)
* MPConfig calls in SSL initialize policy before NSS is initialized.
(bmo#1629661)
* Support temporary session objects in ckfw. (bmo#1629655)
* Add PKCS11 v3.0 functions to module debug logger. (bmo#1629105)
* Fix error in generation of fuzz32 docker image after updates.
(bmo#1626751)
* Fix implicit declaration of function 'getopt' error. (bmo#1625133)
* Allow building of gcm-arm32-neon on non-armv7 architectures.
(bmo#1624864)
* Fix compilation error in Firefox Android. (bmo#1624402)
* Require CK_FUNCTION_LIST structs to be packed. (bmo#1624130)
* Fix clang warning for unknown argument '-msse4'. (bmo#1624377)
* Support new PKCS #11 v3.0 Message Interface for AES-GCM and
ChaChaPoly. (bmo#1623374)
* Fix freebl_cpuid for querying Extended Features. (bmo#1623184)
* Fix argument parsing in lowhashtest. (bmo#1622555)
* Introduce NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without
NEON support. (bmo#1620799)
* Add workaround option to include both DTLS and TLS versions in
DTLS supported_versions. (bmo#1619102)
* Update README: TLS 1.3 is not experimental anymore. (bmo#1619056)
* Fix UBSAN issue in ssl_ParseSessionTicket. (bmo#1618915)
* Don't assert fuzzer behavior in SSL_ParseSessionTicket.
(bmo#1618739)
* Update Delegated Credentials implementation to draft-07.
(bmo#1617968)
* Update HACL* dependencies for libintvector.h (bmo#1617533)
* Add vector accelerated SHA2 for POWER 8+. (bmo#1613238)
* Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from
HACL*. (bmo#1612493)
* Maintain PKCS11 C_GetAttributeValue semantics on attributes that
lack NSS database columns. (bmo#1612281)
* Add Wycheproof RSA test vectors. (bmo#1612260)
* broken fipstest handling of KI_len. (bmo#1608250)
* Consistently handle NULL slot/session. (bmo#1608245)
* Avoid dcache pollution from sdb_measureAccess(). (bmo#1603801)
* Update NSS to support PKCS #11 v3.0. (bmo#1603628)
* TLS 1.3 does not work in FIPS mode. (bmo#1561637)
* Fix overzealous assertion when evicting a cached sessionID or
using external cache. (bmo#1531906)
* Fix issue where testlib makefile build produced extraneous object
files. (bmo#1465613)
* Properly handle multi-block SEED ECB inputs. (bmo#1619959)
* Guard all instances of NSSCMSSignedData.signerInfo to avoid a CMS
crash (bmo#1630925)
* Name Constraints validation: CN treated as DNS name even when
syntactically invalid as DNS name (bmo#1571677)
- update to NSS 3.51.1:
* Update Delegated Credentials implementation to draft-07
(bmo#1617968)
* Add workaround option to include both DTLS and TLS versions in
DTLS supported_versions (bmo#1619102)
* Update README: TLS 1.3 is not experimental anymore
(bmo#1619056)
* Don't assert fuzzer behavior in SSL_ParseSessionTicket
(bmo#1618739)
* Fix UBSAN issue in ssl_ParseSessionTicket (bmo#1618915)
* Consistently handle NULL slot/session (bmo#1608245)
* broken fipstest handling of KI_len (bmo#1608250)
* Update Delegated Credentials implementation to draft-07
(bmo#1617968)
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
- update to NSS 3.51
* Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
* Correct swapped PKCS11 values of CKM_AES_CMAC and
CKM_AES_CMAC_GENERAL (bmo#1611209)
* Complete integration of Wycheproof ECDH test cases (bmo#1612259)
* Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183)
* Fix a compilation error for ?getFIPSEnv? "defined but not used"
(bmo#1614786)
* Send DTLS version numbers in DTLS 1.3 supported_versions extension
to avoid an incompatibility. (bmo#1615208)
* SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed
to be null-terminated (bmo#1538980)
* Correct a warning for comparison of integers of different signs:
'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88
(bmo#1561337)
* Add test for mp_int clamping (bmo#1609751)
* Don't attempt to read the fips_enabled flag on the machine unless
NSS was built with FIPS enabled (bmo#1582169)
* Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
* Fix compiler warning in secsign.c (bmo#1617387)
* Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval'
(bmo#1618400)
* Fix a crash on unaligned CMACContext.aes.keySchedule when using
AES-NI intrinsics (bmo#1610687)
- update to NSS 3.50
* Verified primitives from HACL* were updated, bringing performance
improvements for several platforms.
Note that Intel processors with SSE4 but without AVX are currently
unable to use the improved ChaCha20/Poly1305 due to a build issue;
such platforms will fall-back to less optimized algorithms.
See bmo#1609569 for details
* Updated DTLS 1.3 implementation to Draft-30.
See bmo#1599514 for details.
* Added NIST SP800-108 KBKDF - PKCS#11 implementation.
See bmo#1599603 for details.
* Several bugfixes and minor changes
- Disable LTO on %arm as LTO fails on neon errors
- update to NSS 3.49.2
Fixed bugs:
* Fix compilation problems with NEON-specific code in freebl
(bmo#1608327)
* Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)
- update to NSS 3.49.1
3.49.1
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes
* Cache the most recent PBKDF2 password hash, to speed up repeated
SDR operations, important with the increased KDF iteration counts (bmo#1606992)
3.49
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes
* The legacy DBM database, libnssdbm, is no longer built by default
when using gyp builds (bmo#1594933)
* several bugfixes
- update to NSS 3.48
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes
Notable Changes
* TLS 1.3 is the default maximum TLS version (bmo#1573118)
* TLS extended master secret is enabled by default, where possible
(bmo#1575411)
* The master password PBE now uses 10,000 iterations by default when
using the default sql (key4.db) storage (bmo#1562671)
Certificate Authority Changes
* Added Entrust Root Certification Authority - G4 Cert (bmo#1591178)
Bugfixes
- requires NSPR 4.24
==== perl ====
Subpackages: perl-base perl-base-32bit
- Fix various security issues in the study_chunk function
[bnc#1171863] [CVE-2020-10543]
[bnc#1171864] [CVE-2020-10878]
[bnc#1171866] [CVE-2020-12723]
new patch: perl-study.diff
- Comment out bad warning in features.ph file [bnc#1172348]
==== python-Sphinx-doc ====
Subpackages: python-Sphinx-doc-man-common python3-Sphinx-doc-man
- Disable test test_correct_year as we no longer match the
range and thus fail the builds on Leap bsc#1172721