Packages changed: ImageMagick (7.0.6.0 -> 7.0.6.7) dd_rescue kernel-source (4.11.8 -> 4.12.7) libzypp (16.14.0 -> 16.15.3) mercurial (4.2.2 -> 4.2.3) mozilla-nspr (4.14 -> 4.15) mozilla-nss (3.30.2 -> 3.31) p7zip python-Pillow zypper (1.13.29 -> 1.13.31) === Details === ==== ImageMagick ==== Version update (7.0.6.0 -> 7.0.6.7) Subpackages: ImageMagick-devel ImageMagick-extra perl-PerlMagick - updated to 7.0.7-7 * Improve EPS aliasing * Added a new option called 'dds:fast-mipmaps' * The mipmaps of a dds image can now be created from a list of images with - define dds:mipmaps=fromlist * Fixed numerous memory leaks * Put UTC time in the PNG tIME chunk instead of local time * Fixed numerous memory leaks * Properly set image->colorspace in the PNG decoder (previously it was setting image->gamma, but only setting image->colorspace for grayscale and gray-alpha images. * Fix improper use of NULL in the JNG decoder * Added "-define png:ignore-crc" option to PNG decoder. When you know your image has no CRC or ADLER32 errors, this can speed up decoding. It is also helpful in debugging bug reports from "fuzzers". * Off by one error for gradient coder * YUV coder no longer renders streaks * Fixed numerous memory leaks * Added experimental PNG orNT chunk, to store image->orientation. * Removed vpAg chunk write support * Fixed numerous memory leaks * Fix memory leaks when reading a malformed JNG image * Fixed numerous memory leaks * The -monochrome option no longer returns a blank canvas * coders/png.c: fixed memory leak of quantum_info * coders/png.c: fixed NULL dereference when trying to write an empty MNG * Added caNv, eXIf, and pHYs to the list of PNG chunks to be removed by the "-strip" option. * Implemented PNG eXIf chunk support * Support new -auto-threshold option. OTSU and Triangle methods are currently supported. Look for the Kapur method in the next release. * Fixed numerous memory leaks * Don't use variable float_t / double_t, bump SO * Support DNG images with libraw delegate library. * Reject PNG file that is too small (under 60 bytes) to contain a valid image. * Reject JPEG file that is too small (under 107 bytes) to contain a valid image. * Reject JNG file that is too small (under 147 bytes) to contain a valid image. * Stop a memory leak in read_user_chunk_callback() - workaround failed test + ImageMagick-relax-filter.t.patch (patch modified) on i586 with sse2 enabled, the Contrast test in filter.t fails ==== dd_rescue ==== Subpackages: dd_rescue-crypt dd_rescue-lzo - Add dd_rescue-i586-sse2.diff to fix dd_rescue compile and runtime problems when GCC defaults to SSE2 also on i586 like with SLE-15. ==== kernel-source ==== Version update (4.11.8 -> 4.12.7) Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms - Linux 4.12.7 (bnc#1012628). - commit 7dae241 - Refresh patches.fixes/netfilter-expect-fix-crash-when-putting-uninited-exp.patch. Update upstream status. - commit cdb9f49 - Linux 4.12.6 (CVE-2017-7542 CVE-2017-8831 bnc#1012628 bsc#1037994 bsc#1049882). - Delete patches.fixes/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch. - Delete patches.fixes/media-saa7164-fix-double-fetch-PCIe-access-condition. - commit 29b7412 - [media] saa7164: fix double fetch PCIe access condition (CVE-2017-8831 bsc#1037994). - commit 4d38c27 - Linux 4.12.5 (bnc#1012628 bsc#1049483 bsc#1049599). - Delete patches.fixes/dentry-name-snapshots.patch. - Delete patches.suse/0001-md-remove-idx-from-struct-resync_pages.patch. - commit e6109ef - Update config files. Fix vanillas after the orc update. - commit 2a27bf2 - Linux 4.12.4 (bnc#1012628). - commit f2e2c0a - ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542 bsc#1049882). - commit 00c5961 - Refresh patches.suse/0001-md-remove-idx-from-struct-resync_pages.patch. - commit b11fd5b - objtool: Fix sibling call detection logic (bnc#1018348). - x86/kconfig: Make it easier to switch to the new ORC unwinder (bnc#1018348). - x86/kconfig: Consolidate unwinders into multiple choice selection (bnc#1018348). - Refresh - Refresh patches.suse/0001-x86-unwind-Add-the-ORC-unwinder.patch. - Refresh patches.suse/0002-dwarf-do-not-throw-away-unwind-info.patch. - Refresh patches.suse/0002-objtool-x86-Add-several-functions-and-files-to-the-o.patch. - Refresh patches.suse/0002-x86-entry-64-Initialize-the-top-of-the-IRQ-stack-bef.patch. - Refresh patches.suse/0002-x86-kconfig-Make-it-easier-to-switch-to-the-new-ORC-.patch. - Refresh patches.suse/0003-objtool-Implement-stack-validation-2.0.patch. - Refresh patches.suse/0003-x86-kconfig-Consolidate-unwinders-into-multiple-choi.patch. - Refresh patches.suse/0007-x86-entry-64-Add-unwind-hint-annotations.patch. - Refresh patches.suse/0008-x86-asm-Add-unwind-hint-annotations-to-sync_core.patch. - Update config files. Update to version from -tip. ORC is in -tip completely. So make sure we use the upstream version. - commit 34dd0f5 - Refresh patches.suse/0001-mm-kmemleak-slightly-reduce-the-size-of-some-structu.patch. - Refresh patches.suse/0002-mm-kmemleak-factor-object-reference-updating-out-of-.patch. - Refresh patches.suse/0003-mm-kmemleak-treat-vm_struct-as-alternative-reference.patch. - commit f7ebe40 - Refresh patches.suse/0001-mm-kmemleak-slightly-reduce-the-size-of-some-structu.patch. - Refresh patches.suse/0002-mm-kmemleak-factor-object-reference-updating-out-of-.patch. - Refresh patches.suse/0003-mm-kmemleak-treat-vm_struct-as-alternative-reference.patch. - commit eb41516 - Input: ALPS - Fix Alps Touchpad two finger scroll does not work on right side (bsc#1050582). - commit 93ed5e8 - md: remove 'idx' from 'struct resync_pages' (bsc#1049599). - commit 515f14e - Linux 4.12.3 (CVE-2017-7541 bnc#1012628 bsc#1049645). - Refresh patches.suse/pstore-backend-autoaction. - Delete patches.fixes/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80. - commit 409edbf - dentry name snapshots (bsc#1049483). - commit 76ea0ca - debug: fix WARN_ON_ONCE() for modules (bnc#1049599). - commit b1e9bab - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541,bsc#1049645). - commit 823a643 - rpm/kernel-binary.spec.in: find-debuginfo.sh should not touch build-id This needs rpm-4.14+ (bsc#964063). - commit f622d60 - Refresh patches.suse/0001-x86-entry-64-Refactor-IRQ-stacks-and-make-them-NMI-s.patch. - Refresh patches.suse/0002-x86-entry-64-Initialize-the-top-of-the-IRQ-stack-bef.patch. - Refresh patches.suse/0003-x86-dumpstack-fix-occasionally-missing-registers.patch. - Refresh patches.suse/0004-x86-dumpstack-fix-interrupt-and-exception-stack-boun.patch. - Refresh patches.suse/0005-objtool-add-ORC-unwind-table-generation.patch. - Refresh patches.suse/0006-objtool-x86-add-facility-for-asm-code-to-provide-unw.patch. - Refresh patches.suse/0007-x86-entry-64-add-unwind-hint-annotations.patch. - Refresh patches.suse/0008-x86-asm-add-unwind-hint-annotations-to-sync_core.patch. Update upstream information. - commit 8db850a - Delete patches.fixes/drm-i915-Fix-S4-resume-breakage. The workaround wasn't merged to upstream, and it seems becoming superfluous with the recent i915 driver, so let's drop this one. - commit f5a35ab - Delete patches.rpmify/drm-i915-disable-KASAN-for-handlers.patch. It was never accepted, is under discussion. But we disabled CONFIG_DRM_I915_WERROR in commit 5fc7b327348b, so we are safe anyway. - commit 09fc05f - Delete patches.rpmify/get_builtin_firmware-gcc-7.patch. This was never accepted. Instead this seems to be fixed in gcc. - commit c486b10 - netfilter: expect: fix crash when putting uninited expectation (bnc#1048935). - Delete patches.fixes/netfilter-nf_ct_expect-fix-expect-removal.patch. Replace by upstream fix (from a subsys repo). - commit abad31d - netfilter: nf_ct_expect: fix expect removal (bnc#1048935). - commit 28fe876 - Drop multiversion(kernel) from the KMP template (fate#323189) - commit 71504d8 - Linux 4.12.2 (bnc#1012628). - commit 1b6adc0 - Linux 4.12.1 (bnc#1012628). - commit 77712d8 - rpm/kernel-docs.spec.in: Fix and cleanup for 4.13 doc build (bsc#1048129) The whole DocBook stuff has been deleted. The PDF build still non-working thus the sub-packaging disabled so far. - commit c9542b9 - fs/fcntl: f_setown, avoid undefined behaviour (bnc#1006180). - fs/fcntl: f_setown, allow returning error (bnc#1006180). - commit c67ada2 - x86/entry/64: Refactor IRQ stacks and make them NMI-safe (bnc#1018348). - x86/entry/64: Initialize the top of the IRQ stack before switching stacks (bnc#1018348). - x86/dumpstack: fix occasionally missing registers (bnc#1018348). - x86/dumpstack: fix interrupt and exception stack boundary checks (bnc#1018348). Update ORC to v3. - commit dca9bfc - Refresh patches.suse/0001-objtool-Move-checking-code-to-check.c.patch. - Refresh patches.suse/0002-objtool-x86-Add-several-functions-and-files-to-the-o.patch. - Refresh patches.suse/0003-objtool-Implement-stack-validation-2.0.patch. - Refresh patches.suse/0004-objtool-Silence-warnings-for-functions-which-use-IRE.patch. Update upstream status. - commit f413050 - rpm/kernel-docs.spec.in: temporary fix for 4.12 and later There is a little DocBook in 4.12 and none in 4.13. So remove creating the link. - commit 1d6ee3e - Refresh patches.fixes/tty-handle-the-case-where-we-cannot-restore-a-line-d.patch. Update upstream status. - commit 50443d0 - Update to 4.12-final. - commit f35ee68 - objtool: Silence warnings for functions which use IRET (bnc#1018348). - Update config files. - Refresh patches.suse/0002-dwarf-do-not-throw-away-unwind-info.patch. Push the new version of unDWARF unwinder which is now called Orc. The first 4 patches were accepted to the -tip tree, so they are marked appropriatelly. - commit 48ca048 ==== libzypp ==== Version update (16.14.0 -> 16.15.3) - RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735) - Fix repo/pkg checks to follow explicitly defined gpgcheck in a .repo file - version 16.15.3 (0) - Weaken fix for bsc#1038984 if 'gpgcheck=0' in libzypp-16.15.x only. This will allow some already released products to adapt to the behavioral changes introduced by fixing bsc#1038984, while systems with a default configuration (gpgcheck=1) already benefit from the fix in libzypp-16.15.x. For details see section 'Signature checking' in /etc/zypp/zypp.conf. - Fix gpg-pubkey release (creation time) computation (bsc#1036659) - update lsof blacklist (bsc#1046417) - version 16.15.2 (0) - Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269) - version 16.15.1 (0) - PackageProvider: enforce a signed package if pkgGpgCheckIsMandatory - Add RpmDb::checkPackageSignature to report unsigned packages - Fix repo gpg check workflows, mainly for unsigned repos and packages (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269) - version 16.15.0 (0) ==== mercurial ==== Version update (4.2.2 -> 4.2.3) Subpackages: mercurial-lang - mercurial 4.2.3: security fix updates for CVE-2017-1000115 and CVE-2017-1000116: * Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository (CVE-2017-1000115) * Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with - oProxyCommand (CVE-2017-1000116, bsc#1052696) ==== mozilla-nspr ==== Version update (4.14 -> 4.15) - update to version 4.15 * added TCP Fast Open functionality * various correctness fixes ==== mozilla-nss ==== Version update (3.30.2 -> 3.31) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools - update to NSS 3.31 New functionality * Allow certificates to be specified by RFC7512 PKCS#11 URIs. * Allow querying a certificate object for its temporary or permanent storage status in a thread safe way. New functions * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a certificate in a thread safe way. * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a certificate in a thread safe way. * PK11_FindCertFromURI - find a certificate identified by the given URI. * PK11_FindCertsFromURI - find a list of certificates identified by the given URI. * PK11_GetModuleURI - retrieve the URI of the given module. * PK11_GetTokenURI - retrieve the URI of a token based on the given slot information. * PK11URI_CreateURI - create a new PK11URI object from a set of attributes. * PK11URI_DestroyURI - destroy a PK11URI object. * PK11URI_FormatURI - format a PK11URI object to a string. * PK11URI_GetPathAttribute - retrieve a path attribute with the given name. * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name. * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object. New macros * Several new macros that start with PK11URI_PATTR_ for path attributes defined in RFC7512. * Several new macros that start with PK11URI_QATTR_ for query attributes defined in RFC7512. Notable changes * The APIs that set a TLS version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured. SSL_VersionRangeGetSupported can be used to query the overlap between the library's supported range of TLS versions and the systemwide policy. * Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a failure if the requested version range wasn't fully allowed by the systemwide crypto policy. They have been changed to return success, if at least one TLS version overlaps between the requested range and the systemwide policy. An application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to query the TLS version range that was effectively activated. * Corrected the encoding of Domain Name Constraints extensions created by certutil. * NSS supports a clean seeding mechanism for *NIX systems now using only /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile time. * CERT_AsciiToName can handle OIDs in dotted decimal form now. - removed obsolete nss-fix-hash.patch ==== p7zip ==== - remove 7zr manpage, fixes boo#899627 ==== python-Pillow ==== - Improve TK handling. - Fix self-obsoletes - python(3)-tk does not exist on SLE ==== zypper ==== Version update (1.13.29 -> 1.13.31) Subpackages: zypper-aptitude zypper-log - Improve signature check callback messages (bsc#1045735) - man: Explain new gpgcheck options - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) - BuildRequires: libzypp-devel >= 16.15.3 - version 1.13.31 - Adapt download callback to report and handle unsigned packages (bsc#1038984, CVE-2017-7436) - BuildRequires: libzypp-devel >= 16.15.0 - version 1.13.30