Packages changed:
  libcap (2.70 -> 2.73)
  logrotate (3.21.0 -> 3.22.0)
  mozjs128 (128.4.0 -> 128.5.1)
  polkit-default-privs (1550+20241111.762abac -> 1550+20241129.21d7d0b)
  python311
  python311-core
  selinux-policy (20241105 -> 20241118)
  systemd (256.7 -> 256.9)

=== Details ===

==== libcap ====
Version update (2.70 -> 2.73)

- update to 2.73:
  * https://sites.google.com/site/fullycapable/release-notes-for-libcap?authuser=0#h.7yd7ab9ppagk

==== logrotate ====
Version update (3.21.0 -> 3.22.0)

- Skip test-0110.sh, which fails after the update in the build chroot but
  not with identical settings on TW.
  * Add logrotate-3.22-skip-failing-test.patch
- update to 3.22.0:
  * fix calculations for time differences
  * fix extension for zip compression
  * fix omitted copy for logs with `mail` and `rotate 0`
  * fix wrongly skipping copy with `copytruncate` and `compress`
  * fix ambiguities between `mode`, `UID` and `GID` parsing when not
    specifying all options
  * fix hang when encountering a named pipe
  * on prerotate failure logs are preserved instead of rotated
  * in case a configuration file was skipped due to unsafe permissions, the
    exit status after rotation will be `1`
  * the state is no longer written to non-regular files
  * the systemd timer now correctly utilizes load distribution
  * add dateformat specifier `%z` for timezone offsets
  * change default mode for created `olddir` directories to `0755`
  * support quoted user and group names in `su`, `create`, and `createolddir`
- update logrotate.keyring: new maintainer

==== mozjs128 ====
Version update (128.4.0 -> 128.5.1)

- Update to version 128.5.1:
  + Fixed an issue that prevented some websites from loading when using
    SSL Inspection. (bmo#1933747)
- Changes from version 128.5.0:
  + Various security fixes and other quality improvements.
  + CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL.
  + CVE-2024-11692: Select list elements could be shown over another site.
  + CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims.
  + CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace
    Characters.
  + CVE-2024-11696: Unhandled Exception in Add-on Signature Verification.
  + CVE-2024-11697: Improper Keypress Handling in Executable File
    Confirmation Dialog.

==== polkit-default-privs ====
Version update (1550+20241111.762abac -> 1550+20241129.21d7d0b)

- Update to version 1550+20241129.21d7d0b:
  * profiles: adjust tuned settings to new upstream default (bsc#1232412)
  * profiles: add tuned methods for instance handling / PPD (bsc#1232412)
- Add format_spec_file service in manual mode
- Update to version 1550+20241127.a20426b:
  * profiles: whitelist systemd v257 actions (bsc#1233295)
- _service: switch from "disabled" mode to "manual" mode, which is a more
  fitting setting that is available now.

==== python311 ====

- Add add-loongarch64-support.patch to support loongarch64
- Fix changelog

==== python311-core ====
Subpackages: libpython3_11-1_0 python311-base

- Add add-loongarch64-support.patch to support loongarch64
- Fix changelog

==== selinux-policy ====
Version update (20241105 -> 20241118)
Subpackages: selinux-policy-targeted

- Fix minimum policy by re-adding snapper module (bsc#1234037)
- Update to version 20241118:
  * Add workaround for /run/rpmdb lockfile (bsc#1231127)
  * Add dedicated health-checker module (bsc#1231127)
- Packaging rework: moving all config files to git repository
  https://gitlab.suse.de/selinux/selinux-policy
- Moved booleans to dist/*/booleans.conf and dropped from package:
  * booleans-minimum.conf
    - user facing change: boolean settings are now the same as in upstream
  * booleans-mls.conf
    - user facing change: boolean settings are now the same as in upstream
  * booleans-targeted.conf
    - user facing change: the kerberos_enabled boolean was not enabled due
      to a bug; now it is enabled
- Moved booleans.subs_dist to dist/booleans.subs_dist and dropped from package
- Moved customizable_types to dist/customizable_types and dropped from package
  - user facing change: using upstream version
- Moved file_contexts.subs_dist to config/file_contexts.subs_dist and dropped
  from package
  - user facing change: changed systemd entries in file_contexts.subs_dist:
    /run/systemd/system -> dropped from file
    /run/systemd/generator.early /run/systemd/generator
    /run/systemd/generator.late /run/systemd/generator
- Moved modules config to dist//modules.conf and dropped from package:
  - user facing change: minimum policy: modules base and contrib are merged
    into modules.lst, and modules-enabled.lst was added which contains the
    enabled modules, replacing modules-minimum-disable.lst
    * modules-minimum-base.conf
    * modules-minimum-contrib.conf
    * modules-minimum-disable.lst
    * Added: modules-minimum.lst
  - user facing change: mls policy: modules base + contrib are merged into
    modules.lst
    * modules-mls-base.conf
    * modules-mls-contrib.conf
  - user facing change: targeted policy: modules base + contrib are merged
    into modules.lst:
    * modules-targeted-base.conf
    * modules-targeted-contrib.conf
- Moved securetty config to config/appconfig-/securetty_types and dropped
  from package
  - user facing change: using upstream version for all policy types
    * securetty_types-minimum
    * securetty_types-mls
    * securetty_types-targeted
- Moved setrans config to dist//setrans.conf and dropped from package
  * setrans-minimum.conf
  * setrans-mls.conf
  * setrans-targeted.conf
- Moved users config to dist//users and dropped from package
  * users-minimum
    - user facing change: added guest_u and xguest_u
  * users-mls
  * users-targeted
- Fix debug-build.sh to follow symlinks when creating the tarball
- Update embedded container-selinux version to commit:
  * 3f06c141bebc00a07eec4c0ded038aac4f2ae3f0
- Update to version 20241107:
  * Re-add kanidm module to dist/targeted/modules.conf
  * Add SUSE-specific file contexts to file_contexts.subs_dist
  * Disallow execstack in dist/minimum/booleans.conf
  * Add SUSE-specific booleans to dist/targeted/booleans.conf
  * Add SUSE specific modules to targeted modules.conf
  * Label /var/cache/systemd/home with systemd_homed_cache_t
  * Allow login_userdomain connect to systemd-homed over a unix socket
  * Allow boothd connect to systemd-homed over a unix socket
  * Allow systemd-homed get attributes of a tmpfs filesystem
  * Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
  * Allow aide connect to systemd-homed over a unix socket
  * Label /dev/hfi1_[0-9]+ devices
  * Remove the openct module sources
  * Remove the timidity module sources
  * Enable the slrn module
  * Remove i18n_input module sources
  * Enable the distcc module
  * Remove the ddcprobe module sources
  * Remove the timedatex module sources
  * Remove the djbdns module sources
  * Confine iio-sensor-proxy
  * Allow staff user nlmsg_write
  * Update policy for xdm with confined users
  * Allow virtnodedev watch mdevctl config dirs
  * Allow ssh watch home config dirs
  * Allow ssh map home configs files
  * Allow ssh read network sysctls
  * Allow chronyc sendto to chronyd-restricted
  * Allow cups sys_ptrace capability in the user namespace
  * Add policy for systemd-homed
  * Remove fc entry for /usr/bin/pump
  * Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
  * Allow accountsd read gnome-initial-setup tmp files
  * Allow xdm write to gnome-initial-setup fifo files
  * Allow rngd read and write generic usb devices
  * Allow qatlib search the content of the kernel debugging filesystem
  * Allow qatlib connect to systemd-machined over a unix socket
  * mls/modules.conf - fix typo
  * Use dist/targeted/modules.conf in build workflow
  * Fix default and dist config files
  * Allow unprivileged user watch /run/systemd
  * CI: update to actions/checkout@v4
  * Allow boothd connect to kernel over a unix socket
  * Clean up and sync securetty_types
  * Bring config files from dist-git into the source repo
  * Confine gnome-remote-desktop
  * Allow virtstoraged execute mount programs in the mount domain
  * Make mdevctl_conf_t member of the file_type attribute

==== systemd ====
Version update (256.7 -> 256.9)
Subpackages: libsystemd0 libudev1 systemd-boot systemd-experimental udev

- Add 5005-Revert-boot-Make-initrd_prepare-semantically-equival.patch
  Revert commit d64193a2a652b15db9cb9ed10c6b77a17ca46cd2 until the
  regression it caused, reported at
  https://github.com/systemd/systemd/issues/35439, is fixed (see also
  bsc#1233752 for its downstream counterpart).
- Disable EFI support on architectures that are not EFI-compliant
- Import commit 290170c8550bf2de4b5085ecdf7f056769944444 (merge of v256.9)
  This merge includes the following fix:
  cf7b3cc182 pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, noone else (bsc#1232227)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/c7671762b39ead7f8f9e70064256f5efaccedeca...290170c8550bf2de4b5085ecdf7f056769944444
- Import commit aee28e4c20a053ea27f8be69f2ea981e43bcb0b6
  aee28e4c20 udev-builtin-path_id: SAS wide ports must have num_phys > 1 (bsc#1231610)
  280989cfa4 core: when switching root remove /run/systemd before executing the binary specified by init= (bsc#1227580)
- Drop 5003-core-when-switching-root-remove-run-systemd-before-e.patch; this
  patch has been integrated in branch 'SUSE/v256', see above.