- update to 1.3.28:
* Security Fixes:
BMP: Fix non-terminal loop due to unexpected bit-field mask
value (DOS opportunity).
PALM: Fix heap buffer underflow in builds with QuantumDepth=8.
SetNexus(): Fix heap overwrite under certain conditions due to
using a wrong destination buffer. This issue impacts all
TIFF: Fix heap buffer read overflow in LocaleNCompare() when
parsing NEWS profile.
* Bug fixes:
DescribeImage(): Eliminate possible use of null pointer.
GIF: Fix memory leak of global colormap in error path.
GZ: Writing to gzip files with the extension ".gz" was
not working with Zlib 1.2.8.
JNG: Fix buffer read overflow (a tiny fixed overflow of just
JPEG: Promoting certain libjpeg warnings to errors caused
many more problems than expected. The promotion of
warnings to errors is removed. Claimed pixel dimensions
are validated by file size before allocating memory for
IntegralRotateImage(): Assure that reported error in rotate by
270 case does immediately terminate processing.
MNG: Fix possible null pointer reference related to DEFI chunk
parsing. Fix minor heap read overflow (constrained to just
one byte) due to an ordering issue in a limit check. Fix
memory leaks in error path.
WebP: Fix stack buffer overflow in WriteWEBPImage() which
occurs with libwebp 0.5.0 or newer due to a structure type
change in the structure passed to the progress monitor
WPG: Memory leaks fixed.
* API Updates:
InterpolateViewColor(): This function now returns MagickPassFail
(an unsigned int) rather than void so that errors can be
The magick/pixel_cache.h header is updated to add deprecation
attributes such that code using GetPixels(), GetIndexes(),
and GetOnePixel() will produce deprecation warnings for
compilers which support them. These functions will not be
removed in the 1.3.X release series and when they are
removed, pre-processor macros will be added so a replacement
function is used instead. There is a long-term objective to
eliminate functionally-redundant pixel cache functions to
only the ones with the best properties since this reduces
maintenance and may reduce the depth of the call stack
* removed unneeded GraphicsMagick-release-date-missing-quote.patch
==== MozillaThunderbird ====
Version update (52.5.2 -> 52.6)
- update to Thunderbird 52.6 (bsc#1077291)
* Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably: Content
not found in base64-encoded message parts, non-ASCII text not found
and false positives found.
* Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
* Calendar: Unintended task deletion if numlock is enabled
* Mozilla platform security fixes
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5096 (bmo#1418922)
Use-after-free while editing form elements
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- dropped obsolete mozilla-ucontext.patch
==== cryptsetup ====
Version update (1.7.5 -> 2.0.0)
- Update to version 2.0.0:
* Add support for new on-disk LUKS2 format
* Enable to use system libargon2 instead of bundled version
* Install tmpfiles.d configuration for LUKS2 locking directory
* New command integritysetup: support for the new dm-integrity kernel target
* Support for larger sector sizes for crypt devices
* Miscellaneous fixes and improvements
==== dracut ====
- support validating the IMA policy file signature, needed since Kernel 4.7
* Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch
- IMA: improve support for evm key loading (bsc#1077359, fate#323906)
* Adds 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
* Adds 0554-98integrity-support-X.509-only-EVM-configuration.patch
- FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070)
- Added a few more patch annotations
- Fix typo for ima dependency (evmtcl vs evmctl) (bsc#1073466)
- Updated Patch annotation regarding their upstream state
- FIPS: Try to fetch list of fips modules from the kernel's modules dir (bsc#1074984)
* Adds 0551-fips-use-lib-modules-uname-r-modules.fips.patch
- Annotated patches regarding their upstream state
- dracut-ima requires evmctl and keyutils (bsc#1073466)
==== installation-images-Kubic ====
Version update (14.355 -> 14.358)
- merge gh#openSUSE/installation-images#233
- add missing drivers for ppc (bsc#1077546)
- merge gh#openSUSE/installation-images#232
- add full open-iscsi package to zenworks image (bsc#1077301)
- Cleanup %ifarch conditions, remove targets unintentionally added
to s390/s390x. (bnc#1078436)
- Limit the amount of parallel link jobs, but no longer limit
compile jobs. This should prevent running out of memory during
linking while no longer slowing down compilation.
- Remove build dependency on procps
- Reduce disk size requirement to 30GB in _constraints. We no
longer need that much since we stopped building static libraries.
==== nut ====
Subpackages: libupsclient1 nut-cgi
- Fix clash between Group and %define GROUP by renaming the latter
to NUT_GROUP (and USER to NUT_USER)
- Replace duplicate man files by soft links
==== open-iscsi ====
- Removed the "rpm/" source directory from both the
open-iscsi-2.0.876-suse.tar.bz2 and open-iscsi-SUSE-latest.diff.bz2
files, since they are not needed for building and are not part
of the upstream sources. They are still available under the
git repository at github.com/hreinecke/open-iscsi.git. This means
that changes to the spec file or the changes file will no longer
require a change to the "*SUSE-latest*" file.
- Update to latest upstream version 2.0.876, with very few
SUSE-specific modifications, namely around things upstream
does not care about, like SUSE-specific systemd files. Also,
version number modified to add "-suse", as usual. See
the Changelog file for more details on changes in this
This replaces open-iscsi-2.0.875-suse.tar.bz2 with
open-iscsi-2.0.876-suse.tar.bz2, and resets
open-iscsi-SUSE-latest.diff.bz2 to contain only changes
since the 2.0.876-suse tag.
These changes added a new libopeniscsiusr.so library, as
well as include files under a new open-iscsi-dev package,
if you want to link against this library.
The SPEC file was also cleaned up using spec-cleaner.
==== yast2-python-bindings ====
Version update (4.0.0 -> 4.0.2)
- Build both python2 and python3 versions of the bindings;
- Convert the bindings into python3; (bsc#1074696).
- Fix some code examples; (bsc#1070212).
- Add example code ported from ruby examples; (bsc#1070212).
- Fixes based on findings from example code