Hi,

With this update, u-boot should now work again on RPi4 with latest firmware.
https://bugzilla.suse.com/show_bug.cgi?id=1207562

Cheers,
Guillaume

> -----Original Message-----
> From: Guillaume Gardet <[email protected]>
> Sent: Wednesday, February 22, 2023 7:04 PM
> To: [email protected]
> Subject: New Arm Tumbleweed snapshot 20230221 released!
>
> Please note that this mail was generated by a script.
> The described changes are computed based on the aarch64 DVD.
> The full online repo contains too many changes to be listed here.
>
> Please check the known defects of this snapshot before upgrading:
> https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20230221
>
> Please do not reply to this email to report issues, rather file a bug on
> bugzilla.opensuse.org. For more information on filing bugs please see
> https://en.opensuse.org/openSUSE:Submitting_bug_reports
>
> Packages changed:
>   NetworkManager
>   binutils (2.39 -> 2.40)
>   gnome-contacts
>   gnome-control-center
>   java-11-openjdk
>   lapack
>   libpaper (2.0.4 -> 2.0.9)
>   lightsoff
>   mutter (43.3 -> 43.3+2)
>   nautilus-share
>   openblas_openmp
>   openblas_pthreads
>   openssl-3 (3.0.7 -> 3.0.8)
>   openssl (3.0.7 -> 3.0.8)
>   parole (4.16.0 -> 4.18.0)
>   pidgin (2.14.10 -> 2.14.12)
>   procps4 (4.0.2 -> 4.0.3)
>   qca-qt5
>   systemd-presets-common-SUSE
>   traceroute (2.1.1 -> 2.1.2)
>   u-boot-rpiarm64
>   xfce4-notifyd (0.8.0 -> 0.8.1)
>   yast2-packager (4.5.15 -> 4.5.16)
>   zchunk (1.2.3 -> 1.2.4)
>
> === Details ===
>
> ==== NetworkManager ====
> Subpackages: NetworkManager-bluetooth NetworkManager-pppoe
> NetworkManager-tui NetworkManager-wwan libnm0 typelib-1_0-NM-1_0
>
> - Add 1539.patch: Fix constructing the IPv4 nameserver variable
>   (boo#1208371).
> - Pass session_tracking=systemd and
>   session_tracking_consolekit=false to meson, no longer build
>   support for consolekit as session tracker.
>
> ==== binutils ====
> Version update (2.39 -> 2.40)
> Subpackages: libctf-nobfd0 libctf0
>
> - Pack libgprofng only for supported platforms.
> - Remove upstreamed patch binutils-maxpagesize.diff.
> - Rebase binutils-2.40-branch.diff.gz as it includes fix for PR30043.
> - Move libgprofng-related libraries to the proper locations (packages).
> - Add --without=bootstrap for skipping of bootstrap (faster testing
>   of the package).
>
> ==== gnome-contacts ====
> Subpackages: gnome-shell-search-provider-contacts
>
> - Drop unneeded nor used pkgconfig(clutter-gtk-1.0) BuildRequires.
>
> ==== gnome-control-center ====
> Subpackages: gnome-control-center-color gnome-control-center-goa
> gnome-control-center-user-faces
>
> - Drop unneeded nor used pkgconfig(clutter-1.0) BuildRequires.
>
> ==== java-11-openjdk ====
> Subpackages: java-11-openjdk-headless
>
> - Remove the accessibility sub-package, since it was never really
>   working and creates another problems (bsc#1205916). It can
>   eventually be built as standalone if needed
> - Removed patches:
>   * jaw-jdk10.patch
>   * jaw-misc.patch
>   * jaw-nogtk.patch
>     + not needed after the removal of the accessibility sub-package
>
> ==== lapack ====
> Subpackages: libblas3 libcblas3 liblapack3
>
> - As a configurable option add tmglib code to the LAPACK library
>   and enable TMG in LAPACKE as the header files provide its API
>   (boo#1207989 & bsc#1087426).
> - Restore generic link for update-alternatives. This is usually
>   set by the update-alternatives and it is '%ghost'ed but rpmlint
>   complains.
> - Move update-alternatives --remove to %%postun to stop rpmlint
>   from complaining.
> - Removed useless - because never executed - %%postrans scriptlets.
> - Added missing _%%{_arch} to update-alternative names.
> - rpmlint complains anyway - this time about alternative-link-missing
>   - as it does not understand the _%%{_arch} endings: muffle with
>   rpmlintrc.
> - Make arch-dependent generic names conditional.
>
> ==== libpaper ====
> Version update (2.0.4 -> 2.0.9)
> Subpackages: libpaper-tools libpaper2
>
> - update to 2.0.9:
>   * Tweak the documentation of how paper sizes are set to make it
>     easier to find and more accurate.
>   * Removes the requirement for help2man at build time
>   * Various fixes.
>
> ==== lightsoff ====
>
> - Drop unused nor needed pkgconfig(clutter-1.0) and
>   pkgconfig(clutter-gtk-1.0) BuildRequires.
>
> ==== mutter ====
> Version update (43.3 -> 43.3+2)
>
> - Update to version 43.3+2:
>   + wayland: Don't overwrite surface offsets.
>   + x11: Avoid updating focus on wayland compositor (boo#1208494).
>
> ==== nautilus-share ====
>
> - Add 5.patch: Fix `'net usershare' returned error 255`
>   (bsc#1208375).
>
> ==== openblas_openmp ====
>
> - Make sure pre-existing (arch-independent) update-alternatives
>   are wiped before registering new ones.
>   Since update-alternatives has no reliable way to check if
>   a certain 'generic name' exists, brute-force it and ignore
>   any error (boo#1208248).
> - Remove totally pointless - ie. never executed - %%posttrans
>   script.
> - Restore generic link for update-alternatives. This is usually
>   set by the update-alternatives and it is '%ghost'ed but rpmlint
>   complains.
> - Add rpmlintrc rules to avoid false positives from consistently
>   guessing the update-alternatives generic name wrong.
> - Make arch dependent generic names conditional.
>
> ==== openblas_pthreads ====
>
> - Make sure pre-existing (arch-independent) update-alternatives
>   are wiped before registering new ones.
>   Since update-alternatives has no reliable way to check if
>   a certain 'generic name' exists, brute-force it and ignore
>   any error (boo#1208248).
> - Remove totally pointless - ie. never executed - %%posttrans
>   script.
> - Restore generic link for update-alternatives. This is usually
>   set by the update-alternatives and it is '%ghost'ed but rpmlint
>   complains.
> - Add rpmlintrc rules to avoid false positives from consistently
>   guessing the update-alternatives generic name wrong.
> - Make arch dependent generic names conditional.
>
> ==== openssl-3 ====
> Version update (3.0.7 -> 3.0.8)
> Subpackages: libopenssl3 libopenssl3-hmac
>
> - Update to 3.0.8:
>   * Fixed NULL dereference during PKCS7 data verification.
>     A NULL pointer can be dereferenced when signatures are being
>     verified on PKCS7 signed or signedAndEnveloped data. In case the hash
>     algorithm used for the signature is known to the OpenSSL library but
>     the implementation of the hash algorithm is not available the digest
>     initialization will fail. There is a missing check for the return
>     value from the initialization function which later leads to invalid
>     usage of the digest API most likely leading to a crash.
>     ([bsc#1207541, CVE-2023-0401])
>     PKCS7 data is processed by the SMIME library calls and also by the
>     time stamp (TS) library calls. The TLS implementation in OpenSSL does
>     not call these functions however third party applications would be
>     affected if they call these functions to verify signatures on untrusted
>     data.
>   * Fixed X.400 address type confusion in X.509 GeneralName.
>     There is a type confusion vulnerability relating to X.400 address processing
>     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
>     but the public structure definition for GENERAL_NAME incorrectly specified
>     the type of the x400Address field as ASN1_TYPE. This field is subsequently
>     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
>     than an ASN1_STRING.
>     When CRL checking is enabled (i.e. the application sets the
>     X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
>     pass arbitrary pointers to a memcmp call, enabling them to read memory
>     contents or enact a denial of service.
>     ([bsc#1207533, CVE-2023-0286])
>   * Fixed NULL dereference validating DSA public key.
>     An invalid pointer dereference on read can be triggered when an
>     application tries to check a malformed DSA public key by the
>     EVP_PKEY_public_check() function.
>     This will most likely lead
>     to an application crash. This function can be called on public
>     keys supplied from untrusted sources which could allow an attacker
>     to cause a denial of service attack.
>     The TLS implementation in OpenSSL does not call this function
>     but applications might call the function if there are additional
>     security requirements imposed by standards such as FIPS 140-3.
>     ([bsc#1207540, CVE-2023-0217])
>   * Fixed Invalid pointer dereference in d2i_PKCS7 functions.
>     An invalid pointer dereference on read can be triggered when an
>     application tries to load malformed PKCS7 data with the
>     d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
>     The result of the dereference is an application crash which could
>     lead to a denial of service attack. The TLS implementation in OpenSSL
>     does not call this function however third party applications might
>     call these functions on untrusted data.
>     ([bsc#1207539, CVE-2023-0216])
>   * Fixed Use-after-free following BIO_new_NDEF.
>     The public API function BIO_new_NDEF is a helper function used for
>     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
>     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
>     be called directly by end user applications.
>     The function receives a BIO from the caller, prepends a new BIO_f_asn1
>     filter BIO onto the front of it to form a BIO chain, and then returns
>     the new head of the BIO chain to the caller. Under certain conditions,
>     for example if a CMS recipient public key is invalid, the new filter BIO
>     is freed and the function returns a NULL result indicating a failure.
>     However, in this case, the BIO chain is not properly cleaned up and the
>     BIO passed by the caller still retains internal pointers to the previously
>     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
>     then a use-after-free will occur. This will most likely result in a crash.
>     ([bsc#1207536, CVE-2023-0215])
>   * Fixed Double free after calling PEM_read_bio_ex.
>     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
>     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
>     data. If the function succeeds then the "name_out", "header" and "data"
>     arguments are populated with pointers to buffers containing the relevant
>     decoded data. The caller is responsible for freeing those buffers. It is
>     possible to construct a PEM file that results in 0 bytes of payload data.
>     In this case PEM_read_bio_ex() will return a failure code but will populate
>     the header argument with a pointer to a buffer that has already been freed.
>     If the caller also frees this buffer then a double free will occur. This
>     will most likely lead to a crash.
>     The functions PEM_read_bio() and PEM_read() are simple wrappers around
>     PEM_read_bio_ex() and therefore these functions are also directly affected.
>     These functions are also called indirectly by a number of other OpenSSL
>     functions including PEM_X509_INFO_read_bio_ex() and
>     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
>     internal uses of these functions are not vulnerable because the caller does
>     not free the header argument if PEM_read_bio_ex() returns a failure code.
>     ([bsc#1207538, CVE-2022-4450])
>   * Fixed Timing Oracle in RSA Decryption.
>     A timing based side channel exists in the OpenSSL RSA Decryption
>     implementation which could be sufficient to recover a plaintext across
>     a network in a Bleichenbacher style attack. To achieve a successful
>     decryption an attacker would have to be able to send a very large number
>     of trial messages for decryption. The vulnerability affects all RSA padding
>     modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
>     ([bsc#1207534, CVE-2022-4304])
>   * Fixed X.509 Name Constraints Read Buffer Overflow.
>     A read buffer overrun can be triggered in X.509 certificate verification,
>     specifically in name constraint checking. The read buffer overrun might
>     result in a crash which could lead to a denial of service attack.
>     In a TLS client, this can be triggered by connecting to a malicious
>     server. In a TLS server, this can be triggered if the server requests
>     client authentication and a malicious client connects.
>     ([bsc#1207535, CVE-2022-4203])
>   * Fixed X.509 Policy Constraints Double Locking security issue.
>     If an X.509 certificate contains a malformed policy constraint and
> ... changelog too long, skipping 21 lines ...
> 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte)
>
> ==== openssl ====
> Version update (3.0.7 -> 3.0.8)
>
> - Update to 3.0.8
>
> ==== parole ====
> Version update (4.16.0 -> 4.18.0)
> Subpackages: parole-lang
>
> - Update to version 4.18.0
>   * Update copyright year
>   * Update bug report address
>   * player: Prevent infinite cycle when setting volume (#119)
>   * Update some icon names (!17)
>   * Reduce hiding controls to 2 seconds (Fixes #80, !12)
>   * autoconf: Some updates
>   * Update `.gitignore`
>   * build: Replace DATADIRNAME no longer set by xfce4-dev-tools >= 4.17.0
>   * build: Bump GLib minimum required to 2.38
>   * autoconf: Use AC_CONFIG_MACRO_DIRS (!14)
>   * Fix memory leak when loading cover image (#98)
>   * Fix compilation warnings (!11)
>   * Makefile.am: INCLUDES -> AM_CPPFLAGS
>   * autoconf: Some updates
>   * Remove the deprecated keys from desktop file (!9)
>   * Translation Updates
>
> ==== pidgin ====
> Version update (2.14.10 -> 2.14.12)
> Subpackages: libpurple libpurple-client0 libpurple-plugin-sametime libpurple-tcl
> libpurple0
>
> - update to 2.14.12:
>   * Remove a string from the Romanian translation that breaks
>     the creation of the Windows installer.
>   * Add Markus "ivanhoe" Fischer to the Crazy Patch Writers!
>   * Fix a crash when closing a group chat with spellchk plugin
>     enabled.
>   * Fix network interface detection on Windows to fix broken file
>     transfers.
>   * Update the about box to point people to Discourse instead of
>     the mailing lists.
>
> ==== procps4 ====
> Version update (4.0.2 -> 4.0.3)
> Subpackages: libproc2-0
>
> - Update to procps-ng-4.0.3
>   * library
>     Only changes were in copyright headers and tests
>   * docs: Don't install English manpages twice
>   * pgrep: Add -H match on userspace signal handler merge #165
>   * pgrep: make --terminal respect other criteria
>   * ps: c flag shows command name again Debian #1026326
>   * ps.1: Match drs description from top.1 merge #156
>   * skill: Match on -p again Debian #1025915
>   * top: E/P-core toggle ('5' key) added to help
>   * vmstat: Refresh memory statistics Debian #1027963
>   * vmstat: Fix initial si,so,bi,bo,in & cs values issue #15
>     Debian #668580
>   * vmstat: Fix conversion errors due to precision merge #75
>   * w: Add --pids option merge #159
>   * watch: Pass through beep issue #104
>   * watch: -r option to not re-exec on SIGWINCH merge #125
>   * watch: find eol with --no-linewrap merge #157
> - Drop patches now upstream
>   * linguas.patch
>   * 82d8e3fa.patch
> - Port patches
>   * procps-ng-3.3.10-errno.patch
>   * procps-ng-3.3.10-slab.patch
>   * procps-ng-3.3.10-xen.dif
>   * procps-ng-3.3.11-pmap4suse.patch
>   * procps-ng-3.3.8-ignore-scan_unevictable_pages.patch
>   * procps-ng-3.3.8-petabytes.patch
>   * procps-ng-3.3.8-readeof.patch
>   * procps-ng-3.3.8-vmstat-terabyte.dif
>   * procps-ng-3.3.9-w-notruncate.diff
>   * procps-v3.3.3-columns.dif
>   * procps-v3.3.3-ia64.diff
>   * procps-v3.3.3-pwdx.patch
>   * procps-v3.3.3-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff
>
> ==== qca-qt5 ====
> Subpackages: libqca-qt5-2 qca-qt5-plugins
>
> - Disable the pgp test. It fails randomly.
> - Remove test that openssl has decided it's wrong [boo#1208393]
>   * Add 0001-Remove-test-that-openssl-has-decided-it-s-wrong.patch
>
> ==== systemd-presets-common-SUSE ====
>
> - Enable spice-vdagent.service and xdg-user-dirs.service by default
>   (boo#1201728)
>
> ==== traceroute ====
> Version update (2.1.1 -> 2.1.2)
>
> - update to version 2.1.2:
>   * Fix unprivileged ICMP tracerouting with Linux kernel >= 6.1
>
> ==== u-boot-rpiarm64 ====
> Subpackages: u-boot-rpiarm64-doc
>
> Patch queue updated from https://github.com/openSUSE/u-boot.git tumbleweed-2023.01
> Use new upstream solution to fix boo#1207562
> * Patches dropped:
>   0017-Backport-https-patchwork.ozlabs.org.patch
> * Patches added:
>   0017-Bump-LMB_MAX_REGIONS-default-to-16.patch
>   0018-lmb-Treat-a-region-which-is-a-subse.patch
>
> ==== xfce4-notifyd ====
> Version update (0.8.0 -> 0.8.1)
> Subpackages: xfce4-notifyd-lang
>
> - Update to 0.8.1:
>   * Set 1.5s timeouts for the log dbus proxy
>   * Move log dbus server to its own object/file
>   * Wrap queue item struct creation with a function
>   * Improve old log migration error reporting
>   * Delete old log file if it was empty
>   * Clean up old log action parsing loop
>   * Print a message if log db is busy or locked
>   * Plug memleak when not sending log changed signal
>   * Use GStrvBuilder instead of constructing one manually
>   * Handle empty strings from DBus
>   * Limit notification body to 2 lines in plugin menu
>   * Remove old legacy support options from configure
>   * Ensure gdbus-codegen doesn't generate too-new code
>   * Clean up generate code and deprecate Quit method
>   * Make all notification log access go through dbus
>   * Drop old gtk 3.0 themes (3.20 themes are always used)
>   * Clean up build system
>   * Add hidden setting to restore override-redirect behavior
>   * Remove ChangeLog make target
>   * Markdownify and update the readme
>   * Disconnect from GtkIconTheme::changed when plugin destroyed
>   * Load main panel icon with _load_symbolic() variant
>   * Restore log viewer's scrolled window shadow-type
>   * Update icon when icon-theme changes
>   * Fix incorrect signal handler connections in settings dialog
>   * Translation Updates
>
> ==== yast2-packager ====
> Version update (4.5.15 -> 4.5.16)
>
> - Fixed a crash when selecting depending products (bsc#1208421)
> - 4.5.16
>
> ==== zchunk ====
> Version update (1.2.3 -> 1.2.4)
>
> - update to 1.2.4:
>   * Update tests to handle zstd 1.5.4
