Packages changed:
  MicroOS-release (20240828 -> 20240829)
  ffmpeg-4
  libaom (3.7.1 -> 3.7.2)
  libdrm (2.4.122 -> 2.4.123)
  ncurses (6.5.20240817 -> 6.5.20240824)
  openssh (9.6p1 -> 9.8p1)
  openssh-askpass-gnome (9.6p1 -> 9.8p1)
  passt (20240814.61c0b0d -> 20240821.1d6142f)
  patterns-base
  python-setuptools (70.1.1 -> 72.1.0)
  sdbootutil (1+git20240822.bc7e06b -> 1+git20240823.30ef4f1)
  selinux-policy (20240823 -> 20240828)
  systemd-presets-common-SUSE

=== Details ===

==== MicroOS-release ====
Version update (20240828 -> 20240829)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
  [boo#1229338]

==== libaom ====
Version update (3.7.1 -> 3.7.2)

- Exclude third_party from obscpio
- Update to version 3.7.2:
  * aomedia:3520: get_cubic_kernel_dbl: Assertion `0 <= x && x < 1'
    failed.
  * aomedia:3526: alloc_compressor_data() is called during every
    aom_codec_control() call on the encoder. Note that this partially
    reverts the fix for bug aomedia:3349.
  * b/310457427 and b/310766628: Only use rec_sse in CBR mode.

==== libdrm ====
Version update (2.4.122 -> 2.4.123)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_radeon1

- update to 2.4.123
  * amdgpu: add new marketing names
  * amdgpu: add new marketing names
  * Convert to Android.bp
  * libs: Tie DSO minor versions to libdrm version
  * readdir_r is deprecated.
  * Fix FTBS on undefined clock_gettime() and asprintf()
  * Export include dirs with -isystem
  * Makes libdrm available on host
  * Adds libdrm_headers
  * Make libdrm recovery_available
  * add crosvm to com.android.virt
  * Enable GPU in crosvm
  * Android.bp: Add include exports for android dir
  * Disable ioctl signed overload for Bionic libc
  * build: bump version to 2.4.123
  * Delete all Makefile.sources files
  * tests: Make modetest and proptest cc_binary in Android.bp

==== ncurses ====
Version update (6.5.20240817 -> 6.5.20240824)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Add ncurses patch 20240824
  + modify infocmp and tabs to use actual name in usage and header.
  + modify test/demo_keyok.c to accept ^Q for quit, for consistency.
- Break dependency cycle between libncurses6 which provides "ncurses"
  by only letting terminfo-base recommend "ncurses"

==== openssh ====
Version update (9.6p1 -> 9.8p1)
Subpackages: openssh-clients openssh-common openssh-server

- Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.
- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch
- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
    the maximum the server will accept. Exploitation on 64-bit
    systems is believed to be possible but has not been
    demonstrated at this time. It's likely that these attacks will
    be improved upon.
    Exploitation on non-glibc systems is conceivable but has not
    been examined. Systems that lack ASLR or users of downstream
    Linux distributions that have modified OpenSSH to disable
    per-connection ASLR re-randomisation (yes - this is a thing,
    no - we don't understand why) may potentially have an easier
    path to exploitation. OpenBSD is not vulnerable.
    We thank the Qualys Security Advisory Team for discovering,
    reporting and demonstrating exploitability of this problem, and
    for providing detailed feedback on additional mitigation
    measures.
  * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
    CVE-2024-39894).
    In OpenSSH version 9.5 through 9.7 (inclusive), when connected
    to an OpenSSH server version 9.5 or later, a logic error in the
    ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
    this feature ineffective - a passive observer could still
    detect which network packets contained real keystrokes when the
    countermeasure was active because both fake and real keystroke
    packets were being sent unconditionally.
    This bug was found by Philippos Giavridis and also
    independently by Jacky Wei En Kung, Daniel Hugenroth and
    Alastair Beresford of the University of Cambridge Computer Lab.
    Worse, the unconditional sending of both fake and real
    keystroke packets broke another long-standing timing attack
    mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystroke
    echo packets for traffic received on TTYs in echo-off mode,
    such as when entering a password into su(8) or sudo(8). This
    bug rendered these fake keystroke echoes ineffective and could
    allow a passive observer of an SSH session to once again detect
    when echo was off and obtain fairly limited timing information
    about keystrokes in this situation (20ms granularity by
    default).
    This additional implication of the bug was identified by
    Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
    we thank them for their detailed analysis.
    This bug does not affect connections when
    ObscureKeystrokeTiming was disabled or sessions where no TTY
    was requested.
  = Future deprecation notice
  * OpenSSH plans to remove support for the DSA signature algorithm
    in early 2025. This release disables DSA by default at compile
    time.
    DSA, as specified in the SSHv2 protocol, is inherently weak -
    being limited to a 160 bit private key and use of the SHA1
    digest. Its estimated security level is only 80 bits symmetric
    equivalent.
    OpenSSH has disabled DSA keys by default since 2015 but has
    retained run-time optional support for them. DSA was the only
    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
    because alternative algorithms were encumbered by patents when
    the SSHv2 protocol was specified.
    This has not been the case for decades at this point and better
    algorithms are well supported by all actively-maintained SSH
    implementations. We do not consider the costs of maintaining
    DSA in OpenSSH to be justified and hope that removing it from
    OpenSSH can accelerate its wider deprecation in supporting
    cryptography libraries.
    This release, and its deactivation of DSA by default at
    compile-time, marks the second step in our timeline to finally
    deprecate DSA. The final step of removing DSA support entirely
    is planned for the first OpenSSH release of 2025.
    DSA support may be re-enabled in OpenBSD by setting
    "DSAKEY=yes" in Makefile.inc. To enable DSA support in
    portable OpenSSH, pass the "--enable-dsa-keys" option to
    configure.
  = Potentially-incompatible changes
  * all: as mentioned above, the DSA signature algorithm is now
    disabled at compile time.
  * sshd(8): the server will now block client addresses that
    repeatedly fail authentication, repeatedly connect without ever
    completing authentication or that crash the server. See the
    ... changelog too long, skipping 181 lines ...
  add "VSOCK VirtIO").

==== openssh-askpass-gnome ====
Version update (9.6p1 -> 9.8p1)

- Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for
    details.

==== passt ====
Version update (20240814.61c0b0d -> 20240821.1d6142f)
Subpackages: passt-selinux

- Update to version 20240821.1d6142f:
  * README: pasta is indeed a supported back-end for rootless Docker
  * util: Don't stop on unrelated values when looking for --fd in close_open_files()
  * test: Update list of dependencies in README.md
  * tcp, udp: Allow timerfd_gettime64() and recvmmsg_time64() on arm (armhf)
  * util: Provide own version of close_range(), and no-op fallback
  * udp_flow: Add missing unistd.h include for close()
  * test: Duplicate existing recvfrom() valgrind suppression for recv()
  * test/passt.mbuto: Install sshd-session OpenSSH's split process
  * test/passt.mbuto: Run sshd from vsock proxy with absolute path
  * test/lib/setup: Transform i686 kernel architecture name into QEMU name (i386)
  * treewide: Allow additional system calls for i386/i686
  * fwd, conf: Allow NAT of the guest's assigned address
  * fwd: Distinguish translatable from untranslatable addresses on inbound
  * conf: Allow address remapped to host to be configured
  * test: Reconfigure IPv6 address after changing MTU
  * conf, fwd: Split notion of gateway/router from guest-visible host address
  * Don't take "our" MAC address from the host
  * fwd: Split notion of "our tap address" from gateway for IPv4
  * fwd: Helpers to clarify what host addresses aren't guest accessible
  * Initialise our_tap_ll to ip6.gw when suitable
  * Clarify which addresses in ip[46]_ctx are meaningful where
  * treewide: Change misleading 'addr_ll' name
  * util: Correct sock_l4() binding for link local addresses
  * conf: Remove incorrect initialisation of addr_ll_seen
  * conf: Treat --dns addresses as guest visible addresses
  * conf: Correct setting of dns_match address in add_dns6()
  * conf: Move adding of a nameserver from resolv.conf into subfunction
  * conf: Move DNS array bounds checks into add_dns[46]
  * conf: More accurately count entries added in get_dns()
  * conf: Use array indices rather than pointers for DNS array slots
  * treewide: Use struct assignment instead of memcpy() for IP addresses
  * treewide: Rename MAC address fields for clarity
  * util: Helper for formatting MAC addresses
  * treewide: Use "our address" instead of "forwarding address"
  * netlink: Fix typo in function comment for nl_addr_set()
  * pasta: Disable neighbour solicitations on device up to prevent DAD
  * netlink, pasta: Fetch link-local address from namespace interface once it's up
  * netlink, pasta: Disable DAD for link-local addresses on namespace interface
  * netlink, pasta: Turn nl_link_up() into a generic function to set link flags
  * netlink, pasta: Split MTU setting functionality out of nl_link_up()
  * netlink: Fix typo in function comment for nl_addr_get()
  * test: Speed up by cutting on eye candy and performance test duration

==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11

- Move suggests for libz1 from patterns-base-base to
  patterns-base-minimal_base: be nicer with CI consumers.

==== python-setuptools ====
Version update (70.1.1 -> 72.1.0)

- Update to 72.1.0:
  * Restore the tests command and deprecate access to the module.
  * Added return types to typed public functions.
  * Removed lingering unused code around Distribution._patched_dist.
  * Reset the backports module when enabling vendored packages.
  * Include all vendored files in the sdist.
  * Restored package data that went missing in 71.0. This change also
    incidentally causes tests to be installed once again.
  * Now setuptools declares its own dependencies in the core extra.
    Dependencies are still vendored for bootstrapping purposes, but
    setuptools will prefer installed dependencies if present. The core
    extra is used for informational purposes and should *not* be declared
    in package metadata (e.g. build-requires).
  * Support for loading distutils from the standard library is now
    deprecated, including use of SETUPTOOLS_USE_DISTUTILS=stdlib and
    importing distutils before importing setuptools.
  * Fix distribution name normalisation for valid versions that are not
    canonical (e.g. 1.0-2).

==== sdbootutil ====
Version update (1+git20240822.bc7e06b -> 1+git20240823.30ef4f1)
Subpackages: sdbootutil-snapper sdbootutil-tukit

- Update to version 1+git20240823.30ef4f1:
  * Remove the executed line in grub2bls
  * Support new grub2-bls package

==== selinux-policy ====
Version update (20240823 -> 20240828)
Subpackages: selinux-policy-targeted

- Update to version 20240828:
  * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)

==== systemd-presets-common-SUSE ====

- Enable soft-reboot-cleanup.service to make soft-reboot possible
  with container and/or firewalld.