Overview

File _patchinfo of Package patchinfo.28836

<patchinfo incident="28836">
  <issue tracker="jsc" id="PED-3549"/>
  <issue tracker="jsc" id="PED-3550"/>
  <issue tracker="jsc" id="PED-3561"/>
  <issue tracker="cve" id="2023-0950"/>
  <issue tracker="cve" id="2023-2255"/>
  <issue tracker="bnc" id="1209242">VUL-0: CVE-2023-0950: libreoffice: stack underflow in ScInterpreter</issue>
  <issue tracker="bnc" id="1211746">VUL-0: CVE-2023-2255: libreoffice: Remote documents loaded without prompt via IFrame</issue>
  <issue tracker="bnc" id="1204040">PPTX: shadow effect for table offset too far to the right</issue>
  <issue tracker="bnc" id="1198666">Need to be able to set the default tab size for each text object</issue>
  <issue tracker="bnc" id="1200085">FILEOPEN PPTX: extra paragraph after some 2-line text with link</issue>
  <issue tracker="bnc" id="1210687">[META] binutils-gold is unmaintained and will be dropped</issue>
  <packager>dspinella</packager>
  <rating>important</rating>
  <category>feature</category>
  <summary>Feature update for LibreOffice and xmlsec1</summary>
  <description>This update for LibreOffice and xmlsec1 fixes the following issue:
    
libreoffice:

- Version update from 7.4.3.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#3549):
  * For the highlights of changes of version 7.5 please consult the official release notes:
    https://wiki.documentfoundation.org/ReleaseNotes/7.5
  * Security issues fixed:
    + CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242)
    + CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746)
  * Bug fixes:
    + Fix PPTX shadow effect for table offset (bsc#1204040)
    + Fix ability to set the default tab size for each text object (bsc#1198666)
    + Fix PPTX extra vertical space between different text formats (bsc#1200085)
    + Do not use binutils-gold as the package is unmaintained and will be removed in the future (boo#1210687)
  * Updated bundled dependencies:
    * boost version update from 1_77_0 to 1_80_0
    * curl version update from 7.83.1 to 8.0.1
    * gpgme version update from 1.16.0 to 1.18.0
    * icu4c-data version update from 70_1 to 72_1
    * icu4c version update from 70_1 to 72_1
    * pdfium version update from 4699 to 5408
    * poppler version update from 21.11.0 to 22.12.0

xmlsec1:
    
- Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550):
  * Retired the XMLSec mailing list "xmlsec@aleksey.com" and the XMLSec Online Signature Verifier.
  * Migration to OpenSSL 3.0 API Note that OpenSSL engines are disabled by default when XMLSec library is compiled
    against OpenSSL 3.0.
    To re-enable OpenSSL engines, use `--enable-openssl3-engines` configure flag 
    (there will be a lot of deprecation warnings).
  * The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of
    XMLSec Library.
  * Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled `-Werror` and `-pedantic` 
    flags on CI builds.
  * Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility).
  * Support for OpenSSL compiled with OPENSSL_NO_ERR.
  * Full support for LibreSSL 3.5.0 and above
  * Several other small fixes
  * Fix decrypting session key for two recipients 
  * Added `--privkey-openssl-engine` option to enhance openssl engine support
  * Remove MD5 for NSS 3.59 and above
  * Fix PKCS12_parse return code handling
  * Fix OpenSSL lookup
  * xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice
  * Unload error strings in OpenSSL shutdown.
  * Make userData available when executing preExecCallback function
  * Add an option to use secure memset.
  * Enabled XML_PARSE_HUGE for all xml parsers.
  * Various build and tests fixes and improvements.
  * Move remaining private header files away from xmlsec/include/`` folder
- Other packaging changes:
  * Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass.
  * Pass `--disable-md5` to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its
    use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1]
    https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places