ChangeLog for: 2025-02-09 22:47:04

a/openssl11-solibs-1.1.1zb_p2-x86_64-1.txz:  Upgraded.
a/pkgtools-15.1-noarch-28.txz:  Rebuilt.
  removepkg: when using --verbose, don't remove files in parallel because it
  causes occasional screen corruption. This change only affects --verbose,
  and actually hardly slows that down.
ap/qpdf-11.10.0-x86_64-1.txz:  Upgraded.
ap/vim-9.1.1094-x86_64-1.txz:  Upgraded.
d/cbindgen-0.28.0-x86_64-1.txz:  Upgraded.
d/python-pip-25.0.1-x86_64-1.txz:  Upgraded.
d/rust-bindgen-0.71.1-x86_64-1.txz:  Upgraded.
l/SDL2-2.32.0-x86_64-1.txz:  Upgraded.
l/gegl-0.4.54-x86_64-1.txz:  Upgraded.
l/libffi-3.4.7-x86_64-1.txz:  Upgraded.
l/liboggz-1.1.2-x86_64-1.txz:  Upgraded.
n/openssl11-1.1.1zb_p2-x86_64-1.txz:  Upgraded.
  Apply patch to fix a low severity security issue:
  Fix timing side-channel in ECDSA signature computation.
  There is a timing signal of around 300 nanoseconds when the top word of
  the inverted ECDSA nonce value is zero. This can happen with significant
  probability only for some of the supported elliptic curves. In particular
  the NIST P-521 curve is affected. To be able to measure this leak, the
  attacker process must either be located in the same physical computer or
  must have a very fast network connection with low latency.
  This CVE was fixed by the second 1.1.1zb release that is only available to
  subscribers to OpenSSL's premium extended support. The patch was prepared
  by backporting from the OpenSSL-3.0 repo.
  Thanks to Ken Zalewski for the patch!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-13176
  (* Security fix *)
xap/vim-gvim-9.1.1094-x86_64-1.txz:  Upgraded.
xfce/xfce4-settings-4.20.1-x86_64-1.txz:  Upgraded.