Packages changed: MicroOS-release (20260520 -> 20260527) coreutils coreutils-systemd crypto-policies file ghostscript (10.07.0 -> 10.07.1) grub2 hplip (3.25.6 -> 3.26.4) hwinfo (25.2 -> 25.3) jq kernel-source (7.0.9 -> 7.0.10) kirigami-addons6 (1.12.0 -> 1.12.1) libcaca (0.99.beta20 -> 0.99.beta20+git.1776622070.7c8e333) libqt5-qtbase (5.15.18+kde109 -> 5.15.19+kde96) libqt5-qtdeclarative (5.15.18+kde22 -> 5.15.19+kde23) libqt5-qtimageformats (5.15.18+kde2 -> 5.15.19+kde2) libqt5-qtquickcontrols2 (5.15.18+kde5 -> 5.15.19+kde5) libqt5-qtspeech (5.15.18+kde1 -> 5.15.19+kde1) libqt5-qtsvg (5.15.18+kde5 -> 5.15.19+kde5) libqt5-qtwayland (5.15.18+kde55 -> 5.15.19+kde55) libqt5-qtx11extras (5.15.18+kde0 -> 5.15.19+kde0) libxmlb (0.3.25 -> 0.3.27) mozilla-nspr (4.38.2 -> 4.39) mozilla-nss (3.122.2 -> 3.123.1) openssh pam (1.7.2 -> 1.7.2+git12) pam-full-src (1.7.2 -> 1.7.2+git12) patterns-base plasma6-workspace poppler (26.02.0 -> 26.05.0) poppler-qt6 (26.02.0 -> 26.05.0) python-certifi (2026.2.25 -> 2026.4.22) python-psutil python-requests (2.33.1 -> 2.34.2) rsync (3.4.1 -> 3.4.3) selinux-policy (20260508 -> 20260522) shim-leap systemd thin-provisioning-tools (1.2.1 -> 1.3.2) which (2.23 -> 2.25) === Details === ==== MicroOS-release ==== Version update (20260520 -> 20260527) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== coreutils ==== - coreutils-tee-fix-infloop-on-EAGAIN-and-short-write.patch: Add upstream patch (boo#1265378) * 'tee' no longer loops infinitely after writing all output if a write call sets errno to EAGAIN. [bug introduced in coreutils-9.11] * 'tee' no longer treats short writes as errors. [bug introduced in coreutils-9.11] ==== coreutils-systemd ==== - coreutils-tee-fix-infloop-on-EAGAIN-and-short-write.patch: Add upstream patch (boo#1265378) * 'tee' no longer loops infinitely after writing all output if a write call sets errno to EAGAIN. [bug introduced in coreutils-9.11] * 'tee' no longer treats short writes as errors. [bug introduced in coreutils-9.11] ==== crypto-policies ==== - Remove crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch to allow X25519 as required for sntrup761x25519-sha512@openssh.com and sntrup761x25519-sha512 in the DEFAULT policy. (bsc#1259825) Rebase crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch - Add PQC support for OpenSSH (bsc#1258311, bsc#1259825) * Enable sntrup761x25519-sha512 for OpenSSH by default * Add crypto-policies-OpenSSH-PQC.patch ==== file ==== Subpackages: file-magic libmagic1 - Add patch file-5.47-s390x.patch from upstream commit Work around an endianess problem on s390x ==== ghostscript ==== Version update (10.07.0 -> 10.07.1) - Version upgrade to 10.07.1 See 'Recent Changes in Ghostscript' at Ghostscript upstream https://ghostscript.readthedocs.io/en/gs10.07.1/News.html * This release addresses a number of potential security issues. ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-common grub2-snapper-plugin - Add python-base BR ==== hplip ==== Version update (3.25.6 -> 3.26.4) Subpackages: hplip-common hplip-cups hplip-driver-hpcups libhplip0 - Update to HPLIP 3.26.4 - Fix CVE-2026-8631 (bsc#1266023) - Fix CVE-2026-8632 (bsc#1266024) - Add support for the following new printers: * HP LaserJet Pro MFP 3106sdw * HP LaserJet Pro MFP 3105sdw * HP Envy 6500e series * HP Envy 6500 series * HP OfficeJet Pro 9730 Series * HP OfficeJet Pro 9730e Series * HP OfficeJet Pro 9720 Series * HP OfficeJet Pro 9720e Series * HP OfficeJet Pro 8130e All-in-One series * HP OfficeJet Pro 8130 All-in-One series * HP OfficeJet 8130e All-in-One series * HP OfficeJet 8130 All-in-One series * HP OfficeJet Pro 8120e All-in-One series * HP OfficeJet Pro 8120 All-in-One series * HP OfficeJet 8120e All-in-One series * HP OfficeJet 8120 All-in-One series * HP DeskJet Ink Advantage ultra 5800 All-in-One Printer series * HP DeskJet Ink Advantage ultra 5100 All-in-One Printer series * HP DeskJet 4300e All-in-One Printer series * HP DeskJet Ink Advantage 4300 All-in-One Printer series * HP DeskJet 4300 All-in-One Printer series * HP DeskJet 2900e All-in-One Printer series * HP DeskJet Ink Advantage 2900 All-in-One Printer series * HP DeskJet 2900 All-in-One Printer series - Adjust the version condition not to build scan_utils since %suse_version macro has been changed to 1610 in Leap 16.1 ==== hwinfo ==== Version update (25.2 -> 25.3) Subpackages: libhd25 - merge gh#openSUSE/hwinfo#178 - fix memory leaks in pci and pppoe modules (bsc#1265908) - avoid NULL pointer in ADD2LOG() call - 25.3 ==== jq ==== Subpackages: libjq1 - Add patch CVE-2026-33948.patch (CVE-2026-33948, bsc#1262043) - Add patch CVE-2026-32316.patch (CVE-2026-32316, bsc#1262044) - Add patch CVE-2026-33947.patch (CVE-2026-33947, bsc#1262069) - Add patch CVE-2026-39956.patch (CVE-2026-39956, bsc#1262070) - Add patch CVE-2026-39979.patch (CVE-2026-39979, bsc#1262071) - Add patch CVE-2026-40164.patch (CVE-2026-40164, bsc#1262072) - Add patch CVE-2026-40612.patch (CVE-2026-40612, bsc#1265060) - Add patch CVE-2026-41256.patch (CVE-2026-41256, bsc#1265061) - Add patch CVE-2026-41257.patch (CVE-2026-41257, bsc#1265062) - Add patch CVE-2026-43894.patch (CVE-2026-43894, bsc#1265070) - Add patch CVE-2026-43895.patch (CVE-2026-43895, bsc#1265071) - Add patch CVE-2026-43896.patch (CVE-2026-43896, bsc#1265075) - Add patches CVE-2026-44777_0.patch and CVE-2026-44777_1.patch (CVE-2026-44777, bsc#1265076) ==== kernel-source ==== Version update (7.0.9 -> 7.0.10) Subpackages: kernel-64kb kernel-default - tracing: Avoid NULL return from hist_field_name() on truncation (git-fixes). - firmware: arm_ffa: Align RxTx buffer size before mapping (git-fixes). - commit bb95589 - Linux 7.0.10 (bsc#1012628). - blk-cgroup: wait for blkcg cleanup before initializing new disk (bsc#1012628). - md: suppress spurious superblock update error message for dm-raid (bsc#1012628). - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START (bsc#1012628). - fs/mbcache: cancel shrink work before destroying the cache (bsc#1012628). - md/raid1: fix the comparing region of interval tree (bsc#1012628). - fs: fix archiecture-specific compat_ftruncate64 (bsc#1012628). - drbd: Balance RCU calls in drbd_adm_dump_devices() (bsc#1012628). - loop: fix partition scan race between udev and loop_reread_partitions() (bsc#1012628). - block: fix zones_cond memory leak on zone revalidation error paths (bsc#1012628). - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() (bsc#1012628). - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() (bsc#1012628). - pstore/ram: fix resource leak when ioremap() fails (bsc#1012628). - erofs: include the trailing NUL in FS_IOC_GETFSLABEL (bsc#1012628). - md: fix array_state=clear sysfs deadlock (bsc#1012628). - ublk: reset per-IO canceled flag on each fetch (bsc#1012628). - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default() (bsc#1012628). - erofs: handle 48-bit blocks/uniaddr for extra devices (bsc#1012628). - md: remove unused static md_wq workqueue (bsc#1012628). - md: wake raid456 reshape waiters before suspend (bsc#1012628). - dcache: permit dynamic_dname()s up to NAME_MAX (bsc#1012628). - btrfs: fix the inline compressed extent check in inode_need_compress() (bsc#1012628). - btrfs: fix deadlock between reflink and transaction commit when using flushoncommit (bsc#1012628). - btrfs: do not reject a valid running dev-replace (bsc#1012628). - OPP: debugfs: Use performance level if available to distinguish between rates (bsc#1012628). - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp() (bsc#1012628). - ACPI: x86: cmos_rtc: Clean up address space handler driver (bsc#1012628). - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver (bsc#1012628). - devres: fix missing node debug info in devm_krealloc() (bsc#1012628). - thermal/drivers/spear: Fix error condition for reading st,thermal-flags (bsc#1012628). - debugfs: check for NULL pointer in debugfs_create_str() (bsc#1012628). - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() (bsc#1012628). - soundwire: debugfs: initialize firmware_file to empty string (bsc#1012628). - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() (bsc#1012628). - amd-pstate: Update cppc_req_cached in fast_switch case (bsc#1012628). - cpufreq: Pass the policy to cpufreq_driver->adjust_perf() (bsc#1012628). - PCI: use generic driver_override infrastructure (bsc#1012628). - platform/wmi: use generic driver_override infrastructure (bsc#1012628). - vdpa: use generic driver_override infrastructure (bsc#1012628). - s390/cio: use generic driver_override infrastructure (bsc#1012628). - s390/ap: use generic driver_override infrastructure (bsc#1012628). - bus: fsl-mc: use generic driver_override infrastructure (bsc#1012628). - locking/mutex: Rename mutex_init_lockep() (bsc#1012628). - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC (bsc#1012628). - irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter (bsc#1012628). - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() (bsc#1012628). - hrtimer: Reduce trace noise in hrtimer_start() (bsc#1012628). - locking: Fix rwlock and spinlock lock context annotations (bsc#1012628). - signal: Fix the lock_task_sighand() annotation (bsc#1012628). - ww-mutex: Fix the ww_acquire_ctx function annotations (bsc#1012628). - perf/amd/ibs: Account interrupt for discarded samples (bsc#1012628). - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR (bsc#1012628). - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler (bsc#1012628). - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE (bsc#1012628). ... changelog too long, skipping 2041 lines ... - commit 17ac7c8 ==== kirigami-addons6 ==== Version update (1.12.0 -> 1.12.1) Subpackages: libKirigamiAddonsComponents6 libKirigamiAddonsStatefulApp6 libKirigamiApp6 - Update to 1.12.1 This is a minor release containing mostly bug fixes and small refactoring ==== libcaca ==== Version update (0.99.beta20 -> 0.99.beta20+git.1776622070.7c8e333) - Updated to version 0.99.beta20+git.1776622070.7c8e333: * Switched to typed Ruby wrapping. * Simplified caca_create_display call. * Do not used _caca_alloc2d in the Ruby extension. * Prevented Init_caca from being hidden. * Reverted 156781dd67d024dc067010ef8640d0b91c5c3356. * Switched from MiniTest to Minitest. * Prevented undefined behaviour in overflow check (CVE-2026-42046 bsc1264984). * Fixed a crash on 0 sized font in img2txt. * Fixed an error message in img2txt. * Fixed handling of zero sized image in img2txt. - Rewrited the SPEC file to correctly generate Python packages in all available versions. ==== libqt5-qtbase ==== Version update (5.15.18+kde109 -> 5.15.19+kde96) Subpackages: libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-sqlite libQt5Test5 libQt5Widgets5 libQt5Xml5 - Update to version 5.15.19+kde96, rebased upstream: * Replace commercial license header with LGPL license header * Revert "Update to Harfbuzz 10.0.1" * QByteArray(View)::lastIndexOf: Guard against needle > haystack * Upgrade Harfbuzz to 11.1.0 * Update PCRE2 to 10.45 * Upgrade Harfbuzz to 11.0.0 * 3rdparty: update TinyCBOR to v0.6.1 * qmake: SBOM 5.15 qmake2cmake parsing fixes * Long live qstdlibdetection.h! * Fix build error in test when lttng tracing backend is enabled * QAbstractSlider: fix missing "emission" of SliderOrientationChange * tst_QAbstractSlider: add a check for sliderChange() "emission" * QStandardItem: add note about reimplementing data/setData() wrt. flags * tst_QPointer: make DerivedParent delete all children * Replace qFatal() statements with qWarning() in case of failed queries * Fix race condition with QTest::ignoreMessage * Add maybe_unused in benchmark to guard against nodiscard in the future * QDockWidgetLayout: mark the ctor explicit * QMdiSubwindow: fix UB (invalid member call) in ControlContainer::removeButtonsFromMenuBar() * tst_QGraphicsGridLayout: fix memleaks in setGeometry() * tst_QGraphicsGridLayout: fix memleak in spanAcrossEmptyRow() * SQLite: Update SQLite to v3.49.1 * tst_QMainWindow: fix unit'ed value in AddDockWidget * tst_QGraphicsGridLayout: fix memory leaks in columnCount() * tst_QGraphicsGridLayout: fix memleaks in spanningItem2x3() * tst_QGraphicsGridLayout: fix memleak in removeItem() * tst_QGraphicsGridLayout: fix memleak in spanningItem2x2() * tst_QGraphicsGridLayout: fix memleaks in addItem() * tst_QGraphicsGridLayout: remove unneeded delete in rowMaximumHeight() * tst_QGraphicsGridLayout: fix memory leaks in rowCount() * tst_QGraphicsGridLayout: fix memleaks in columnSpacing() * tst_QGraphicsLinearLayout: remove remaining memleaks in insertItem() * tst_QGraphicsLinearLayout: fix memleaks in defaultSpacing() * Add a benchmark for QTimeZone::utc * QPainterPath: detach and reset before streaming in * xcb: set _NET_STARTUP_ID at client leader window * Fix generation of the forward header for QFunctionPointer * qUtf16Printable: avoid creating a copy of a QString * QIcon: remove icon from cache if the cached engine fails to load * CommonStyle/QSlider: don't modify outline color * tst_QGraphicsWidget: fix memleak in shortcutsDeletion() * tst_QGraphicsLayout: fix memleaks in alternativeLayoutItems() * tst_QSplitter: fix memleak in replaceWidget() * tst_QGraphicsScene: fix memleaks in selectionChanged()/removeItem() * tst_QComboBox: ignore two warnings from setCompleter() in getSetCheck() * QComboBox: fix UB (signed overflow) in Private::recomputeSizeHint() * tst_QComboBox: fix memleak in task_QTBUG_56693_itemFontFromModel() * tst_QComboBox: fix memleaks in task_QTBUG_52027_mapCompleterIndex() * tst_QComboBox: fix memleak in task190205_setModelAdjustToContents() * tst_QComboBox: fix memleaks in setItemDelegate()/task253944_itemDelegateIsReset() * tst_QComboBox: fix memleak in getSetCheck() * tst_QTextEdit: fix UB (invalid downcast) in various functions * tst_QTextEdit: fix memleak in the MyPaintDevice helper * QLineEdit: fix UB (invalid downcast) in Private::removeAction() * SQLite: Update SQLite to v3.49.0 * tst_QTreeView: fix memleak in fetchUntilScreenFull() * QFileSystemModel: remove an unneeded const_cast * SQLite: Update SQLite to v3.48.0 * SQLite: Update SQLite to v3.47.2 * QXmlStreamReader: fix parsing of non-wellformed inputs * QGUTheme: add Pantheon to the list of GTK based desktop environments * tst_QWidget: fix a memleak in destroyedSignal() * tst_QGraphicsWidget: remove unneeded casts in setStyle() * tst_QGraphicsWidget: fix memleak in qgraphicswidget() * tst_QGraphicsWidget: remove unused object from qgraphicswidget() * tst_QGraphicsWidget: fix memleak in setStyle() * tst_QGraphicsWidget: fix memleak in implicitMouseGrabber() * tst_QGraphicsProxyWidget: fix memleak in forwardTouchEvent() * tst_QGraphicsLinearLayout: remove dead code (dump()) * tst_QGraphicsLinearLayout: fix memleaks in count()/insertIrem() * tst_QGraphicsLinearLayout: fix memleaks in itemAt() * tst_QGraphicsLinearLayout: fix memleaks in itemAt_visualOrder() * tst_QGraphicsLinearLayout: fix memleak in testStretch() * tst_QSplitter: don't leak the QSplitter from initTestCase() * tst_QGraphicsLinearLayout: fix memory leaks in removeAt()/removeItem() * Text widgets: document find() behavior with QRegularExpression * tst_QButtonGroup: fix memleak in task209485_removeFromGroupInEventHandler() * tst_QButtonGroup: fix memleak in keyNavigationPushButtons() * tst_QAbstractScrollArea: fix memleak in task214488_layoutDirection() * QTapGestureRecognizer: fix UB (invalid downcast) in recognize() * tst_QFrame: fix memleak in testPainting() * QXcbDrag: Fix UB (unaligned load) in handleFinished() * tst_QLayout: fix memleak in removeWidget() * tst_QGraphicsItem: properly init QGraphicsSceneDragDropEvent * tst_QGraphicsEffectSource: fix memleak in pixmapPadding() * tst_QGraphicsScene: fix memleaks in taskQTBUG_7863_paintIntoCacheWithTransparentParts() * tst_QGraphicsScene: fix memleak in taskQTBUG_5904_crashWithDeviceCoordinateCache() * tst_QGraphicsItem: fix memleaks in sceneEventFilter() * tst_QGraphicsItem: fix memory leaks in mapRectFromToParent() * QAbstractItemView: fix UB (invalid downcast) in Private::shouldAutoScroll() * tst_QHeaderView: fix UB (invalid downcast) in testStylePosition() * tst_QCalendarWidget: fix memleak in showPrevNext() * QWidgetWindow: fix UB (invalid downcast) in Private::handleDragEnterEvent() * QDateTime: code tidies * Fix UB in QTextStreamPrivate::putNumber() * Narrow some #if-ery on QT_BUILD_INTERNAL to test more normally * tst_QByteArray: check replace() doesn't replace the terminating 0 * QUrl: add a link in a code fragment ... changelog too long, skipping 50 lines ... - Make use of %{?build_ldflags} ==== libqt5-qtdeclarative ==== Version update (5.15.18+kde22 -> 5.15.19+kde23) - Update to version 5.15.19+kde23, rebased upstream: * Increase robustness of tag in Text component * Fix division by zero in QQuickSvgParser * Fix the build with tracing enabled * Fix divide by zero when processing invalid arcs * 2D Renderer: Make sure cachedMirroredPixmap is never dirty when painting * V4: Do not update proto usage before engine is fully initialized * Bump version to 5.15.19 ==== libqt5-qtimageformats ==== Version update (5.15.18+kde2 -> 5.15.19+kde2) - Update to version 5.15.19+kde2, rebased upstream: * Fix libwebp build for old gcc * Update bundled libwebp to version 1.5.0 * Bump version to 5.15.19 ==== libqt5-qtquickcontrols2 ==== Version update (5.15.18+kde5 -> 5.15.19+kde5) Subpackages: libQt5QuickControls2-5 libQt5QuickTemplates2-5 - Update to version 5.15.19+kde5, rebased upstream: * Bump version to 5.15.19 ==== libqt5-qtspeech ==== Version update (5.15.18+kde1 -> 5.15.19+kde1) - Update to version 5.15.19+kde1, rebased upstream: * Bump version to 5.15.19 ==== libqt5-qtsvg ==== Version update (5.15.18+kde5 -> 5.15.19+kde5) - Update to version 5.15.19+kde5, rebased upstream: * Bump version to 5.15.19 ==== libqt5-qtwayland ==== Version update (5.15.18+kde55 -> 5.15.19+kde55) Subpackages: libQt5WaylandClient5 libQt5WaylandCompositor5 - Update to version 5.15.19+kde55, rebased upstream: * Bump version to 5.15.19 ==== libqt5-qtx11extras ==== Version update (5.15.18+kde0 -> 5.15.19+kde0) - Update to version 5.15.19+kde0, rebased upstream: * Bump version to 5.15.19 ==== libxmlb ==== Version update (0.3.25 -> 0.3.27) - Update to version 0.3.27: + New Features: Bump the required version of GLib to 2.68 + Bugfixes: - Do not construct an invalid silo when processing more than 30 attrs - Fix NULL pointer dereference when searching with NULL needle - Fix potential use-after-free when building the in() haystack - Fix stem() type-checking the wrong stack position - Handle NULL string opcodes in more functions - Limit operator recursion depth in xb_machine_parse_section - Limit the number of predicates and OR branches in each section - Prevent an infinite loop when parsing a corrupt silo - Reject XML with more than 65535 unique element names - Changes from version 0.3.26: + New Features: Parse CDATA as text + Bugfixes: - Add bounds check to prevent OOB read in token index lookup - Do not write an invalid silo when more than 63 attrs on one node - No inotify for illumos and Solaris - Prevent stack overflow from unbounded recursion in export ==== mozilla-nspr ==== Version update (4.38.2 -> 4.39) - update to versoin 4.39 * Improved error handling in PR_CreateThread on Windows * Cleanup and Type-cast fixes for prtime * Remove unused prstreams C++ wrapper from NSPR * Memory poisoning and Arena redzone fixes * Removed emacs/vim modelines and .cvsignore files * Added .editorconfig ==== mozilla-nss ==== Version update (3.122.2 -> 3.123.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.123.1 * bmo#2033783 - reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max - update to NSS 3.123 * https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/AW6VHkn6E0o - disabled FIPS patches temporarily (need significant rebasing) ==== openssh ==== Subpackages: openssh-clients openssh-common openssh-server - Improve %prep LDAP regex to preserve subdirectories (e.g., ope- nbsd-compat/) and handle optional [ab]/ prefixes. ==== pam ==== Version update (1.7.2 -> 1.7.2+git12) - Update to version 1.7.2+git12: * pam_env: fix check for buffer size (#975) * pam.8: Drop self reference * pam_unix: always call unix_update if SELinux is enabled (obsoletes pam_unix-selinux.patch) * ci: use one-line syntax for the matrix strategy * ci: add logind jobs for all compilers to the build matrix * ci: add clang-19 jobs to the build matrix * po: update translations using Weblate (Greek) * ci: replace vendordir jobs with novendordir * ci/build.sh: add support for empty VENDORDIR * ci: apply Zizmor recommendations to workflow * ci: use matrix strategy to avoid code duplication * meson: do not undefine _FILE_OFFSET_BITS for 64-bit platforms ==== pam-full-src ==== Version update (1.7.2 -> 1.7.2+git12) - Update to version 1.7.2+git12: * pam_env: fix check for buffer size (#975) * pam.8: Drop self reference * pam_unix: always call unix_update if SELinux is enabled (obsoletes pam_unix-selinux.patch) * ci: use one-line syntax for the matrix strategy * ci: add logind jobs for all compilers to the build matrix * ci: add clang-19 jobs to the build matrix * po: update translations using Weblate (Greek) * ci: replace vendordir jobs with novendordir * ci/build.sh: add support for empty VENDORDIR * ci: apply Zizmor recommendations to workflow * ci: use matrix strategy to avoid code duplication * meson: do not undefine _FILE_OFFSET_BITS for 64-bit platforms ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - make kernel_livepatching pattern visible (bsc#1263084) - enable kernel livepatching for aarch64 in SLE16.1 and newer (jsc#PED-7906, bsc#1266306). ==== plasma6-workspace ==== Subpackages: plasma6-session plasma6-workspace-libs - Add patch to fix expiration of notifications with Qt 6.11.1 (kde#520120): * 0001-libnotificationmanager-Return-something-of-the-corre.patch ==== poppler ==== Version update (26.02.0 -> 26.05.0) - Update to version 26.05.0: + core: * Improve reconstruction of damaged files. Issue #1693 * PSOutputDev: Remove "pipe as filename" feature * PSOutputDev: Respect pre-existing PageSize policies. * Internal code improvements * Fix crashes in malformed documents + glib: Improve PopplerPage thread-safety + utils: * pdftotext: Add -remove-hyphens option * pdftotext: Do not abort on empty strings. + build system: Increase minimum required dependency versions to those of Ubuntu 24.04 - Changes from version 26.04.0: + core: * Splash: Improve knockout groups rendering. * Improve reconstruction of damaged files * Performance improvement in files with peculiar Form objects. * Fix memory leak if embedding png fails * Internal code improvements + qt5: Fix inverted continuation rect in performMultipleTextSearch + qt6: Fix inverted continuation rect in performMultipleTextSearch - Changes from version 26.03.0: + core: * Add compression support for stamp annotation images * NSS signature backend: Look for Firefox profiles also in XDG config directory * GPG signature backend: Fix marking of qualified keys * Simplify the form of some ink annotations * Speed improvements for some fixes * Internal code improvements + qt5: * Replace deprecated Qt::SystemLocaleDate * Fix wrong result bottom coordinate when searching across lines + qt6: Fix wrong result bottom coordinate when searching across lines + glib: Mark structure_element_iter_new as nullable + build system: Remove USE_FLOAT cmake option - Bump popper_sover to 160 following upstream changes. - Bump dependencies required versions in spec file to match versions in CMakeLists.txt ==== poppler-qt6 ==== Version update (26.02.0 -> 26.05.0) - Update to version 26.05.0: + core: * Improve reconstruction of damaged files. Issue #1693 * PSOutputDev: Remove "pipe as filename" feature * PSOutputDev: Respect pre-existing PageSize policies. * Internal code improvements * Fix crashes in malformed documents + glib: Improve PopplerPage thread-safety + utils: * pdftotext: Add -remove-hyphens option * pdftotext: Do not abort on empty strings. + build system: Increase minimum required dependency versions to those of Ubuntu 24.04 - Changes from version 26.04.0: + core: * Splash: Improve knockout groups rendering. * Improve reconstruction of damaged files * Performance improvement in files with peculiar Form objects. * Fix memory leak if embedding png fails * Internal code improvements + qt5: Fix inverted continuation rect in performMultipleTextSearch + qt6: Fix inverted continuation rect in performMultipleTextSearch - Changes from version 26.03.0: + core: * Add compression support for stamp annotation images * NSS signature backend: Look for Firefox profiles also in XDG config directory * GPG signature backend: Fix marking of qualified keys * Simplify the form of some ink annotations * Speed improvements for some fixes * Internal code improvements + qt5: * Replace deprecated Qt::SystemLocaleDate * Fix wrong result bottom coordinate when searching across lines + qt6: Fix wrong result bottom coordinate when searching across lines + glib: Mark structure_element_iter_new as nullable + build system: Remove USE_FLOAT cmake option - Bump popper_sover to 160 following upstream changes. - Bump dependencies required versions in spec file to match versions in CMakeLists.txt ==== python-certifi ==== Version update (2026.2.25 -> 2026.4.22) - Add missing BR openssl for `/etc/ssl/ca-bundle.pem`. ==== python-psutil ==== - %check phase should run aside from %builddir to use extension from the main binary package (don't build during the %check phase). ==== python-requests ==== Version update (2.33.1 -> 2.34.2) - update to 2.34.2: * Moved `headers` input type back to `Mapping` to avoid invariance issues with `MutableMapping` and inferred dict types. Users calling `Request.headers.update()` may need to narrow typing in their code. * Widened `json` input type from `dict` and `list` to `Mapping` * and `Sequence`. * Changed `headers` input type to MutableMapping and removed `None` from `Request.headers` typing to improve handling for users. * `Response.reason` moved from `str | None` to `str` to improve handling for users. * Fixed a bug where some bodies with custom `__getattr__` implementations weren't being properly detected as Iterables. * Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue. * Digest Auth hashing algorithms have added `usedforsecurity=False` to clarify security considerations. * Requests added support for Python 3.15 based on beta1. * Requests added support for Python 3.14t. * ``Response.history`` no longer contains a reference to itself, preventing accidental looping when traversing the history list. * Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. * Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. ==== rsync ==== Version update (3.4.1 -> 3.4.3) - Fixed some warnings while building the rpm. - Added patches: - rsync-python-3.6-tests.patch: Small patch to support running tests on python 3.6+: - rsync-openat2-glibc-missing.patch: Small patch to build on kernels >= 5.6+ where openat2 is not defined in glibc. - Removed patches already upstream: - rsync-no-libattr.patch - rsync-CVE-2025-10158.patch - rsync-CVE-2026-41035.patch - rsync341-gcc15-bool.patch - Removed support for the unmaintained rsync-patches archive, which in turn removes support for SLP. These patches are not being shipped anymore. - Update to 3.4.3: - SECURITY FIXES: Six CVEs are fixed in this release. Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default daemon configuration to reach: the first and third need use chroot = no for a module, the second needs daemon chroot = ... set in rsyncd.conf. Two (CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a normal authenticated daemon connection. The sixth (CVE-2026-45232) is reachable only when RSYNC_PROXY is set and the proxy (or a MITM) returns a pathological response. Complete list of changes: https://download.samba.org/pub/rsync/NEWS#3.4.3 - CVE-2026-29518, bsc#1264511: Symlink-Race TOCTOU in Daemon (use chroot = no) TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. An rsync daemon configured with "use chroot = no" was exposed to a time-of-check / time-of-use race on parent path components. - CVE-2026-43617, bsc#1264515: Authorization Bypass via Hostname Resolution Hostname/ACL bypass on an rsync daemon configured with daemon chroot = /X in rsyncd.conf when the chroot tree lacks DNS resolution support. The reverse-DNS lookup of the connecting client was performed after the daemon chroot had been entered; if /X did not contain the libc resolver fixtures (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules) the lookup failed and the connecting hostname was set to "UNKNOWN", causing hostname-based deny rules to silently fail open. IP-based ACLs are unaffected. The per-module use chroot setting is unrelated to this issue. The fix performs the lookup before entering the daemon chroot. - CVE-2026-43618, bsc#1264512: Integer Overflow Information Disclosure Integer overflow in the compressed-token decoder enabling remote memory disclosure to an authenticated daemon peer. Workaround for older releases: refuse options = compress in rsyncd.conf. - CVE-2026-43619, bsc#1264514: Symlink Race Condition via Path-Based Syscalls Symlink races on path-based system calls in "use chroot=no" daemon mode (generalisation of CVE-2026-29518). Earlier fixes for symlink races on the receiver's open() call missed the same race class on every other path-based system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir and lstat. Default "use chroot = yes" is not exposed. - CVE-2026-43620, bsc#1264513: Out-of-Bounds Array Read via recv_files() Out-of-bounds read in the receiver's recv_files() enabling remote denial-of-service of any client pulling from a malicious server (incomplete fix of commit 797e17f). Workaround for older releases: --no-inc-recursive on the client. - CVE-2026-45232, bsc#1265296: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing Off-by-one out-of-bounds stack write in the rsync client's HTTP CONNECT proxy handler (establish_proxy_connection() in socket.c). The fix detects the "buffer filled without finding \n" case explicitly by position and refuses the response with "proxy response line too long". - In addition to the six CVE fixes, this release adds defence-in-depth hardening on several adjacent paths. - BUG FIXES: - Fixed a regression introduced by the 3.4.0 secure_relative_open(). - Complete list of fixes in version 3.4.2: - https://download.samba.org/pub/rsync/NEWS#3.4.2 ==== selinux-policy ==== Version update (20260508 -> 20260522) Subpackages: selinux-policy-targeted - Update to version 20260522: * Fix build by switching to corecmd_exec_bin_noattr() * Split using dirsrv_ and dirsrvadmin_ interfaces into separate blocks * Allow virtqemud execute kmod in the kmod domain * Allow qatlib map kernel modules * Allow sys_resource on execution of generic executables conditionally * Label bootloader-migrate-generator with coreos_bootloader_migrate_generator_exec_t * Label /run/coreos with coreos_installer_var_run_t * Add systemd_create_generator_unit_file() and systemd_write_generator_unit_file() * Allow virtnwfilterd_t r/w on packet_socket (bsc#1264273) * Update fstools swap interfaces with dir search * Allow go-fdo-server to read system information * Change README to openSUSE specific README * Add missing fc rule for org.gnome.DisplayManager (bsc#1264182) * config: make /etc/systemd/user same as /usr/lib/systemd/user * Do not audit iptables attempts to read other process state * Policy for go-fdo-server * Allow setroubleshoot_fixit_t to touch /.autorelabel and reboot * Allow init nnp domain transition do dirsrv_t and dirsrv_snmp_t * Allow NetworkManager_dispatcher_nvme_t check status of systemd services * Allow iptables_t read state of some processes * Label /dev/HID-SENSOR-.* with hid_sensor_device_t - Syncing with upstream rawhide selinux-policy up to: * 190ed3591e0004c395409dd62acea41c8a684fc1 - Update embedded container-selinux version to commit: * e659fc8858d2e34781cc1640ac1658ba484cb3f5 (v2.248.0) ==== shim-leap ==== - Modified the pretrans Lua script to work around the broken DB issue caused by buggy firmware when Secure Boot is disabled. It is impossible for the db to be empty while Secure Boot is enabled. If the db is empty, the installation behavior will be treated the same as when Secure Boot is disabled. We allow the shim installation process to continue and display a message reminding the user to add the appropriate certificate. (bsc#1259096) ==== systemd ==== Subpackages: libsystemd0 libudev1 systemd-boot systemd-container udev - Add a weak runtime dependency on libtss2-tcti-device0 to udev (bsc#1260357 bsc#1264224) - systemd.spec: drop deprecated meson options 'libidn' and 'libiptc' Remove -Dlibidn and -Dlibiptc from meson options as both have been fully deprecated by upstream and will be removed in a future release. The libidn library support was completely dropped in commit 429cbac508 and has been replaced by libidn2. OTOH, systemd-networkd and systemd-nspawn no longer support creating NAT rules via iptables/libiptc APIs; only nftables is now supported (see commit c3c42b30dd). - Import commit 1e45daa2fb423eb95ad00dcc389e03cfea8f86dc 1e45daa2fb vconsole-setup: skip setfont(8) when the console driver lacks font support (bsc#1212970) - Import commit 571d61da82f2654afacf52c620ceec3fbf220f6b 571d61da82 cryptsetup: avoid a segfault when a keyfile is passed along with a TPM device (bsc#1263117) 4e16626c0e mkosi: user and group bin needed for a test e5f2b85204 TEST-24-CRYPTSETUP: Use virtio-blk-pci 9bac241fc1 TEST-64-UDEV-STORAGE: Add missing scsi controllers 8581b451ed Revert "mkosi: Mark minimal images as Incremental=relaxed" 5a53f0c965 mkosi-tool/opensuse: add libtss2-tcti-device0 package - systemd.spec: drop ancient Obsoletes for pm-utils, suspend and systemd-analyze that predate 2020. ==== thin-provisioning-tools ==== Version update (1.2.1 -> 1.3.2) - Update to version 1.3.2: * Bump version to 1.3.2 * [doc] Update CHANGES * [thin_repair] Prevent out-of-bounds access from corrupted btree pointers * [thin_repair] Use saturating arithmetic to avoid integer overflow * [build] Update ratatui to address RUSTSEC-2026-0002 * [build] Bump rand to address RUSTSEC-2026-0097 * Bump version to 1.3.1 * [doc] Update CHANGES * [build] Update dependencies to latest patch releases * [space_map] Optimize zero-filling loops in Aggregator region lookup * [tests] Fix device name in the preparation script * [tests] Add tests for thin_ls mapped block counts * [tests] Update documentation for test files * [thin_ls] Optimize second pass by skipping unnecessary key parsing * [thin_ls] Read exclusive leaves multithreaded * [thin_ls] Read leaf nodes multithreaded * [thin_ls] Read internal nodes multithreaded * [thin_ls] Switch to Aggregator for upcoming parallelization * [utils] Add mutable accessor to HashVec * [space_map] Add specialized Aggregator that counts up to two * [space_map] Make Region type configurable via generics * [space_map] Relocate misplaced code documentation * [thin_ls] Print memory usage for performance analysis * [utils] Factor out memory profiling functions * [space_map] Factor out repair_space_map * Bump version to 1.3.0 * [doc] Update CHANGES * [build] Update dependencies to latest patch releases * [pdata] Avoid unnecessary error object construction * [btree] Factor out get_depth method * [btree_walker] Remove multithreaded read_nodes and use references * [thin_check] Handle data mappings outside the space map boundary * [btree_walker] Handle metadata blocks outside the space map boundary * [thin_check] Remove unused error logging * [space_map] Add comments to space_map/aggregator_load.rs * [space_map] Prevent panics from out-of-bounds access in Aggregator * [thin_check] Display number of free blocks using saturating arithmetic * [thin_check] Handle incomplete metadata dump * [thin_check] Do not read space maps while checking the metadata snap * [thin_check] Refactor space map comparison * [thin_explore] Migrate from tui to ratatui * [thin_check] Improve error messages by visiting the mapping tree first * Bump version to 1.3.0-rc.1 * [io_engine] Improve partial read handling in VectoredBlockIo * [io_engine] Pass down the error from IoEngine to the handler * [thin_check] Fix error when no devices are present * [all] Avoid manual implementation of .is_multiple_of() on unsigned types * [io_engine] Handle out of bounds reads in VectoredBlockIo * [space_map] Handle errors in reading bitmap blocks * [thin_check] Handle errors in reading mapping tree leaves * [thin_check] Replace Arc::try_unwrap() by into_inner() * [thin_check] Log additional memory usage info * [space_map] Implement get_nr_allocated() for Aggregator * [io_engine] Implement read_blocks for SyncIoEngine * [utils] Add AdjacentChunks to produce fixed-length consecutive runs * [aggregator] Avoid copying block numbers and cloning iterator items * [thin_check] Re-enable NEEDS_CHECK flag clearing * [thin_check] Repair space map leaks * [thin_check] Enable metadata space map checking in terms of Aggregator * [btree_walker] Introduce layer-based btree walker * [btree_walker] Expose the ValueCollector for building maps from Handlers * [btree] Decouple node check and unpack functions from the io Block * [space_map] Batch update the aggregator while loading the ref counts * [thin_check] Read and compare space maps * [utils] Add spawn_future() for concurrent execution * [space_map] Support loading data/metadata space maps into Aggregators * [btree] Derive Copy trait for NodeError * [thin_check] Use threads to speed up read_internal_nodes() * [thin_check] Rewrite read_internal_nodes() to use streaming read * [thin_check] Speed up summarize_tree * [thin_check] Improve performance of reading leaf nodes * [utils] Introduce RangedBitsetIter to iterate a specific range of bits * [space_map] Introduce Aggregator type * [space_map] Split SpaceMap trait into RefCount and SpaceMap * [io_engine] Implement AsyncIoEngine::read_blocks() for streaming read * [io_engine] Add BufferPool * [io_engine] Rewrite AsyncIoEngine to use tokio IoUring * [io_engine] Introduce io_engine/ring_pool.rs * [io_engine] Add documentation to io_engine/gaps.rs * [io_engine] Add some documentation to io_engine/utils.rs * [io_engine] Remove suggest_nr_threads() from IoEngine * [thin_check] Add get_memory_usage() * [pdata] A couple of trivial performance tweaks to unpacking a btree node * Bump version to 1.2.2 * [doc] Update CHANGES * [build] Update dependencies to latest patch releases * [build] Update dependencies' major/minor versions without code changes * [tests] Add era_invalidate --metadata-snapshot tests * [era_invalidate] Fix missing flag setting for --metadata-snapshot ==== which ==== Version update (2.23 -> 2.25) - Update to 2.25: * Fix an out of bounds stack read