Packages changed:
  Mesa (26.0.5 -> 26.1.0)
  Mesa-drivers (26.0.5 -> 26.1.0)
  MicroOS-release (20260430 -> 20260510)
  PackageKit
  SDL3 (3.4.4 -> 3.4.6)
  accountsservice
  at-spi2-core (2.60.2 -> 2.60.3)
  avahi
  avahi-glib2
  bubblewrap (0.11.1 -> 0.11.2)
  busybox
  colord
  coreutils
  coreutils-systemd
  curl (8.19.0 -> 8.20.0)
  distrobox
  dracut (110+suse.23.g5d9502c7 -> 110+suse.29.g16072cee)
  dracut-pcr-signature (0.6+4 -> 0.7+0)
  ethtool (6.19 -> 7.0)
  fwupd (2.0.20 -> 2.1.1)
  gawk (5.3.2 -> 5.4.0)
  gcc16 (16.0.1+git8812 -> 16.1.1+git8886)
  glib2 (2.88.0 -> 2.88.1)
  glibc
  glslang (16.2.0 -> 16.3.0)
  gnutls (3.8.12 -> 3.8.13)
  kdump
  kernel-firmware-amdgpu (20260427 -> 20260505)
  kernel-firmware-bluetooth (20260423 -> 20260505)
  kernel-firmware-i915
  kernel-firmware-intel (20260408 -> 20260505)
  kernel-firmware-media (20260414 -> 20260505)
  kernel-firmware-mediatek
  kernel-firmware-platform (20260416 -> 20260505)
  kernel-firmware-qcom (20260423 -> 20260505)
  kernel-firmware-realtek
  kernel-source (7.0.2 -> 7.0.5)
  kexec-tools (2.0.30 -> 2.0.32+git15.g677dd2f)
  krb5
  lcms2 (2.19 -> 2.19.1)
  leancrypto
  libass
  libcontainers-common (20260112 -> 20260429)
  libdnf-plugin-txnupd
  libexif (0.6.25 -> 0.6.26)
  libksysguard6
  libsemanage
  libsndfile
  ncurses
  net-tools (2.10+1 -> 3.14~alpha~git.20251212.7011617)
  openjph (0.27.0 -> 0.27.1)
  openssh
  patterns-containers
  perl (5.42.0 -> 5.42.1)
  podman (5.8.1 -> 5.8.2)
  python-Mako (1.3.11 -> 1.3.12)
  python-greenlet (3.4.0 -> 3.5.0)
  qt6-base
  qt6-svg
  qtkeychain-qt6 (0.15.0 -> 0.16.0)
  raspberrypi-firmware-dt
  rootlesskit (2.3.6 -> 3.0.0)
  sdbootutil (1+git20260421.88e40c4 -> 1+git20260506.25d47bf)
  sdl2-compat (2.32.66 -> 2.32.68)
  selinux-policy
  sensors
  shadow
  sord (0.16.20 -> 0.16.22)
  sqlite3 (3.53.0 -> 3.53.1)
  sratom (0.6.20 -> 0.6.22)
  sssd
  tar
  update-alternatives (1.22.21 -> 1.22.22)

=== Details ===

==== Mesa ====
Version update (26.0.5 -> 26.1.0)
Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1

- Update to 26.1.0
  * This release marks the first major feature update in the Mesa 26 series.
  * Highlights:
    - Implementation of Vulkan 1.4 API (support varies by driver).
    - VirtIO-GPU Native-Context for Intel Iris, Crocus, and ANV drivers providing faster GPU paravirtualization.
    - VirGL is now considered unmaintained.
    - Zink now supports OpenGL ES 2.0 on PowerVR GPUs.
    - RADV (AMD) added support for low-latency video encode/decode and VK_KHR_internally_synchronized_queues.
    - Experimental support for Intel Nova Lake P hardware.
    - Rusticl (OpenCL) now requires a static C++ standard library.
    - New extensions supported across various drivers: VK_EXT_present_timing, GL_NV_timeline_semaphore (radeonsi), VK_QCOM_image_processing (turnip), VK_KHR_present_id, VK_KHR_present_wait, and various cl_khr_subgroup extensions.
- Dropped support for Python 3.6. Removed related patches:
  * u_0001-intel-genxml-Drop-from-__future__-import-annotations.patch
  * u_0002-intel-genxml-Add-a-untyped-OrderedDict-fallback-for-.patch
  * python36-buildfix1.patch
  * u_meson-lower-python-version-requirement.patch
- Removed obsolete u_dep_xcb.patch.
- Adjusted patches for new source context:
  * n_drirc-disable-rgb10-for-chromium-on-amd.patch
- Add patch from https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40161 to fix build on armv6/7:
  * u_PR-40161.patch
- Update to 26.0.6 bugfix release
  - -> https://docs.mesa3d.org/relnotes/26.0.6

==== Mesa-drivers ====
Version update (26.0.5 -> 26.1.0)
Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp

- Update to 26.1.0
  * This release marks the first major feature update in the Mesa 26 series.
  * Highlights:
    - Implementation of Vulkan 1.4 API (support varies by driver).
    - VirtIO-GPU Native-Context for Intel Iris, Crocus, and ANV drivers providing faster GPU paravirtualization.
    - VirGL is now considered unmaintained.
    - Zink now supports OpenGL ES 2.0 on PowerVR GPUs.
    - RADV (AMD) added support for low-latency video encode/decode and VK_KHR_internally_synchronized_queues.
    - Experimental support for Intel Nova Lake P hardware.
    - Rusticl (OpenCL) now requires a static C++ standard library.
    - New extensions supported across various drivers: VK_EXT_present_timing, GL_NV_timeline_semaphore (radeonsi), VK_QCOM_image_processing (turnip), VK_KHR_present_id, VK_KHR_present_wait, and various cl_khr_subgroup extensions.
- Dropped support for Python 3.6. Removed related patches:
  * u_0001-intel-genxml-Drop-from-__future__-import-annotations.patch
  * u_0002-intel-genxml-Add-a-untyped-OrderedDict-fallback-for-.patch
  * python36-buildfix1.patch
  * u_meson-lower-python-version-requirement.patch
- Removed obsolete u_dep_xcb.patch.
- Adjusted patches for new source context:
  * n_drirc-disable-rgb10-for-chromium-on-amd.patch
- Add patch from https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40161 to fix build on armv6/7:
  * u_PR-40161.patch
- Update to 26.0.6 bugfix release
  - -> https://docs.mesa3d.org/relnotes/26.0.6

==== MicroOS-release ====
Version update (20260430 -> 20260510)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== PackageKit ====
Subpackages: PackageKit-backend-dnf5 libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0

- spec: requires_ge takes a package name as parameter, not a full NVR.arch string (that just happens to work sometimes): Fix by passing '--qf "%%{name}' to the rpm call identifying the target package name.

==== SDL3 ====
Version update (3.4.4 -> 3.4.6)

- Update to release 3.4.6
  * Fixed scaled cursor image selection on Wayland
  * Fixed horizontal touchpad scrolling direction on X11
  * Fixed crash on exit when using KMSDRM in atomic mode
  * Fixed multi-threaded crashes using SDL GPU on Vulkan

==== accountsservice ====

- Add accountsservice.tmpfiles file to create directories under /var using systemd-tmpfiles (jsc#PED-14834).

==== at-spi2-core ====
Version update (2.60.2 -> 2.60.3)
Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0

- Update to version 2.60.3:
  + libatspi: Fix another NULL pointer dereference.

==== avahi ====
Subpackages: libavahi-client3 libavahi-common3 libavahi-core7

- Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response containing a recursive CNAME record (bsc#1257235).
- Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546)
- Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836).

==== avahi-glib2 ====

- Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response containing a recursive CNAME record (bsc#1257235).
- Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546)
- Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836).

==== bubblewrap ====
Version update (0.11.1 -> 0.11.2)

- Update to version 0.11.2 (bsc#1262113):
  * In setuid mode, don't run the low-privileged parts of the setup as dumpable, as that allows it to be ptraced which can lead to problems. This is CVE-2026-41163.
  * New build option `-Dsupport_setuid`, which if set to false (which is the default) disables the support for setuid. Binaries built with this will refuse to run if made setuid.

==== busybox ====

- Fix heap buffer overflow vulnerability in the DHCPv6 client (CVE-2026-29004, bsc#1263989)
  * 0001-udhcpc6-fix-buffer-overflow.patch
  * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch

==== colord ====

- Mark both /var/lib/colord and /var/lib/colord/icc as %ghost directories since both are created from a systemd-tmpfiles config file provided by upstream (jsc#PED-14837)
- Make colord-color-profiles noarch since it doesn't contain binary files.

==== coreutils ====

- coreutils-tests-misc-tty-eof-avoid-false-failure.patch: Add upstream patch: tests: avoid false failure with perl-IO-Tty >= 1.24 (bsc#1264052)

==== coreutils-systemd ====

- coreutils-tests-misc-tty-eof-avoid-false-failure.patch: Add upstream patch: tests: avoid false failure with perl-IO-Tty >= 1.24 (bsc#1264052)

==== curl ====
Version update (8.19.0 -> 8.20.0)
Subpackages: libcurl4

- Update to 8.20.0:
  * Security fixes:
    - CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631)
    - CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632)
    - CVE-2026-5773: wrong reuse of SMB connection (bsc#1262633)
    - CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635)
    - CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636)
    - CVE-2026-6429: curl: netrc credential leak with reused proxy connection (bsc#1262638)
  * Changes:
    - async-thrdd: use thread queue for resolving
    - lib: add thread pool and queue
    - lib: drop support for < c-ares 1.16.0
    - lib: make SMB support opt-in
    - multi.h: add CURLMNWC_CLEAR_ALL
    - rtmp: drop support
  * Bugfixes:
    - altsvc: cap the list at 5,000 entries
    - altsvc: drop the prio field from the struct
    - altsvc: skip expired entries read from file
    - asyn-ares: connect async
    - asyn-ares: drop orphaned variable references
    - asyn-ares: fix HTTPS-lookup when not on port 443
    - asyn-thrdd: drop redundant `result` check
    - asyn-thrdd: fix clang-tidy unused value warning
    - async-ares: fix query counter handling
    - cf-ip-happy: limit concurrent attempts
    - cf-socket: avoid low risk integer overflow on ancient Solaris
    - cfilters: fix Curl_pollset_poll() return code mixup
    - config2setopts: make --capath work in proxy disabled builds
    - cookie: fix rejection when tabs in value
    - curl.h: replace macros with C++-friendly method to enforce 3 args
    - curl_ctype.h: fix spelling in a couple of locally used macros
    - curl_get_line: error out on read errors
    - curl_get_line: fix potential infinite loop when filename is a directory
    - curl_ngtcp2: extend and update callbacks for 1.22.0+
    - curl_ntlm_core: drop redundant PP condition
    - curl_ntlm_core: use wolfCrypt DES API with wolfSSL
    - curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard
    - curl_sha512_256: support delegating to wolfSSL API
    - curlx_now(), prevent zero timestamp
    - digest: pass in the username quoted (as well)
    - dns: https-eyeballing async
    - dnscache: own source file, improvements
    - doh: fix memory-leak when doing a second DoH resolve
    - doh: remove superfluous doh_req check
    - file: init fd to -1 to prevent close fd 0 on early failure
    - fopen: for temp files, inherit permissions only for owner
    - ftp: do not strdup DATA hostname
    - ftp: make the MDTM date parser stricter (again)
    - ftp: reject PWD responses containing control characters
    - generate.bat: remove extra % from VC11 and VC12 runs
    - genserv.pl: make external calls safe
    - getinfo: initialize `PureInfo` field `used_proxy`
    - getinfo: repair CURLINFO_TLS_SESSION
    - h3: HTTPS-RR use in HTTP/3
    - Happy Eyeballs: add resolution time delay
    - hostip: clear the sockaddr_in6 structure before use
    - hostip: init the curl_jmpenv_lock appropriately
    - hostip: resolve user supplied ip addresses
    - HSTS: cap the list
    - hsts: make the HSTS read callback handle name dupes
    - hsts: skip expired HSTS entries read from file
    - hsts: when a dupe host adds subdomains, use that
    - http2: clear the h2 session at delete
    - http2: prevent secure schemes pushed over insecure connections
    - http2: return error on OOM in push headers
    - http: clear credentials better on redirect
    - http: clear digest nonce on cross-origin redirect
    - http: clear the proxy credentials as well on port or scheme change
    - http: fix auth_used and auth_avail
    - http: fix Curl_compareheader for multi value headers
    - http: make Curl_compareheader handle multiple commas in header
    - http: on 303, switch to GET
    - http: use header_has_value() instead of duplicate code
    - imap: reset the UIDVALIDITY state between transfers
    - lib: accept larger input to md5/hmac/sha256/sha512 functions
    - lib: always use Curl_1st_fatal instead of Curl_1st_err
    - lib: make resolving HTTPS DNS records reliable:
    - lib: move request specific allocations to the request struct
    - lib: replace `PRI*32` printf masks with C89 ones
    - libssh2: allocate libssh2-friendly memory in kbd_callback
    - libssh2: fix error handling on quote errors
    - libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0
    - libssh: path length precaution
    - libssh: propagate error back in SFTP function
    - location/follow: mention netrc
    - man: fix argument type for `CURLSHOPT_[UN]SHARE` options
    - md4, md5: switch to wolfCrypt API in wolfSSL builds
    - mime: only allow 40 levels of calls
    - misc: fix code quality findings
    - multi: enhance pending handles fairness
    - multi: fix connection retry for non-http
    - multi: improve wakeup and wait code
    - netrc: find login-less password when user is given in URL
    - netrc: remove unused parsenetrc() macro for netrc-disabled
    - netrc: skip malformed macdef lines
    - openssl channel_binding: lookup digest algorithm without NID
    - openssl: drop obsolete SSLv2 logic
    - openssl: fix build with 4.0.0-beta1 no-deprecated
  ... changelog too long, skipping 59 lines ...
  * Rebased patches: dont-mess-with-rpmoptflags.patch libcurl-ocloexec.patch

==== distrobox ====
Subpackages: distrobox-bash-completion

- Split openSUSE-provided configuration to its own branding package (jsc#PED-14656, coo#129)
- Suggest podman to hint the solver towards it when neither docker or podman are installed (jsc#PED-14656, coo#129)
- Recommend flatpak rather than requiring it: it is only needed for the host-exec feature, and it is not desirable to pull it in on minimal installations.

==== dracut ====
Version update (110+suse.23.g5d9502c7 -> 110+suse.29.g16072cee)
Subpackages: dracut-ima

- Update to version 110+suse.29.g16072cee:
  * fix(dracut-install): remove FTS_NOSTAT in install_modules() fts traversal
  * fix(systemd-cryptsetup): load libcryptsetup via dlopen
  * fix(systemd-repart): load libfdisk via dlopen
  * fix(systemd-sysusers): do not run systemd-sysusers as part of the build process
  * fix(systemd): revert changes related to deduplication of cryptsetup targets
  * feat(systemd-coredump): save coredumps to journal

==== dracut-pcr-signature ====
Version update (0.6+4 -> 0.7+0)

- Update to version 0.7+0:
  * Boot the ESP in /sysefi during initrd

==== ethtool ====
Version update (6.19 -> 7.0)

- update to upstream release 7.0
  * Feature: support MSE display (--show-mse)
  * Feature: add 2 new link_ext_state names
  * Fix: fix index calculation in ixgbe register dump (-d)
  * Fix: cmis wavelength tolerance output (-m)
  * Fix: duplicate sfpid Active Cu compliance output (-m)

==== fwupd ====
Version update (2.0.20 -> 2.1.1)
Subpackages: libfwupd3 typelib-1_0-Fwupd-2_0

- Update to version 2.1.1:
  + This release adds the following features:
    - Add a new fwupd security check for HP Sure Start
    - Add a new plugin to verify Intel CSME using SMBIOS data
    - Add a new tpm-eventlog command to explain the TPM eventlog output
    - Add CycloneDX and SPDX support to uSWID
    - Add support for AMD Platform Secure boot
    - Add support for changing AMD GPU UMA carveout size
    - Add support for emulation for bluetooth devices
    - Allow systems to use the udev event source without using systemd
    - Disable the UEFI plugins on 32bit x86
    - Drop support for GPG signing of metadata and firmware
    - No longer depend on json-glib, libarchive or protobuf-c
    - Remove the concept of blocked firmware
    - Show translated problems when a device cannot be installed
  + This release fixes the following bugs:
    - Add a timeout to the fwupd-refresh systemd unit
    - Allow systemd service to access block-sr devices
    - Always show the correct new firmware version in 'fwupdmgr get-history'
    - Be more defensive with invalid Corsair device responses
    - Cache the payload verification result to speed up installing modem firmware
    - Check for integer overflow when constructing a partial stream
    - Clear the remaining qc-firehose power reset logs
    - Decompress a zip file in Aver HID rather than a bz2 archive
    - Do not allow efivar update without TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    - Do not hang when parsing an invalid USB descriptor
    - Do not include EV_NO_ACTION when calculating the TPM PCRs
    - Do not return an error if the fastboot property is not provided
    - Do not show all IDs as GUIDs if adding quirks after device setup
    - Find shim when using systemd-boot and distro-specific locations
    - Fix activation of dell-kestrel NVM when composite updates are completed
    - Fix a dell-dock regression when enumerating the status component
    - Fix a fuzzer timeout when parsing a Synaptics RMI SBL container
    - Fix a missing error check when updating Genesys USB hubs
    - Fix a potential heap OOB read in AMD Kria SOM EEPROM parser
    - Fix a potential Logitech HID++ hang when parsing unexpected payload IDs
    - Fix a potential out-of-bounds read in Dell dock
    - Fix a regression causing MBIM QDU updates to fail
    - Fix a regression when installing on the HP G5 dock
    - Fix a small memory leak when removing a bluetooth device
    - Fix an integer underflow when parsing a malicious PE file
    - Fix get-updates --json silently skipping UPDATABLE_HIDDEN devices
    - Fix the snapd-uefi request when multiple updates are processed
    - Honor polkit auth for emulation tag modify device
    - Make Logitech HID++ devices using RDFU actually work
    - Only load the history database in the daemon when required
    - Refactor the Snap support out into a new plugin
    - Remove a warning when updating Intel GSC OPROMDATA
    - Remove the bcm57xx recovery device support
    - Require a CHID for generic ElanTP devices
    - Speed up calculating the cabinet checksum by ~20%
    - Support 8bitdo firmware with multiple packed images
    - Try to claim the DFU USB interface more than once
    - Use crc32() from zlib.h when computing the most common kind of CRC32
    - Verify the uncompressed size when decompressing CAB files
  + This release adds support for the following hardware:
    - Blestech Touchpads
    - ELAN Haptic MCU devices
    - FocalTouch devices
    - Himax Touchscreens
    - HP Engage One G2 Advanced Hub
    - KATAR PRO Wireless Gaming Dongle
    - Lenovo keyboard and mice accessories
    - Lenovo Sapphire Folio Keyboard
    - Lightware Taurus HC40 and HC60
    - Novatek touchscreens
    - PixArt Touchpads
    - Rolling RW101-CAT12 modems
    - Sunwinon HID devices
- Drop no longer required BuildRequires: pkgconfig(json-glib-1.0), pkgconfig(libarchive), and pkgconfig(protobuf).
- Drop upstream merged patch 0001-Allow-systemd-service-to-access-block-sr-cdrom-devic.patch
- Drop fwupd-bsc1130056-change-shim-path.patch: no longer applicable.

==== gawk ====
Version update (5.3.2 -> 5.4.0)

- update to 5.4.0:
  * 1. This release now uses Mike Haertel's MinRX regular expression matcher as the default regexp engine. The old regex and dfa engines are still available. More detail is available in the manual, and in the file README_d/README.matchers. At the very least, read that file!
  * 2. The manual, in the Bugs section, now makes it explicit that (a) Ad hominem attacks on the lists will not be tolerated, and (b) Discussion of proprietary software is strongly discouraged. Repeated offenses are grounds for being banned from the lists.
  * 3. There is now a new directive, @nsinclude, which works like @include but does not reset the namespace for the included file to "awk". See the manual for details.
  * 4. When using lshift() or rshift() and attempting to shift by as many or more bits than in a uintmax_t, gawk returns zero, instead of whatever the C compiler and hardware might have done.
  * 5. Gawk's use of persistent memory has changed somewhat:
  * A. Gawk now stores additional meta-information in the backing file.
  * This means that if you have a backing file with important data in it, you should dump the data to a text file using the old version, create a new backing file, and then read your data back in with the new version, to a *brand new* backing file.
  * 6. The ordchr extension now supports multibyte / wide characters.
  * 7. Per the 2024 POSIX standard, `length(array)' is no longer an extension, but a regular feature. Thus --posix no longer rejects it and --lint no longer warns about it.
  * 8. The --traditional option has been rationalized to bring gawk into sync with BWK awk. It no longer affects the return code from system(), and it no longer prevents using a regexp for RS. Internally, the code was cleaned up some as well.
  * 9. Assertions in the C code are now enabled. To disable them, manually edit the various Makefiles after running configure and before running make. You will need to add -DNDEBUG to the CFLAGS variable.

==== gcc16 ====
Version update (16.0.1+git8812 -> 16.1.1+git8886)
Subpackages: libgcc_s1 libgomp1 libstdc++6

- Update to 16.1.1+git8886, includes GCC 16.1 release.

==== glib2 ====
Version update (2.88.0 -> 2.88.1)
Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Update to version 2.88.1:
  + Fix miscompilation with GCC 16 due to GLib’s use of the wrong function attribute.
  + Fix flag confusion security issue when using `GRegex` with `G_REGEX_RAW` which can result in unbounded out-of-bounds heap reads off the start of a regex input string.
  + Fix various minor (low severity) security issues, typically one-to-five-byte out-of-bounds reads or ones relying on very specific (and unlikely) API calls or ones relying on discouraged P2P D-Bus configurations.
  + Updated translations.

==== glibc ====
Subpackages: glibc-locale glibc-locale-base

- ibm139x-pending-char-state.patch: Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046, bsc#1261206, BZ #33980)

==== glslang ====
Version update (16.2.0 -> 16.3.0)

- Update to release 16.3.0
  * Deprecated the HLSL front-end.

==== gnutls ====
Version update (3.8.12 -> 3.8.13)

- Update to 3.8.13:
  * libgnutls: Add more checks to DTLS reassembly
    [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846, bsc#1263705]
  * libgnutls: Fix qsort comparator in DTLS reassembly
    [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009, bsc#1263708]
  * libgnutls: Fix crashing on an underflow with a DTLS datagram
    A remotely triggerable underflow in the DTLS reassembly code led to a heap overrun.
    [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845, bsc#1263704]
  * libgnutls: Fix RSA-PSK identity truncation
    [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010, bsc#1263709]
  * libgnutls: Fix case-sensitivity of domain name comparison in name constraints
    [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833, bsc#1263707]
  * libgnutls: Fix intersecting empty constraints
    [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011, bsc#1263710]
  * libgnutls: Suppress CN fallback in presence of URI and SRV SAN
    [GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012, bsc#1263711]
  * libgnutls: Suppress CN fallback for oversized SAN
    [GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013, bsc#1263712]
  * libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
    [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014, bsc#1263713]
  * libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
    [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260, bsc#1263715]
  * libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
    [GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015, bsc#1263714]
  * libgnutls: Fix multi-entry OCSP response revocation bypass
    [GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832, bsc#1263706]
  * libgnutls: Fix timing side-channel in PKCS#7 padding removal
    [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419, bsc#1263716]
  * libgnutls: Fix PSK username comparison during rehandshake
  * libgnutls: Fix OID length check for OCSP delegated signer EKU
  * libgnutls: Fix AES keys persisting with pkcs11-provider
  * libgnutls: Fix missing RSA key coprimality check in verify_params
  * libgnutls: Fix overread when parsing OpenSSL PEM private keys
  * libgnutls: Fix a theoretical double-free during certificate import
  * libgnutls: Fix heap overread in SCT extension parser
  * libgnutls: Zeroize shared secret derived during hybrid key exchange
  * build: Support building with Nettle 4.0
    Nettle 4.0 was released in February 2026, with API incompatible changes from 3.10. The library can now compile with it, while Nettle 3.10 is still supported (#1791).
  * libgnutls: Support deriving ML-DSA public key from an expanded private key
    RFC 9881 defines 3 private key formats for ML-DSA: "seed", "expandedKey" and both. It is now possible to derive a public key from a private key in the "expandedKey" format (#1723).
  * libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
    For compatibility reasons, the library supports two formats for EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING (DER). Previously, loading a private key in the former format resulted in a failure, which is now fixed (#1749).
  * libgnutls: HPKE (RFC 9180) is now supported as a technology preview
    The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic protocol which enables to encrypt arbitrary data to a recipient, by combining key encapsulation mechanism (KEM) and authenticated encryption with additional data (AEAD). GnuTLS now includes the implementation contributed by David Dudas. Given this is a technology preview, the implementation and the API might suffer modification in the following period. Use --enable-hpke to turn on this feature (#1506).
  * libgnutls: Fix TLS 1.3 client certificate selection
    For servers that send a signature_algorithms extension in CertificateRequest with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones, the client now properly considers RSA when selecting a certificate to send. This fixes TLS 1.3 interoperability with newer Java servers when using client certificates.
  * libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
    When using kTLS with ChaCha20-Poly1305 under TLS 1.2, an incorrect value was passed as the IV to the kernel, causing connections to fail early.
  * libgnutls: Allow fetching object type metadata for PKCS#11 keys
    A new library function, gnutls_pkcs11_obj_get_pk_algorithm, has been added to check the public key algorithms of PKCS#11 key objects. Object types other than CKO_PRIVATE_KEY are currently not supported.
  * API and ABI modifications:
    - gnutls_hpke_kem_t: New enum
    - gnutls_hpke_kdf_t: New enum
    - gnutls_hpke_aead_t: New enum
    - gnutls_hpke_mode_t: New enum
    - gnutls_hpke_role_t: New enum
    - gnutls_hpke_context_st: New context structure
    - gnutls_hpke_init: New function
    - gnutls_hpke_deinit: New function
    - gnutls_hpke_encap: New function
    - gnutls_hpke_seal: New function
    - gnutls_hpke_decap: New function
    - gnutls_hpke_open: New function
    - gnutls_hpke_derive_keypair: New function
    - gnutls_hpke_export: New function
    - gnutls_pkcs11_obj_get_pk_algorithm: New function
  * Rebase gnutls-FIPS-140-3-references.patch
  * Remove patches upstream:
    - gnutls-libnettle4-2075.patch
    - gnutls-libnettle4-2080.patch

==== kdump ====

- drop unconditional calibrate BuildRequires

==== kernel-firmware-amdgpu ====
Version update (20260427 -> 20260505)

- Update to version 20260505 (git commit 027be1e3d201):
  * amdgpu: DMCUB updates for various ASICs

==== kernel-firmware-bluetooth ====
Version update (20260423 -> 20260505)

- Update to version 20260505 (git commit 027be1e3d201):
  * rtl_bt: Add missing rtl8761a_config.bin for RTL8761AU

==== kernel-firmware-i915 ====

- Update aliases from 7.1-rc1

==== kernel-firmware-intel ====
Version update (20260408 -> 20260505)

- Update to version 20260505 (git commit 027be1e3d201):
  * Linux-firmware: Add Dell ISH firmware 581.7783.0 for Intel Panther Lake systems.

==== kernel-firmware-media ====
Version update (20260414 -> 20260505)

- Update to version 20260505 (git commit 027be1e3d201):
  * qcom: vpu: add Gen2 firmware binary for Agatti

==== kernel-firmware-mediatek ====

- Update aliases from 7.1-rc1

==== kernel-firmware-platform ====
Version update (20260416 -> 20260505)

- Update to version 20260505 (git commit 027be1e3d201):
  * linux-firmware:Add firmware for Lontium LT7911EXC bridge

==== kernel-firmware-qcom ====
Version update (20260423 -> 20260505)

- Update to version 20260505 (git commit 027be1e3d201):
  * qcom: update ADSP firmware for x1e80100 platform
  * qcom: Update CDSP firmware for Kaanapali platform

==== kernel-firmware-realtek ====

- Update aliases from 7.1-rc1

==== kernel-source ====
Version update (7.0.2 -> 7.0.5)
Subpackages: kernel-64kb kernel-default

- Linux 7.0.5 (bsc#1012628).
- xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1012628).
- commit 77ae3c4
- Linux 7.0.4 (bsc#1012628).
- ipmi:ssif: NULL thread on error (bsc#1012628).
- ipmi:ssif: Remove unnecessary indention (bsc#1012628).
- netfilter: reject zero shift in nft_bitwise (bsc#1012628).
- net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (bsc#1012628).
- mm/slab: return NULL early from kmalloc_nolock() in NMI on UP (bsc#1012628).
- mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP (bsc#1012628).
- vmalloc: fix buffer overflow in vrealloc_node_align() (bsc#1012628).
- ALSA: aloop: Fix peer runtime UAF during format-change stop (bsc#1012628).
- ALSA: caiaq: fix usb_dev refcount leak on probe failure (bsc#1012628).
- drm/imagination: Fix segfault when updating ftrace mask (bsc#1012628).
- drm/amdgpu: fix zero-size GDS range init on RDNA4 (bsc#1012628).
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1012628).
- ALSA: caiaq: Don't abort when no input device is available (bsc#1012628).
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path (bsc#1012628).
- driver core: Add kernel-doc for DEV_FLAG_COUNT enum value (bsc#1012628).
- crypto: authencesn - reject short ahash digests during instance creation (bsc#1012628).
- mei: me: add nova lake point H DID (bsc#1012628).
- mei: me: use PCI_DEVICE_DATA macro (bsc#1012628).
- mm: avoid deadlock when holding rmap on mmap_prepare error (bsc#1012628).
- mm: various small mmap_prepare cleanups (bsc#1012628).
- wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling (bsc#1012628).
- wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor (bsc#1012628).
- iio: frequency: admv1013: fix NULL pointer dereference on str (bsc#1012628).
- iio: frequency: admv1013: add dev variable (bsc#1012628).
- perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND (bsc#1012628).
- seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode (bsc#1012628).
- scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails (bsc#1012628).
- sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle (bsc#1012628).
- rxgk: Fix potential integer overflow in length check (bsc#1012628).
- rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1012628).
- ntfs3: fix integer overflow in run_unpack() volume boundary check (bsc#1012628).
- ntfs3: add buffer boundary checks to run_unpack() (bsc#1012628).
- NFSv4.1: Apply session size limits on clone path (bsc#1012628).
- ktest: Fix the month in the name of the failure directory (bsc#1012628).
- IB/core: Fix zero dmac race in neighbor resolution (bsc#1012628).
- gtp: disable BH before calling udp_tunnel_xmit_skb() (bsc#1012628).
- ceph: only d_add() negative dentries when they are unhashed (bsc#1012628).
- ceph: fix num_ops off-by-one when crypto allocation fails (bsc#1012628).
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() (bsc#1012628).
- dm mirror: fix integer overflow in create_dirty_log() (bsc#1012628).
- crypto: nx - Fix packed layout in struct nx842_crypto_header (bsc#1012628).
- crypto: nx - fix context leak in nx842_crypto_free_ctx (bsc#1012628).
- crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx (bsc#1012628).
- crypto: atmel-sha204a - Fix uninitialized data access on OTP read error (bsc#1012628).
- crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path (bsc#1012628).
- crypto: atmel-sha204a - Fix error codes in OTP reads (bsc#1012628).
- crypto: atmel-tdes - fix DMA sync direction (bsc#1012628).
- crypto: ccree - fix a memory leak in cc_mac_digest() (bsc#1012628).
- crypto: hisilicon - Fix dma_unmap_single() direction (bsc#1012628).
- crypto: atmel-ecc - Release client on allocation failure (bsc#1012628).
- crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup (bsc#1012628).
- crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit (bsc#1012628).
- crypto: acomp - fix wrong pointer stored by acomp_save_req()
  ... changelog too long, skipping 659 lines ...
- commit 086d181

==== kexec-tools ====
Version update (2.0.30 -> 2.0.32+git15.g677dd2f)

- update to 2.0.32+git15.g677dd2f:
  * x86_64: Support UKI image format
  * pe-zboot: Truncate the trailing zero if Image is signed
  * kexec: Enable zstd in kexec decompression paths
  * x86_64: Use the x86-64 level for purgatory
  * RISC-V: Enable kexec_file_load syscall
  * RISC-V: Support loading Image binary file
  * kexec/zboot: Add boundary check on PE header offset
  * LoongArch: Change COMMAND_LINE_SIZE to 4096
  * kexec: Handle removal of multiple 'crashkernel' parameters
  * LoongArch: Enforce relocatable kernel check for crash dump
  * LoongArch: Change initrd allocation to top-down
  * LoongArch: Add kexec_file_load syscall
  * LoongArch: Remove 'kexec_file' cmdline parameters when using --reuse-cmdline option
  * kexec/ifdown.c: Use AF_NETLINK instead of AF_INET
  * ppc64: ensure /memreserve/ sections exist in user-provided FDT
  * ppc64: handle reboot CPU in case of user provided DTB
  * ppc64: lift the dtb and initrd restriction
  * kexec: add kexec flag to support debug printing
  * UKI: Fix the size of real payload
  * ppc64: Reserve FDT memory for full elfcorehdr memory size
  * LoongArch: Increase MAX_MEMORY_RANGES to 1024
- drop outdated patches:
  * kexec-tools-SYS_getrandom.patch
  * kexec-tools-riscv64.patch
  * kexec-tools-riscv-hotplug.patch

==== krb5 ====

- Fix two NegoEx parsing vulnerabilities:
  * CVE-2026-40355, bsc#1263366
  * CVE-2026-40356, bsc#1263367
- Add patch 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch

==== lcms2 ====
Version update (2.19 -> 2.19.1)

- Update to version 2.19.1
  * Fixed sonames generation when using autotools.
  * Recovered an undocumented memory write feature lost because of a "security" report.

==== leancrypto ====

- Calculate the FIPS HMAC for the leancrypto and the leancrypto-fips libraries. (bsc#1262399)

==== libass ====

- Add patch d013d97631bf86577e7eb44941b2b7b9cf4192d0.patch to fix a leak with libfontconfig

==== libcontainers-common ====
Version update (20260112 -> 20260429)
Subpackages: libcontainers-default-policy registries-conf-default

- New release 20260429
  * bump bundled c/common to 0.67.1
- Switch source to the new upstream monorepo containers/container-libs.
- Drop SUSE patches:
  * 0001-containers.conf-SUSE-clear-cni-config-dir-for-ALP.patch (replaced by containers.conf.d/01-suse-cni.conf drop-in)
  * 0002-storage-conf-prio-list.patch (no-op btrfs storage_priority patch)
  * 0003-containers-conf-suse-defaults.patch (replaced by containers.conf.d/00-suse-containers.conf drop-in)
- Split SUSE-specific sigstore entries out of default.yaml into per-registry files (registry.suse.com.yaml, registry.suse.de.yaml).
- Ship search-registries via a registries.conf.d/ drop-in instead of modifying the base registries.conf in the subpackages.

==== libdnf-plugin-txnupd ====

- requires_ge takes a package name as parameter, not a full NVR.arch string (that just happens to work sometimes): Fix by passing '--qf "%%{name}' to the rpm call identifying the target package name.

==== libexif ====
Version update (0.6.25 -> 0.6.26)

- libexif-0.6.26 (2026-04-14):
  * Security issues fixed:
    * CVE-2026-40386: An unsigned integer underflow in Fuji and Olympus makernote handling (bsc#1262001)
    * CVE-2026-40385: An unsigned integer overflow on 32bit systems in Nikon makernote handling (bsc#1262000)
    * CVE-2026-32775: A buffer overwrite via integer underflow in makernote handling (bsc#1259755)
  * handle JPEG APP3 marker
  * added EXIF_TAG_IMAGE_DEPTH tag
  * translations updated: Arabic, German, Spanish, Polish, Romanian, Serbian, Swedish, Ukrainian, Chinese

==== libksysguard6 ====
Subpackages: ksysguardsystemstats6-data libKSysGuardSystemStats2 libksysguard6-imports

- Add missing %verify(not caps) (boo#1263098)

==== libsemanage ====
Subpackages: libsemanage-conf libsemanage2

- Change store root-path for selinux modules from /var/lib/selinux to /etc (fixes bsc#1221342 PED-12492)

==== libsndfile ====

- Fix IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555): libsndfile-CVE-2026-37555.patch
- Fix buffer overflow in the ircam_read_header function (bsc#1248458, CVE-2025-52194): libsndfile-CVE-2025-52194.patch

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo-base

- Remove fix-mouse.patch as it is verified that patch 20260418 includes the fix (boo#1253379)

==== net-tools ====
Version update (2.10+1 -> 3.14~alpha~git.20251212.7011617)

- Switch to the latest snapshot of the new active upstream: https://github.com/ecki/net-tools (jsc#PED-14308).
- Update to version 3.14~alpha~git.20251212.7011617:
  * Merges all useful downstream contributions. Obsoletes following patches: 0007-Introduce-T-notrim-option-in-netstat.patch, net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch, net-tools-CVE-2025-46836-error-reporting.patch, net-tools-parse_hex-stack-overflow.patch, net-tools-proc_gen_fmt-buffer-overflow.patch, net-tools-ifconfig-avoid-unsafe-memcpy.patch, net-tools-ax25+netrom-overflow-1.patch, net-tools-ax25+netrom-overflow-2.patch, net-tools-ifconfig-long-name-warning.patch.
  * Translation updates.
  * Minor fixes.
  * Defaults changes:
    * Enable Bluetooth protocol family, Token ring (generic) support and SELinux support.
- Prevent denial of service via terminal escape sequences injection (bsc#1254323, gh#ecki/net-tools#2109, CVE-2024-58251, net-tools-netstat-ansi-injection.patch).

==== openjph ====
Version update (0.27.0 -> 0.27.1)

- Update to 0.27.1:
  * Adds a check that we do not use reversible Sqcd/Sqcc with irreversible transform
  * Detecting illegal precinct width or height #269

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Update openssh-7.7p1-fips.patch (bsc#1262555): Don't bail out on startup if a non-FIPS algorithm is requested. Filter it out and warn instead.
- Update openssh-8.0p1-gssapi-keyex.patch: Apply to GSS too.

==== patterns-containers ====

- Remove incorrect and redundant parent provides in podman subpattern

==== perl ====
Version update (5.42.0 -> 5.42.1)
Subpackages: perl-base

- update to 5.42.1
  * fix transition to/from daylight savings time
  * fix crashes in some two-variable "for" loop cases
  * fix autovivification for ternary condition operators

==== podman ====
Version update (5.8.1 -> 5.8.2)

- Update to version 5.8.2:
  * Bump to v5.8.2
  * Release notes for v5.8.2
  * hyperV: fix powershell path escape (CVE-2026-33414)
  * cirrus: bump linux machine aarch64 test timeout
  * Remove iptables references in upgrade tests
  * bindings: artifact extract reject invalid names
  * use chrootarchive over plain archive package
  * fix symlink handling in checkpoint restore
  * add missing O_CLOEXEC to open calls
  * Fix Quadlet `Lookup()` stripping unmatched quotes
  * Add e2e test for shell driver DriverOpts cross-contamination fix
  * Fix shell driver DriverOpts cross-contamination in secret creation
  * libpod: fix data race on deferredErr in attachExecHTTP
  * Consolidate build secret tests and assert no podman-build-secret leak
  * Remote build: `nTar` secrets with relative paths and ignore bypass
  * api: fix missing return after error in SystemCheck handler
  * test: relax rootless runc pid namespace assertion
  * New images 2026-03-19
  * cirrus: ensure NOTIFY_SOCKET is properly unset for all tests
  * update fedora base image to 43 and related tests
  * new image sfx for debian 14
  * libpod: Don't dereference ctrSpec.Linux if it is nil
  * quadlet: allow empty Entrypoint to clear image default
  * [v5.8] Bump Buildah to 1.43.1, c/common v0.67.1, c/image v5.39.2
  * bump go-jose/go-jose to v4.1.4
  * [v5.8] Fix `unless-stopped` containers not restarting after ...
  * Bump Podman to v5.8.2-dev

==== python-Mako ====
Version update (1.3.11 -> 1.3.12)

- update to 1.3.12:
  * Fixed issue in :class:`.TemplateLookup` where a URI with backslash path separators (e.g. ``\..\secret.txt``) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution.

==== python-greenlet ====
Version update (3.4.0 -> 3.5.0)

- update to 3.5.0:
  * Remove the atexit callback. This callback caused greenlet APIs to become unavailable far too soon during interpreter shutdown. Now they remain available while all atexit callbacks run. Sometime after Py_IsFinalizing becomes true, they may begin misbehaving. Because the order in which C extensions are finalized is undefined, C extensions that are sensitive to this need to check the results of that function before invoking greenlet APIs. As a convenience, PyGreenlet_GetCurrent sets an exception and returns NULL when this happens (and greenlet.getcurrent begins returning None); other greenlet C API functions have undefined behaviour. Methods invoked directly on pre-existing greenlet.greenlet objects will continue to function at least until the greenlet C extension has been garbage collected and finalized. See PR 508.

==== qt6-base ====
Subpackages: libQt6Concurrent6 libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6OpenGLWidgets6 libQt6PrintSupport6 libQt6Sql6 libQt6Test6 libQt6WaylandClient6 libQt6Widgets6 libQt6WlShellIntegration6 libQt6Xml6 qt6-network-tls qt6-networkinformation-connman qt6-networkinformation-glib qt6-networkinformation-nm qt6-printsupport-cups qt6-sql-sqlite qt6-wayland

- Add upstream fix (QTBUG-145310, kde#518105):
  * 0001-freetype-Handle-failing-glyph-rendering.patch
- Also use GCC 15 on Leap 16.1

==== qt6-svg ====

- Add upstream fix (CVE-2026-6210, boo#1264301)
  * 0001-Test-types-of-nodes-before-downcasting-them.patch

==== qtkeychain-qt6 ====
Version update (0.15.0 -> 0.16.0)

- Update to 0.16.0
  * Add support for selecting backend via environment variable
  * Use default DBus timeout for KWallet check
  * Fix the crash caused by timeout when reading or writing keychain on macOS
  * Fix restore-after-deletion issue by creating QKeychain jobs dynamically
  * Add legacy support for KWallet maps
  * Added Swedish translation
  * Added Georgian translation
  * Fixes for various build/build system issues

==== raspberrypi-firmware-dt ====

- Use polling mode for Ethernet carrier detection on CM5
  0001-arm64-dts-bcm2712-CM5-Ethernet-PHY-use-polling-mode.patch

==== rootlesskit ====
Version update (2.3.6 -> 3.0.0)

- Update to version 3.0.0:
  * v3.0.0
  * docs: update
  * v3.0.0-rc.0+dev
  * v3.0.0-rc.0
  * port/builtin: support source IP propagation for UDP via IP_TRANSPARENT
  * testsuite: split protocol-specific code out of testTransparentWithPID
  * testsuite: use non-loopback IP in TestTCPTransparent
  * CI: add iptables (required by source-ip-transparent)
  * Build(deps): Bump golang.org/x/sys from 0.42.0 to 0.43.0
  * v3.0.0-beta.1+dev
  * v3.0.0-beta.1
  * docs/port.md: update
  * port/gvisor-tap-vsock: fix incompatibility with Docker
  * v3.0.0-beta.0+dev
  * v3.0.0-beta.0
  * rootlesskit-docker-proxy: postpone removal to v4
  * Preserve real client source IP in builtin port driver via IP_TRANSPARENT
  * CI: increase sleep
  * fix: remove Setsid from runWithoutReap to restore TTY
  * Build(deps): Bump golang.org/x/sys from 0.41.0 to 0.42.0
  * Build(deps): Bump golang.org/x/sync from 0.19.0 to 0.20.0
  * Dockerfile: update test deps
  * Build(deps): Bump actions/attest-build-provenance from 3 to 4
  * Build(deps): Bump github.com/containernetworking/plugins
  * v3.0.0-alpha.2+dev
  * v3.0.0-alpha.2
  * Build(deps): Bump golang.org/x/sys from 0.39.0 to 0.40.0
  * Build(deps): Bump github.com/containers/gvisor-tap-vsock
  * fix(testsuite):fix flaky by ensure port is free to use
  * Build(deps): Bump golang.org/x/sys from 0.38.0 to 0.39.0
  * Build(deps): Bump github.com/containernetworking/plugins
  * Build(deps): Bump golang.org/x/sync from 0.18.0 to 0.19.0
  * Build(deps): Bump actions/setup-go from 5 to 6
  * Build(deps): Bump actions/checkout from 5 to 6
  * v3.0.0-alpha.1+dev
  * v3.0.0-alpha.1
  * Build(deps): Bump golang.org/x/sync from 0.17.0 to 0.18.0
  * Build(deps): Bump golang.org/x/crypto from 0.42.0 to 0.45.0
  * Build(deps): Bump actions/checkout from 5 to 6
  * ci: fix missing tag variable in release note generation
  * network/port driver build tags support
  * Build(deps): Bump github.com/gofrs/flock from 0.12.1 to 0.13.0
  * v3.0.0-alpha.0+dev
  * v3.0.0-alpha.0
  * go.mod: bump up
  * port.md: update benchmark description for gvisor-tap-vsock driver
  * go.mod: update gvisor-tap-vsock to v0.8.8 and improve port driver benchmarks
  * refactor: replace Debugf with Debug for logging messages
  * bump go to version 1.24 (version 1.23 is not supported) update go.mod and go.sum for dependency upgrades and fix gvisor-tap-vsock compatibility
  * Add gvisortapvsock port driver support
  * Build(deps): Bump actions/attest-build-provenance from 2 to 3
  * Build(deps): Bump actions/checkout from 4 to 5
  * Build(deps): Bump golang.org/x/sys from 0.34.0 to 0.35.0
  * Build(deps): Bump golang.org/x/sys from 0.33.0 to 0.34.0
  * network: add support for gvisor-tap-vsock driver and integration tests
  * Build(deps): Bump github.com/Masterminds/semver/v3 from 3.3.1 to 3.4.0
  * Build(deps): Bump github.com/urfave/cli/v2 from 2.27.6 to 2.27.7
  * Implement Pdeathsig behavior for child processes and enhance integration tests
  * child: refactor command execution to use goroutines with Pdeathsig

==== sdbootutil ====
Version update (1+git20260421.88e40c4 -> 1+git20260506.25d47bf)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit

- Update to version 1+git20260506.25d47bf:
  * Drop systemd.machine_id if /etc/machine-id is present
  * Support XBOOTLDR partition
  * Add CLAUDE.md file
  * Use command -v instead of hash
  * Remove dead code
  * Fix regular expression non-capturing group
  * Add comment about default values in config file
  * Clarify when swap is mounted
  * Fix typo in comment
  * Exit early if we are outside the initrd
  * Fix variable name
  * Fix typo
  * When cleaning pcrlock.d remove only the content
  * Do not check in_buildroot when updating entries
  * update_kernels: Update entries for the system if no snapshot is provided

==== sdl2-compat ====
Version update (2.32.66 -> 2.32.68)

- Update to release 2.32.68
  * Fixed gamepad rumble in Middle-earth: Shadow of Mordor and other games on Linux
  * Added an "SDL3_VERSION" hint that can be read by games using sdl2-compat

==== selinux-policy ====
Subpackages: selinux-policy-targeted

- start cleanoldsepoldir.service after successful health-checker.service fixes occasional fail on transactional systems when boot failed (boo#1261698)
- Change store root-path for selinux modules from /var/lib/selinux to /etc (fixes bsc#1221342 PED-12492)
  * Service file and script is installed to eventually delete /var/lib/selinux once no snapshot is using it
  * Fix copy custom modules to /etc and can be checked by the provided script `/usr/libexec/selinux/cleanoldsepoldir.sh --check-custom-selinux-modules`
  * Add filters for duplicate entries to rpmlintrc for now
  * Drop dir-or-file-outside-snapshot rpmlint filter

==== sensors ====

- Add sensors-detect-udevadm-path.patch to deal with the move of udevadm from /sbin to /usr/bin (boo#1259511).
- Add pwm-fix-bad-scaling-due-to-use-of-integer-type.patch which fixes PWM values being scaled to 0-128% instead of 0-100% (boo#1255928).

==== shadow ====
Subpackages: libsubid5 login_defs shadow-pw-mgmt

- Use `%verify(not mode caps)` and remove setuid bit for newgidmap and newuidmap. Related to gh/openSUSE/post-build-checks#66
- shadow-util-linux.patch: util-linux-2.42 introduced new variable: LOGIN_SHELL_FALLBACK. Recognize it and update dependencies. The patch includes gh/shadow-maint/shadow/pull#1621.
- shadow-login_defs-check.sh: Adjust for new quilt.

==== sord ====
Version update (0.16.20 -> 0.16.22)

- update to 0.16.22:
  * Add clang nullability annotations
  * Address new warnings in clang and clang-tidy 21
  * Make more API functions tolerate NULL

==== sqlite3 ====
Version update (3.53.0 -> 3.53.1)

- Update to version 3.53.1:
  * Fixes for problems in 3.53.0 reported by users.
  * See the check-in timeline for details: https://sqlite.org/src/timeline?from=version-3.53.0&to=version-3.53.1

==== sratom ====
Version update (0.6.20 -> 0.6.22)

- update to 0.6.22:
  * Add clang nullability annotations
  * Address new warnings in clang and clang-tidy 21
  * Fix documentation build without sphinx_lv2_theme
  * Gracefully handle reading vectors with missing childType properties
  * Gracefully handle writing vectors with zero childSize properties
  * Improve error handling

==== sssd ====
Subpackages: libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap

- Add support for UsrEtc; (bsc#1257643); Add patch 0016-UsrEtc.patch
- The default configuration file is installed now in /usr/etc/sssd/sssd.conf. It can be completely overridden by manually creating the system specific config file /etc/sssd/sssd.conf, or partially overridden by creating config snippets in /etc/sssd/conf.d/ directory. Check sssd.conf manpage for more details.
- Use %pre scriptlet instead of %pretrans to migrate from sssd-common [bsc#1257509].
- The AD backend now uses realmd to update the machine account password. The realmd package is recommended when installing the ad backend.

==== tar ====

- remove the userspace fallback implementation for openat2
- Fix bsc#1246399 / CVE-2025-45582.
- Add patch:
  * CVE-2025-45582.patch
- Refresh patch:
  * tar-fix-extract-unlink.patch

==== update-alternatives ====
Version update (1.22.21 -> 1.22.22)

- Fix 'dpkg' package for immutable mode (jsc#PED-14790).
- Add dpkg.tmpfiles.
- Update to 1.22.22 (minor bump from 1.22.21).
- Changelog:
  * dpkg-query: Fix segfault with empty -S argument.
  * Perl modules:
    - Dpkg::OpenPGP: Do not run verify with no keyrings.
    - Dpkg::Shlibs::Objdump::Object: Add support for "Version References" symbols.
    - Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import.
  * Code internals:
    - libdpkg: Terminate zstd decompression when we have no more data. Fixes CVE-2026-2219.
- Remove patch file:
  * CVE-2026-2219.patch
  * oldperl.patch
    This patch has been removed as Leap 15.X has reached end-of-life.