Packages changed: AppStream Mesa (26.1.1 -> 26.1.2) Mesa-drivers (26.1.1 -> 26.1.2) MicroOS-release (20260602 -> 20260605) aaa_base (84.87+git20260529.c4391e5 -> 84.87+git20260602.e901e17e) alsa (1.2.15.3 -> 1.2.16) curl dracut (110+suse.31.ga81148a -> 110+suse.32.g36b00ba7) file fontconfig (2.17.1 -> 2.18.0) grub2 harfbuzz (14.2.0 -> 14.2.1) hwdata (0.407 -> 0.408) hwinfo (25.3 -> 25.4) kernel-source (7.0.10 -> 7.0.11) libavif (1.4.1 -> 1.4.2) libbluray (1.4.0 -> 1.4.1) libdnf (0.74.0 -> 0.75.0) libheif (1.22.2 -> 1.23.0) libinput (1.31.2 -> 1.31.3) librsvg (2.62.2 -> 2.62.3) libselinux live555 (2026.05.28 -> 2026.06.01) ncurses (6.6.20260516 -> 6.6.20260530) polkit-default-privs (1550+20260528.62493d2 -> 1550+20260603.7a43683) python-semanage qalculate (5.10.0 -> 5.11.0) samba (4.23.8+git.477.f78166bceed -> 4.24.3+git.475.629de6765b9) sssd tpm2.0-tools === Details === ==== AppStream ==== Subpackages: libAppStreamQt3 libappstream5 - Add upstream change: * 0001-Explicitly-add-fcfreetype.h-include-to-asc-font.c.patch ==== Mesa ==== Version update (26.1.1 -> 26.1.2) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.2 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.2 ==== Mesa-drivers ==== Version update (26.1.1 -> 26.1.2) Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.2 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.2 ==== MicroOS-release ==== Version update (20260602 -> 20260605) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== aaa_base ==== Version update (84.87+git20260529.c4391e5 -> 84.87+git20260602.e901e17e) - Update to version 84.87+git20260602.e901e17e: * Fix a typo + follow symlinks in alljava ==== alsa ==== Version update (1.2.15.3 -> 1.2.16) - Update to alsa-lib 1.2.16: fixes for PCM, control remap, topology, UCM extensions, etc For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.15.3_v1.2.16#alsa-lib ==== curl ==== Subpackages: libcurl4 - Backport fix for issue gh#curl/curl#21547 and gh#Nheko-Reborn/nheko#2054 which caused applications to busy loop with 100% CPU usage * Add libcurl-fix-wakeup-consumption.patch ==== dracut ==== Version update (110+suse.31.ga81148a -> 110+suse.32.g36b00ba7) Subpackages: dracut-ima - Update to version 110+suse.32.g36b00ba7: * fix(systemd-*): add new dlopen dependencies to modules lists ==== file ==== Subpackages: file-magic libmagic1 - Add patch file-5.47-stanza.patch (boo#1261558 partly) * Avoid many false positive on windows file test ==== fontconfig ==== Version update (2.17.1 -> 2.18.0) Subpackages: libfontconfig1 - Update to 2.18.0 * test: Fix a build issue with musl libc * fc-lang: Add suz.orth for Sunuwar * test: add common helper class * test: port basic functionality check to Python * test: update to pass test cases on Win32 * do not mix up a slash and a backslash in file object on Win32 * meson: Add a missing fontconfig architecture test case * Add fontconfig version in FcCache * Improve a warning message * Better error message when missing default config * ci: install before test to avoid fontconfig error * Fix regex to pick up libtool version * Improve performance in FcConfigAdd * Improve log header in FcConfigSubstituteWithPat * meson: Update WrapDB files for v2 format migration * ci: add an option for the address sanitizer * Fix "UBSAN null pointer passed" to qsort * ci: Enable ASAN and UBSAN * Add genericfamily object in FcPattern * Add xsi:nil attribute support to limited elements * Get out from FcConfigAdd immediately if no valid pointer given * Bump the cache version again * fc-case: Update CaseFolding.txt to Unicode 17 * Add obvious namespace to macros for FC_SPACING * Improve handling of constant name * test: fix pytest error when running on the top project directory * meson: Update wrapdb for expat to the latest * Use FcStrCopy instead of strdup * Fix -Wpointer-sign warnings * Do not store duplicate object name into FcObjectSet * Fix unused variable warning when iconv support disabled * doc: Fix a typo in FcPatternAdd description * Add fc-genconf the configuration generator tool * test-conf: Correct test results to display at the proper place * Fix unexpected priority change when looking up by specific family name * Return error code if FcPatternFormat failed * Add const converter for pattern format * fc-genconf: Add scan pattern to update genericfamily with commandline option * Fix dereferencing a null pointer of FcConfig in FcFontSetSort * conf.d: Fix a typo in 65-khmer.conf * Update doc for xsi:nil attribute support * test: add more conditional for bwrap sandbox test cases * meson: add tests-bwrap option * Avoid locale-dependent float-to-string * test-conf: add wrapper setenv for Win32 * Fix invalid memory access on Win32 * More fixes for locale-dependent float-to-string conversion * Replace strtod() with FcStrtod() * Explicitly declare FcPatternObjectCount as a public function * Update meson dependency to 1.11.0 - modified patches * skip-network-test.patch (refreshed) ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-common grub2-snapper-plugin - Fix build with GCC 16 * gcc16.patch * 0001-add-support-for-UEFI-network-protocols.patch ==== harfbuzz ==== Version update (14.2.0 -> 14.2.1) Subpackages: libharfbuzz-gobject0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0 - Update to version 14.2.1: + Various AAT shaping fixes: legacy mort contextual offsets (which could produce out-of-font glyph IDs), in-place deleted-glyph replacements, and overflow in obsolete offset math. + Fix Arabic PUA fallback shaping for the isolated lam-alef-maksura ligature. + Fix float-to-int overflow in avar2 mapping with malformed fonts. + Harden buffer verification after detecting non-monotone clusters. + Various COLR v1 fixes: fix handling of .notdef without paint, round alpha consistently, and report the root clip under the font transform. + Various Glyph-extents fixes: inclusive rounding, and floating-point scaling before rounding so the reported box always covers the glyph. + Various Subsetting fixes: keep the palt spacing feature by default, raise the repacker MAX_SPACES limit, fix a repacker crash on shared LigatureSet nodes, guard gvar size overflow on 32-bit, and fix the post glyph-name sort comparator on macOS. + Replace std::sort with an internal quicksort, removing leaked std:: symbols from the libharfbuzz ABI. + Harden size computations with saturating arithmetic against 32-bit overflow. + Various improvements to the experimental Rust shaper (HarfRust) and font functions (fontations): honor custom font funcs, key shape plans on features, faster buffer handling, and update to HarfRust 0.8. + Various fixes to the experimental harfbuzz-gpu and harfbuzz-vector libraries, including a harfbuzz-vector heap buffer overflow and Windows build fixes. + Map the Hrkt (Katakana or Hiragana) script tag to the kana OpenType tag. + Build configuration: new HB_CONFIG_OVERRIDE_LAST_H override header, decouple HB_NO_DRAW from HB_NO_CFF, and an optional hb-allocator Cargo feature. + Various build, CI, and fuzzing fixes. ==== hwdata ==== Version update (0.407 -> 0.408) - Update to version 0.408: * Update pci and vendor ids ==== hwinfo ==== Version update (25.3 -> 25.4) Subpackages: libhd25 - merge gh#openSUSE/hwinfo#181 - fix redundant conditions in smbios memory device map - 25.4 - merge gh#openSUSE/hwinfo#182 - fix memory leaks (bsc#1267348) - merge gh#openSUSE/hwinfo#180 - fix(core): free modinfo_ext instead of modinfo in hd_free_hd_data - merge gh#openSUSE/hwinfo#179 - Fix: fix sizeof in joystick allocation to use struct size instead of pointer size (bsc#1267348) ==== kernel-source ==== Version update (7.0.10 -> 7.0.11) Subpackages: kernel-64kb kernel-default - Update patches.kernel.org/7.0.10-0148-bpf-fix-end-of-list-detection-in-cgroup_stora.patch (bsc#1012628 CVE-2026-45838 bsc#1266396). - Update patches.kernel.org/7.0.10-0155-bpf-reject-negative-CO-RE-accessor-indices-in.patch (bsc#1012628 CVE-2026-45839 bsc#1266399). - Update patches.kernel.org/7.0.10-0802-openvswitch-cap-upcall-PID-array-size-and-pre.patch (bsc#1012628 CVE-2026-45840 bsc#1266397). - Update patches.kernel.org/7.0.10-0805-netfilter-nfnetlink_osf-fix-divide-by-zero-in.patch (bsc#1012628 CVE-2026-45841 bsc#1266390). - Update patches.kernel.org/7.0.10-0812-slip-reject-VJ-receive-packets-on-instances-w.patch (bsc#1012628 CVE-2026-45842 bsc#1266400). - Update patches.kernel.org/7.0.10-0813-slip-bound-decode-reads-against-the-compresse.patch (bsc#1012628 CVE-2026-45843 bsc#1266395). - Update patches.kernel.org/7.0.10-0860-eventpoll-fix-ep_remove-struct-eventpoll-stru.patch (bsc#1012628 CVE-2026-46242). - Update patches.kernel.org/7.0.10-0888-netfilter-arp_tables-fix-IEEE1394-ARP-payload.patch (bsc#1012628 CVE-2026-45844 bsc#1266392). - Update patches.kernel.org/7.0.10-0939-net-sched-taprio-fix-NULL-pointer-dereference.patch (bsc#1012628 CVE-2026-45845 bsc#1266393). - Update patches.kernel.org/7.0.10-0981-bareudp-fix-NULL-pointer-dereference-in-bareu.patch (bsc#1012628 CVE-2026-45846 bsc#1266394). - Update patches.kernel.org/7.0.10-1139-net-rds-reset-op_nents-when-zerocopy-page-pin.patch (bsc#1012628 CVE-2026-43494 bsc#1265626). - Update patches.kernel.org/7.0.10-1142-net-skbuff-preserve-shared-frag-marker-during.patch (bsc#1012628 CVE-2026-46300 bsc#1265209). - Update patches.kernel.org/7.0.10-1143-net-skbuff-propagate-shared-frag-marker-throu.patch (bsc#1012628 CVE-2026-43503 bsc#1266229). - Update patches.kernel.org/7.0.11-004-smb-client-reject-userspace-cifs.spnego-descri.patch (bsc#1012628 CVE-2026-46243). - Update patches.kernel.org/7.0.4-001-ALSA-usb-audio-stop-parsing-UAC2-rates-at-MAX_N.patch (bsc#1012628 CVE-2026-46018 bsc#1266751). - Update patches.kernel.org/7.0.4-008-LoongArch-Add-spectre-boundry-for-syscall-dispa.patch (bsc#1012628 CVE-2026-45993). - Update patches.kernel.org/7.0.4-009-drm-nouveau-fix-u32-overflow-in-pushbuf-reloc-b.patch (bsc#1012628 CVE-2026-46006). - Update patches.kernel.org/7.0.4-012-greybus-gb-beagleplay-fix-sleep-in-atomic-conte.patch (bsc#1012628 CVE-2026-46041). - Update patches.kernel.org/7.0.4-013-misc-ibmasm-fix-OOB-MMIO-read-in-ibmasm_handle_.patch (bsc#1012628 CVE-2026-46022). - Update patches.kernel.org/7.0.4-014-ibmasm-fix-OOB-reads-in-command_file_write-due-.patch (bsc#1012628 CVE-2026-45994). - Update patches.kernel.org/7.0.4-015-ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_me.patch (bsc#1012628 CVE-2026-46064). - Update patches.kernel.org/7.0.4-022-fs-afs-revert-mmap_prepare-change.patch (bsc#1012628 CVE-2026-46100). - Update patches.kernel.org/7.0.4-029-mm-fix-deferred-split-queue-races-during-migrat.patch (bsc#1012628 CVE-2026-46017 bsc#1267241). - Update patches.kernel.org/7.0.4-030-ocfs2-split-transactions-in-dio-completion-to-a.patch (bsc#1012628 CVE-2026-46080). - Update patches.kernel.org/7.0.4-031-Input-edt-ft5x06-fix-use-after-free-in-debugfs-.patch (bsc#1012628 CVE-2026-46097). - Update patches.kernel.org/7.0.4-032-zram-do-not-forget-to-endio-for-partial-discard.patch (bsc#1012628 CVE-2026-46089). - Update patches.kernel.org/7.0.4-033-wifi-rtw88-check-for-PCI-upstream-bridge-existe.patch (bsc#1012628 CVE-2026-46092). - Update patches.kernel.org/7.0.4-034-wifi-mwifiex-fix-use-after-free-in-mwifiex_adap.patch (bsc#1012628 CVE-2026-46069). - Update patches.kernel.org/7.0.4-038-vfio-cdx-Serialize-VFIO_DEVICE_SET_IRQS-with-a-.patch (bsc#1012628 CVE-2026-46036). - Update patches.kernel.org/7.0.4-039-vfio-cdx-Fix-NULL-pointer-dereference-in-interr.patch (bsc#1012628 CVE-2026-46034 bsc#1266757). - Update patches.kernel.org/7.0.4-041-thermal-core-Fix-thermal-zone-governor-cleanup-.patch (bsc#1012628 CVE-2026-46021 bsc#1267220). - Update patches.kernel.org/7.0.4-042-spi-imx-fix-use-after-free-on-unbind.patch (bsc#1012628 CVE-2026-45996). - Update patches.kernel.org/7.0.4-043-spi-ch341-fix-memory-leaks-on-probe-failures.patch (bsc#1012628 CVE-2026-46074). ... changelog too long, skipping 1593 lines ... - commit fc624df ==== libavif ==== Version update (1.4.1 -> 1.4.2) - update to 1.4.2: * Added since 1.4.1 - Add --jobs flag to avifgainmaputil to use multiple worker threads when reading/writing AVIF files. * Changed since 1.4.1 - Require C11 for compilation. Public headers will remain C99. - Add --jobs flag to avifgainmaputil and enable auto tiling. - Use AOM_TUNE_IQ for layered image inter-frame encoding. - Update aom.cmd/LocalAom.cmake: v3.14.1 - Update LocalAvm.cmake: research-v15.0.0 - Update libjpeg.cmd/LocalJpeg.cmake: 3.1.4.1 - Update libxml2.cmd/LocalLibXml2.cmake: v2.15.3 - Update libyuv.cmd/LocalLibyuv.cmake: 644251f25 (1924) - Update svt.cmd/svt.sh/LocalSvt.cmake: v4.1.0 - Update zlibpng.cmd/LocalZlibpng.cmake: libpng 1.6.58 - Fix memory leak of altICC if avifDecoderFindGainMapItem returns early. - Avoid MT loop restoration crash in libaom < 3.13.3 - Fix decoding layered image with multiple scaled alpha layers - Fix NaN bypass of AVIF_CLAMP in gain map tone mapping (use fminf/fmaxf) - Fix null pointer dereference in avifImageCopy() when avifImageCreateEmpty() fails to allocate the destination gain map image. - avifenc: reject mismatched --depth for Y4M input - Use libaom AOMD_SET_FRAME_SIZE_LIMIT if available - Fix bug in transfer function 11 (used for gain map creation/tone mapping) ==== libbluray ==== Version update (1.4.0 -> 1.4.1) - version update to 1.4.1 * Fix linking on Windows with Freetype enabled * Improve compilation with MSVC * Cleaning and improvements in Meson build files * Fix build with Java 23 for BD-J * Add SSIF files support to bd_open_file_dec() * Add player setting for UO restriction level * Add all UOs to BD_EVENT_UO_MASK_CHANGED * Improve resilence against invalid input * Fix memory leak in UHD playlists * BD-J: Implement TVTimer, TVTimerSpec * BD-J: Improve Java 1.4 compatibility * BD-J: Fix MediaPresentedEvent event emission on start * BD-J: Fix filesystem hooking in Java 25 * BD-J: Fix locators from org.bluray.ti.[PlayItemImpl,TitleComponentImpl] * BD-J: Multiple compability and performance improvements - deleted patches * libbluray-java25.patch (upstreamed) ==== libdnf ==== Version update (0.74.0 -> 0.75.0) - version update to 0.75.0 * context: Support libdnf5 drop-in directories and repository overrides. This * allows applications using the context part of libdnf (e.g. microdnf, PackageKit) to take into account the main configuration from drop-in * directories and repository overrides, similar to how libdnf5 does. These directories are also monitored for changes (except when using non-root installroot path.) This feature can be disabled at build time (ENABLE_DNF5_CONF_DROP_IN, ENABLE_DNF5_CONF_REPOS_OVERRIDE CMake options). * context: dnf_context_set_install_root() now sets installroot also to global mainConf configuration. * IniParser: Support glob range definition in section names * history database: Add "persistence" column (possible values are UNKNOWN, PERSIST, or TRANSIENT). * conf: Add usr_drift_protected_paths configuration option which can be configured by adding .conf files to the drop-in directory /etc/dnf/usr-drift-protected-paths.d, similar to /etc/dnf/protected.d. * Distributions will be able to add paths that are known to cause problems when their contents drift with respect to /usr, e.g. /etc/pam.d. * context: Save repository configuration with dnf_repo_commit() to override file. Previously, repository configuration changes were written directly to the original configuration file. Now they are written to the overwrite file "99-config_manager.repo" for compatibility with the dnf5 config-manager. * config: Convert "protected_packages" to an append option * Don't prepend installroot to varsdir in libdnf::dnf_context_load_vars() * Fix file name comparison in filesystem::createSortedFileList() * Stop importing subkeys to RPM >= 5.99.90 because RPM 6 handles subkeys automatically. * Fix typos in messages in package problems dictionary * build: Fix searching libdnf header files when generating bindings with Swig * build: Don't probe for libcheck dependency if no tests are going to be built * spec: Consistently use CMake RPM macros * tests: Replace deprecated "check" macros * tests: Verify "fopen" return value otherwise we could crash * New functions filesystem::pathJoin(), filesystem::createSortedFileList(), filesystem::getRealpath(), filesystem::isSubdirectory(). * Add libdnf::MergedTransaction::listPersistences() method. * Always use result config.optBinds() by reference, not copy * Remove unused functions with a bug * config: Support optionTListAppend for options lacking fromString - modified patches * libdnf-0.55.0-Switch-allow_vendor_change-off.patch (refreshed) * libdnf-0.72.0-with-static-libsolvext.patch (refreshed) ==== libheif ==== Version update (1.22.2 -> 1.23.0) - version update to 1.23.0: * add API functions to read and write metadata: ambient viewing environment nominal diffuse white luminance * adds a output_image_nclx_profile_passthrough option to heif_decoding_options * CVE TBD (GHSA-jvmp-j3cw-84mh) - unbounded heap allocation in HEIF sequence parser (stsz fixed-size mode missing bound check) ==== libinput ==== Version update (1.31.2 -> 1.31.3) - Update to release 1.31.3 * libinput-device-group now sanitizes the PHYS value which prevents local privilege escalation through udev property injection. * `libinput record`: the --autorestart interval handling was broken for intervals 5s and higher * `libinput recor`: added a convenience fix for running with - -autorestart. * Eraser buttons can now be mapped to any button (previously only BTN_STYLUS, BTN_STYULUS2 and BTN_STYLUS3 were permitted). ==== librsvg ==== Version update (2.62.2 -> 2.62.3) - Update to version 2.62.3: + librsvg crate version 2.62.3 + librsvg-rebind crate version 0.3.0 + Remove loading limits from image-rs. This means that raster images, when embedded in SVG documents, have no limits for their size or memory consumption. The idea, for now, is that security-sensitive applications that use librsvg should do their own sandboxing if they want to impose memory limits. + Fix the logic for whether gdk-pixbuf-query-loaders should be run during cross-compilation. Native builds can of course use it; cross builds can use it if they can run host binaries *and* an executable wrapper has been set *and* the target sysroot contains the corresponding gdk-pixbuf-query-loaders executable ==== libselinux ==== Subpackages: libselinux1 selinux-tools - Add patch for restorecon to log error on readonly fs (bsc#1232226) - Patch: restorecon-Only-log-error-on-readonly-fs-bsc-1232226.patch - Can be dropped with the next toolchain release: https://github.com/SELinuxProject/selinux/commit/fd411d50ba1cb3e8ad5f8ce4e3c9bc7fcbe4340c ==== live555 ==== Version update (2026.05.28 -> 2026.06.01) Subpackages: libBasicUsageEnvironment2 libUsageEnvironment3 libgroupsock33 - Update to version 2026.06.01: + Updated the "RTSPServer" implementation of the "SETUP" command to make it more robust if subclassed code reimplements "lookupServerMediaSession()" as an asynchronous operation. - update to 2026.05.30: * Updated the "RTSPServer" implementation some more to make it more robust if subclassed code reimplements "lookpServerMediaSession()" as an asynchronous operation. * Added an (integer) index to identify each server's 'client connection', and changed the "fClientConnections" table to be indexed by this id. * In the "RTSPServer" implementation, removed the "fOurClientConnection" member variable. This had been left over from when the RTSP "SETUP" command had been implemented as a single, synchronous function. Now that "SETUP" is implemented using multiple functions, possibly asynchronously (depending upon how "lookpServerMediaSession()" is implemented), this member variable was potentially dangerous if more than one "SETUP" is performed concurrently on the same client connection, or on separate client connections. ==== ncurses ==== Version update (6.6.20260516 -> 6.6.20260530) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20260530 + minor renaming, formatting to align with Juergen Pfeifer's fork. + add configure script check for --enable-ext-mouse2, to support ABI 7. + improve special case in tic for %{code} to allow any non-zero byte as the result %'char' - Add ncurses patch 20260523 + modify _nc_wacs[] to make it per-screen (from Juergen Pfeifer's fork) + eliminate a special case in tic when translating %{code} to %'char', since %{92} mapping to %'\' works with tparm and infocmp. ==== polkit-default-privs ==== Version update (1550+20260528.62493d2 -> 1550+20260603.7a43683) - Update to version 1550+20260603.7a43683: * profiles: added new systemd actions (bsc#1266944) - Update to version 1550+20260602.64ede59: * profiles: fwupd new actions in 2.1.4 (bsc#1267014) ==== python-semanage ==== - Depend on libso before make pywrap is executed to avoid race conditions (bsc#1266385) - Add patch: 1266385-libsemanage-Require-LIBSO-before-SWIGSO-and-SWIGRUBY.patch - Add CFLAGS to %make_install call for consistency with %make_build ==== qalculate ==== Version update (5.10.0 -> 5.11.0) - Update to version 5.11 * Add set functions (union, intersect, setdiff, setxor, isMember, isSubset) and operators (∪, ∩, ∖, ⊖, ∈, ⊆, etc.) * Add characters(), count(), digitSum(), and digitalRoot(), find(), popCount(), string(), and while() functions * Support negative row and column values in element(), row(), and column() functions * Support matrix[row][column] syntax * Support text objects in sort() function * Add third optional argument to interval() function to allow exclusion of exact endpoints * Ignore "to" and "where" (and equivalent symbols) inside quotation marks * Ignore dot in front of plus or minus (for consistent behavior in line with entrywise operators) * Show "Division by zero" warning for all divisions by zero * Make display of expressions with time units in time format more consistent * Fix support for vector in argument of many functions (erf, mod, exp, etc.) * Fix explicit conversion to mixed units for year variants * Fix first digit missing in return value of integerDigits() in some cases * Fix segfault when Calculator object is destroyed with uninitialized random state * Fix infinite loop when referencing subfunction in another subfunction * Fix segfault in replace() with variable specified using where expression, e.g. "replace(v, x, 1) where v = x" * Fix segfault when data set function name is followed immediately by a single dot * Fix v[i]=a syntax for vector element assignment * Do not bind escape key (fixes bad behavior with keys that generate escape sequences, e.g function keys) (CLI) * Fix use of x, y, z, without backslash, for arguments when using function command (CLI) * Fix parse status and calculate-as-you-type when "where" expression defines a new symbol (Gtk, Qt) * Convert degree Celsius to Fahrenheit and vice versa in Gnome search provider (Gtk) * Fix compilation on macOS (Gtk) * Minor bug fixes and feature enhancements ==== samba ==== Version update (4.23.8+git.477.f78166bceed -> 4.24.3+git.475.629de6765b9) Subpackages: libldb2 samba-ad-dc-libs samba-client samba-client-libs samba-libs - Update to 4.24.3 * CVE-2026-4480: Fix Unauthenticated Remote Code Execution; (bso#16033); (bsc#1261161). * CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034); (bsc#1261163). * CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC nbt server; (bso#16012); (bsc#1261160). * CVE-2026-3012: Fix CVE-2026-3012 group policy certificate enrollment using http:// without validation;(bso#16003); (bsc#1261159). * CVE-2026-1933: Fix missing access check on reparse point operations; (bso#15992); (bsc#1261188). * CVE-2026-2340: vfs_worm does not block directory modification; (bso#15997); (bsc#1261158). * CVE-2026-40170: thirdparty ngtcp2 needs to be updated; (bso#16059). - Update to 4.24.2 * Samba 4.24 with cups can't get queue and shows errors about fetch_share_cache_time; (bso#16038). * Fix a directory file descriptor leak in vfs_glusterfs that caused unbounded memory growth on the GlusterFS brick with persistent SMB2 connections; (bso#16043). * Windows Offline Files fails with permission error when directory has the read‑only attribute set; (bso#16030). * samba not triggering mount of zfs snapshot in dataset .zfs/snapshots/ directory; (bso#15991). * net ads join still fails with multiple DCs; (bso#15999). * samba-tool shows wrong format specifiers for timestamp attributes; (bso#16076). * restrict anonymous = 2 breaks RODC functionality; (bso#14638). * smbpasswd can crash winbindd on an AD DC; (bso#15973). * smbd does not cleanup on disconnect of the transport connection on lease break errors; (bso#15995). * CVE-2026-40170: thirdparty ngtcp2 needs to be updated; (bso#16059); (bsc#1262273); (bsc#1262337). * Require NTLMv2 session security on Windows makes trusts to Samba unusable; (bso#16067). * Winbind can change Ownership Of / To A User Who has Homedir / In passwd; (bso#16073). * Winbind lsa_OpenPolicy() fails on lsa connection setup with: NT_STATUS_RPC_CANNOT_SUPPORT; (bso#15987). * CTDB read-only record handling contains use after free and resource leak bugs; (bso#16068). - Update to 4.24.1 * autobuild fails if /proc/version contains trailing space; (bso#16057). * use after free in streams_xattr_connect(); (bso#16035). * rpc workers with long living clients grow server memory keytab; (bso#16042); (bsc#1257200). * vfs_snapper failing to access or enumerate files in subfolders; (bso#16058); (bsc#1259667). * Samba is not build with FORTIFY_SOURCE; (bso#16040). * Fix tests with MIT Kerberos 1.22.x; (bso#16055). - Update to 4.24.0 * incorrect behavior on rpcclient enumport with rpcd_spoolss; (bso#16019). * altSecurityIdentities X509 issuer DN order is reversed; (bso#16001). * vfs_aio_ratelimit: introduce burst-aware and persistent state model; (bso#16000). * No function _python_sysroot defined; (bso#15990). * leases torture test flappy; (bso#15978). * smbd: in contend_dirleases() don't bother checking when not enabled; (bso#15984). * 'net ads kerberos kinit' should use also default ccache name from krb5.conf; (bso#15993). * "use-kerberos=desired" broken; (bso#15789). * source3/libads/kerberos.c sets wrong failure for negative connection cache; (bso#15975); (bso#1255755). * CTDB's statd_callout fails on sm-notify; (bso#15938). * CTDB statd_callout_notify notifies unnecessary clients and loses their state; (bso#15939). * Backport domain default AES encryption types to 4.24; (bso#15998). * possible memory leak on rpc_spoolss; (bso#15979); (bsc#1257200). * Winbind group resolution failure; (bso#15972). * ctdbd socket documentation is wrong; (bso#15977). * time_t related build failure on 32bit arch in 4.24.0rc1; (bso#15976). ==== sssd ==== Subpackages: libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - The logrotate fragment had a wrong systemd service name in it, which was rectified. ==== tpm2.0-tools ==== - Remove dependency to the abrmd broker service