Packages changed: ImageMagick (7.1.2.25 -> 7.1.2.27) MozillaFirefox (152.0.3 -> 152.0.4) apparmor cifs-utils curl (8.20.0 -> 8.21.0) dracut (110+suse.35.g9834432 -> 110+suse.41.g38f7c003) fdk-aac-free (2.0.0 -> 2.0.3) git (2.54.0 -> 2.55.0) gnome-music gpg2 (2.5.20 -> 2.5.21) gpgme (2.1.1 -> 2.1.2) kernel-source (7.1.2 -> 7.1.3) leancrypto (1.7.2 -> 1.8.0) libXfont2 libapparmor libisofs (1.5.8.pl01 -> 1.5.8.pl02) libreoffice (26.2.4.2 -> 26.2.5.1) libstorage-ng (4.5.339 -> 4.5.341) libva (2.23.0 -> 2.24.0) libva-gl (2.23.0 -> 2.24.0) llvm22 (22.1.7 -> 22.1.8) nvidia-open-driver-G07-signed (595.84_k7.1.2_1 -> 595.84_k7.1.3_1) nvidia-open-driver-G07-signed-cuda (610.43.02_k7.1.2_1 -> 610.43.02_k7.1.3_1) nvme-cli (2.16 -> 3.0~b.3) openSUSE-build-key openSUSE-release (20260707 -> 20260709) openexr (3.4.12 -> 3.4.13) python-gevent (26.4.0 -> 26.5.0) python-pexpect python-ply python-tornado6 rdma-core (62.0 -> 63.0) tiff (4.7.1 -> 4.7.2) uriparser xorg-x11-server xwayland (24.1.11 -> 24.1.12) === Details === ==== ImageMagick ==== Version update (7.1.2.25 -> 7.1.2.27) Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - version update to 7.1.2.27 * Fix HEIC identity CICP with chroma subsampling #8828 * build(deps): bump actions/attest from 4.1.0 to 4.1.1 #8835 * build(deps): bump ubuntu from 53958ec to b7f4819 in /.devcontainer #8834 * build(deps): bump actions/setup-python from 6.2.0 to 6.3.0 #8830 * check profile length before reading header in GetIPTCStream #8829 * Read Cairo ARGB32 in host byte order so SVG colors are correct on big-endian #8825 * Preserve HEIC CICP and CLLI metadata #8824 * reject otb files that declare more pixels than the file holds #8826 * build(deps): bump msys2/setup-msys2 from 2.31.1 to 2.32.0 #8807 * build(deps): bump actions/checkout from 6.0.3 to 7.0.0 #8818 * Fix #8819 revert soname change #8820 * build(deps): bump ubuntu from f3d2860 to 53958ec in /.devcontainer #8814 * Fix #8819 revert soname change (#8820) #8819 * beta release 2c6ba18 * ImageMagick/ImageMagick#8813 71bf0b0 * eliminate compiler warning dc92169 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-422r-8c97-xcg4 be99ffa * eliminate compiler warning 82364cf * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-93x9-jq8c-cwcc 4a3585b * ImageMagick/ImageMagick#8815 5e1a141 * ImageMagick/ImageMagick#8816 532b0f5 * Revert unnecessary patch for GHSA-93x9-jq8c-cwcc e70837c * Removed unnecessary check. 9a5c8ff * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-422r-8c97-xcg4 0bbf7e4 * remove quantization 4041062 * ImageMagick/ImageMagick#8815 9616e88 * correct allow coder logic 634f3a9 * Use AcquireQuantumMemory instead because it already does the necessary checks. 4e96b11 * support coder strict streaming attribute 727ddc9 * change coder flag name 9f7e3cb * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xv2g-79vc-75qf 80b268c * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g568-j2hh-jr58 f8a02fa * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g568-j2hh-jr58 38b6468 * ImageMagick/ImageMagick#8821 bc16247 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cvxf-g9w2-7mcx 1b63224 * latest autoconf/automake updates 1f7213d * Also create an xz version of the source archive. dc0965d * ImageMagick/ImageMagick#8823 64d2e4a * Added job to update the website after a release. 58d6364 * Added a method that can be used to determine the endian of the host. 952c221 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cvxf-g9w2-7mcx fdbe649 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h22j-f9xw-xjjm 538ad18 * Moved initialization. 42128f2 * Removed redundant checks. e587240 * Cosmetic. 42e20ab * Added earlier exit when image type is invalid. 03a0a68 * Removed all the #if 0 blocks that have been there for ages. f379865 * Added method that can be used to check if incrementing a value would result in an overflow. b2740b9 * overflow check 325fce5 * revert ff4df37 * move add check to private header b3b8d20 * check for possible add overflow c2e84d8 * Improve cache I/O robustness and fix race conditions 92b961a * check for overflow 0ca86fc * Make sure we check the length after each read (GHSA-7rgw-xg25-prjm) 093f476 * Specify the current ref as an argument for the clone in the Windows source job. d0eb51a * Disable job in pull request. c3fef03 * Updated the dependencies. 4a68839 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cvhv-g4rq-3hmw e3e6911 * Updated the dependencies. c74cd62 * policies are case sensitive 0b3fa25 * check for EOF 9a38ee0 * accumulates absolute error per channel (not counts) 5848f4a * Cosmetic 7cee9fe * Require at least version 1.11.0 of the libheif library. c893eb2 * latest autoconf update 9993f71 * don't normalize the AE metric 324ee77 * average composite channel ed56d9e * sanity check 374578b * delay image extent check 81eab95 * check for insufficient image data 225ea95 * check for insufficient image data 62c229b * check for insufficient image data 2d28006 * eliminate compiler warning e4c2b40 * release b661ac9 - version update to 7.1.2-26 * check rows*columns overflow in sct ReadSCTImage #8812 * bound 8bim resolution resource read in GetProfilesFromResourceBlock #8798 * OSS-Fuzz: Fix build errors #8808 * heic: add primary still image to animated AVIF for Firefox compatibility #8804 * chore: remove legacy vsprintf fallback in drawing-wand.c #8796 * Detect Ultra HDR JPEGs from gain-map metadata #8794 * build(deps): bump github/codeql-action from 4.36.1 to 4.36.2 #8795 * Preserve Ultra HDR JPEG gain maps when transcoding #8788 * build(deps): bump actions/checkout from 6.0.2 to 6.0.3 #8790 * build(deps): bump github/codeql-action from 4.36.0 to 4.36.1 #8789 * reject cineon files with an invalid bits per pixel #8781 * beta release 8ee9390 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-c8r2-mc3p-4f8j fe20c95 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6vxp-gfwf-hcr9 f3ff3af * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7c7m-fpjw-gwcq 174275b * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j8rh-v2r8-v94x b535126 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hwf3-r46v-5ggx 4079949 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hv63-qgj6-7gh7 d0d8ae7 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3564-h588-56gr f80b878 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-99w9-hv66-rfv7 0bb3578 * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jfq9-q63x-rc63 f34065e * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h7f2-f9cc-h2gv 808506d ... changelog too long, skipping 96 lines ... CVE-2026-55595 [bsc#1270079] ==== MozillaFirefox ==== Version update (152.0.3 -> 152.0.4) Subpackages: MozillaFirefox-branding-upstream - Mozilla Firefox 152.0.4 MFSA 2026-62 (boo#1270286) * CVE-2026-14241 (bmo#2043241, bmo#2045514, bmo#2045576, bmo#2045623, bmo#2045765, bmo#2046814, bmo#2049409, bmo#2049840) Memory safety bugs fixed in Firefox 152.0.4 * Smart Window includes several enhancements: You can now ask it to close your tabs, with a confirmation step when needed and the option to undo afterward (bmo#2040769) Browsing history results now appear with images (bmo#2038069) When you give feedback on a response, you can now choose from common reasons and preview exactly what will be shared before submitting (bmo#2033002) * Fixed copy, paste, undo, redo, and similar keyboard shortcuts not working inside macOS system dialogs such as the Save and Open panels. (Bug 2040851, Bug 2040844) * Fixed the Manage Cookies and Site Data dialog opening with an empty list when opened from the Settings search results. (bmo#2041077) * Fixed keyboard focus landing in the wrong place after following an in-page link, so pressing Tab continues from the link's position as expected. (bmo#2049307) ==== apparmor ==== Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-profiles apparmor-utils python3-apparmor - add curl.diff to fix curl console output ==== cifs-utils ==== Subpackages: wb-cifs-idmap-plugin - Add missing dependencies for "modern" distros (>= SLE-16). ==== curl ==== Version update (8.20.0 -> 8.21.0) Subpackages: libcurl4 - Update to 8.21.0: * Security fixes: - CVE-2026-8286: wrong STARTTLS connection reuse (bsc#1268402) - CVE-2026-8458: wrong reuse for different services (bsc#1268407) - CVE-2026-8924: traling dot domain super cookie (bsc#1268409) - CVE-2026-8925: SASL double-free (bsc#1268411) - CVE-2026-8926: password leak with netrc and user in URL (bsc#1268412) - CVE-2026-8927: env-set cross-proxy Digest auth state leak (bsc#1268413) - CVE-2026-8932: incomplete mTLS config matching in conn reuse (bsc#1268414) - CVE-2026-9079: stale proxy password leak (bsc#1268415) - CVE-2026-9080: UAF after pause in socket callback (bsc#1268416) - CVE-2026-9545: exposing HTTP/3 early data (bsc#1268417) - CVE-2026-9546: sending old referer (bsc#1268419) - CVE-2026-9547: SSH improper host validation (bsc#1268420) - CVE-2026-10536: HTTP/2 stream-dependency tree UAF (bsc#1268422) - CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (bsc#1268423) - CVE-2026-11564: Native CA trust persist (bsc#1268424) - CVE-2026-11586: WS Auto-PONG memory exhaustion (bsc#1268425) - CVE-2026-11856: cross-origin Digest auth state leak (bsc#1268426) - CVE-2026-12064: proto-default skips SSH verification (bsc#1268427) * For a complete changelog see: https://curl.se/ch/8.21.0.html - Remove patches now in upstream: curl-disabled-redirect-protocol-message.patch libcurl-fix-wakeup-consumption.patch ==== dracut ==== Version update (110+suse.35.g9834432 -> 110+suse.41.g38f7c003) - Update to version 110+suse.41.g38f7c003: * fix(devicetree-firmware): do not call inst_multiple if there are no fw files * fix(systemd-pcrextend): add missing systemd-pcr{nvdone,osseparator}.service * fix(systemd-pcrextend): add NVPCR definition files * fix(tpm2-tss): add missing systemd-tpm2-setup-early.service * feat(dracut): add module to load Qualcomm ADSP module pre-udev * feat(dracut): add module to add fw files from DT firmware-name properties (bsc#1261649) ==== fdk-aac-free ==== Version update (2.0.0 -> 2.0.3) - Update to version 2.0.3: + Minor upstream updates + Fixed one case of a failed assert in SBR encoding + Added build support for s390x - Changes from version 2.0.2: + Minor upstream updates + Lots of upstream and local fuzzing fixes + Added CMake project files + Removed the MSVC specific makefile - Changes from version 2.0.1: + Minor release with a number of crash/fuzz fixes, primarily for the decoder ==== git ==== Version update (2.54.0 -> 2.55.0) Subpackages: git-core git-email git-gui git-web gitk perl-Git - update to 2.55.0: * Hook scripts defined via the configuration system can now be configured to run in parallel. * The userdiff driver for the Scheme language has been extended to cover other Lisp dialects. * Terminal control sequences coming over the sideband while talking to a remote repository are mostly disabled by default, except for ANSI color escape sequences. * "ort" merge backend improvements. * "git checkout -m another-branch" was invented to deal with local changes to paths that are different between the current and the new branch, but it gave only one chance to resolve conflicts. The command was taught to create a stash to save the local changes. * A new builtin "git format-rev" is introduced for pretty formatting one revision expression per line or commit object names found in running text. * "git history" learned "fixup" command. * The internal URL parsing logic has been made accessible via a new subcommand "git url-parse". * Misspelt proxy URL (e.g., httt://…​) did not trigger any warning or failure, which has been corrected. We had a regression in this update that broke https:// proxies, but that has been caught and corrected. * Document the fact that .git/info/exclude is shared across worktrees linked to the same repository. * The command line parser for "git diff" learned a few options take only non-negative integers. * The graph output from commands like "git log --graph" can now be limited to a specified number of lanes, preventing overly wide output in repositories with many branches. * The fsmonitor daemon has been implemented for Linux. * "git cat-file --batch" learns an in-line command "mailmap" that lets the user toggle use of mailmap. * The "git pack-objects --path-walk" traversal has been integrated with several object filters, including blobless and sparse filters. * "git push" learned to take a "remote group" name to push to, which causes pushes to multiple places, just like "git fetch" would do. * The git-jump command (in contrib/) has been taught to automatically pick a mode (merge, diff, or ws) when invoked without arguments. * The documentation for push.default = simple has been clarified to better explain its behavior, making it clear that it pushes the current branch to a same-named branch on the remote, and detailing the upstream requirements for centralized workflows. * The documentation for "--word-diff" has been extended with a bit of implementation detail of where these different words come from. * "git config foo.bar=baz" is not likely to be a request to read the value of such a variable with = in its name; rather it is plausible that the user meant "git config set foo.bar baz". Give advice when giving an error message. * "git rev-list" (and "git log" family of commands) learned a new "--max-count-oldest" that picks oldest N commits in the range instead of the usual newest. * Various AsciiDoc markup fixes in git config documentation and related files to ensure lists and formatting are rendered correctly. ==== gnome-music ==== - Add upstream bug fix patches: + efda5de2d24f01141c5e291ae4267663a8e34831.patch: localsearchwrapper: Fix Tsparql import for type checking + acde5b9fa0955d901c61d980e48e790843b67ed0.patch: application: Add missing gi.require_version on `GstAudio` - Drop global __requires_exclude typelib\\(TSparql\\), no longer needed. ==== gpg2 ==== Version update (2.5.20 -> 2.5.21) Subpackages: dirmngr - Update to 2.5.21: * gpg, gpgsm: Use partial file on decryption, remove on failure. Disable with "--compatibility-flags=no-partial-file-guard". * gpg: Use the INT_RCP_FPR subpacket in revocation signatures. * gpg: Fix potential use-after-free in batch key generation when handling the keyserver URL option * gpgsm: Fix regression in gpgsm_verify with expired certificates. * gpgsm: Require a minimum tag length for GCM decryption. (CVE-2026-57062, boo#1269279) * scd: Limit the size of returned APDU objects from faulty cards. * scd: Fix condition to retrieve ATR * scd:openpgp: Fix regression in CHV1 retry counter byte index. * agent: Make batch import of Kyber keys work * dirmngr: Add a validation check in get_dns_cert_standard. * gpgconf: Raise an error on certain parse errors. - rebase gnupg-set_umask_before_open_outfile.patch ==== gpgme ==== Version update (2.1.1 -> 2.1.2) Subpackages: libgpgme45 - Update to 2.1.2: * fix issues affecting other platforms ==== kernel-source ==== Version update (7.1.2 -> 7.1.3) Subpackages: kernel-64kb kernel-default - Update patches.kernel.org/7.1.1-006-arm64-errata-Mitigate-TLBI-errata-on-various-Ar.patch (bsc#1012628 CVE-2026-53354 bsc#1270230). - Update patches.kernel.org/7.1.3-001-KVM-x86-Fix-shadow-paging-use-after-free-due-to.patch (bsc#1012628 CVE-2026-53359). - Update patches.kernel.org/7.1.3-028-ipv6-account-for-fraggap-on-the-paged-allocatio.patch (bsc#1012628 CVE-2026-53362). suse-add-cves - commit 1cb5006 - Linux 7.1.3 (bsc#1012628). - KVM: x86: Fix shadow paging use-after-free due to unexpected role (bsc#1012628). - batman-adv: tp_meter: keep unacked list in ascending ordered (bsc#1012628). - batman-adv: tp_meter: initialize dup_acks explicitly (bsc#1012628). - batman-adv: tp_meter: initialize dec_cwnd explicitly (bsc#1012628). - batman-adv: tp_meter: avoid window underflow (bsc#1012628). - batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd (bsc#1012628). - batman-adv: tp_meter: fix fast recovery precondition (bsc#1012628). - batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection (bsc#1012628). - batman-adv: tp_meter: add only finished tp_vars to lists (bsc#1012628). - batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE (bsc#1012628). - batman-adv: prevent ELP transmission interval underflow (bsc#1012628). - batman-adv: tp_meter: initialize last_recv_time during init (bsc#1012628). - batman-adv: gw: don't deselect gateway with active hardif (bsc#1012628). - batman-adv: ensure bcast is writable before modifying TTL (bsc#1012628). - batman-adv: fix (m|b)cast csum after decrementing TTL (bsc#1012628). - batman-adv: frag: ensure fragment is writable before modifying TTL (bsc#1012628). - batman-adv: frag: avoid underflow of TTL (bsc#1012628). - batman-adv: v: prevent OGM aggregation on disabled hardif (bsc#1012628). - batman-adv: tp_meter: restrict number of unacked list entries (bsc#1012628). - batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE (bsc#1012628). - batman-adv: tp_meter: prevent parallel modifications of last_recv (bsc#1012628). - batman-adv: tp_meter: handle overlapping packets (bsc#1012628). - batman-adv: tt: don't merge change entries with different VIDs (bsc#1012628). - batman-adv: tt: track roam count per VID (bsc#1012628). - batman-adv: dat: prevent false sharing between VLANs (bsc#1012628). - batman-adv: tvlv: enforce 2-byte alignment (bsc#1012628). - batman-adv: tvlv: avoid race of cifsnotfound handler state (bsc#1012628). - ipv6: account for fraggap on the paged allocation path (bsc#1012628). - ipv4: account for fraggap on the paged allocation path (bsc#1012628). - ntfs3: reject direct userspace writes to reserved $LX* xattrs (bsc#1012628). - wifi: mt76: add wcid publish check in mt76_sta_add (bsc#1012628). - mac802154: llsec: add skb_cow_data() before in-place crypto (bsc#1012628). - net: skmsg: preserve sg.copy across SG transforms (bsc#1012628). - net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink (bsc#1012628). - PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist (bsc#1012628). - apparmor: mediate the implicit connect of TCP fast open sendmsg (bsc#1012628). - NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR (bsc#1012628). - fbdev: fix use-after-free in store_modes() (bsc#1012628). - fscrypt: Fix key setup in edge case with multiple data unit sizes (bsc#1012628). - kernel/fork: clear PF_BLOCK_TS in copy_process() (bsc#1012628). - block: invalidate cached plug timestamp after task switch (bsc#1012628). - KVM: arm64: Omit tag sync on stage-2 mappings of the zero page (bsc#1012628). - err.h: use __always_inline on all error pointer helpers (bsc#1012628). - gcov: use atomic counter updates to fix concurrent access crashes (bsc#1012628). - KEYS: fix overflow in keyctl_pkey_params_get_2() (bsc#1012628). - keys: Pin request_key_auth payload in instantiate paths (bsc#1012628). - userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing (bsc#1012628). - userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks (bsc#1012628). ... changelog too long, skipping 136 lines ... - commit 0709164 ==== leancrypto ==== Version update (1.7.2 -> 1.8.0) - Update to 1.8.0: * X.509: provide a common automated serial number generator which is the 20 leftmost bytes of the SHA3-256 hash of the certificate DER blob with the serial number being 20 bytes of 0xff and the signature part equally a range of 0xff bytes * Add full support for internal IV generation with GCM - this allows AES-GCM to be used in FIPS mode * Curve448: Fix AVX2 ABI issue * Rust: add X25519 / X448 API to support rustls * Rust: add HKDF API * Rust: add ED25519 API to support rustls * X.509: Add support for ED25519 and ED448 certificates to support rustTLS for a smooth transition to PQC * HMAC: deentangle key and hash management * Remove VLA in the entire library * Fixes to ChaCha20-Poly1305 and HKDF based on Wycheproof * Add first drop of rustls-leancrypto provider - this code is not production-ready, but it works with OpenSSL via localhost as well as AWS-provider procedurally * Add lc_kyber_[x25519|448]_[enc|dec] API * BIKE: fix bug on 32-bit Intel systems * Rust: add status API * Harden various functions, add defense in depth checks suggested by LLMs * Bug fix: ML-KEM KDF helper ingested only ML-KEM part and skipped X25519 * Add return code checker defending against fault injections * ML-DSA / SLH-DSA: slicing the implementation to allow keygen, siggen and sigver to be compiled independently - together with dead code stripping, only the desired functionality is present (e.g. in secure boot mode, only sigver is of interest) - build-script/shim_support.sh compiles only signature verification * Linux kernel: add HMAC support * Ascon: add support and tests for NULL AAD and NULL PT * symmetric ciphers: return error codes for encrypt/decrypt * PBKDF2: add FIPS140-3 compliance checks * AEAD / Symmetric ciphers; add support for parallel use of cipher contexts - this fixes issues with the AES symmetric support in the Linux kernel * ChaCha20: increment only the 32 bit counter to be 100% compliant with RFC7539 - but that implies that for one given setiv only 2^32 - 1 bytes are allowed to be en/decrypted * All production and test code is now subject to regular UBSAN tests * Add Wycheproof compliance testing using Rust interface * Linux kernel: fix all UBSAN reports - the leancrypto.ko and all tests now work do not show any report with ASAN/UBSAN/kmemleak detector tested on X86 and ARMv8. * Remove patches fixed upstream: - leancrypto-ABI-fix.patch - 0001-Linux-kernel-leancrypto_kernel_rng_tester-include-li.patch ==== libXfont2 ==== - bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, bsc#1269018) - bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019) - bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch * computeProps Property Buffer Heap Buffer Overflow (CVE-2026-56003, bsc#1269020) ==== libapparmor ==== - add curl.diff to fix curl console output ==== libisofs ==== Version update (1.5.8.pl01 -> 1.5.8.pl02) - update to 1.5.8.pl02: * Bug fix: iso_local_get_projid() without flag bit5 returned * ISO_PROJID_NO_OPEN_LOCAL on dangling symlinks * Bug fix: Compile time error with --disable-lfa-flags - -enable-projid ==== libreoffice ==== Version update (26.2.4.2 -> 26.2.5.1) Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-en libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-qt6 libreoffice-writer libreofficekit - Update to 26.2.5.1. - Remove b08afae7e41fd5ca3a4101de07366783b17b3887.patch. * Patch has been merged upstream, no longer required. ==== libstorage-ng ==== Version update (4.5.339 -> 4.5.341) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#1089 - minor improvements calling external programs - 4.5.341 - merge gh#openSUSE/libstorage-ng#1088 - provide functions for encryption format and open options using vector of strings - extended tests - 4.5.340 ==== libva ==== Version update (2.23.0 -> 2.24.0) Subpackages: libva-drm2 libva-wayland2 libva-x11-2 libva2 - update to 2.24.0: * va: Add VA_PICTURE_H264_NON_EXISTING flag * va: use secure_getenv instead of getenv in va_x11.c * doc: fix libva av1 link for doxygen * trace: dump input/output data in va_TraceProtectedSessionExecute * trace: Add ProtectedSession Related Log in Trace ==== libva-gl ==== Version update (2.23.0 -> 2.24.0) - update to 2.24.0: * va: Add VA_PICTURE_H264_NON_EXISTING flag * va: use secure_getenv instead of getenv in va_x11.c * doc: fix libva av1 link for doxygen * trace: dump input/output data in va_TraceProtectedSessionExecute * trace: Add ProtectedSession Related Log in Trace ==== llvm22 ==== Version update (22.1.7 -> 22.1.8) - Update to version 22.1.8. * This release contains bug-fixes for the LLVM 22.1.0 release. This release is API and ABI compatible with 22.1.0. ==== nvidia-open-driver-G07-signed ==== Version update (595.84_k7.1.2_1 -> 595.84_k7.1.3_1) Subpackages: nvidia-open-driver-G07-signed-kmp-64kb nvidia-open-driver-G07-signed-kmp-default - preamble: * Workaround: Require update-alternatives on SLE16.1/Leap 16.1 and later as long as CUDA packages have not been adjusted yet (bsc#1267820) ==== nvidia-open-driver-G07-signed-cuda ==== Version update (610.43.02_k7.1.2_1 -> 610.43.02_k7.1.3_1) Subpackages: nvidia-open-driver-G07-signed-cuda-kmp-64kb nvidia-open-driver-G07-signed-cuda-kmp-default - preamble: * Workaround: Require update-alternatives on SLE16.1/Leap 16.1 and later as long as CUDA packages have not been adjusted yet (bsc#1267820) ==== nvme-cli ==== Version update (2.16 -> 3.0~b.3) Subpackages: nvme-cli-bash-completion - Update to version 3.0~b.3: * Release v3.0-b.3 * doc: Regenerate all docs for v3.0-b.3 * libnvme: rename Python binding to libnvme3 * libnvme: classify scoped IPv6 addresses with the TID's numeric test * libnvme/test: drop the netdb gating from the libnvme tests * nvme-cli/fabrics: resolve hostnames before handing addresses to libnvme * libnvme: reject hostname addresses instead of resolving them * libnvme/util: reimplement numeric address helpers without getaddrinfo * nvme-top: avoid recreating the global NVMe context on topology updates * libnvme: return status from libnvme_refresh_topology() * sfx-nvme: fix sizeof mismatch in calloc in nvme_dump_evtlog() * libnvme/tid: group functions by role in tid.c/tid.h * libnvme/fabrics: use str(), not get_canonical(), in the exclusion log * libnvme/tid: replace per-field setters with a set_identity triplet * libnvme/tid: drop get_hash() and equal() * libnvme/tid: reject hostnames, canonicalize numeric addresses * libnvme/doc: add the smart-TID design * libnvme/doc: state the library/application boundary * nvme-print: Update generic name listing to be platform independent * readme: Add readme section on Windows build and environment setup script * plugins: Add build support on Windows * libnvme: fix null pointer dereference in _discovery_config_json() * nvme_test: Update run_ns_io to be platform agnostic. * nbft: fix missing error checks for ftell() and rewind() * nvme-print: use status variable instead of errno * nvme: do not print status message on default * nvme-print-json: centralize init/finish * nvme-print-json: only output json if none empty * nvme-print: add nvme_show_verbose_* helpder * plugins: add newline after json output * tests: Add linting support for all python files recursively under tests. * tests/plugins: Expand testing framework to support plugin tests * nvme: enable cli for windows build * nvme-top: synthesize NVMe kobject uevent on ENOBUFS * nvme-top: support paging in the top dashboard * nvme-top: restore selected subsystem to the first entry * libnvme-wrap: drop unused code * nvme: add windows support for rpmb hash functions * test: Update build configuration to support testing on Windows * test-uint128: Update tostr_test locale handling to be Windows compatible * tests: Update get features test base on Windows capabilities * tests: Configure PATH for tests in a platform-agnostic way. * tests: Add is_windows check and skip unsupported tests on Windows * libnvme: make discovery connects honor the exclusion list * plugins/exclusion: operate on the default list when --name is omitted * libnvme: substitute RUNDIR into the registry udev rule - spec file updates * removed nvme-cli-rpmlintrc * remove duplicates (fdupes) * rename library package name to libnvme3-1 * fixed soname versioning * added ldconfig section for libnvme * fixed include path * fixed python sitesearch path - Update to version 3.0.b.2: * Release v3.0-b.2 * doc: Regenerate all docs for v3.0-b.2 * ioctl-win: Implement reset_ctrl_device using a PnP-level reset. * nvme-cli/fabrics: note an excluded target on connect under --verbose * doc: move REGISTRY.md under libnvme/design/ * doc: add NVMe-oF exclusion list documentation * nvme-cli/fabrics: add --exclude to nvme disconnect * plugins/exclusion: add the nvme exclusion management plugin * libnvme: add the NVMe-oF exclusion list * libnvme: add the libnvmf_tid transport identity * libnvme: add shared fabrics helpers in preparation for exclusion list * libnvme: drop the log messages from the no-netdb stubs * tree: add windows tree support * tree: add global context to libnvme_get_ctrl_transport * nvme: Open files using nvme_open_rawdata to fix Windows issues * plugins/wdc: fix typed malloc size expressions for log buffers * wdc-nvme: validate PCI ID lookup in wdc_log_page_directory() * tree: replace strdup with xstrdup in nvme_alloc_subsystem() * micron: Fix temp directory access security * micron: Fix possible NULL pointer dereference issues * micron: Fix buffer overflow vulnerabilities * fabrics: split uuid_from_dmi_entries file read function * fabrics: make uuid_from_dmi_entries more robust * wdc-nvme: fix null dereference of sph in get_dev_mgmt_log_page_lid_data() * doc: document nvme-cli-ai companion repository * solidigm: Apply fixes to allow compilation on Windows * micron: Fix command injection vulnerabilities * plugins/sandisk: fix memory leak in sndk_get_enc_drive_capabilities() * libnvme: validate context in libnvme_rescan_ctrl() * nvme: fix null pointer dereference in get_log_offset() * plugins/sed: fix null pointer dereference in sedopal_print_locking_features() * telemetry-log: Fix telemetry-log invalid argument error - Update to version 3.0.b.1: * Release v3.0-b.1 * doc: Regenerate all docs for v3.0-b.1 * libnvme/json: persist the registry owner in the config file * libnvme/test: fix exit-code capture in config-diff.sh * tree-linux: move all sysfs-related code to this file * fabrics: move hostnqn/hostid code to fabrics files * tree: unexport libnvme_host_get_ids * scan: refactor filter API * lib: remove log arguments from global context constructor * linux: move crypto APIs in new header ... changelog too long, skipping 844 lines ... * remmove 0002-fabrics-add-helper-to-update-tls-and-concat.patch ==== openSUSE-build-key ==== - Update key for zSystems (managed by OBS, expires 2026-12-06) - replace gpg-pubkey-f6ab3975-62e9e6fb.asc - by gpg-pubkey-f6ab3975-66f622c2.asc ==== openSUSE-release ==== Version update (20260707 -> 20260709) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openexr ==== Version update (3.4.12 -> 3.4.13) Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33 - update to 3.4.13 ( bsc#1269562, CVE-2026-55371, bsc#1269701, CVE-2026-55373, bsc#1269702, CVE-2026-55059, bsc#1269703, CVE-2026-54920, bsc#1269705, CVE-2026-53532): * Fix a regression introduced in v3.4.11 in decoding of DWAA compression * Fix to handling deep images and very large images with the OpenEXRUtil library * Fix initiliazation issue in B44A decoding * Validate HTJ2K chunk header length before decode * Fix when building statically and using the vendored OpenJPH library * Fix CVE-2026-55373 OpenEXRUtil SampleCountChannel endEdit() can loop forever on UINT_MAX sample counts * Fix CVE-2026-55371 OpenEXRCore exr_attr_set_bytes() accepts NULL type_hint with positive hint_length * Fix CVE-2026-55059 OpenEXRUtil SampleCountChannel row setter heap out-of-bounds write * Fix CVE-2026-54920 Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize * Fix CVE-2026-53532 Unhandled assert abort in HTJ2K decoder via crafted QCD marker (DoS) ==== python-gevent ==== Version update (26.4.0 -> 26.5.0) - update to 26.5.0: * Build and publish Windows 11 ARM wheels. See :issue:`2172`. * Add preliminary support for Python 3.15b1 and distribute binary wheels for it. ==== python-pexpect ==== - Add upstream wait.patch to fix test failure in staging ==== python-ply ==== - add py315-testfails.patch: fix build with python 3.15+ ==== python-tornado6 ==== - Fix test_strip_headers_on_redirect's URL-embedded-credentials cases. * Update the test_strip_headers_on_redirect test to Correctly handle credential injection in redirect URLs and account for a known libcurl regression with same-origin redirects. (gh#tornadoweb/tornado#3674) * Add python-tornado6-Fix-test_strip_headers_on_redirects.patch ==== rdma-core ==== Version update (62.0 -> 63.0) Subpackages: libefa1 libhns1 libibverbs libibverbs1 libionic1 libmana1 libmlx4-1 libmlx5-1 librdmacm1 rdma-ndd - Update to rdma-core v63.0 - https://github.com/linux-rdma/rdma-core/releases/tag/v63.0 ==== tiff ==== Version update (4.7.1 -> 4.7.2) - Update to 4.7.2: Software configuration changes: * cmake: Fix bundle identifiers to use reverse-DNS format * cmake: Fix and improve Apple framework build support * cmake: Use TurboJPEG CONFIG by default (issue #767) * cmake: changes related to 8-/12-bit modes * cmake: Replace CMath::CMath with direct link to avoid export. * Support for iOS-derived builds * Simplify cmake byte order version check * Add additional warnings, primarily floating precision conversions and integer arithmetic conversions * configure.ac: Require bootstrap with at least Autoconf 2.71. Library changes: * New/improved functionalities:: + Add TIFFGetMaxCompressionRatio() and use it in _TIFFReadEncoded[Tile|Strip)AndAllocBuffer() (issue #781) (CVE-2026-36849) (bsc#1268434) * API/ABI breaks: + None Bug fixes: * Handle negative TIFFReadFile results before state updates (issue #854) * tif_dirread.c: fix copy-paste bug in ChopUpSingleUncompressedStrip * tif_read.c: Fixed division by zero in TIFFStartStrip() (issue #777) * tif_dirwrite.c: add integer overflow checks to allocation size calculations * tif_print.c: add integer overflow checks to allocation size calculations * tif_write.c: fix OOB read and underflow in TIFFAppendToStrip copy loop * DumpModeSeek: add bounds check to prevent OOB pointer advance * TIFFGrowStrips: fix use-after-free on partial realloc failure. * Fix NULL dereference in _TIFFReserveLargeEnoughWriteBuffer() by validating the strip bytecount array before accessing it. * TIFFRGBAImage: avoid int overflows in put functions (issue #830) * tif_getimage: fix inconsistent fromskew handling in put16bitbwtile (issue #792) * tif_getimage: Widen pointer-offset arithmetic in tif_getimage * putcontig8bitYCbCr44tile: fix wrong fromskew computation (issue #798) * putcontig8bitYCbCr42tile: Reject invalid YCbCr subsampling when image dimensions are smaller than the subsampling block to prevent out-of-bounds writes. (issue #753) * TIFFReadRGBAImage(): prevent integer overflow and later heap overflow (issue #787) (CVE-2026-4775) (bsc#1260411) * TIFFFillStrip/Tile(): avoid excessive memory allocation (issue #831) * TIFFLinkDirectory() checks for IFD loops (issue #788) * Check result of _TIFFCheckRealloc to prevent memory leaks and segmentation fault when reallocation fails. * TIFFVTileSize64(): in YCbCr contig non upsampled mode, validate td_samplesperpixel==3 (issue #805) * TIFFReadDirEntryPersampleShort(): be tolerant to tags like SampleFormat not having 1 or SamplesPerPixel values (https://github.com/OSGeo/gdal/issues/13465) * tif_getimage: reject tile widths that would overflow toskew (issue #808) * Fix integer overflow in _TIFFPartialReadStripArray on 32-bit. * TIFFAppendToStrip(): add some checks to avoid null-pointer-dereferencing (issue #777). * _TIFFGetStrileOffsetOrByteCountValue(): fix potential crash on corrupted files when file opened in 'O' mode (https://issues.oss-fuzz.com/issues/471328917) * TIFFReadDirectory(): re-set TIFF_LAZYSTRILELOAD if file opened in 'O' mode * _TIFFMergeFields(): avoid NULL ptr dereference (issue #755). * Check td_stripbytecount_p and td_stripoffset_p for NULL pointer before (re-)writing to file. (issue #749) * JPEGDecodeRaw: initialize output buffer to avoid returning uninitialized memory (issue #892) * JPEG decompressor: initialize output buffer when JPEG image is smaller than strile dimension to avoid heap memory disclosure (issue #826) * JPEG: fix generation of tiled 12-bit JPEG compressed files with libjpeg-turbo 3.0.3 (issue #773) * JPEGDecode(): fix memory leak in error code path (https://issues.oss-fuzz.com/issues/471945501) * tif_jpeg: reject mismatched JPEG data precision to avoid write overflow * Fix signed left-shift UB in LogLuv RANDITHER encoding (issue #850) * PixarLog: error out on invalid ABGR output buffer sizes. * PixarLog: complete ABGR bounds check for multi-row strip decoding. * PixarLog: fix heap-buffer-overflow in 8BITABGR decode with stride 3 (issue #824) (CVE-2026-12912) (bsc#1269779) * PixarLog: fix undoing horizontal differencing when SamplesPerPixel != 3 and 4 (issue #789). * PixarLog codec: fix potential integer overflow/out-of-bounds access (issue #797) * TIFFAdvanceDirectory(): avoid potential read heap-buffer-overflow in mmap code path on 32 bit builds (https://issues.oss-fuzz.com/issues/506737072) * OJPEG: fix integer overflow in subsampling buffer allocation. * OJPEG: fix nullptr deref when changing compression method from OJPEG to something else (issue #795). * OJPEG fix potential integer overflow/out-of-bounds access (issue #796). * ojpeg: prevent EOF infinite loop (fixes commit 2a3d55b) * fix null pointer deference in issue #782. * fix stack-overflow in issue #784. Other changes: * Change EXIF and GPS tag type from IFD8 to LONG8 per EXIF-specification (issue #739). * Harden integer size and offset calculations (issue #897) * TIFFComputeTile/TIFFComputeStrip: use overflow-checked multiplication * Move widening casts inside multiplication scope. * Lots of compiler warning fixes related to enabling more warning flags * Align writing and reading of TIFF_LONG8 and TIFF_IFD8 tags (issue #773) * TIFFFillStrip(): prevent harmless unsigned integer overflow - Drop tiff-CVE-2026-4775.patch ==== uriparser ==== - doc builds via multibuild (https://build.opensuse.org/request/show/1364334) - added sources * _multibuild ==== xorg-x11-server ==== Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra - bsc1268893_CVE-2026-55999_0002-fb-mi-glamor-reject-glyphs-with-negative-dimensions.patch * glamor Font Atlas Heap Buffer Overflow (CVE-2026-55999, bsc#1268893) - bsc1268893_CVE-2026-55999_0003-glamor-reject-fonts-with-per-glyph-metrics-exceeding.patch * GLX contextTags Use-After-Free in CommonMakeCurrent() (CVE-2026-55999, bsc#1268893) - U_GLX-Free-the-tag-of-the-old-context-later.patch bsc1268894_CVE-2026-56000_0001-glx-free-old-context-tag-before-allocating-new-one-i.patch * GLX contextTags Use-After-Free in CommonMakeCurrent() (CVE-2026-56000, bsc#1268894) ==== xwayland ==== Version update (24.1.11 -> 24.1.12) - bsc1268893_CVE-2026-55999_0002-fb-mi-glamor-reject-glyphs-with-negative-dimensions.patch * glamor Font Atlas Heap Buffer Overflow (CVE-2026-55999, bsc#1268893) - bsc1268893_CVE-2026-55999_0003-glamor-reject-fonts-with-per-glyph-metrics-exceeding.patch * GLX contextTags Use-After-Free in CommonMakeCurrent() (CVE-2026-55999, bsc#1268893) - bsc1268894_CVE-2026-56000_0001-glx-free-old-context-tag-before-allocating-new-one-i.patch * GLX contextTags Use-After-Free in CommonMakeCurrent() (CVE-2026-56000, bsc#1268894) - Update to version 24.1.12: * This release contains the fixes for the issues reported in this security advisory: https://lists.x.org/archives/xorg-announce/2026-June/003702.html - Font Alias Stack-based Buffer Overflow - XSYNC Use-After-Free in miSyncDestroyFence() - XKB Key Types Stack-based Buffer Overflow - XKB SetMap Request Stack-based Buffer Overflow - XSYNC Use-After-Free in FreeCounter() - XSYNC Use-After-Free in SyncChangeCounter() - GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write - CreateSaverWindow Use-After-Free Information Disclosure * Additionally, it contains a number of other various fixes from the stable xwayland-24.1 branch. - Rebase U_xwayland_Dont_run_key_behaviors_and_actions.patch with quilt. - Drop patches fixed upstream: * bsc1266294_CVE-2026-XXXX1_0007-dix-increase-XLFDMAXFONTNAMELEN-to-match-libXfont2-s.patch * bsc1266295_CVE-2026-XXXX2_0001-sync-fix-deletion-of-counters-and-fences.patch * bsc1266296_CVE-2026-XXXX3_0003-xkb-reject-key-types-with-num_levels-exceeding-XkbMa.patch * bsc1266297_CVE-2026-XXXX4_0004-xkb-clamp-nMaps-to-mapWidths-buffer-size-in-CheckKey.patch * bsc1266299_CVE-2026-XXXX6_0002-sync-restart-trigger-list-iteration-in-SyncChangeCou.patch * bsc1266300_CVE-2026-XXXX7_0005-glx-fix-reversed-length-check-in-ChangeDrawableAttri.patch * bsc1266301_CVE-2026-XXXX8_0006-saver-re-fetch-screen-private-after-CheckScreenPriva.patch