Packages changed:
  MicroOS-release (20260425 -> 20260430)
  PackageKit (1.3.4 -> 1.3.5)
  at-spi2-core (2.60.0 -> 2.60.2)
  bubblewrap (0.11.0 -> 0.11.1)
  cups (2.4.17 -> 2.4.19)
  distribution-logos-openSUSE
  distrobox (1.8.2.4 -> 1.8.2.5)
  editorconfig-core-c (0.12.10 -> 0.12.11)
  ethtool (6.15 -> 6.19)
  gcc16 (16.0.1+git8711 -> 16.0.1+git8812)
  glib2
  glibc (2.42 -> 2.43)
  gpg2 (2.5.18 -> 2.5.19)
  grub2
  gsettings-desktop-schemas (50.0 -> 50.1)
  gvfs
  harfbuzz (14.1.0 -> 14.2.0)
  hwdata (0.397 -> 0.406)
  kernel-firmware-amdgpu (20260414 -> 20260427)
  kernel-firmware-ath12k (20260317 -> 20260421)
  kernel-firmware-bluetooth (20260408 -> 20260423)
  kernel-firmware-mediatek (20260317 -> 20260423)
  kernel-firmware-qcom (20260416 -> 20260423)
  kernel-firmware-sound (20260408 -> 20260421)
  kernel-source (6.19.12 -> 7.0.2)
  lcms2 (2.18 -> 2.19)
  leancrypto
  libblockdev (3.4.0 -> 3.5.0)
  libcamera
  libdrm (2.4.131 -> 2.4.133)
  libgpg-error (1.59 -> 1.60)
  libupnp (1.18.4 -> 1.18.5)
  libzypp (17.38.5 -> 17.38.7)
  llvm22 (22.1.3 -> 22.1.4)
  md4c (0.5.2 -> 0.5.3)
  mozilla-nss (3.122.1 -> 3.122.2)
  mpg123 (1.33.4 -> 1.33.5)
  nghttp2 (1.68.1 -> 1.69.0)
  ngtcp2 (1.22.0 -> 1.22.1)
  open-vm-tools
  openSUSE-build-key
  openexr
  openssh (10.2p1 -> 10.3p1)
  passt (20251215.b40f5cd -> 20260120.386b5f5)
  patterns-kde (20240311 -> 20260428)
  pipewire
  polkit-default-privs (1550+20260414.1647bf2 -> 1550+20260428.f2a5d2e)
  pulseaudio
  python-cryptography (46.0.7 -> 47.0.0)
  python-idna (3.11 -> 3.13)
  python313
  python313-core
  samba (4.23.6+git.466.1a6b75cb208 -> 4.23.7+git.473.9487af01c24)
  sed (4.9 -> 4.10)
  skopeo (1.22.1 -> 1.22.2)
  srt (1.5.4 -> 1.5.5)
  sssd (2.12.0 -> 2.13.0)
  sysextmgr (0.2.1+git20260310.385db9a -> 1.0.0+git20260429.bf44eec)
  systemd (259.5 -> 260.1)
  tiff
  timezone (2026a -> 2026b)
  toolbox (2.4+git20251009.ab435eb -> 2.4+git20260421.7c75c12)
  vim (9.2.0219 -> 9.2.0398)
  vlc
  xbitmaps (1.1.3 -> 1.1.4)
  xdg-dbus-proxy (0.1.6 -> 0.1.7)
  xterm (407 -> 409)
  xwayland (24.1.9 -> 24.1.11)
  zstd
  zypper (1.14.95 -> 1.14.96)

=== Details ===

==== MicroOS-release ====
Version update (20260425 -> 20260430)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== PackageKit ====
Version update (1.3.4 -> 1.3.5)
Subpackages: PackageKit-backend-dnf5 libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0

- Update to version 1.3.5:
  + This release fixes a critical security vulnerability that allows unprivileged local users to obtain root privileges on any distribution that uses PackageKit. Details will be disclosed very soon; please update to a fixed version of PackageKit immediately (ensure the patch from commit 76cfb675fb31acc3ad5595d4380bfff56d2a8697 is applied).
  + Drop slack backend
  + alpm: perform sysupgrade on install and update
  + freebsd: Fix crashing when libpkg asks about ABI mismatch
  + portage: Revamp backend
  + meson: test.depends does not accept a dummy dependency, give it an empty array instead
  + pkgcli: Set up proxy also if only PAC is available
  + Do not allow re-invoking methods on non-new transactions
  + packagekit/progress: updated old usage of raise StopIteration
  + pkgcli: Add TRANSLATORS comments for commands
  + pkgcli: Rename list-required-by to list-requiring
- Drop 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch: fixed upstream.
- Drop 11c5f1f34f48b58ee10acec839dd01a31728704b.patch: fixed upstream.
- Add 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch: Do not allow re-invoking methods on non-new transactions (bsc#1262220, CVE-2026-41651).

==== at-spi2-core ====
Version update (2.60.0 -> 2.60.2)
Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0

- Update to version 2.60.2:
  + atspi-device-legacy: add null checks for when x11 isn't available.
  + python: Fix __getitem__ with a negative offset.
  + Fix a NULL pointer dereference when sending an event.
  + device-x11: Fall back on raw key events if there is no focus.
- Update to version 2.60.1:
  + Detect unresponsive applications, and do not expose them as children of the desktop.
  + Attempt to fix a crash when opening a group chat in pidgin that contains new messages.

==== bubblewrap ====
Version update (0.11.0 -> 0.11.1)

- Really drop the nobwrap.helper script as intended on Sep 29 2025.
- update to 0.11.1:
  * Reset disposition of `SIGCHLD`, restoring normal subprocess management if bwrap was run from a process that was ignoring that signal, such as Erlang or volumeicon
  * Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if used
    Note that using a fd number ≥ 3 for these purposes is still preferred, to avoid confusion with the stdin, stdout, stderr that will be inherited by the command inside the container.
  * Fix grammar in an error message
  * Fix a broken link in the documentation
  * Enable user namespaces in Github Actions configuration, fixing a CI regression with newer Ubuntu
  * Clarify comments
- Drop the nobwrap.helper again: glycin could find a solution to detect it running in a CI/BuildEnvironment and it disarms bubblewrap in this case, making this wrapper obsolete

==== cups ====
Version update (2.4.17 -> 2.4.19)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.19:
  See https://github.com/openprinting/cups/releases
  Release 2.4.19 contains another hotfix after CVE-2026-27447 fix:
  * Fixed a regression in shared printing from non-local accounts (Issue #1557)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.19
- Added 'Michael R Sweet' key to cups.keyring because cups-2.4.19-source.tar.gz.sig belongs to him.
- Version upgrade to 2.4.18:
  See https://github.com/openprinting/cups/releases
  The new release 2.4.18 contains hotfix after CVE-2026-27447 fix:
  * Fixed cupsd crash if user does not exist (Issue #1555)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18

==== distribution-logos-openSUSE ====
Subpackages: distribution-logos-openSUSE-MicroOS distribution-logos-openSUSE-icons

- Fix suse_version condition since the value of suse_version is now 1610 in SLE/Leap 16.1

==== distrobox ====
Version update (1.8.2.4 -> 1.8.2.5)
Subpackages: distrobox-bash-completion

- Drop fix-distrobox-to-newer-zypper.patch since it was merged upstream
- Update to 1.8.2.5:
  * docs: remove bluefin-cli and powershell ublue images by @renner0e in https://github.com/89luca89/distrobox/pull/1997
  * docs: update documentation regarding VSCode integration by @ludrol in https://github.com/89luca89/distrobox/pull/1996
  * enter: show container command on dry run by @balanza in https://github.com/89luca89/distrobox/pull/2000
  * fix: expose correct dryrun command by @balanza in https://github.com/89luca89/distrobox/pull/2006
  * fix: setup_zypper: use drop-in config file if possible by @dannyhpy in https://github.com/89luca89/distrobox/pull/2007
  * docs: update README with sandboxing alternatives by @Gerharddc in https://github.com/89luca89/distrobox/pull/2009
  * feat: add ALT Linux compatibility improvements by @liannnix in https://github.com/89luca89/distrobox/pull/1989
  * fix: Pass -xdev to /bin/find by @danielzgtg in https://github.com/89luca89/distrobox/pull/1998
  * add Docker Desktop on macOS compatibility by @ericcurtin in https://github.com/89luca89/distrobox/pull/2019
  * init: chmod shadow files to 0400 for container storage compatibility by @89luca89 in https://github.com/89luca89/distrobox/pull/2020
  * chore(ci): v2 release candidate workflow by @balanza in https://github.com/89luca89/distrobox/pull/2031
  * docs(posts): announcing Distrobox v2 by @balanza in https://github.com/89luca89/distrobox/pull/2032
  * build(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2045
  * build(deps): bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2044
  * build(deps): bump actions/download-artifact from 4 to 8 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2043
  * build(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2042
  * docs: issue template notice for distrobox v2 by @balanza in https://github.com/89luca89/distrobox/pull/2049
  * init: also clean empty unversioned .so stubs during nvidia setup by @edodusi in https://github.com/89luca89/distrobox/pull/2024
  * fix(enter): su argument order in unshare_groups path (legacy) by @Aromatic05 in https://github.com/89luca89/distrobox/pull/2055
  * fix(enter): correct order for su commands in unshare-groups by @dottorblaster in https://github.com/89luca89/distrobox/pull/2067
  * chore: bump to v1.8.2.5 by @dottorblaster in https://github.com/89luca89/distrobox/pull/2072

==== editorconfig-core-c ====
Version update (0.12.10 -> 0.12.11)

- update to 0.12.11:
  * CVE-2026-40489: l_pattern buffer overflow (boo#1262131)
  * Fixes for compiler errors/warnings
- drop editorconfig-core-c-const-correctness.patch

==== ethtool ====
Version update (6.15 -> 6.19)

- Update to release 6.19
  * tsinfo: Add support for PTP hardware source
  * monitor: Add notification handling for PLCA configuration
  * rxfh: IPv6 Flow Label hash support
  * netlink: fec: add errors histogram statistics
- Delete 5a6848026277296a151664666ef1c25821787043.patch (merged)
- Move bash-completions into main package.
- add netlink support for RX CQE Coalescing params (bsc#1261256)
  5a6848026277296a151664666ef1c25821787043.patch
  d35d87fbcda97fe31df79d62277743214641892a.patch
  bf023af442f63e16f1699128c7ce467eddc6d340.patch

==== gcc16 ====
Version update (16.0.1+git8711 -> 16.0.1+git8812)
Subpackages: libgcc_s1 libgomp1 libstdc++6

- Update to 16.0.1+git8812, includes GCC 16.1 release candidate #2.
- Update to 16.0.1+git8809, GCC 16.1 release candidate.

==== glib2 ====
Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Install the /usr/share/applications/gnome-mimeapps.list symlink from the package instead of creating it from systemd-tmpfiles since /usr is mounted read-only in immutable systems. This also forces installing an empty file as the symlink target.
- Use systemd-tmpfiles to create the default mimeapps lists instead of writing to /var in %post to fix immutable systems (jsc#PED-14839)

==== glibc ====
Version update (2.42 -> 2.43)
Subpackages: glibc-locale glibc-locale-base

- sys-mount-cloexec-flag.patch: include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h
- sys-mount-open-tree-macros.patch: Linux: Only define OPEN_TREE_* macros in if undefined (BZ #33921)
- resolv-count-resource-records.patch: resolv: Count records correctly (CVE-2026-4437, bsc#1260078, BZ #34014)
- resolv-check-hostname.patch: resolv: Check hostname for validity (CVE-2026-4438, bsc#1260082, BZ #34015)
- ldbl-128ibm-ceill-floorl-roundl-truncl.patch: Fix ldbl-128ibm ceill, floorl, roundl and truncl zero-sign handling (BZ #33623)
- getlogin-utmp-fallback.patch: Linux: In getlogin_r, use utmp fallback only for specific errors
- nss-malloc-failure-checks.patch: nss: Missing checks in __nss_configure_lookup, __nss_database_get (BZ #28940)
- nss-database-for-fork.patch: nss: Introduce dedicated struct nss_database_for_fork type
- malloc-sys-kernel-mm.patch: malloc: Avoid accessing /sys/kernel/mm files
- tests-aarch64-makefile-deps-bti.patch: tests: aarch64: fix makefile dependencies for dlopen tests for BTI
- aarch64-lock-gcs-startup.patch: aarch64: Lock GCS status at startup
- elf-strlen-redir-ifunc.patch: elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
- riscv-redir-memcpy-generic.patch: riscv: Resolve calls to memcpy using memcpy-generic in early startup
- tst-rseq-linux-7.patch: tests: fix tst-rseq with Linux 7.0
- remove -fcf-protection from optflags on non-x86_64 cross compilers.
- Update to glibc 2.43
  * The ISO C23 free_sized, free_aligned_sized, memset_explicit, and memalignment functions have been added
  * As specified in ISO C23, the assert macro is defined to take variable arguments to support expressions with a comma inside a compound literal initializer not surrounded by parentheses
  * For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers into their input arrays now have definitions as macros that return a pointer to a const-qualified type when the input argument is a pointer to a const-qualified type
  * The ISO C23 typedef names long_double_t, _Float32_t, _Float64_t, and (on platforms supporting _Float128) _Float128_t, introduced in TS 18661-3:2015, have been added to
  * The ISO C23 optional time bases TIME_MONOTONIC, TIME_ACTIVE, and TIME_THREAD_ACTIVE have been added
  * On Linux, the mseal function has been added
  * Additional optimized and correctly rounded mathematical functions have been imported from the CORE-MATH project, in particular acosh, asinh, atanh, erf, erfc, lgamma, and tgamma.
  * Optimized implementations for fma, fmaf, remainder, remainderf, frexpf, frexp, frexpl (binary128), and frexpl (intel96) have been added.
  * The SVID handling for acosf, acoshf, asinhf, atan2f, atanhf, coshf, fmodf, lgammaf/lgammaf_r, log10f, remainderf, sinhf, sqrtf, tgammaf, y0/j0, y1/j1, and yn/jn was moved to compat symbols, allowing improvements in performance
  * On Linux, the openat2 function has been added
  * On AArch64, support for 2MB transparent huge pages has been enabled by default in malloc (similar to setting glibc.malloc.hugetlb=1 tunable)
  * On AArch64 Linux targets supporting the Scalable Matrix Extension (SME), the clone() system call wrapper will disable the ZA state of the SME
  * On AArch64 targets supporting the Branch Target Identification (BTI) extension, it is possible to enforce that all binaries in the process support BTI using the glibc.cpu.aarch64_bti tunable
  * On AArch64 Linux targets supporting at least one of the branch protection extensions (e.g. Branch Target Identification or Guarded Control Stack), it is possible to use LD_DEBUG=security to make the dynamic linker show warning messages about loaded binaries that do not support the corresponding security feature
  * On AArch64, vector variants of the new C23 exp2m1, exp10m1, log10p1, log2p1, and rsqrt routines have been added
  * On RISC-V, an RVV-optimized implementation of memset has been added
  * On x86, support for the Intel Nova Lake and Wildcat Lake processors has been added
  * Unicode support has been updated to Unicode 17.0.0
  * The manual has been updated and modernized, in particular also regarding many of its code examples
  * Support for dumped heaps has been removed
  * The aforementioned change in ISO C23 of the declaration of bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr, and wmemchr as const-preserving macros can lead to compilation issues in code not set up for it
  * The uimaxabs function has been renamed to umaxabs, following a change to the name of that function in ISO C2Y
  * The fromfp, fromfpx, ufromfp and ufromfpx functions, and the corresponding functions for other floating-point types, now return their result in the same type as their floating-point argument, rather than intmax_t or uintmax_t, in accordance with a change to the definition of these functions in ISO C23
  * The support for TX lock elision of pthread mutexes has been removed on all architectures (powerpc, s390x, x86_64)
  * The next linux 6.19 release will remove support for compat syscalls on s390x
  * The LD_PROFILE functionality no longer has a default directory for the profile data it writes
  * GLIBC-SA-2026-0001: Integer overflow in memalign leads to heap corruption (CVE-2026-0861)
  * GLIBC-SA-2026-0002: getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resolver (CVE-2026-0915)
  * GLIBC-SA-2026-0003: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory (CVE-2025-15281)
- inet-fortified-namespace.patch, abort-fork-lock-init.patch, ld.so-load-segment-gaps.patch, cancelable-syscall-return-value.patch, ctype-tls-IE.patch, i386-gnu-tls-abi-tag.patch, x86-64-gnu2-tls-abi-tag.patch, x86-64-dt-x86-64-plt-abi-tag.patch, i386-gnu2-tls-abi-tag.patch, aarch64-sve-powf.patch: Removed

==== gpg2 ====
Version update (2.5.18 -> 2.5.19)

- Update to 2.5.19:
  * gpg: New option --use-ocb-sym
  * gpg: New options --show-[only-]session-hash
  * gpgsm: Allow cipher mode to be part of the algo given to the --cipher-algo option
  * gpgsm: Emit more details when failing to check a crlDP
  * agent: Improve pinentry behavior and texts in smartcard context
  * dirmngr: New keyword "clear" for --keyserver
  * gpg: Fix edge case in --refresh-keys
  * gpg: Don't call gcry_kdf_derive with empty passphrase
  * gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to allow import of recently issued certificates by the German Telekom
  * gpgsm: Fix a bug so that a certificate can be signed using a different algo
  * gpgsm: Make GCM fully compliant in de-vs mode
  * gpgsm: Add a certificate chain check for de-vs compliance
  * gpgsm: Show rsaPSS certificates as de-vs compliant in listings
  * agent: Rework the trustlist reading code to finally allow a trustlist.txt with a missing trailing LF
  * ssh: Fix RSA padding in signature handling
  * gpgtar: Fix -C (--directory) to check the output directory
  * agent: Raise an error when p >= q for RSA keys to detect incorrect generated *PGP keys

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-common grub2-snapper-plugin

- Fix incorrect default entry and bump counter for BLS boot counter files (bsc#1262580)
  * 0001-bls-fix-default-entry-and-bumpcounter-for-BLS-boot-c.patch
- VUL-0: grub: potentially problematic utf8 conversion in bli patches (bsc#1262129)
  * 0001-Fix-problematic-utf8-conversion-in-bli-patches.patch
- Fix build for glibc 2.43 by taking upstream changes (bsc#1257256)
  * 0001-osdep-linux-ofpath-Update-strstr-calls.patch
  * 0001-util-probe-Save-strrchr-ret-val-to-const-data-ptr.patch
  * 0002-util-resolve-Save-str-r-chr-ret-val-to-const-data-pt.patch
- Fix string to integer conversion for LoaderConfigTimeout
  * 0004-bli-Add-support-for-LoaderConfigTimeout-and-LoaderCo.patch
- grub2.spec: When building the grubbls image, do not hardcode the timeout value in the early config because it is set by bli.mod when it is loaded
- grub2.spec: Remove hardcoded terminal and theme settings from the early config as they are now applied at runtime
- Fix missing install device check in grub2-install on PowerPC which could lead to bootlist corruption (bsc#1221126)
  * 0001-Mandatory-install-device-check-for-PowerPC.patch
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
  * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
  * grub2-btrfs-09-get-default-subvolume.patch
- Rewrite BLI patches:
  * 0001-blsuki-Add-support-for-LoaderEntries.patch
  * 0002-menu-Allow-default-entry-to-have-.conf-suffix.patch
  * 0003-bli-Add-support-for-LoaderEntryDefault-and-LoaderEnt.patch
  * 0004-bli-Add-support-for-LoaderConfigTimeout-and-LoaderCo.patch
  * 0005-bls_bumpcounter-Add-command-to-bump-boot-counter-for.patch
  * 0006-bli-Add-support-for-LoaderFeatures.patch
  * 0007-blsuki-Fix-sorting-for-entries-with-boot-counting-en.patch
  * 0008-blsuki-append-leftover-LoaderEntries.patch
  * 0009-blsuki-conservative-UTF-8-buffer-size.patch
- Remove patches:
  * 0001-bls-Accept-.conf-suffix-in-setting-default-entry.patch
  * grub2-bls-boot-counting.patch
  * grub2-bls-boot-assessment.patch
  * grub2-blscfg-set-efivars.patch
  * grub2-bls-loader-entry-oneshot.patch
  * grub2-blsbumpcounter-menu.patch
  * grub2-bls-loader-entry-default.patch
  * grub2-bls-loader-entries-boot-counting.patch
  * grub2-bls-loader-features.patch
  * grub2-bls-loader-config-timeout.patch
  * grub2-bls-loader-config-timeout-fix.patch

==== gsettings-desktop-schemas ====
Version update (50.0 -> 50.1)

- Update to version 50.1:
  + Updated translations.

==== gvfs ====
Subpackages: gvfs-backends

- Split out cdda in own separate sub package (gvfs-backend-cdda).

==== harfbuzz ====
Version update (14.1.0 -> 14.2.0)
Subpackages: libharfbuzz-gobject0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0

- Update to version 14.2.0:
  + In this release, the experimental raster, vector, and GPU libraries went through several rounds of code review and cleanup to make sure they follow the high standards expected of HarfBuzz code. The API has also been extensively reviewed based on experience gained from using these libraries. We consider the code and API to be ready for stabilization, and we expect to graduate them from experimental in the near future. If you are using or planning to use these libraries and have any concerns about the API, it is time to raise them. Once a library is deemed stable, we will never change the API or ABI in an incompatible way.

==== hwdata ====
Version update (0.397 -> 0.406)

- update to 0.406:
  * Update pci and vendor ids
- update to 0.405:
  * Update pci and vendor ids

==== kernel-firmware-amdgpu ====
Version update (20260414 -> 20260427)

- Update to version 20260427 (git commit b64d7354df3a):
  * amdgpu: DMCUB updates for various ASICs
- Update to version 20260421 (git commit 0a7e55438c7c):
  * amdgpu: DMCUB updates for DCN36

==== kernel-firmware-ath12k ====
Version update (20260317 -> 20260421)

- Update to version 20260421 (git commit 0a7e55438c7c):
  * ath12k: QCC2072 hw1.0: add to WLAN.COL.1.0.c2-00074-QCACOLSWPL_V1_TO_SILICONZ-1
  * ath12k: QCC2072 hw1.0: add board-2.bin
  * ath12k: IPQ5424 hw1.0: add to WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
  * ath12k: IPQ5424 hw1.0: add board-2.bin

==== kernel-firmware-bluetooth ====
Version update (20260408 -> 20260423)

- Update to version 20260423 (git commit 479a01628094):
  * linux-firmware: Add firmware file for Intel BlazarIW
- Update to version 20260423 (git commit 0d347a3f3ec4):
  * linux-firmware: Add firmware file for Intel ScorpiusGfp2 core
  * linux-firmware: Add firmware file for Intel BlazarIGfp2 core
  * linux-firmware: Update firmware file for Intel BlazarU-HrPGfP core
  * linux-firmware: Update firmware file for Intel BlazarU core
  * linux-firmware: Update firmware file for Intel Scorpius core
  * linux-firmware: Update firmware file for Intel BlazarI core
  * Revert "linux-firmware: Update firmware file for Intel Quasar core"
- Update to version 20260421 (git commit 0a7e55438c7c):
  * QCA: Update Bluetooth WCN6856 firmware 2.1.0-00665 to 2.1.0-00666

==== kernel-firmware-mediatek ====
Version update (20260317 -> 20260423)

- Update to version 20260423 (git commit 0d347a3f3ec4):
  * mediatek MT7925: update bluetooth firmware to 20260414153243
  * linux-firmware: update firmware for MT7925 WiFi device

==== kernel-firmware-qcom ====
Version update (20260416 -> 20260423)

- Update to version 20260423 (git commit 0d347a3f3ec4):
  * qcom: Update ADSP firmware for Glymur platform
  * qcom: Add gpdspr.jsn for qcs8300 platform
- Update to version 20260421 (git commit 0a7e55438c7c):
  * qcom: Update ADSP firmware for Kaanapali platform

==== kernel-firmware-sound ====
Version update (20260408 -> 20260421)

- Update to version 20260421 (git commit 0a7e55438c7c):
  * cirrus: cs35l56: Add firmware for Cirrus Amps for some Lenovo laptops
  * cirrus: cs35l56: Add firmware for Cirrus Amps for some Lenovo laptops (17aa235c 17aa235d)

==== kernel-source ====
Version update (6.19.12 -> 7.0.2)
Subpackages: kernel-64kb kernel-default

- Linux 7.0.2 (bsc#1012628).
- crypto: authencesn - Fix src offset when decrypting in-place (bsc#1012628).
- pwm: th1520: fix `CLIPPY=1` warning (bsc#1012628).
- drm/amdgpu: replace PASID IDR with XArray (bsc#1012628).
- crypto: krb5enc - fix sleepable flag handling in encrypt dispatch (bsc#1012628).
- crypto: krb5enc - fix async decrypt skipping hash verification (bsc#1012628).
- ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger (bsc#1012628).
- ksmbd: validate owner of durable handle on reconnect (bsc#1012628).
- scripts: generate_rust_analyzer.py: define scripts (bsc#1012628).
- scripts/dtc: Remove unused dts_version in dtc-lexer.l (bsc#1012628).
- fs/ntfs3: validate rec->used in journal-replay file record check (bsc#1012628).
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally (bsc#1012628).
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() (bsc#1012628).
- f2fs: fix to avoid memory leak in f2fs_rename() (bsc#1012628).
- f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer (bsc#1012628).
- fuse: reject oversized dirents in page cache (bsc#1012628).
- fuse: abort on fatal signal during sync init (bsc#1012628).
- fuse: Check for large folio with SPLICE_F_MOVE (bsc#1012628).
- fuse: quiet down complaints in fuse_conn_limit_write (bsc#1012628).
- fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized (bsc#1012628).
- ksmbd: require minimum ACE size in smb_check_perm_dacl() (bsc#1012628).
- smb: server: fix active_num_conn leak on transport allocation failure (bsc#1012628).
- smb: client: fix dir separator in SMB1 UNIX mounts (bsc#1012628).
- smb: server: fix max_connections off-by-one in tcp accept path (bsc#1012628).
- smb: client: require a full NFS mode SID before reading mode bits (bsc#1012628).
- smb: client: validate the whole DACL before rewriting it in cifsacl (bsc#1012628).
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path (bsc#1012628).
- ksmbd: validate response sizes in ipc_validate_msg() (bsc#1012628).
- ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() (bsc#1012628).
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment (bsc#1012628).
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow (bsc#1012628).
- ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() (bsc#1012628).
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() (bsc#1012628).
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu (bsc#1012628).
- ALSA: hda/realtek: Add quirk for Legion S7 15IMH (bsc#1012628).
- ALSA: caiaq: take a reference on the USB device in create_card() (bsc#1012628).
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() (bsc#1012628).
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (bsc#1012628).
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (bsc#1012628).
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (bsc#1012628).
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing (bsc#1012628).
- mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER (bsc#1012628).
- Rename to patches.kernel.org/7.0.2-032-writeback-Fix-use-after-free-in-inode_switch_wb.patch.
- commit 46da294
- Refresh patches.suse/mfd-bcm2835-pm-Add-BCM2712-PM-device-support.patch.
- Refresh patches.suse/mfd-bcm2835-pm-Introduce-SoC-specific-type-identifier.patch.
- Refresh patches.suse/writeback-Fix-use-after-free-in-inode_switch_wbs_wor.patch.
  Update upstream status.
- commit 8e3001e
- Re-enable ARM architectures and update configs
  Rather late (well, that's an understatement) but better than never.
- commit 46dfbfa
- Update config files.
  Set INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y (bsc#1262308)
  The same as for SL-16.*.
- commit ccbbbdf
- Linux 7.0.1 (bsc#1012628).
- clockevents: Add missing resets of the next_event_forced flag (bsc#1012628).
- mm/userfaultfd: fix hugetlb fault mutex hash calculation (bsc#1012628).
- media: hackrf: fix to not free memory after the device is registered in hackrf_probe() (bsc#1012628).
... changelog too long, skipping 164 lines ...
- commit 5844293

==== lcms2 ====
Version update (2.18 -> 2.19)

- Update to version 2.19
  * CMake build system.
  * Large files support to use profiles up to 4Gb.
  * Black point compensation works on multi-channel profiles.
  * jpgicc banner is not shown on normal operation, only when help is requested.
  * Added a way to access internal transform pipelines.
  * Add a way to retrieve the CMM signature.
  * Added extra checks on postscript undocumented functions.
  * Added guard on integer overflow when reading .cube files.
  * Added unneeded checks as a try to get rid of spam reports about "vulnerabilities" that are not real.
  * Creating an output profile by cmsTransform2DeviceLink does not propagate correctly the colorant table.
  * Added some profile class definitions from iccMAX.
  * Deprecated uint16 and uint32 types removed from tifdiff.
  * fixed generation of tifdiff on Cmake and meson.

==== leancrypto ====
- Fix build on kernel 7.0
  * Add patch 0001-Linux-kernel-leancrypto_kernel_rng_tester-include-li.patch
- Pick fix for ABI issue in AVX2 assembly for Curve448 causing test failures when building with GCC 16.
  * Add patch leancrypto-ABI-fix.patch

==== libblockdev ====
Version update (3.4.0 -> 3.5.0)
Subpackages: libbd_crypto3 libbd_fs3 libbd_loop3 libbd_lvm3 libbd_mdraid3 libbd_nvme3 libbd_part3 libbd_smart3 libbd_swap3 libbd_utils3 libblockdev3

- Update to version 3.5.0:
  + More than a hundred fixes for various issues both in code and test suite were found and fixed using Claude AI.
  + Crypto plugin now offers activate functions that accept cryptsetup activation flags.
  + Two new functions added to the btrfs plugin for recursively removing subvolumes and getting btrfs device stats.

==== libcamera ====
Subpackages: libcamera-base0_7 libcamera0_7

- Add libcamera-ov02e10-initial-support.patch

==== libdrm ====
Version update (2.4.131 -> 2.4.133)
Subpackages: libdrm2 libdrm_amdgpu1

- update to 2.4.133
  * This release contains few fixes for build errors that weren't caught by CI.

==== libgpg-error ====
Version update (1.59 -> 1.60)

- Update to 1.60:
  * New error codes
  * Interface changes relative to the 1.57 release:
    GPG_ERR_PUBKEY_NON_COMPLIANT NEW.
    GPG_ERR_CIPHER_NON_COMPLIANT NEW.
    GPG_ERR_DIGEST_NON_COMPLIANT NEW.

==== libupnp ====
Version update (1.18.4 -> 1.18.5)
Subpackages: libixml11 libupnp20

- Update to release 1.18.5
  * Fixed CVE-2026-41682

==== libzypp ====
Version update (17.38.5 -> 17.38.7)

- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- version 17.38.7 (35)
- Check for trusted key updates when updating the general keyring (bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- version 17.38.6 (35)

==== llvm22 ====
Version update (22.1.3 -> 22.1.4)

- Update to version 22.1.4.
  * This release contains bug-fixes for the LLVM 22.1.0 release. This release is API and ABI compatible with 22.1.0.
- Build bolt on riscv64.
- Fix shebang for hwasan_symbolize also on riscv64.

==== md4c ====
Version update (0.5.2 -> 0.5.3)

- Update to 0.5.3
  * Avoid repeated prefix language- in code block language specification if the input already explicitly includes the prefix
  * Permissive autolink extensions (MD_FLAG_PERMISSIVExxxAUTOLINKS) are now tiny bit more permissive, allowing + and - characters to be anywhere in the path portion of the URL. This also improves compatibility with GFM
  * Make Unicode-specific code compliant to Unicode 18.0
  * Fix quadratic time behavior caused by one-by-one walking over block lines instead of calling md_lookup_line()
  * Fix quadratic time and output size behavior caused by malicious misuse of link reference definitions
  * The strike-through extension (with flag MD_FLAG_STRIKETHROUGH) now follows same logic as other emphasis spans in respect to punctuation character and word boundaries
  * Fix handling tab when removing trailing whitespace, especially in connection with ATX headers
  * We now correctly abort the parser when a callback returns non-zero. (Previously it worked correctly only for negative values, values greater than zero were causing strange and inconsistent behavior)
  * Fix handling a code span whose closer is on the next line and yet another text follows. In the case we erroneously outputted the closer code span mark as part of the text
  * Fix md_decode_utf16le_before__(). (Only affected MD4C builds built with -MD4C_USE_UTF16 on Windows)
  * Do not try to interpret characters in a link URL as Markdown syntax characters
  * Fix detection of closing code block fence if it has a trailing tabulator
  * Fix invalid free() in an error path

==== mozilla-nss ====
Version update (3.122.1 -> 3.122.2)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs

- update to NSS 3.122.2:
  * bmo#2033783 - reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max

==== mpg123 ====
Version update (1.33.4 -> 1.33.5)

- Update to version 1.33.5
  * mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit off_t was used with mpg123 API calls expecting 64 bit off_t.
  * mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive platforms (regression since 1.32.0).
  * libmpg123: Announce support for shadow stack / IBT in x86-64 assembly.
  * libmpg123: Also announce PAC/BTI for non-accurate neon64 (aarch64) synth.
  * libout123: Add a safeguard to ensure variable-length records from buffer communication are always zero-terminated.
  * libsyn123: Use union work buffer to avoid casts that may look like breaking strict aliasing.

==== nghttp2 ==== Version update (1.68.1 -> 1.69.0) - update to 1.69.0: * nghttpx: Avoid separate allocation for QUIC tx buffer * lib/CMakeLists.txt: Fix NGHTTP2_CONFIG_INSTALL_DIR path * nghttpx: Ensure resetting downstream h2 stream * Fix union usage in nghttp2_data_provider_wrap * nghttpx: Remove stream_closed_ from Http2DownstreamConnection * Introduce nghttp2_strlen_lit * Check nghttp2_is_fatal first * nghttpd, nghttpx: Accept at most 10 connections per loop * nghttpx: Accept pending connections until it returns error * nghttpx: Rework close-wait packet generation for h3 * nghttpx: Add extra validation for non-regular path for * nghttpx: More strict validation for h1 host * nghttpd: Refactor with std::span * nghttp: Refactor with std::span * nghttp: Move span creation out of loop * nghttpx: Use std::span for upstream interface * nghttpx: Modernize downstream connection with std::span * nghttpx: Deal with partial write in API downstream connection * nghttpx: Adopt std::span for LiveCheck read path * Nghttpx connection write span * Nghttpx connection read span * nghttpx: Refactor QUIC utils with std::span * nghttpx: Choose the sensible value for TCP_DEFER_ACCEPT * nghttpx: Simplify HTTP/2 writer * nghttpx: Format doc * nghttpx: Deal with ECONNRESET for IPC socket on worker * nghttpx: Rewrite LOG macros with std::source_location * nghttpx: Amend #2671 to fix double logging * nghttpx: Call Log ctor directly * nghttpx: Rename LOG_ENABLED to log_enabled * src: Add static constexpr to ngtcp2 and nghttp3 callbacks * Nghttpx ech * nghttpx: Log the number of loaded ECH configuration in NOTICE ==== ngtcp2 ==== Version update (1.22.0 -> 1.22.1) Subpackages: libngtcp2-16 libngtcp2_crypto_gnutls8 libngtcp2_crypto_ossl0 - update to 1.22.1 (bsc#1262273, CVE-2026-40170): * Fixes CVE-2026-40170 ==== open-vm-tools ==== Subpackages: libvmtools0 - Fix build with glibc 2.43 (boo#1257312) + Add patch: - glibc243.patch ==== openSUSE-build-key ==== - adjust suse_version condition for 
the Backports key ==== openexr ==== Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33 - Disable testLargeDataWindowOffsets on 32-bit arm ==== openssh ==== Version update (10.2p1 -> 10.3p1) Subpackages: openssh-clients openssh-common openssh-server - Update to openssh 10.3p1: = Potentially-incompatible changes * ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying. * sshd(8): prior to this release, a certificate that had an empty principals section would be treated as matching any principal (i.e. as a wildcard) when used via authorized_keys principals="" option. This was intentional, but created a surprising and potentially risky situation if a CA accidentally issued a certificate with an empty principals section: instead of being useless as one might expect, it could be used to authenticate as any user who trusted the CA via authorized_keys. [Note that this condition did not apply to CAs trusted via the sshd_config(5) TrustedUserCAKeys option.] This release treats an empty principals section as never matching any principal, and also fixes interpretation of wildcard characters in certificate principals. Now they are consistently implemented for host certificates and not supported for user certificates. * ssh(1): the -J and equivalent -oProxyJump="..." options now validate user and host names for ProxyJump/-J options passed via the command-line (no such validation is performed for this option in configuration files). This prevents shell injection in situations where these were directly exposed to adversarial input, which would have been a terrible idea to begin with. Reported by rabbit. 
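Added example (not part of the OpenSSH release notes or of this changelog): a Python audit of certificate listings for the two principal conditions changed in the sshd(8) note above, namely an empty principals section and wildcard characters in user-certificate principals. The listings are constructed samples laid out like `ssh-keygen -L` output, and the function names and finding labels are this example's own.

```python
import re

# Field names in `ssh-keygen -L` output are indented by 8 spaces,
# the principals listed under "Principals:" by 16.
HEADER_INDENT = 8

# Constructed sample listings (not real certificates).
SAMPLE_EMPTY = """\
build-agent-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "build-agent"
        Serial: 7
        Valid: forever
        Principals: (none)
        Critical Options: (none)
"""

SAMPLE_WILDCARD = """\
ops-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "ops-team"
        Serial: 8
        Valid: forever
        Principals:
                deploy
                ops-*
        Critical Options: (none)
"""

SAMPLE_HOST = """\
host-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Key ID: "web-frontends"
        Serial: 9
        Valid: forever
        Principals:
                *.example.internal
        Critical Options: (none)
"""


def parse_cert_listing(text):
    """Extract certificate kind, key ID and principals from one listing."""
    cert = {"kind": None, "key_id": None, "principals": []}
    in_principals = False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        # Lines indented deeper than a field name belong to the principals list.
        if in_principals and indent > HEADER_INDENT and body:
            cert["principals"].append(body)
            continue
        in_principals = False
        m = re.match(r"Type: \S+ (user|host) certificate$", body)
        if m:
            cert["kind"] = m.group(1)
        elif body.startswith("Key ID:"):
            cert["key_id"] = body[len("Key ID:"):].strip().strip('"')
        elif body.startswith("Principals:"):
            # "(none)" on the same line means the principals section is empty.
            in_principals = body[len("Principals:"):].strip() != "(none)"
    if cert["kind"] is None:
        raise ValueError("no 'Type: ... certificate' line found")
    return cert


def audit(cert):
    """Return findings for a user certificate; host certificates pass."""
    findings = []
    if cert["kind"] != "user":
        return findings
    if not cert["principals"]:
        # Before 10.3p1: matched any principal via authorized_keys principals=.
        # From 10.3p1: never matches, so the certificate stops working.
        findings.append("empty-principals")
    for principal in cert["principals"]:
        if "*" in principal or "?" in principal:
            # 10.3p1 does not support wildcards in user-certificate principals.
            findings.append("wildcard-principal:" + principal)
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_WILDCARD, SAMPLE_HOST):
        cert = parse_cert_listing(sample)
        print(cert["key_id"], cert["kind"], audit(cert) or "ok")
```

Certificates flagged `empty-principals` are the ones whose behaviour changes across this update; reissue them with explicit principals before relying on them.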
= Security * ssh(1): validation of shell metacharacters in user names supplied on the command-line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a "%u" token in a "Match exec" block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands. Reported by Florian Kohnhäuser. We continue to recommend against directly exposing ssh(1) and other tools' command-lines to untrusted input. Mitigations such as this can not be absolute given the variety of shells and user configurations in use. * sshd(8): when matching an authorized_keys principals="" option against a list of principals in a certificate, an incorrect algorithm was used that could allow inappropriate matching in cases where a principal name in the certificate contains a comma character. Exploitation of the condition requires an authorized_keys principals="" option that lists more than one principal *and* a CA that will issue a certificate that encodes more than one of these principal names separated by a comma (typical CAs strongly constrain which principal names they will place in a certificate). This condition only applies to user-trusted CA keys in authorized_keys, the main certificate authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by Vladimir Tokarev. * scp(1): when downloading files as root in legacy (-O) mode and without the -p (preserve modes) flag set, scp did not clear setuid/setgid bits from downloaded files as one might typically expect. This bug dates back to the original Berkeley rcp program. Reported by Christos Papakonstantinou of Cantina and Spearbit. * sshd(8): fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys. 
Previously if one of these directives contains any ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm would be accepted in its place regardless of whether it was listed or not. Reported by Christos Papakonstantinou of Cantina and Spearbit. * ssh(1): connection multiplexing confirmation (requested using "ControlMaster ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by Michalis Vasileiadis. = New features * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. Support for the pre-standardisation "@openssh.com" extensions for agent forwarding remains supported. * ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent "query" extension. * ssh-add(1): support querying the protocol extensions via the agent "query" extension with a new -Q flag. * ssh(1): support multiple files in a ssh_config RevokedHostKeys directive. * sshd(8): support multiple files in a sshd_config RevokedKeys directive. * ssh(1): add a ~I escape option that shows information about the current SSH connection. * ssh(1): add an "ssh -Oconninfo user@host" multiplexing command that shows connection information, similar to the ~I escapechar. * ssh(1): add an "ssh -O channels user@host" multiplexing command to get a running mux process to show information about what channels are currently open. * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired. * sshd(8): add a GSSAPIDelegateCredentials option for the server, controlling whether it accepts delegated credentials offered by the client. 
This option mirrors the same option in ssh_config. * ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS ... changelog too long, skipping 134 lines ... * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch ==== passt ==== Version update (20251215.b40f5cd -> 20260120.386b5f5) Subpackages: passt-selinux - Update to version 20260120.386b5f5: * flow: Remove EPOLLFD_ID_INVALID * tcp: Register fds with epoll at flow creation * tcp_splice: Register fds with epoll at flow creation * conf, pasta: Add --splice-only option * flow, fwd: Optimise forwarding rule lookup using epoll ref when possible * fwd, tcp, udp: Add forwarding rule to listening socket epoll references * fwd: Remap ports based directly on forwarding rule * flow, fwd: Consult rules table when forwarding a new flow from socket * fwd: Generate auto-forward exclusions from socket fd tables * conf, fwd: Check forwarding table for conflicting rules * tcp, udp: Remove old auto-forwarding socket arrays * fwd, tcp, udp: Set up listening sockets based on forward table * ip: Add ipproto_name() function * fwd: Make space to store listening sockets in forward table * conf, fwd: Record "auto" port forwards in forwarding table * conf: Accurately record ifname and address for outbound forwards * conf, fwd: Keep a table of our port forwarding configuration * inany: Extend inany_ntop() to treat NULL as a fully unspecified address * hooks/pre-push: Use mandoc(1) to get HTML anchors to command-line options * selinux: Enable open permissions on netns directory, operations on container_var_run_t * igmp: Remove apparently unneeded suppression * epoll_ctl: Move u64 variant first for safer initialisation * treewide: Fix more pointers which can be const * tcp, udp: Make {tcp,udp}_listen() return socket fds * tcp, udp, conf: Don't silently ignore listens on unsupported IP versions * flow: Introduce flow_epoll_set() to centralize epoll operations * tcp_splice: Refactor 
tcp_splice_conn_epoll_events() to per-side computation * udp_flow: Assign socket to flow inside udp_flow_sock() * udp_flow: remove unneeded epoll_ref indirection * tcp: cleanup timer creation * tcp: remove timer update in tcp_epoll_ctl() * apparmor: Upgrade ABI version to 4.0, explicitly enable user namespace creation * tcp: Fix rounding issue in check for approximating window to zero * treewide: Fix places where we incorrectly indented with spaces * tcp: Remove some no longer used includes * fwd: Minor cleanup to fwd_nat_from_splice() * fwd: Remove now-unnecessary handling of unspecified oaddr from splice * udp_vu: Discard datagrams when RX virtqueue is not usable * fwd, tcp, udp: Consolidate epoll refs for listening sockets * epoll_ctl: Add missing description for flowside field of epoll_ref * tcp: Remove unused tcp_epoll_ref * test: Include sshd-auth in mbuto guest image * test: Handle Operating System Command escapes in terminal output * treewide: Don't rely on terminator records in ip[46].dns arrays * migrate: Don't use terminator element for versions[] array * util: Be more defensive about buffer overruns in read_file() * apparmor: Allow reading TCP RTO sysctl parameters * tcp: Update EPOLL_TYPE_TCP_TIMER fd * udp: Rename udp_sock_init() to udp_listen() with small cleanups * tcp: Combine tcp_sock_init_one() and tcp_sock_init() into tcp_listen() * pasta: Warn, disable matching IP version if not supported, in local mode * selinux: Enable read and watch permissions on netns directory as well ==== patterns-kde ==== Version update (20240311 -> 20260428) - Update version number - Do not build kde_yast on Leap 16 - Obsoletes kde_minimal pattern if PackageHub bsc#1248107 ==== pipewire ==== Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Do not require pulseaudio-setup anymore - Remove workaround for boo#1186561 which was already fixed 5 years 
ago and which wrote to /var (jsc#PED-15662) ==== polkit-default-privs ==== Version update (1550+20260414.1647bf2 -> 1550+20260428.f2a5d2e) - Update to version 1550+20260428.f2a5d2e: * profiles: whitelisted kdenetwork-filesharing {enable,start}service actions (bsc#1262258, bsc#1263037) - Update to version 1550+20260428.d9ff7af: * profiles: mcp-server-systemd (bsc#1259556) ==== pulseaudio ==== Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-utils - Do not run setup-pulseaudio on %post. Everything should work fine out of the box these days. This improves the behaviour of the package in immutable systems (jsc#PED-14841). - Remove workaround in %post for a bug (bsc#1083473) that was actually fixed in systemd-rpm-macros on March 4 2021 (bsc#1183051). - Install sh and csh profiles as static files instead of generating them from setup-pulseaudio (which is not run automatically anymore). - pulseaudio-setup is no longer required by pulseaudio. ==== python-cryptography ==== Version update (46.0.7 -> 47.0.0) - update to 47.0.0: * Support for Python 3.8 is deprecated and will be removed in the next cryptography release. * BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable. * BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported. * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1. * BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of ValueError. 
This change affects :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`, and :meth:`~cryptography.x509.Certificate.public_key` when called on certificates with unsupported public key algorithms. * BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive. * Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a future release, only 192-bit (24-byte) keys will be accepted. Users should expand shorter keys themselves (e.g., for single DES: key + key + key, for two-key: key + key[:8]). * Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0. * Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in the next release. We will switch to publishing an arm64 only wheel for macOS. * Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in the next release. Users should move to a 64-bit Python installation. * public_bytes and private_bytes methods on keys now raise TypeError (instead of ValueError) if an invalid encoding is provided for the given format. * Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`, :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into :doc:`/hazmat/decrepit/index` and deprecated them in the modes module. They will be removed from the modes module in 49.0.0. 
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia` into :doc:`/hazmat/decrepit/index` and deprecated it in the cipher module. It will be removed from the cipher module in 49.0.0. * Added :meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract` to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. The previous private implementation will be removed in 49.0.0. * Added support for loading elliptic curve keys that contain explicit encodings of the curves secp256r1, secp384r1, and secp521r1. * Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2d` and :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2i` when using OpenSSL 3.2.0+. * Added derive_into methods to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`, :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`, :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash`, :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`, :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`, :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`, :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`, :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`, and :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF` to allow deriving keys directly into pre-allocated buffers. * Added encrypt_into and decrypt_into methods to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV`, and :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` to allow encrypting directly into a pre-allocated buffer. 
* Added support for PKCS1v15 signing without DigestInfo using :class:`~cryptography.hazmat.primitives.asymmetric.utils.NoDigestInfo`. * Added ... changelog too long, skipping 34 lines ... OpenSSL 4.0.0. ==== python-idna ==== Version update (3.11 -> 3.13) - update to 3.13: * Correct classification error for codepoint U+A7F1 * Update to Unicode 17.0.0. * Issue a deprecation warning for the transitional argument. * Added lazy-loading to provide some performance improvements. * Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython. ==== python313 ==== - Add CVE-2026-6019-Morsel-js_output.patch protects against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309). - Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects CR/LF in HTTP tunnel request headers (bsc#1261969, CVE-2026-1502, gh#python/cpython#146211). - Add CVE-2026-4786-webbrowser-open-action.patch, which fixes webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169). - Add CVE-2026-6100-use-after-free-decompression.patch preventing dangling pointer which can end in the use-after-free error (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395). ==== python313-core ==== Subpackages: libpython3_13-1_0 python313-base - Add CVE-2026-6019-Morsel-js_output.patch protects against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309). - Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects CR/LF in HTTP tunnel request headers (bsc#1261969, CVE-2026-1502, gh#python/cpython#146211). - Add CVE-2026-4786-webbrowser-open-action.patch, which fixes webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169). 
- Add CVE-2026-6100-use-after-free-decompression.patch preventing dangling pointer which can end in the use-after-free error (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395). ==== samba ==== Version update (4.23.6+git.466.1a6b75cb208 -> 4.23.7+git.473.9487af01c24) Subpackages: libldb2 samba-ad-dc-libs samba-client samba-client-libs samba-libs - Update to 4.23.7 * Fix a directory file descriptor leak in vfs_glusterfs that caused unbounded memory growth on the GlusterFS brick with persistent SMB2 connections; (bso#16043). * autobuild fails if /proc/version contains trailing space; (bso#16057). * incorrect behavior on rpcclient enumport with rpcd_spoolss; (bso#16019). * rpc workers with long living clients grow server memory keytab; (bso#16042); (bsc#1257200). * vfs_snapper failing to access or enumerate files in subfolders; (bso#16058); (bsc#1259667). * libsmbclient posix extensions with SMB3 don't work at all; (bso#15960). * Samba is not build with FORTIFY_SOURCE; (bso#16040). - Add support to allow default selinux autolabelling by update-samba-security-profile on service [re]start to be inhibited; (bsc#1259050). - Use multiple threads for SELinux relabeling in update-samba-security-profile (bsc#1259050). ==== sed ==== Version update (4.9 -> 4.10) - Update to 4.10: * sed 's/a/b/g' (and other global substitutions) now works on input lines longer than 2GB. Previously, matches beyond the 2^31 byte offset would evoke a "panic" (exit 4). * 'sed --follow-symlinks -i' no longer has a TOCTOU race that could let an attacker swap a symlink between resolution and open, causing sed to read attacker-chosen content and write it to the original target. (bsc#1262144, CVE-2026-5958) * sed no longer falsely matches when back-references are combined with optional groups (.?) and the $ anchor. 
For example, this no longer falsely matches the empty string at beginning of line: $ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/' Xab * In --posix mode, sed no longer mishandles backslash escapes (\n, \t, \a, etc.) after a named character class like [[:alpha:]]. For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the trailing newline, treating \n as a literal backslash and an 'n' rather than a newline. This happened when an earlier backslash escape in the same regex had already been converted, shifting the in-place normalization buffer. * sed --debug no longer crashes when a label (":") command is compiled before the --debug option is processed, e.g., sed -f<(...) --debug. * sed no longer rejects the documented GNU extension 'a**' (equivalent to 'a*') in Basic Regular Expression (BRE) mode. Previously, this worked only with -E (ERE mode), even though grep has always accepted it in BRE mode. * sed no longer rejects "\c[" in regular expressions * 'sed --follow-symlinks -i' no longer mishandles an operand that is a short symbolic link to a long symbolic link to a file. * Fix some longstanding but unlikely integer overflows. Internally, 'sed' now more often prefers signed integer arithmetic, which can be checked automatically via 'gcc -fsanitize=undefined'. * In the default C locale, diagnostics now quote 'like this' (with apostrophes) instead of `like this' (with a grave accent and an apostrophe). This tracks the GNU coding standards. * 'sed --posix' now warns about uses of backslashes in the 's' command that are handled by GNU sed but are not portable to other implementations. * builds no longer fail on platforms without the header or getopt_long function. - Add disable-backref-test.patch * The bug for back references combined with optional groups and anchor hasn't been fixed in glibc yet, so the tests fail when building with "--without-included-regex". Disable the tests for now. 
==== skopeo ==== Version update (1.22.1 -> 1.22.2) - Update to version 1.22.2: * [release-1.22] Bump Skopeo to 1.22.2 * proxy: Verify *either* toplevel or target * proxy: Move policycontext into global state * Packit: fix downstream post-modifications action ==== srt ==== Version update (1.5.4 -> 1.5.5) - Update to version 1.5.5: + Connection State Accuracy: Fixed an issue where srt_connect reported incorrect error codes when attempted on a socket in a broken state. The function now correctly identifies these sockets as closed rather than reporting connection-specific failures. + Listen Operation Refinement: - Corrected the error code returned when calling srt_listen on a closed or non-existent socket to ensure status reports reflect the socket state accurately. - Backlog updates: Updated the logic for srt_listen to allow updates to the backlog parameter on sockets already in the LISTENING state. In such cases, the function now successfully updates the backlog and returns 0 (success). + Fixed a bug where a blocking srt_close call could be interrupted by a connection attempt. + Resolved Issue #3289 regarding srt_connect in blocking mode. These fixes ensure that interrupting a blocking connection loop or closing the socket from another thread is correctly recognized. Previously, these scenarios could cause the function to incorrectly return success (0) or a misleading SRT_ECONNSOCK error; it now correctly returns SRT_ESCLOSED or SRT_EINVSOCK. + Fixed a potential buffer overflow in handshake processing by ensuring that incoming group data length does not exceed internal buffer capacity. + Fixed and then restored the cookie contest method from version 1.4.5 as a lower-risk stability measure. It also introduces a mechanism to enforce specific cookie values for testing and development purposes. 
+ Fixed reentrancy of srt_strerror() + Fixed crash when adding a string-typed option to a group configuration object + Fixed incorrect number of sockets returned by srt_epoll_uwait + Fixed inconsistent thread-related objects' state after fork() + Fixed issues found by thread and memory sanitizers + Fixed unexpected blocking behavior in sendmsg call + Fixed stalled connection that should break on rogue NAK/ACK reception + Fixed some misleading error messages + Fixed wrong 'connection lost' error when sending to group in non-blocking pending state + Fixed bug where tsbpd might miss m_bClosing flag set in the meantime + Fixed caller-accepting connection without packetfilter while requested by a caller (now: late-rejection) ==== sssd ==== Version update (2.12.0 -> 2.13.0) Subpackages: libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - Update to release 2.13 * Fixed CVE-2026-6245, an out-of-bounds read in the PAM passkey responder. * During the processing of the `pam_sss_gss` request, SSSD will read the SID from the PAC of the Kerberos ticket and might add authentication indicators based on the value of the new option `pam_gssapi_indicators_apply`. The primary use case is to handle SIDs added by Active Directory’s Authentication Mechanism Assurance (AMA). * Active Directory’s Foreign Security Principals (FSP) are now properly detected and ignored when reading nested group members. The `ldap_ignore_unreadable_references` option is only needed to ignore member objects which are really not accessible. * A number of cache performance optimizations for large deployments. * Tokens acquired from the IdP are now stored in the domain cache, and are automatically refreshed if the new option `idp_auto_refresh` is enabled. * The `idp_type` option allows `entra_idp` url to be specified if user is using a different Microsoft Entra endpoint. * Support for the KDE Plasma Login Manager. 
* New option `avoid_by_id_lookups` to tell the SSSD responders to use a lookup by name instead of by id where possible. * New options to customize the OAuth2 prompting behavior: `interactive` and `interactive_prompt`. - Delete 0001-Fix-libini_config-related-includes.patch, 0001-INI-get-rid-of-useless-macros.patch, 0001-INI-use-proper-deallocators.patch (obsolete) ==== sysextmgr ==== Version update (0.2.1+git20260310.385db9a -> 1.0.0+git20260429.bf44eec) - Update to version 1.0.0+git20260429.bf44eec: * Release version 1.0.0 * libsmartcols-devel added to CI * cleanup not needed functions * fixed extract * using pager * cleanup download * using vasprintf instead of asprintf * fixed ENOENT * cleanup cache * creating a cache for meta data * using posix_spawn * -a option for image-list * checking environment * cleanup error handling * improved logging * Update help message for cleanup options ==== systemd ==== Version update (259.5 -> 260.1) Subpackages: libsystemd0 libudev1 systemd-boot systemd-container udev - Upgrade to v260.1 (commit c0a5a2516d28601fb3afc1a77d7b42fcfe38fced) See https://github.com/openSUSE/systemd/blob/SUSE/v260/NEWS for details. - Drop support for System V service scripts. - Drop 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch - Drop 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch - Required versions of various library dependencies have been raised. - systemd-update-helper: switch to the new command 'enqueue-marked'. - Restore autovt@.service alias (a fallout from upstream commit 072e72424b2e6da1c96489ef6996f49fabd46474) - systemd.spec: introduce %{container} bcond for container subpackage - Enable systemd-boot on loongarch64. 
==== tiff ====

- * CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411)
  Add tiff-CVE-2026-4775.patch

==== timezone ====
Version update (2026a -> 2026b)

- Update to 2026b:
  * British Columbia moved to permanent -07 on 2026-03-09
  * Some more overflow bugs have been fixed in zic

==== toolbox ====
Version update (2.4+git20251009.ab435eb -> 2.4+git20260421.7c75c12)

- Update to version 2.4+git20260421.7c75c12:
  * Make toolbox k8s (rke2) aware (#57)

==== vim ====
Version update (9.2.0219 -> 9.2.0398)
Subpackages: vim-data-common vim-small

- Fix bsc#1261833 / CVE-2026-39881.
- Update to 9.2.0398.
- Changes:
  * 9.2.0398: MS-Windows: missing strptime() support
  * 9.2.0397: tabpanel: double-click opens a new tab
  * 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
  * 9.2.0395: tests: Test_backupskip() may read from $HOME
  * 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
  * 9.2.0393: MS-Windows: link error with XPM support on UCRT64
  * 9.2.0392: tests: Some tests are flaky
  * 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
  * 9.2.0390: filetype: some Beancount files are not recognized
  * 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app
  * 9.2.0388: strange indent in update_topline()
  * 9.2.0387: DECRQM request may leave stray chars in terminal
  * 9.2.0386: No scroll/scrollbar support in the tabpanel
  * 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff'
  * 9.2.0384: stale Insstart after cursor move breaks undo
  * 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
  * 9.2.0382: Wayland: focus-stealing is non-working
  * 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
  * 9.2.0380: completion: a few issues in completion code
  * 9.2.0379: gui.color_approx is never used
  * 9.2.0378: Using int as bool type in win_T struct
  * 9.2.0377: Using int as bool type in gui_T struct
  * 9.2.0376: Vim9: elseif condition compiled in dead branch
  * 9.2.0375: prop_find() does not find a virt text in starting line
  * 9.2.0374: c_CTRL-{G,T} does not handle offset
  * 9.2.0373: Ctrl-R mapping not triggered during completion
  * 9.2.0372: pum: rendering issues with multibyte text and opacity
  * 9.2.0371: filetype: ghostty config files are not recognized
  * 9.2.0370: duplicate code with literal string_T assignment
  * 9.2.0369: multiple definitions of STRING_INIT macro
  * 9.2.0368: too many strlen() calls when adding strings to dicts
  * 9.2.0367: runtime(netrw): ~ not expanded on MS Windows
  * 9.2.0366: pum: flicker when updating pum in place
  * 9.2.0365: using int as bool
  * 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
  * 9.2.0363: Vim9: variable shadowed by script-local function
  * 9.2.0362: division by zero with smoothscroll and small windows
  * 9.2.0361: tests: no tests for ch_listen() with IPs
  * 9.2.0360: Cannot handle mouse-clicks in the tabpanel
  * 9.2.0359: wrong VertSplitNC highlighting on winbar
  * 9.2.0358: runtime(vimball): still path traversal attacks possible
  * 9.2.0357: [security]: command injection via backticks in tag files
  * 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
  * 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
  * 9.2.0354: filetype: not all Bitbake include files are recognized
  * 9.2.0353: Missing out-of-memory check in register.c
  * 9.2.0352: 'winhighlight' of left window blends into right window
  * 9.2.0351: repeat_string() can be improved
  * 9.2.0350: Enabling modelines poses a risk
  * 9.2.0349: cannot style non-current window separator
  * 9.2.0348: potential buffer underrun when setting statusline like option
  * 9.2.0347: Vim9: script-local variable not found
  * 9.2.0346: Wrong cursor position when entering command line window
  * 9.2.0345: Wrong autoformatting with 'autocomplete'
  * 9.2.0344: channel: ch_listen() can bind to network interface
  * 9.2.0343: tests: test_clientserver may fail on slower systems
  * 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
  * 9.2.0341: some functions can be run from the sandbox
  * 9.2.0340: pum_redraw() may cause flicker
  * 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
  * 9.2.0338: Cannot handle mouseclicks in the tabline
  * 9.2.0337: list indexing broken on big-endian 32-bit platforms
  * 9.2.0336: libvterm: no terminal reflow support
  * 9.2.0335: json_encode() uses recursive algorithm
  * 9.2.0334: GTK: window geometry shrinks with client-side decorations
  * 9.2.0333: filetype: PklProject files are not recognized
  * 9.2.0332: popup: still opacity rendering issues
  * 9.2.0331: spellfile: stack buffer overflows in spell file generation
  * 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
  * 9.2.0329: tests: test_indent.vim leaves swapfiles behind
  * 9.2.0328: Cannot handle mouseclicks in the statusline
  * 9.2.0327: filetype: uv scripts are not detected
  * 9.2.0326: runtime(tar): bug with dotted path
  * 9.2.0325: runtime(tar): bug in zstd handling
  * 9.2.0324: 0x9b byte not unescaped in mapping
  * 9.2.0323: filetype: buf.lock files are not recognized
  * 9.2.0322: tests: test_popupwin fails
  * 9.2.0321: MS-Windows: No OpenType font support
  * 9.2.0320: several bugs with text properties
  * 9.2.0319: popup: rendering issues with partially transparent popups
  * 9.2.0318: cannot configure opacity for popup menu
  * 9.2.0317: listener functions do not check secure flag
  * 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
  * 9.2.0315: missing bound-checks
  * 9.2.0314: channel: can bind to all network interfaces
  * 9.2.0313: Callback channel not registered in GUI
  * 9.2.0312: C-type names are marked as translatable
  * 9.2.0311: redrawing logic with text properties can be improved
  * 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
  * 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
  * 9.2.0308: Error message E1547 is wrong
  * 9.2.0307: more mismatches between return types and documentation
  * 9.2.0306: runtime(tar): some issues with lz4 support
  * 9.2.0305: mismatch between return types and documentation
  * 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
  * 9.2.0303: tests: zip plugin tests don't check for warning message properly
  ... changelog too long, skipping 88 lines ...
  * 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw

==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-noX vlc-qt

- Fix Requires for ffmpeg library: For building the package
  ffmpeg-7-mini-libs may be installed which is used for building
  only, so the name package cannot be used to determine Requires.

==== xbitmaps ====
Version update (1.1.3 -> 1.1.4)

- Update to version 1.1.4
  * This release adds support for building with meson as well as autoconf.
- switch to meson

==== xdg-dbus-proxy ====
Version update (0.1.6 -> 0.1.7)

- Update to version 0.1.7:
  + Drop the autotools build system
  + Prevent a crash on disconnect
  + Fix building with glibc >= 2.43
  + Fix the eavesdrop filtering to prevent message interception
  + Fix CVE-2026-34080

==== xterm ====
Version update (407 -> 409)
Subpackages: xterm-bin xterm-resize

- update to 409:
  * correct one of the special cases added for Debian #1123877 in patch
  * update version for Extended Window Manager Hints (EWMH), in manpage.

==== xwayland ====
Version update (24.1.9 -> 24.1.11)

- Update to 24.1.11
- This release addresses a number of regressions found in Xwayland 24.1.10:
  * Avoids spurious focus changes with KDE when listening for mouse
    buttons is enabled for legacy X11 application support
  * Fix tablet tools not working anymore as "slave" devices
  * Fix a crash when running some XTS tests
  * Fix a crash in window damage handling caused by a NULL pointer dereference
- supersedes the following security patches for CVE-2026-33999,
  CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003
  (bsc#1260922, bsc#1260923, bsc#1260924, bsc#1260925, bsc#1260926)
  * bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
  * bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
  * bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
  * bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
  * bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
  * bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch

==== zstd ====
Subpackages: libzstd1

- Backport 1.5.7 man page patch
  * Documentation was not correctly updated at release time
  * https://github.com/facebook/zstd/commit/6af3842
  Add 0002-fix-1.5.7-documentation.patch

==== zypper ====
Version update (1.14.95 -> 1.14.96)
Subpackages: zypper-needs-restarting

- Autorefresh ris-services the same way as plugin-services (bsc#1246504)
  It's actually wrong to treat service refreshes differently depending
  on the service type. For the purpose of a service it makes no
  difference how the data about the repos to use are acquired.
- version 1.14.96