Packages changed:
ImageMagick (7.1.2.19 -> 7.1.2.21)
MozillaFirefox (149.0.2 -> 150.0)
PackageKit (1.3.4 -> 1.3.5)
apache2-mod_php8
at-spi2-core (2.60.0 -> 2.60.2)
bubblewrap (0.11.0 -> 0.11.1)
ceph
cups (2.4.17 -> 2.4.19)
distribution-logos-openSUSE
dos2unix (7.5.4 -> 7.5.5)
editorconfig-core-c (0.12.10 -> 0.12.11)
emacs
ethtool (6.15 -> 6.19)
evince (48.1 -> 48.1+6)
gcc16 (16.0.1+git8711 -> 16.0.1+git8812)
gdb
gdm
geoclue2
glib2
glibc (2.42 -> 2.43)
gnome-bluetooth (47.1 -> 47.2)
gnome-maps (50.0 -> 50.1)
gnome-settings-daemon (50.0 -> 50.1)
gnome-shell (50.0 -> 50.1)
gpg2 (2.5.18 -> 2.5.19)
grub2
gsettings-desktop-schemas (50.0 -> 50.1)
gtk4 (4.22.2 -> 4.22.3)
gvfs
harfbuzz (14.1.0 -> 14.2.0)
hwdata (0.397 -> 0.406)
java-25-openjdk (25.0.2.0 -> 25.0.3.0)
kernel-firmware-amdgpu (20260414 -> 20260427)
kernel-firmware-ath12k (20260317 -> 20260421)
kernel-firmware-bluetooth (20260408 -> 20260423)
kernel-firmware-mediatek (20260317 -> 20260423)
kernel-firmware-qcom (20260416 -> 20260423)
kernel-firmware-sound (20260408 -> 20260421)
kernel-source (6.19.12 -> 7.0.2)
lcms2 (2.18 -> 2.19)
leancrypto
libblockdev (3.4.0 -> 3.5.0)
libcamera
libdrm (2.4.131 -> 2.4.133)
libgpg-error (1.59 -> 1.60)
libphonenumber (9.0.27 -> 9.0.29)
libshumate (1.6.0 -> 1.6.1)
libsigc++3
libupnp (1.18.4 -> 1.18.5)
libyui
libyui-ncurses
libyui-ncurses-pkg
libyui-qt
libyui-qt-graph
libyui-qt-pkg
libzypp (17.38.5 -> 17.38.7)
linux-glibc-devel (6.19 -> 7.0)
llvm22 (22.1.3 -> 22.1.4)
localsearch (3.11.0 -> 3.11.1)
md4c (0.5.2 -> 0.5.3)
mozilla-nss (3.122.1 -> 3.122.2)
mozjs140 (140.8.0 -> 140.10.0)
mpg123 (1.33.4 -> 1.33.5)
mutter (50.0 -> 50.1)
nghttp2 (1.68.1 -> 1.69.0)
ngtcp2 (1.22.0 -> 1.22.1)
nvidia-open-driver-G07-signed (595.58.03_k6.19.12_1 -> 595.71.05_k7.0.2_1)
nvidia-open-driver-G07-signed-cuda (595.58.03_k6.19.12_1 -> 595.71.05_k7.0.2_1)
open-vm-tools
openSUSE-build-key
openSUSE-release (20260425 -> 20260430)
openblas_openmp (0.3.29 -> 0.3.30)
openblas_pthreads (0.3.29 -> 0.3.30)
openexr
openssh (10.2p1 -> 10.3p1)
openssh-askpass-gnome (10.2p1 -> 10.3p1)
orca (50.0.9 -> 50.1)
patterns-kde (20240311 -> 20260428)
patterns-server
php8
pipewire
polkit-default-privs (1550+20260414.1647bf2 -> 1550+20260428.f2a5d2e)
pulseaudio
python-anyio (4.12.1 -> 4.13.0)
python-click (8.3.2 -> 8.3.3)
python-cryptography (46.0.7 -> 47.0.0)
python-gevent (25.9.1 -> 26.4.0)
python-idna (3.11 -> 3.13)
python-pip (26.0.1 -> 26.1)
python-pyOpenSSL (26.0.0 -> 26.1.0)
python-pylsqpack (0.3.23 -> 0.3.24)
python-simplejson (3.20.2 -> 4.1.1)
python-tzdata (2026.1 -> 2026.2)
python-zope.interface (8.3 -> 8.4)
python313
python313-core
salt
samba (4.23.6+git.466.1a6b75cb208 -> 4.23.7+git.473.9487af01c24)
sed (4.9 -> 4.10)
simple-scan (49.1 -> 50.0)
srt (1.5.4 -> 1.5.5)
sssd (2.12.0 -> 2.13.0)
strace (6.19 -> 7.0)
sushi (50.rc.1 -> 50.0)
systemd (259.5 -> 260.1)
tiff
timezone (2026a -> 2026b)
tinysparql (3.11.0 -> 3.11.1)
tnftp
vim (9.2.0219 -> 9.2.0398)
vlc
webkitgtk3 (2.52.2 -> 2.52.3)
webkitgtk4 (2.52.2 -> 2.52.3)
xbitmaps (1.1.3 -> 1.1.4)
xdg-dbus-proxy (0.1.6 -> 0.1.7)
xrandr (1.5.3 -> 1.5.4)
xterm (407 -> 409)
xwayland (24.1.9 -> 24.1.11)
yast2-trans (84.87.20260414.0f82ab3540 -> 84.87.20260424.fdcdc295f0)
zstd
zypper (1.14.95 -> 1.14.96)
=== Details ===
==== ImageMagick ====
Version update (7.1.2.19 -> 7.1.2.21)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10
- version update to 7.1.2.21
* Fix JXL orientation when writing. #8673
* Corrected the patch that was made earlier to fix reading JPEG compressed TIFF images
* eliminate deprecated omp_set_nested()
* support MSYS2
* allow namespace::pattern when checking policy rights
* mentioned symlink system policy
* https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7mxf-ff4f-jj7p 2598004
==== MozillaFirefox ====
Version update (149.0.2 -> 150.0)
Subpackages: MozillaFirefox-branding-upstream
- Fix failing builds (boo#1258744)
mozilla-bmo2030493.patch
- Mozilla Firefox 150.0
* https://www.firefox.com/en-US/firefox/150.0/releasenotes
MFSA 2026-30 (bsc#1262230)
* CVE-2026-6746 (bmo#2014596)
Use-after-free in the DOM: Core & HTML component
* CVE-2026-6747 (bmo#2021769)
Use-after-free in the WebRTC component
* CVE-2026-6748 (bmo#2022604)
Uninitialized memory in the Audio/Video: Web Codecs component
* CVE-2026-6749 (bmo#2022610)
Information disclosure due to uninitialized memory in the
Graphics: Canvas2D component
* CVE-2026-6750 (bmo#2023407)
Privilege escalation in the Graphics: WebRender component
* CVE-2026-6751 (bmo#2025883)
Uninitialized memory in the Audio/Video: Web Codecs component
* CVE-2026-6752 (bmo#2027499)
Incorrect boundary conditions in the WebRTC component
* CVE-2026-6753 (bmo#2027501)
Incorrect boundary conditions in the WebRTC component
* CVE-2026-6754 (bmo#2027541)
Use-after-free in the JavaScript Engine component
* CVE-2026-6755 (bmo#1880429)
Mitigation bypass in the DOM: postMessage component
* CVE-2026-6756 (bmo#1992585)
Mitigation bypass in Firefox for Android
* CVE-2026-6757 (bmo#2013588)
Invalid pointer in the JavaScript: WebAssembly component
* CVE-2026-6758 (bmo#2013619)
Use-after-free in the JavaScript: WebAssembly component
* CVE-2026-6759 (bmo#2016164)
Use-after-free in the Widget: Cocoa component
* CVE-2026-6760 (bmo#2016923)
Mitigation bypass in the Networking: Cookies component
* CVE-2026-6761 (bmo#2017857)
Privilege escalation in the Networking component
* CVE-2026-6762 (bmo#2021080)
Spoofing issue in the DOM: Core & HTML component
* CVE-2026-6763 (bmo#2021666)
Mitigation bypass in the File Handling component
* CVE-2026-6764 (bmo#2022162)
Incorrect boundary conditions in the DOM: Device Interfaces
component
* CVE-2026-6765 (bmo#2022419)
Information disclosure in the Form Autofill component
* CVE-2026-6766 (bmo#2023207)
Incorrect boundary conditions in the Libraries component in NSS
* CVE-2026-6767 (bmo#2023209)
Other issue in the Libraries component in NSS
* CVE-2026-6768 (bmo#2023615)
Mitigation bypass in the Networking: Cookies component
* CVE-2026-6769 (bmo#2023753)
Privilege escalation in the Debugger component
* CVE-2026-6770 (bmo#2024220)
Other issue in the Storage: IndexedDB component
* CVE-2026-6771 (bmo#2025067)
Mitigation bypass in the DOM: Security component
* CVE-2026-6772 (bmo#2026089)
Incorrect boundary conditions in the Libraries component in NSS
* CVE-2026-6773 (bmo#2015959)
Denial-of-service due to integer overflow in the Graphics:
WebGPU component
* CVE-2026-6774 (bmo#2016915)
Mitigation bypass in the DOM: Security component
* CVE-2026-6775 (bmo#2021768)
Incorrect boundary conditions in the WebRTC component
* CVE-2026-6776 (bmo#2021770)
Incorrect boundary conditions in the WebRTC: Networking
component
* CVE-2026-6777 (bmo#2022726)
Other issue in the Networking: DNS component
* CVE-2026-6778 (bmo#2022746)
Invalid pointer in the Audio/Video: Playback component
* CVE-2026-6779 (bmo#2023343)
Other issue in the JavaScript Engine component
* CVE-2026-6780 (bmo#2025179)
Denial-of-service in the Audio/Video: Playback component
* CVE-2026-6781 (bmo#2025583)
Denial-of-service in the Audio/Video: Playback component
* CVE-2026-6782 (bmo#2026571)
Information disclosure in the IP Protection component
* CVE-2026-6783 (bmo#2027564)
Incorrect boundary conditions, integer overflow in the
Audio/Video: Playback component
* CVE-2026-6784 (bmo#1536243, bmo#1745382, bmo#1851073, bmo#1893400,
bmo#1963301, bmo#2001319, bmo#2002899, bmo#2012436, bmo#2014435,
bmo#2016901, bmo#2019916, bmo#2020486, bmo#2020612, bmo#2020817,
bmo#2021788, bmo#2022051, bmo#2022367, bmo#2022431, bmo#2023302,
bmo#2023670, bmo#2024225, bmo#2024238, bmo#2024240, bmo#2024265,
bmo#2024367, bmo#2024369, bmo#2024424, bmo#2024760, bmo#2025281,
bmo#2025361, bmo#2025387, bmo#2025466, bmo#2025954, bmo#2025958,
bmo#2026278, bmo#2026292, bmo#2026297, bmo#2026378, bmo#2027148,
bmo#2027287, bmo#2027341, bmo#2027384, bmo#2027427, bmo#2027694,
bmo#2027993, bmo#2028009, bmo#2028270, bmo#2028416, bmo#2028524,
bmo#2029295, bmo#2029301, bmo#2029461, bmo#2029699, bmo#2029800,
bmo#2029801)
Memory safety bugs fixed in Firefox 150 and Thunderbird 150
... changelog too long, skipping 61 lines ...
(bmo#2031958)
==== PackageKit ====
Version update (1.3.4 -> 1.3.5)
Subpackages: PackageKit-backend-zypp PackageKit-gstreamer-plugin PackageKit-gtk3-module libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0
- Update to version 1.3.5:
+ This release fixes a critical security vulnerability that allows
unprivileged local users to obtain root privileges on any
distribution that uses PackageKit. Details will be disclosed
very soon, please update to a fixed version of PackageKit
immediately (ensure the patch from commit
76cfb675fb31acc3ad5595d4380bfff56d2a8697 is applied).
+ Drop slack backend
+ alpm: perform sysupgrade on install and update
+ freebsd: Fix crashing when libpkg asks about ABI mismatch
+ portage: Revamp backend
+ meson: test.depends does not accept a dummy dependency, give it
an empty array instead
+ pkgcli: Set up proxy also if only PAC is available
+ Do not allow re-invoking methods on non-new transactions
+ packagekit/progress: updated old usage of raise StopIteration
+ pkgcli: Add TRANSLATORS comments for commands
+ pkgcli: Rename list-required-by to list-requiring
- Drop 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch:
fixed upstream.
- Drop 11c5f1f34f48b58ee10acec839dd01a31728704b.patch:
fixed upstream.
- Add 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch:
Do not allow re-invoking methods on non-new transactions
(bsc#1262220, CVE-2026-41651).
==== apache2-mod_php8 ====
- php8: provide builtin php-opcache
- php8-devel: require libraries from "php-config --libs"
==== at-spi2-core ====
Version update (2.60.0 -> 2.60.2)
Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0
- Update to version 2.60.2:
+ atspi-device-legacy: add null checks for when x11 isn't
available.
+ python: Fix __getitem__ with a negative offset.
+ Fix a NULL pointer dereference when sending an event.
+ device-x11: Fall back on raw key events if there is no focus.
- Update to version 2.60.1:
+ Detect unresponsive applications, and do not expose them as
children of the desktop.
+ Attempt to fix a crash when opening a group chat in pidgin that
contains new messages.
==== bubblewrap ====
Version update (0.11.0 -> 0.11.1)
- Really drop the nobwrap.helper script as intended on Sep 29 2025.
- update to 0.11.1:
* Reset disposition of `SIGCHLD`, restoring normal subprocess
management if bwrap was run from a process that was ignoring
that signal, such as Erlang or volumeicon
* Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if
used.
Note that using a fd number ≥ 3 for these purposes is still
preferred, to avoid confusion with the stdin, stdout, stderr
that will be inherited by the command inside the container.
* Fix grammar in an error message
* Fix a broken link in the documentation
* Enable user namespaces in Github Actions configuration,
fixing a CI regression with newer Ubuntu
* Clarify comments
- Drop the nobwrap.helper again: glycin could find a solution to
detect it running in a CI/BuildEnvironment and it disarms
bubblewrap in this case, making this wrapper obsolete
==== ceph ====
Subpackages: librados2 librbd1
- Add ceph-liburing-build-fix.patch to fix build with glibc 2.43
==== cups ====
Version update (2.4.17 -> 2.4.19)
Subpackages: cups-client cups-config libcups2 libcupsimage2
- Version upgrade to 2.4.19:
See https://github.com/openprinting/cups/releases
Release 2.4.19 contains another hotfix after CVE-2026-27447 fix:
* Fixed a regression in shared printing from non-local accounts
(Issue #1557)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.19
- Added 'Michael R Sweet' key to cups.keyring
because cups-2.4.19-source.tar.gz.sig belongs to him.
- Version upgrade to 2.4.18:
See https://github.com/openprinting/cups/releases
The new release 2.4.18 contains hotfix after CVE-2026-27447 fix:
* Fixed cupsd crash if user does not exist (Issue #1555)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18
==== distribution-logos-openSUSE ====
Subpackages: distribution-logos-openSUSE-Tumbleweed distribution-logos-openSUSE-icons
- Fix suse_version condition since the value of suse_version is now
1610 in SLE/Leap 16.1
==== dos2unix ====
Version update (7.5.4 -> 7.5.5)
- update to 7.5.5:
* New option --error-binary: Return an error if a binary file is
skipped
* Fix: dos2unix error on empty input
==== editorconfig-core-c ====
Version update (0.12.10 -> 0.12.11)
- update to 0.12.11:
* CVE-2026-40489: l_pattern buffer overflow (boo#1262131)
* Fixes for compiler errors/warnings
- drop editorconfig-core-c-const-correctness.patch
==== emacs ====
Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags
- Modify patch emacs-30.2-tree-sitter-0.26.8.patch
* Let the tree-sitter code find the libraries below
%{_libdir}/tree-sitter/ without using LD_LIBRARY_PATH
- Add patch emacs-30.2-boo1262611.patch
* Fix CVE-2026-6861: Memory corruption vulnerability when
processing SVG CSS (boo#1262611)
- Let treesit test find its ruby shared library
- Modify patch emacs-30.2-tree-sitter-0.26.8.patch
* Add commit to reflect new syntax of tree-sitter like :equal
changed to :eq?
==== ethtool ====
Version update (6.15 -> 6.19)
- Update to release 6.19
* tsinfo: Add support for PTP hardware source
* monitor: Add notification handling for PLCA configuration
* rxfh: IPv6 Flow Label hash support
* netlink: fec: add errors histogram statistics
- Delete 5a6848026277296a151664666ef1c25821787043.patch (merged)
- Move bash-completions into main package.
- add netlink support for RX CQE Coalescing params (bsc#1261256)
5a6848026277296a151664666ef1c25821787043.patch
d35d87fbcda97fe31df79d62277743214641892a.patch
bf023af442f63e16f1699128c7ce467eddc6d340.patch
==== evince ====
Version update (48.1 -> 48.1+6)
Subpackages: evince-plugin-pdfdocument libevdocument3-4 libevview3-3 typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0
- Update to version 48.1+6:
+ build: bump DjVuLibre version required
+ libview: Fix crash in the accessible code when page cache text
is NULL
+ po: Fix xml element in Hindi translation
+ Updated translations.
- Drop evince-a11y-crash.patch: Fixed upstream.
- Migrate to xz compression and manual service run
==== gcc16 ====
Version update (16.0.1+git8711 -> 16.0.1+git8812)
Subpackages: cpp16 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-pp libtsan2 libubsan1
- Update to 16.0.1+git8812, includes GCC 16.1 release candidate #2.
- Update to 16.0.1+git8809, GCC 16.1 release candidate.
==== gdb ====
- Reduce scope of debuginfo query workaround. No longer require
"set debuginfod enabled off" in .gdbearlyinit or similar to be
able to use "gdb -tui" (osc#1261254). Patches added:
* gdb-tui-v3-fix-crash-with-debuginfod-query.patch
* gdb-tui-reduce-scope-of-debuginfod-query-crash-worka.patch
- Report helpful error on ptrace permission denied due to
yama/selinux (jsc#PED-15928). Patches added:
* gdb-linux-consider-ptrace_scope-when-building-attach.patch
==== gdm ====
Subpackages: gdm-schema gdm-systemd gdm-xdm-integration libgdm1 typelib-1_0-Gdm-1_0
- Enforce dependency on gsettings-backend-dconf, greeter doesn't
work properly without it.
==== geoclue2 ====
Subpackages: system-user-srvGeoClue typelib-1_0-Geoclue-2_0
- Create the home directory for srvGeoClue under /var with
tmpfiles.d (jsc#PED-14837).
==== glib2 ====
Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0
- Install the /usr/share/applications/gnome-mimeapps.list symlink
from the package instead of creating it from systemd-tmpfiles
since /usr is mounted read-only in immutable systems. This forces
to also install an empty file as the symlink target.
- Use systemd-tmpfiles to create the default mimeapps lists instead
of writing to /var in %post to fix immutable systems
(jsc#PED-14839)
==== glibc ====
Version update (2.42 -> 2.43)
Subpackages: glibc-devel glibc-extra glibc-gconv-modules-extra glibc-locale glibc-locale-base
- sys-mount-cloexec-flag.patch: include: isolate __O_CLOEXEC flag for
sys/mount.h and fcntl.h
- sys-mount-open-tree-macros.patch: Linux: Only define OPEN_TREE_* macros
in if undefined (BZ #33921)
- resolv-count-resource-records.patch: resolv: Count records correctly
(CVE-2026-4437, bsc#1260078, BZ #34014)
- resolv-check-hostname.patch: resolv: Check hostname for validity
(CVE-2026-4438, bsc#1260082, BZ #34015)
- ldbl-128ibm-ceill-floorl-roundl-truncl.patch: Fix ldbl-128ibm ceill,
floorl, roundl and truncl zero-sign handling (BZ #33623)
- getlogin-utmp-fallback.patch: Linux: In getlogin_r, use utmp fallback
only for specific errors
- nss-malloc-failure-checks.patch: nss: Missing checks in
__nss_configure_lookup, __nss_database_get (BZ #28940)
- nss-database-for-fork.patch: nss: Introduce dedicated struct
nss_database_for_fork type
- malloc-sys-kernel-mm.patch: malloc: Avoid accessing /sys/kernel/mm files
- tests-aarch64-makefile-deps-bti.patch: tests: aarch64: fix makefile
dependencies for dlopen tests for BTI
- aarch64-lock-gcs-startup.patch: aarch64: Lock GCS status at startup
- elf-strlen-redir-ifunc.patch: elf: Use dl-symbol-redir-ifunc.h instead
_dl_strlen
- riscv-redir-memcpy-generic.patch: riscv: Resolve calls to memcpy using
memcpy-generic in early startup
- tst-rseq-linux-7.patch: tests: fix tst-rseq with Linux 7.0
- remove -fcf-protection from optflags on non-x86_64 cross compilers.
- Update to glibc 2.43
* The ISO C23 free_sized, free_aligned_sized, memset_explicit, and
memalignment functions have been added
* As specified in ISO C23, the assert macro is defined to take variable
arguments to support expressions with a comma inside a compound
literal initializer not surrounded by parentheses
* For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return
pointers into their input arrays now have definitions as macros that
return a pointer to a const-qualified type when the input argument is
a pointer to a const-qualified type
* The ISO C23 typedef names long_double_t, _Float32_t, _Float64_t, and
(on platforms supporting _Float128) _Float128_t, introduced in TS
18661-3:2015, have been added to
* The ISO C23 optional time bases TIME_MONOTONIC, TIME_ACTIVE, and
TIME_THREAD_ACTIVE have been added
* On Linux, the mseal function has been added
* Additional optimized and correctly rounded mathematical functions have
been imported from the CORE-MATH project, in particular acosh, asinh,
atanh, erf, erfc, lgamma, and tgamma.
* Optimized implementations for fma, fmaf, remainder, remaindef, frexpf,
frexp, frexpl (binary128), and frexpl (intel96) have been added.
* The SVID handling for acosf, acoshf, asinhf, atan2f, atanhf, coshf, fmodf,
lgammaf/lgammaf_r, log10f, remainderf, sinhf, sqrtf, tgammaf, y0/j0,
y1/j1, and yn/jn was moved to compat symbols, allowing improvements in
performance
* On Linux, the openat2 function has been added
* On AArch64, support for 2MB transparent huge pages has been enabled by
default in malloc (similar to setting glibc.malloc.hugetlb=1 tunable)
* On AArch64 Linux targets supporting the Scalable Matrix Extension
(SME), the clone() system call wrapper will disable the ZA state of the
SME
* On AArch64 targets supporting the Branch Target Identification (BTI)
extension, it is possible to enforce that all binaries in the process
support BTI using the glibc.cpu.aarch64_bti tunable
* On AArch64 Linux targets supporting at least one of the branch protection
extensions (e.g. Branch Target Identification or Guarded Control Stack), it
is possible to use LD_DEBUG=security to make the dynamic linker show
warning messages about loaded binaries that do not support the
corresponding security feature
* On AArch64, vector variants of the new C23 exp2m1, exp10m1, log10p1,
log2p1, and rsqrt routines have been added
* On RISC-V, an RVV-optimized implementation of memset has been added
* On x86, support for the Intel Nova Lake and Wildcat Lake processors
has been added
* Unicode support has been updated to Unicode 17.0.0
* The manual has been updated and modernized, in particular also regarding
many of its code examples
* Support for dumped heaps has been removed
* The aforementioned change in ISO C23 of the declaration of bsearch,
memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr,
wcsstr, and wmemchr as const-preserving macros can lead to compilation
issues in code not set up for it
* The uimaxabs function has been renamed to umaxabs, following a change
to the name of that function in ISO C2Y
* The fromfp, fromfpx, ufromfp and ufromfpx functions, and the
corresponding functions for other floating-point types, now return
their result in the same type as their floating-point argument, rather
than intmax_t or uintmax_t, in accordance with a change to the
definition of these functions in ISO C23
* The support for TX lock elision of pthread mutexes has been removed on all
architectures (powerpc, s390x, x86_64)
* The next linux 6.19 release will remove support for compat syscalls on s390x
* The LD_PROFILE functionality no longer has a default directory for the
profile data it writes
* GLIBC-SA-2026-0001: Integer overflow in memalign leads to heap
corruption (CVE-2026-0861)
* GLIBC-SA-2026-0002: getnetbyaddr and getnetbyaddr_r leak stack
contents to DNS resolver (CVE-2026-0915)
* GLIBC-SA-2026-0003: wordexp with WRDE_REUSE and WRDE_APPEND may return
uninitialized memory (CVE-2025-15281)
- inet-fortified-namespace.patch, abort-fork-lock-init.patch,
ld.so-load-segment-gaps.patch, cancelable-syscall-return-value.patch,
ctype-tls-IE.patch, i386-gnu-tls-abi-tag.patch,
x86-64-gnu2-tls-abi-tag.patch, x86-64-dt-x86-64-plt-abi-tag.patch,
i386-gnu2-tls-abi-tag.patch, aarch64-sve-powf.patch: Removed
==== gnome-bluetooth ====
Version update (47.1 -> 47.2)
Subpackages: libgnome-bluetooth-3_0-13 libgnome-bluetooth-ui-3_0-13 typelib-1_0-GnomeBluetooth-3_0
- Update to version 47.2:
+ This version adds mnemonics to some buttons, fixes a couple
memory leaks, makes it possible to run the tests with pygobject
>= 3.52
+ Updated translations.
==== gnome-maps ====
Version update (50.0 -> 50.1)
- Update to version 50.1:
+ Fix showing highway shields when clicking on a symbol in the
case when the Overpass query e.g. times-out
+ Updated translations.
==== gnome-settings-daemon ====
Version update (50.0 -> 50.1)
- Update to version 50.1:
+ Build improvements for systemd-less systems
==== gnome-shell ====
Version update (50.0 -> 50.1)
Subpackages: gnome-extensions gnome-shell-calendar
- Update to version 50.1:
+ Use triangular noise shape for dithering lightbox vignette
+ Fix glitch in quick settings with wrapped text in menu
+ Fit on-screen keyboard better on very small screens
+ Enable network agent on lock screen
+ Add basic zoom support to captive portal
+ Plugged leak
+ Misc. bug fixes and cleanups
+ Update translations.
==== gpg2 ====
Version update (2.5.18 -> 2.5.19)
Subpackages: dirmngr
- Update to 2.5.19:
* gpg: New option --use-ocb-sym
* gpg: New options --show-[only-]session-hash
* gpgsm: Allow cipher mode to be part of the algo given to the
--cipher-algo option
* gpgsm: Emit more details when failing to check a crlDP
* agent: Improve pinentry behavior and texts in smartcard context
* dirmngr: New keyword "clear" for --keyserver
* gpg: Fix edge case in --refresh-keys
* gpg: Don't call gcry_kdf_derive with empty passphrase
* gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to
allow import of recently issued certificates by the German
Telekom
* gpgsm: Fix a bug so that a certificate can be signed using a
different algo
* gpgsm: Make GCM fully compliant in de-vs mode
* gpgsm: Add a certificate chain check for de-vs compliance
* gpgsm: Show rsaPSS certificates as de-vs compliant in listings
* agent: Rework the trustlist reading code to finally allow a
trustlist.txt with a missing trailing LF
* ssh: Fix RSA padding in signature handling
* gpgtar: Fix -C (--directory) to check the output directory
* agent: Raise an error when p >= q for RSA keys to detect
incorrect generated *PGP keys
==== grub2 ====
Subpackages: grub2-arm64-efi grub2-arm64-efi-bls grub2-common grub2-snapper-plugin grub2-systemd-sleep-plugin
- Fix incorrect default entry and bump counter for BLS boot counter files
(bsc#1262580)
* 0001-bls-fix-default-entry-and-bumpcounter-for-BLS-boot-c.patch
- VUL-0: grub: potentially problematic utf8 conversion in bli patches (bsc#1262129)
* 0001-Fix-problematic-utf8-conversion-in-bli-patches.patch
- Fix build for glibc 2.43 by taking upstream changes (bsc#1257256)
* 0001-osdep-linux-ofpath-Update-strstr-calls.patch
* 0001-util-probe-Save-strrchr-ret-val-to-const-data-ptr.patch
* 0002-util-resolve-Save-str-r-chr-ret-val-to-const-data-pt.patch
- Fix string to integer conversion for LoaderConfigTimeout
* 0004-bli-Add-support-for-LoaderConfigTimeout-and-LoaderCo.patch
- grub2.spec: When building the grubbls image, do not hardcode the timeout
value in the early config because it is set by bli.mod when it is loaded
- grub2.spec: Remove hardcoded terminal and theme settings from the early
config as they are now applied at runtime
- Fix missing install device check in grub2-install on PowerPC which could lead
to bootlist corruption (bsc#1221126)
* 0001-Mandatory-install-device-check-for-PowerPC.patch
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
* grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
* grub2-btrfs-09-get-default-subvolume.patch
- Rewrite BLI patches:
* 0001-blsuki-Add-support-for-LoaderEntries.patch
* 0002-menu-Allow-default-entry-to-have-.conf-suffix.patch
* 0003-bli-Add-support-for-LoaderEntryDefault-and-LoaderEnt.patch
* 0004-bli-Add-support-for-LoaderConfigTimeout-and-LoaderCo.patch
* 0005-bls_bumpcounter-Add-command-to-bump-boot-counter-for.patch
* 0006-bli-Add-support-for-LoaderFeatures.patch
* 0007-blsuki-Fix-sorting-for-entries-with-boot-counting-en.patch
* 0008-blsuki-append-leftover-LoaderEntries.patch
* 0009-blsuki-conservative-UTF-8-buffer-size.patch
- Remove patches:
* 0001-bls-Accept-.conf-suffix-in-setting-default-entry.patch
* grub2-bls-boot-counting.patch
* grub2-bls-boot-assessment.patch
* grub2-blscfg-set-efivars.patch
* grub2-bls-loader-entry-oneshot.patch
* grub2-blsbumpcounter-menu.patch
* grub2-bls-loader-entry-default.patch
* grub2-bls-loader-entries-boot-counting.patch
* grub2-bls-loader-features.patch
* grub2-bls-loader-config-timeout.patch
* grub2-bls-loader-config-timeout-fix.patch
==== gsettings-desktop-schemas ====
Version update (50.0 -> 50.1)
- Update to version 50.1:
+ Updated translations.
==== gtk4 ====
Version update (4.22.2 -> 4.22.3)
Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0
- Update to version 4.22.3:
+ Bugs fixed:
- Input panel misplaced when typing with an input method in a
GTKPopover widget
- Snapshot with too small an angle shift freezes
- gtk-demo: Make --autoquit work again
- cssprovider: Fix gtk-application-prefer-dark-theme setting
- gdksettings-wayland: Apply reduced-motion setting
- Revert "testutils: Warn if setting up language didn't work"
- transform: Better float comparisons
- print dialog: Fix GTask lifecycle management
+ Updated translations.
- Update to version 4.22.2+25:
* imcontextwayland: Translate cursor rectangle to correct native
surface
* gdksettings-wayland: Apply reduced-motion setting
* gtkpango: Don't land on a single char of a wrapped line twice
==== gvfs ====
Subpackages: gvfs-backend-afc gvfs-backend-goa gvfs-backend-gphoto gvfs-backend-samba gvfs-backends gvfs-fuse
- Split out cdda in own separate sub package (gvfs-backend-cdda).
==== harfbuzz ====
Version update (14.1.0 -> 14.2.0)
Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0
- Update to version 14.2.0:
+ In this release, the experimental raster, vector, and GPU
libraries went through several rounds of code review and
cleanup to make sure they follow the high standards expected of
HarfBuzz code. The API has also been extensively reviewed based
on experience gained from using these libraries. We consider
the code and API to be ready for stabilization, and we expect
to graduate them from experimental in the near future. If you
are using or planning to use these libraries and have any
concerns about the API, it is time to raise them. Once a
library is deemed stable, we will never change the API or ABI
in an incompatible way.
==== hwdata ====
Version update (0.397 -> 0.406)
- update to 0.406:
* Update pci and vendor ids
- update to 0.405:
* Update pci and vendor ids
==== java-25-openjdk ====
Version update (25.0.2.0 -> 25.0.3.0)
Subpackages: java-25-openjdk-headless
- Update to upstream tag jdk-25.0.3+9 (April 2026 CPU)
* CVEs
+ CVE-2026-22007 (bsc#1262490)
+ CVE-2026-22008 (bsc#1262493)
+ CVE-2026-22013 (bsc#1262494)
+ CVE-2026-22016 (bsc#1262495)
+ CVE-2026-22018 (bsc#1262496)
+ CVE-2026-22021 (bsc#1262497)
+ CVE-2026-23865 (bsc#1259118)
+ CVE-2026-34268 (bsc#1262500)
+ CVE-2026-34282 (bsc#1262501)
* Changes
+ JDK-7191877: TEST_BUG: java/rmi/transport/checkLeaseInfoLeak/
/CheckLeaseLeak.java failing intermittently
+ JDK-8030957: AIX: Implement OperatingSystemMXBean
.getSystemCpuLoad() and .getProcessCpuLoad() on AIX
+ JDK-8068378: [TEST_BUG]The java/awt/Modal/PrintDialogsTest/
/PrintDialogsTest.java instruction need to update
+ JDK-8183336: Better cleanup for jdk/test/java/lang/module/
/customfs/ModulesInCustomFileSystem.java
+ JDK-8212084: G1: Implement UseGCOverheadLimit
+ JDK-8244336: Restrict algorithms at JCE layer
+ JDK-8246037: Shenandoah: update man pages to mention
-XX:+UseShenandoahGC
+ JDK-8255463: java/nio/channels/spi/SelectorProvider/
/inheritedChannel/InheritedChannelTest.java failed with
ThreadTimeoutException
+ JDK-8256289: java/awt/Focus/AppletInitialFocusTest/
/AppletInitialFocusTest1.java failed with "RuntimeException:
Wrong focus owner:
java.awt.Button[button1,41,36,56x23,label=Button1]"
+ JDK-8274082: Wrong test name in jtreg run tag for
java/awt/print/PrinterJob/SwingUIText.java
+ JDK-8286258: [Accessibility,macOS,VoiceOver] VoiceOver reads
the spinner value wrong and sometime partially
+ JDK-8286865: vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/
/Test.java fails with Out of space in CodeCache
+ JDK-8287062: com/sun/jndi/ldap/LdapPoolTimeoutTest.java
failed due to different timeout message
+ JDK-8293484: AArch64:
TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on CPU
with SHA512 feature support
+ JDK-8299304: Test "java/awt/print/PrinterJob/
/PageDialogTest.java" fails on macOS 13 x64 because the Page
Dialog blocks the Toolkit
+ JDK-8307495: Specialize atomic bitset functions for aix-ppc
+ JDK-8313770: jdk/internal/platform/docker/
/TestSystemMetrics.java fails on Ubuntu
+ JDK-8316274: javax/swing/ButtonGroup/
/TestButtonGroupFocusTraversal.java fails in Ubuntu 23.10 with
Motif LAF
+ JDK-8317838: java/nio/channels/Channels/
/SocketChannelStreams.java running into timeout (aix)
+ JDK-8318662: Refactor some jdk/java/net/httpclient/http2
tests to JUnit
+ JDK-8320677: Printer tests use invalid '@run main/manual=yesno
+ JDK-8333857: Test sun/security/ssl/SSLSessionImpl/
/ResumeChecksServer.java failed: Existing session was used
+ JDK-8333871: Check return values of sysinfo
+ JDK-8334928: Test sun/security/ssl/SSLSocketImpl/
/ReuseAddr.java failed: java.net.BindException: Address
already in use
+ JDK-8335646: Nimbus : JLabel not painted with LAF defined
foreground color on Ubuntu 24.04
+ JDK-8336695: Update Commons BCEL to Version 6.10.0
+ JDK-8339791: Refactor MiscUndecorated/ActiveAWTWindowTest.java
+ JDK-8341039: compiler/cha/TypeProfileFinalMethod.java fails
with assertEquals expected: 0 but was: 2
+ JDK-8342175: MemoryEaterMT fails intermittently with
ExceptionInInitializerError
+ JDK-8342401: [TESTBUG] javax/swing/JSpinner/8223788/
/JSpinnerButtonFocusTest.java test fails in ubuntu 22.04 on
SBR Hosts
+ JDK-8342640: GenShen: Silently ignoring
ShenandoahGCHeuristics considered poor user-experience
+ JDK-8342659: Test vmTestbase/nsk/jdi/ObjectReference/
/referringObjects/referringObjects002/referringObjects002.java
failed: Class nsk.share.jdi.TestClass1 was not unloaded
+ JDK-8343316: Review and update tests using explicit provider
names
+ JDK-8343340: Swapping checking do not work for
MetricsMemoryTester failcount
+ JDK-8343474: [updates] Customize README.md to specifics of
update project
+ JDK-8344073: Test runtime/cds/appcds/
/TestParallelGCWithCDS.java#id0 failed
+ JDK-8346154: [XWayland] Some tests fail intermittently in the
CI, but not locally
+ JDK-8346962: Test CRLReadTimeout.java fails with -Xcomp on a
fastdebug build
+ JDK-8348014: Enhance certificate processing
+ JDK-8349192: jvmti/scenarios/contention/TC05/tc05t001 fails:
ERROR: tc05t001.cpp, 281: (waitedThreadCpuTime -
waitThreadCpuTime) < (EXPECTED_ACCURACY * 1000000)
+ JDK-8352149: Test java/awt/Frame/MultiScreenTest.java fails:
Window list is empty
+ JDK-8353755: Add a helper method to Util - findComponent()
+ JDK-8354244: Use random data in MinMaxRed_Long data arrays
+ JDK-8354469: Keytool exposes the password in plain text when
... changelog too long, skipping 490 lines ...
DEFAULT_PROMOTED_VERSION_PRE=ea for release 25.0.3
==== kernel-firmware-amdgpu ====
Version update (20260414 -> 20260427)
- Update to version 20260427 (git commit b64d7354df3a):
* amdgpu: DMCUB updates for various ASICs
- Update to version 20260421 (git commit 0a7e55438c7c):
* amdgpu: DMCUB updates for DCN36
==== kernel-firmware-ath12k ====
Version update (20260317 -> 20260421)
- Update to version 20260421 (git commit 0a7e55438c7c):
* ath12k: QCC2072 hw1.0: add to WLAN.COL.1.0.c2-00074-QCACOLSWPL_V1_TO_SILICONZ-1
* ath12k: QCC2072 hw1.0: add board-2.bin
* ath12k: IPQ5424 hw1.0: add to WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
* ath12k: IPQ5424 hw1.0: add board-2.bin
==== kernel-firmware-bluetooth ====
Version update (20260408 -> 20260423)
- Update to version 20260423 (git commit 479a01628094):
* linux-firmware: Add firmware file for Intel BlazarIW
- Update to version 20260423 (git commit 0d347a3f3ec4):
* linux-firmware: Add firmware file for Intel ScorpiusGfp2 core
* linux-firmware: Add firmware file for Intel BlazarIGfp2 core
* linux-firmware: Update firmware file for Intel BlazarU-HrPGfP core
* linux-firmware: Update firmware file for Intel BlazarU core
* linux-firmware: Update firmware file for Intel Scorpius core
* linux-firmware: Update firmware file for Intel BlazarI core
* Revert "linux-firmware: Update firmware file for Intel Quasar core"
- Update to version 20260421 (git commit 0a7e55438c7c):
* QCA: Update Bluetooth WCN6856 firmware 2.1.0-00665 to 2.1.0-00666
==== kernel-firmware-mediatek ====
Version update (20260317 -> 20260423)
- Update to version 20260423 (git commit 0d347a3f3ec4):
* mediatek MT7925: update bluetooth firmware to 20260414153243
* linux-firmware: update firmware for MT7925 WiFi device
==== kernel-firmware-qcom ====
Version update (20260416 -> 20260423)
- Update to version 20260423 (git commit 0d347a3f3ec4):
* qcom: Update ADSP firmware for Glymur platform
* qcom: Add gpdspr.jsn for qcs8300 platform
- Update to version 20260421 (git commit 0a7e55438c7c):
* qcom: Update ADSP firmware for Kaanapali platform
==== kernel-firmware-sound ====
Version update (20260408 -> 20260421)
- Update to version 20260421 (git commit 0a7e55438c7c):
* cirrus: cs35l56: Add firmware for Cirrus Amps for some Lenovo laptops
* cirrus: cs35l56: Add firmware for Cirrus Amps for some Lenovo laptops (17aa235c 17aa235d)
==== kernel-source ====
Version update (6.19.12 -> 7.0.2)
Subpackages: kernel-64kb kernel-default
- Linux 7.0.2 (bsc#1012628).
- crypto: authencesn - Fix src offset when decrypting in-place
(bsc#1012628).
- pwm: th1520: fix `CLIPPY=1` warning (bsc#1012628).
- drm/amdgpu: replace PASID IDR with XArray (bsc#1012628).
- crypto: krb5enc - fix sleepable flag handling in encrypt
dispatch (bsc#1012628).
- crypto: krb5enc - fix async decrypt skipping hash verification
(bsc#1012628).
- ksmbd: fix use-after-free in __ksmbd_close_fd() via durable
scavenger (bsc#1012628).
- ksmbd: validate owner of durable handle on reconnect
(bsc#1012628).
- scripts: generate_rust_analyzer.py: define scripts
(bsc#1012628).
- scripts/dtc: Remove unused dts_version in dtc-lexer.l
(bsc#1012628).
- fs/ntfs3: validate rec->used in journal-replay file record check
(bsc#1012628).
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt
conditionally (bsc#1012628).
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io() (bsc#1012628).
- f2fs: fix to avoid memory leak in f2fs_rename() (bsc#1012628).
- f2fs: fix to avoid uninit-value access in
f2fs_sanity_check_node_footer (bsc#1012628).
- fuse: reject oversized dirents in page cache (bsc#1012628).
- fuse: abort on fatal signal during sync init (bsc#1012628).
- fuse: Check for large folio with SPLICE_F_MOVE (bsc#1012628).
- fuse: quiet down complaints in fuse_conn_limit_write
(bsc#1012628).
- fuse: fuse_dev_ioctl_clone() should wait for device file to
be initialized (bsc#1012628).
- ksmbd: require minimum ACE size in smb_check_perm_dacl()
(bsc#1012628).
- smb: server: fix active_num_conn leak on transport allocation
failure (bsc#1012628).
- smb: client: fix dir separator in SMB1 UNIX mounts
(bsc#1012628).
- smb: server: fix max_connections off-by-one in tcp accept path
(bsc#1012628).
- smb: client: require a full NFS mode SID before reading mode
bits (bsc#1012628).
- smb: client: validate the whole DACL before rewriting it in
cifsacl (bsc#1012628).
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO
path (bsc#1012628).
- ksmbd: validate response sizes in ipc_validate_msg()
(bsc#1012628).
- ksmbd: validate num_aces and harden ACE walk in
smb_inherit_dacl() (bsc#1012628).
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
(bsc#1012628).
- ksmbd: use check_add_overflow() to prevent u16 DACL size
overflow (bsc#1012628).
- ksmbd: reset rcount per connection in
ksmbd_conn_wait_idle_sess_id() (bsc#1012628).
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
(bsc#1012628).
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu (bsc#1012628).
- ALSA: hda/realtek: Add quirk for Legion S7 15IMH (bsc#1012628).
- ALSA: caiaq: take a reference on the USB device in create_card()
(bsc#1012628).
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
(bsc#1012628).
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP
command failed (bsc#1012628).
- crypto: ccp: Don't attempt to copy PDH cert to userspace if
PSP command failed (bsc#1012628).
- crypto: ccp: Don't attempt to copy ID to userspace if PSP
command failed (bsc#1012628).
- rxrpc: Fix missing validation of ticket length in non-XDR key
preparsing (bsc#1012628).
- mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
(bsc#1012628).
- Rename to
patches.kernel.org/7.0.2-032-writeback-Fix-use-after-free-in-inode_switch_wb.patch.
- commit 46da294
- Refresh
patches.suse/mfd-bcm2835-pm-Add-BCM2712-PM-device-support.patch.
- Refresh
patches.suse/mfd-bcm2835-pm-Introduce-SoC-specific-type-identifier.patch.
- Refresh
patches.suse/writeback-Fix-use-after-free-in-inode_switch_wbs_wor.patch.
Update upstream status.
- commit 8e3001e
- Re-enable ARM architectures and update configs
Rather late (well, that's an understatement) but better than never.
- commit 46dfbfa
- Update config files. Set INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y (bsc#1262308)
The same as for SL-16.*.
- commit ccbbbdf
- Linux 7.0.1 (bsc#1012628).
- clockevents: Add missing resets of the next_event_forced flag
(bsc#1012628).
- mm/userfaultfd: fix hugetlb fault mutex hash calculation
(bsc#1012628).
- media: hackrf: fix to not free memory after the device is
registered in hackrf_probe() (bsc#1012628).
... changelog too long, skipping 164 lines ...
- commit 5844293
==== lcms2 ====
Version update (2.18 -> 2.19)
- Update to version 2.19
* CMake build system.
* Large files support to use profiles up to 4Gb.
* Black point compensation works on multi-channel profiles.
* jpgicc banner is not shown on normal operation, only when help
is requested.
* Added a way to access internal transform pipelines.
* Add a way to retrieve the CMM signature.
* Added extra checks on postscript undocumented functions.
* Added guard on integer overflow when reading .cube files.
* Added unneeded checks as a try to get rid of spam reports about
"vulnerabilities" that are not real.
* Creating an output profile by cmsTransform2DeviceLink does not
propagate correctly the colorant table.
* Added some profile class definitions from iccMAX.
* Deprecated uint16 and uint32 types removed from tifdiff.
* fixed generation of tifdiff on CMake and meson.
==== leancrypto ====
- Fix build on kernel 7.0
* Add patch 0001-Linux-kernel-leancrypto_kernel_rng_tester-include-li.patch
- Pick fix for ABI issue in AVX2 assembly for Curve448 causing
test failures when building with GCC 16.
* Add patch leancrypto-ABI-fix.patch
==== libblockdev ====
Version update (3.4.0 -> 3.5.0)
Subpackages: libbd_btrfs3 libbd_crypto3 libbd_fs3 libbd_loop3 libbd_lvm3 libbd_mdraid3 libbd_nvme3 libbd_part3 libbd_smart3 libbd_swap3 libbd_utils3 libblockdev3
- Update to version 3.5.0:
+ More than a hundred fixes for various issues both in code and
test suite were found and fixed using Claude AI.
+ Crypto plugin now offers activate functions that accept
cryptsetup activation flags.
+ Two new functions added to the btrfs plugin for recursively
removing subvolumes and getting btrfs device stats.
==== libcamera ====
Subpackages: libcamera-base0_7 libcamera0_7
- Add libcamera-ov02e10-initial-support.patch
==== libdrm ====
Version update (2.4.131 -> 2.4.133)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_nouveau2 libdrm_radeon1
- update to 2.4.133
* This release contains few fixes for build errors that weren't
caught by CI.
==== libgpg-error ====
Version update (1.59 -> 1.60)
- Update to 1.60:
* New error codes
* Interface changes relative to the 1.57 release:
GPG_ERR_PUBKEY_NON_COMPLIANT NEW.
GPG_ERR_CIPHER_NON_COMPLIANT NEW.
GPG_ERR_DIGEST_NON_COMPLIANT NEW.
==== libphonenumber ====
Version update (9.0.27 -> 9.0.29)
- update to 9.0.29:
* Updated phone metadata for region code(s):
BI, BL, GP, MF, MY, SK, TH, TR, TW
* Updated short number metadata for region code(s): CH
* New geocoding data for country calling code(s): 7 (kk)
* Updated carrier data for country calling code(s):
7 (en, ru), 31 (en), 32 (en), 90 (en), 257 (en), 590 (en),
593 (en)
- update to 9.0.28:
* Update phone metadata for region code(s): BW, IL, MN, RE, SR, YT
* Updated carrier data for country calling code(s):
34 (en), 267 (en), 359 (en), 972 (en), 976 (en)
* Updated / refreshed time zone meta data.
* Decreased the number of invocations of
chooseFormattingPatternForNumber in
PhoneNumberUtil#formatInOriginalFormat
==== libshumate ====
Version update (1.6.0 -> 1.6.1)
Subpackages: libshumate-1_0-1 typelib-1_0-Shumate-1_0
- Update to version 1.6.1:
+ Add missing gettext domains
==== libsigc++3 ====
- Migrate to xz compression and manual service run
==== libupnp ====
Version update (1.18.4 -> 1.18.5)
Subpackages: libixml11 libupnp20
- Update to release 1.18.5
* Fixed CVE-2026-41682
==== libyui ====
- Force -std=gnu++17 to avoid build breakage with the default
of -std=gnu++20 in GCC 16
==== libyui-ncurses ====
- Force -std=gnu++17 to avoid build breakage with the default
of -std=gnu++20 in GCC 16
==== libyui-ncurses-pkg ====
- Force -std=gnu++17 to avoid build breakage with the default
of -std=gnu++20 in GCC 16
==== libyui-qt ====
- Force -std=gnu++17 to avoid build breakage with the default
of -std=gnu++20 in GCC 16
==== libyui-qt-graph ====
- Force -std=gnu++17 to avoid build breakage with the default
of -std=gnu++20 in GCC 16
==== libyui-qt-pkg ====
- Force -std=gnu++17 to avoid build breakage with the default
of -std=gnu++20 in GCC 16
==== libzypp ====
Version update (17.38.5 -> 17.38.7)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- version 17.38.7 (35)
- Check for trusted key updates when updating the general keyring
(bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- version 17.38.6 (35)
==== linux-glibc-devel ====
Version update (6.19 -> 7.0)
- Update to kernel headers 7.0
- Do not exclude drm headers, libdrm no longer conflicts
==== llvm22 ====
Version update (22.1.3 -> 22.1.4)
- Update to version 22.1.4.
* This release contains bug-fixes for the LLVM 22.1.0 release.
This release is API and ABI compatible with 22.1.0.
- Build bolt on riscv64.
- Fix shebang for hwasan_symbolize also on riscv64.
==== localsearch ====
Version update (3.11.0 -> 3.11.1)
- Update to version 3.11.1:
+ Fix possible failures when extracting metadata from EPUB, ODF
and OOXML documents
+ Updated translations.
- Drop localsearch-zip-private-library.patch: Fixed upstream.
==== md4c ====
Version update (0.5.2 -> 0.5.3)
- Update to 0.5.3
* Avoid repeated prefix language- in code block language
specification if the input already explicitly includes the prefix
* Permissive autolink extensions (MD_FLAG_PERMISSIVExxxAUTOLINKS)
are now tiny bit more permissive, allowing + and - characters
to be anywhere in the path portion of the URL. This also
improves compatibility with GFM
* Make Unicode-specific code compliant to Unicode 18.0
* Fix quadratic time behavior caused by one-by-one walking
over block lines instead of calling md_lookup_line()
* Fix quadratic time and output size behavior caused by
malicious misuse of link reference definitions
* The strike-through extension (with flag MD_FLAG_STRIKETHROUGH)
now follows same logic as other emphasis spans in respect to
punctuation character and word boundaries
* Fix handling tab when removing trailing whitespace,
especially in connection with ATX headers
* We now correctly abort the parser when a callback returns
non-zero. (Previously it worked correctly only for negative
values, values greater than zero were causing strange and
inconsistent behavior)
* Fix handling a code span whose closer is on the next line and
yet another text follows. In the case we erroneously outputted
the closer code span mark as part of the text
* Fix md_decode_utf16le_before__(). (Only affected MD4C builds
built with -MD4C_USE_UTF16 on Windows)
* Do not try to interpret characters in a link URL as Markdown
syntax characters
* Fix detection of closing code block fence if it has a
trailing tabulator
* Fix invalid free() in an error path
==== mozilla-nss ====
Version update (3.122.1 -> 3.122.2)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools
- update to NSS 3.122.2:
* bmo#2033783 - reject DTLS 1.3 Server Hello after HVR without
capping ss->vrange.max
==== mozjs140 ====
Version update (140.8.0 -> 140.10.0)
- Add security fixes:
+ mozjs140-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776)
+ mozjs140-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777)
+ mozjs140-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778)
- Update to version 140.10.0:
+ Security Vulnerabilities fixed in Firefox ESR 140.10
+ See https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/
+ See https://www.firefox.com/en-US/firefox/140.9.0/releasenotes/
==== mpg123 ====
Version update (1.33.4 -> 1.33.5)
Subpackages: libmpg123-0 mpg123-openal
- Update to version 1.33.5
* mpg123: Fix generic control mode for largefile-sensitive
builds, where 32 bit off_t was used with mpg123 API calls
expecting 64 bit off_t.
* mpg123-id3dump, out123: Enable 64 bit offset usage on
largefile-sensitive
platforms (regression since 1.32.0).
* libmpg123: Announce support for shadow stack / IBT in x86-64
assembly.
* libmpg123: Also announce PAC/BTI for non-accurate neon64
(aarch64) synth.
* libout123: Add a safeguard to ensure variable-length records
from buffer communication are always zero-terminated.
* libsyn123: Use union work buffer to avoid casts that may
look like breaking strict aliasing.
==== mutter ====
Version update (50.0 -> 50.1)
- Update to version 50.1:
+ Allow setting paint debug flags from environment
+ Fix applying pango scale attributes to text
+ Fix moving minimized maximized windows to a different monitor
+ Configure primary GPU in headless mode if it doesn't support KMS
+ Use fewer buffers for screencast streams
+ Only queue clipped redraws when mapped
+ Fix XReconfigureWMWindow() resizing window when not requested
+ Fix DND sometimes failing with reused data sources
+ Fix performance regression with some nvidia driver versions
+ Use modifiers for secondary GPU FBOs
+ Fix freeze with nvidia driver
+ Fixed crash
+ Misc. bug fixes and cleanups
+ Updated translations.
==== nghttp2 ====
Version update (1.68.1 -> 1.69.0)
- update to 1.69.0:
* nghttpx: Avoid separate allocation for QUIC tx buffer
* lib/CMakeLists.txt: Fix NGHTTP2_CONFIG_INSTALL_DIR path
* nghttpx: Ensure resetting downstream h2 stream
* Fix union usage in nghttp2_data_provider_wrap
* nghttpx: Remove stream_closed_ from Http2DownstreamConnection
* Introduce nghttp2_strlen_lit
* Check nghttp2_is_fatal first
* nghttpd, nghttpx: Accept at most 10 connections per loop
* nghttpx: Accept pending connections until it returns error
* nghttpx: Rework close-wait packet generation for h3
* nghttpx: Add extra validation for non-regular path for
* nghttpx: More strict validation for h1 host
* nghttpd: Refactor with std::span
* nghttp: Refactor with std::span
* nghttp: Move span creation out of loop
* nghttpx: Use std::span for upstream interface
* nghttpx: Modernize downstream connection with std::span
* nghttpx: Deal with partial write in API downstream connection
* nghttpx: Adopt std::span for LiveCheck read path
* Nghttpx connection write span
* Nghttpx connection read span
* nghttpx: Refactor QUIC utils with std::span
* nghttpx: Choose the sensible value for TCP_DEFER_ACCEPT
* nghttpx: Simplify HTTP/2 writer
* nghttpx: Format doc
* nghttpx: Deal with ECONNRESET for IPC socket on worker
* nghttpx: Rewrite LOG macros with std::source_location
* nghttpx: Amend #2671 to fix double logging
* nghttpx: Call Log ctor directly
* nghttpx: Rename LOG_ENABLED to log_enabled
* src: Add static constexpr to ngtcp2 and nghttp3 callbacks
* Nghttpx ech
* nghttpx: Log the number of loaded ECH configuration in NOTICE
==== ngtcp2 ====
Version update (1.22.0 -> 1.22.1)
Subpackages: libngtcp2-16 libngtcp2_crypto_gnutls8 libngtcp2_crypto_ossl0
- update to 1.22.1 (bsc#1262273, CVE-2026-40170):
* Fixes CVE-2026-40170
==== nvidia-open-driver-G07-signed ====
Version update (595.58.03_k6.19.12_1 -> 595.71.05_k7.0.2_1)
Subpackages: nvidia-open-driver-G07-signed-kmp-64kb nvidia-open-driver-G07-signed-kmp-default
- update CUDA variant to 595.71.05
- update non-CUDA variant to 595.71.05 (boo#1262574)
- disable-objtool-override.patch
* get rid of confusing objtool warnings (boo#1212841)
- -> from https://github.com/joanbm/nvidia-470xx-linux-mainline
==== nvidia-open-driver-G07-signed-cuda ====
Version update (595.58.03_k6.19.12_1 -> 595.71.05_k7.0.2_1)
Subpackages: nvidia-open-driver-G07-signed-cuda-kmp-64kb nvidia-open-driver-G07-signed-cuda-kmp-default
- update CUDA variant to 595.71.05
- update non-CUDA variant to 595.71.05 (boo#1262574)
- disable-objtool-override.patch
* get rid of confusing objtool warnings (boo#1212841)
- -> from https://github.com/joanbm/nvidia-470xx-linux-mainline
==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop
- Fix build with glibc 2.43 (boo#1257312)
+ Add patch:
- glibc243.patch
==== openSUSE-build-key ====
- adjust suse_version condition for the Backports key
==== openSUSE-release ====
Version update (20260425 -> 20260430)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen
==== openblas_openmp ====
Version update (0.3.29 -> 0.3.30)
- moved the testing to the build itself
- Update to version 0.3.30:
general:
* fixed an installation problem with the thread safety test in gmake builds
* fixed spurious overwriting of an input array in complex GEMMT/GEMMTR
* fixed naming of GEMMTR in error messages from XERBLA
* fixed compilation of SBGEMMT/SBGEMMTR in CMake builds
* fixed the implementation of ?NRM2 to handle INCX=0 correctly
* removed tests for CSROT and ZDROT that relied on unspecified behavior
* fixed a performance regression in multithreaded GEMM that was particularly
serious on POWER targets
* fixed linking issues when using LLVM's flang-new with gmake
* fixed a potential thread safety problem with C11 atomic operations
* further improved the workload partitioning in parallel GEMM
* fixed omission of LAPACKE interfaces for CGESVDQ,CTRSYL3 and ?GEQPF in
CMake builds
* fixed mishandling of setting NO_LAPACK to FALSE, and incorrect dependencies
for LAPACK function SPMV in CMake builds
* added explicit CMake options for building LAPACKE and shared libraries
* simplified and improved handling of OpenMP options in CMake builds
* renaming (pre/postfixing) and optional generation of PDB files for debugging
* Fixed building with (Mingw) gmake on Windows to ensure completeness of the
LAPACK included in the static library (potential race condition due to the
Windows version of the "ln" utility creating snapshot copies rather than links)
* fixed unwanted deletion of the lapacke_mangling.h file by "make clean"
* fixed potential duplication of a _64 suffix on library names in CMake builds
* fixed compilation of the C fallback copies of the LAPACK code with GCC 15
* included fixes from the Reference-LAPACK project:
fixed a truncated error message in the EIG part of the testsuite
(Reference-LAPACK PR 1119)
fixed too strict check in LAPACKE_?gesdd_work (PR #1126)
fixed memory corruption when calling ?GEEV with non-finite data (PR #1128)
fixed missing initialization of a variable in C/GEQP3RK (PR #1131)
fixed 2nd dimension chosen in C/ZUNMLQ transposition operation (PR #1135)
x86_64:
* fixed an error in the SBGEMV kernel for Cooper Lake/Sapphire Rapids
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* improved the compiler identification code for flang-new
* fixed a potential build issue in the ZSUM kernel
* fixed "argument list too long" errors when building on MacOS
* added cpu autodetection support for several new Arrow Lake models
* fixed conditional inclusion of the fast path SGEMM kernel in DYNAMIC_ARCH
* fixed compilation with the MinGW build of GCC 15
x86:
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* worked around potential miscompilation of CDOT with very old binutils
arm64:
* fixed cpu type detection of A64FX and some ThunderX models (broken in 0.3.29)
* added support for the AmpereOne/1A cpus in DYNAMIC_ARCH builds
* added an optimized SBGEMM kernel for NEOVERSEV1
* improved 1xN SBGEMM performance by forwarding to SBGEMV
* introduced a stepwise increase of the thread count used for
SGEMM and SGEMV on NEOVERSEV1/V2 in relation to problem size
* introduced a stepwise increase of the thread count used for
DGEMV on NEOVERSEV1 in relation to problem size
* introduced a stepwise increase of the thread count used for
SDOT and DDOT on NEOVERSEV1 in relation to problem size
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* added a fast path SGEMM kernel for small workloads on SME capable targets
* improved performance of SGEMM and DGEMM kernels for small workloads
* improved performance of SGEMV and DGEMV on SVE-capable targets
* improved performance of SGEMV on NEOVERSEN1 and Apple M
* added optimized SSYMV and DSYMV kernels for NEOVERSEN1, Apple M and all
SVE capable targets
* added optimized SBGEMV kernels for NEOVERSEV1/V2/N2
* improved performance of SGEMM through faster NCOPY kernels
* added compiler options for the NVIDIA HPC Compiler Suite
* fixed cpu core type and cache size detection on Apple M4
* updated GEMM parameter settings for Neoverse cpus in cross-builds with CMake
* fixed default compiler options for NEOVERSEN1 and CORTEXX2 in CMake builds
* fixed conditional inclusion of the fast path SGEMM kernel in DYNAMIC_ARCH
* fixed potential miscompilation of the non-SVE SDOT kernel
arm:
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* fixed unwanted generation of object files with a writable stack
riscv64:
* added optimized SROTM and DROTM kernels for x280
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* improved performance of GEMM_TCOPY on RVV1.0 targets with
VLEN of 128 or 256
* improved performance of OMATCOPY on targets with VLEN 256
* greatly improved performance of SGEMV/DGEMV
* improved performance of CGEMV and ZGEMV on C910V and all RVV targets
with VLEN 256
* improved performance of SAXPBY and DAXPBY on C910V and all RVV targets
with VLEN 256
* improved performance of AXPY and DOT on C910V and ZVL256B targets by
falling back to non-vectorized code for very small N. (Thereby fixing
poor performance of CHBMV/ZHBMV for very small K)
* fixed CMake build failures of the TRMM kernels
power:
* fixed building for PPCG4 with CMake
* fixed SSCAL/DSCAL on PPC970 running FreeBSD
* fixed a potential alignment issue in the POWER8 SGEMV kernel
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
zarch:
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* fixed unwanted generation of object files with a writable stack
- Removed Restore-the-non-vectorized-code-from-before-PR4880-for-POWER8.patch
as incorporated upstream
- Added testrun package which runs the tests separately, the package
itself is empty, but build fails if any test fails
==== openblas_pthreads ====
Version update (0.3.29 -> 0.3.30)
- moved the testing to the build itself
- Update to version 0.3.30:
general:
* fixed an installation problem with the thread safety test in gmake builds
* fixed spurious overwriting of an input array in complex GEMMT/GEMMTR
* fixed naming of GEMMTR in error messages from XERBLA
* fixed compilation of SBGEMMT/SBGEMMTR in CMake builds
* fixed the implementation of ?NRM2 to handle INCX=0 correctly
* removed tests for CSROT and ZDROT that relied on unspecified behavior
* fixed a performance regression in multithreaded GEMM that was particularly
serious on POWER targets
* fixed linking issues when using LLVM's flang-new with gmake
* fixed a potential thread safety problem with C11 atomic operations
* further improved the workload partitioning in parallel GEMM
* fixed omission of LAPACKE interfaces for CGESVDQ,CTRSYL3 and ?GEQPF in
CMake builds
* fixed mishandling of setting NO_LAPACK to FALSE, and incorrect dependencies
for LAPACK function SPMV in CMake builds
* added explicit CMake options for building LAPACKE and shared libraries
* simplified and improved handling of OpenMP options in CMake builds
* renaming (pre/postfixing) and optional generation of PDB files for debugging
* Fixed building with (Mingw) gmake on Windows to ensure completeness of the
LAPACK included in the static library (potential race condition due to the
Windows version of the "ln" utility creating snapshot copies rather than links)
* fixed unwanted deletion of the lapacke_mangling.h file by "make clean"
* fixed potential duplication of a _64 suffix on library names in CMake builds
* fixed compilation of the C fallback copies of the LAPACK code with GCC 15
* included fixes from the Reference-LAPACK project:
fixed a truncated error message in the EIG part of the testsuite
(Reference-LAPACK PR 1119)
fixed too strict check in LAPACKE_?gesdd_work (PR #1126)
fixed memory corruption when calling ?GEEV with non-finite data (PR #1128)
fixed missing initialization of a variable in C/GEQP3RK (PR #1131)
fixed 2nd dimension chosen in C/ZUNMLQ transposition operation (PR #1135)
x86_64:
* fixed an error in the SBGEMV kernel for Cooper Lake/Sapphire Rapids
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* improved the compiler identification code for flang-new
* fixed a potential build issue in the ZSUM kernel
* fixed "argument list too long" errors when building on MacOS
* added cpu autodetection support for several new Arrow Lake models
* fixed conditional inclusion of the fast path SGEMM kernel in DYNAMIC_ARCH
* fixed compilation with the MinGW build of GCC 15
x86:
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* worked around potential miscompilation of CDOT with very old binutils
arm64:
* fixed cpu type detection of A64FX and some ThunderX models (broken in 0.3.29)
* added support for the AmpereOne/1A cpus in DYNAMIC_ARCH builds
* added an optimized SBGEMM kernel for NEOVERSEV1
* improved 1xN SBGEMM performance by forwarding to SBGEMV
* introduced a stepwise increase of the thread count used for
SGEMM and SGEMV on NEOVERSEV1/V2 in relation to problem size
* introduced a stepwise increase of the thread count used for
DGEMV on NEOVERSEV1 in relation to problem size
* introduced a stepwise increase of the thread count used for
SDOT and DDOT on NEOVERSEV1 in relation to problem size
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* added a fast path SGEMM kernel for small workloads on SME capable targets
* improved performance of SGEMM and DGEMM kernels for small workloads
* improved performance of SGEMV and DGEMV on SVE-capable targets
* improved performance of SGEMV on NEOVERSEN1 and Apple M
* added optimized SSYMV and DSYMV kernels for NEOVERSEN1, Apple M and all
SVE capable targets
* added optimized SBGEMV kernels for NEOVERSEV1/V2/N2
* improved performance of SGEMM through faster NCOPY kernels
* added compiler options for the NVIDIA HPC Compiler Suite
* fixed cpu core type and cache size detection on Apple M4
* updated GEMM parameter settings for Neoverse cpus in cross-builds with CMake
* fixed default compiler options for NEOVERSEN1 and CORTEXX2 in CMake builds
* fixed conditional inclusion of the fast path SGEMM kernel in DYNAMIC_ARCH
* fixed potential miscompilation of the non-SVE SDOT kernel
arm:
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* fixed unwanted generation of object files with a writable stack
riscv64:
* added optimized SROTM and DROTM kernels for x280
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* improved performance of GEMM_TCOPY on RVV1.0 targets with
VLEN of 128 or 256
* improved performance of OMATCOPY on targets with VLEN 256
* greatly improved performance of SGEMV/DGEMV
* improved performance of CGEMV and ZGEMV on C910V and all RVV targets
with VLEN 256
* improved performance of SAXPBY and DAXPBY on C910V and all RVV targets
with VLEN 256
* improved performance of AXPY and DOT on C910V and ZVL256B targets by
falling back to non-vectorized code for very small N. (Thereby fixing
poor performance of CHBMV/ZHBMV for very small K)
* fixed CMake build failures of the TRMM kernels
power:
* fixed building for PPCG4 with CMake
* fixed SSCAL/DSCAL on PPC970 running FreeBSD
* fixed a potential alignment issue in the POWER8 SGEMV kernel
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
zarch:
* fixed corner cases of NAN and INF input handling in CSCAL and ZSCAL
* fixed unwanted generation of object files with a writable stack
- Removed Restore-the-non-vectorized-code-from-before-PR4880-for-POWER8.patch
as incorporated upstream
- Added testrun package which runs the tests separately, the package
itself is empty, but build fails if any test fails
==== openexr ====
Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33
- Disable testLargeDataWindowOffsets on 32-bit arm
==== openssh ====
Version update (10.2p1 -> 10.3p1)
Subpackages: openssh-clients openssh-common openssh-server
- Update to openssh 10.3p1:
= Potentially-incompatible changes
* ssh(1), sshd(8): remove bug compatibility for implementations
that don't support rekeying. If such an implementation tries to
interoperate with OpenSSH, it will now eventually fail when the
transport needs rekeying.
* sshd(8): prior to this release, a certificate that had an empty
principals section would be treated as matching any principal
(i.e. as a wildcard) when used via authorized_keys principals=""
option. This was intentional, but created a surprising and
potentially risky situation if a CA accidentally issued a
certificate with an empty principals section: instead of being
useless as one might expect, it could be used to authenticate as
any user who trusted the CA via authorized_keys. [Note that this
condition did not apply to CAs trusted via the sshd_config(5)
TrustedUserCAKeys option.]
This release treats an empty principals section as never matching
any principal, and also fixes interpretation of wildcard
characters in certificate principals. Now they are consistently
implemented for host certificates and not supported for user
certificates.
* ssh(1): the -J and equivalent -oProxyJump="..." options now
validate user and host names when they are passed
via the command-line (no such validation is performed for this
option in configuration files). This prevents shell injection in
situations where these were directly exposed to adversarial
input, which would have been a terrible idea to begin with.
Reported by rabbit.
= Security
* ssh(1): validation of shell metacharacters in user names supplied
on the command-line was performed too late to prevent some
situations where they could be expanded from %-tokens in
ssh_config. For certain configurations, such as those that use a
"%u" token in a "Match exec" block, an attacker who can control
the user name passed to ssh(1) could potentially execute arbitrary
shell commands. Reported by Florian Kohnhäuser.
We continue to recommend against directly exposing ssh(1) and
other tools' command-lines to untrusted input. Mitigations such
as this can not be absolute given the variety of shells and user
configurations in use.
* sshd(8): when matching an authorized_keys principals="" option
against a list of principals in a certificate, an incorrect
algorithm was used that could allow inappropriate matching in
cases where a principal name in the certificate contains a
comma character. Exploitation of the condition requires an
authorized_keys principals="" option that lists more than one
principal *and* a CA that will issue a certificate that encodes
more than one of these principal names separated by a comma
(typical CAs strongly constrain which principal names they will
place in a certificate). This condition only applies to user-
trusted CA keys in authorized_keys, the main certificate
authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile)
is not affected. Reported by Vladimir Tokarev.
* scp(1): when downloading files as root in legacy (-O) mode and
without the -p (preserve modes) flag set, scp did not clear
setuid/setgid bits from downloaded files as one might typically
expect. This bug dates back to the original Berkeley rcp program.
Reported by Christos Papakonstantinou of Cantina and Spearbit.
* sshd(8): fix incomplete application of PubkeyAcceptedAlgorithms
and HostbasedAcceptedAlgorithms with regard to ECDSA keys.
Previously if one of these directives contains any ECDSA algorithm
name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm
would be accepted in its place regardless of whether it was
listed or not. Reported by Christos Papakonstantinou of Cantina
and Spearbit.
* ssh(1): connection multiplexing confirmation (requested using
"ControlMaster ask/autoask") was not being tested for proxy mode
multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by
Michalis Vasileiadis.
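A defender-side check for the two authorized_keys principals="" items above (the empty-principals change and the comma-matching fix), as an added example that is not part of the OpenSSH release notes or this changelog: it lists entries that trust a CA via cert-authority together with a principals= option and marks those naming more than one principal. The function names, the key-type prefix heuristic and the sample keys are assumptions constructed for illustration.

```python
"""Audit authorized_keys text for user-trusted CA entries (added example)."""
from dataclasses import dataclass, field

# Assumption: a line that starts with one of these has no options field.
KEYTYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


@dataclass
class Finding:
    lineno: int
    principals: list = field(default_factory=list)
    multi_principal: bool = False
    note: str = ""


def _unquoted(text, chars):
    """Yield indexes of characters from `chars` that sit outside double quotes."""
    in_quotes, i = False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and text[i + 1:i + 2] == '"':
            i += 2  # escaped quote inside a quoted value
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in chars and not in_quotes:
            yield i
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in options field")


def _strip_quotes(value):
    """Remove one pair of surrounding double quotes and unescape \\"."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"')


def parse_options(options_field):
    """Return {option_name: value} for a comma-separated options field."""
    cuts = [-1, *_unquoted(options_field, ","), len(options_field)]
    opts = {}
    for start, end in zip(cuts, cuts[1:]):
        name, _, value = options_field[start + 1:end].partition("=")
        opts[name.strip().lower()] = _strip_quotes(value)
    return opts


def audit(text):
    """Return a Finding for every cert-authority entry that uses principals=."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(KEYTYPE_PREFIXES):
            continue  # blank, comment, or bare key without options
        try:
            end = next(_unquoted(line, " \t"), len(line))
            opts = parse_options(line[:end])
        except ValueError as exc:
            findings.append(Finding(lineno, note=str(exc)))
            continue
        if "cert-authority" not in opts or "principals" not in opts:
            continue
        names = [n.strip() for n in opts["principals"].split(",") if n.strip()]
        findings.append(Finding(lineno, names, len(names) > 1))
    return findings


# Constructed sample input; the key material is placeholder text, not real keys.
SAMPLE = '''\
# constructed sample
ssh-ed25519 AAAAconstructedkey1 alice@laptop
cert-authority,principals="deploy" ssh-ed25519 AAAAconstructedca1 build CA
cert-authority,principals="alice,bob",no-pty ssh-ed25519 AAAAconstructedca2 team CA
command="echo a,b",no-port-forwarding ssh-rsa AAAAconstructedkey2 backup
cert-authority ssh-ed25519 AAAAconstructedca3 plain CA
'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        tag = "multiple principals listed" if f.multi_principal else "single principal"
        print(f"line {f.lineno}: {f.principals} ({f.note or tag})")
```

Entries marked as listing multiple principals meet the first of the two conditions the comma-matching item names; whether the trusted CA would ever encode a comma in a principal name has to be checked on the CA side.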
= New features
* ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
names is advertised via the EXT_INFO message. If a server offers
support for the new names, then they are used preferentially.
The pre-standardisation "@openssh.com" extensions for
agent forwarding remain supported.
* ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent
"query" extension.
* ssh-add(1): support querying the protocol extensions via the
agent "query" extension with a new -Q flag.
* ssh(1): support multiple files in a ssh_config RevokedHostKeys
directive.
* sshd(8): support multiple files in a sshd_config RevokedKeys
directive.
* ssh(1): add a ~I escape option that shows information about the
current SSH connection.
* ssh(1): add an "ssh -Oconninfo user@host" multiplexing command
that shows connection information, similar to the ~I escapechar.
* ssh(1): add an "ssh -O channels user@host" multiplexing command to
get a running mux process to show information about what channels
are currently open.
* sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
applied to login attempts for usernames that do not match real
accounts. Defaults to 5s to match 'authfail' but allows
administrators to block such attempts for longer if desired.
* sshd(8): add a GSSAPIDelegateCredentials option for the server,
controlling whether it accepts delegated credentials offered by
the client. This option mirrors the same option in ssh_config.
* ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS
... changelog too long, skipping 134 lines ...
* 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
==== openssh-askpass-gnome ====
Version update (10.2p1 -> 10.3p1)
- "Update" to openssh 10.3p1:
* No changes for askpass, see main package changelog for
details.
==== orca ====
Version update (50.0.9 -> 50.1)
- Update to version 50.1:
+ Web:
- Fix presentation of multiline-text web combo boxes.
- Fix presentation of link file size.
- Fix double-presentation of "focus mode" when page load
completes.
- Fix say all looping in content, and eliminate some
chattiness.
+ Preferences:
- Fix preferences saving to old profile path after rename.
- Fix bug preventing restoration of default voice values.
- Fix left-over JSONism that prevented spiel from being saved
as the speech server.
- Handle TypeError resulting from speech synthesizer crashing
during prefs save.
+ Updated translations.
==== patterns-kde ====
Version update (20240311 -> 20260428)
Subpackages: patterns-kde-kde patterns-kde-kde_edutainment patterns-kde-kde_games patterns-kde-kde_ide patterns-kde-kde_imaging patterns-kde-kde_internet patterns-kde-kde_multimedia patterns-kde-kde_office patterns-kde-kde_pim patterns-kde-kde_plasma patterns-kde-kde_utilities patterns-kde-kde_utilities_opt patterns-kde-kde_yast
- Update version number
- Do not build kde_yast on Leap 16
- Obsoletes kde_minimal pattern if PackageHub bsc#1248107
==== patterns-server ====
Subpackages: patterns-server-dhcp_dns_server patterns-server-directory_server patterns-server-file_server patterns-server-kvm_server patterns-server-lamp_server patterns-server-mail_server patterns-server-printing
- Fix suse_version condition since Leap 16.1 does have a suse_version
value of 1610
==== php8 ====
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter
- php8: provide builtin php-opcache
- php8-devel: require libraries from "php-config --libs"
==== pipewire ====
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools
- Do not require pulseaudio-setup anymore
- Remove workaround for boo#1186561 which was already fixed
5 years ago and which wrote to /var (jsc#PED-15662)
==== polkit-default-privs ====
Version update (1550+20260414.1647bf2 -> 1550+20260428.f2a5d2e)
- Update to version 1550+20260428.f2a5d2e:
* profiles: whitelisted kdenetwork-filesharing {enable,start}service actions (bsc#1262258, bsc#1263037)
- Update to version 1550+20260428.d9ff7af:
* profiles: mcp-server-systemd (bsc#1259556)
==== pulseaudio ====
Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-utils system-user-pulse
- Do not run setup-pulseaudio on %post. Everything should work
fine out of the box these days. This improves the behaviour
of the package in immutable systems (jsc#PED-14841).
- Remove workaround in %post for a bug (bsc#1083473) that was
actually fixed in systemd-rpm-macros on March 4 2021
(bsc#1183051).
- Install sh and csh profiles as static files instead of generating
them from setup-pulseaudio (which is not run automatically
anymore).
- pulseaudio-setup is no longer required by pulseaudio.
==== python-anyio ====
Version update (4.12.1 -> 4.13.0)
- update to 4.13.0:
* Dropped support for Python 3.9
* Added a ttl parameter to the anyio.functools.lru_cache
wrapper
* Widened the type annotations of file I/O streams to accept
IO[bytes] instead of just BinaryIO
* Fixed anyio.Path not being compatible with Python 3.15 due to
the removal of pathlib.Path.is_reserved() and the addition of
pathlib.Path.__vfspath__()
* Fixed the BrokenResourceError raised by the asyncio
SocketStream not having the original exception as its cause
* Fixed the TypeError raised when using "func" as a parameter
name in pytest.mark.parametrize when using the pytest plugin
* Fixed the pytest plugin not running tests that had the anyio
marker added programmatically via
pytest_collection_modifyitems
* Fixed cancellation exceptions leaking from a CancelScope on
asyncio when they are contained in an exception group
alongside non-cancellation exceptions
* Fixed Condition.wait() not passing on a notification when the
task is cancelled but already received a notification
* Fixed inverted condition in the process pool shutdown phase
which would cause still-running pooled processes not to be
terminated
==== python-click ====
Version update (8.3.2 -> 8.3.3)
- update to 8.3.3:
* Use :func:`shlex.split` to split pager and editor commands
into argv lists for :class:`subprocess.Popen`, removing
shell=True. :issue:`1026` :pr:`1477` :pr:`2775`
* Fix TypeError when rendering help for an option whose default
value is an object that doesn't support equality comparison
with strings, such as semver.Version. :issue:`3298`
:pr:`3299`
* Fix pager test pollution under parallel execution by using
pytest's tmp_path fixture instead of a shared temporary file
path. :pr:`3238`
* Treat Sentinel.UNSET values in a default_map as absent, so
they fall through to the next default source instead of being
used as the value. :issue:`3224` :pr:`3240`
* Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(),
breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp)
can interact with the real terminal instead of the captured
I/O streams. :issue:`654` :issue:`824` :issue:`843` :pr:`951`
:pr:`3235`
* Add optional randomized parallel test execution using
pytest-randomly and pytest-xdist to detect test pollution and race
conditions. :pr:`3151`
* Add contributor documentation for running stress tests,
randomized parallel tests, and Flask smoke tests. :pr:`3151`
:pr:`3177`
* Show custom show_default string in prompts, matching the
existing help text behavior. :issue:`2836` :pr:`2837`
:pr:`3165` :pr:`3262` :pr:`3280` :pr:`3328`
* Fix default=True with boolean flag_value always returning the
flag_value instead of True. The default=True to flag_value
substitution now only applies to non-boolean flags, where
True acts as a sentinel meaning "activate this flag by
default". For boolean flags, default=True is returned as a
literal value. :issue:`3111` :pr:`3239`
* Mark make_default_short_help as private API. :issue:`3189`
:pr:`3250`
* CliRunner's redirected streams now expose the original file
descriptor via fileno(), so that faulthandler, subprocess,
and other C-level consumers no longer crash with
io.UnsupportedOperation. :issue:`2865`
* Change :class:`ParameterSource` to an :class:`~enum.IntEnum`
and reorder its members from most to least explicit, so
values can be compared to check whether a parameter was
explicitly provided. :issue:`2879` :pr:`3248`
==== python-cryptography ====
Version update (46.0.7 -> 47.0.0)
Subpackages: python311-cryptography python313-cryptography
- update to 47.0.0:
* Support for Python 3.8 is deprecated and will be removed in
the next cryptography release.
* BACKWARDS INCOMPATIBLE: Support for binary elliptic curves
(SECT* classes) has been removed. These curves are rarely
used and have additional security considerations that make
them undesirable.
* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been
removed. OpenSSL 3.0.0 or later is now required. LibreSSL,
BoringSSL, and AWS-LC continue to be supported.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
* BACKWARDS INCOMPATIBLE: Loading keys with unsupported
algorithms or keys with unsupported explicit curve encodings
now raises
:class:`~cryptography.exceptions.UnsupportedAlgorithm`
instead of ValueError. This change affects
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
:func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
and
:meth:`~cryptography.x509.Certificate.public_key` when called
on certificates with unsupported public key algorithms.
* BACKWARDS INCOMPATIBLE: When parsing elliptic curve private
keys, we now reject keys that incorrectly encode a private
key of the wrong length because such keys are impossible to
process in a constant-time manner. We do not believe keys
with this problem are in wide use, however we may revert this
change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys
to
:class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`.
In a future release, only 192-bit (24-byte) keys
will be accepted. Users should expand shorter keys themselves
(e.g., for single DES: key + key + key, for two-key: key +
key[:8]).
* Updated the minimum supported Rust version (MSRV) to 1.83.0,
from 1.74.0.
* Support for x86_64 macOS (including publishing wheels) is
deprecated and will be removed in the next release. We will
switch to publishing an arm64 only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is
deprecated and will be removed in the next release. Users
should move to a 64-bit Python installation.
* public_bytes and private_bytes methods on keys now raise
TypeError (instead of ValueError) if an invalid encoding is
provided for the given format.
* Moved
:class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
:class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
:class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8`
into :doc:`/hazmat/decrepit/index` and deprecated them in the
modes module. They will be removed from the modes module in
49.0.0.
* Moved
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
into :doc:`/hazmat/decrepit/index` and
deprecated it in the cipher module. It will be removed from
the cipher module in 49.0.0.
* Added
:meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract`
to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`.
The previous private implementation will be removed in
49.0.0.
* Added support for loading elliptic curve keys that contain
explicit encodings of the curves secp256r1, secp384r1, and
secp521r1.
* Added support for
:class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2d`
and
:class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2i`
when using OpenSSL 3.2.0+.
* Added derive_into methods to
:class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`,
:class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`,
:class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash`,
:class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`,
:class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`,
:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`,
:class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`,
:class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`,
:class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`,
and
:class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`
to allow deriving keys directly into pre-allocated buffers.
* Added encrypt_into and decrypt_into methods to
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`,
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`,
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV`,
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`,
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV`,
and
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
to allow encrypting directly into a pre-allocated buffer.
* Added support for PKCS1v15 signing without DigestInfo using
:class:`~cryptography.hazmat.primitives.asymmetric.utils.NoDigestInfo`.
* Added
... changelog too long, skipping 34 lines ...
OpenSSL 4.0.0.
==== python-gevent ====
Version update (25.9.1 -> 26.4.0)
- update to 26.4.0:
* Make gevent.ssl stop reusing exception instances, as this
could appear to cause a memory leak if there are many short
reads or writes. Reported by 사재혁. See :issue:`2159`.
* Fix Greenlet.dead returning true for an active greenlet
during early bootstrap. Thanks to Taegyun Kim. See
:issue:`2166`.
* Fix some potential GIL-related crashes during interpreter
shutdown by avoiding acquiring the GIL in libev callbacks
when the interpreter is finalizing. Thanks to Thomas
Kowalski. See :issue:`2170`.
* Support for Python 3.9 has been removed. Manylinux wheels are
built with version 2_28, up from 2014.
==== python-idna ====
Version update (3.11 -> 3.13)
Subpackages: python311-idna python313-idna
- update to 3.13:
* Correct classification error for codepoint U+A7F1
* Update to Unicode 17.0.0.
* Issue a deprecation warning for the transitional argument.
* Added lazy-loading to provide some performance improvements.
* Removed vestiges of code related to Python 2 support,
including segmentation of data structures specific to Jython.
==== python-pip ====
Version update (26.0.1 -> 26.1)
Subpackages: python311-pip python313-pip
- Update to 26.1 (bsc#1262429, CVE-2026-3219):
[#] Deprecations and Removals
- Drop support for Python 3.9.
[#] Features
- Add experimental support to read requirements from standardized
pylock.toml files (``-r pylock.toml``).
- Allow ``--uploaded-prior-to`` to accept a duration in days (e.g.,
``P3D`` for 3 days ago).
[#] Enhancements
- Speed up dependency resolution when there are complex conflicts.
- Reduce memory usage when resolving large dependency trees.
- Emit a deprecation warning when pip imports an unexpected module
after installation of a distribution has started.
- Allow URL constraints to apply to requirements with extras.
- Allow unpinned requirements to use hashes from constraints.
Constraints like ``{name}=={version} --hash=...`` feed into hash
verification for a corresponding requirement.
- Improve conflict reports that involve direct URLs.
- Show all errors instead of first error for faulty
``dependency_groups`` definitions.
[#] Bug Fixes
- Fix recovery hint for missing RECORD file to use
``--ignore-installed`` instead of ``--force-reinstall``.
- Fix misleading error message when a constraint file cannot be
opened.
- Show the filename rather than the full URL when downloading files
from non-PyPI indexes in non-verbose mode.
- Remove the adjacent ``__pycache__`` directory when a .py file is
removed.
- Force UTF-8 encoding for :pep:`723` metadata.
- Minor performance improvement when filtering candidates during
resolution.
- Fix a hang on Windows when stdout is closed during verbose output.
- Common path prefixes are determined by path segment, not character
by character.
- Fix installing ``.tar.gz`` source distributions that look like a
zip file.
[#] Vendored Libraries
- Upgrade certifi to 2026.2.25
- Upgrade packaging to 26.2
- Upgrade requests to 2.33.1
- Upgrade tomli to 2.3.1
- Upgrade urllib3 to 2.6.3
- Use ``packaging`` 26.1's new ``dependency_groups`` module,
removing ``dependency-groups`` vendor.
- Use ``packaging.direct_url`` to manipulate ``direct_url.json``.
Besides difference in validation error messages, there should be
no user-visible change.
==== python-pyOpenSSL ====
Version update (26.0.0 -> 26.1.0)
Subpackages: python311-pyOpenSSL python313-pyOpenSSL
- update to 26.1.0 (CVE-2026-40475, bsc#1262803):
* Maximum supported cryptography version is now 47.x.
* Fixed X509Name field setters to correctly pass the value
length to OpenSSL. Previously, values containing NUL bytes
would be silently truncated, causing a divergence between the
stored ASN.1 value and the value visible from Python. Credit
to BudongJW for reporting the issue. CVE-2026-40475
==== python-pylsqpack ====
Version update (0.3.23 -> 0.3.24)
- update to 0.3.24:
* Do not crash if decoding an empty header name
* Ensure encoder validates all input before starting encoding
==== python-simplejson ====
Version update (3.20.2 -> 4.1.1)
- update to 4.1.1:
* The C extension now accelerates encoding when ``indent=`` is
set.
* Previously the encoder fell back to the pure-Python
implementation whenever a non-None ``indent`` was passed;
* The C extension now emits PEP 678 ``exc.add_note()``
annotations on serialization failures, matching the pure-Python
encoder. A chained error on ``{'a': [1, object(), 3]}``
produces the same three notes
* Skip uploading Pyodide/wasm wheels to PyPI, which rejects
them with "unsupported platform tag 'pyodide_2024_0_wasm32'". The
wheels are still built in CI and preserved as workflow artifacts.
* simplejson 4 requires Python 2.7 or Python 3.8+. Older Python
versions (2.5, 2.6, 3.0-3.7) are no longer supported. pip
will not install simplejson 4 on unsupported versions.
* Full support for Python 3.13+ free-threading (PEP 703). The C
extension is now safe to use with the GIL disabled
(python3.14t):
* Converted all static types to heap types with per-module
state
* Numerous C extension memory safety fixes:
* Fix use-after-free and leak in encoder ident handling
* Fix NULL dereferences on OOM in module init and static
string init
* Fix reference leaks in dict encoder (skipkeys item,
variable shadowing)
* Fix member table copy-paste, exception clobbering, missing
Py_VISIT
* Fix error-as-truthy bugs in maybe_quote_bigint and
is_raw_json
* Fix iterable_as_array swallowing MemoryError and
KeyboardInterrupt
* Fix for_json and _asdict swallowing MemoryError,
KeyboardInterrupt,
==== python-tzdata ====
Version update (2026.1 -> 2026.2)
- update to 2026.2:
* 2026b released
* British Columbia moved to permanent -07 on 2026-03-09. Some
more overflow bugs have been fixed in zic.
==== python-zope.interface ====
Version update (8.3 -> 8.4)
- update to 8.4:
* Add support for automatically building and publishing
Windows/ARM64 wheels.
==== python313 ====
Subpackages: python313-curses python313-dbm python313-tk
- Add CVE-2026-6019-Morsel-js_output.patch, which protects against HTML
injection by Base64-encoding cookie values embedded in JS
(bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
CR/LF in HTTP tunnel request headers (bsc#1261969,
CVE-2026-1502, gh#python/cpython#146211).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
webbrowser %action substitution bypass of dash-prefix check
(bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch, which prevents
a dangling pointer that can lead to a use-after-free error
(CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).
==== python313-core ====
Subpackages: libpython3_13-1_0 python313-base python313-devel
- Add CVE-2026-6019-Morsel-js_output.patch, which protects against HTML
injection by Base64-encoding cookie values embedded in JS
(bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
CR/LF in HTTP tunnel request headers (bsc#1261969,
CVE-2026-1502, gh#python/cpython#146211).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
webbrowser %action substitution bypass of dash-prefix check
(bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch, which prevents
a dangling pointer that can lead to a use-after-free error
(CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).
==== salt ====
Subpackages: python311-salt salt-master salt-minion
- BDSA-2025-60810: Harden Tornado from invalid HTTP reason phrases
- Read full URI from ldap pillar config (bsc#1254900)
- Added:
* bdsa-2025-60810-harden-against-invalid-http-reason-p.patch
* read-full-uri-from-ldap-pillar-config-753.patch
==== samba ====
Version update (4.23.6+git.466.1a6b75cb208 -> 4.23.7+git.473.9487af01c24)
Subpackages: libldb2 python3-ldb samba-ad-dc-libs samba-client samba-client-libs samba-dcerpc samba-gpupdate samba-ldb-ldap samba-libs samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs
- Update to 4.23.7
* Fix a directory file descriptor leak in vfs_glusterfs that
caused unbounded memory growth on the GlusterFS brick with
persistent SMB2 connections; (bso#16043).
* autobuild fails if /proc/version contains trailing space;
(bso#16057).
* incorrect behavior on rpcclient enumport with rpcd_spoolss;
(bso#16019).
* rpc workers with long living clients grow server memory
keytab; (bso#16042); (bsc#1257200).
* vfs_snapper failing to access or enumerate files in
subfolders; (bso#16058); (bsc#1259667).
* libsmbclient posix extensions with SMB3 don't work at all;
(bso#15960).
* Samba is not built with FORTIFY_SOURCE; (bso#16040).
- Add support to allow default selinux autolabelling by
update-samba-security-profile on service [re]start to be
inhibited; (bsc#1259050).
- Use multiple threads for SELinux relabeling in
update-samba-security-profile (bsc#1259050).
==== sed ====
Version update (4.9 -> 4.10)
- Update to 4.10:
* sed 's/a/b/g' (and other global substitutions) now works on input
lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
would evoke a "panic" (exit 4).
* 'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
an attacker swap a symlink between resolution and open, causing sed to
read attacker-chosen content and write it to the original target.
(bsc#1262144, CVE-2026-5958)
* sed no longer falsely matches when back-references are combined with
optional groups (.?) and the $ anchor. For example, this no longer
falsely matches the empty string at beginning of line:
$ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
Xab
* In --posix mode, sed no longer mishandles backslash escapes (\n,
\t, \a, etc.) after a named character class like [[:alpha:]].
For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
trailing newline, treating \n as a literal backslash and an 'n'
rather than a newline. This happened when an earlier backslash
escape in the same regex had already been converted, shifting the
in-place normalization buffer.
* sed --debug no longer crashes when a label (":") command is compiled
before the --debug option is processed, e.g., sed -f<(...) --debug.
* sed no longer rejects the documented GNU extension 'a**' (equivalent
to 'a*') in Basic Regular Expression (BRE) mode. Previously, this
worked only with -E (ERE mode), even though grep has always accepted
it in BRE mode.
* sed no longer rejects "\c[" in regular expressions
* 'sed --follow-symlinks -i' no longer mishandles an operand that is a
short symbolic link to a long symbolic link to a file.
* Fix some longstanding but unlikely integer overflows.
Internally, 'sed' now more often prefers signed integer arithmetic,
which can be checked automatically via 'gcc -fsanitize=undefined'.
* In the default C locale, diagnostics now quote 'like this' (with
apostrophes) instead of `like this' (with a grave accent and an
apostrophe). This tracks the GNU coding standards.
* 'sed --posix' now warns about uses of backslashes in the 's' command
that are handled by GNU sed but are not portable to other
implementations.
* builds no longer fail on platforms without the header or
getopt_long function.
- Add disable-backref-test.patch
* The bug for back references combined with optional groups and anchor
hasn't been fixed in glibc yet, so the tests fail when building with
"--without-included-regex". Disable the tests for now.
==== simple-scan ====
Version update (49.1 -> 50.0)
- Update to version 50.0:
+ Update cursor names to be correctly displayed on Wayland.
+ Fix scanner selection disappearing after failed scan.
+ Use AdwToggleGroup in preferences dialog.
+ Bump minimum libadwaita version.
+ Show in-app notification after export with open folder action.
+ Fix the horizontal scroll bar not being shown when book-view
contains multiple pages unless a resize event occurs.
+ Updated translations.
==== srt ====
Version update (1.5.4 -> 1.5.5)
- Update to version 1.5.5:
+ Connection State Accuracy: Fixed an issue where srt_connect
reported incorrect error codes when attempted on a socket in a
broken state. The function now correctly identifies these
sockets as closed rather than reporting connection-specific
failures.
+ Listen Operation Refinement:
- Corrected the error code returned when calling srt_listen on
a closed or non-existent socket to ensure status reports
reflect the socket state accurately.
- Backlog updates: Updated the logic for srt_listen to allow
updates to the backlog parameter on sockets already in the
LISTENING state. In such cases, the function now successfully
updates the backlog and returns 0 (success).
+ Fixed a bug where a blocking srt_close call could be
interrupted by a connection attempt.
+ Resolved Issue #3289 regarding srt_connect in blocking mode.
These fixes ensure that interrupting a blocking connection loop
or closing the socket from another thread is correctly
recognized. Previously, these scenarios could cause the
function to incorrectly return success (0) or a misleading
SRT_ECONNSOCK error; it now correctly returns SRT_ESCLOSED or
SRT_EINVSOCK.
+ Fixed a potential buffer overflow in handshake processing by
ensuring that incoming group data length does not exceed
internal buffer capacity.
+ Fixed and then restored the cookie contest method from version
1.4.5 as a lower-risk stability measure. It also introduces a
mechanism to enforce specific cookie values for testing and
development purposes.
+ Fixed reentrancy of srt_strerror()
+ Fixed crash when adding a string-typed option to a group
configuration object
+ Fixed incorrect number of sockets returned by srt_epoll_uwait
+ Fixed inconsistent thread-related objects' state after fork()
+ Fixed issues found by thread and memory sanitizers
+ Fixed unexpected blocking behavior in sendmsg call
+ Fixed stalled connection that should break on rogue NAK/ACK
reception
+ Fixed some misleading error messages
+ Fixed wrong 'connection lost' error when sending to group in
non-blocking pending state
+ Fixed bug where tsbpd might miss m_bClosing flag set in the
meantime
+ Fixed caller-accepting connection without packetfilter while
requested by a caller (now: late-rejection)
==== sssd ====
Version update (2.12.0 -> 2.13.0)
Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap
- Update to release 2.13
* Fixed CVE-2026-6245, an out-of-bounds read in the PAM
passkey responder.
* During the processing of the `pam_sss_gss` request, SSSD will
read the SID from the PAC of the Kerberos ticket and might add
authentication indicators based on the value of the new option
`pam_gssapi_indicators_apply`. The primary use case is to
handle SIDs added by Active Directory’s Authentication
Mechanism Assurance (AMA).
* Active Directory’s Foreign Security Principals (FSP) are now
properly detected and ignored when reading nested group
members. The `ldap_ignore_unreadable_references` option is only
needed to ignore member objects which are really not
accessible.
* A number of cache performance optimizations for large
deployments.
* Tokens acquired from the IdP are now stored in the domain
cache, and are automatically refreshed if the new option
`idp_auto_refresh` is enabled.
* The `idp_type` option allows `entra_idp` url to be specified if
user is using a different Microsoft Entra endpoint.
* Support for the KDE Plasma Login Manager.
* New option `avoid_by_id_lookups` to tell the SSSD responders to
use a lookup by name instead of by id where possible.
* New options to customize the OAuth2 prompting behavior:
`interactive` and `interactive_prompt`.
- Delete 0001-Fix-libini_config-related-includes.patch,
0001-INI-get-rid-of-useless-macros.patch,
0001-INI-use-proper-deallocators.patch (obsolete)
==== strace ====
Version update (6.19 -> 7.0)
- Update to strace 7.0
* Implemented optional colorized trace output.
* Implemented decoding of rseq and rseq_slice_yield syscalls.
* Implemented decoding of BPF_TRACE_FSESSION bpf attach type.
* Implemented decoding of BPF_PROG_ASSOC_STRUCT_OPS bpf command.
* Implemented decoding of UDMABUF_CREATE, UDMABUF_CREATE_LIST,
and VIDIOC_QUERYMENU ioctl commands.
* Updated decoding of statmount syscall flags.
* Updated lists of BPF_*, BTRFS_*, FS_*, IORING_*, KEY_*, KVM_*, NT_*,
OPEN_TREE_*, PR_*, V4L2_*, and *_MAGIC constants.
* Updated lists of ioctl commands from Linux 7.0.
==== sushi ====
Version update (50.rc.1 -> 50.0)
- Update to version 50.0:
+ Fix a typo.
+ Updated translations.
==== systemd ====
Version update (259.5 -> 260.1)
Subpackages: libsystemd0 libudev1 systemd-boot systemd-container udev
- Upgrade to v260.1 (commit c0a5a2516d28601fb3afc1a77d7b42fcfe38fced)
See https://github.com/openSUSE/systemd/blob/SUSE/v260/NEWS for details.
- Drop support for System V service scripts.
- Drop 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch
- Drop 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
- Required versions of various library dependencies have been raised.
- systemd-update-helper: switch to the new command 'enqueue-marked'.
- Restore autovt@.service alias (a fallout from upstream commit
072e72424b2e6da1c96489ef6996f49fabd46474)
- systemd.spec: introduce %{container} bcond for container subpackage
- Enable systemd-boot on loongarch64.
==== tiff ====
- * CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411)
Add tiff-CVE-2026-4775.patch
==== timezone ====
Version update (2026a -> 2026b)
Subpackages: tzselect
- Update to 2026b:
* British Columbia moved to permanent -07 on 2026-03-09
* Some more overflow bugs have been fixed in zic
==== tinysparql ====
Version update (3.11.0 -> 3.11.1)
Subpackages: libtracker-sparql-3_0-0 typelib-1_0-Tracker-3_0
- Update to version 3.11.1:
+ Fixes to memory leaks and issues spotted by ASAN
+ Make lifetime of some mutexes explicit
==== tnftp ====
- Fix broken man page symlink (bsc#1260040).
==== vim ====
Version update (9.2.0219 -> 9.2.0398)
Subpackages: vim-data vim-data-common xxd
- Fix bsc#1261833 / CVE-2026-39881.
- Update to 9.2.0398.
- Changes:
* 9.2.0398: MS-Windows: missing strptime() support
* 9.2.0397: tabpanel: double-click opens a new tab
* 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
* 9.2.0395: tests: Test_backupskip() may read from $HOME
* 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
* 9.2.0393: MS-Windows: link error with XPM support on UCRT64
* 9.2.0392: tests: Some tests are flaky
* 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
* 9.2.0390: filetype: some Beancount files are not recognized
* 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app
* 9.2.0388: strange indent in update_topline()
* 9.2.0387: DECRQM request may leave stray chars in terminal
* 9.2.0386: No scroll/scrollbar support in the tabpanel
* 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff'
* 9.2.0384: stale Insstart after cursor move breaks undo
* 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
* 9.2.0382: Wayland: focus-stealing is non-working
* 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
* 9.2.0380: completion: a few issues in completion code
* 9.2.0379: gui.color_approx is never used
* 9.2.0378: Using int as bool type in win_T struct
* 9.2.0377: Using int as bool type in gui_T struct
* 9.2.0376: Vim9: elseif condition compiled in dead branch
* 9.2.0375: prop_find() does not find a virt text in starting line
* 9.2.0374: c_CTRL-{G,T} does not handle offset
* 9.2.0373: Ctrl-R mapping not triggered during completion
* 9.2.0372: pum: rendering issues with multibyte text and opacity
* 9.2.0371: filetype: ghostty config files are not recognized
* 9.2.0370: duplicate code with literal string_T assignment
* 9.2.0369: multiple definitions of STRING_INIT macro
* 9.2.0368: too many strlen() calls when adding strings to dicts
* 9.2.0367: runtime(netrw): ~ not expanded on MS Windows
* 9.2.0366: pum: flicker when updating pum in place
* 9.2.0365: using int as bool
* 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
* 9.2.0363: Vim9: variable shadowed by script-local function
* 9.2.0362: division by zero with smoothscroll and small windows
* 9.2.0361: tests: no tests for ch_listen() with IPs
* 9.2.0360: Cannot handle mouse-clicks in the tabpanel
* 9.2.0359: wrong VertSplitNC highlighting on winbar
* 9.2.0358: runtime(vimball): still path traversal attacks possible
* 9.2.0357: [security]: command injection via backticks in tag files
* 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
* 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
* 9.2.0354: filetype: not all Bitbake include files are recognized
* 9.2.0353: Missing out-of-memory check in register.c
* 9.2.0352: 'winhighlight' of left window blends into right window
* 9.2.0351: repeat_string() can be improved
* 9.2.0350: Enabling modelines poses a risk
* 9.2.0349: cannot style non-current window separator
* 9.2.0348: potential buffer underrun when setting statusline like option
* 9.2.0347: Vim9: script-local variable not found
* 9.2.0346: Wrong cursor position when entering command line window
* 9.2.0345: Wrong autoformatting with 'autocomplete'
* 9.2.0344: channel: ch_listen() can bind to network interface
* 9.2.0343: tests: test_clientserver may fail on slower systems
* 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
* 9.2.0341: some functions can be run from the sandbox
* 9.2.0340: pum_redraw() may cause flicker
* 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
* 9.2.0338: Cannot handle mouseclicks in the tabline
* 9.2.0337: list indexing broken on big-endian 32-bit platforms
* 9.2.0336: libvterm: no terminal reflow support
* 9.2.0335: json_encode() uses recursive algorithm
* 9.2.0334: GTK: window geometry shrinks with client-side decorations
* 9.2.0333: filetype: PklProject files are not recognized
* 9.2.0332: popup: still opacity rendering issues
* 9.2.0331: spellfile: stack buffer overflows in spell file generation
* 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
* 9.2.0329: tests: test_indent.vim leaves swapfiles behind
* 9.2.0328: Cannot handle mouseclicks in the statusline
* 9.2.0327: filetype: uv scripts are not detected
* 9.2.0326: runtime(tar): bug with dotted path
* 9.2.0325: runtime(tar): bug in zstd handling
* 9.2.0324: 0x9b byte not unescaped in mapping
* 9.2.0323: filetype: buf.lock files are not recognized
* 9.2.0322: tests: test_popupwin fails
* 9.2.0321: MS-Windows: No OpenType font support
* 9.2.0320: several bugs with text properties
* 9.2.0319: popup: rendering issues with partially transparent popups
* 9.2.0318: cannot configure opacity for popup menu
* 9.2.0317: listener functions do not check secure flag
* 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
* 9.2.0315: missing bound-checks
* 9.2.0314: channel: can bind to all network interfaces
* 9.2.0313: Callback channel not registered in GUI
* 9.2.0312: C-type names are marked as translatable
* 9.2.0311: redrawing logic with text properties can be improved
* 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
* 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
* 9.2.0308: Error message E1547 is wrong
* 9.2.0307: more mismatches between return types and documentation
* 9.2.0306: runtime(tar): some issues with lz4 support
* 9.2.0305: mismatch between return types and documentation
* 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
* 9.2.0303: tests: zip plugin tests don't check for warning message properly
... changelog too long, skipping 88 lines ...
* 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw
==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-noX vlc-qt
- Fix Requires for ffmpeg library:
For building the package ffmpeg-7-mini-libs may be installed
which is used for building only, so the package name cannot
be used to determine Requires.
==== webkitgtk3 ====
Version update (2.52.2 -> 2.52.3)
Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles
- Update to version 2.52.3:
+ Add support for the "scrollbar-color" CSS property.
+ Fix some emoji glyphs being rendered as missing glyph boxes.
+ Fix JavaScriptCore crashes on architectures other than x86_64.
+ Fix the build on s390x.
+ Fix several crashes and rendering issues.
+ Updated translations.
==== webkitgtk4 ====
Version update (2.52.2 -> 2.52.3)
Subpackages: libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles
- Update to version 2.52.3:
+ Add support for the "scrollbar-color" CSS property.
+ Fix some emoji glyphs being rendered as missing glyph boxes.
+ Fix JavaScriptCore crashes on architectures other than x86_64.
+ Fix the build on s390x.
+ Fix several crashes and rendering issues.
+ Updated translations.
==== xbitmaps ====
Version update (1.1.3 -> 1.1.4)
- Update to version 1.1.4
* This release adds support for building with meson as well as
autoconf.
- switch to meson
==== xdg-dbus-proxy ====
Version update (0.1.6 -> 0.1.7)
- Update to version 0.1.7:
+ Drop the autotools build system
+ Prevent a crash on disconnect
+ Fix building with glibc >= 2.43
+ Fix the eavesdrop filtering to prevent message interception
+ Fix CVE-2026-34080
==== xrandr ====
Version update (1.5.3 -> 1.5.4)
- Update to version 1.5.4
* This release detects when the X server is Xwayland and warns
that not all features will work, as rootless Xwayland provides
a read-only emulation of RANDR and does not allow changing
output configurations with RANDR.
* This release also adds support for building with meson as
well as autoconf.
- switch to meson
==== xterm ====
Version update (407 -> 409)
Subpackages: xterm-bin xterm-resize
- update to 409:
* correct one of the special cases added for Debian #1123877 in
patch
* update version for Extended Window Manager Hints
(EWMH), in manpage.
==== xwayland ====
Version update (24.1.9 -> 24.1.11)
- Update to 24.1.11
- This release addresses a number of regressions found in Xwayland 24.1.10:
* Avoids spurious focus changes with KDE when listening for mouse buttons
is enabled for legacy X11 application support
* Fix tablet tools not working anymore as "slave" devices
* Fix a crash when running some XTS tests
* Fix a crash in window damage handling caused by a NULL pointer dereference
- supersedes the following security patches for CVE-2026-33999,
CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003
(bsc#1260922, bsc#1260923, bsc#1260924, bsc#1260925, bsc#1260926)
* bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
* bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
* bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
* bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
* bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
* bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
==== yast2-trans ====
Version update (84.87.20260414.0f82ab3540 -> 84.87.20260424.fdcdc295f0)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu
- Update to version 84.87.20260424.fdcdc295f0:
* Translated using Weblate (Spanish)
* Translated using Weblate (Swedish)
* Translated using Weblate (Swedish)
* Translated using Weblate (Swedish)
* Translated using Weblate (Swedish)
* Translated using Weblate (Swedish)
==== zstd ====
Subpackages: libzstd1
- Backport 1.5.7 man page patch
* Documentation was not correctly updated at release time
* https://github.com/facebook/zstd/commit/6af3842
Add 0002-fix-1.5.7-documentation.patch
==== zypper ====
Version update (1.14.95 -> 1.14.96)
Subpackages: zypper-log zypper-needs-restarting
- Autorefresh ris-services the same way as plugin-services (bsc#1246504)
It's actually wrong to treat service refreshes differently
depending on the service type. For the purpose of a service it
makes no difference how the data about the repos to use are
acquired.
- version 1.14.96