Packages changed: Mesa (26.0.5 -> 26.1.0) Mesa-drivers (26.0.5 -> 26.1.0) MozillaFirefox (150.0 -> 150.0.2) PackageKit SDL3 (3.4.4 -> 3.4.6) accountsservice apache2 apache2-manual apache2-prefork apache2-utils at at-spi2-core (2.60.2 -> 2.60.3) avahi avahi-glib2 bubblewrap (0.11.1 -> 0.11.2) busybox colord coreutils coreutils-systemd curl (8.19.0 -> 8.20.0) dracut (110+suse.23.g5d9502c7 -> 110+suse.29.g16072cee) dracut-pcr-signature (0.6+4 -> 0.7+0) ethtool (6.19 -> 7.0) fwupd (2.0.20 -> 2.1.1) gawk (5.3.2 -> 5.4.0) gcc16 (16.0.1+git8812 -> 16.1.1+git8886) gdm gdm-branding-openSUSE glib2 (2.88.0 -> 2.88.1) glibc glslang (16.2.0 -> 16.3.0) gnome-control-center gnome-session gnome-settings-daemon gnome-shell gnome-software gnutls (3.8.12 -> 3.8.13) gtk4 (4.22.3 -> 4.22.4) inkscape (1.4.3+git2.fcd0343856 -> 1.4.4+git0.dcaf3e7d9e) kdump kernel-firmware-amdgpu (20260427 -> 20260505) kernel-firmware-bluetooth (20260423 -> 20260505) kernel-firmware-i915 kernel-firmware-intel (20260408 -> 20260505) kernel-firmware-media (20260414 -> 20260505) kernel-firmware-mediatek kernel-firmware-platform (20260416 -> 20260505) kernel-firmware-qcom (20260423 -> 20260505) kernel-firmware-realtek kernel-source (7.0.2 -> 7.0.5) kexec-tools (2.0.30 -> 2.0.32+git15.g677dd2f) krb5 lcms2 (2.19 -> 2.19.1) leancrypto lftp libass libexif (0.6.25 -> 0.6.26) libgit2 (1.9.2 -> 1.9.3) libgsf (1.14.56 -> 1.14.58) libksysguard6 libsemanage libsndfile libvirt (12.2.0 -> 12.3.0) mariadb (11.8.5 -> 11.8.6) mozjs140 (140.10.0 -> 140.10.1) mutter ncurses net-tools (2.10+1 -> 3.14~alpha~git.20251212.7011617) nvidia-open-driver-G06-signed (580.159.03_k7.0.2_1 -> 580.159.03_k7.0.5_1) nvidia-open-driver-G07-signed (595.71.05_k7.0.2_1 -> 595.71.05_k7.0.5_1) nvidia-open-driver-G07-signed-cuda (595.71.05_k7.0.2_1 -> 595.71.05_k7.0.5_1) nvidia-settings (580.142 -> 580.159.03) openSUSE-release (20260430 -> 20260510) openjph (0.27.0 -> 0.27.1) openssh ovmf perl (5.42.0 -> 5.42.1) postfix (3.11.1 -> 3.11.2) postgresql postgresql18 python-greenlet (3.4.0 -> 3.5.0) qt6-base qt6-svg qtkeychain-qt6 (0.15.0 -> 0.16.0) raspberrypi-firmware-dt sdbootutil (1+git20260421.88e40c4 -> 1+git20260506.25d47bf) sdl2-compat (2.32.66 -> 2.32.68) selinux-policy sensors shadow smartmontools sord (0.16.20 -> 0.16.22) sqlite3 (3.53.0 -> 3.53.1) sratom (0.6.20 -> 0.6.22) sso-mib (0.8.1 -> 0.9.0) sssd sysconfig (0.90.4 -> 0.90.5) tar tree (2.3.1 -> 2.3.2) tree-sitter unbound (1.24.2 -> 1.25.0) update-alternatives (1.22.21 -> 1.22.22) xf86-video-nv (2.1.23 -> 2.1.24) yast2-storage-ng (5.0.42 -> 5.0.43) yelp (49.0+22 -> 49.1) === Details === ==== Mesa ==== Version update (26.0.5 -> 26.1.0) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.0 * This release marks the first major feature update in the Mesa 26 series. * Highlights: - Implementation of Vulkan 1.4 API (support varies by driver). - VirtIO-GPU Native-Context for Intel Iris, Crocus, and ANV drivers providing faster GPU paravirtualization. - VirGL is now considered unmaintained. - Zink now supports OpenGL ES 2.0 on PowerVR GPUs. - RADV (AMD) added support for low-latency video encode/decode and VK_KHR_internally_synchronized_queues. - Experimental support for Intel Nova Lake P hardware. - Rusticl (OpenCL) now requires a static C++ standard library. - New extensions supported across various drivers: VK_EXT_present_timing, GL_NV_timeline_semaphore (radeonsi), VK_QCOM_image_processing (turnip), VK_KHR_present_id, VK_KHR_present_wait, and various cl_khr_subgroup extensions. - Dropped support for Python 3.6. Removed related patches: * u_0001-intel-genxml-Drop-from-__future__-import-annotations.patch * u_0002-intel-genxml-Add-a-untyped-OrderedDict-fallback-for-.patch * python36-buildfix1.patch * u_meson-lower-python-version-requirement.patch - Removed obsolete u_dep_xcb.patch. - Adjusted patches for new source context: * n_drirc-disable-rgb10-for-chromium-on-amd.patch - Add patch from https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40161 to fix build on armv6/7: * u_PR-40161.patch - Update to 26.0.6 bugfix release - -> https://docs.mesa3d.org/relnotes/26.0.6 ==== Mesa-drivers ==== Version update (26.0.5 -> 26.1.0) Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.0 * This release marks the first major feature update in the Mesa 26 series. * Highlights: - Implementation of Vulkan 1.4 API (support varies by driver). - VirtIO-GPU Native-Context for Intel Iris, Crocus, and ANV drivers providing faster GPU paravirtualization. - VirGL is now considered unmaintained. - Zink now supports OpenGL ES 2.0 on PowerVR GPUs. - RADV (AMD) added support for low-latency video encode/decode and VK_KHR_internally_synchronized_queues. - Experimental support for Intel Nova Lake P hardware. - Rusticl (OpenCL) now requires a static C++ standard library. - New extensions supported across various drivers: VK_EXT_present_timing, GL_NV_timeline_semaphore (radeonsi), VK_QCOM_image_processing (turnip), VK_KHR_present_id, VK_KHR_present_wait, and various cl_khr_subgroup extensions. - Dropped support for Python 3.6. Removed related patches: * u_0001-intel-genxml-Drop-from-__future__-import-annotations.patch * u_0002-intel-genxml-Add-a-untyped-OrderedDict-fallback-for-.patch * python36-buildfix1.patch * u_meson-lower-python-version-requirement.patch - Removed obsolete u_dep_xcb.patch. - Adjusted patches for new source context: * n_drirc-disable-rgb10-for-chromium-on-amd.patch - Add patch from https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40161 to fix build on armv6/7: * u_PR-40161.patch - Update to 26.0.6 bugfix release - -> https://docs.mesa3d.org/relnotes/26.0.6 ==== MozillaFirefox ==== Version update (150.0 -> 150.0.2) Subpackages: MozillaFirefox-branding-upstream - Mozilla Firefox 150.0.2 MFSA 2026-40 (bsc#1264378) * CVE-2026-8090 (bmo#2034352) Use-after-free in the DOM: Networking component * CVE-2026-8092 (bmo#1806249, bmo#2021977, bmo#2022576, bmo#2022722, bmo#2024439, bmo#2027883, bmo#2029463, bmo#2030323, bmo#2032042, bmo#2032043, bmo#2033270, bmo#2033637, bmo#2034422, bmo#2034496, bmo#2035879, bmo#2036516) Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2 * CVE-2026-8093 (bmo#1981270, bmo#2027154, bmo#2028332, bmo#2029327, bmo#2029428, bmo#2029894, bmo#2032189, bmo#2034837, bmo#2035968, bmo#2036256) Memory safety bugs fixed in Firefox 150.0.2 * Fixed an issue where websites on internal or corporate networks that require a login prompt would show a blank page. (bmo#2034752) * Fixed an issue that prevented highlighting from working on scanned images in the built-in PDF viewer. (bmo#2034980) * Fixed an issue where the "New" badge persisted on Split View menu items. (bmo#2027793) * Fixed an issue that prevented some webcams from working correctly in video calls. (bmo#2034722) * Fixed an issue where a tab would crash when dragging and dropping nested folders onto a webpage. (bmo#2030461) * Improved how Firefox displays websites with advanced 3D effects, fixing cases where parts of the page could disappear or appear incorrectly. (bmo#2034283) * Fixed an issue that could prevent Firefox’s local backup feature from completing successfully. (bmo#2029240) * Fixed an issue where the status and navigation bars would flicker or show mismatched colors when editing a page’s address. (bmo#2021596) * Improved the appearance of search suggestions in the address bar by preventing icons from appearing stretched or distorted. (bmo#2035353) - Mozilla Firefox 150.0.1 MFSA 2026-35 (boo#1263110) * CVE-2026-7320 (bmo#2027433) Information disclosure due to incorrect boundary conditions in the Audio/Video component * CVE-2026-7322 (bmo#2021904, bmo#2022731, bmo#2027158, bmo#2027733, bmo#2027973, bmo#2027976, bmo#2028231, bmo#2028731, bmo#2028886, bmo#2029067, bmo#2029700, bmo#2029724, bmo#2029806, bmo#2029814, bmo#2030108, bmo#2030111, bmo#2031524, bmo#2031921, bmo#2032040) Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1, Thunderbird ESR 140.10.1, Firefox 150.0.1 and Thunderbird 150.0.1 * CVE-2026-7323 (bmo#2028537, bmo#2029911, bmo#2031121, bmo#2033602) Memory safety bugs fixed in Firefox ESR 140.10.1, Thunderbird ESR 140.10.1, Firefox 150.0.1 and Thunderbird 150.0.1 * CVE-2026-7324 (bmo#2029419, bmo#2029717, bmo#2029769, bmo#2029886) Memory safety bugs fixed in Firefox 150.0.1 and Thunderbird 150.0.1 * Fixed: Fixed an issue where Facebook and other websites might not load properly for users with Bitdefender security software installed (bmo#2034178) * Fixed: Fixed an issue where denying a geolocation permission prompt could cause Firefox to show the system permission dialog again on a second attempt. (bmo#2034120) * Fixed: Fixed an issue that prevented tabs from being added to some older saved tab groups. (bmo#2031961) * Fixed: Fixed a layout issue where some drop-down menus expanded to display all list items at once. (bmo#2033117) - drop mozilla-bmo2031958.patch, included - requires NSS >= 3.122.2 ==== PackageKit ==== Subpackages: PackageKit-backend-zypp PackageKit-gstreamer-plugin PackageKit-gtk3-module libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0 - spec: requires_ge takes a package name as parameter, not a full NVR.arch string (that just happens to work sometimes): Fix by passing '--qf "%%{name}' to the rpm call identifying the target package name. ==== SDL3 ==== Version update (3.4.4 -> 3.4.6) - Update to release 3.4.6 * Fixed scaled cursor image selection on Wayland * Fixed horizontal touchpad scrolling direction on X11 * Fixed crash on exit when using KMSDRM in atomic mode * Fixed multi-threaded crashes using SDL GPU on Vulkan ==== accountsservice ==== Subpackages: libaccountsservice0 typelib-1_0-AccountsService-1_0 - Add accountsservice.tmpfiles file to create directories under /var using systemd-tmpfiles (jsc#PED-14834). ==== apache2 ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== apache2-manual ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== apache2-prefork ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== apache2-utils ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== at ==== - Use systemd-tmpfiles to create spool structure [jsc#PED-14783] - Added sources * at-tmpfiles.conf ==== at-spi2-core ==== Version update (2.60.2 -> 2.60.3) Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0 - Update to version 2.60.3: + libatspi: Fix another NULL pointer dereference. ==== avahi ==== Subpackages: libavahi-client3 libavahi-common3 libavahi-core7 - Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response containing a recursive CNAME record (bsc#1257235). - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) - Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836). ==== avahi-glib2 ==== - Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response containing a recursive CNAME record (bsc#1257235). - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) - Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836). ==== bubblewrap ==== Version update (0.11.1 -> 0.11.2) - Update to version 0.11.2 (bsc#1262113): * In setuid mode, don't run the low-privileged parts of the setup as dumpable, as that allows it to be ptraced which can lead to problems. This is CVE-2026-41163. * New build option `-Dsupport_setuid`, which if set to false (which is the default) disables the support for setuid. Binaries built with this will refuse to run if made setuid. ==== busybox ==== Subpackages: busybox-static - Fix heap buffer overflow vulnerability in the DHCPv6 client (CVE-2026-29004, bsc#1263989) * 0001-udhcpc6-fix-buffer-overflow.patch * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch ==== colord ==== Subpackages: colord-color-profiles libcolord2 libcolorhug2 - Mark both /var/lib/colord and /var/lib/colord/icc as %ghost directories since both are created from a systemd-tmpfiles config file provided by upstream (jsc#PED-14837) - Make colord-color-profiles noarch since it doesn't contain binary files. ==== coreutils ==== - coreutils-tests-misc-tty-eof-avoid-false-failure.patch: Add upstream patch: tests: avoid false failure with perl-IO-Tty >= 1.24 (bsc#1264052) ==== coreutils-systemd ==== - coreutils-tests-misc-tty-eof-avoid-false-failure.patch: Add upstream patch: tests: avoid false failure with perl-IO-Tty >= 1.24 (bsc#1264052) ==== curl ==== Version update (8.19.0 -> 8.20.0) Subpackages: libcurl4 - Update to 8.20.0: * Security fixes: - CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631) - CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632) - CVE-2026-5773: wrong reuse of SMB connection (bsc#1262633) - CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635) - CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636) - CVE-2026-6429: curl: netrc credential leak with reused proxy connection (bsc#1262638) * Changes: - async-thrdd: use thread queue for resolving - lib: add thread pool and queue - lib: drop support for < c-ares 1.16.0 - lib: make SMB support opt-in - multi.h: add CURLMNWC_CLEAR_ALL - rtmp: drop support * Bugfixes: - altsvc: cap the list at 5,000 entries - altsvc: drop the prio field from the struct - altsvc: skip expired entries read from file - asyn-ares: connect async - asyn-ares: drop orphaned variable references - asyn-ares: fix HTTPS-lookup when not on port 443 - asyn-thrdd: drop redundant `result` check - asyn-thrdd: fix clang-tidy unused value warning - async-ares: fix query counter handling - cf-ip-happy: limit concurrent attempts - cf-socket: avoid low risk integer overflow on ancient Solaris - cfilters: fix Curl_pollset_poll() return code mixup - config2setopts: make --capath work in proxy disabled builds - cookie: fix rejection when tabs in value - curl.h: replace macros with C++-friendly method to enforce 3 args - curl_ctype.h: fix spelling in a couple of locally used macros - curl_get_line: error out on read errors - curl_get_line: fix potential infinite loop when filename is a directory - curl_ngtcp2: extend and update callbacks for 1.22.0+ - curl_ntlm_core: drop redundant PP condition - curl_ntlm_core: use wolfCrypt DES API with wolfSSL - curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard - curl_sha512_256: support delegating to wolfSSL API - curlx_now(), prevent zero timestamp - digest: pass in the username quoted (as well) - dns: https-eyeballing async - dnscache: own source file, improvements - doh: fix memory-leak when doing a second DoH resolve - doh: remove superfluous doh_req check - file: init fd to -1 to prevent close fd 0 on early failure - fopen: for temp files, inherit permissions only for owner - ftp: do not strdup DATA hostname - ftp: make the MDTM date parser stricter (again) - ftp: reject PWD responses containing control characters - generate.bat: remove extra % from VC11 and VC12 runs - genserv.pl: make external calls safe - getinfo: initialize `PureInfo` field `used_proxy` - getinfo: repair CURLINFO_TLS_SESSION - h3: HTTPS-RR use in HTTP/3 - Happy Eyeballs: add resolution time delay - hostip: clear the sockaddr_in6 structure before use - hostip: init the curl_jmpenv_lock appropriately - hostip: resolve user supplied ip addresses - HSTS: cap the list - hsts: make the HSTS read callback handle name dupes - hsts: skip expired HSTS entries read from file - hsts: when a dupe host adds subdomains, use that - http2: clear the h2 session at delete - http2: prevent secure schemes pushed over insecure connections - http2: return error on OOM in push headers - http: clear credentials better on redirect - http: clear digest nonce on cross-origin redirect - http: clear the proxy credentials as well on port or scheme change - http: fix auth_used and auth_avail - http: fix Curl_compareheader for multi value headers - http: make Curl_compareheader handle multiple commas in header - http: on 303, switch to GET - http: use header_has_value() instead of duplicate code - imap: reset the UIDVALIDITY state between transfers - lib: accept larger input to md5/hmac/sha256/sha512 functions - lib: always use Curl_1st_fatal instead of Curl_1st_err - lib: make resolving HTTPS DNS records reliable: - lib: move request specific allocations to the request struct - lib: replace `PRI*32` printf masks with C89 ones - libssh2: allocate libssh2-friendly memory in kbd_callback - libssh2: fix error handling on quote errors - libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 - libssh: path length precaution - libssh: propagate error back in SFTP function - location/follow: mention netrc - man: fix argument type for `CURLSHOPT_[UN]SHARE` options - md4, md5: switch to wolfCrypt API in wolfSSL builds - mime: only allow 40 levels of calls - misc: fix code quality findings - multi: enhance pending handles fairness - multi: fix connection retry for non-http - multi: improve wakeup and wait code - netrc: find login-less password when user is given in URL - netrc: remove unused parsenetrc() macro for netrc-disabled - netrc: skip malformed macdef lines - openssl channel_binding: lookup digest algorithm without NID - openssl: drop obsolete SSLv2 logic - openssl: fix build with 4.0.0-beta1 no-deprecated ... changelog too long, skipping 59 lines ... * Rebased patches: dont-mess-with-rpmoptflags.patch libcurl-ocloexec.patch ==== dracut ==== Version update (110+suse.23.g5d9502c7 -> 110+suse.29.g16072cee) - Update to version 110+suse.29.g16072cee: * fix(dracut-install): remove FTS_NOSTAT in install_modules() fts traversal * fix(systemd-cryptsetup): load libcryptsetup via dlopen * fix(systemd-repart): load libfdisk via dlopen * fix(systemd-sysusers): do not run systemd-sysusers as part of the build process * fix(systemd): revert changes related to deduplication of cryptsetup targets * feat(systemd-coredump): save coredumps to journal ==== dracut-pcr-signature ==== Version update (0.6+4 -> 0.7+0) - Update to version 0.7+0: * Boot the ESP in /sysefi during initrd ==== ethtool ==== Version update (6.19 -> 7.0) - update to upstream release 7.0 * Feature: support MSE display (--show-mse) * Feature: add 2 new link_ext_state names * Fix: fix index calculation in ixgbe register dump (-d) * Fix: cmis wavelength tolerance output (-m) * Fix: duplicate sfpid Active Cu compliance output (-m) ==== fwupd ==== Version update (2.0.20 -> 2.1.1) Subpackages: fwupd-bash-completion libfwupd3 typelib-1_0-Fwupd-2_0 - Update to version 2.1.1: + This release adds the following features: - Add a new fwupd security check for HP Sure Start - Add a new plugin to verify Intel CSME using SMBIOS data - Add a new tpm-eventlog command to explain the TPM eventlog output - Add CycloneDX and SPDX support to uSWID - Add support for AMD Platform Secure boot - Add support for changing AMD GPU UMA carveout size - Add support for emulation for bluetooth devices - Allow systems to use the udev event source without using systemd - Disable the UEFI plugins on 32bit x86 - Drop support for GPG signing of metadata and firmware - No longer depend on json-glib, libarchive or protobuf-c - Remove the concept of blocked firmware - Show translated problems when a device cannot be installed + This release fixes the following bugs: - Add a timeout to the fwupd-refresh systemd unit - Allow systemd service to access block-sr devices - Always show the correct new firmware version in 'fwupdmgr get-history' - Be more defensive with invalid Corsair device responses - Cache the payload verification result to speed up installing modem firmware - Check for integer overflow when constructing a partial stream - Clear the remaining qc-firehose power reset logs - Decompress a zip file in Aver HID rather than a bz2 archive - Do not allow efivar update without TIME_BASED_AUTHENTICATED_WRITE_ACCESS - Do not hang when parsing an invalid USB descriptor - Do not include EV_NO_ACTION when calculating the TPM PCRs - Do not return an error if the fastboot property is not provided - Do not show all IDs as GUIDs if adding quirks after device setup - Find shim when using systemd-boot and distro-specific locations - Fix activation of dell-kestrel NVM when composite updates are completed - Fix a dell-dock regression when enumerating the status component - Fix a fuzzer timeout when parsing a Synaptics RMI SBL container - Fix a missing error check when updating Genesys USB hubs - Fix a potential heap OOB read in AMD Kria SOM EEPROM parser - Fix a potential Logitech HID++ hang when parsing unexpected payload IDs - Fix a potential out-of-bounds read in Dell dock - Fix a regression causing MBIM QDU updates to fail - Fix a regression when installing on the HP G5 dock - Fix a small memory leak when removing a bluetooth device - Fix an integer underflow when parsing a malicious PE file - Fix get-updates --json silently skipping UPDATABLE_HIDDEN devices - Fix the snapd-uefi request when multiple updates are processed - Honor polkit auth for emulation tag modify device - Make Logitech HID++ devices using RDFU actually work - Only load the history database in the daemon when required - Refactor the Snap support out into a new plugin - Remove a warning when updating Intel GSC OPROMDATA - Remove the bcm57xx recovery device support - Require a CHID for generic ElanTP devices - Speed up calculating the cabinet checksum by ~20% - Support 8bitdo firmware with multiple packed images - Try to claim the DFU USB interface more than once - Use crc32() from zlib.h when computing the most common kind of CRC32 - Verify the uncompressed size when decompressing CAB files + This release adds support for the following hardware: - Blestech Touchpads - ELAN Haptic MCU devices - FocalTouch devices - Himax Touchscreens - HP Engage One G2 Advanced Hub - KATAR PRO Wireless Gaming Dongle - Lenovo keyboard and mice accessories - Lenovo Sapphire Folio Keyboard - Lightware Taurus HC40 and HC60 - Novatek touchscreens - PixArt Touchpads - Rolling RW101-CAT12 modems - Sunwinon HID devices - Drop no longer required BuildRequires: pkgconfig(json-glib-1.0), pkgconfig(libarchive), and pkgconfig(protobuf). - Drop upstream merged patch 0001-Allow-systemd-service-to-access-block-sr-cdrom-devic.patch - Drop fwupd-bsc1130056-change-shim-path.patch: no longer applicable. ==== gawk ==== Version update (5.3.2 -> 5.4.0) - update to 5.4.0: * 1. This release now uses Mike Haertel's MinRX regular expression matcher as the default regexp engine. The old regex and dfa engines are still available. More detail is available in the manual, and in the file README_d/README.matchers. At the very least, read that file! * 2. The manual, in the Bugs section, now makes it explicit that (a) Ad hominem attacks on the lists will not be tolerated, and (b) Discussion of proprietary software is strongly discouraged. Repeated offenses are grounds for being banned from the lists. * 3. There is now a new directive, @nsinclude, which works like @include but does not reset the namespace for the included file to "awk". See the manual for details. * 4. When using lshift() or rshift() and attempting to shift by as many or more bits than in a uintmax_t, gawk returns zero, instead of whatever the C compiler and hardware might have done. * 5. Gawk's use of persistent memory has changed somewhat: * A. Gawk now stores additional meta-information in the backing file. * This means that if you have a backing file with important data in it, you should dump the data to a text file using the old version, create a new backing file, and then read your data back in with the new version, to a *brand new* backing file. * 6. The ordchr extension now supports multibyte / wide characters. * 7. Per the 2024 POSIX standard, `length(array)' is no longer an extension, but a regular feature. Thus --posix no longer rejects it and --lint no longer warns about it. * 8. The --traditional option has been rationalized to bring gawk into sync with BWK awk. It no longer affects the return code from system(), and it no longer prevents using a regexp for RS. Internally, the code was cleaned up some as well. * 9. Assertions in the C code are now enabled. To disable them, manually edit the various Makefiles after running configure and before running make. You will need to add - DNDEBUG to the CFLAGS variable. ==== gcc16 ==== Version update (16.0.1+git8812 -> 16.1.1+git8886) Subpackages: cpp16 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-pp libtsan2 libubsan1 - Update to 16.1.1+git8886, includes GCC 16.1 release. ==== gdm ==== Subpackages: gdm-schema gdm-systemd gdm-xdm-integration libgdm1 typelib-1_0-Gdm-1_0 - Drop all X11/XOrg related BuildRequires: pkgconfig(x11), pkgconfig(xau), pkgconfig(xcb), pkgconfig(xdmcp), pkgconfig(xi), pkgconfig(xinerama), pkgconfig(xrandr) and pkgconfig(xorg-server). - Drop check-devel, we already have pkgconfig(check) BuildRequires. ==== gdm-branding-openSUSE ==== - [git]: Do not store *.changes as LFS object. ==== glib2 ==== Version update (2.88.0 -> 2.88.1) Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0 - Update to version 2.88.1: + Fix miscompilation with GCC 16 due to GLib’s use of the wrong function attribute. + Fix flag confusion security issue when using `GRegex` with `G_REGEX_RAW` which can result in unbounded out-of-bounds heap reads off the start of a regex input string. + Fix various minor (low severity) security issues, typically one-to-five-byte out-of-bounds reads or ones relying on very specific (and unlikely) API calls or ones relying on discouraged P2P D-Bus configurations. + Updated translations. ==== glibc ==== Subpackages: glibc-devel glibc-extra glibc-gconv-modules-extra glibc-locale glibc-locale-base - ibm139x-pending-char-state.patch: Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046, bsc#1261206, BZ #33980) ==== glslang ==== Version update (16.2.0 -> 16.3.0) - Update to release 16.3.0 * Deprecated the HLSL front-end. ==== gnome-control-center ==== Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-user-faces gnome-control-center-users - Align with what meson setup checks for: Drop /usr/bin/Xvfb, pkgconfig(gl), pkgconfig(x11), pkgconfig(xcursor), pkgconfig(xft) and pkgconfig(xi) BuildRequires. ==== gnome-session ==== - Eliminate usage of update-alternatives on suse_version >= 1610 (jsc#PED-15674): GNOME-Session was the only one installng that handler into the wayland-sessions directory, and apparently nothing is reading it. GNOME does not have the X-Session anymore, making the step out easy at this time. - [git]: Do not store *.changes as LFS object. - Drop X11, OpenGL and glib2 BuildRequires: pkgconfig(egl), pkgconfig(epoxy), pkgconfig(gio-2.0), pkgconfig(gio-unix-2.0), pkgconfig(gl), pkgconfig(glesv2), pkgconfig(glib-2.0), pkgconfig(ice), pkgconfig(sm), pkgconfig(x11), pkgconfig(xcomposite) and pkgconfig(xtrans). ==== gnome-settings-daemon ==== - Drop unused pkgconfig(xi) and pkgconfig(xkbfile) BuildRequires. ==== gnome-shell ==== Subpackages: gnome-extensions gnome-shell-calendar - Align BuildRequires with what meson setup checks for: + Add: pkgconfig(xext), pkgconfig(xfixes) and pkgconfig(xfixes) + Drop: pkgconfig(gdk-x11-3.0), pkgconfig(gnome-bluetooth-3.0), pkgconfig(gtk+-3.0), pkgconfig(libcanberra) and pkgconfig(libcanberra-gtk3) ==== gnome-software ==== Subpackages: gnome-software-plugin-packagekit - Add fdupes BuildRequires and macro, remove duplicate files. ==== gnutls ==== Version update (3.8.12 -> 3.8.13) Subpackages: libgnutls-dane0 libgnutls30 - Update to 3.8.13: * libgnutls: Add more checks to DTLS reassembly [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846, bsc#1263705] * libgnutls: Fix qsort comparator in DTLS reassembly [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009, bsc#1263708] * libgnutls: Fix crashing on an underflow with a DTLS datagram A remotely triggerable underflow in the DTLS reassembly code led to a heap overrun. [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845, bsc#1263704] * libgnutls: Fix RSA-PSK identity truncation [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010, bsc#1263709] * libgnutls: Fix case-sensitivity of domain name comparison in name constraints [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833, bsc#1263707] * libgnutls: Fix intersecting empty constraints [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011, bsc#1263710] * libgnutls: Suppress CN fallback in presence of URI and SRV SAN [GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012, bsc#1263711] * libgnutls: Suppress CN fallback for oversized SAN [GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013, bsc#1263712] * libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014, bsc#1263713] * libgnutls: Fix overread in RSA key exchange with PKCS#11 keys [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260, bsc#1263715] * libgnutls: Fix off-by-one in PKCS#12 bag element bounds check [GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015, bsc#1263714] * libgnutls: Fix multi-entry OCSP response revocation bypass [GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832, bsc#1263706] * libgnutls: Fix timing side-channel in PKCS#7 padding removal [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419, bsc#1263716] * libgnutls: Fix PSK username comparison during rehandshake * libgnutls: Fix OID length check for OCSP delegated signer EKU * libgnutls: Fix AES keys persisting with pkcs11-provider * libgnutls: Fix missing RSA key coprimality check in verify_params * libgnutls: Fix overread when parsing OpenSSL PEM private keys * libgnutls: Fix a theoretical double-free during certificate import * libgnutls: Fix heap overread in SCT extension parser * libgnutls: Zeroize shared secret derived during hybrid key exchange * build: Support building with Nettle 4.0 Nettle 4.0 was released in Feburary 2026, with API incompatibile changes from 3.10. The library can now compile with it, while Nettle 3.10 is still supported (#1791). * libgnutls: Support deriving ML-DSA public key from an expanded private key RFC 9881 defines 3 private key formats for ML-DSA: "seed", "expandedKey" and both. It is now possible to derive a public key from a private key in the "expandedKey" format (#1723). * libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11 For compatibility reasons, the library supports two formats for EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING (DER). Previously, loading a private key in the former format resulted in a failure, which is now fixed (#1749). * libgnutls: HPKE (RFC 9180) is now supported as a technology preview The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic protocol which enables to encrypt arbitrary data to a recipient, by combining key encapsulation mechanism (KEM) and authenticated encryption with additional data (AEAD). GnuTLS now includes the implementation contributed by David Dudas. Given this is a technology preview, the implementation and the API might suffer modification in the following period. Use --enable-hpke to turn on this feature (#1506). * libgnutls: Fix TLS 1.3 client certificate selection For servers that send a signature_algorithms extension in CertificateRequest with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones, the client now properly considers RSA when selecting a certificate to send. This fixes TLS 1.3 interoperability with newer Java servers when using client certificates. * libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2 When using kTLS with ChaCha20-Poly1305 under TLS 1.2, an incorrect value was passed as the IV to the kernel, causing connections to fail early. * libgnutls: Allow fetching object type metadata for PKCS#11 keys A new library function, gnutls_pkcs11_obj_get_pk_algorithm, has been added to check the public key algorithms of PKCS#11 key objects. Object types other than CKO_PRIVATE_KEY are currently not supported. * API and ABI modifications: - gnutls_hpke_kem_t: New enum - gnutls_hpke_kdf_t: New enum - gnutls_hpke_aead_t: New enum - gnutls_hpke_mode_t: New enum - gnutls_hpke_role_t: New enum - gnutls_hpke_context_st: New context structure - gnutls_hpke_init: New function - gnutls_hpke_deinit: New function - gnutls_hpke_encap: New function - gnutls_hpke_seal: New function - gnutls_hpke_decap: New function - gnutls_hpke_open: New function - gnutls_hpke_derive_keypair: New function - gnutls_hpke_export: New function - gnutls_pkcs11_obj_get_pk_algorithm: New function * Rebase gnutls-FIPS-140-3-references.patch * Remove patches upstream: - gnutls-libnettle4-2075.patch - gnutls-libnettle4-2080.patch ==== gtk4 ==== Version update (4.22.3 -> 4.22.4) Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.22.4: + Bugs fixed: - Misc backports - popoverbin: Point to the center of the widget when popping up + Updated translations. ==== inkscape ==== Version update (1.4.3+git2.fcd0343856 -> 1.4.4+git0.dcaf3e7d9e) Subpackages: inkscape-extensions-extra inkscape-extensions-gimp - Update to version INKSCAPE_1_4_4+git0.dcaf3e7d9e: * Documentation update for Inkscape 1.4.4 * Revert "Switch PangoCairo rendering backend to Fontconfig" * Revert "Fix canvas text label Unicode rendering" * update translations * Revert "Show cursor on Text tool constructor" * Revert "Remove cursor show code from _updateCursor" * Speed up drawing cache insert * Prepare 1.4.4-rc * Update man page + tutorials for 1.4.4rc * Show cursor on Text tool constructor * Remove cursor show code from _updateCursor * Fix building with Poppler 26.04.0 * Fix build with poppler-26.03.0. * Switch PangoCairo rendering backend to Fontconfig * Add openmp on LLVM * explicitely make GUI executables on windows * Fix building with Poppler 0.26.02 * Fix warning with poppler 26.x.x * Fix build with poppler 26.01.0 * Make text itemization code clearer * Handle text with different lang across tspans * Fix crash while using maximum scans in trace dialog * Additional patching to make uri test work * Fix crash when opening corrupted Rotate Copies LPE SVGs * Fix crash in connector endpoint handling with null curve * Fix #6040: svg with markers which dont have associated path data now don't cause issues * Fix connector tool crash on overlapping shapes * Add tests for try_attach() from uri-reference.cpp * Fix Suprious Unsupported URI warning for web hyperlinks * Fix mime type of ODF extension * Disconnecting signals in dialog destructors * Use unordered_map where the ordering is not important * Fix crash and disable Corners LPE on groups * Connector Tool: Fix crash when undoing connection * Specify file is relicensed to GPL-2.0-or-later * Add elementary palette * Fix crash on adding knot to invalid gradient * Fix cmdline help showing translation artefacts * Fix clippath item visibility on releasing the clip * Use is_expandable_space for justified text * Fix crash while using tweak tool * Fix canvas text label Unicode rendering * Implement faster and smarter prettify_svgd * Fix gradient tool performance * EnablePages must always select a page if one isn't set. * Fix Layers & Objects dialog slowness * Fix crash on Break Apart with certain paths * Guard against duplicate entries in recently-used.xbel * Make splitPath() match previous behaviour * Fix splitPath() ignoring drive letter on Windows * Include implicit headers for gcc-16 * Avoid unchecked optional access in render_preview * Remove !desktop check in export dialog destruction * Robustify Cairo error handling in Canvas and Export dialog * Fix instructions in the US zine template * Fix crash with pen tablet connected * Fix crash when selecting object with PowerStroke * Fix color entry spamming undo stack * Rename star turn upright for clarity * Fix missing paste on page metadata * Update graphics for 1.4.4 * Revert "Fix Unicode dialog crashing" for alternative fix * Add Level Star action and add it to star toolbar * Stop cursor from blinking when defocused * Fix Opacity is not applied with last style if set with object and dialog * Fix Unicode dialog crashing * update translations * Make expander in L&O dialog clickable in RTL interface * Edit label and tooltip for Preserve Shape setting * Fix Welcome dialog stacking up when run more than once * Fix keyboard navigation in Objects dialog * update translations * Fix missing signal blocking in page toolbar * Convert libuemf to a git submodule * update translations - remove patches, applied upstream * Fix_Poppler_26_01_00_compat.patch * Fix_Poppler_26_02_0_compat.patch * inkscape-gcc16.patch ==== kdump ==== - drop unconditional calibrate BuildRequires ==== kernel-firmware-amdgpu ==== Version update (20260427 -> 20260505) - Update to version 20260505 (git commit 027be1e3d201): * amdgpu: DMCUB updates for various ASICs ==== kernel-firmware-bluetooth ==== Version update (20260423 -> 20260505) - Update to version 20260505 (git commit 027be1e3d201): * rtl_bt: Add missing rtl8761a_config.bin for RTL8761AU ==== kernel-firmware-i915 ==== - Update aliases from 7.1-rc1 ==== kernel-firmware-intel ==== Version update (20260408 -> 20260505) - Update to version 20260505 (git commit 027be1e3d201): * Linux-firmware: Add Dell ISH firmware 581.7783.0 for Intel Panther Lake systems. ==== kernel-firmware-media ==== Version update (20260414 -> 20260505) - Update to version 20260505 (git commit 027be1e3d201): * qcom: vpu: add Gen2 firmware binary for Agatti ==== kernel-firmware-mediatek ==== - Update aliases from 7.1-rc1 ==== kernel-firmware-platform ==== Version update (20260416 -> 20260505) - Update to version 20260505 (git commit 027be1e3d201): * linux-firmware:Add firmware for Lontium LT7911EXC bridge ==== kernel-firmware-qcom ==== Version update (20260423 -> 20260505) - Update to version 20260505 (git commit 027be1e3d201): * qcom: update ADSP firmware for x1e80100 platform * qcom: Update CDSP firmware for Kaanapali platform ==== kernel-firmware-realtek ==== - Update aliases from 7.1-rc1 ==== kernel-source ==== Version update (7.0.2 -> 7.0.5) Subpackages: kernel-64kb kernel-default - Linux 7.0.5 (bsc#1012628). - xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1012628). - commit 77ae3c4 - Linux 7.0.4 (bsc#1012628). - ipmi:ssif: NULL thread on error (bsc#1012628). - ipmi:ssif: Remove unnecessary indention (bsc#1012628). - netfilter: reject zero shift in nft_bitwise (bsc#1012628). - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (bsc#1012628). - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP (bsc#1012628). - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP (bsc#1012628). - vmalloc: fix buffer overflow in vrealloc_node_align() (bsc#1012628). - ALSA: aloop: Fix peer runtime UAF during format-change stop (bsc#1012628). - ALSA: caiaq: fix usb_dev refcount leak on probe failure (bsc#1012628). - drm/imagination: Fix segfault when updating ftrace mask (bsc#1012628). - drm/amdgpu: fix zero-size GDS range init on RDNA4 (bsc#1012628). - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1012628). - ALSA: caiaq: Don't abort when no input device is available (bsc#1012628). - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path (bsc#1012628). - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value (bsc#1012628). - crypto: authencesn - reject short ahash digests during instance creation (bsc#1012628). - mei: me: add nova lake point H DID (bsc#1012628). - mei: me: use PCI_DEVICE_DATA macro (bsc#1012628). - mm: avoid deadlock when holding rmap on mmap_prepare error (bsc#1012628). - mm: various small mmap_prepare cleanups (bsc#1012628). - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling (bsc#1012628). - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor (bsc#1012628). - iio: frequency: admv1013: fix NULL pointer dereference on str (bsc#1012628). - iio: frequency: admv1013: add dev variable (bsc#1012628). - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND (bsc#1012628). - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode (bsc#1012628). - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails (bsc#1012628). - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle (bsc#1012628). - rxgk: Fix potential integer overflow in length check (bsc#1012628). - rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1012628). - ntfs3: fix integer overflow in run_unpack() volume boundary check (bsc#1012628). - ntfs3: add buffer boundary checks to run_unpack() (bsc#1012628). - NFSv4.1: Apply session size limits on clone path (bsc#1012628). - ktest: Fix the month in the name of the failure directory (bsc#1012628). - IB/core: Fix zero dmac race in neighbor resolution (bsc#1012628). - gtp: disable BH before calling udp_tunnel_xmit_skb() (bsc#1012628). - ceph: only d_add() negative dentries when they are unhashed (bsc#1012628). - ceph: fix num_ops off-by-one when crypto allocation fails (bsc#1012628). - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() (bsc#1012628). - dm mirror: fix integer overflow in create_dirty_log() (bsc#1012628). - crypto: nx - Fix packed layout in struct nx842_crypto_header (bsc#1012628). - crypto: nx - fix context leak in nx842_crypto_free_ctx (bsc#1012628). - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx (bsc#1012628). - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error (bsc#1012628). - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path (bsc#1012628). - crypto: atmel-sha204a - Fix error codes in OTP reads (bsc#1012628). - crypto: atmel-tdes - fix DMA sync direction (bsc#1012628). - crypto: ccree - fix a memory leak in cc_mac_digest() (bsc#1012628). - crypto: hisilicon - Fix dma_unmap_single() direction (bsc#1012628). - crypto: atmel-ecc - Release client on allocation failure (bsc#1012628). - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup (bsc#1012628). - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit (bsc#1012628). - crypto: acomp - fix wrong pointer stored by acomp_save_req() ... changelog too long, skipping 659 lines ... - commit 086d181 ==== kexec-tools ==== Version update (2.0.30 -> 2.0.32+git15.g677dd2f) - update to 2.0.32+git15.g677dd2f: * x86_64: Support UKI image format * pe-zboot: Truncate the trailing zero if Image is signed * kexec: Enable zstd in kexec decompression paths * x86_64: Use the x86-64 level for purgatory * RISC-V: Enable kexec_file_load syscall * RISC-V: Support loading Image binary file * kexec/zboot: Add boundary check on PE header offset * LoongArch: Change COMMAND_LINE_SIZE to 4096 * kexec: Handle removal of multiple 'crashkernel' parameters * LoongArch: Enforce relocatable kernel check for crash dump * LoongArch: Change initrd allocation to top-down * LoongArch: Add kexec_file_load syscall * LoongArch: Remove 'kexec_file' cmdline parameters when using --reuse-cmdline option * kexec/ifdown.c: Use AF_NETLINK instead of AF_INET * ppc64: ensure /memreserve/ sections exist in user-provided FDT * ppc64: handle reboot CPU in case of user provided DTB * ppc64: lift the dtb and initrd restriction * kexec: add kexec flag to support debug printing * UKI: Fix the size of real payload * ppc64: Reserve FDT memory for full elfcorehdr memory size * LoongArch: Increase MAX_MEMORY_RANGES to 1024 - drop outdated patches: * kexec-tools-SYS_getrandom.patch * kexec-tools-riscv64.patch * kexec-tools-riscv-hotplug.patch ==== krb5 ==== Subpackages: krb5-client - Fix Fix two NegoEx parsing vulnerabilities: * CVE-2026-40355, bsc#1263366 * CVE-2026-40356, bsc#1263367 - Add patch 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch ==== lcms2 ==== Version update (2.19 -> 2.19.1) - Update to version 2.19.1 * Fixed sonames generation when using autotools. * Recovered an undocumented memory write feature lost because a "security" report. ==== leancrypto ==== - Calculate the FIPS HMAC for the leancrypto and the leancrypto-fips libraries. (bsc#1262399) ==== lftp ==== - Drop update-alternatives BuildRequires and Requires(post|postun): u-a code was removed from lftp package back in July 2023. ==== libass ==== - Add patch d013d97631bf86577e7eb44941b2b7b9cf4192d0.patch to fix a leak with libfontconfig ==== libexif ==== Version update (0.6.25 -> 0.6.26) - libexif-0.6.26 (2026-04-14): * Security issues fixed: * CVE-2026-40386: An unsigned integer underflow in Fuji and Olympus makernote handling (bsc#1262001) * CVE-2026-40385: An unsigned integer overflow on 32bit systems in Nikon makernote handling (bsc#1262000) * CVE-2026-32775: A buffer overwrite via integer underflow in makernote handling (bsc#1259755) * handle JPEG APP3 marker * added EXIF_TAG_IMAGE_DEPTH tag * translations updated: Arabic, German, Spanish, Polish, Romanian, Serbian, Swedish, Ukrainian, Chinese ==== libgit2 ==== Version update (1.9.2 -> 1.9.3) - update to 1.9.3: * bugfixes and compatibility improvements particularly around SHA256 support ==== libgsf ==== Version update (1.14.56 -> 1.14.58) Subpackages: gsf-office-thumbnailer libgsf-1-114 - Update to version 1.14.58: + Fix gsf_infile_msole_child_by_index - Update to version 1.14.57: + Fix problems with ole files bigger than 4G. + Document property fix. + Introspection fixes. + Make gzip, bzip, zip handle 4G+ writes. + Make gzip, bzip, zip handle 4G+ reads. + Improve testing. + Ole performace improvements with loads of children. ==== libksysguard6 ==== Subpackages: ksysguardsystemstats6-data libKSysGuardSystemStats2 libksysguard6-imports libksysguard6-plugins - Add missing %verify(not caps) (boo#1263098) ==== libsemanage ==== Subpackages: libsemanage-conf libsemanage2 - Change store root-path for selinux modules from /var/lib/selinux to /etc (fixes bsc#1221342 PED-12492) ==== libsndfile ==== - Fix IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555): libsndfile-CVE-2026-37555.patch - Fix buffer overflow in the ircam_read_header function (bsc#1248458, CVE-2025-52194): libsndfile-CVE-2025-52194.patch ==== libvirt ==== Version update (12.2.0 -> 12.3.0) Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-qemu libvirt-libs - Update to libvirt 12.3.0 - bsc#1251789, bsc#1263564 - Many incremental improvements and bug fixes, see https://libvirt.org/news.html#v12-3-0-2026-05-02 ==== mariadb ==== Version update (11.8.5 -> 11.8.6) Subpackages: libmariadbd19 mariadb-client mariadb-errormessages - Update to 11.8.6: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.6 https://mariadb.com/docs/release-notes/community-server/changelogs/11.8/11.8.6 * fixes for the following security vulnerabilities: 11.8.6: CVE-2026-32710 (bsc#1260081) - Update skipped test list - Add MDEV-38811.patch * Fixes crash in information_schema.table_constraints when --skip-grant-tables (bsc#1263153) ==== mozjs140 ==== Version update (140.10.0 -> 140.10.1) - Update to version 140.10.1: + Various security fixes + See https://www.firefox.com/en-US/firefox/140.10.1/releasenotes/ ==== mutter ==== - Align with what meson setup checks for: + Drop xvfb-run, pkgconfig(xcb-randr), pkgconfig(xkbcommon-x11), pkgconfig(xkbfile), pkgconfig(xrender) and pkgconfig(xtst) BuildRequires. + Add pkgconfig(xcb-res) and pkgconfig(xkeyboard-config-2) ==== ncurses ==== Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Remove fix-mouse.patch as it is verified that patch 20260418 includes the fix (boo#1253379) ==== net-tools ==== Version update (2.10+1 -> 3.14~alpha~git.20251212.7011617) - Switch to the latest snapshot of the new active upstream: https://github.com/ecki/net-tools (jsc#PED-14308). - Update to version 3.14~alpha~git.20251212.7011617: * Merges all useful downstream contributions. Obsoletes following patches: 0007-Introduce-T-notrim-option-in-netstat.patch, net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch, net-tools-CVE-2025-46836-error-reporting.patch, net-tools-parse_hex-stack-overflow.patch, net-tools-proc_gen_fmt-buffer-overflow.patch, net-tools-ifconfig-avoid-unsafe-memcpy.patch, net-tools-ax25+netrom-overflow-1.patch, net-tools-ax25+netrom-overflow-2.patch, net-tools-ifconfig-long-name-warning.patch. * Translation updates. * Minor fixes. * Defaults changes: * Enable Bluetooth protocol family, Token ring (generic) support and SELinux support. - Prevent denial of service via terminal escape sequences injection (bsc#1254323, gh#ecki/net-tools#2109, CVE-2024-58251, net-tools-netstat-ansi-injection.patch). ==== nvidia-open-driver-G06-signed ==== Version update (580.159.03_k7.0.2_1 -> 580.159.03_k7.0.5_1) - fix-objtool-warnings.patch (not applied on aarch64) * Get rid of "'naked' return found in MITIGATION_RETHUNK build" objtool warnings (boo#1212841, boo#1263834) - remove again disable-objtool-override.patch ==== nvidia-open-driver-G07-signed ==== Version update (595.71.05_k7.0.2_1 -> 595.71.05_k7.0.5_1) Subpackages: nvidia-open-driver-G07-signed-kmp-64kb nvidia-open-driver-G07-signed-kmp-default - fix-objtool-warnings.patch (not applied on aarch64) * Get rid of "'naked' return found in MITIGATION_RETHUNK build" objtool warnings (boo#1212841, boo#1263834) - remove again disable-objtool-override.patch ==== nvidia-open-driver-G07-signed-cuda ==== Version update (595.71.05_k7.0.2_1 -> 595.71.05_k7.0.5_1) Subpackages: nvidia-open-driver-G07-signed-cuda-kmp-64kb nvidia-open-driver-G07-signed-cuda-kmp-default - fix-objtool-warnings.patch (not applied on aarch64) * Get rid of "'naked' return found in MITIGATION_RETHUNK build" objtool warnings (boo#1212841, boo#1263834) - remove again disable-objtool-override.patch ==== nvidia-settings ==== Version update (580.142 -> 580.159.03) - update to version 580.159.03 (boo#1262749) ==== openSUSE-release ==== Version update (20260430 -> 20260510) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openjph ==== Version update (0.27.0 -> 0.27.1) - Update to 0.27.1: * Adds a check that we do not use reversible Sqcd/Sqcc with irreversible transform * Detecting illegal precinct width or height #269 ==== openssh ==== Subpackages: openssh-clients openssh-common openssh-server - Update openssh-7.7p1-fips.patch (bsc#1262555): Don't bail out on startup if a non-FIPS algorithm is requested. Filter it out and warn instead. - Update openssh-8.0p1-gssapi-keyex.patch: Apply to GSS too. ==== ovmf ==== Subpackages: qemu-uefi-aarch64 - Replace 'Support multiple entries' patch with 'drop GCD system memory check' patches because the fix was merged upstream (bsc#1259640) - Remove ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch - Add backported patch drop GCD system memory check from MemoryAttribute protocol - ovmf-ArmPkg-CpuDxe-Drop-GCD-system-memory-check-from-Memo.patch 99d8c3710a0f ArmPkg/CpuDxe: Drop GCD system memory check from MemoryAttribute protocol - ovmf-ArmPkg-CpuDxe-Refuse-to-clear-XN-from-device-memory-.patch c00c1216ce7f ArmPkg/CpuDxe: Refuse to clear XN from device memory mappings - Update OVMF descriptors - Set priority for qcow2 over raw format images. - Lower the priority of the CoCo OVMF descriptor. ==== perl ==== Version update (5.42.0 -> 5.42.1) Subpackages: perl-base - update to 5.42.1 * fix transition to/from daylight savings time * fix crashes in some two-variable "for" loop cases * fix autovivification for ternary condition operators ==== postfix ==== Version update (3.11.1 -> 3.11.2) - update to 3.11.2 * Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon dereferenced an uninitialized pointer after a request protocol error. This daemon is not exposed to local or remote users. Found by Claude Opus 4.6. * Bugfix (defect introduced: 20260309) a change, to set the service_name default value to "amnesiac", violated a test that parameter names in postconf output must match 1:1 with parameter names in the postlink script. * Portability: support for recent FreeBSD, NetBSD, and OpenBSD versions. * Bugfix (defect introduced: Postfix 2.2, date 20041207): When truncating a database file, the cdb: database client looked at the file size from before requesting an exclusive lock on a database file, instead of the file size after the exclusive lock was granted. Found by Claude Opus 4.6. * Bugfix (defect introduced: Postfix alpha, date 19980309): file descriptor leak after fork() failure. Found by Claude Opus 4.6. * Mistakes in debug logging. Found by Claude Opus 4.6. This affected two files in Postfix 3.8 and 3.9, three files in Postfix 3.10 and 3.11. * Unchecked null pointer results after an out-of-memory condition in a library dependency. Found by Claude Opus 4.6. The fix is to return an error status or to log a fatal error. This affected three source files. * Missing or incomplete guards for ssize_t or int overflow, found by Claude Opus 4.6. This affected three source files. These limits are unlikely to be exceeded because the size of in-memory objects is limited by design (the number of in-memory objects is also limited). ==== postgresql ==== Subpackages: postgresql-contrib postgresql-llvmjit postgresql-server - Get rid of update-alternatives and support immutable mode. See README.SUSE for details. (bsc#1245862, jsc#PED-14820) ==== postgresql18 ==== Subpackages: libpq5 postgresql18-contrib postgresql18-llvmjit postgresql18-server - bsc#1263804: After dropping update-alternatives we have to package /usr/bin/pg_config as an actual symlink, not %ghost. - Fix spelling of build conditionals. - Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional updates. (jsc#PED-14820) ==== python-greenlet ==== Version update (3.4.0 -> 3.5.0) - update to 3.5.0: * Remove the atexit callback. This callback caused greenlet APIs to become unavailable far too soon during interpreter shutdown. Now they remain available while all atexit callbacks run. Sometime after Py_IsFinalizing becomes true, they may begin misbehaving. Because the order in which C extensions are finalized is undefined, C extensions that are sensitive to this need to check the results of that function before invoking greenlet APIs. As a convenience, PyGreenlet_GetCurrent sets an exception and returns NULL when this happens (and greenlet.getcurrent begins returning None); other greenlet C API functions have undefined behaviour. Methods invoked directly on pre-existing greenlet.greenlet objects will continue to function at least until the greenlet C extension has been garbage collected and finalized. See PR 508. ==== qt6-base ==== Subpackages: libQt6Concurrent6 libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6OpenGLWidgets6 libQt6PrintSupport6 libQt6Sql6 libQt6Test6 libQt6WaylandClient6 libQt6Widgets6 libQt6WlShellIntegration6 libQt6Xml6 qt6-network-tls qt6-networkinformation-connman qt6-networkinformation-glib qt6-networkinformation-nm qt6-platformtheme-gtk3 qt6-printsupport-cups qt6-sql-mysql qt6-sql-sqlite qt6-wayland - Add upstream fix (QTBUG-145310, kde#518105): * 0001-freetype-Handle-failing-glyph-rendering.patch - Also use GCC 15 on Leap 16.1 ==== qt6-svg ==== Subpackages: libQt6Svg6 libQt6SvgWidgets6 - Add upstream fix (CVE-2026-6210, boo#1264301) * 0001-Test-types-of-nodes-before-downcasting-them.patch ==== qtkeychain-qt6 ==== Version update (0.15.0 -> 0.16.0) Subpackages: libqt6keychain1 qtkeychain-qt6-lang - Update to 0.16.0 * Add support for selecting backend via environment variable * Use default DBus timeout for KWallet check * Fix the crash caused by timeout when reading or writing keychain on macOS * Fix restore-after-deletion issue by creating QKeychain jobs dynamically * Add legacy support for KWallet maps * Added Swedish translation * Added Georgian translation * Fixes for various build/build system issues ==== raspberrypi-firmware-dt ==== - Use poling mode for Ethernet carrier detection on CM5 0001-arm64-dts-bcm2712-CM5-Ethernet-PHY-use-polling-mode.patch ==== sdbootutil ==== Version update (1+git20260421.88e40c4 -> 1+git20260506.25d47bf) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20260506.25d47bf: * Drop systemd.machine_id if /etc/machine-id is present * Support XBOOTLDR partition * Add CLAUDE.md file * Use command -v instead of hash * Remove dead code * Fix regular expression non-capturing group * Add comment about default values in config file * Clarify when swap is mounted * Fix typo in comment * Exit early if we are outside the initrd * Fix variable name * Fix typo * When cleaning pcrlock.d remove only the content * Do not check in_buildroot when updating entries * update_kernels: Update entries for the system if no snapshot is provided ==== sdl2-compat ==== Version update (2.32.66 -> 2.32.68) - Update to release 2.32.68 * Fixed gamepad rumble in Middle-earth: Shadow of Mordor and other games on Linux * Added an "SDL3_VERSION" hint that can be read by games using sdl2-compat ==== selinux-policy ==== Subpackages: selinux-policy-targeted - start cleanoldsepoldir.service after successfull health-checker.service fixes occational fail on transactional systems when boot failed (boo#1261698) - Change store root-path for selinux modules from /var/lib/selinux to /etc (fixes bsc#1221342 PED-12492) * Service file and script is installed to eventually delete /var/lib/selinux once no snapshot is using it * Fix copy custom modules to /etc and can be checked by the provided script `/usr/libexec/selinux/cleanoldsepoldir.sh --check-custom-selinux-modules` * Add filters for duplicate entries to rpmlintrc for now * Drop dir-or-file-outside-snapshot rpmlint filter ==== sensors ==== Subpackages: libsensors4 - Add sensors-detect-udevadm-path.patch to deal with the move of udevadm from /sbin to /usr/bin (boo#1259511). - Add pwm-fix-bad-scaling-due-to-use-of-integer-type.patch which fixes PWM values being scaled to 0-128% instead of 0-100% (boo#1255928). ==== shadow ==== Subpackages: libsubid5 login_defs shadow-pw-mgmt - Use `%verify(not mode caps)` and remove setuid bit for newgidmap and newuidmap. Related to gh/openSUSE/post-build-checks#66 - shadow-util-linux.patch: util-linux-2.42 introduced new variable: LOGIN_SHELL_FALLBACK. Recognize it and update dependencies. The patch includes gh/shadow-maint/shadow/pull#1621. - shadow-login_defs-check.sh: Adjust for new quilt. ==== smartmontools ==== - Update smartmontools-drivedb.h to the latest version from the upstream branch 7.5. - NEW DEFAULT: Never check disks that do not spin (boo#1259501, smartmontools-suse-default.patch). - Generate smartd.opts, even if smartd_opts is empty. - Use "systemctl" instead of "service" (boo#1259501#c4, smartmontools.generate_smartd_opts.in). - Fix the package for immutable mode (jsc#PED-14826, smartmontools.tmpfiles.in). - Remove obsolete checks from smartmontools-rpmlintrc. ==== sord ==== Version update (0.16.20 -> 0.16.22) - update to 0.16.22: * Add clang nullability annotations * Address new warnings in clang and clang-tidy 21 * Make more API functions tolerate NULL ==== sqlite3 ==== Version update (3.53.0 -> 3.53.1) Subpackages: libsqlite3-0 sqlite3-tcl - Update to version 3.53.1: * Fixes for problems in 3.53.0 reported by users. * See the check-in timeline for details: https://sqlite.org/src/timeline?from=version-3.53.0&to=version-3.53.1 ==== sratom ==== Version update (0.6.20 -> 0.6.22) - update to 0.6.22: * Add clang nullability annotations * Address new warnings in clang and clang-tidy 21 * Fix documentation build without sphinx_lv2_theme * Gracefully handle reading vectors with missing childType properties * Gracefully handle writing vectors with zero childSize properties * Improve error handling ==== sso-mib ==== Version update (0.8.1 -> 0.9.0) - Import version 0.9.0 This bugfix release fixes building without libjwt and implements asking for consent if needed when acquiring a token ==== sssd ==== Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - Add support for UsrEtc; (bsc#1257643); Add patch 0016-UsrEtc.patch - The default configuration file is installed now in /usr/etc/sssd/sssd.conf. It can be completely overridden by manually creating the system specific config file /etc/sssd/sssd.conf, or partially overridden by creating config snippets in /etc/sssd/conf.d/ directory. Check sssd.conf manpage for more details. - Use %pre scriptlet instead of %pretrans to migrate from sssd-common [bsc#1257509]. - The AD backend now uses realmd to update the machine account password. The realmd package is recommended when installing the ad backend. ==== sysconfig ==== Version update (0.90.4 -> 0.90.5) Subpackages: sysconfig-netconfig - version 0.90.5 * netconfig: Do not remove custom /etc/{resolv,yp}.conf on uninstall of sysconfig-netconfig, but only the symlinks to /run/netconfig files created by netconfig or tmpfiles.d(5) (bsc#1263889). ==== tar ==== Subpackages: tar-rmt - remove the userspace fallback implementation for openat2 - Fix bsc#1246399 / CVE-2025-45582. - Add patch: * CVE-2025-45582.patch - Refresh patch: * tar-fix-extract-unlink.patch ==== tree ==== Version update (2.3.1 -> 2.3.2) - update to 2.3.2: * Whitelist characters instead of blacklisting (had an incomplete blacklist somehow,) in url_encode() (M. Richardson) * Wrong path was being used to allocate a path string. * Symbolic link name might be printed incorrectly when -f and - l were used at the same time. (Masaki Hasegawa) * Use EXIT_FAILURE / EXIT_SUCCESS instead of 1 / 0 in exit(), supposedly more portable, but I am not sure I'm convinced. * Fix regression (maybe) in --gitignore for paths that are relative to the .gitignore file broken by using realpath to ==== tree-sitter ==== Review corrections: 1. Fixed SLPP violation: Moved tree-sitter-load-path.el and the grammar directory from the shared library package (libtree-sitter0_26) to the main tree-sitter package. This allows different library versions to be installed in parallel. 2. Removed legacy transition logic: Deleted the Provides and Obsoletes for older library versions (0_22 and 0_25) that were causing hard-dependency conflicts during upgrades. 3. Eliminated conflicting symlink: Added a command in the %install section to remove the unused libtree-sitter.so.0 symlink, preventing potential file conflicts. 4. Verified configuration: Confirmed baselibs.conf correctly references the current library package. - Add `Provides: lib%{name}%{somajor} = %{version}-%{release}` to the definition of `lib%{name}%{somajor}` subpackage. - Correct changelog. ==== unbound ==== Version update (1.24.2 -> 1.25.0) Subpackages: libunbound8 unbound-anchor - Enable quic support by default on the distros where ngtcp2 supports quic. - complete the buildrequire set for quic support by also requiring the devel files for the openssl backend in ngtcp2: pkgconfig(libngtcp2_crypto_ossl) - Update to 1.25.0: Features: * TTL behavior changes: cached records reaching TTL 0 are expired; TTL 0 upstream answers are no longer cached by cachedb; serve-expired-reply-ttl is now capped by the original TTL value; TTL decoding updated to adhere to RFC 8767 section 4 * Add new statistics: num.queries.replyaddr_limit and requestlist.current.replies * Add 'log-thread-id' configuration option to log the system-wide Linux thread ID for easier debugging * Add ECC-GOST12 support per RFC 9558 (available as contrib/gost12.patch) * Allow synthesized DNAME TTL=0 to be served from cache within a 1-second grace period, reducing recursion for TTL=0 DNAMEs (RFC 2308) * Fix DoT/DoH/DoQ to reload certificates on config reload without requiring a full restart; fast_reload now supports changes to tls-service-key, tls-service-pem and tls-cert-bundle * Allow ip@port notation in control-interface configuration * Add iter-scrub-rrsig option (default: 8) to limit the number of RRSIGs processed by the scrubber * Add 'tls-protocols' configuration option to select which TLS protocol versions are used; TLSv1.2 is re-enabled by default * Add pthread_setname_np support for named threads Bug Fixes: * Fix handle leak in pythonmod on pythonmod_init * Fix crash when mesh_detect_cycle_found() is called with no mesh state * Fix modstack_call_init to use the original string when it has changed * Fix fr_atomic_copy_cfg * Fix auth-zone empty label for $ORIGIN when downloading via HTTP * Fix respip and dns64 to be usable simultaneously; RPZ now works with DNS64 * Fix HTTPS and QUIC not being enabled when port is listed in interface-automatic-ports * Allow wait-limit-cookie: 0 to disable cookie-validated wait limits * Fix FIPS mode in OpenSSL causing unit test failure * Fix discard-timeout to only drop UDP, not stream connections * Reply with SERVFAIL when the wait-limit is exceeded * Add extended DNS error code for invalid query type * Replace deprecated SWIG $function with $action * Log a warning for possible circular dependency when using hostnames in stub/forward zones * Fix infra cache for NAT64 by moving NAT64 synthesis to the delegation point when adding target addresses * Fix discard-timeout packet accounting in the mesh area * Update IANA portlist * Copy DNSTAP configuration from daemon to workers after fast_reload * Fix HTTP/2 stream mesh state removal and drop handling for postpone_drop and send failures * Log THROWAWAY and (DNSSEC) LAME responses with clearer categorization in log output * Fix EDE removal logic consistency between encoding errors and encoding replies * Fix EDNS subnet scope-zero queries not being stored when forward-no-cache or stub-no-cache is set * Do not initialize quic_table unless QUIC is enabled * Fix fast_reload to copy iter_scrub_ns, iter_scrub_cname and max_global_quota options * Fix allow-notify entries with hostnames to be copied after IPv4/IPv6 lookup; fix skipping hostname lookups when only URLs are configured * Fix NAT64 inconsistency with do-not-query-address during retries * Fix cachedb aggressive negative responses not setting the RA flag * Fix root key priming failure after loading RPZ zones containing ZONEMD RRtype * Fix local-zone always_refuse to also block DS queries * Fix cache lookup/store in external cachedb when forwarder/stub uses the no-cache option * Fix cachedb returning expired bogus data as non-bogus * Fix validator unchecked state handling with validation recursion and EDNS subnet * Fix DNAME lookup flag and assertion in expired calculation debug routine * Fix DNS rebinding bypass via SVCB/HTTPS records; private-address now also elides SVCB and HTTPS records matching the filter * Warn for unused 'nodefault' local-zone configuration in unbound-checkconf * Fix lock/unlock for view in memory error handling * Apply cache TTL policy to DNAME and synthesized CNAME on the wire path * Fix detection of HTTP listening port in fast_reload * Fix ignoring out-of-zone DNAME records for CNAME synthesis * Fix invalid HTTP content length/chunk size checks and RR rdata field length validation in zone transfer, preventing heap buffer-overflow read errors * Fix defense in depth for service callback with empty packet * Fix shared memory statistics with threads * Fix EDNS client subnet to not store SERVFAIL in the global cache after a failed lookup; stores a short-lived failure entry in the subnet cache instead * Fix memory corruption related core dumps when alloc_reg_obtain encounters an empty list ... changelog too long, skipping 25 lines ... * Update keyring to new NLnet Labs release signing key ==== update-alternatives ==== Version update (1.22.21 -> 1.22.22) - Fix 'dpkg' package for immutable mode (jsc#PED-14790). - Add dpkg.tmpfiles. - Update to 1.22.22 (minor bump from 1.22.21). - Changelog: * dpkg-query: Fix segfault with empty -S argument. * Perl modules: - Dpkg::OpenPGP: Do not run verify with no keyrings. - Dpkg::Shlibs::Objdump::Object: Add support for "Version References" symbols. - Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import. * Code internals: - libdpkg: Terminate zstd decompression when we have no more data. Fixes CVE-2026-2219. - Remove patch file: * CVE-2026-2219.patch * oldperl.patch This patch has been removed as Leap 15.X has reached end-of-life. ==== xf86-video-nv ==== Version update (2.1.23 -> 2.1.24) - Update to version 1.24 * Quiet -Wredundant-decls from xorg/os.h fallbacks for new libc functions * Don't try to load xaa module if not compiled with XAA support * man page: stop claiming to use XAA on Xorg 1.13 & later * Improve man page formatting * g80: Avoid segfault if AccelMethod isn't set and XAA isn't built * Strip trailing whitespace from source files * gitlab CI: drop the ci-fairy check-mr job * use XNFalloc() instead of xnfalloc * use XNFcallocarray() instead of xnfcalloc macro * g80: dont set accelmethod to xaa when xaa is disabled * nv: support 0xf0 device id range * g80/display: Annotate functions * g80/disp: preinit all heads we know in display * g80/output: update known PCI rom sigs * nv: support GT 320M....hopefully * nv/man: link the gitlab issue tracker * treewide: replace XNFcallocarray with XNFcalloc and add wrap it * FreeBSD: nv_driver: Disable check for pci driver in FreeBSD. * netbsd: Try getting the EDID via wscons if the DDC2 method fails. * netbsd: disable not-useful check for an existing kernel driver ==== yast2-storage-ng ==== Version update (5.0.42 -> 5.0.43) - Add device parameter to EncryptionProcess#finish_installation (related to jsc#PED-10703). - 5.0.43 ==== yelp ==== Version update (49.0+22 -> 49.1) Subpackages: libyelp-1-0 - Update to version 49.1: + Fixed issue that could allow remote access to local files. + Updated translations.