Packages changed: apache2-mod_php8 (8.5.7 -> 8.5.8) checkpolicy (3.10 -> 3.11) cifs-utils (7.6 -> 7.7) freerdp (3.27.1 -> 3.28.0) gimp ibus (1.5.33 -> 1.5.34) ibus_gtk4 (1.5.33 -> 1.5.34) libcamera (0.7.1 -> 0.7.2) libdovi (3.3.2 -> 3.4.0) libphonenumber (9.0.33 -> 9.0.34) libpsl (0.22.0 -> 0.23.0) libseccomp (2.6.0 -> 2.6.1) libselinux (3.10 -> 3.11) libselinux-bindings (3.10 -> 3.11) libsemanage (3.10 -> 3.11) libsepol (3.10 -> 3.11) openSUSE-release (20260712 -> 20260714) php8 (8.5.7 -> 8.5.8) policycoreutils (3.10 -> 3.11) publicsuffix (20260622 -> 20260708) python-semanage (3.10 -> 3.11) sdbootutil (1+git20260506.25d47bf -> 1+git20260714.d9bb736) selinux-policy (20260618 -> 20260702) xsetroot (1.1.3 -> 1.1.4) === Details === ==== apache2-mod_php8 ==== Version update (8.5.7 -> 8.5.8) - fix build with GCC 16 (gh#php/php-src#22206) [boo#1267259] - added patch + php-fix-build-gcc16.patch - use system liburiparser [bsc#1270538] [bsc#1270539] - version update to 8.5.8 (CVE-2026-14355 [bsc#1270351]) CLI: Fixed bug GH-21901 (Stale getopt() optional value). Date: Fixed bug GH-18422 (int overflow in php_date_llabs). DOM: Fixed bug GH-22077 (UAF in custom XPath function). Opcache: Fixed tracing JIT crash when a VM interrupt is handled during an observed user function call. Fixed bug GH-21746 (Segfault with tracing JIT). Fixed bug GH-22004 (Assertion failure at ext/opcache/jit/zend_jit_trace.c). Fixed tailcall VM crash when a VM interrupt is handled from a VM helper. OpenSSL: Fix compatibility issues with OpenSSL 4.0. Standard: Fixed bug GH-21689 (version_compare() incorrectly handles versions ending with a dot). URI: Fixed CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference truncation to int in various places). (CVE-2026-44927) Fixed CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal). (CVE-2026-44928) - Revert changes for building with GCC 16 ==== checkpolicy ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Fixed checkpolicy handling of out-of-range and complement at range boundaries for xperm rules (#530, #531). - Dropped legacy fscon statement support from checkpolicy - never used in SELinux policies for mainline kernels (#518). - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Test fixes - Notable Bugfixes: - checkpolicy: remove unneeded malloc() casts - checkpolicy: add missing strdup() failure checks - checkpolicy: use calloc() so no need to do memset() - checkpolicy: replace malloc()+memset() with calloc() ==== cifs-utils ==== Version update (7.6 -> 7.7) Subpackages: wb-cifs-idmap-plugin - Update cifs-utils to 7.7: * cifs.upcall: fix regression with krb5 + creduid * cifs.upcall: Avoid int overflow after year 2038 * mount.cifs: fix const correctness in parse_options * cifs.upcall: fix compiler warning with -Wvla * smbinfo: parse action and filename from change notifications ==== freerdp ==== Version update (3.27.1 -> 3.28.0) Subpackages: libfreerdp3-3 librdtk0-0 libwinpr3-3 - Update to version 3.28.0: + Feature and bugfix release. * iOS client has been revived by @bho3538 * Android client build updates by @svncibrahim * Windows client did get some updates by @zorjen122 * Server side smartcard API by @joantolo * Improved client statistics interface, now also supports static channels * Improved fuzzer and unit tests * CMake preset support making it easier to create a working build configuration, see https://github.com/FreeRDP/FreeRDP/wiki/Compilation#presets + CVE fixes: * CVE-XXXX-XXXXX (GHSA-pjqx-v446-x7fc) * CVE-XXXX-XXXXX (GHSA-9g22-w2gr-vcmp) * CVE-XXXX-XXXXX (GHSA-f27x-frr8-j9hc) * CVE-XXXX-XXXXX (GHSA-72j9-356v-88xq) * CVE-XXXX-XXXXX (GHSA-v64m-xxfw-hrv6) * CVE-2026-57158 * CVE-2026-57157 * CVE-2026-57156 + Changes: * feat(client): Modernize iOS client. (iFreeRDP) (#12949) * [client,ios] remove some deprecation warnings (#12981) * Ios cmake (#12997) * [client,ios] add openh264 build (#13003) * [client,android] riscv64 support (#12923) * [client,android] make release configurable (#12929) * [client,android] allow overriding version name and code (#12931) * [client,android] redesign touch pointer (#12946) * [client,android] move external deps to own CMake file (#12992) * Android build (#12917) * [client,sdl] guard file clipboard (#12911) * [client,sdl] Askpass (#12925) * [client,sdl] throw a real exception instead of invalid bare throw (#12936) * [client,sdl] run sdl_OnUserNotificationEventHandler on SDL thread (#12941) * [client,sdl] fix mouse and touchpad natural scroll setting being ignored (#12967) * fix(client/win) Reset scroll offset when hiding scrollbars (#7536) (#12939) * feat(client/win): improve wfreerdp fullscreen floatbar controls (#12851) * Channel stats (#12964) * Statistics interface (#12968) * [core,channels] add freerdp_static_client_channel_stat_free (#12966) * Support RDPDR Device Control Responses (#12756) * Wlog appender context (#12907) * [winpr,image] bound unaligned bitmap read to declared image size (#12910) * [codec,color] add empty checks for copy (#12912) * Win credssp (#12913) * Adjustments for building on Windows with MSVC (#12916) * channel statistics and random gateway connection id (#12922) * [channels,video] bound frame copy to current surface size (#12919) * OSS-Fuzz: Add new fuzzers targets channels rail client (#12924) * [utils,smartcard] validate cbAtr against rgbAtr size on unpack (#12928) * [channels,rdpecam] fix device added notification parsing (#12930) * [emu,scard] bound select-by-AID compare to GIDS AID length (#12933) * Rails feature setting, xfreerdp kbd sync (#12927) * [core,orders] fix inverted overflow guard in update_read_delta_points (#12938) * [codec,mppc] add missing out of bounds check (#12942) * [channels,tsmf] bound visible rect read in update_geometry_info (#12943) * [channels,rdpecam] bound channel name read in device removed pdu (#12945) * [core,tcp] improve connection failure logging (#12950) * Warn fixes (#12951) * [codec,planar] fix range check, abort early (#12952) * [channels,rdpsnd,mac] recover audio after AVAudioEngine config change (#12958) * [codec,planar] range-check before control byte read in plane rle (#12956) * [channel,rail] fix tests and uninitialized variables (#12960) * [channels,rdpdr] fix off-by-one scan length in rdpdr_read_ustring (#12961) * [channels,remdesk] validate ctl pdu DataLength against received stream (#12955) * [channels,rdpsnd] bound client format pdu length to UINT16 (#12962) * Winpr harden parser checks (#12965) * [winpr,file] bound '?' wildcard match to file name length (#12969) * [channels,urbdrc] bound msusb descriptor reads to received length (#12971) * [core,update] fix the calling convention for Windows x86 (#12973) * [channels,drive] reject trailing '..' in contains_dotdot (#12974) * OSS-Fuzz: Add new fuzzer targeets WinPRClipboard processing (#12976) * Pr/12970 (#12975) * Cliprdr and rdpsnd fixes (#12980) * [channels,rail] fix order read/cleanup (#12979) * [core,utils] skip AuthenticateEx for RDP/TSL/SMARTCARD_PIN/FIDO_PIN (#12978) * replace NULL with nullptr (#12982) * [channels,cliprdr] fix pdu-tracker leak (#12983) * Fuzz fixes bmp (#12986) * [core,gateway] fix const warning (#12987) * [channels] bound dynamic channel message header to received length (#12988) * cmake: add minimal preset for lightweight builds (#12989) * Cleanup all (#12991) * Range checks (#12993) * Deprecations (#12994) * [winpr,string] fix winpr_strnstr needle length (gateway SIGSEGV) (#12995) * Bmp cache (#12999) * [codec,dsp] ensure out capacity in opus encode (#13001) * [winpr,string] match winpr_strnstr fallback to native strnstr (#13002) * Smartcard fixes (#13009) * [client,common] /smartcard-logon pass PEM directly (#13011) * Correct UTF-8 to UTF-16 length (#13012) ==== gimp ==== Subpackages: gimp-plugin-aa gimp-plugin-python3 libgimp-3_0-0 libgimpui-3_0-0 - Add gimp-CVE-2026-58379.patch:Fix PSP File Parsing Heap Buffer Overflow (CVE-2026-58379, bsc#1270299) - Add gimp-CVE-2026-59089.patch:Fix Signed integer overflow (CVE-2026-59089, bsc#1270440) - Lower gexiv2_min_version to 0.14.3, the one Leap 16.1 has atm ==== ibus ==== Version update (1.5.33 -> 1.5.34) Subpackages: ibus-dict-emoji ibus-gtk ibus-gtk3 ibus-lang libibus-1_0-5 typelib-1_0-IBus-1_0 - Upstream update to 1.5.34 * no source changes from 1.5.34-rc2 * replace a tar artifact with the released one - Update version to 1.5.34-rc2(1.5.33.92) * Enhance panel --enable-wayland-im option without daemon * Enhance mouse position in Emojier category list * Enhance Emoji and Unicode notifications * Show Emoji annotations in GNOME * Refer QT_IM_MODULES to check Wayland configuration * Support input purpose and hints in ibus-wayland * Update simple.xml with xkeyboard-config 2.46 * Fix locale compose features * Fix Backspace after commit-text in Ghostty * Fix "no memory" error with focus changes in Sway * Fix latch key in Latvian(tilde) keymap in ibus-wayland * Fix memory leaks * Fix SEGV in ibus-x11 * Fix Panel bugs * Fix build issues * Replace ibus-daemon with ibus start in Github issue templace * IBus Wayland panel can run without --exec-daemon option for the debugging purpose * Follow mouse cursor in Emojier category list * Enhance the order of the loading locale compose file * Support to delete surrounding text feature with the Wayland input-method protocol * Add IBUS_INPUT_HINT_HIDDEN_TEXT * Enhance the pre-edit text in GNOME-Shell password including GDM * Show Emoji annotations in the candidate popup in GNOME * Update translators - Refresh setup-switch-im.patch ==== ibus_gtk4 ==== Version update (1.5.33 -> 1.5.34) - Upstream update to 1.5.34 * no source changes from 1.5.34-rc2 * replace a tar artifact with the released one - Update version to 1.5.34-rc2(1.5.33.92) * Enhance panel --enable-wayland-im option without daemon * Enhance mouse position in Emojier category list * Enhance Emoji and Unicode notifications * Show Emoji annotations in GNOME * Refer QT_IM_MODULES to check Wayland configuration * Support input purpose and hints in ibus-wayland * Update simple.xml with xkeyboard-config 2.46 * Fix locale compose features * Fix Backspace after commit-text in Ghostty * Fix "no memory" error with focus changes in Sway * Fix latch key in Latvian(tilde) keymap in ibus-wayland * Fix memory leaks * Fix SEGV in ibus-x11 * Fix Panel bugs * Fix build issues * Replace ibus-daemon with ibus start in Github issue templace * IBus Wayland panel can run without --exec-daemon option for the debugging purpose * Follow mouse cursor in Emojier category list * Enhance the order of the loading locale compose file * Support to delete surrounding text feature with the Wayland input-method protocol * Add IBUS_INPUT_HINT_HIDDEN_TEXT * Enhance the pre-edit text in GNOME-Shell password including GDM * Show Emoji annotations in the candidate popup in GNOME * Update translators - Refresh setup-switch-im.patch ==== libcamera ==== Version update (0.7.1 -> 0.7.2) Subpackages: libcamera-base0_7 libcamera0_7 - Update to release 0.7.2 * Fixes two separate saturation handling bugs in both the SoftISP and the Raspberry Pi IPA. * On the SoftISP, 12-bit formats are now supported, black level correction is 'fixed' and there are interesting performance improvements with eGL buffer caching. * Within the IPA handling, support for Sony IMX678 was added, as well as Omnivision OV08x40 and OV01A10, and moved to a proportional AGC algorithm for the simple pipeline handler. - Delete libcamera-ov02e10-initial-support.patch ==== libdovi ==== Version update (3.3.2 -> 3.4.0) - Update to 3.4.0: * dovi_rpu_add_cmv40_safe_default_metadata: Adds CMv4.0 default metadata to an existing CMv2.9 RPU * dovi_generate_from_json: Allows generating a list of RPUs from JSON * dovi_rpu_remove_cmv40_metadata: Allows to completely remove CM v4.0 metadata from the RPU * dovi/level11: improve byte1 parsing and remove byte2 validation ==== libphonenumber ==== Version update (9.0.33 -> 9.0.34) - update to 9.0.34: * Updated alternate formatting data for country calling code(s): 34 * Updated phone metadata for region code(s): CM, ES, GY, HN, MZ, SR, TM, TZ, US, UZ * Updated geocoding data for country calling code(s): 504 (en) * Updated carrier data for country calling code(s): 46 (en), 255 (en), 258 (en), 352 (en), 381 (en), 592 (en), 597 (en), 886 (en), 998 (en) * Updated / refreshed time zone meta data. ==== libpsl ==== Version update (0.22.0 -> 0.23.0) - Update to version 0.23.0: * Properly handle leading dot in domains (CVE-2026-8924) * Using libidn as runtime now requires explicit configuration * Modernize configure.ac * Simplify license headers - Regenerate the built-in PSL and test DAFSA files from the system publicsuffix at build time, so they stay in sync with the packaged list and test-is-public-all no longer fails on version skew ==== libseccomp ==== Version update (2.6.0 -> 2.6.1) - Produce unique .src.rpm files per multibuild flavor. - Update to release 2.6.1 * Fixed incorrect 64-bit comparison merge that can weaken libseccomp filters. * Fixed issue where oversized libseccomp filters can trigger a double free. * Fixed issue where oversized libseccomp filters can trigger a heap corruption. * Fixed struct aliasing undefined behavior in the internal libseccomp hash algorithm. * Fixed issue where extraneous bytes were being copied to the destination buffer in seccomp_export_bpf_mem(). * Fix a bug where merged libseccomp filters failed to merge the notify_used flag, leading to no listener file descriptor being generated. - 62-sim-arch_transactions-remove-fuzzer.patch: removed upstream - Fixes in SPEC file. - Update make-python-build.patch to work with multiple versions of Python interpreters. - Add python-pip-packages.patch, modernize-python-build.patch - Enable _multibuild back. - Add support for generating of multiple versions of Python subpackages (using %python_subpackage_only). ==== libselinux ==== Version update (3.10 -> 3.11) Subpackages: libselinux1 libselinux1-32bit selinux-tools - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Several security improvements in libselinux - Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues in file relabeling if /proc is available - Fixed libselinux constructor to not clobber errno (#445). - Fixed libselinux selabel_partial_match(3) to correctly find partial matches. - Fixed libselinux selinux_init_policy_load() to still try to mount selinuxfs on /sys/fs/selinux even if the mount of sysfs on /sys fails - this can occur legitimately within a user namespace. - Improved restorecon related functionality in libselinux - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Fixed libselinux build for non-pthread builds. - Multiple fixes for musl/llvm-based builds, including adding a new EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass - -undefined-version through to lld (#511 thru #515). - Fixed uclibc build failure (#435). - Build shared libraries with -fPIC for LTO. - Notable bug fixes: - libselinux: avoid out-of-bounds access on zero-length lines - Packaging changes: - Drop patch restorecon-Only-log-error-on-readonly-fs-bsc-1232226.patch as it was accepted upstream - Rewrite skip_cycles.patch since the code path has been rewritten entirely upstream ==== libselinux-bindings ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - libselinux and python use system Python3 build module - Updated pywrap build targets for modern python builds using the Python3 build module. - Build shared libraries with -fPIC for LTO. - Packaging changes: - Add python-build as BuildRequires - Drop python3.6 build in 15.7, as python-build is not available for python3.6 - Add workaround in Makefile as python multi build does not work with the combined dist/ folder from upstream ==== libsemanage ==== Version update (3.10 -> 3.11) Subpackages: libsemanage-conf libsemanage2 - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Test fixes - Notable bug fixes: - libsemanage: guard end of path in semanage_fc_find_meta - libsemanage: bunzip: guard against size overflow - libsemanage: genhomedircon: fix STR_COMPARATOR() passed to lfind() - libsemanage: genhomdircon: handle NULL bsearch() in get_users() - libsemanage: fix OOB cleanup in semanage_direct_list() - libsemanage: make expand-check a proper boolean option - libsemanage: use 'bool' for boolean options - libsemanage: Do not use vfork() - libsemanage: Do not discard ‘const’ qualifier ==== libsepol ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Fixed libsepol generation of constraint expressions with a list of names when writing policy.conf from CIL. - Fixed libsepol to generate constrain/validatetrans instead of mlsconstrain/mlsvalidatetrans when converting a module to CIL unless the constraint contains an expression based on level. - Fixed libsepol selection of tunableif or booleanif and to skip empty conditional blocks when converting a module to CIL. - Fixed libsepol/secilc reporting of CIL source file info. - Fixed libsepol to require at least one perm in a CIL classperm and to correctly count the number of elements in the avtab. - Fixed libsepol to link xperm rule permissions correctly. - Fixed libsepol off-by-one error in cats_ebitmap_len(). - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Many hardening fixes spanning the entire tree - Notable bug fixes: - libsepol: cast to unsigned char in ctype calls - libsepol: bound type values in type_set_expand negset loop - libsepol/cil: fix double free of borrowed type datum on error path ==== openSUSE-release ==== Version update (20260712 -> 20260714) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== php8 ==== Version update (8.5.7 -> 8.5.8) Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter - fix build with GCC 16 (gh#php/php-src#22206) [boo#1267259] - added patch + php-fix-build-gcc16.patch - use system liburiparser [bsc#1270538] [bsc#1270539] - version update to 8.5.8 (CVE-2026-14355 [bsc#1270351]) CLI: Fixed bug GH-21901 (Stale getopt() optional value). Date: Fixed bug GH-18422 (int overflow in php_date_llabs). DOM: Fixed bug GH-22077 (UAF in custom XPath function). Opcache: Fixed tracing JIT crash when a VM interrupt is handled during an observed user function call. Fixed bug GH-21746 (Segfault with tracing JIT). Fixed bug GH-22004 (Assertion failure at ext/opcache/jit/zend_jit_trace.c). Fixed tailcall VM crash when a VM interrupt is handled from a VM helper. OpenSSL: Fix compatibility issues with OpenSSL 4.0. Standard: Fixed bug GH-21689 (version_compare() incorrectly handles versions ending with a dot). URI: Fixed CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference truncation to int in various places). (CVE-2026-44927) Fixed CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal). (CVE-2026-44928) - Revert changes for building with GCC 16 ==== policycoreutils ==== Version update (3.10 -> 3.11) Subpackages: policycoreutils-lang policycoreutils-python-utils python313-policycoreutils - Move the sandbox subpackage to the separate selinux-sandbox package (bsc#1270534) drop policycoreutils-sandbox-fix-cleanup.patch - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Several security improvements in dbus and gui - Dropped Python 2 support from audit2why - Added `setfiles -A` option to disable SELINUX_RESTORECON_ADD_ASSOC - restorecon only logs error on read-only filesystem instead of failing (allows relabeling with read-only BTRFS subvolumes) - Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse to relabel files with multiple hard links to prevent mislabeling them. Updated restorecond(8) to always pass this flag when relabeling files to prevent mislabeling hard links to files owned by others, e.g. when relabeling user home directories or /tmp. - Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on large semanage import operations (#291). - Improved semanage-fcontext(8) manpage - Fixed dispol and dismod to show all options in the -h text. - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Updated pywrap build targets for modern python builds using the Python3 build module. - Disabled build isolation for sepolicy python module. - Fixed build errors with glibc 2.43. - Updated pywrap build targets for modern python builds using the Python3 build module. - Packaging changes: - Drop sepolicy-build-isolation.patch was accepted upstream - Drop sandbox-sandbox-fix-saving-file-changes.patch was accepted upstream - Add python-build as new BuildRequires - Rewrite policycoreutils-sandbox-fix-cleanup.patch Code was rewritten upstream, dropped the part in seunshare.c - Rewrite usr_etc.patch Did not apply anymore due to code changes ==== publicsuffix ==== Version update (20260622 -> 20260708) - Update to version 20260708: * Add dev.cv, store.cv, and sch.ac to PSL private domains for Code Fost Host (#2989) * Add grok.me (xAI) to PRIVATE section (#2993) * Remove info.at, biz.at (#2995) * remove mayfirst.org (#2994) * Add multiple dnsHome.de domains (#2916) * Add puter.site puter.app puter.work (#2914) ==== python-semanage ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Fixed libsemanage pywrap target deps for parallel builds. - Packaging changes: - Drop 1266385-libsemanage-Require-LIBSO-before-SWIGSO-and-SWIGRUBY.patch was accepted upstream ==== sdbootutil ==== Version update (1+git20260506.25d47bf -> 1+git20260714.d9bb736) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20260714.d9bb736: * tukit: do not fail if service is not found - Update to version 1+git20260713.d869cf8: * Ignore errors in the snapper plugin - Update to version 1+git20260709.7dfd021: * Remove the background process in the plugin * Fix missing initrd condition (bsc#1270420) * After reboot the shutdown service is not active * Disable the shutdown service after main service * Update uhmac dependencies (rust-openssl) bsc#1270192, CVE-2026-41676 bsc#1270995, CVE-2026-45784 bsc#1270922, CVE-2026-44662 bsc#1270863, CVE-2026-41898 bsc#1270742, CVE-2026-41681 bsc#1270670, CVE-2026-41678 bsc#1270616, CVE-2026-41677 bsc#1270471, CVE-2026-42327 * Add systemd transient service to update predictions * Install extra EFI binaries - Update to version 1+git20260625.7fa275e: * Remove duplicate code and parametrize timers * Check boot entry before kernel installation * Re-install an old kernel if initrd cannot be reused * Skip installation for already installed kernel * Add configurable devicetree entry support * Set explicit kernel and initrd paths * Remove the full tmpdir in the service * Fix /run/sdbootutil permissions * Execute predictions in the background * Add --disable-predictions parameter * Fix comparison operator * Add print-loader-path command ==== selinux-policy ==== Version update (20260618 -> 20260702) Subpackages: selinux-policy-targeted - Update selinux-policy-sandbox description (bsc#1270534) - Update to version 20260702: * Include key_socket in socket_class_set * Remove 14 permissive domains * ci: Run cockpit-machines tests in PRs * Remove the lockdown class from the policy * Allow systemd-logind the sys_ptrace capability in the user namespace * Allow systemd-sleep the perfmon capability * Allow sshd_session_t dyntransition to sftpd_t * Allow lttng kernel tracing * Allow loadkeys create and use its private tmpfs files * Allow journald create and use netlink_tcpdiag_socket * Fix typo in the comment of build.conf * Allow gpg_pinentry_t to write session dbus socket files * Allow systemd-hostnamed read hwdb files * Allow systemd-machined to manage nspawn runtime directory * Allow pcm-sensor-server the sys_admin capability * Allow nut/upsmon read nut_conf_t symlinks * Support new sanlock features - using libdm and SG_IO * Allow thumb_t mount proc filesystem * Allow aide connect to the GDM userdb provider socket * Allow postfix_postdrop_t/system_mail_t append to init unix domain stream sockets * Allow nfsd_t to create netlink_generic_socket (bsc#1267826) * Add anaconda_ioctl_fifo_files_install() and anaconda_write_fifo_files_install() * Allow install_t domain transition to insights_client_t * Allow staff user mounton /var/lib dirs * Allow systemd-coredump signull container runtime * Allow blueman get the attributes of a tmpfs filesystem * portage_compile_domain: Require xdm_xserver_tmp_t type * Add missing interface requirements * Dontaudit virt_driver_domain execmem * fixed file after comment from zpytela. * added caddy related paths. * Remove extra parameters from interface headers * Update bootupd policy for running lsblk * Allow pcscd_t to search cgroup - Syncing with upstream rawhide selinux-policy up to: * 3cf2aa66a844ba5e87fb2a8f04be08c62cf5538a - Update embedded container-selinux version to commit: * 9715eb09108e9fabb0fbaeee9044636b349370eb (v2.250.0) - Update to version 20260630: * Allow snapper_sdbootutil_plugin_t create transient units (bsc#1267377) * Allow bootctl access unconfined_t pid (bsc#1267377) * Refactor sdbootutil into seperate module (bsc#1267377) * Allow pcrlock to send kernel dgram (bsc#1267377) * Add tiny sdbootutil module for sdbootutil snapper plugin changes (bsc#1267377) ==== xsetroot ==== Version update (1.1.3 -> 1.1.4) - Update to version 1.1.4 * -help should exit(0) not (1) * Accept --help & --version as aliases to -help & -version * Improve man page formatting * man page: fix warnings from `mandoc -T lint` * gitlab CI: drop the ci-fairy check-mr job * Strip trailing whitespace from source files * meson: Add option to build with meson - Switch to Meson build system