Packages changed:
  AppStream (1.0.4 -> 1.0.5)
  AppStream-qt6 (1.0.4 -> 1.0.5)
  Box2D
  Mesa (25.0.4 -> 25.0.5)
  Mesa-drivers (25.0.4 -> 25.0.5)
  MozillaFirefox (137.0.2 -> 138.0)
  PackageKit-Qt6 (1.1.1 -> 1.1.2)
  aaa_base (84.87+git20250410.71df276 -> 84.87+git20250429.1cad3bc)
  apache-commons-logging (1.3.4 -> 1.3.5)
  at-spi2-core (2.56.1 -> 2.56.2)
  augeas
  ayatana-ido (0.10.2 -> 0.10.4)
  blog (2.34 -> 2.35)
  btrfsprogs
  busybox
  cnf
  container-selinux (2.236.0 -> 2.237.0)
  coreutils
  coreutils-systemd
  crypto-policies
  cyrus-imapd
  dhcp
  ethtool
  fdupes (2.3.1 -> 2.4.0)
  firewalld
  fuse3 (3.17.1 -> 3.17.2)
  gcc14 (14.2.1+git11321 -> 14.2.1+git11702)
  gcc15 (15.0.1+git9352 -> 15.1.1+git9595)
  gdb (15.2 -> 16.3)
  gimp
  glib2-branding-openSUSE
  glslang (15.2.0 -> 15.3.0)
  gnome-music (48.beta+25 -> 48.beta+31)
  gnome-shell
  gnutls
  grub2
  gstreamer (1.26.0 -> 1.26.1)
  gstreamer-plugins-bad (1.26.0 -> 1.26.1)
  gstreamer-plugins-base (1.26.0 -> 1.26.1)
  gstreamer-plugins-good (1.26.0 -> 1.26.1)
  hwdata (0.393 -> 0.394)
  iptables
  java-21-openjdk (21.0.6.0 -> 21.0.7.0)
  jemalloc
  jitterentropy (3.4.1 -> 3.6.3)
  kernel-firmware-amdgpu
  kernel-firmware-ath10k
  kernel-firmware-ath11k (20250227 -> 20250424)
  kernel-firmware-ath12k (20250206 -> 20250424)
  kernel-firmware-atheros
  kernel-firmware-bluetooth
  kernel-firmware-bnx2
  kernel-firmware-brcm
  kernel-firmware-chelsio
  kernel-firmware-dpaa2
  kernel-firmware-i915
  kernel-firmware-intel
  kernel-firmware-iwlwifi (20250312 -> 20250423)
  kernel-firmware-liquidio
  kernel-firmware-marvell
  kernel-firmware-media (20250422 -> 20250424)
  kernel-firmware-mediatek
  kernel-firmware-mellanox
  kernel-firmware-mwifiex
  kernel-firmware-network
  kernel-firmware-nfp
  kernel-firmware-nvidia
  kernel-firmware-platform
  kernel-firmware-prestera
  kernel-firmware-qcom
  kernel-firmware-qlogic
  kernel-firmware-radeon
  kernel-firmware-realtek
  kernel-firmware-serial
  kernel-firmware-sound
  kernel-firmware-ti
  kernel-firmware-ueagle
  kernel-firmware-usb-network
  kernel-source (6.14.3 -> 6.14.4)
  libavif (1.1.1 -> 1.2.1)
  libeconf (0.7.7 -> 0.7.8)
  libedit (20210910.3.1 -> 20250104.3.1)
  libgcrypt
  libgpg-error (1.54 -> 1.55)
  libheif (1.19.7 -> 1.19.8)
  liblogging
  libnftnl
  libqt5-qtwebengine
  libraw (0.21.3 -> 0.21.4)
  libsoup
  libsoup2
  libssh
  libxkbcommon (1.8.1 -> 1.9.0)
  libzip
  libzypp (17.36.6 -> 17.36.7)
  lilv
  lua54
  mariadb-connector-c
  mozilla-nss (3.109 -> 3.110)
  ncurses (6.5.20250412 -> 6.5.20250426)
  nghttp2 (1.64.0 -> 1.65.0)
  open-vm-tools
  openSUSE-release (20250423 -> 20250503)
  openssh (9.9p2 -> 10.0p2)
  openssh-askpass-gnome (9.9p2 -> 10.0p2)
  openssl-3 (3.2.4 -> 3.5.0)
  openssl (3.2.4 -> 3.5.0)
  orca
  postfix (3.10.1 -> 3.10.2)
  publicsuffix (20250407 -> 20250424)
  python-M2Crypto (0.44.0 -> 0.45.1)
  python-MarkupSafe (2.1.5 -> 3.0.2)
  python-gevent (24.10.3 -> 25.4.2)
  python-greenlet (3.1.1 -> 3.2.1)
  python-h11 (0.14.0 -> 0.16.0)
  python-httpcore (1.0.8 -> 1.0.9)
  python-hyperframe (6.0.1 -> 6.1.0)
  python-pycares (4.6.0 -> 4.6.1)
  python-pylsqpack (0.3.19 -> 0.3.20)
  python311
  python311-core
  python313 (3.13.2 -> 3.13.3)
  python313-core (3.13.2 -> 3.13.3)
  qt6-declarative
  rpm
  sane-backends
  sdbootutil (1+git20250421.7ffd25a -> 1+git20250430.f7d1ad1)
  selinux-policy (20250411 -> 20250429)
  sqlite3
  texlive
  unbound (1.22.0 -> 1.23.0)
  webrtc-audio-processing-1
  wtmpdb (0.73.0+git20250408.edb8638 -> 0.74.0+git20250424.2e93e77)
  xfce4-pulseaudio-plugin (0.5.0 -> 0.5.1)
  yast2-journal (5.0.1 -> 5.0.2)
  yast2-trans (84.87.20250416.5cd9324ae2 -> 84.87.20250422.c1fec29547)
  zypper (1.14.88 -> 1.14.89)

=== Details ===

==== AppStream ====
Version update (1.0.4 -> 1.0.5)
Subpackages: libappstream5

- Update to 1.0.5
  Features:
  * qt: Expose markup conversion utils
  * desktop-styles: Add android and iOS
  * validator: Check for xml:lang="en" being used on description
    template elements
  * validator: Flag cases of raw text in "description" elements
  * metadata: Add more known extensions into
    as_metadata_file_guess_style()
  Specification:
  * docs: Clarify that the style segment of a screenshot environment
    is optional
  * docs: Explain consequences of defining an icon for desktop-app
    metainfo
  * docs: Clarify that description content must be in p/li elements
  Bugfixes:
  * validator: mark as_validator_issue_tag_list static
  * docs: Add workaround for gi-docgen misnaming devhelp files
  * compose: Do not permit SVG images as screenshots
  * compose: Don't "forget" to scan remaining paths when
    re-encountering a dir
  * pool: Try explicit singular term match if we only have
    low-quality tokens
  * utils: Provide compatibility with Fedora icon tarballs when
    installing them
  * utils: Remove leftover g_chmod()
  * zstd-decompressor: Pass output/written data when decompression
    finished
  * utils: Expect a dash in icons file name
  * utils: Recognize .yml* and .yaml* file extension variants, and
    .zst extension
  * utils: Rename the appstream file when re-saving it on install

==== AppStream-qt6 ====
Version update (1.0.4 -> 1.0.5)

- Update to 1.0.5
  Features:
  * qt: Expose markup conversion utils
  * desktop-styles: Add android and iOS
  * validator: Check for xml:lang="en" being used on description
    template elements
  * validator: Flag cases of raw text in "description" elements
  * metadata: Add more known extensions into
    as_metadata_file_guess_style()
  Specification:
  * docs: Clarify that the style segment of a screenshot environment
    is optional
  * docs: Explain consequences of defining an icon for desktop-app
    metainfo
  * docs: Clarify that description content must be in p/li elements
  Bugfixes:
  * validator: mark as_validator_issue_tag_list static
  * docs: Add workaround for gi-docgen misnaming devhelp files
  * compose: Do not permit SVG images as screenshots
  * compose: Don't "forget" to scan remaining paths when
    re-encountering a dir
  * pool: Try explicit singular term match if we only have
    low-quality tokens
  * utils: Provide compatibility with Fedora icon tarballs when
    installing them
  * utils: Remove leftover g_chmod()
  * zstd-decompressor: Pass output/written data when decompression
    finished
  * utils: Expect a dash in icons file name
  * utils: Recognize .yml* and .yaml* file extension variants, and
    .zst extension
  * utils: Rename the appstream file when re-saving it on install

==== Box2D ====

- Drop BuildRequires: glew-devel as it is not used for build

==== Mesa ====
Version update (25.0.4 -> 25.0.5)
Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1

- Update to release 25.0.5
  - -> https://docs.mesa3d.org/relnotes/25.0.5

==== Mesa-drivers ====
Version update (25.0.4 -> 25.0.5)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva Mesa-vulkan-device-select libvulkan_lvp

- Update to release 25.0.5
  - -> https://docs.mesa3d.org/relnotes/25.0.5

==== MozillaFirefox ====
Version update (137.0.2 -> 138.0)
Subpackages: MozillaFirefox-branding-upstream

- Mozilla Firefox 138.0
  https://www.mozilla.org/en-US/firefox/138.0/releasenotes/
  MFSA 2025-28 (bsc#1241621)
  * CVE-2025-2817 (bmo#1917536)
    Privilege escalation in Firefox Updater
  * CVE-2025-4082 (bmo#1937097)
    WebGL shader attribute memory corruption in Firefox for macOS
  * CVE-2025-4083 (bmo#1958350)
    Process isolation bypass using "javascript:" URI links in
    cross-origin frames
  * CVE-2025-4085 (bmo#1915280)
    Potential information leakage and privilege escalation in
    UITour actor
  * CVE-2025-4086 (bmo#1945705)
    Specially crafted filename could be used to obscure download
    type
  * CVE-2025-4087 (bmo#1952465)
    Unsafe attribute access during XPath parsing
  * CVE-2025-4088 (bmo#1953521)
    Cross-site request forgery via storage access API redirects
  * CVE-2025-4089 (bmo#1949994, bmo#1956698, bmo#1960198)
    Potential local code execution in "copy as cURL" command
  * CVE-2025-4090 (bmo#1929478)
    Leaked library paths in Firefox for Android
  * CVE-2025-4091 (bmo#1951161, bmo#1952105)
    Memory safety bugs fixed in Firefox 138, Thunderbird 138,
    Firefox ESR 128.10, and Thunderbird 128.10
  * CVE-2025-4092 (bmo#1924108, bmo#1950780, bmo#1959367)
    Memory safety bugs fixed in Firefox 138 and Thunderbird 138
- requires NSS 3.110
- rebased patches

==== PackageKit-Qt6 ====
Version update (1.1.1 -> 1.1.2)

- Update to 1.1.2
  * offline: Make sure we allow for interactive authorization
  * Allow Transaction::setHints before the transaction has started
  * Fix check for PackageKit D-Bus specs
  * Add missing info enum values

==== aaa_base ====
Version update (84.87+git20250410.71df276 -> 84.87+git20250429.1cad3bc)
Subpackages: aaa_base-extras

- Update to version 84.87+git20250429.1cad3bc:
  * Remove alias "you" (boo#1242011)
- Update to version 84.87+git20250425.1664836:
  * Fix bug boo#1241205 by adding missed endif
  * alias.bash: future-proof egrep/fgrep color aliases

==== apache-commons-logging ====
Version update (1.3.4 -> 1.3.5)

- Upgrade to 1.3.5
  * Fixed Bugs
    + Javadoc is missing its Overview page.
    + Remove -nouses directive from maven-bundle-plugin. OSGi
      package imports now state 'uses' definitions for package
      imports, this doesn't affect JPMS (from
      org.apache.commons:commons-parent:80).
  * Changes
    + Bump org.apache.commons:commons-parent from 72 to 81 #285,
      [#287], #295, #298, #303, #310, #339.
    + Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0
      [#288] [test].
    + Bump log4j2.version from 2.23.1 to 2.24.3 #292, #299, #319,
      [#328].
  * Removed:
    + Remove "cobertura" plugin use JaCoco, Cobertura is
      unmaintained.

==== at-spi2-core ====
Version update (2.56.1 -> 2.56.2)
Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0

- Update to version 2.56.2:
  + Fix the build with glib < 2.76.
  + a11y-manager-device: Fix unmap_keysym_modifier.

==== augeas ====
Subpackages: augeas-bash-completion augeas-lenses libaugeas0 libfa1

- Add patch, fix for bsc#1239909 / CVE-2025-2588:
  * CVE-2025-2588.patch

==== ayatana-ido ====
Version update (0.10.2 -> 0.10.4)

- Update to version 0.10.4:
  * src/idoscalemenuitem.c: Disable menu item selection
  * src/idoscalemenuitem.c: Add ability to close the menu when the
    slider's value changes.
- Update to version 0.10.3:
  * src/idoswitchmenuitem.c: Allow the switch to display an
    accelerator.

==== blog ====
Version update (2.34 -> 2.35)
Subpackages: libblogger2

- Update to version 2.35
  * Make s390 3215 console work that is use EPOLLOUT|EPOLLONESHOT
    to control if we can write to ttyS0 in nonblocking mode and if
    not reenable EPOLLOUT|EPOLLONESHOT.
  * At boot set for ttyS0 via vmcp API nonblocking MORE mode with
    `0 0'. It beeps but boots.
- Remove patches now upstream
  * blog-3215.patch
  * blog-install.patch

==== btrfsprogs ====
Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1

- Fix name clash of parse_range between common/parse-utils.c and
  libblkid.a from util-linux-2.41
  (btrfsprogs-libblkid-static-lib-clash.patch).

==== busybox ====
Subpackages: busybox-static

- fix regression in hexdump that broke kernel build:
  * busybox-1.37.0-fix-regression-n2.patch
- fix build/tests and hexdump on big endian systems (S390):
  * busybox-1.37.0-hexdump-fix-regression-for-uint16-on-big-endian-syst.patch
  * busybox-1.37.0-od-make-B-test-little-endian-only-add-variant-for-bi.patch
  * busybox-1.37.0-hexdump-add-tests-for-x-handle-little-big-endian-pro.patch

==== cnf ====
Subpackages: cnf-bash

- Fix Obsolete of a scout-command-not-found to <= 0.2.9

==== container-selinux ====
Version update (2.236.0 -> 2.237.0)

- Update to version 2.237.0:
  * bootc/install_t: allow transition to container_runtime_t
  * Allow containers to mask parts of their /proc

==== coreutils ====

- coreutils-i18n.patch: update gnulib mbchar+mbfile to the commit
  used by coreutils-9.7:
  https://git.sv.gnu.org/cgit/gnulib.git/commit/?id=41e7b7e0d
  mainly to pick up these commits:
  - c67c553e758 mbfile: Support pushback characters also right before EOF.
  - 87ee7ef66ee mbfile: Allow 2 pushback characters.

==== coreutils-systemd ====

- coreutils-i18n.patch: update gnulib mbchar+mbfile to the commit
  used by coreutils-9.7:
  https://git.sv.gnu.org/cgit/gnulib.git/commit/?id=41e7b7e0d
  mainly to pick up these commits:
  - c67c553e758 mbfile: Support pushback characters also right before EOF.
  - 87ee7ef66ee mbfile: Allow 2 pushback characters.

==== crypto-policies ====
Subpackages: crypto-policies-scripts

- Update crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch

==== cyrus-imapd ====
Subpackages: cyradm libcyrus0 perl-Cyrus-Annotator perl-Cyrus-IMAP perl-Cyrus-SIEVE-managesieve

- CVE-2025-23394: cyrus-imapd: daily-backup.sh allows escalation
  from cyrus to root (bsc#1241536)
  Adapt backup-cyrus.service to run as user cyrus:mail

==== dhcp ====
Subpackages: dhcp-client dhcp-relay dhcp-server

- Add compile option '-std=gnu17' to fix build with gcc15.
  [bsc#1241472]

==== ethtool ====
Subpackages: ethtool-bash-completion

- fix AppStream metainfo XML file
  * misc-fix-AppStream-metainfo-XML.patch

==== fdupes ====
Version update (2.3.1 -> 2.4.0)

- Update to 2.4.0:
  * Add quick summary option that skips byte-for-byte match
    confirmation.
  * Reduce number of progress indicator updates for better
    performance.
- Update to 2.3.2:
  * Keep cursor as close to current group as possible after
    deleting files.

==== firewalld ====
Subpackages: firewalld-bash-completion python3-firewall

- Split the package to build the firewalld-rpmmacros subpackage in
  a _multibuild flavor so that we can build it in Factory/i586 by
  itself instead of building the whole package, which has more
  dependencies (like python-PyQt6).

==== fuse3 ====
Version update (3.17.1 -> 3.17.2)
Subpackages: libfuse3-4

- Update to release 3.17.2
  * Fixed initialization races related to buffer reallocation when
    large buf sizes are used (/proc/sys/fs/fuse/max_pages_limit).
  * A conn.want flag conversion fix for high-level applications.

==== gcc14 ====
Version update (14.2.1+git11321 -> 14.2.1+git11702)

- Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build.
- Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702
  * Remove gcc14-pr118780.patch now on the upstream branch
- Fix build on s390x [bsc#1241549]

==== gcc15 ====
Version update (15.0.1+git9352 -> 15.1.1+git9595)
Subpackages: cpp15 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-pp libtsan2 libubsan1

- Update to GCC 15 branch head, 15.1.1+git9595
  * includes GCC 15.1 release
- Enable gfx9-generic, gfx10-3-generic and gfx11-generic multilibs
  for the AMD GCN offload compiler when llvm is new enough.
- Build the COBOL frontend also for risc-v
- Add loongarch64 to quadmath_arch

==== gdb ====
Version update (15.2 -> 16.3)

- Mention fixup-gdb-6.5-gcore-buffer-limit-test.patch.
- Mention changes in GDB 16:
  * GDB now supports watchpoints for tagged data pointers (see
    https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such as
    the one used by the Linear Address Masking (LAM) feature
    provided by Intel.
  * Debugging support for Intel MPX has been removed. This includes
    the removal of:
    * MPX register support
    * the commands "show/set mpx bound" (deprecated since GDB 15)
    * i386 and amd64 implementation of the hooks report_signal_info
      and get_siginfo_type.
  * GDB now supports printing of asynchronous events from the Intel
    Processor Trace during 'record instruction-history', 'record
    function-call-history' and all stepping commands. This can be
    controlled with the new "set record btrace pt event-tracing"
    command.
  * GDB now supports printing of ptwrite payloads from the Intel
    Processor Trace during 'record instruction-history', 'record
    function-call-history' and all stepping commands. The payload
    is also accessible in Python as a RecordAuxiliary object.
    Printing is customizable via a ptwrite filter function in
    Python. By default, the raw ptwrite payload is printed for each
    ptwrite that is encountered.
  * For breakpoints that are created in the 'pending' state, any
    'thread' or 'task' keywords are parsed at the time the
    breakpoint is created, rather than at the time the breakpoint
    becomes non-pending.
  * Thread-specific breakpoints are only inserted into the program
    space in which the thread of interest is running. In most cases
    program spaces are unique for each inferior, so this means that
    thread-specific breakpoints will usually only be inserted for
    the inferior containing the thread of interest. The breakpoint
    will be hit no less than before.
  * For ARM targets, the offset of the pc in the jmp_buf has been
    fixed to match glibc 2.20 and later. This should only matter
    when not using libc probes. This may cause breakage when using
    an incompatible libc, like uclibc or newlib, or an older glibc.
  * MTE (Memory Tagging Extension) debugging is now supported on
    AArch64 baremetal targets.
  * In a record session, when a forward emulation reaches the end
    of the reverse history, the warning message has been changed to
    indicate that the end of the history has been reached. It also
    specifies that the forward execution can continue, and the
    recording will also continue.
  * The Ada 'Object_Size attribute is now supported.
  * New bash script gstack uses GDB to print stack traces of
    running processes.
  * Python API:
    * Added gdb.record.clear. Clears the trace data of the current
      recording. This forces re-decoding of the trace for
      successive commands.
    * Added the new event source gdb.tui_enabled.
    * New module gdb.missing_objfile that facilitates dealing with
      missing objfiles when opening a core-file.
    * New function gdb.missing_objfile.register_handler that can
      register an instance of a sub-class of
      gdb.missing_debug.MissingObjfileHandler as a handler for
      missing objfiles.
    * New class gdb.missing_objfile.MissingObjfileHandler which can
      be sub-classed to create handlers for missing objfiles.
    * The 'signed' argument to gdb.Architecture.integer_type() will
      no longer accept non-bool types.
    * The gdb.MICommand.installed property can only be set to True
      or False.
    * The 'qualified' argument to gdb.Breakpoint constructor will
      no longer accept non-bool types.
    * Added the gdb.Symbol.is_artificial attribute.
  * Debugger Adapter Protocol changes:
    * The "scopes" request will now return a scope holding global
      variables from the stack frame's compilation unit.
    * The "scopes" request will return a "returnValue" scope
      holding the return value from the latest "stepOut" command,
      when appropriate.
    * The "launch" and "attach" requests were rewritten in
      accordance with some clarifications to the spec. Now they can
      be sent at any time after the "initialized" event, but will
      not take effect (or send a response) until after the
      "configurationDone" request has been sent.
    * The "variables" request will not return artificial symbols.
  * New commands:
    * show jit-reader-directory
      Show the name of the directory that "jit-reader-load" uses
      for relative file names.
    * set style line-number foreground COLOR
      set style line-number background COLOR
      set style line-number intensity VALUE
      Control the styling of line numbers printed by GDB.
    * set style command foreground COLOR
      set style command background COLOR
      set style command intensity VALUE
      Control the styling of GDB commands when displayed by GDB.
    * set style title foreground COLOR
      set style title background COLOR
      set style title intensity VALUE
      This style now applies to the header line of lists, for
      example the first line of the output of "info breakpoints".
      Previous uses of this style have been replaced with the new
  ... changelog too long, skipping 120 lines ...
  * gdb-rhbz-818343-set-solib-absolute-prefix-testcase.patch

==== gimp ====
Subpackages: gimp-plugin-aa gimp-plugin-python3 libgimp-3_0-0 libgimpui-3_0-0

- Added libheif-aom dependency to AVIF support (boo#1241553).

==== glib2-branding-openSUSE ====

- Update defaults to match current situation:
  + Remove banshee preference: banshee has not been shipped since 2016.
  + Add Loupe to the preferred applications for images
  + Do not use Eog by default. As it's alphabetically before Loupe,
    Eog would always win the way it was listed (when installed).
  + Explicitly set image/tiff to org.gnome.Loupe as Eog is no
    longer part of the default installations.

==== glslang ====
Version update (15.2.0 -> 15.3.0)

- Update to release 15.3
  * Fix crash calling coopMatLoadTensorNV on an array element
  * Implement GL_EXT_bfloat16
  * Add missing error checks for bfloat16 math

==== gnome-music ====
Version update (48.beta+25 -> 48.beta+31)

- Update to version 48.beta+31:
  + Remove useless GIRepository import.
  + Updated translations.

==== gnome-shell ====
Subpackages: gnome-extensions gnome-shell-calendar

- Drop gnome-shell-executable-path-not-absolute.patch: The original
  patch did not work as expected, and assuming gsettings is in the
  bin dir of gnome-shell is not correct, so keep relative path
  (bsc#1241666).

==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30

- Fix FIPS mode running on Tumbleweed [bsc#1237101]
  * When nettle or libhogweed are installed with glibc-hwcaps for
    x86_64-v3, some paths differ and we are unable to match the
    hmac file for the lib.
  * Add gnutls-FIPS-HMAC-x86_64-v3-opt.patch

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-common grub2-snapper-plugin grub2-systemd-sleep-plugin

- grub2-common: use fuse3
- Add support for boot assessment, needed by health-checker
  * grub2-bls-boot-counting.patch
  * grub2-bls-boot-assessment.patch
  * grub2-bls-boot-show-snapshot.patch
  * grub2-blscfg-fix-hang.patch
  * grub2-blscfg-set-efivars.patch
- Fix reading bls fragments in file-system dependent order that is
  not predictable (bsc#1241046)
  * 0001-blscfg-read-fragments-in-order.patch
- Fix PPC CAS reboot failure work when initiated via submenu
  (bsc#1241132)
  * 0001-Fix-PowerPC-CAS-reboot-to-evaluate-menu-context.patch

==== gstreamer ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.26.1:
  + Highlighted bugfixes:
    - awstranslate and speechmatics plugin improvements
    - decodebin3 fixes and urisourcebin/playbin3 stability
      improvements
    - Closed captions: CEA-708 generation and muxing fixes, and
      H.264/H.265 caption extractor fixes
    - dav1d AV1 decoder: RGB support, plus colorimetry,
      renegotiation and buffer pool handling fixes
    - Fix regression when rendering VP9 with alpha
    - H.265 decoder base class and caption inserter SPS/PPS
      handling fixes
    - hlssink3 and hlsmultivariantsink feature enhancements
    - Matroska v4 support in muxer, seeking fixes in demuxer
    - macOS: framerate guessing for cameras or capture devices
      where the OS reports silly framerates
    - MP4 demuxer uncompressed video handling improvements and
      sample table handling fixes
    - oggdemux: seeking improvements in streaming mode
    - unixfdsrc: fix gst_memory_resize warnings
    - Plugin loader fixes, especially for Windows
    - QML6 GL source renegotiation fixes
    - RTP and RTSP stability fixes
    - Thread-safety improvements for the Media Source Extension
      (MSE) library
    - v4l2videodec: fix A/V sync issues after decoding errors
    - Various improvements and fixes for the fragmented and non-fragmented MP4
      muxers
    - Video encoder base class segment and buffer timestamp
      handling fixes
    - Video time code support for 119.88 fps and
      drop-frames-related conversion fixes
    - WebRTC: Retransmission entry creation fixes and better audio
      level header extension compatibility
    - YUV4MPEG encoder improvements
    - dots-viewer: make work locally without network access
    - gst-python: fix compatibility with PyGObject >= 3.52.0
    - Cerbero: recipe updates, compatibility fixes for
      Python < 3.10; Windows Android cross-build improvements
    - Various bug fixes, build fixes, memory leak fixes, and other
      stability and reliability improvements
  + gstreamer:
    - Correctly handle whitespace paths when executing
      gst-plugin-scanner
    - Ensure properties are freed before (re)setting with
      g_value_dup_string() and during cleanup
    - cmake: Fix PKG_CONFIG_PATH formatting for Windows
      cross-builds
    - macos: Move macos function documentation to the .h so the
      introspection has the information
    - meson.build: test for and link against libatomic if it exists
    - pluginloader-win32: Fix helper executable path under devenv
    - pluginloader: fix pending_plugins Glist use-after-free issue
    - unixfdsrc: Complains about resize of memory area
    - tracers: dots: fix debug log

==== gstreamer-plugins-bad ====
Version update (1.26.0 -> 1.26.1)
Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.26.1:
  + Add missing Requires in pkg-config
  + Ensure properties are freed before (re)setting with
    g_value_dup_string() and during cleanup
  + Update docs
  + aja: Use the correct location of the AJA NTV2 SDK in the docs
  + alphacombine: De-couple flush-start/stop events handling
  + alphadecodebin: use a multiqueue instead of a couple of queues
  + avfvideosrc: Guess reasonable framerate values for some 3rd
    party devices
  + codecalpha: name both queues
  + d3d12converter: Fix cropping when automatic mipmap is enabled
  + dashsink: Make sure to use a non-NULL pad name when requesting
    a pad from splitmuxsink
  + docs: Fix GstWebRTCICE* class documentation
  + h264ccextractor, h265ccextractor: Handle gap with unknown pts
  + h265decoder, h265ccinserter: Fix broken SPS/PPS link
  + h265parser: Fix num_long_term_pics bound check
  + Segmentation fault in H265 decoder
  + h266decoder: fix leak parsing SEI messages
  + meson.build: test for and link against libatomic if it exists
  + mse: Improved Thread Safety of API
  + mse: Revert ownership transfer API change in
    gst_source_buffer_append_buffer()
  + tensordecoders: updating element classification
  + unixfd: Fix wrong memory size when offset > 0
  + uvcsink: Respond to control requests with proper error handling
  + v4l2codecs: unref frame in all error paths of end_picture
  + va: Skip codecs that report maximum width or height lower than
    minimum
  + vapostproc: fix wrong video orientation after restarting the
    element
  + vavp9enc: fix mem leaks in _vp9_decide_profile
  + vkformat: fix build error
  + vtenc: Avoid deadlocking when changing properties on the fly
  + vulkan: fix memory leak at dynamic registering
  + webrtc: enhance rtx entry creation
  + webrtcbin: add missing warning for caps mismatch
  + ZDI-CAN-26596: New Vulnerability Report (Security)
- Drop va-codecs-check-size.patch: Fixed upstream.
- Drop cuda_nvdec conditional, builds fine for aarch64/armv7 now.

==== gstreamer-plugins-base ====
Version update (1.26.0 -> 1.26.1)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Update to version 1.26.1:
  + Ensure properties are freed before (re)setting with
    g_value_dup_string() and during cleanup
  + alsadeviceprovider: Fix leak of Alsa longname
  + audioaggregator: fix error added in !8416 when chaining up
  + audiobasesink: Fix custom slaving driftsamples calculation and
    add custom audio clock slaving callback example
  + decodebin3:
    - Don't avoid parsebin even if we have a matching decoder
    - Doesn't plug parsebin for AAC from tsdemux
  + gl: eglimage: warn the reason of export failure
  + glcolorconvert:
    - Fix YUVA<->RGBA conversions
    - Regression when rendering alpha vp9
  + gldownload: Unref glcontext after usage
  + meson.build: test for and link against libatomic if it exists
  + oggdemux: Don't push new packets if there is a pending seek
  + urisourcebin:
    - Make parsebin activation more reliable
    - Deadlock between parsebin and typefind
  + videoencoder: Use the correct segment and buffer timestamp in
    the chain function
  + videotimecode: Fix conversion of timecode to datetime with
    drop-frame timecodes and handle 119.88 fps correctly in all
    places

==== gstreamer-plugins-good ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-plugins-good-gtk

- Update to version 1.26.1:
  + Ensure properties are freed before (re)setting with
    g_value_dup_string() and during cleanup
  + gst-plugins-good: Matroska mux v4 support
  + matroska-demux: Prevent corrupt cluster duplication
  + qml6glsrc: update buffer pool on renegotiation
  + qt6: Add a missing newline in unsupported platform message
  + qtdemux:
    - Fix stsc size check in qtdemux_merge_sample_table()
    - Next Iteration Of Uncompressed
      MP4 Decoder
    - Unref simple caps after use
  + rtspsrc:
    - Do not emit signal 'no-more-pads' too early
    - Don't error out on not-linked too early
  + rtpsession:
    - Do not push events while holding SESSION_LOCK
    - Deadlock when gst_rtp_session_send_rtcp () is forwarding eos
  + v4l2: drop frame for frames that cannot be decoded
  + v4l2videodec: AV unsync for streams with many frames that
    cannot be decoded
  + v4l2object:
    - Fix memory leak
    - Fix type mismatch when ioctl takes int
  + y4menc:
    - Fix Y41B format
    - Handle frames with GstVideoMeta

==== hwdata ====
Version update (0.393 -> 0.394)

- Update to version 0.394:
  * Update pci and vendor ids

==== iptables ====
Subpackages: libip4tc2 libip6tc2 libxtables12 xtables-plugins

- Remove legacy backend from SLES16

==== java-21-openjdk ====
Version update (21.0.6.0 -> 21.0.7.0)
Subpackages: java-21-openjdk-headless

- Update to upstream tag jdk-21.0.7+6 (April 2025 CPU)
  * CVEs
    + CVE-2025-21587, bsc#1241274
    + CVE-2025-30691, bsc#1241275
    + CVE-2025-30698, bsc#1241276
  * Changes
    + JDK-8198237: [macos] Test java/awt/Frame/
      /ExceptionOnSetExtendedStateTest/
      /ExceptionOnSetExtendedStateTest.java fails
    + JDK-8211851: (ch) java/nio/channels/AsynchronousSocketChannel/
      /StressLoopback.java times out (aix)
    + JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB
      tab in JColorChooser
    + JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in
      FileChooser Dialog
    + JDK-8227529: With malformed --app-image the error messages
      are awful
    + JDK-8277240: java/awt/Graphics2D/ScaledTransform/
      /ScaledTransform.java dialog does not get disposed
    + JDK-8283664: Remove jtreg tag manual=yesno for
      java/awt/print/PrinterJob/PrintTextTest.java
    + JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit
      access thread fields from native
    + JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism
      are problematic
    + JDK-8294316: SA core file support is broken on macosx-x64
      starting with macOS 12.x
    + JDK-8295159: DSO created with -ffast-math breaks Java floating-point
      arithmetic
    + JDK-8302111: Serialization considerations
    + JDK-8304701: Request with timeout aborts later in-flight
      request on HTTP/1.1 cxn
    + JDK-8309841: Jarsigner should print a warning if an entry is
      removed
    + JDK-8311546: Certificate name constraints improperly
      validated with leading period
    + JDK-8312570: [TESTBUG] Jtreg compiler/loopopts/superword/
      /TestDependencyOffsets.java fails on 512-bit SVE
    + JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/
      /NextDropActionTest.java fails with
      java.lang.RuntimeException: wrong next drop action!
    + JDK-8313905: Checked_cast assert in CDS compare_by_loader
    + JDK-8314752: Use google test string comparison macros
    + JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails
      with java.lang.AssertionError: Expected [0]. Actual [1618]:
    + JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/
      /ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java
      timed out
    + JDK-8315825: Open some swing tests
    + JDK-8315882: Open some swing tests 2
    + JDK-8315883: Open source several Swing JToolbar tests
    + JDK-8315952: Open source several Swing JToolbar JTooltip
      JTree tests
    + JDK-8316056: Open source several Swing JTree tests
    + JDK-8316146: Open some swing tests 4
    + JDK-8316149: Open source several Swing JTree JViewport
      KeyboardManager tests
    + JDK-8316218: Open some swing tests 5
    + JDK-8316371: Open some swing tests 6
    + JDK-8316627: JViewport Test headless failure
    + JDK-8316885: jcmd: Compiler.CodeHeap_Analytics cmd does not
      inform about missing aggregate
    + JDK-8317283: jpackage tests run osx-specific checks on
      windows and linux
    + JDK-8317636: Improve heap walking API tests to verify
      correctness of field indexes
    + JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber
      registered
    + JDK-8317919: pthread_attr_init handle return value and
      destroy pthread_attr_t object
    + JDK-8319233: AArch64: Build failure with clang due to
      -Wformat-nonliteral warning
    + JDK-8320372: test/jdk/sun/security/x509/DNSName/
      /LeadingPeriod.java validity check
failed + JDK-8320676: Manual printer tests have no Pass/Fail buttons, instructions close set 1 + JDK-8320691: Timeout handler on Windows takes 2 hours to complete + JDK-8320706: RuntimePackageTest.testUsrInstallDir test fails on Linux + JDK-8320916: jdk/jfr/event/gc/stacktrace/ /TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded" + JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java failed with 'Cannot read the array length because "" is null' + JDK-8322983: Virtual Threads: exclude 2 tests + JDK-8324672: Update jdk/java/time/tck/java/time/ /TCKInstant.java now() to be more robust + JDK-8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2 + JDK-8324838: test_nmt_locationprinting.cpp broken in the gcc windows build + JDK-8325042: Remove unused JVMDITools test files + JDK-8325529: Remove unused imports from `ModuleGenerator` test file + JDK-8325659: Normalize Random usage by incubator vector tests + JDK-8325937: runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame ... changelog too long, skipping 347 lines ... + rediff ==== jemalloc ==== - Add fix_make_check_with_gcc15.patch to make the testsuite pass despite new GCC malloc-related optimizations. 
[boo#1240665] ==== jitterentropy ==== Version update (3.4.1 -> 3.6.3) - Update to 3.6.3: [bsc#1242050] * Correct time stamp processing on AIX * Use high-resolution time stamp on Apple Silicon * GCD power-up test: consider OSR * Remove patches fixed in the update: - jitterentropy-fix-a-stack-corruption-on-s390x.patch * Rebase patches: - jitterentropy-split-internal-header.patch - jitterentropy-with-debug.patch - Update to 3.6.2: * Fix RCT re-initialization in jent_read_entropy_safe * simplify test code * improve keyword portability - Update to 3.6.1: * Add more test code * Add support for SunPRO compiler * Fix compilation on OpenBSD by replacing sed with tr * internal timer: Add support for Apple * Various small fixes to compilation to improve portability - Update to 3.6.0: * Remove bi-modal behavior of conditioning function * Make jent_read_entropy_safe safer by retrying the health test * Move the version information to make them available at compile time - Update to 3.5.0: * add distinction between intermittent and permanent health failure * add compile time option to allow configuring a mask to reduce the size of the time stamp used for the APT ==== kernel-firmware-amdgpu ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-ath10k ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. 
==== kernel-firmware-ath11k ==== Version update (20250227 -> 20250424) - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. - Update to version 20250424 (git commit c8af472e05cb): * ath11k: WCN6855 hw2.0: update board-2.bin * ath11k: IPQ5018 hw1.0: update to WLAN.HK.2.6.0.1-01300-QCAHKSWPL_SILICONZ-1 ==== kernel-firmware-ath12k ==== Version update (20250206 -> 20250424) - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. - Update to version 20250424 (git commit c8af472e05cb): * ath12k: WCN7850 hw2.0: update to WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 * ath12k: QCN9274 hw2.0: update board-2.bin ==== kernel-firmware-atheros ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-bluetooth ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. 
==== kernel-firmware-bnx2 ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-brcm ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-chelsio ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-dpaa2 ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-i915 ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-intel ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. 
Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-iwlwifi ==== Version update (20250312 -> 20250423) - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. - Update to version 20250423 (git commit c67433231cbd): * iwlwifi: add Bz/gl FW for core95-82 release * iwlwifi: update ty/So/Ma firmwares for core95-82 release * iwlwifi: update cc/Qu/QuZ firmwares for core95-82 release - Update to version 20250422 (git commit 32f3227b67c0): * iwlwifi: add Bz-hr FW for core93-123 release ==== kernel-firmware-liquidio ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-marvell ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-media ==== Version update (20250422 -> 20250424) - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. 
Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. - Update to version 20250424 (git commit c8af472e05cb): * qcom: vpu: update video firmware binary for SA8775p ==== kernel-firmware-mediatek ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-mellanox ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-mwifiex ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-network ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-nfp ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. 
Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-nvidia ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-platform ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-prestera ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-qcom ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-qlogic ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. 
==== kernel-firmware-radeon ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-realtek ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-serial ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-sound ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-ti ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-ueagle ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. 
Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-firmware-usb-network ==== - Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem. Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case. ==== kernel-source ==== Version update (6.14.3 -> 6.14.4) Subpackages: kernel-64kb kernel-default - Linux 6.14.4 (bsc#1012628). - scsi: hisi_sas: Enable force phy when SATA disk directly connected (bsc#1012628). - wifi: at76c50x: fix use after free access in at76_disconnect (bsc#1012628). - wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (bsc#1012628). - wifi: mac80211: Purge vif txq in ieee80211_do_stop() (bsc#1012628). - wifi: brcmfmac: fix memory leak in brcmf_get_module_param (bsc#1012628). - wifi: wl1251: fix memory leak in wl1251_tx_work (bsc#1012628). - scsi: iscsi: Fix missing scsi_host_put() in error path (bsc#1012628). - scsi: smartpqi: Use is_kdump_kernel() to check for kdump (bsc#1012628). - md/raid10: fix missing discard IO accounting (bsc#1012628). - md/md-bitmap: fix stats collection for external bitmaps (bsc#1012628). - ASoC: dwc: always enable/disable i2s irqs (bsc#1012628). - ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (bsc#1012628). - crypto: tegra - Fix IV usage for AES ECB (bsc#1012628). - ovl: remove unused forward declaration (bsc#1012628). - RDMA/bnxt_re: Fix budget handling of notification queue (bsc#1012628). - RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (bsc#1012628). - RDMA/hns: Fix wrong maximum DMA segment size (bsc#1012628). 
- ALSA: hda/cirrus_scodec_test: Don't select dependencies (bsc#1012628). - ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (bsc#1012628). - ASoC: cs42l43: Reset clamp override on jack removal (bsc#1012628). - RDMA/core: Silence oversized kvmalloc() warning (bsc#1012628). - firmware: cs_dsp: test_bin_error: Fix uninitialized data used as fw version (bsc#1012628). - Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (bsc#1012628). - Bluetooth: btrtl: Prevent potential NULL dereference (bsc#1012628). - Bluetooth: l2cap: Check encryption key size on incoming connection (bsc#1012628). - RDMA/bnxt_re: Remove unusable nq variable (bsc#1012628). - ipv6: add exception routes to GC list in rt6_insert_exception (bsc#1012628). - xen: fix multicall debug feature (bsc#1012628). - mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show() (bsc#1012628). - wifi: iwlwifi: pcie: set state to no-FW before reset handshake (bsc#1012628). - Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" (bsc#1012628). - igc: fix PTM cycle trigger logic (bsc#1012628). - igc: increase wait time before retrying PTM (bsc#1012628). - igc: move ktime snapshot into PTM retry loop (bsc#1012628). - igc: handle the IGC_PTP_ENABLED flag correctly (bsc#1012628). - igc: cleanup PTP module if probe fails (bsc#1012628). - igc: add lock preventing multiple simultaneous PTM transactions (bsc#1012628). - perf tools: Remove evsel__handle_error_quirks() (bsc#1012628). - dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry (bsc#1012628). - smc: Fix lockdep false-positive for IPPROTO_SMC (bsc#1012628). - test suite: use %zu to print size_t (bsc#1012628). - selftests: mincore: fix tmpfs mincore test failure (bsc#1012628). - pds_core: fix memory leak in pdsc_debugfs_add_qcq() (bsc#1012628). - ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() (bsc#1012628). - net: mctp: Set SOCK_RCU_FREE (bsc#1012628). 
- net: hibmcge: fix incorrect pause frame statistics issue (bsc#1012628). - net: hibmcge: fix incorrect multicast filtering issue (bsc#1012628). - net: hibmcge: fix wrong mtu log issue (bsc#1012628). - net: hibmcge: fix not restore rx pause mac addr after reset issue (bsc#1012628). - block: fix resource leak in blk_register_queue() error path (bsc#1012628). - netlink: specs: ovs_vport: align with C codegen capabilities (bsc#1012628). - net: openvswitch: fix nested key length validation in the set() action (bsc#1012628). - can: rockchip_canfd: fix broken quirks checks (bsc#1012628). - net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1012628). - octeontx2-pf: handle otx2_mbox_get_rsp errors (bsc#1012628). - net: ethernet: ti: am65-cpsw: fix port_np reference counting (bsc#1012628). - eth: bnxt: fix missing ring index trim on error path (bsc#1012628). - loop: aio inherit the ioprio of original request (bsc#1012628). - loop: stop using vfs_iter_{read,write} for buffered I/O (bsc#1012628). - nvmet: pci-epf: always fully initialize completion entries (bsc#1012628). ... changelog too long, skipping 328 lines ... - commit f04c2d4 ==== libavif ==== Version update (1.1.1 -> 1.2.1) - Disable tests due to restrictions in Factory/ring1. - Temporary deactivation of the generation of manual pages with pandoc due to restrictions in Factory/ring1. (https://build.opensuse.org/request/show/1272161#comment-2136811) - update to 1.2.1: * Added since 1.2.0 - Add support for outputting all frames of an image sequence in avifdec. - avifdec --index all sequence.avif out.png creates files named - out-xxxxxxxxxx.png where xxxxxxxxxx are the zero-padded frame indices. * Changed since 1.2.0 - Fix local libargparse dependency patch step on macOS 10.15 and earlier. - Patch local libyuv dependency for compatibility with gcc 10. - Use stricter C99 syntax to avoid related compilation issues. - Update svt.cmd/svt.sh/LocalSvt.cmake to v3.0.1. 
- update to 1.2.0: * Added since 1.1.1 - Turn on the gain map API. Remove the AVIF_ENABLE_EXPERIMENTAL_GAIN_MAP CMake flag. - Allow YCgCo_Re and YCgCo_Ro encoding/decoding and update the enum values to the latest CICP specification. Remove the AVIF_ENABLE_EXPERIMENTAL_YCGCO_R CMake flag. - Add the properties and numProperties fields to avifImage. They are filled by the avifDecoder instance with the properties unrecognized by libavif. They are written by the avifEncoder. - Add avif(Un)SignedFraction structs and avifDoubleTo(Un)SignedFraction utility functions. - Add 'avifgainmaputil' command line tool to installed apps. - Add avifCropRectRequiresUpsampling(). - Add experimental support for PixelInformationProperty syntax from HEIF 3rd Ed. Amd2 behind the compilation flag AVIF_ENABLE_EXPERIMENTAL_EXTENDED_PIXI. - Add experimental Sample Transform recipe BIT_DEPTH_EXTENSION_12B_8B_OVERLAP_4B. * Changed since 1.1.1 - avifenc: Allow large images to be encoded. - Fix empty CMAKE_CXX_FLAGS_RELEASE if -DAVIF_CODEC_AOM=LOCAL -DAVIF_LIBYUV=OFF is specified. #2365. - Rename AVIF_ENABLE_EXPERIMENTAL_METAV1 to AVIF_ENABLE_EXPERIMENTAL_MINI and update the experimental reduced header feature to the latest specification draft. Rename AVIF_HEADER_REDUCED to AVIF_HEADER_MINI. - Update the experimental Sample Transform feature behind the AVIF_ENABLE_EXPERIMENTAL_SAMPLE_TRANSFORM CMake flag to the latest specification draft. - Ignore gain maps with unsupported metadata. Handle gain maps with writer_version > 0 correctly. - Simplify gain map API: remove the enableParsingGainMapMetadata setting, now gain map metadata is always parsed if present and if this feature is compiled in. Replace enableDecodingGainMap and ignoreColorAndAlpha with a bit field to choose image content to decode. Remove gainMapPresent: users can check if decoder->image->gainMap != NULL instead. Remove avifGainMapMetadata and avifGainMapMetadataDouble structs. 
- Write an empty HandlerBox name field instead of "libavif" (saves 7 bytes). - Check for FileTypeBox precedence in avifParse(). - Do not write an alternative group with the same ID as an item. - Update aom.cmd/LocalAom.cmake: v3.12.0. The new codec-specific option tune=iq (image quality) is added in libaom v3.12.0. - Update parseAV2SequenceHeader() and avm.cmd: research-v9.0.0 - Update dav1d.cmd/dav1d_android.sh/LocalDav1d.cmake: 1.5.1 - Update libjpeg.cmd/LocalJpeg.cmake: v3.0.4 - Update libxml2.cmd/LocalLibXml2.cmake: v2.13.5 - Update libyuv.cmd: ccdf87034 (1903) - Update svt.cmd/svt.sh/LocalSvt.cmake to v3.0.0. When available, use EbSvtAv1EncConfiguration::lossless and ::level_of_parallelism in libavif. - Remove AVIF_ENABLE_GTEST CMake option. It's now implied by AVIF_GTEST=LOCAL/SYSTEM. - Deprecate avifEncoder's minQuantizer, maxQuantizer, minQuantizerAlpha, and maxQuantizerAlpha fields. quality and qualityAlpha should be used instead. Deprecate avifenc's --min, --max, --minalpha and --maxalpha flags. -q or --qcolor and --qalpha should be used instead. - For dependencies, the deprecated way of setting AVIF_LOCAL_* to ON is removed. Dependency options can now only be set to OFF/LOCAL/SYSTEM. - Change the default quality for alpha to be the same as the quality for color. - Allow decoding subsampled images with odd Clean Aperture dimensions or offsets. - Deprecate avifCropRectConvertCleanApertureBox() and avifCleanApertureBoxConvertCropRect(). Replace them with avifCropRectFromCleanApertureBox() and avifCleanApertureBoxFromCropRect(). - Write descriptive properties before transformative properties. - Reject non-essential transformative properties. - Treat avifenc --stdin as a regular positional file path argument. - Update man pages based on avifenc/dec's --help message. - android_jni: Support 16kb page size - android_jni: Set threads to 2 instead of CPU count - Fix overflows when dealing with alpha during YUV/RGB conversions and in avifRGBImageAllocatePixels(). 
- Make avifEncoder.headerFormat a flag combination for future features. - Rename AVIF_HEADER_FULL to AVIF_HEADER_DEFAULT. Deprecate AVIF_HEADER_FULL. - Fix decoding image sequences with non video tracks (such as audio or subtitles). - Fix type checking of auxiliary tracks: previously any auxiliary track was assumed to be alpha, even if it was a different type. If the aux type is absent, it is assumed to be alpha. - Add libargparse-ee74d1b53bd680748af14e737378de57e2a0a954.tar.gz - Add %check/tests - Add man pages ==== libeconf ==== Version update (0.7.7 -> 0.7.8) - Update to version 0.7.8: * Fix memory access if there is a comment character inside a comment. ==== libedit ==== Version update (20210910.3.1 -> 20250104.3.1) - update to 20250104: * all: sync with upstream source * doc/Makefile.am: fix regression. Name all manpage links as el_* (e.g. el_history.3) to avoid conflicts. * src/chartype.c: Add missing stdint.h * src/sys.h, src/reallocarr.c: Remove unused sys/cdefs.h include, to compile against musl libc * src/sys.h: Add __sun guard around sys/types.h in sys.h - drop libedit-20180525-manpage-conflicts.patch and libedit-hidden-symbols.patch: upstreamed - no need for autoreconf and its BuildRequires: ==== libgcrypt ==== - Differentiate use of SHA1 in the service level indicator [jsc#PED-12227] * Include upstream SLI revamp and fips certification fixes * Add patches: - libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch - libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch - libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch - libgcrypt-fips-tests-Add-t-digest.patch - libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch - libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch - 
libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch - libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch - libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch - libgcrypt-tests-fips-Rename-t-fips-service-ind.patch - libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch - libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch - libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch - libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch - libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch - libgcrypt-Fix-the-previous-change.patch - libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch - libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch - libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch - libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch - libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch - libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch - libgcrypt-build-Improve-__thread-specifier-check.patch - libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch - libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch - libgcrypt-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-FIPS-mode.patch - libgcrypt-cipher-rsa-Mark-reject-SHA1-unknown-with-RSA-signature-generation.patch - libgcrypt-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-mode.patch - libgcrypt-md-Use-check_digest_algo_spec-in-_gcry_md_selftest.patch - libgcrypt-tests-Update-t-fips-service-ind-using-GCRY_MD_SHA256-for-KDF-tests.patch - libgcrypt-fips-cipher-Do-the-computation-when-marking-non-compliant.patch - libgcrypt-tests-Allow-tests-with-USE_RSA.patch - libgcrypt-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch - libgcrypt-cipher-Differentiate-use-of-label-K-in-the-SLI.patch - 
libgcrypt-cipher-Differentiate-igninvflag-in-the-SLI.patch - libgcrypt-cipher-Differentiate-no-blinding-flag-in-the-SLI.patch - libgcrypt-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch - libgcrypt-cipher-ecc-Fix-for-supplied-K.patch - libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch - libgcrypt-cipher-fips-Fix-for-random-override.patch - libgcrypt-md-Make-SHA-1-non-FIPS-internally-for-1.12-API.patch - libgcrypt-fips-Fix-GCRY_FIPS_FLAG_REJECT_MD.patch - libgcrypt-doc-Add-about-GCRYCTL_FIPS_SERVICE_INDICATOR.patch - libgcrypt-doc-Fix-syntax-error.patch * Rebase patches: - libgcrypt-FIPS-SLI-kdf-leylength.patch ==== libgpg-error ==== Version update (1.54 -> 1.55) - Update to 1.55: * Rewrite the extended length path handling under Windows. [T5754] * Add new test commands to the gpg-error tool. Allow command w/o dashes and reformat the help. [rEc002490a8f] * Silence warning from gcc 15. [T7621] ==== libheif ==== Version update (1.19.7 -> 1.19.8) Subpackages: gdk-pixbuf-loader-libheif libheif-aom libheif-dav1d libheif-ffmpeg libheif-jpeg libheif-openjpeg libheif-rav1e libheif-svtenc libheif1 - update to 1.19.8: * Set essential flag for transformative properties as required by MIAF. This fixes the display of AVIF images with transformations encoded by libheif in Chrome, which checks whether this flag is set. This mainly affected images encoded by ImageMagick. * If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF, libheif will not check any security limits. This can be used if a user works with large images and the application software does not allow adjusting the libheif security limits. * Resolved processing 16-bit JPEG-2000 ==== liblogging ==== - Compile with gcc15 instead of gcc14 * gcc14 is not available in the Leap16 codestream ==== libnftnl ==== - Update signing key to 0x8C5F7146A1757A65E2422A94D70D1A666ACF2B21, which is currently used to sign the latest tarballs including version 1.2.9. 
==== libqt5-qtwebengine ==== - Add some backported upstream changes to fix gcc-15 compile time errors: * qtwebengine-5.15.18-gcc15-cstdint.patch ==== libraw ==== Version update (0.21.3 -> 0.21.4) - version update to 0.21.4 * additional checks in PhaseOne correction tag 0x412 processing * Do not apply canon metadata crop to DNG files * Make sure the profile_length is the same size as the allocated memory. * fix: remove duplicated supported camera * check split_col/split_row values in phase_one_correct * Prevent out-of-bounds read in fuji 0xf00c tag parser * prevent OOB reads in phase_one_correct - modified sources % baselibs.conf - fixes: * CVE-2025-43964 [bsc#1241584] * CVE-2025-43962 [bsc#1241585] * CVE-2025-43961 [bsc#1241643] * CVE-2025-43963 [bsc#1241642] ==== libsoup ==== Subpackages: libsoup-3_0-0 typelib-1_0-Soup-3_0 - Add libsoup-CVE-2025-32907.patch: correct merge of ranges (boo#1241222 CVE-2025-32907 glgo#GNOME/libsoup!452). ==== libsoup2 ==== - Add more CVE fixes: + c9083869.patch (boo#1241686 CVE-2025-46420) + libsoup-CVE-2025-32914.patch (boo#1241164 CVE-2025-32914) + libsoup-CVE-2025-32907.patch (boo#1241222 CVE-2025-32907) + libsoup-CVE-2025-46421.patch (boo#1241688 CVE-2025-46421) ==== libssh ==== Subpackages: libssh-config libssh4 - Fix build and tests with OpenSSH >= 10.0 * Use %make_build instead of naked make * Add patches: - libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch - libssh-misc-Fix-OpenSSH-banner-parsing.patch ==== libxkbcommon ==== Version update (1.8.1 -> 1.9.0) Subpackages: libxkbcommon-x11-0 libxkbcommon0 libxkbregistry0 - Update to release 1.9.0 * keysyms can now be written as just Unicode strings, including multi-keysyms. * Added support for new ``, `` and `` wildcard syntax in rules files. * Added support for a new escaping format for Unicode, `\u{NNNN}`. ==== libzip ==== - Fix libzip-devel dependencies. libzip-targets*.cmake create CMake targets for zipcmp, zipmerge and ziptool. 

==== libzypp ====
Version update (17.36.6 -> 17.36.7)
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file.
- version 17.36.7 (35)

==== lilv ====
- Rework the way the preferred python flavor is used as prefix so it also works with Slowroll
- Add BuildRequires for pkgconfig(zix) which was pulled in indirectly but is actually required since 0.24.22.
- Generate the python subpackage with the python flavored prefix it's being used instead of always using python3

==== lua54 ====
- Fix license: it is MIT, not GPL-3.0-or-later.

==== mariadb-connector-c ====
- add patches from upstream to fix gcc-15 compile time errors:
  * mariadb-connector-c-3.4.5-gcc15.patch
  * mariadb-connector-c-3.4.5-gcc15-part2.patch

==== mozilla-nss ====
Version update (3.109 -> 3.110)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit mozilla-nss-tools
- update to NSS 3.110
  * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
  * bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
  * bmo#1953429 - Remove Crl templates from ASN1 fuzz target
  * bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
  * bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
  * bmo#1930807 - NSS policy updates
  * bmo#1951161 - Improve locking in nssPKIObject_GetInstances
  * bmo#1951394 - Fix race in sdb_GetMetaData
  * bmo#1951800 - Fix member access within null pointer
  * bmo#1950077 - Increase smime fuzzer memory limit
  * bmo#1949677 - Enable resumption when using custom extensions
  * bmo#1952568 - change CN of server12 test certificate
  * bmo#1949118 - Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
  * bmo#1949118 - Part 1: Fix smime UBSan errors
  * bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
  * bmo#1951491 - Don't build libpkix in static builds
  * bmo#1951395 - handle `-p all` in try syntax
  * bmo#1951346 - fix opt-make builds to actually be opt
  * bmo#1951346 - fix opt-static builds to actually be opt
  * bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch

==== ncurses ====
Version update (6.5.20250412 -> 6.5.20250426)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen
- Modify patch ncurses-5.9-ibm327x.dif
  * sclp term: use ASCII Console key mapping and support home
  * ibm327x term: can do color and drawings but no cursor
- Add ncurses patch 20250426
  + expand note on extensions in curs_addch.3x
  + add illumos, sun-16color, sun-256color, sun-direct -TD
  + add wyse+cvis -TD
- Add ncurses patch 20250419
  + add note on scrolling and lower-right corner to waddch and wadd_wch manual pages.
- Modify patch ncurses-5.9-ibm327x.dif
  * sclp term: more missed features like home/end/pageup/pagedown keys

==== nghttp2 ====
Version update (1.64.0 -> 1.65.0)
- version update to 1.65.0
  * Change clang-format options by @tatsuhiro-t in #2240
  * build(deps): bump github.com/quic-go/quic-go from 0.46.0 to 0.47.0 by @dependabot in #2243
  * build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #2244
  * nghttp2_map: Port ngtcp2 changes by @tatsuhiro-t in #2245
  * h2load: Fix UDP datagram send/recv metric by @tatsuhiro-t in #2248
  * build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #2252
  * fix race condition on h1 connection close by @TuxInvader in #2249
  * Gha ubuntu 24.04 by @tatsuhiro-t in #2254
  * GHA: Run tests for i686-w64-mingw32 host by @tatsuhiro-t in #2255
  * cmake: Fix c-ares v1.34.0 version detection failure by @tatsuhiro-t in #2256
  * fix: -Wextra-semi errors in nghttp2_helper.h by @codebytere in #2258
  * clang-format macros that do not need semicolon at the end by @tatsuhiro-t in #2259
  * Remove extra semicolons by @tatsuhiro-t in #2260
  * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2261
  * Do not allow '@' in :authority or host field values by @tatsuhiro-t in #2262
  * h2load: GRO buffer size should be 64KiB by @tatsuhiro-t in #2263
  * Bump libbpf to v1.4.6 by @tatsuhiro-t in #2264
  * Update nghttp2_check_authority doc by @tatsuhiro-t in #2265

==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop
- (bsc#1237147): Newer version of containerd do not have the directory /usr/share/go/1.x/contrib/src/github.com/containerd/containerd/api.
  Update detect-suse-location.patch to point to the directory /usr/share/go/1.x/contrib/src/github.com/containerd/containerd/vendor/github.com/containerd/containerd/api to find the needed files and update the tasks.proto file to import from github.com/containerd/containerd/vendor/github.com/containerd/containerd/api

==== openSUSE-release ====
Version update (20250423 -> 20250503)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Version update (9.9p2 -> 10.0p2)
Subpackages: openssh-clients openssh-common openssh-server
- Add openssh-send-extra-term-env.patch, which appends a few environment variables useful for terminal identification to the default send and accept lists.
- "Update" to openssh 10.0p2:
  - There was an issue during the packaging of 10.0p1 which made it identify itself as 10.0p2 so 10.0p1 is now considered identical to 10.0p2 and upstream won't release a separate 10.0p2 package.
- Update to openssh 10.0p1:
  = Potentially-incompatible changes
  * This release removes support for the weak DSA signature algorithm, completing the deprecation process that began in 2015 (when DSA was disabled by default) and repeatedly warned over the last 12 months.
  * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by scp & sftp. This disables implicit session creation by these tools when ControlMaster was set to yes/auto by configuration, which some users found surprising. This change will not prevent scp/sftp from using an existing multiplexing session if one had already been created. GHPR557
  * This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.
  * sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session". Downstream distributors of OpenSSH will need to package the sshd-auth binary.
  * sshd(8): this release disables finite field (a.k.a modp) Diffie-Hellman key exchange in sshd by default. Specifically, this removes the "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" methods from the default KEXAlgorithms list. The client is unchanged and continues to support these methods by default. Finite field Diffie Hellman is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages. ECDH has been specified for the SSH protocol for 15 years and some form of ECDH has been the default key exchange in OpenSSH for the last 14 years.
  * sshd(8): this release removes the implicit fallback to compiled-in groups for Diffie-Hellman Group Exchange KEX when the moduli file exists but does not contain moduli within the client-requested range. The fallback behaviour remains for the case where the moduli file does not exist at all. This allows administrators more explicit control over which DH groups will be selected, but can lead to connection failures if the moduli file is edited incorrectly. bz#2793
  = Security
  * sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. X11 forwarding is disabled by default in the server and agent forwarding is off by default in the client.
  = New features
  * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. This algorithm is considered to be safe against attack by quantum computers, is guaranteed to be no less strong than the popular curve25519-sha256 algorithm, has been standardised by NIST and is considerably faster than the previous default.
  * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher for the connection. The default cipher preference list is now Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR (128/192/256).
  * ssh(1): add %-token and environment variable expansion to the ssh_config SetEnv directive.
  * ssh(1): allow %-token and environment variable expansion in the ssh_config User directive, with the exception of %r and %C which would be self-referential. bz#3477
  * ssh(1), sshd(8): add "Match version" support to ssh_config and sshd_config. Allows matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*".
  * ssh(1): add support for "Match sessiontype" to ssh_config. Allows matching on the type of session initially requested, either "shell" for interactive sessions, "exec" for command execution sessions, "subsystem" for subsystem requests, such as sftp, or "none" for transport/forwarding-only sessions.
  * ssh(1): add support for "Match command ..." support to ssh_config, allowing matching on the remote command as specified on the command-line.
  * ssh(1): allow 'Match tagged ""' and 'Match command ""' to match empty tag and command values respectively.
  * sshd(8): allow glob(3) patterns to be used in sshd_config AuthorizedKeysFile and AuthorizedPrincipalsFile directives. bz2755
  * sshd(1): support the VersionAddendum in the client, mirroring the option of the same name in the server; bz2745
  * ssh-agent(1): the agent will now delete all loaded keys when signaled with SIGUSR1. This allows deletion of keys without having access to $SSH_AUTH_SOCK.
  * Portable OpenSSH, ssh-agent(1): support systemd-style socket activation in ssh-agent using the LISTEN_PID/LISTEN_FDS mechanism. Activated when these environment variables are set,
... changelog too long, skipping 116 lines ...
  * fix-nopie-flag.patch

==== openssh-askpass-gnome ====
Version update (9.9p2 -> 10.0p2)
- "Update" to openssh 10.0p2:
  * No changes for askpass, see main package changelog for details.
- Update to openssh 10.0p1:
  * No changes for askpass, see main package changelog for details.

==== openssl-3 ====
Version update (3.2.4 -> 3.5.0)
Subpackages: libopenssl3
- Update to 3.5.0:
  * Changes:
    - Default encryption cipher for the req, cms, and smime applications changed from des-ede3-cbc to aes-256-cbc.
    - The default TLS supported groups list has been changed to include and prefer hybrid PQC KEM groups. Some practically unused groups were removed from the default list.
    - The default TLS keyshares have been changed to offer X25519MLKEM768 and X25519.
    - All BIO_meth_get_*() functions were deprecated.
  * New features:
    - Support for server side QUIC (RFC 9000)
    - Support for 3rd party QUIC stacks including 0-RTT support
    - Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
    - A new configuration option no-tls-deprecated-ec to disable support for TLS groups deprecated in RFC8422
    - A new configuration option enable-fips-jitter to make the FIPS provider to use the JITTER seed source
    - Support for central key generation in CMP
    - Support added for opaque symmetric key objects (EVP_SKEY)
    - Support for multiple TLS keyshares and improved TLS key establishment group configurability
    - API support for pipelining in provided cipher algorithms
  * Remove patches:
    - openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
    - openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
    - openssl-3-add-defines-CPACF-funcs.patch
    - openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
    - openssl-3-add-xof-state-handling-s3_absorb.patch
    - openssl-3-fix-state-handling-sha3_absorb_s390x.patch
    - openssl-3-fix-s390x_shake_squeeze.patch
    - openssl-3-hw-acceleration-aes-xts-s390x.patch
    - openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
    - openssl-3-fix-state-handling-keccak_final_s390x.patch
    - openssl-3-add-hw-acceleration-hmac.patch
    - openssl-3-fix-state-handling-sha3_final_s390x.patch
    - openssl-3-fix-hmac-digest-detection-s390x.patch
    - openssl-3-support-multiple-sha3_squeeze_s390x.patch
    - openssl-3-fix-sha3-squeeze-ppc64.patch
    - openssl-3-fix-s390x_sha3_absorb.patch
    - openssl-3-fix-state-handling-shake_final_s390x.patch
    - openssl-3-add_EVP_DigestSqueeze_api.patch
    - openssl-FIPS-enforce-security-checks-during-initialization.patch
    - openssl-FIPS-140-3-zeroization.patch
    - openssl-FIPS-Add-explicit-indicator-for-key-length.patch
    - openssl-FIPS-Mark-SHA1-as-nonapproved.patch
    - openssl-Remove-EC-curves.patch
    - openssl-FIPS-services-minimize.patch
    - openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
    - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
    - openssl-3-fix-quic_multistream_test.patch
    - openssl-3-jitterentropy-3.4.0.patch
    - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
    - openssl-FIPS-140-3-DRBG.patch
    - openssl-FIPS-Use-FFDHE2048-in-self-test.patch
    - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
    - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
    - openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
    - openssl-FIPS-enforce-EMS-support.patch
    - openssl-Allow-disabling-of-SHA1-signatures.patch
    - openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * Rebased patches:
    - openssl-pkgconfig.patch
    - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
    - openssl-Add-Kernel-FIPS-mode-flag-support.patch
    - openssl-Force-FIPS.patch
    - openssl-disable-fipsinstall.patch
    - openssl-FIPS-embed-hmac.patch
    - openssl-Add-changes-to-ectest-and-eccurve.patch
    - openssl-Disable-explicit-ec.patch
    - openssl-skipped-tests-EC-curves.patch
    - openssl-FIPS-140-3-keychecks.patch
    - openssl-FIPS-early-KATS.patch
    - openssl-FIPS-limit-rsa-encrypt.patch
    - openssl-FIPS-Expose-a-FIPS-indicator.patch
    - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
    - openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
    - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
    - openssl-FIPS-RSA-disable-shake.patch
    - openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
    - openssl-FIPS-Enforce-error-state.patch
    - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
    - openssl-FIPS-enforce-EMS-support.patch
    - openssl-TESTS-Disable-default-provider-crypto-policies.patch
    - openssl-skip-quic-pairwise.patch
  * Add patches:
    - openssl-FIPS-Fix-encoder-decoder-negative-test.patch
    - openssl-FIPS-SUSE-FIPS-module-version.patch
    - openssl-FIPS-EC-disable-weak-curves.patch
    - openssl-FIPS-NO-DES-support.patch
    - openssl-FIPS-NO-DSA-Support.patch
    - openssl-FIPS-NO-Kmac.patch
    - openssl-FIPS-NO-PQ-ML-SLH-DSA.patch
    - openssl-shared-jitterentropy.patch
    - openssl-rh-allow-sha1-signatures.patch
    - openssl-disable-75-test_quicapi-test.patch
- Changes between 3.3.0 and 3.4.0:
  * Changes:
    - Deprecation of TS_VERIFY_CTX_set_* functions and addition of
... changelog too long, skipping 96 lines ...
    - Support for using certificate profiles and extended delayed delivery in CMP

==== openssl ====
Version update (3.2.4 -> 3.5.0)
- Update to 3.5.0

==== orca ====
- Downgrade Wnck to Recommends. It is an optional dependency and is not used under Wayland (bsc#1241516).

==== postfix ====
Version update (3.10.1 -> 3.10.2)
- update to 3.10.2
  * Bugfix (defect introduced: date 19991116): when appending a setting to a main.cf or master.cf file that did not end in a newline character, the "postconf -e" command did not add an extra newline character before appending the new setting, causing information to become garbled.
  * Bugfix (defect introduced: Postfix 2.3, date 20051222): the Dovecot auth client did not attempt to create a new connection after an I/O error on an existing connection.
  * Improved and corrected error messages when converting (host or service) information to (symbolic text, numerical text, or binary) form.
  * Documentation: updated link to Dovecot documentation.

==== publicsuffix ====
Version update (20250407 -> 20250424)
- Update to version 20250424:
  * Add lp.dev to public_suffix_list.dat (#2391)
  * fix: autopin dependencies (#2430)
  * Run go mod tidy
  * Bump golang.org/x/net from 0.33.0 to 0.38.0 in /tools (#2438)
  * Add mmv.kr / vki.kr (#2442)
  * dev.project-study.com (#2444)
  * add `preview.site` (#2445)
  * Add `luyani.app` (#2440)
  * Add objectstorage.ch (#2439)
  * Add val.run (#2432)
  * Update public_suffix_list.dat (#2437)
  * Add seg.ar to public_suffix_list.dat (#2433)
  * Add convex.app and convex.site (#2436)
  * Add e2b.app (#2431)
  * Add *.devinapps.com (#2435)
  * Add rules for Amazon Cognito (#2366)
  * add `figma.site` (#2429)

==== python-M2Crypto ====
Version update (0.44.0 -> 0.45.1)
- Update to 0.45.1:
  - ci: switch from using sha1 to sha256.
  - ci(keys): regenerate rsa*.pem keys as well
  - fix: make the package compatible with OpenSSL >= 3.4 (don’t rely on LEGACY crypto-policies)
  - chore: package also system_shadowing directory to make builds more reliable
- Update to 0.45.0:
  - chore: preparing 0.45.0 release
  - fix(lib,ssl): rewrite ssl_accept, ssl_{read,write}_nbio for better error handling
  - fix: replace m2_PyBuffer_Release with native PyBuffer_Release
  - chore: build Windows builds with Python 3.13 as well
  - fix: remove support for Engine
  - chore: use actual license of the project
  - ci(Debian): make M2Crypto buildable on Debian (bsc#1240965)
  - swig: Workaround for reading sys/select.h ending with wrong types.
  - ci: bump required setuptools version because of change in naming strategy
  - fix: add fix for build with older GCC
  - fix: remove AnyStr and Any types

==== python-MarkupSafe ====
Version update (2.1.5 -> 3.0.2)
- Update to 3.0.2
  * Fix compatibility when __str__ returns a str subclass. #472
  * Build requires setuptools >= 70.1. #475
- Update to 3.0.1
  * Address compiler warnings that became errors in GCC 14. #466
  * Fix compatibility with proxy objects. #467
- Update to 3.0.0
  * Support Python 3.13 and its experimental free-threaded build. #461
  * Drop support for Python 3.7 and 3.8.
  * Use modern packaging metadata with pyproject.toml instead of setup.cfg. #348
  * Change distutils imports to setuptools. #399
  * Use deferred evaluation of annotations. #400
  * Update signatures for Markup methods to match str signatures. Use positional-only arguments. #400
  * Some str methods on Markup no longer escape their argument: strip, lstrip, rstrip, removeprefix, removesuffix, partition, and rpartition; replace only escapes its new argument. These methods are conceptually linked to search methods such as in, find, and index, which already do not escape their argument. #401
  * The __version__ attribute is deprecated. Use feature detection, or importlib.metadata.version("markupsafe"), instead. #402
  * Speed up escaping plain strings by 40%. #434
  * Simplify speedups implementation. #437

==== python-gevent ====
Version update (24.10.3 -> 25.4.2)
- Update to 25.4.2: [bsc#1241067, bsc#1241037]
  * Make gevent's queue classes subscriptable to match the standard library. See issue #2102.
  * Make the c-ares resolver build on Windows.
  * The gevent testsuite runs a copy of the test_ssl from cpython but the following change has not been ported yet:
    - gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError in ConnectionHandler [gh#python/cpython/pull/126503]
- Rebase gevent-openssl35-test-fix.patch
  - Upstream PR: [gh#gevent/gevent/pull/2103]
- Update to 25.4.1
  * Remove some legacy code that supported Python 2 for compatibility with the upcoming releases of Cython 3.1.
  * Add a new environment variable and configuration setting to control whether blocking reports are printed by the monitor thread.
  * Add initial support for Python 3.14a7.
  * Fix using gevent’s BackdoorServer with Unix sockets.
  * Do not use pywsgi in a security-conscious environment. Fix one security issue related to HTTP 100 Continue handling. See issue #2075.

==== python-greenlet ====
Version update (3.1.1 -> 3.2.1)
- Update to 3.2.1
  * Fix a crash regression for Riscv64. See issue 443.
- from version 3.2.0
  * Remove support for Python 3.7 and 3.8.
  * Add untested, community supported implementation for RiscV 32. See PR 438.
  * Make greenlet build and run on Python 3.14a7. It will not build on earlier 3.14 alpha releases, and may not build on later 3.14 releases.
  * Packaging: Use PEP 639 license expressions and include license files.

==== python-h11 ====
Version update (0.14.0 -> 0.16.0)
- Update 0.16.0:
  * Security fix (CVE-2025-43859, bsc#1241872) Reject certain malformed Transfer-Encoding: chunked bodies that were previously accepted. These could have enabled request-smuggling attacks when an h11-based HTTP server was placed behind a load balancer with a matching bug in its chunked handling. Advisory with more details: https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
- 0.15.0:
  * Reject Content-Lengths >= 1 zettabyte (1 billion terabytes) early, without attempting to parse the integer (#181)

==== python-httpcore ====
Version update (1.0.8 -> 1.0.9)
- Update to 1.0.9
  * Resolve https://github.com/advisories/GHSA-vqfr-h8mv-ghfj with h11 dependency update. (#1008)

==== python-hyperframe ====
Version update (6.0.1 -> 6.1.0)
Subpackages: python311-hyperframe python313-hyperframe
- Update to 6.1.0
  * API Changes (Backward Incompatible)
  * Support for Python 3.6 has been removed.
  * Support for Python 3.7 has been removed.
  * Support for Python 3.8 has been removed.
  * API Changes (Backward Compatible)
  * Support for Python 3.10 has been added.
  * Support for Python 3.11 has been added.
  * Support for Python 3.12 has been added.
  * Support for Python 3.13 has been added.
  * Updated packaging and testing infrastructure.
  * Code cleanup and linting.
  * Improved type hints.

==== python-pycares ====
Version update (4.6.0 -> 4.6.1)
- update to 4.6.1:
  * Fix missing attribute type information for errno

==== python-pylsqpack ====
Version update (0.3.19 -> 0.3.20)
- update to 0.3.20:
  * update ls-qpack to 2.6.1

==== python311 ====
Subpackages: python311-curses python311-dbm
- Update to 3.11.12:
  - gh-131809: Update bundled libexpat to 2.7.1
  - gh-131261: Upgrade to libexpat 2.7.0
  - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed.
  - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only a mapping, but if this hit a virtual address size limit it could lead to a MemoryError or other process crash. On unusual systems or builds where all allocated memory is touched and backed by actual ram or storage it could’ve consumed resources doing so until similarly crashing.
  - gh-127257: In ssl, system call failures that OpenSSL reports using ERR_LIB_SYS are now raised as OSError.
  - gh-121277: Writers of CPython’s documentation can now use next as the version for the versionchanged, versionadded, deprecated directives.
  - gh-106883: Disable GC during the _PyThread_CurrentFrames() and _PyThread_CurrentExceptions() calls to avoid the interpreter to deadlock.
- Remove upstreamed patch:
  - CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch which makes test_ssl not to stop ThreadedEchoServer on OSError, which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067, gh#python/cpython!126572)

==== python311-core ====
Subpackages: libpython3_11-1_0 python311-base
- Update to 3.11.12:
  - gh-131809: Update bundled libexpat to 2.7.1
  - gh-131261: Upgrade to libexpat 2.7.0
  - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed.
  - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only a mapping, but if this hit a virtual address size limit it could lead to a MemoryError or other process crash. On unusual systems or builds where all allocated memory is touched and backed by actual ram or storage it could’ve consumed resources doing so until similarly crashing.
  - gh-127257: In ssl, system call failures that OpenSSL reports using ERR_LIB_SYS are now raised as OSError.
  - gh-121277: Writers of CPython’s documentation can now use next as the version for the versionchanged, versionadded, deprecated directives.
  - gh-106883: Disable GC during the _PyThread_CurrentFrames() and _PyThread_CurrentExceptions() calls to avoid the interpreter to deadlock.
- Remove upstreamed patch:
  - CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch which makes test_ssl not to stop ThreadedEchoServer on OSError, which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067, gh#python/cpython!126572)

==== python313 ====
Version update (3.13.2 -> 3.13.3)
Subpackages: python313-curses python313-dbm python313-tk
- Update to 3.13.3:
  - Tools/Demos
    - gh-131852: msgfmt no longer adds the POT-Creation-Date to generated .mo files for consistency with GNU msgfmt.
    - gh-85012: Correctly reset msgctxt when compiling messages in msgfmt.
    - gh-130025: The iOS testbed now correctly handles symlinks used as Python framework references.
- Tests - gh-131050: test_ssl.test_dh_params is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman. - gh-129200: Multiple iOS testbed runners can now be started at the same time without introducing an ambiguity over simulator ownership. - gh-130292: The iOS testbed will now run successfully on a machine that has not previously run Xcode tests (such as CI configurations). - gh-130293: The tests of terminal colorization are no longer sensitive to the value of the TERM variable in the testing environment. - gh-126332: Add unit tests for pyrepl. - Security - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-127371: Avoid unbounded buffering for tempfile.SpooledTemporaryFile.writelines(). Previously, disk spillover was only checked after the lines iterator had been exhausted. This is now done after each line is written. - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - Library - gh-132174: Fix function name in error message of _interpreters.run_string. - gh-132171: Fix crash of _interpreters.run_string on string subclasses. - gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN environment variable knob in subprocess to control the use of os.posix_spawn(). - gh-132159: Do not shadow user arguments in generated __new__() by decorator warnings.deprecated. Patch by Xuehai Pan. - gh-132075: Fix possible use of socket address structures with uninitialized members. Now all structure members are initialized with zeroes by default. 
- gh-132002: Fix crash when deallocating contextvars.ContextVar with weird unahashable string names. - gh-131668: socket: Fix code parsing AF_BLUETOOTH socket addresses. - gh-131492: Fix a resource leak when constructing a gzip.GzipFile with a filename fails, for example when passing an invalid compresslevel. - gh-131325: Fix sendfile fallback implementation to drain data after writing to transport in asyncio. - gh-129843: Fix incorrect argument passing in warnings.warn_explicit(). - gh-131204: Use monospace font from System Font Stack for cross-platform support in difflib.HtmlDiff. - gh-130940: The PyConfig.use_system_logger attribute, introduced in Python 3.13.2, has been removed. The introduction of this attribute inadvertently introduced an ABI breakage on macOS and iOS. The use of the system logger is now enabled by default on iOS, and disabled by default on macOS. - gh-131045: Fix issue with __contains__, values, and pseudo-members for enum.Flag. - gh-130959: Fix pure-Python implementation of datetime.time.fromisoformat() to reject times with spaces in fractional part (for example, 12:34:56.400 +02:00), matching the C implementation. Patch by Michał Gorny. - gh-130637: Add validation for numeric response data in poplib.POP3.stat() method - gh-130461: Remove .. index:: directives from the uuid module documentation. These directives previously created entries in the general index for getnode() as well as the uuid1(), uuid3(), uuid4(), and uuid5() constructor functions. - gh-130379: The zipapp module now calculates the list of files to be added to the archive before creating the archive. This avoids accidentally including the target when it is being created in the source directory. - gh-130285: Fix corner case for random.sample() allowing the counts parameter to specify an empty population. So now, sample([], 0, counts=[]) and sample('abc', k=0, counts=[0, 0, 0]) both give the same result as sample([], 0). - gh-130250: Fix regression in traceback.print_last(). 
    - gh-130230: Fix crash in pow() with only Decimal third argument.
    - gh-118761: Reverts a change in the previous release attempting to make some stdlib imports used within the subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
    (gh#python/cpython#132535).

==== python313-core ====
Version update (3.13.2 -> 3.13.3)
Subpackages: libpython3_13-1_0 python313-base

- Update to 3.13.3:
  - Tools/Demos
    - gh-131852: msgfmt no longer adds the POT-Creation-Date to generated .mo files for consistency with GNU msgfmt.
    - gh-85012: Correctly reset msgctxt when compiling messages in msgfmt.
    - gh-130025: The iOS testbed now correctly handles symlinks used as Python framework references.
  - Tests
    - gh-131050: test_ssl.test_dh_params is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman.
    - gh-129200: Multiple iOS testbed runners can now be started at the same time without introducing an ambiguity over simulator ownership.
    - gh-130292: The iOS testbed will now run successfully on a machine that has not previously run Xcode tests (such as CI configurations).
    - gh-130293: The tests of terminal colorization are no longer sensitive to the value of the TERM variable in the testing environment.
    - gh-126332: Add unit tests for pyrepl.
  - Security
    - gh-131809: Update bundled libexpat to 2.7.1
    - gh-131261: Upgrade to libexpat 2.7.0
    - gh-127371: Avoid unbounded buffering for tempfile.SpooledTemporaryFile.writelines(). Previously, disk spillover was only checked after the lines iterator had been exhausted. This is now done after each line is written.
    - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed.
  - Library
    - gh-132174: Fix function name in error message of _interpreters.run_string.
    - gh-132171: Fix crash of _interpreters.run_string on string subclasses.
    - gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN environment variable knob in subprocess to control the use of os.posix_spawn().
    - gh-132159: Do not shadow user arguments in generated __new__() by decorator warnings.deprecated. Patch by Xuehai Pan.
    - gh-132075: Fix possible use of socket address structures with uninitialized members. Now all structure members are initialized with zeroes by default.
    - gh-132002: Fix crash when deallocating contextvars.ContextVar with weird unhashable string names.
    - gh-131668: socket: Fix code parsing AF_BLUETOOTH socket addresses.
    - gh-131492: Fix a resource leak when constructing a gzip.GzipFile with a filename fails, for example when passing an invalid compresslevel.
    - gh-131325: Fix sendfile fallback implementation to drain data after writing to transport in asyncio.
    - gh-129843: Fix incorrect argument passing in warnings.warn_explicit().
    - gh-131204: Use monospace font from System Font Stack for cross-platform support in difflib.HtmlDiff.
    - gh-130940: The PyConfig.use_system_logger attribute, introduced in Python 3.13.2, has been removed. The introduction of this attribute inadvertently introduced an ABI breakage on macOS and iOS. The use of the system logger is now enabled by default on iOS, and disabled by default on macOS.
    - gh-131045: Fix issue with __contains__, values, and pseudo-members for enum.Flag.
    - gh-130959: Fix pure-Python implementation of datetime.time.fromisoformat() to reject times with spaces in fractional part (for example, 12:34:56.400 +02:00), matching the C implementation. Patch by Michał Gorny.
    - gh-130637: Add validation for numeric response data in poplib.POP3.stat() method
    - gh-130461: Remove .. index:: directives from the uuid module documentation. These directives previously created entries in the general index for getnode() as well as the uuid1(), uuid3(), uuid4(), and uuid5() constructor functions.
    - gh-130379: The zipapp module now calculates the list of files to be added to the archive before creating the archive. This avoids accidentally including the target when it is being created in the source directory.
    - gh-130285: Fix corner case for random.sample() allowing the counts parameter to specify an empty population. So now, sample([], 0, counts=[]) and sample('abc', k=0, counts=[0, 0, 0]) both give the same result as sample([], 0).
    - gh-130250: Fix regression in traceback.print_last().
    - gh-130230: Fix crash in pow() with only Decimal third argument.
    - gh-118761: Reverts a change in the previous release attempting to make some stdlib imports used within the subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
    (gh#python/cpython#132535).

==== qt6-declarative ====
Subpackages: libQt6LabsAnimation6 libQt6LabsFolderListModel6 libQt6LabsPlatform6 libQt6LabsQmlModels6 libQt6LabsSettings6 libQt6LabsSharedImage6 libQt6LabsWavefrontMesh6 libQt6Qml6 libQt6QmlCore6 libQt6QmlLocalStorage6 libQt6QmlMeta6 libQt6QmlModels6 libQt6QmlNetwork6 libQt6QmlWorkerScript6 libQt6QmlXmlListModel6 libQt6Quick6 libQt6QuickControls2-6 libQt6QuickControls2Impl6 libQt6QuickDialogs2-6 libQt6QuickDialogs2QuickImpl6 libQt6QuickDialogs2Utils6 libQt6QuickEffects6 libQt6QuickLayouts6 libQt6QuickParticles6 libQt6QuickShapes6 libQt6QuickTemplates2-6 libQt6QuickTest6 libQt6QuickVectorImage6 libQt6QuickWidgets6 qt6-declarative-imports

- Add 0001-do-not-re-resolve-iterator-value-types.patch
  We've resolved the value type in the type propagator. Trying to do it again in the code generator, after the iterator may have been adjusted, is quite wrong. If we resolve the list value type on a type that's not a list (anymore), then we get an invalid type, which subsequently crashes.

==== rpm ====
Subpackages: librpmbuild10

- print scriptlet messages in --runposttrans
  * needed to fix leaking tmp files [bsc#1218459]
  * updated patch: posttrans.diff
- backport architecture check fix from upstream
  * new patch: archcheck.diff
- backport empty password fix from upstream
  * new patch: emptypw.diff
- backport buildsys specific prep fix from upstream
  * new patch: buildsysprep.diff
- fix memory leak in str2locale [bsc#1241052]
  * updated patch: localetag.diff

==== sane-backends ====
Subpackages: libsane1 sane-backends-autoconfig

- add c23-keywords.patch from upstream to fix gcc15 compile error

==== sdbootutil ====
Version update (1+git20250421.7ffd25a -> 1+git20250430.f7d1ad1)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20250430.f7d1ad1:
  * Update DA lockout message
  * jeos-firstboot-enroll: show errors as dialog
- Update to version 1+git20250425.25d659b:
  * get-timeout for sd-boot return unsigned value
  * jeos-firstboot-enroll: drop unused variable
  * jeos-firstboot-enroll: continue if no enrollment (bsc#1236583)
  * jeos-firstboot-enroll: hide keyctl output
  * jeos-firstboot-enroll: add title and description
- Update to version 1+git20250423.61ca94f:
  * Revert "Use filesystem order in grub2-bls" (bsc#1241046)
- Update to version 1+git20250423.7e34390:
  * Check if TPM2 is in lockout (bsc#1241168)
  * Retry password when mismatch

==== selinux-policy ====
Version update (20250411 -> 20250429)
Subpackages: selinux-policy-targeted

- Update to version 20250429:
  * Allow cluster_t use NoNewPrivileges systemd hardening (bsc#1241921)
  * allows gssd_t to read nfs symlinks (bsc#1241042)
  * Label tpm2-measure.log with systemd_pcrlock_var_lib_t (bsc#1240887)

==== sqlite3 ====
Subpackages: libsqlite3-0 sqlite3-tcl

- Add subpackage for the lemon parser generator.
- Add patches:
  * sqlite-3.49.0-fix-lemon-missing-cflags.patch
  * sqlite-3.6.23-lemon-system-template.patch

==== texlive ====

- Add source-asymptote-liblsp.dif: fix some missing #include statements (boo#1241475)

==== unbound ====
Version update (1.22.0 -> 1.23.0)
Subpackages: libunbound8 unbound-anchor

- Update to 1.23.0:
  Features:
  * Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds.
  * Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.
  * For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.
  * For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
  * Add resolver.arpa and service.arpa to the default locally served zones.
  * Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second.
  * Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend.
  * Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'.
  Bug Fixes:
  * Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0.
  * Fix #1163: Typos in unbound.conf documentation.
  * Merge #1159: Stats for discard-timeout and wait-limit.
  * Add test case for #1159.
  * Some clean up for stat_values.test.
  * Merge #1170 from Melroy van den Berg, Fix chroot manpage description.
  * Merge #1157 from Liang Zhu, Fix heap corruption when calling ub_ctx_delete in Windows.
  * Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features.
  * Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule.
  * Fix SETEX check during Redis (re)initialization.
  * Fix for the serve expired DNSSEC information fix, it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated, but as a consequence no longer has certain expired information around for later dnssec valid expired responses.
  * Fix to log redis timeout error string on failure.
  * More descriptive text for 'harden-algo-downgrade'.
  * Complete fix for max-global-quota to 200.
  * Fix #1183: the data being used is released in method nsec3_hash_test_entry.
  * Fix for #1183: release nsec3 hashes per test file.
  * Merge #1169 from Sergey Kacheev, fix: lock-free counters for auth_zone up/down queries.
  * Fix comparison to help static analyzer.
  * For #1175, update serve-expired tests.
  * Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255.
  * Merge #1197: dname_str() fixes.
  * Merge #1198: Fix log-servfail with serve expired and no useful cache contents.
  * Safeguard alias loop while looking in the cache for expired answers.
  * Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop.
  * Fix typo in log_servfail.tdir test.
  * Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion.
  * Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic.
  * Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
  * Fix #1213: Misleading error message on default access control causing refuse.
  * Merge #1221: Consider auth zones when checking for forwarders.
  * Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN.
  * Create the quic SSL listening context only when needed.
  * Fix compile of interface check code when dnscrypt or quic is disabled.
  * Fix encoding of RR type ATMA.
  * Fix to check length in ATMA string to wire.
  * Merge #1229: check before use daemon->shm_info.
  * Use the same interface listening port discovery code for all needed protocols.
  * Port to string only when needed before getaddrinfo().
  * Do not open unencrypted channels next to encrypted ones on the same port.
  * Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set.
  * Merge #1220 from Petr Menšík, Add unbound members group access to control key.
  * Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past.
  * Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct. Consider reconfigurations when calculating the still_useful_timeout
... changelog too long, skipping 62 lines ...
  * Merge #1265: Fix WSAPoll.

==== webrtc-audio-processing-1 ====

- Add webrtc-audio-processing-1.3-gcc15.patch to fix gcc-15 compile time errors

==== wtmpdb ====
Version update (0.73.0+git20250408.edb8638 -> 0.74.0+git20250424.2e93e77)
Subpackages: libwtmpdb0

- Update to version 0.74.0+git20250424.2e93e77:
  * Release version 0.74.0
  * Fix varlink interface name (rebootmgr vs wtmpdb)
  * import: match login by tty if non-zero pid does not match

==== xfce4-pulseaudio-plugin ====
Version update (0.5.0 -> 0.5.1)
Subpackages: xfce4-pulseaudio-plugin-lang

- Update to version 0.5.1
  * Add device ports selector to the menu
  * Fix missing icon in first notification popup
  * Translation Updates

==== yast2-journal ====
Version update (5.0.1 -> 5.0.2)

- Fixed regexp for changed 'journalctl --list-boots' output: Now taking daylight savings time on/off into account (bsc#1241904)
- 5.0.2

==== yast2-trans ====
Version update (84.87.20250416.5cd9324ae2 -> 84.87.20250422.c1fec29547)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu

- Update to version 84.87.20250422.c1fec29547:
  * Translated using Weblate (Polish)

==== zypper ====
Version update (1.14.88 -> 1.14.89)
Subpackages: zypper-log zypper-needs-restarting

- Updated translations (bsc#1230267)
- version 1.14.89