Packages changed:
  aws-lc (1.59.0 -> 1.61.0)
  cups (2.4.12 -> 2.4.14)
  cups-filters
  libjpeg-turbo (3.0.4 -> 3.1.2)
  openSUSE-release (20250917 -> 20250918)
  openssl-3 (3.5.2 -> 3.5.3)
  openssl (3.5.2 -> 3.5.3)
  re2c (4.1 -> 4.3)
  sdbootutil (1+git20250909.8b2878e -> 1+git20250917.7aab076)
  systemd
  webp-pixbuf-loader

=== Details ===

==== aws-lc ====
Version update (1.59.0 -> 1.61.0)
Subpackages: libcrypto-awslc0 libssl-awslc0

- update to version 1.61.0:
  * Apply additional X509 validation checks on certificates sourced from trust store
  * Reorganizing compatibility tests, rework certificates for better grokking
  * Additional X.509 Behavior Compatibility Tests
  * Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints
  * Merge main to x509
  * Reintroduce support for validating DNS commonName subjects when name constraints are present.
  * Support client-side hostname checks with leading .
  * Verify leaf certificate public key rather than leaving it to the caller
  * Support for explicit curve parameter on EC public keys where parameters match supported curves
  * Add x86 Keccak implementation
  * Gate EC explicit curve parameters for X.509 behind flag
  * Update CPU Jitter Entropy dependency to version 3.6.3
  * Fix benchmarking issues with FIPS main
  * Add standalone MLKEM supported groups
  * Document and statically assert counters can't overflow
  * TLS Transfer Serialization Improvements
  * Fix ternary operator in github workflow
  * Merge x509 branch into main
  * Address clang-ci comments on new x509 code
  * Implement snapsafe fallback entropy source
  * Rand small fixes
  * Import s2n-bignum 2025-09-05-04
  * Refactor iOS CI script
  * Re-import mlkem-native for addition of CFI directives
  * Fix typo in ssl_transfer_asn1
  * Fix for zig build
  * Update SSLProxy patch
  * ML-DSA service indicator
  * Add aes-xts AArch64 implementation that will eventually be imported from s2n-bignum.
  * Fix Keccak MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX flag
  * Increase SSLBuffer size to INT_MAX
  * Wrap compiler when FIPS w/ clang v20+
  * Test ACCP in FIPS mode as well as non-FIPS
  * fix: Allow zero-length passwords in PEM key decryption
  * Use CheckCCompilerFlag to test -Wno-cast-function-type
  * Make X509 CodeBuild webhook more resilient
- update to version 1.60.0:
  * Anchor CodeBuild account-id patterns
  * Implement read/write timeouts for BIO datagram
  * Migrate from CodeBuild account actor filter to pull request comment filter based on GitHub permissions
  * Implement ragdoll
  * Add expandedKey ASN.1 encoding for KEM keys

==== cups ====
Version update (2.4.12 -> 2.4.14)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.14:
  See https://github.com/openprinting/cups/releases
  The hotfix release brings a fix for the installation process
  of localized templates and CUPS web UI home pages.
- Version upgrade to 2.4.13:
  See https://github.com/openprinting/cups/releases
  The release 2.4.13 brings two CVE fixes:
  a fix for the important CVE-2025-58060
  "Authentication bypass with AuthType Negotiate" (bsc#1249049)
  and a fix for the moderate CVE-2025-58364
  "Remote DoS via null dereference" (bsc#1249128)
  together with several bug fixes.
  The release includes a new feature - new attribute for
  printer and job objects - print-as-raster - which allows
  enforcing rasterization of the file for IPP Everywhere/AirPrint
  printers which support PDF and raster document formats.
  The feature is useful for working around internal PDF issues
  in the printer firmware, for example missing diacritic
  when printing a PDF.
  Detailed list (from CHANGES.md):
  * Blocked authentication using alternate methods in cupsd (CVE-2025-58060)
  * Fixed extension tag handling in 'ipp_read_io()' in libcups (CVE-2025-58364)
  * Added 'print-as-raster' printer and job attributes
    for forcing rasterization (Issue #1282)
  * Updated documentation (Issue #1086)
  * Updated IPP backend to try a sanitized user name if the
    printer/server does not like the value (Issue #1145)
  * Updated the scheduler to send the "printer-added" or
    "printer-modified" events whenever an IPP Everywhere PPD
    is installed (Issue #1244)
  * Updated the scheduler to send the "printer-modified" event
    whenever the system default printer is changed (Issue #1246)
  * Fixed a memory leak in 'httpClose' (Issue #1223)
  * Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
  * Fixed subscription issues in the scheduler and
    D-Bus notifier (Issue #1235)
  * Fixed media-default reporting for custom sizes (Issue #1238)
  * Fixed support for IPP/PPD options with periods
    or underscores (Issue #1249)
  * Fixed parsing of real numbers in PPD compiler
    source files (Issue #1263)
  * Fixed scheduler freezing with zombie clients (Issue #1264)
  * Fixed support for the server name in the ErrorLog
    filename (Issue #1277)
  * Fixed job cleanup after daemon restart (Issue #1315)
  * Fixed handling of buggy DYMO USB printer
    serial numbers (Issue #1338)
  * Fixed unreachable block in IPP backend (Issue #1351)
  * Fixed memory leak in _cupsConvertOptions (Issue #1354)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.14

==== cups-filters ====

- cups-filters-1.28.17-CVE-2024-47176.patch is based on
  https://github.com/OpenPrinting/cups-browsed/commit/1d1072a0de573b7850958df614e9ec5b73ea0e0d
  backported to cups-filters 1.28.17 to fix CVE-2024-47176
  "cups-browsed binds to UDP INADDR_ANY:631" (bsc#1230939)
  and to avoid CVE-2024-47850
  "cups-browsed can be abused to initiate remote DDoS against third-party targets"
  (bsc#1231294) by removing legacy CUPS Browsing support
  in cups-browsed (introduced 2012) which is no longer
  needed nowadays.
  CUPS browsing was removed from CUPS since version 1.6.
  Legacy CUPS Browsing is a generic security risk, see
  the section "Automated print queue setup via cups-browsed" in
  https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
- cups-filters-1.28.17-CVE-2024-47076.patch is based on
  https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3
  backported to cups-filters 1.28.17 to fix CVE-2024-47076
  "lack of input sanitization in cfGetPrinterAttributes5"
  (bsc#1230937)
- cups-filters-1.28.17-CVE-2024-47175.patch is based on
  https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477
  backported to cups-filters 1.28.17 to fix CVE-2024-47175
  "lack of input sanitization in _ppdCreateFromIPP()"
  (bsc#1230932)
- In general regarding CUPS and cups-browsed security issues see
  https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

==== libjpeg-turbo ====
Version update (3.0.4 -> 3.1.2)
Subpackages: libjpeg8 libjpeg8-x86-64-v3 libturbojpeg0 libturbojpeg0-x86-64-v3

- version update to 3.1.2
  * The libjpeg-turbo source tree has been reorganized.
  * cjpeg no longer allows GIF input files to be converted into
    12-bit-per-sample JPEG files.
  * Added support for lossless JPEG images with 2 to 15 bits per sample
    to the libjpeg and TurboJPEG APIs.
  * All deprecated constants and methods in the TurboJPEG Java API
    have been removed.
  * TJBench command-line arguments are now more consistent with those
    of cjpeg, djpeg, and jpegtran.
  * Added a new TJBench option (-pixelformat gray) that can be used to
    test the performance of compressing/decompressing a grayscale JPEG
    image from/to a packed-pixel grayscale image.
  * Fixed an issue whereby, if TJPARAM_NOREALLOC was set, TurboJPEG
    compression and lossless transformation functions ignored the JPEG
    buffer size(s) passed to them and assumed that the JPEG buffer(s)
    had been allocated to a worst-case size returned by tj3JPEGBufSize().
  * The TurboJPEG C and Java APIs have been improved.
  * TJExample has been replaced with three programs (TJComp, TJDecomp,
    and TJTran) that demonstrate how to approximate the functionality of
    cjpeg, djpeg, and jpegtran using the TurboJPEG C and Java APIs.
- modified patches
  * libjpeg-turbo-1.3.0-tiff-ojpeg.patch (refreshed)

==== openSUSE-release ====
Version update (20250917 -> 20250918)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssl-3 ====
Version update (3.5.2 -> 3.5.3)
Subpackages: libopenssl3 libopenssl3-32bit libopenssl3-x86-64-v3

- Update to 3.5.3:
  * Added FIPS 140-3 PCT on DH key generation.
  * Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * openssl-FIPS-limit-rsa-encrypt.patch

==== openssl ====
Version update (3.5.2 -> 3.5.3)

- Update to 3.5.3

==== re2c ====
Version update (4.1 -> 4.3)

- Update to version 4.3
  * Added warning -Wdeprecated-eof-rule, this will be turned to
    error in the future.
  * Improved re2c performance (made determinization faster, #544).
- Update to version 4.2
  * Added Swift backend
  * Added options:
    + --lang swift
    + --computed-gotos-relative
  * Added configurations:
    + re2c:cgoto:relative, re2c:computed-gotos:relative
    + re2c:yyfn:throw
  * Added syntax file code templates:
    + code:cgoto
    + code:cgoto_data
    + code:yytarget_filter
    + code:type_yyctable
  * Added syntax file conditionals:
    + .cgoto.relative
    + .yyfn.throw
  * Added some C++ benchmarks without submatch extraction.

==== sdbootutil ====
Version update (1+git20250909.8b2878e -> 1+git20250917.7aab076)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20250917.7aab076:
  * Revert "PCR#15 workaround for LVM devices"
  * measure-pcr-generator: escape the device name
  * Fix boot_root for systemd 258

==== systemd ====
Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-experimental systemd-lang udev

- Move systemd-pcrlock out from the experimental sub-package to udev (bsc#1248261)
- systemd.spec: use %sysusers_generate_pre so that some systemd users are
  already available in %pre. This is important because D-Bus automatically
  reloads its configuration whenever new configuration files are installed,
  i.e. between %pre and %post. (bsc#1248501)
  No need for systemd and udev packages as they are always installed during
  the initial installation.
- Sign aarch64 and riscv systemd-boot EFI binaries (bsc#1247474)

==== webp-pixbuf-loader ====

- Drop gdk-pixbuf-thumbnailer Requires: only needed for directory
  ownership (and deprecated).