Packages changed: aws-lc (1.67.0 -> 1.68.0) container-selinux (2.245.0 -> 2.246.0) gpm iproute2 (6.18 -> 6.19) kernel-source (6.19.2 -> 6.19.3) libstorage-ng (4.5.300 -> 4.5.301) libupnp (1.14.25 -> 1.18.0) libxcrypt libzio (1.10 -> 1.12) numactl (2.0.19.14.g690a72c -> 2.0.19.27.gc9475de) openSUSE-release (20260220 -> 20260223) openssl-3 patterns-yast (20220411 -> 20260219) pipewire (1.5.85 -> 1.6.0) python-certifi (2025.11.12 -> 2026.1.4) qt6-declarative selinux-policy (20260203 -> 20260219) transmission (4.0.6 -> 4.1.1) virtualbox virtualbox-kmp (7.2.6_k6.19.2_1 -> 7.2.6_k6.19.3_1) vlc wpa_supplicant xfce4-whiskermenu-plugin (2.10.0 -> 2.10.1) yast2-schema (5.0.2 -> 5.0.3) === Details === ==== aws-lc ==== Version update (1.67.0 -> 1.68.0) Subpackages: libcrypto-awslc0 libssl-awslc0 - Update to version 1.68.0: * Enable Hybrid PQ KeyShares by default * Remove AVX conditional from cmake script * openssl-ca command implementation for self-sign certificates * Initial Framework for Using Doxygen to Document Public Header Files * Move md4 out of FIPS module * Remove FIPS counter framework and other tidying up * Adds a new randomness generation API * Ensure pkcs7 checks ASN1_TYPE->type * Integrate Wycheproof ML-DSA test vectors * Simplify FIPS conditional in top-level build script * Add method to get type of ML-DSA instance configured under EVP PKEY * Nmap build needs liblinear * Disable SLP vectorizer for FIPS shared library builds on GCC 14+ * Address some CMake findings * Support GCC 4.8 for aarch64 * Free potential memory before assigning new pointer * Ensure index argument is not negative in ASN1_BIT_STRING_set_bit * Ensure no overflow in signed output length in do_buf * Ensure public key is set before verifying through ML-DSA verify * Correct CCM nids in object definition * Address Reported Bug Findings * Fix OPENSSL_memchr per C23 * Fix argument order in hmac_copy * Support WASM/Emscripten * Generate Rust Bindings ==== container-selinux ==== Version update (2.245.0 -> 2.246.0) - Update to version 2.246.0: * Allow containers to mount on container_var_run_t directories * Allow container_runtime_domain runtime fifo_files transition * Allow TUN/TAP device access for container_engine_t * Add the container_signull() interface ==== gpm ==== Subpackages: libgpm2 - Make the package installable on atomically updatable systems (jsc#PED-14720) - Use env variables when starting service instead of hardcoded - Remove GPM_REPEAT as it's unused ==== iproute2 ==== Version update (6.18 -> 6.19) Subpackages: iproute2-bash-completion - Update to release 6.19 * devlink: Introduce burst period for health reporter * ip-xfrm: add pcpu-num support * devlink: Add support for 64bit parameters * genl: add json support * mptcp: add 'laminar' endpoint support * iplink_can: add initial CAN XL support ==== kernel-source ==== Version update (6.19.2 -> 6.19.3) - Linux 6.19.3 (bsc#1012628). - scsi: qla2xxx: Fix bsg_done() causing double free (bsc#1012628). - arm64: dts: mediatek: mt8183: Add missing endpoint IDs to display graph (bsc#1012628). - LoongArch: Rework KASAN initialization for PTW-enabled systems (bsc#1012628). - fbdev: rivafb: fix divide error in nv3_arb() (bsc#1012628). - fbdev: smscufx: properly copy ioctl memory to kernelspace (bsc#1012628). - f2fs: fix to add gc count stat in f2fs_gc_range (bsc#1012628). - f2fs: fix to check sysfs filename w/ gc_pin_file_thresh correctly (bsc#1012628). - f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes (bsc#1012628). - f2fs: fix out-of-bounds access in sysfs attribute read/write (bsc#1012628). - f2fs: fix to avoid UAF in f2fs_write_end_io() (bsc#1012628). - f2fs: support non-4KB block size without packed_ssa feature (bsc#1012628). - f2fs: fix to avoid mapping wrong physical block for swapfile (bsc#1012628). - f2fs: optimize f2fs_overwrite_io() for f2fs_iomap_begin (bsc#1012628). - Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()" (bsc#1012628). - USB: serial: option: add Telit FN920C04 RNDIS compositions (bsc#1012628). - f2fs: fix to do sanity check on node footer in __write_node_folio() (bsc#1012628). - f2fs: fix to do sanity check on node footer in {read,write}_end_io (bsc#1012628). - f2fs: fix incomplete block usage in compact SSA summaries (bsc#1012628). - Rename to patches.kernel.org/6.19.3-014-iommu-arm-smmu-qcom-do-not-register-driver-in-.patch. - commit fcdf9c5 - selftests/bpf: Support when CONFIG_VXLAN=m (git-fixes). - commit e58ed90 - Move upstreamed amdxdna patches into sorted section - commit 787d692 - drm/i915/alpm: ALPM disable fixes (bsc#1257601). - commit 1715d3e ==== libstorage-ng ==== Version update (4.5.300 -> 4.5.301) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#1059 - use existing define - 4.5.301 ==== libupnp ==== Version update (1.14.25 -> 1.18.0) - Update to release 1.18.0 * Update readFromSSDPSocket to not return an error when a zero length packet is received. * Fix a crash in ixml element set attribute node ns. * Signature change involving ``const`` in: ``Upnp_FunPtr``, ``TvCtrlPointCallbackEventHandler``, ``SSDPResultData_get_Param``, ``SSDPResultData_Callback`` ==== libxcrypt ==== Subpackages: libcrypt1 libcrypt1-32bit libxcrypt-devel - Fix building with glibc 2.43, Fixes: bsc#1258487 * Add libxcrypt-fix-const-qualifiers.patch ==== libzio ==== Version update (1.10 -> 1.12) - Update to version 1.12 * Correct version number * Only give those bytes back which had been readed * Get manconv work even for 1 byte files * Allow to open undetected file descriptor * Avoid NULL pointer dereference in fdzopen - Remove patch libzio-1.11.patch now upstream - Add patch libzio-1.11.patch * Avoid problems in fdzopen with NULL as what argument * Allow to open regular files as well even if from pipes - Update to version 1.11 Modernize xz and zstd usage and much more which is to allow to detect the compression type even if not reading from a file or rewindable standard input but from a pipe or socket. Update the manual page as well. ==== numactl ==== Version update (2.0.19.14.g690a72c -> 2.0.19.27.gc9475de) Subpackages: libnuma1 - Update to version 2.0.19.27.gc9475de: * Fix: distance test avoid out-of-bounds write causing segfault * test: use sizeof(int) instead of sizeof(int *) for status and nodes * Fix off-by-one bug in arguments to mbind/get_mempolicy/set_mempolicy * __atomic_compare_exchange_n may fail and cause a segmentation fault so use strong variation * remove extra whitespace * Set _GNU_SOURCE more broadly * Change a #warning to #pragma message * Handle parallel allocation races with other thread for node mask * Fix numademo regression on kernels without weighted interleave * Enable numa_fail_alloc_on_error to improve error messages * Add numa_fail_alloc_on_error * Add numa_exit_on_warn to header file * Fix out of memory handling buffer growing for nodes probing ==== openSUSE-release ==== Version update (20260220 -> 20260223) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openssl-3 ==== Subpackages: libopenssl3 libopenssl3-32bit libopenssl3-x86-64-v3 - Do not guard ulp-macros with arch x86-64. - Security fixes: * Missing ASN1_TYPE validation in PKCS#12 parsing - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795] * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796] * Missing ASN1_TYPE validation in TS_RESP_verify_response() function - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420] * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421] * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419] * TLS 1.3 CompressedCertificate excessive memory allocation - openssl-CVE-2025-66199.patch [bsc#1256833, CVE-2025-66199] * Heap out-of-bounds write in BIO_f_linebuffer on short writes - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160] * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418] * 'openssl dgst' one-shot codepath silently truncates inputs greater than 16MB - openssl-CVE-2025-15469.patch [bsc#1256832, CVE-2025-15469] * Stack buffer overflow in CMS AuthEnvelopedData parsing - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467] - openssl-CVE-2025-15467-comments.patch - openssl-CVE-2025-15467-test.patch * Improper validation of PBMAC1 parameters in PKCS#12 MAC verification - openssl-CVE-2025-11187.patch [bsc#1256829, CVE-2025-11187] * NULL dereference in SSL_CIPHER_find() function on unknown cipher ID - openssl-CVE-2025-15468.patch [bsc#1256831, CVE-2025-15468] - Enable livepatching support for ppc64le [bsc#1257274] - Security fix: [bsc#1250232 CVE-2025-9230] * Fix out-of-bounds read & write in RFC 3211 KEK unwrap * Add patch openssl-CVE-2025-9230.patch - Security fix: [bsc#1250233 CVE-2025-9231] * Fix timing side-channel in SM2 algorithm on 64 bit ARM * Add patch openssl-CVE-2025-9231.patch - Security fix: [bsc#1250234 CVE-2025-9232] * Fix out-of-bounds read in HTTP client no_proxy handling * Add patch openssl-CVE-2025-9232.patch ==== patterns-yast ==== Version update (20220411 -> 20260219) Subpackages: patterns-yast-x11_yast patterns-yast-yast2_basis patterns-yast-yast2_desktop patterns-yast-yast2_install_wf patterns-yast-yast2_server - Remove dropped yast2-mail from patterns (bsc#1258171) - 20260219 ==== pipewire ==== Version update (1.5.85 -> 1.6.0) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-lang pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.6.0: * This is the 1.6 release that is API and ABI compatible with previous 1.4.x releases. * This release contains some of the bigger changes that happened since the 1.4 release last year, including: - An LDAC decoder was added for bluetooth. - SpanDSP for bluetooth packet loss concealment. - Safe parsing and building of PODs in shared memory. - Added support for metadata features. This is used to signal that the sync_timeline metadata supports the RELEASE operation. - Node commands and events can contain extra user data. - Support for more compressed format helper functions to create and parse formats. - Support for compile time max channels. The max channels was increased to 128. - Support for audio channel layouts was added. This makes it possible to set "audio.layout" = "5.1" instead of the more verbose audio.position = [ FL, FR, FC, LFE, SL, SR ] - Support for Capability Params was added. This can be used to negotiate capabilities on a link before format and buffer negotiation takes place. - More HDR colortypes are added. - Loops now have locking with priority inversion. Most code was adapted to use the faster locks instead of epoll/eventfd to update shared state. - Channel position are parsed from EDID data. - Channel maps are now set on ALSA. - The resampler now supports configurable window functions such as blackman and kaiser windows. The phases are now also calculated with fixed point math, which makes it more accurate. - Many bluetooth updates and improvements. - The filter-graph has an ffmpeg and ONNX plugin. The ffmpeg plugin can run an audio AVFilterGraph. The ONNX plugin can run some models such as the silero VAD. - Many AVB updates. Work is ongoing to merge the Milan protocol. - Support for v0 clients was removed. - The jack-tunnel module can now autoconnect ports. - ROC support multitrack layouts now. - Many RTP updates. - rlimits can now be set in the config file. - Thread reset on fork can now be configured. JACK clients expect this to be disabled. - node.exclusive is now enforced. - node.reliable enables reliable transport. - pw-cat supports sysex and midiclip as well as some more uncompressed formats. Options were added to set the container and codec formats as well as list the supported containers, codecs, layouts and channel names. - Documentation updates. * Highlights (since the previous 1.5.85 prerelease) - Fix a 64 channel limit in the channel mixer. - Fix an fd leak in pulse-server in some error cases. - Some small fixes and improvements. * PipeWire - Fix Capability leaks. - Return an error in pw-stream get-time when not STREAMING. - Set the current time in the driver position before starting. - Some followers might look at it. * Modules - Improve default channel handling in module-filter-chain. - Support source and sink only module-filter-chain. - Tweak the filter-chain spatializer example gains. - Handle new snapcast service type. (#5104 (closed)) - Implement socket activation without depending on libsystemd. - Support ipv4 link-local addresses in RAOP and snapcast. (#4830 (closed)) - Forward ROC-toolkit logs to pipewire. * SPA - Improve default channel handling in filter-graph. (#5084 (closed)) - Clamp control values to min/max. (#5088 (closed)) - Support mode JBL gaming headsets. - Handle some SOFA errors and add gain option. - Really handle more than 64 channels in the channelmixer. (#5118 (closed)) - Allow removal in ALSA-udev of ignored cards. * pulse-server - Fix mono mixdown query. - Expose headset autoswitch message. - Handle EPROTO errors by disconnecting. - Handle timeouts in play-sample streams. (#5099 (closed)) * GStreamer - Fix crop metadata. - Fix a race in the buffer release function. * Tools - Improve format support and detection in pw-cat. - Add some more options to pw-cat to list supported containers and formats. (#5117 (closed)) ==== python-certifi ==== Version update (2025.11.12 -> 2026.1.4) Subpackages: python311-certifi python313-certifi - Update to 2026.1.4 * Update CI workflow to use Ubuntu 24.04 and Python 3.14 stable * Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#384) * Bump actions/checkout from 5.0.1 to 6.0.0 (#378) * Bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#383) ==== qt6-declarative ==== Subpackages: libQt6LabsAnimation6 libQt6LabsFolderListModel6 libQt6LabsPlatform6 libQt6LabsQmlModels6 libQt6LabsSettings6 libQt6LabsSharedImage6 libQt6LabsSynchronizer6 libQt6LabsWavefrontMesh6 libQt6Qml6 libQt6QmlCore6 libQt6QmlLocalStorage6 libQt6QmlMeta6 libQt6QmlModels6 libQt6QmlNetwork6 libQt6QmlWorkerScript6 libQt6QmlXmlListModel6 libQt6Quick6 libQt6QuickControls2-6 libQt6QuickControls2Impl6 libQt6QuickDialogs2-6 libQt6QuickDialogs2QuickImpl6 libQt6QuickDialogs2Utils6 libQt6QuickEffects6 libQt6QuickLayouts6 libQt6QuickParticles6 libQt6QuickShapes6 libQt6QuickTemplates2-6 libQt6QuickTest6 libQt6QuickVectorImage6 libQt6QuickWidgets6 qt6-declarative-imports - Add upstream changes (kde#513527, QTBUG-142514): * 0001-QtQml-Fix-corner-cases-around-dead-contexts-in-AOT-a.patch * 0001-QtQml-Do-not-clear-objects-propertyCaches-on-last-GC.patch * 0001-QtQml-Handle-the-case-of-getFallbackMethod-returning.patch ==== selinux-policy ==== Version update (20260203 -> 20260219) Subpackages: selinux-policy-targeted - Update to version 20260219: * Allow syslog_t access ISC dhcpd /dev/log socket (bsc#1255725) * Update rules for snapper sdbootutil plugin (bsc#1257624) * privoxy: account for openSUSE chroot configuration (bsc#1237375) * Fix gitlab-ci throwing false warnings * Add diffutils explicitly to .gitlab-ci * Fix gitlab CI - Fix hash in _servicedata - was: a1c0fcdf4397f03534deaa8a4596b9da7f2bb674 - should be: ecd7927a3d5f06cff0b645b4146d355fede80922 ==== transmission ==== Version update (4.0.6 -> 4.1.1) Subpackages: transmission-common transmission-gtk transmission-gtk-lang - Update to 4.1.1: * Fixed a 4.1.0 bug that failed to report some filesystem errors to RPC clients who were querying the system's free space available. (#8258) * Fixed a 4.1.0 bug that kept a a torrent's updated queue position from being shown. (#8298) * Fixed a 4.1.0 bug that caused torrents' queuing order to sometimes be lost between sessions. (#8306) * Fixed "assertion failed: no timezone" error on OpenSolaris. (#8358) * Fixed a 4.0.0 bug that displayed the wrong mime-type icon for mp4 video files. (#8411) * Hardened .torrent parsing by exiting sooner if pieces has an invalid size. (#8412) * Reverted a 4.1.0 RPC change that broke some 3rd party code by returning floating-point numbers, rather than integers, for speed limit fields. (#8416) * Fixed crash that could happen if a user paused a torrent and edited its tracker list at the same time. (#8478) * Fixed 4.1.0 crash on arm32 by switching crc32 libraries to Mark Madler's crcany. (#8529) * Require UTF-8 filenames in .torrent files, as required by the BitTorrent spec. (#8541) * Fixed crash that could occur when parsing a .torrent file with a bad pieces key. (#8542) * Fixed potential file descriptor leak when launching scripts on POSIX systems. (#8549) * Changed the network traffic algorithm to spread bandwidth more evenly amongst peers. (#8259) * Improved laggy user interface when bandwidth usage is high. (#8454) * For more see: https://github.com/transmission/transmission/releases/tag/4.1.1 - Update to 4.1.0: * Improved µTP download performance. (#6508) * Added support for IPv6 and dual-stack UDP trackers. (#6687) * Support trackers that only support the old BEP-7 with &ipv4= and &ipv6=. (#7481) * New JSON-RPC 2.0-compliant RPC API. (#7269) * Added optional sequential downloading. (#4795) * Use native icons for menus and toolbars: SF Symbols on macOS, Segoe Fluent on Windows 11, Segoe MDL2 on Windows 10, and XDG standard icon names everywhere else. (#7819, Qt Client) * Fixed 4.0.6 bug where Transmission might spam HTTP tracker announces. (#7086) * For more see: https://github.com/transmission/transmission/releases/tag/4.1.0 - Cleanup .changes file (proper date and header in general) - Update harden_transmission-daemon.service.patch ==== virtualbox ==== - add kernel-6.19.patch (bsc#1258115) ==== virtualbox-kmp ==== Version update (7.2.6_k6.19.2_1 -> 7.2.6_k6.19.3_1) - add kernel-6.19.patch (bsc#1258115) ==== vlc ==== Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX vlc-qt - Add libupnp-1.18.patch ==== wpa_supplicant ==== - Enable CONFIG_EXT_PASSWORD_FILE to be able to load PSK and password from an external file. ==== xfce4-whiskermenu-plugin ==== Version update (2.10.0 -> 2.10.1) Subpackages: xfce4-whiskermenu-plugin-lang - Update to version 2.10.1 * Fix meson to make minsize an optimized build * Bring settings dialog to front if already shown * Translation Updates ==== yast2-schema ==== Version update (5.0.2 -> 5.0.3) - Remove dropped yast2-mail from BuildRequires (bsc#1258171) - > No more support for mail server AutoYaST schema elements - 5.0.3