Packages changed: MicroOS-release (20250708 -> 20250709) coreutils coreutils-systemd jeos-firstboot (1.5.5 -> 1.5.8) kernel-source (6.15.4 -> 6.15.5) mozilla-nss (3.110 -> 3.112) nghttp2 (1.65.0 -> 1.66.0) openssl-3 (3.5.0 -> 3.5.1) openssl (3.5.0 -> 3.5.1) patterns-base read-only-root-fs (1.0+git20250422.3e17744 -> 1.0+git20250708.3eed5de) selinux-policy === Details === ==== MicroOS-release ==== Version update (20250708 -> 20250709) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== coreutils ==== - coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch: sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer. (CVE-2025-5278, bsc#1243767) ==== coreutils-systemd ==== - coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch: sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer. (CVE-2025-5278, bsc#1243767) ==== jeos-firstboot ==== Version update (1.5.5 -> 1.5.8) - Update to version 1.5.8: * Update files/usr/share/jeos-firstboot/jeos-firstboot-functions * Use SUSE_PRETTY_NAME as product name to display if it exists (bsc#1245364) * Use xterm-256color on WSL based hosts boo#1237756 ==== kernel-source ==== Version update (6.15.4 -> 6.15.5) - usb: typec: displayport: Fix potential deadlock (git-fixes). - commit 478c062 - Linux 6.15.5 (bsc#1012628). - cifs: Correctly set SMB1 SessionKey field in Session Setup Request (bsc#1012628). - cifs: Fix cifs_query_path_info() for Windows NT servers (bsc#1012628). - cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode (bsc#1012628). - NFSv4: Always set NLINK even if the server doesn't support it (bsc#1012628). - NFSv4.2: fix listxattr to return selinux security label (bsc#1012628). - NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated (bsc#1012628). - mailbox: Not protect module_put with spin_lock_irqsave (bsc#1012628). - mfd: max77541: Fix wakeup source leaks on device unbind (bsc#1012628). - mfd: max14577: Fix wakeup source leaks on device unbind (bsc#1012628). - mfd: max77705: Fix wakeup source leaks on device unbind (bsc#1012628). - mfd: 88pm886: Fix wakeup source leaks on device unbind (bsc#1012628). - mfd: sprd-sc27xx: Fix wakeup source leaks on device unbind (bsc#1012628). - sunrpc: don't immediately retransmit on seqno miss (bsc#1012628). - hwmon: (isl28022) Fix current reading calculation (bsc#1012628). - dm vdo indexer: don't read request structure after enqueuing (bsc#1012628). - leds: multicolor: Fix intensity setting while SW blinking (bsc#1012628). - fuse: fix race between concurrent setattrs from multiple nodes (bsc#1012628). - cxl/region: Add a dev_err() on missing target list entries (bsc#1012628). - cxl: core/region - ignore interleave granularity when ways=1 (bsc#1012628). - NFSv4: xattr handlers should check for absent nfs filehandles (bsc#1012628). - hwmon: (pmbus/max34440) Fix support for max34451 (bsc#1012628). - ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension (bsc#1012628). - ksmbd: provide zero as a unique ID to the Mac client (bsc#1012628). - rust: module: place cleanup_module() in .exit.text section (bsc#1012628). - rust: arm: fix unknown (to Clang) argument '-mno-fdpic' (bsc#1012628). - dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (bsc#1012628). - dmaengine: xilinx_dma: Set dma_device directions (bsc#1012628). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (bsc#1012628). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (bsc#1012628). - PCI: imx6: Add workaround for errata ERR051624 (bsc#1012628). - wifi: iwlwifi: mld: Move regulatory domain initialization (bsc#1012628). - nvme-tcp: fix I/O stalls on congested sockets (bsc#1012628). - nvme-tcp: sanitize request list handling (bsc#1012628). - md/md-bitmap: fix dm-raid max_write_behind setting (bsc#1012628). - amd/amdkfd: fix a kfd_process ref leak (bsc#1012628). - drm/amdgpu/vcn5.0.1: read back register after written (bsc#1012628). - drm/amdgpu/vcn4: read back register after written (bsc#1012628). - drm/amdgpu/vcn3: read back register after written (bsc#1012628). - drm/amdgpu/vcn2.5: read back register after written (bsc#1012628). - bcache: fix NULL pointer in cache_set_flush() (bsc#1012628). - drm/amdgpu: seq64 memory unmap uses uninterruptible lock (bsc#1012628). - drm/scheduler: signal scheduled fence when kill job (bsc#1012628). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (bsc#1012628). - bus: mhi: host: pci_generic: Add Telit FN920C04 modem support (bsc#1012628). - um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h (bsc#1012628). - um: use proper care when taking mmap lock during segfault (bsc#1012628). - 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices (bsc#1012628). - coresight: Only check bottom two claim bits (bsc#1012628). - usb: dwc2: also exit clock_gating when stopping udc while suspended (bsc#1012628). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (bsc#1012628). - iio: dac: adi-axi-dac: add cntrl chan check (bsc#1012628). - iio: light: al3000a: Fix an error handling path in al3000a_probe() (bsc#1012628). - iio: adc: ad7606_spi: check error in ad7606B_sw_mode_config() (bsc#1012628). - iio: hid-sensor-prox: Add support for 16-bit report size (bsc#1012628). ... changelog too long, skipping 375 lines ... - commit 071950d ==== mozilla-nss ==== Version update (3.110 -> 3.112) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.112 * bmo#1963792 - Fix alias for mac workers on try * bmo#1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * bmo#1931930 - ABI/API break in ssl certificate processing * bmo#1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template. * bmo#1965754 - update taskgraph to v14.2.1. * bmo#1964358 - Workflow for automation of the release on GitHub when pushing a tag * bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate * bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 - update taskgraph to v14.1.1 * bmo#1962503 - Partial fix for ACVP build CI job * bmo#1961827 - Initialize find in sftk_searchDatabase * bmo#1963121 - Add clang-18 to extra builds * bmo#1963044 - Fault tolerant git fetch for fuzzing * bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp * bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * bmo#1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls. * bmo#1963102 - Remove Cryptofuzz CI version check - Modify bmo1962556.patch to catch OBS specific errors ==== nghttp2 ==== Version update (1.65.0 -> 1.66.0) - Ship manpages together with binaries - Ship documentation in previously dangling doc subpackage - update to 1.66.0: * Bump github.com/quic-go/quic-go to v0.50.0 * build(deps): bump golang.org/x/net from 0.35.0 to 0.37.0 * h2load: Check the return value from OBJ_nid2sn * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 * Remove go toolchain * build(deps): bump github.com/quic-go/quic-go from 0.50.0 to 0.50.1 * nghttpx: Close h1 connection on CONNECT failure * doc:rubydomain: Fix build failure with rubydomain namespace * Update integration tests * quic: Use secure random generator for ngtcp2_rand * Revert "quic: Use secure random generator for ngtcp2_rand" * quic: Use secure random generator for ngtcp2_rand * GHA: Replace macos-13 with macos-15 * build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0 * Bump ngtcp2 * nghttpx: Refactor QUIC packet write * h2load: Refactor QUIC packet write path * nghttpx: Adopt std::span::first * Rewrite util::quote_string * Rewrite util::utos functions * Rewrite util::decode_hex * Make util::format_hex constexpr * Remove util::inp_strlower in favor of util::tolower * Refactor util::make_http_hostport and util::make_hostport * Refine output iterator requirements * Make base64 encoder/decoder constexpr * Optimize util::utos * Optimize util::format_hex * Optimize util::utox * Disallow array to substitute R && * Revert "nghttpx: No need to capitalize HTTP/1.1 field name" * Refactor http2::capitalize * Bump quic-go to v0.52.0 * nghttpx: Fix integral logging is always done in 64 bits integer - Build with HTTP/3 support - Tidy up spec file ==== openssl-3 ==== Version update (3.5.0 -> 3.5.1) Subpackages: libopenssl3 - Update to 3.5.1: * Fix x509 application adds trusted use instead of rejected use. [bsc#1243564, CVE-2025-4575] - Remove patches: * openssl-Fix-P384-on-P8-targets.patch * openssl-CVE-2025-4575.patch - Rebase patches: * openssl-Allow-disabling-of-SHA1-signatures.patch * openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch * openssl-FIPS-NO-DES-support.patch - Fix a bogus warning caused by -Wfree-nonheap-object * Add patch openssl-Fix-Wfree-nonheap-object-warning.patch ==== openssl ==== Version update (3.5.0 -> 3.5.1) - Update to 3.5.1 ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - Add a kdump pattern (bsc#1244712). ==== read-only-root-fs ==== Version update (1.0+git20250422.3e17744 -> 1.0+git20250708.3eed5de) - Update to version 1.0+git20250708.3eed5de: * writable-etc: Install findmnt instead of mountpoint * CI: Omit volatile-overlay from the initrd * Add basic CI * Only remount when [/sysroot]/etc is ro (bsc#1246021) ==== selinux-policy ==== Subpackages: selinux-policy-targeted - Update macros.selinux-policy to trigger a full relabel on transactional systems upon module installation. This is rather expensive and will hopefully be replaced by a more fine grained solution later on (bsc#1232753)