Packages changed:
  MicroOS-release (20260605 -> 20260613)
  aaa_base (84.87+git20260602.e901e17e -> 84.87+git20260610.3b5a868c)
  baloo-widgets (26.04.1 -> 26.04.2)
  boost-base
  container-selinux (2.248.0 -> 2.249.0)
  dnf5 (5.4.0.0 -> 5.4.2.1)
  dolphin (26.04.1 -> 26.04.2)
  falkon (26.04.1 -> 26.04.2)
  ffmpegthumbs (26.04.1 -> 26.04.2)
  file (5.47 -> 5.48)
  flatpak (1.16.6 -> 1.18.0)
  fontconfig (2.18.0 -> 2.18.1)
  fwupd (2.1.3 -> 2.1.5)
  gcc15 (15.2.1+git10776 -> 15.3.0+git11272)
  glib-networking
  graphite2 (1.3.14 -> 1.3.15)
  gstreamer (1.28.3 -> 1.28.4)
  gstreamer-plugins-bad (1.28.3 -> 1.28.4)
  gstreamer-plugins-base (1.28.3 -> 1.28.4)
  hplip
  kaccounts-integration (26.04.1 -> 26.04.2)
  kaccounts-providers (26.04.1 -> 26.04.2)
  kate (26.04.1 -> 26.04.2)
  kdegraphics-mobipocket (26.04.1 -> 26.04.2)
  kdegraphics-thumbnailers (26.04.1 -> 26.04.2)
  kdenetwork-filesharing (26.04.1 -> 26.04.2)
  kdialog (26.04.1 -> 26.04.2)
  kernel-source (7.0.11 -> 7.0.12)
  kio-extras (26.04.1 -> 26.04.2)
  kio-gdrive (26.04.1 -> 26.04.2)
  konsole (26.04.1 -> 26.04.2)
  kpmcore (26.04.1 -> 26.04.2)
  kwalletmanager (26.04.1 -> 26.04.2)
  less (702 -> 704)
  libkdcraw (26.04.1 -> 26.04.2)
  libkexiv2-qt6 (26.04.1 -> 26.04.2)
  libkgapi6 (26.04.1 -> 26.04.2)
  libzypp (17.38.11 -> 17.38.13)
  mpg123 (1.33.5 -> 1.33.6)
  ncurses (6.6.20260530 -> 6.6.20260608)
  netcfg
  openexr (3.4.11 -> 3.4.12)
  openssl-3
  partitionmanager (26.04.1 -> 26.04.2)
  patterns-base
  pinentry
  pinentry-gui
  policycoreutils
  python-PyJWT (2.12.1 -> 2.13.0)
  qrca (26.04.1 -> 26.04.2)
  rav1e
  rsync
  sdl2-compat (2.32.68 -> 2.32.70)
  selinux-policy (20260526 -> 20260605)
  signon-kwallet-extension (26.04.1 -> 26.04.2)
  snapper
  sqlite3 (3.53.1 -> 3.53.2)
  sssd (2.13.0 -> 2.13.1)
  sudo
  systemd (260.1 -> 260.2)
  xdg-desktop-portal (1.20.4 -> 1.22.0)
  xorg-x11-server
  zypper (1.14.97 -> 1.14.98)

=== Details ===

==== MicroOS-release ====
Version update (20260605 -> 20260613)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== aaa_base ====
Version update (84.87+git20260602.e901e17e -> 84.87+git20260610.3b5a868c)

- Update to version 84.87+git20260610.3b5a868c:
  * Add missing "=" in alljava.csh (boo#1267423)

==== baloo-widgets ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== boost-base ====
Subpackages: boost-license1_91_0 libboost_filesystem1_91_0 libboost_log1_91_0 libboost_thread1_91_0

- Force remove boost_atomic directory to fix the failing build with GCC 16

==== container-selinux ====
Version update (2.248.0 -> 2.249.0)

- Update to version 2.249.0:
  * bump to v2.249.0
  * Allow rpmdb to manage files on mounted container filesystems

==== dnf5 ====
Version update (5.4.0.0 -> 5.4.2.1)
Subpackages: libdnf5-plugin-appstream libdnf5_2

- Update to 5.4.2.1
  + 5.4.2.1 changelog: https://github.com/rpm-software-management/dnf5/releases/tag/5.4.2.1
  + 5.4.2.0 changelog: https://github.com/rpm-software-management/dnf5/releases/tag/5.4.2.0
  + 5.4.1.0 changelog: https://github.com/rpm-software-management/dnf5/releases/tag/5.4.1.0
- Refresh patches
  + dnf5-Use-usr-lib-sysimage-for-the-persistent-state-dir.patch
  + dnf5-disable-Werror.patch
- Add SUSE Linux family default settings

==== dolphin ====
Version update (26.04.1 -> 26.04.2)
Subpackages: dolphin-part libdolphinvcs6

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- Changes since 26.04.1:
  * KItemListWidget: Add pressedChanged (kde#508329)
  * tests: kfileitemmodeltest avoid scheme-less url
  * dolphintabpage: drop swapActiveView in RightView close path (kde#520002)
  * userfeedback: prevent dangling pointer access in SettingsDataSource (kde#519876)

==== falkon ====
Version update (26.04.1 -> 26.04.2)
Subpackages: falkon-kde

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== ffmpegthumbs ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== file ====
Version update (5.47 -> 5.48)
Subpackages: file-magic libmagic1

- Update to 5.48:
  * add landlock support (valoq)
  * add BE/LE GUID
  * multiple fixes to prevent integer overflow in 32 bits (kerwin)
  * PR/745: bitstreamout: Don't flush when trying to set negative offsets on pipes, just continue, fixes 'cat file.zip | file -'
  * PR/753: vmihalko: Fix race in magic_getpath()
  * PR/728: Anton Monroe: Reinstate regex/c
- Port patch file-5.47.dif and rename it to file-5.48.dif
- Port patches
  * file-4.21-xcursor.dif
  * file-5.19-biorad.dif
  * file-5.19-printf.dif
  * file-5.22-elf.dif
  * file-5.28-btrfs-image.dif
  * file-secure_getenv.patch
- Remove patches now upstream
  * file-5.47-regression.dif
  * file-5.47-s390x.patch
  * file-5.47-stanza.patch

==== flatpak ====
Version update (1.16.6 -> 1.18.0)
Subpackages: flatpak-selinux libflatpak0 system-user-flatpak

- Update to version 1.18.0:
  + Enhancements:
    - Improve error handling and printed output of flatpak-coredumpctl
    - Support the AMD vendor specific compute interface (/dev/kfd) via the DRI device permission
    - Improve the output of flatpak update with failure causes
    - Improve startup time for fish shell integration
  + Bug fixes:
    - Fix building when HAVE_LIBSYSTEMD but not USE_SYSTEM_HELPER is defined
    - Ignore system bus failures in parental controls check
    - Fix some return values and replace deprecated GTimeVal with g_get_real_time()
    - Suppress an unused-result warning in the tests
  + Updated translations.
- Stop passing http_backend=curl to meson setup, no longer needed, nor recognized.
- Drop patch fixed upstream:
  + 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch

==== fontconfig ====
Version update (2.18.0 -> 2.18.1)
Subpackages: libfontconfig1

- Update to 2.18.1
  * Workaround :-prefixed filename used in Qt
  * meson: force enabling HAVE_C99_VSNPRINTF
  * Do not set 'sans-serif' for default genericfamily
  * Fix another font matching issue
  * Fix not matching with a font family name
  * Disable invalid attribute warning by default
  * boo#1267844

==== fwupd ====
Version update (2.1.3 -> 2.1.5)
Subpackages: libfwupd3 typelib-1_0-Fwupd-2_0

- Update to version 2.1.5:
  + This release adds the following features:
    - Allow overriding the detected CPU vendor to allow more self tests
    - Allow updating the Windows-specific UEFI CA on dual boot machines
    - Install the db updates on broken hardware with new firmware
  + This release fixes the following bugs:
    - Add tests for the vbe, upower, uefi-sbat, pci-bcr, mtd, gpio and msr plugins
    - Check the array index in some runtime-generated code
    - Claim the udev netlink backend before old libusb versions
    - Expand the netlink socket buffer to prevent packet loss during event floods
    - Fix a msgpack regression when updating some Huddly cameras
    - Fix HID feature read buffer size in goodix-tp device probe
    - Fix reproducible builds
    - Fix the check-reboot-needed command
    - Increase the i2c-hid re-bind delay for synaptics-rmi PID 0x96e7
    - Parse the dell-dock marketing name in a more safe way
    - Set a firmware size limit on intel-gsc aux and oprom firmware types
    - Simplify the engine by only loading the config object once
    - Use a cryptographically secure RNG when building the idle and inhibit IDs
    - Use a more appropriate firmware maximum size for Huddly cameras
  + This release adds support for the following hardware:
    - Elan touchscreens
- Update to version 2.1.4:
  + This release adds the following features:
    - Add a libcrypto-based JCat implementation for Android
    - Add support for NixOS to the quickstart script
    - Add support for the Compal BIOS version format
    - Allow a remote to specify that a username or password is required
    - Allow storing a per-user password in XDG_CONFIG_HOME
    - Detect encrypted swap devices below device-mapper
    - Ensure that all firmware subclasses set the maximum size
    - Remove the flashrom plugin
    - Save the SMBIOS BiosReleaseDate string to uploaded reports
    - Tell Star Labs coreboot users to manually update when required
  + This release fixes the following bugs:
    - Add a retry limit when updating failing Goodix MoC devices
    - Add several bounds checks for when updating Dell docks
    - Add vendor name and name for the various Framework UEFI certificates
    - Allow recovery if the Lenovo dock internal state is invalid
    - Avoid truncation when calculating the AMD GPU atombios size
    - Check firmware size against Novatek flash start address
    - Check for config offset overflow when updating Synaptics RMI devices
    - Check for multiplication overflow in BCM57xx stage1 size calculation
    - Check for overflow when writing to CCGX DMC devices
    - Check stream size before calculating Legion HID ID offset
    - Check stream size before subtracting Ilitek ITS CRC length
    - Clear Sunplus camera download state if the previous flash failed
    - Do not show plugin warnings when using --version
    - Filter the install flags provided by the D-Bus client
    - Fix a potential heap buffer overflow in FDT strlist parsing
    - Fix a potential heap buffer overflow in Nordic HID peer validation
    - Fix a potential OOB read in DFOTA modem response parsing
    - Fix a potential path traversal vulnerability in firmware backup
    - Fix a regression when searching for file magic
    - Fix a regression when using report-export --sign
    - Fix fwupd domain check bypass when using Qubes
    - Ignore efivar free space requirement on Microsoft Hyper-V hosts
    - Limit the number of hints a D-Bus client can set
    - Limit the size of parsed USB descriptors to ~64KiB
    - Make it easy to enable an authenticated remote
    - Make the Novatek boot update more reliable
    - Only read BCR from Intel SPI controllers
    - Prevent a possible division by zero error in the progressbar code
    - Prevent decompression bomb attacks in uSWID zlib payload parsing
    - Prevent NVRAM-seeded potential path traversal when loading ESP files
    - Redact the username and password of remotes when using a non-active console
    - Require authorization for firmware installation on emulated devices
    - Require authorization for more D-Bus methods from non-local users
    - Restrict Curl protocols to prevent potential SSRF attacks
    - Restrict ModifyRemote to prevent a supply-chain redirection
    - Show a short easy-to-read string as the Pixart touchpad name
    - Tolerate post-quantum CA PKCS#7 failures when using Qubes
    - Validate ACPI PHAT specific data offset before parsing
    - Validate Corsair write size before subtracting header size
    - Validate DFU address offset before parsing the header
    - Validate Elan touchpad IAP address is within firmware bounds
    - Validate Logitech TAP AP region bounds before calculating size
    - Validate payload length is large enough for FPC sec-link
    - Validate sector range before writing pixart-tp firmware
    - Validate VBE area start does not exceed area size
    - Validate write offset does not exceed TI TPS6598x stream size
  + This release adds support for the following hardware:
    - Egis MoC devices with PID 9201
    - Intel Arc Pro B65 and Arc Pro B70 (#10389)
    - Lenovo dock devices in 'provisioned' mode
    - Pixart TP devices with PID 1343
    - Several GigaDevice and Puya SPI chips
- Drop no longer needed BuildRequires: pkgconfig(jcat), pkgconfig(flashrom)

==== gcc15 ====
Version update (15.2.1+git10776 -> 15.3.0+git11272)

- Update to GCC 15.3 release
- Update to GCC 15 branch head, 15.2.1+git11263, GCC 15.3 RC1
- Drop -fhardened from RPM_OPT_FLAGS
- Avoid conflicts between %gcc_libc_bootstrap packages of different versions if update-alternatives are still in use (SLE 15 and older)

==== glib-networking ====

- Add CVE-2026-10028.patch: tls: detect cycles when setting issuer property (CVE-2026-10028, bsc#1267979, glgo#GNOME/glib-networking!279)

==== graphite2 ====
Version update (1.3.14 -> 1.3.15)

- version update to 1.3.15:
  . Bug fixes.
  . Update graphite website documentation.
  . Use SPDX lines, and improve license declarations.
  . Fix incorrectly generated graphite2.pc pkgconf file.
- modified patches
  * graphite2-1.2.0-cmakepath.patch (refreshed)
  * link-gcc-shared.diff (refreshed)
- deleted patches
  * graphite2-1.3.14-gcc15.patch (upstreamed)
- fixes CVE-2026-50593 [bsc#1267734]

==== gstreamer ====
Version update (1.28.3 -> 1.28.4)
Subpackages: libgstreamer-1_0-0

- Update to version 1.28.4:
  + Highlighted bugfixes:
    - Various security fixes and playback fixes
    - audioaggregator: fixes for conversion of in-progress buffers when input caps change
    - audioresample: more armv7 fixes
    - camerabin: Fix caps negotiation failure when starting video capture
    - Debug logging performance improvements
    - fmp4mux: Fix draining in chunk mode after partial GOPs were drained
    - gldownload: fix handling of directly imported dmabufs from glupload
    - matroskamux: Write ReferenceBlock for non-keyframe video in BlockGroups
    - rtp2: session: add "stats" property
    - rtspsrc2: handle parse errors with TCP interleaved more gracefully where the server just drops data
    - rtspsrc2: implement support for SRTP, authentication, HTTP tunnelling, keep alive, stream selection, TLS validation, latency configuration
    - st2038combiner: only forward video pad segment, fixing issues for cases where the ST2038 segment differs
    - Wavpack audio: Various channel and channel-mask related fixes
    - webrtc, sdp: set level in negotiated caps only if level asymmetry not allowed, fixing an H.264 negotiation regression with higher resolutions
    - androidmedia: add various new codec mime / profile mappings (WMV, VC1, AC3/EAC3/AC4, AAC, H265) and support decoding FLAC
    - d3d12decoder: Fix decoding on Qualcomm GPUs on ARM64 Windows
    - wasapi2src: fix hang when using loopback-target-pid (regression from 1.26)
    - cerbero: update to Rust 1.96, plus glib-networking OpenSSL backend fixes
    - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements
  + gstreamer:
    - bufferpool: avoid leaking partially preallocated buffers
    - caps: fix multiple caps leaks
    - datetime: Improve correctness of ISO-8601 string parsing
    - info: Don't use fwrite() on Windows for debug logging
    - info: Use stack allocation for messages smaller than 1kB
    - task: Fix racy tests by making unref deterministic
    - value: fix crash when converting NULL G_TYPE_VALUE_ARRAY to G_TYPE_STRING
    - registry: detect libgstreamer load from Android container and skip canonicalization
    - tests: Fix build with glib <= 2.67.2

==== gstreamer-plugins-bad ====
Version update (1.28.3 -> 1.28.4)
Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0

- Update to version 1.28.4:
  + ahcsrc: Register exposure-mode property for GstPhotography interface
  + amc: Don't try printing NULL caps
  + amcvideodec: Don't keep crop-rectangle uninitialized if not specified
  + androidmedia: Add various new codec mime / profile mappings
  + androidmedia: Don't print error logs if downstream returns flushing / EOS
  + androidmedia: Fix typo in error message
  + androidmedia: support decoding flac
  + av1parser: Fix bytes/bits confusion when parsing tile data size
  + camerabin: Fix caps negotiation when starting video capture
  + d3d12decoder: Fix decoding on Qualcomm GPUs
  + mpegtspacketizer: Do not seek before the first PCR
  + mxfdemux: Use unsigned integers in more places and don't truncate 64 bit integers
  + svtav1enc: Scale MDCV and CLL to SVT-AV1's expected units
  + va: drm: Fix fd leak and return type in create_va_display
  + vajpegdecoder: Validate that enough data is available for the current JPEG segment
  + vulkanupload: Don't reallocate the pool when the framerate changes
  + wasapi2: Don't reset process loopback capture client
  + wasapi2src hangs when using loopback-target-pid in GStreamer 1.28 (regression from 1.26)
  + tests: Fix build with glib <= 2.67.2
  + meson: fix building -bad tests with disabled mse

==== gstreamer-plugins-base ====
Version update (1.28.3 -> 1.28.4)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0

- Update to version 1.28.4:
  + audio-resampler-neon: fix accumulated stride
  + audio-resampler-neon: re-increment address
  + audioaggregator: Remove brittle conversion of in-progress buffers
  + discoverer: Lock the DISCO_LOCK whenever accessing the streams list
  + gl: egl: Set TRANSFER_NEED_DOWNLOAD flag
  + gldownload: Can't handle directly imported dmabufs from glupload
  + glupload: fix memleak on failure path
  + glwindow: Allow setting a NULL window handle
  + id3v2: Don't modify const data and check for enough data when reading RVA2 tags
  + id3v2: Don't unnecessarily assert on size==0 when unsyncing data
  + pbutils: Add NULL check for tmpcaps parsing
  + pbutils: Fix possible null dereference when empty string is provided
  + rtcpbuffer: Add some missing bounds checks when parsing SDES
  + sdp: keep level-asymmetry-allowed in the caps
  + subparse: Avoid zero and extreme fps when parsing mdvdsub subtitles
  + uridecodebin3: Use PLAY_ITEMS_LOCK for URI-related getter
  + uridecodebin: Protect missing_plugin_errors list from concurrent access
  + videodmabufpool: Fix debug category
  + xmptag: Correctly initialize pointer to the end of the input array

==== hplip ====
Subpackages: hplip-common hplip-cups hplip-driver-hpcups libhplip0

- hp-plugin: fix plugin installation from local file (lp#2154206)
  * add pluginhandler-fix-plugin-installation-from-local-fil.patch

==== kaccounts-integration ====
Version update (26.04.1 -> 26.04.2)
Subpackages: libkaccounts6-2

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kaccounts-providers ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kate ====
Version update (26.04.1 -> 26.04.2)
Subpackages: kate-plugins

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- Changes since 26.04.1:
  * fix comment
  * fix urlinfo for relative files with line
  * diffwidget.cpp - include QDir to fix compile
  * ensure we hide the buttons in the view space if no tabs & nav bar there (alternative implementation) (kde#515133)
  * Use proper working directory when invoking git (kde#519685)

==== kdegraphics-mobipocket ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kdegraphics-thumbnailers ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kdenetwork-filesharing ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kdialog ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kernel-source ====
Version update (7.0.11 -> 7.0.12)
Subpackages: kernel-64kb kernel-default

- Linux 7.0.12 (bsc#1012628).
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size (bsc#1012628).
- ACPI: button: Fix ACPI GPE handler leak during removal (bsc#1012628).
- ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time (bsc#1012628).
- xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit (bsc#1012628).
- net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked (bsc#1012628).
- nfc: llcp: Fix use-after-free in llcp_sock_release() (bsc#1012628).
- nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() (bsc#1012628).
- xfrm: Check for underflow in xfrm_state_mtu (bsc#1012628).
- nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems (bsc#1012628).
- tools/bootconfig: Fix buf leaks in apply_xbc (bsc#1012628).
- HID: remove duplicate hid_warn_ratelimited definition (bsc#1012628).
- kunit: fix use-after-free in debugfs when using kunit.filter (bsc#1012628).
- accel/rocket: fix UAF via dangling GEM handle in create_bo (bsc#1012628).
- netfilter: synproxy: refresh tcphdr after skb_ensure_writable (bsc#1012628).
- netfilter: xt_cpu: prefer raw_smp_processor_id (bsc#1012628).
- netfilter: ebtables: fix OOB read in compat_mtw_from_user (bsc#1012628).
- netfilter: nf_tables: fix dst corruption in same register operation (bsc#1012628).
- tun: free page on short-frame rejection in tun_xdp_one() (bsc#1012628).
- tap: free page on error paths in tap_get_user_xdp() (bsc#1012628).
- tun: free page on build_skb failure in tun_xdp_one() (bsc#1012628).
- vsock: keep poll shutdown state consistent (bsc#1012628).
- net: netlink: fix sending unassigned nsid after assigned one (bsc#1012628).
- net: netlink: don't set nsid on local notifications (bsc#1012628).
- net/smc: Do not re-initialize smc hashtables (bsc#1012628).
- net/iucv: fix locking in .getsockopt (bsc#1012628).
- scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues (bsc#1012628).
- scsi: scsi_debug: Add missing newline in scsi_debug_device_reset() (bsc#1012628).
- ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() (bsc#1012628).
- ALSA: hda: cs35l56: Fix system name string leaks (bsc#1012628).
- ALSA: pcm: oss: Fix setup list UAF on proc write error (bsc#1012628).
- ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors (bsc#1012628).
- net/mlx5: HWS: Reject unsupported remove-header action (bsc#1012628).
- net: hsr: fix potential OOB access in supervision frame handling (bsc#1012628).
- accel/ivpu: prevent uninitialized data bug in debugfs (bsc#1012628).
- gpio: mxc: fix irq_high handling (bsc#1012628).
- drm/i915/aux: use polling when irqs are unavailable (bsc#1012628).
- net: Avoid checksumming unreadable skb tail on trim (bsc#1012628).
- ethtool: rss: avoid modifying the RSS context response (bsc#1012628).
- ethtool: rss: add missing errno on RSS context delete (bsc#1012628).
- ethtool: rss: fix falsely ignoring indir table updates (bsc#1012628).
- ethtool: rss: fix indir_table and hkey leak on get_rxfh failure (bsc#1012628).
- ethtool: rss: fix hkey leak when indir_size is 0 (bsc#1012628).
- ethtool: rss: avoid device context leak on reply-build failure (bsc#1012628).
- ethtool: module: call ethnl_ops_complete() on module flash errors (bsc#1012628).
- ethtool: module: avoid leaking a netdev ref on module flash errors (bsc#1012628).
- ethtool: module: avoid racy updates to dev->ethtool bitfield (bsc#1012628).
- ethtool: module: check fw_flash_in_progress under rtnl_lock (bsc#1012628).
- ethtool: module: fix cleanup if socket used for flashing multiple devices (bsc#1012628).
- ethtool: cmis: require exact CDB reply length (bsc#1012628).
- ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl (bsc#1012628).
- ethtool: cmis: validate start_cmd_payload_size from module (bsc#1012628).
- ethtool: cmis: validate fw->size against start_cmd_payload_size (bsc#1012628).
- cxl/test: Update mock dev array before calling platform_device_add() (bsc#1012628).
- tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() (bsc#1012628).
... changelog too long, skipping 1174 lines ...
- commit c8ca8cf

==== kio-extras ====
Version update (26.04.1 -> 26.04.2)
Subpackages: libkioarchive6-6 trash_kcm

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kio-gdrive ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== konsole ====
Version update (26.04.1 -> 26.04.2)
Subpackages: konsole-part

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- Changes since 26.04.1:
  * Fix copy command causing scroll to bottom

==== kpmcore ====
Version update (26.04.1 -> 26.04.2)
Subpackages: libkpmcore13

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== kwalletmanager ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== less ====
Version update (702 -> 704)

- Update to 704:
  * Fix possibly passing unsafe options to man when opening an OSC 8 link
  * Fix possibly sending unsafe OSC sequence to terminal when file contains an unterminated OSC sequence
  * In Examine and Shell commands, expand % and # to shell-escaped filenames

==== libkdcraw ====
Version update (26.04.1 -> 26.04.2)
Subpackages: libKDcrawQt6-5 libkdcraw-qt6

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== libkexiv2-qt6 ====
Version update (26.04.1 -> 26.04.2)
Subpackages: libKExiv2Qt6-0

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== libkgapi6 ====
Version update (26.04.1 -> 26.04.2)
Subpackages: libKPim6GAPICore6 libKPim6GAPIDrive6 libkgapi6-sasl2-kdexoauth2

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== libzypp ====
Version update (17.38.11 -> 17.38.13)

- A .repo files "path=" entry must not refer to a location outside the repo (bsc#1267874, CVE-2026-44942)
  A "path=" entry may solely denote a sub-directory of the baseurl where the metadata are located. A relative path trying to access data outside the baseurl is reported and sanitized.
- version 17.38.13 (35)
- Repo "keyhint" must denote a filename, no path (bsc#1267426, CVE-2026-44941)
- version 17.38.12 (35)

==== mpg123 ====
Version update (1.33.5 -> 1.33.6)

- Update to version 1.33.6
  * mpg123
    + Prepare for const-returning strchr().
    + Hide seq_len debugging counter in non-debug mode.
    + Fix memory leak with --network internal due to inverted NULL check in net123_close_internal() (handle never NULL in practice, though).
  * mpg123, out123: Fix strrchr() usage to be more const and correct under C99 as well as C23.
  * mpg123-strip: Also use largefile API properly using mpg123config.h, but without actual effect at least on Linux/x86. It is cleaner that way, though.
  * libmpg123: Remove unused loop variable in layer2 left over from runtime table elimination (32 bit mmx/sse code).

==== ncurses ====
Version update (6.6.20260530 -> 6.6.20260608)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Pre work for ABI 7
- Add ncurses patch 20260608
  + amend *.map to put recent cookie-related functions in a new tinfo ".current" section (report by Sven Joachim).
  + add npc to kmscon, fixing flash -TD
- Add ncurses patch 20260607
  + actually add kmscon (report by Branden Robinson)
- Add ncurses patch 20260606
  + add kmscon (report by Jocelyn Falempe) -TD
  + fix a minor regression in infocmp -g option.
  + fixes for compiler warnings/cppcheck.

==== netcfg ====

- Patch services file in %prep instead of in %install
- Spec cleanup
- Add missing %verify(not mode) (boo#1263098)
- services: remove invalid SIEVE entry, again (was fixed and broken again in 2013 already) boo#1243708, boo#822653

==== openexr ====
Version update (3.4.11 -> 3.4.12)
Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33

- version update to 3.4.12
  * Fix several minor memory leaks recovering from reading invalid files.
  * The compressor API incorrectly identified `HTJ2K` and `HTJ2K256` as lossy; they are lossless.
  * Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures.
  * The `WidenFilename` utility function is marked as deprecated, to be removed in a future release.
  * `exrmetrics` now prints the on-disk size of the data portion of each part. Useful for determining compression impact on part data
  * Reject files where the dataWindows does not match the pixel array dimensions.
  * Support NumPy float vector attributes
  * Reading now skips over invalid parts, returns the valid parts only.
* Doc strings have proper indentation * [CVE-2026-45696](https://www.cve.org/CVERecord?id=CVE-2026-45696) OpenEXR `ht_undo_impl` heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode * [CVE-2026-44663](https://www.cve.org/CVERecord?id=CVE-2026-44663) Integer overflow in HTJ2K decoder ( `ht_undo_impl` ) leading to heap-buffer-overflow * [OSS-Fuzz 512895184](https://issues.oss-fuzz.com/issues/512895184) * [OSS-Fuzz 512314697](https://issues.oss-fuzz.com/issues/512314697) * [OSS-Fuzz 508362159](https://issues.oss-fuzz.com/issues/508362159) * [OSS-Fuzz 507413960](https://issues.oss-fuzz.com/issues/507413960) ==== openssl-3 ==== Subpackages: libopenssl3 - Security fixes: * CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357) * CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356) * CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353) * CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355) * CVE-2026-42767: NULL Pointer Dereference in CRMF EncryptedValue Decryption (bsc#1266350) * CVE-2026-42768: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (bsc#1266351) * CVE-2026-42769: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (bsc#1266352) * CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349) * CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (bsc#1266345) * CVE-2026-42764: NULL pointer dereference in QUIC server initial packet handling (bsc#1266347) * CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344) * CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341) * CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340) * CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342) * Add patches: 
openssl-CVE-2026-45447.patch openssl-CVE-2026-45446.patch openssl-CVE-2026-42770.patch openssl-CVE-2026-45445.patch openssl-CVE-2026-42767.patch openssl-CVE-2026-42768.patch openssl-CVE-2026-42769.patch openssl-CVE-2026-42766.patch openssl-CVE-2026-34183.patch openssl-CVE-2026-42764.patch openssl-CVE-2026-34182.patch openssl-CVE-2026-9076.patch openssl-CVE-2026-7383.patch openssl-CVE-2026-34180.patch ==== partitionmanager ==== Version update (26.04.1 -> 26.04.2) - Update to 26.04.2 * New bugfix release * For more details please see: * https://kde.org/announcements/gear/26.04.2/ - No code change since 26.04.1 ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - only do Requires: libyui-ncurses-pkg and libyui-qt-pkg if Tumbleweed since libyui is no longer available in Leap 16.1 ==== pinentry ==== - Force -std=gnu++17 when building with GCC 16 to fix the broken build ==== pinentry-gui ==== - Force -std=gnu++17 when building with GCC 16 to fix the broken build ==== policycoreutils ==== Subpackages: policycoreutils-python-utils python313-policycoreutils - Reintroduce sandbox package (bsc#1266226) and a couple quality of life improvements: add policycoreutils-sandbox-fix-cleanup.patch add sandbox-sandbox-fix-saving-file-changes.patch ==== python-PyJWT ==== Version update (2.12.1 -> 2.13.0) - Update to 2.13.0 - Security * CVE-2026-48526 (bsc#1266802) — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. * CVE-2026-48523 (bsc#1266799) — Algorithm allow-list bypass with PyJWK / PyJWKClient. 
    When verifying with a PyJWK, the caller's algorithms=[…] allow-list was
    checked against the token header alg as a string only; actual
    verification used the algorithm bound to the PyJWK. An attacker who
    controlled a registered JWKS key could sign with one algorithm and
    advertise another on the header. PyJWT now requires the token header
    alg to match the PyJWK's algorithm before verification.
  * CVE-2026-48525 (bsc#1266801) — DoS via base64 decode of unused payload segment when b64=false.
    For detached-payload JWS (b64=false), the compact-form payload segment
    was base64-decoded before being discarded in favor of the
    caller-supplied detached_payload. An attacker could inflate the unused
    segment to force CPU + memory cost without holding a valid signature.
    The segment is now required to be empty per RFC 7515 Appendix F, and is
    no longer decoded.
  * CVE-2026-48522 (bsc#1266798) — PyJWKClient accepts non-HTTP(S) URIs.
    PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which
    by default also handles file://, ftp://, and data: schemes. An
    application that fed an attacker-influenced URI into PyJWKClient could
    be coerced into reading local files or reaching other unintended
    schemes. PyJWKClient now rejects any URI whose scheme isn't http or
    https.
  * CVE-2026-48524 (bsc#1266800) — PyJWKClient cache wiped on fetch error.
    A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a
    fetch raised, turning a transient JWKS-endpoint outage into
    application-wide auth failure. The cache write was moved into the
    success path; transient errors no longer evict valid cached keys.
- Fixed
  * Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with
    InvalidKeyError instead of accepting them with only a warning. Defends
    against the os.getenv("JWT_SECRET", "") footgun.
  * Forward per-call options (including enforce_minimum_key_length) from
    PyJWT.decode through to PyJWS._verify_signature.
    The option was previously silently dropped between the two layers, so
    it only took effect when set on the PyJWT instance.
  * RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64"
    to crit, and the decoder rejects tokens that set b64=false without
    listing it in crit
- Changed
  * Migrate the dev, docs, and tests package extras to dependency groups

==== qrca ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== rav1e ====

- Update cargo dependencies (bsc#1249016 CVE-2025-58160).

==== rsync ====

- Add missing python3-base BR

==== sdl2-compat ====
Version update (2.32.68 -> 2.32.70)

- Update to release 2.32.70
  * Fixed showing the on-screen keyboard at application startup.

==== selinux-policy ====
Version update (20260526 -> 20260605)
Subpackages: selinux-policy-targeted

- move %postMigration from %posttrans to %post to finish migration and
  copy user/custom modules to /etc when zypper dup is aborted due
  different package issue or semodu invocation (fixes boo#1264463)
- Update to version 20260605:
  * Update dbus_role_template() with communication over unix dgram socket
  * Allow staff user read nsfs files
  * Allow staff user additional sandboxing permissions
  * Dontaudit sa-update perfmon and sys_admin capabilities
  * packit: Stop notifying martinpitt for Cockpit test failures
  * Allow the kernel to execute also special files
  * Bring back execmem permission for svirt_tcg_t
  * Dontaudit tlp_t requesting dac_read_search (bsc#1265386)
  * Leave content of virtqemud_use_execmem empty
  * Dontaudit libvirt-daemons execmem
  * Allow virtstoraged to setattr fixed disk devices
  * Dontaudit ksmtuned dac_read_search and dac_override capabilities
  * Remove unused hypervkvp_unit_file_t
  * Allow mock create and use its private tmpfs files
  * Allow samba-bgqd send to nmbd over a unix datagram socket
  * Vibecode Gitlab CI smoke test for Leap 16.0+
- Syncing with upstream rawhide selinux-policy up to:
  * 443befa43872b63a5c1d7773fca159fda2abf772
- Update embedded container-selinux version to commit:
  * d3e0ce57e97c38e1403c0eb5a29b10d5d6dd82c6 (v2.249.0)

==== signon-kwallet-extension ====
Version update (26.04.1 -> 26.04.2)

- Update to 26.04.2
  * New bugfix release
  * For more details please see:
  * https://kde.org/announcements/gear/26.04.2/
- No code change since 26.04.1

==== snapper ====
Subpackages: libsnapper8

- add dependencies to dbus in service files (see bsc#1265853)
- improved error handling when disconnected by dbus (see gh#openSUSE/snapper#223)
- improve error handling if uid of client cannot be detected (see bsc#1265853)
- Add snapper-sync to synchronize the highest snapshot number (gh#openSUSE/snapper#1128)

==== sqlite3 ====
Version update (3.53.1 -> 3.53.2)

- Update to version 3.53.2:
  * Fixes for problems in 3.53.0 reported by users.
  * See the check-in timeline for details:
    https://sqlite.org/src/timeline?from=version-3.53.1&to=version-3.53.2

==== sssd ====
Version update (2.13.0 -> 2.13.1)
Subpackages: libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap

- Update to release 2.13.1
  * Fixed an issue where SSSD fails to start when DNS is unresponsive.
  * SSSD no longer crashes if ``ldap_read_rootdse=never`` and
    ``enumerate=true`` is set.
- Add jwk.patch

==== sudo ====

- Fix missing %verify(not mode) %{_bindir}/sudo (bsc#1263098)

==== systemd ====
Version update (260.1 -> 260.2)
Subpackages: libsystemd0 libudev1 systemd-boot systemd-container udev

- Temporarily add 1001-units-drop-Before-sockets.target-from-networkd-resol.patch
  until upstream releases it.
- Import commit a1ca0edbe97b747694600671445c19aa565f7b7e (merge of v260.2)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/1e45daa2fb423eb95ad00dcc389e03cfea8f86dc...a1ca0edbe97b747694600671445c19aa565f7b7e
  This update includes the following fix:
  a2c799878a logind: keep lingering users at startup-time GC (bsc#1262305)

==== xdg-desktop-portal ====
Version update (1.20.4 -> 1.22.0)

- Update to version 1.22.0:
  + Bug Fixes:
    - Correct passing icon GVariant around in the Dynamic Launcher Portal
    - Improve Document Portal document path resolving for the File
      Chooser and OpenURI Portals

==== xorg-x11-server ====
Subpackages: xorg-x11-server-Xvfb

- Add missing %verify(not mode) (boo#1263098).

==== zypper ====
Version update (1.14.97 -> 1.14.98)
Subpackages: zypper-needs-restarting

- Transactional systems: Delegate rw-commands to transactional-wrapper
  if available (jsc#PED-13680, jsc#PED-15607)
  On a transactional system where the root filesystem is mounted
  read-only, zypper commands that modify the system cannot be executed
  directly. If the system provides a transactional-wrapper utility,
  zypper will automatically attempt to invoke it. The wrapper
  transparently executes the zypper command within a new, writable
  snapshot and manages the lifecycle of that snapshot based on the
  command's exit status.
  On transactional systems lacking a transactional-wrapper, users must
  manually invoke specialized tools -such as transactional-update- to
  install, update, or remove software.
- version 1.14.98
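
Added example, not part of this changelog and not PyJWT code: a standard-library configuration check that an application can run against its own JWT verifier settings to flag the caller-side conditions named in the python-PyJWT 2.13.0 entry above (mixed symmetric/asymmetric allow-list, JWK or public-key text used as the HMAC secret, empty secret, non-HTTP(S) JWKS URI). The function names, finding labels, key-format markers and the "kty" test for JWK-shaped JSON are assumptions of this example; the sample configurations are constructed.

```python
import json
from urllib.parse import urlsplit

SYMMETRIC = {"HS256", "HS384", "HS512"}
# Assumed prefixes for PEM- and SSH-formatted keys (heuristic of this example).
KEY_MARKERS = (b"-----BEGIN", b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-")


def looks_like_jwk(secret: bytes) -> bool:
    """True if the secret parses as a JSON object carrying a JWK "kty" member."""
    try:
        obj = json.loads(secret)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(obj, dict) and "kty" in obj


def lint_verifier(algorithms, hmac_secret=None, jwks_uri=None):
    """Return the findings for one verifier configuration (empty list = clean)."""
    findings = []
    algs = set(algorithms)
    if algs & SYMMETRIC and algs - SYMMETRIC:
        findings.append("mixed-families")        # HS* listed next to asymmetric algs
    if hmac_secret is not None:
        secret = hmac_secret.encode() if isinstance(hmac_secret, str) else hmac_secret
        if not secret:
            findings.append("empty-secret")      # e.g. os.getenv("JWT_SECRET", "")
        elif looks_like_jwk(secret):
            findings.append("jwk-as-secret")     # JWK text would act as the HMAC key
        elif secret.lstrip().startswith(KEY_MARKERS):
            findings.append("public-key-as-secret")
    if jwks_uri is not None and urlsplit(jwks_uri).scheme.lower() not in ("http", "https"):
        findings.append("non-http-jwks-uri")     # file://, ftp://, data:, or no scheme
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAMPLES = {
    "mixed+jwk": dict(algorithms=["HS256", "RS256"],
                      hmac_secret='{"kty": "RSA", "n": "placeholder", "e": "AQAB"}'),
    "empty-env": dict(algorithms=["HS256"], hmac_secret=""),
    "file-jwks": dict(algorithms=["RS256"], jwks_uri="file:///etc/app/jwks.json"),
    "clean": dict(algorithms=["RS256"], jwks_uri="https://idp.example/jwks.json"),
}


def lint_all(samples=SAMPLES):
    """Lint every sample configuration and return {name: findings}."""
    return {name: lint_verifier(**cfg) for name, cfg in samples.items()}
```

A check like this complements the package update: it reports risky settings in the calling application whether or not the library version in use already rejects them.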