Packages changed:
AppStream (1.0.4 -> 1.0.5)
AppStream-qt6 (1.0.4 -> 1.0.5)
Box2D
Mesa (25.0.4 -> 25.0.5)
Mesa-drivers (25.0.4 -> 25.0.5)
MozillaFirefox (137.0.2 -> 138.0)
PackageKit-Qt6 (1.1.1 -> 1.1.2)
aaa_base (84.87+git20250410.71df276 -> 84.87+git20250429.1cad3bc)
apache-commons-logging (1.3.4 -> 1.3.5)
at-spi2-core (2.56.1 -> 2.56.2)
augeas
ayatana-ido (0.10.2 -> 0.10.4)
blog (2.34 -> 2.35)
btrfsprogs
busybox
cnf
container-selinux (2.236.0 -> 2.237.0)
coreutils
coreutils-systemd
crypto-policies
cyrus-imapd
dhcp
ethtool
fdupes (2.3.1 -> 2.4.0)
firewalld
fuse3 (3.17.1 -> 3.17.2)
gcc14 (14.2.1+git11321 -> 14.2.1+git11702)
gcc15 (15.0.1+git9352 -> 15.1.1+git9595)
gdb (15.2 -> 16.3)
gimp
glib2-branding-openSUSE
glslang (15.2.0 -> 15.3.0)
gnome-music (48.beta+25 -> 48.beta+31)
gnome-shell
gnutls
grub2
gstreamer (1.26.0 -> 1.26.1)
gstreamer-plugins-bad (1.26.0 -> 1.26.1)
gstreamer-plugins-base (1.26.0 -> 1.26.1)
gstreamer-plugins-good (1.26.0 -> 1.26.1)
hwdata (0.393 -> 0.394)
iptables
java-21-openjdk (21.0.6.0 -> 21.0.7.0)
jemalloc
jitterentropy (3.4.1 -> 3.6.3)
kernel-firmware-amdgpu
kernel-firmware-ath10k
kernel-firmware-ath11k (20250227 -> 20250424)
kernel-firmware-ath12k (20250206 -> 20250424)
kernel-firmware-atheros
kernel-firmware-bluetooth
kernel-firmware-bnx2
kernel-firmware-brcm
kernel-firmware-chelsio
kernel-firmware-dpaa2
kernel-firmware-i915
kernel-firmware-intel
kernel-firmware-iwlwifi (20250312 -> 20250423)
kernel-firmware-liquidio
kernel-firmware-marvell
kernel-firmware-media (20250422 -> 20250424)
kernel-firmware-mediatek
kernel-firmware-mellanox
kernel-firmware-mwifiex
kernel-firmware-network
kernel-firmware-nfp
kernel-firmware-nvidia
kernel-firmware-platform
kernel-firmware-prestera
kernel-firmware-qcom
kernel-firmware-qlogic
kernel-firmware-radeon
kernel-firmware-realtek
kernel-firmware-serial
kernel-firmware-sound
kernel-firmware-ti
kernel-firmware-ueagle
kernel-firmware-usb-network
kernel-source (6.14.3 -> 6.14.4)
libavif (1.1.1 -> 1.2.1)
libeconf (0.7.7 -> 0.7.8)
libedit (20210910.3.1 -> 20250104.3.1)
libgcrypt
libgpg-error (1.54 -> 1.55)
libheif (1.19.7 -> 1.19.8)
liblogging
libnftnl
libqt5-qtwebengine
libraw (0.21.3 -> 0.21.4)
libsoup
libsoup2
libssh
libxkbcommon (1.8.1 -> 1.9.0)
libzip
libzypp (17.36.6 -> 17.36.7)
lilv
lua54
mariadb-connector-c
mozilla-nss (3.109 -> 3.110)
ncurses (6.5.20250412 -> 6.5.20250426)
nghttp2 (1.64.0 -> 1.65.0)
open-vm-tools
openSUSE-release (20250423 -> 20250503)
openssh (9.9p2 -> 10.0p2)
openssh-askpass-gnome (9.9p2 -> 10.0p2)
openssl-3 (3.2.4 -> 3.5.0)
openssl (3.2.4 -> 3.5.0)
orca
postfix (3.10.1 -> 3.10.2)
publicsuffix (20250407 -> 20250424)
python-M2Crypto (0.44.0 -> 0.45.1)
python-MarkupSafe (2.1.5 -> 3.0.2)
python-gevent (24.10.3 -> 25.4.2)
python-greenlet (3.1.1 -> 3.2.1)
python-h11 (0.14.0 -> 0.16.0)
python-httpcore (1.0.8 -> 1.0.9)
python-hyperframe (6.0.1 -> 6.1.0)
python-pycares (4.6.0 -> 4.6.1)
python-pylsqpack (0.3.19 -> 0.3.20)
python311
python311-core
python313 (3.13.2 -> 3.13.3)
python313-core (3.13.2 -> 3.13.3)
qt6-declarative
rpm
sane-backends
sdbootutil (1+git20250421.7ffd25a -> 1+git20250430.f7d1ad1)
selinux-policy (20250411 -> 20250429)
sqlite3
texlive
unbound (1.22.0 -> 1.23.0)
webrtc-audio-processing-1
wtmpdb (0.73.0+git20250408.edb8638 -> 0.74.0+git20250424.2e93e77)
xfce4-pulseaudio-plugin (0.5.0 -> 0.5.1)
yast2-journal (5.0.1 -> 5.0.2)
yast2-trans (84.87.20250416.5cd9324ae2 -> 84.87.20250422.c1fec29547)
zypper (1.14.88 -> 1.14.89)
=== Details ===
==== AppStream ====
Version update (1.0.4 -> 1.0.5)
Subpackages: libappstream5
- Update to 1.0.5
Features:
* qt: Expose markup conversion utils
* desktop-styles: Add android and iOS
* validator: Check for xml:lang="en" being used on description
template elements
* validator: Flag cases of raw text in "description" elements
* metadata: Add more known extensions into
as_metadata_file_guess_style()
Specification:
* docs: Clarify that the style segment of a screenshot
environment is optional
* docs: Explain consequences of defining an icon for
desktop-app metainfo
* docs: Clarify that description content must be in p/li
elements
Bugfixes:
* validator: mark as_validator_issue_tag_list static
* docs: Add workaround for gi-docgen misnaming devhelp files
* compose: Do not permit SVG images as screenshots
* compose: Don't "forget" to scan remaining paths when
re-encountering a dir
* pool: Try explicit singular term match if we only have
low-quality tokens
* utils: Provide compatibility with Fedora icon tarballs when
installing them
* utils: Remove leftover g_chmod()
* zstd-decompressor: Pass output/written data when decompression
finished
* utils: Expect a dash in icons file name
* utils: Recognize .yml* and .yaml* file extension variants,
and .zst extension
* utils: Rename the appstream file when re-saving it on install
==== AppStream-qt6 ====
Version update (1.0.4 -> 1.0.5)
- Update to 1.0.5
Features:
* qt: Expose markup conversion utils
* desktop-styles: Add android and iOS
* validator: Check for xml:lang="en" being used on description
template elements
* validator: Flag cases of raw text in "description" elements
* metadata: Add more known extensions into
as_metadata_file_guess_style()
Specification:
* docs: Clarify that the style segment of a screenshot
environment is optional
* docs: Explain consequences of defining an icon for
desktop-app metainfo
* docs: Clarify that description content must be in p/li
elements
Bugfixes:
* validator: mark as_validator_issue_tag_list static
* docs: Add workaround for gi-docgen misnaming devhelp files
* compose: Do not permit SVG images as screenshots
* compose: Don't "forget" to scan remaining paths when
re-encountering a dir
* pool: Try explicit singular term match if we only have
low-quality tokens
* utils: Provide compatibility with Fedora icon tarballs when
installing them
* utils: Remove leftover g_chmod()
* zstd-decompressor: Pass output/written data when decompression
finished
* utils: Expect a dash in icons file name
* utils: Recognize .yml* and .yaml* file extension variants,
and .zst extension
* utils: Rename the appstream file when re-saving it on install
==== Box2D ====
- Drop BuildRequires: glew-devel as it is not used for build
==== Mesa ====
Version update (25.0.4 -> 25.0.5)
Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1
- Update to release 25.0.5
- -> https://docs.mesa3d.org/relnotes/25.0.5
==== Mesa-drivers ====
Version update (25.0.4 -> 25.0.5)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva Mesa-vulkan-device-select libvulkan_lvp
- Update to release 25.0.5
- -> https://docs.mesa3d.org/relnotes/25.0.5
==== MozillaFirefox ====
Version update (137.0.2 -> 138.0)
Subpackages: MozillaFirefox-branding-upstream
- Mozilla Firefox 138.0
https://www.mozilla.org/en-US/firefox/138.0/releasenotes/
MFSA 2025-28 (bsc#1241621)
* CVE-2025-2817 (bmo#1917536)
Privilege escalation in Firefox Updater
* CVE-2025-4082 (bmo#1937097)
WebGL shader attribute memory corruption in Firefox for macOS
* CVE-2025-4083 (bmo#1958350)
Process isolation bypass using "javascript:" URI links in
cross-origin frames
* CVE-2025-4085 (bmo#1915280)
Potential information leakage and privilege escalation in
UITour actor
* CVE-2025-4086 (bmo#1945705)
Specially crafted filename could be used to obscure download
type
* CVE-2025-4087 (bmo#1952465)
Unsafe attribute access during XPath parsing
* CVE-2025-4088 (bmo#1953521)
Cross-site request forgery via storage access API redirects
* CVE-2025-4089 (bmo#1949994, bmo#1956698, bmo#1960198)
Potential local code execution in "copy as cURL" command
* CVE-2025-4090 (bmo#1929478)
Leaked library paths in Firefox for Android
* CVE-2025-4091 (bmo#1951161, bmo#1952105)
Memory safety bugs fixed in Firefox 138, Thunderbird 138,
Firefox ESR 128.10, and Thunderbird 128.10
* CVE-2025-4092 (bmo#1924108, bmo#1950780, bmo#1959367)
Memory safety bugs fixed in Firefox 138 and Thunderbird 138
- requires NSS 3.110
- rebased patches
==== PackageKit-Qt6 ====
Version update (1.1.1 -> 1.1.2)
- Update to 1.1.2
* offline: Make sure we allow for interactive authorization
* Allow Transaction::setHints before the transaction has started
* Fix check for PackageKit D-Bus specs
* Add missing info enum values
==== aaa_base ====
Version update (84.87+git20250410.71df276 -> 84.87+git20250429.1cad3bc)
Subpackages: aaa_base-extras
- Update to version 84.87+git20250429.1cad3bc:
* Remove alias "you" (boo#1242011)
- Update to version 84.87+git20250425.1664836:
* Fix bug boo#1241205 by adding missed endif
* alias.bash: future-proof egrep/fgrep color aliases
==== apache-commons-logging ====
Version update (1.3.4 -> 1.3.5)
- Upgrade to 1.3.5
* Fixed Bugs
+ Javadoc is missing its Overview page.
+ Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS (from
org.apache.commons:commons-parent:80).
* Changes
+ Bump org.apache.commons:commons-parent from 72 to 81 #285,
[#287], #295, #298, #303, #310, #339.
+ Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0
[#288] [test].
+ Bump log4j2.version from 2.23.1 to 2.24.3 #292, #299, #319,
[#328].
* Removed:
+ Remove "cobertura" plugin use JaCoco, Cobertura is
unmaintained.
==== at-spi2-core ====
Version update (2.56.1 -> 2.56.2)
Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0
- Update to version 2.56.2:
+ Fix the build with glib < 2.76.
+ a11y-manager-device: Fix unmap_keysym_modifier.
==== augeas ====
Subpackages: augeas-bash-completion augeas-lenses libaugeas0 libfa1
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
* CVE-2025-2588.patch
==== ayatana-ido ====
Version update (0.10.2 -> 0.10.4)
- Update to version 0.10.4:
* src/idoscalemenuitem.c: Disable menu item selection
* src/idoscalemenuitem.c: Add ability to close the menu when the
slider's value changes.
- Update to version 0.10.3:
* src/idoswitchmenuitem.c: Allow the switch to display an
accelerator.
==== blog ====
Version update (2.34 -> 2.35)
Subpackages: libblogger2
- Update to version 2.35
* Make s390 3215 console work that is use EPOLLOUT|EPOLLONESHOT
to control if we can write to ttyS0 in nonblocking mode and if
not reenable EPOLLOUT|EPOLLONESHOT.
* At boot set for ttyS0 via vmcp API nonblocking MORE mode with
`0 0'. It beeps but boots.
- Remove patches now upstream
* blog-3215.patch
* blog-install.patch
==== btrfsprogs ====
Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1
- Fix name clash of parse_range between common/parse-utils.c and
libblkid.a from util-linux-2.41
(btrfsprogs-libblkid-static-lib-clash.patch).
==== busybox ====
Subpackages: busybox-static
- fix regression in hexdump that broke kernel build:
* busybox-1.37.0-fix-regression-n2.patch
- fix build/tests and hexdump on big endian systems (S390):
* busybox-1.37.0-hexdump-fix-regression-for-uint16-on-big-endian-syst.patch
* busybox-1.37.0-od-make-B-test-little-endian-only-add-variant-for-bi.patch
* busybox-1.37.0-hexdump-add-tests-for-x-handle-little-big-endian-pro.patch
==== cnf ====
Subpackages: cnf-bash
- Fix Obsolete of a scout-command-not-found to <= 0.2.9
==== container-selinux ====
Version update (2.236.0 -> 2.237.0)
- Update to version 2.237.0:
* bootc/install_t: allow transition to container_runtime_t
* Allow containers to mask parts of their /proc
==== coreutils ====
- coreutils-i18n.patch: update gnulib mbchar+mbfile to the commit
used by coreutils-9.7:
https://git.sv.gnu.org/cgit/gnulib.git/commit/?id=41e7b7e0d
mainly to pick up these commits:
- c67c553e758 mbfile: Support pushback characters also right before EOF.
- 87ee7ef66ee mbfile: Allow 2 pushback characters.
==== coreutils-systemd ====
- coreutils-i18n.patch: update gnulib mbchar+mbfile to the commit
used by coreutils-9.7:
https://git.sv.gnu.org/cgit/gnulib.git/commit/?id=41e7b7e0d
mainly to pick up these commits:
- c67c553e758 mbfile: Support pushback characters also right before EOF.
- 87ee7ef66ee mbfile: Allow 2 pushback characters.
==== crypto-policies ====
Subpackages: crypto-policies-scripts
- Update crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
==== cyrus-imapd ====
Subpackages: cyradm libcyrus0 perl-Cyrus-Annotator perl-Cyrus-IMAP perl-Cyrus-SIEVE-managesieve
- CVE-2025-23394: cyrus-imapd: daily-backup.sh allows escalation from
cyrus to root (bsc#1241536)
Adapt backup-cyrus.service to run as user cyrus:mail
==== dhcp ====
Subpackages: dhcp-client dhcp-relay dhcp-server
- Add compile option '-std=gnu17' to fix build with gcc15.
[bsc#1241472]
==== ethtool ====
Subpackages: ethtool-bash-completion
- fix AppStream metainfo XML file
* misc-fix-AppStream-metainfo-XML.patch
==== fdupes ====
Version update (2.3.1 -> 2.4.0)
- Update to 2.4.0:
* Add quick summary option that skips byte-for-byte match confirmation.
* Reduce number of progress indicator updates for better performance.
- Update to 2.3.2:
* Keep cursor as close to current group as possible after deleting files.
==== firewalld ====
Subpackages: firewalld-bash-completion python3-firewall
- Split the package to build the firewalld-rpmmacros subpackage in
a _multibuild flavor so that we can build it in Factory/i586 by
itself instead of building the whole package, which has more
dependencies (like python-PyQt6).
==== fuse3 ====
Version update (3.17.1 -> 3.17.2)
Subpackages: libfuse3-4
- Updae to release 3.17.2
* Fixed initialization races related to buffer reallocation when
large buf sizes are used (/proc/sys/fs/fuse/max_pages_limit).
* A conn.want flag conversion fix for high-level applications.
==== gcc14 ====
Version update (14.2.1+git11321 -> 14.2.1+git11702)
- Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build.
- Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702
* Remove gcc14-pr118780.patch now on the upstream branch
- Fix build on s390x [bsc#1241549]
==== gcc15 ====
Version update (15.0.1+git9352 -> 15.1.1+git9595)
Subpackages: cpp15 libasan8 libatomic1 libgcc_s1 libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libstdc++6 libstdc++6-pp libtsan2 libubsan1
- Update to GCC 15 branch head, 15.1.1+git9595
* includes GCC 15.1 release
- Enable gfx9-generic, gfx10-3-generic and gfx11-generic multilibs
for the AMD GCN offload compiler when llvm is new enough.
- Build the COBOL frontend also for risc-v
- Add loongarch64 to quadmath_arch
==== gdb ====
Version update (15.2 -> 16.3)
- Mention fixup-gdb-6.5-gcore-buffer-limit-test.patch.
- Mention changes in GDB 16:
* GDB now supports watchpoints for tagged data pointers (see
https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such
as the one used by the Linear Address Masking (LAM) feature
provided by Intel.
* Debugging support for Intel MPX has been removed. This
includes the removal of:
* MPX register support
* the commands "show/set mpx bound" (deprecated since GDB 15)
* i386 and amd64 implementation of the hooks report_signal_info
and get_siginfo_type.
* GDB now supports printing of asynchronous events from the
Intel Processor Trace during 'record instruction-history',
'record function-call-history' and all stepping commands.
This can be controlled with the new "set record btrace pt
event-tracing" command.
* GDB now supports printing of ptwrite payloads from the Intel
Processor Trace during 'record instruction-history', 'record
function-call-history' and all stepping commands. The payload
is also accessible in Python as a RecordAuxiliary object.
Printing is customizable via a ptwrite filter function in
Python. By default, the raw ptwrite payload is printed for
each ptwrite that is encountered.
* For breakpoints that are created in the 'pending' state, any
'thread' or 'task' keywords are parsed at the time the
breakpoint is created, rather than at the time the breakpoint
becomes non-pending.
* Thread-specific breakpoints are only inserted into the
program space in which the thread of interest is running.
In most cases program spaces are unique for each inferior,
so this means that thread-specific breakpoints will usually
only be inserted for the inferior containing the thread of
interest. The breakpoint will be hit no less than before.
* For ARM targets, the offset of the pc in the jmp_buf has
been fixed to match glibc 2.20 and later. This should only
matter when not using libc probes. This may cause breakage
when using an incompatible libc, like uclibc or newlib, or
an older glibc.
* MTE (Memory Tagging Extension) debugging is now supported on
AArch64 baremetal targets.
* In a record session, when a forward emulation reaches the end
of the reverse history, the warning message has been changed
to indicate that the end of the history has been reached. It
also specifies that the forward execution can continue, and
the recording will also continue.
* The Ada 'Object_Size attribute is now supported.
* New bash script gstack uses GDB to print stack traces of
running processes.
* Python API:
* Added gdb.record.clear. Clears the trace data of the
current recording. This forces re-decoding of the trace for
successive commands.
* Added the new event source gdb.tui_enabled.
* New module gdb.missing_objfile that facilitates dealing with
missing objfiles when opening a core-file.
* New function gdb.missing_objfile.register_handler that can
register an instance of a sub-class of
gdb.missing_debug.MissingObjfileHandler as a handler for
missing objfiles.
* New class gdb.missing_objfile.MissingObjfileHandler which
can be sub-classed to create handlers for missing objfiles.
* The 'signed' argument to gdb.Architecture.integer_type()
will no longer accept non-bool types.
* The gdb.MICommand.installed property can only be set to True
or False.
* The 'qualified' argument to gdb.Breakpoint constructor will
no longer accept non-bool types.
* Added the gdb.Symbol.is_artificial attribute.
* Debugger Adapter Protocol changes:
* The "scopes" request will now return a scope holding global
variables from the stack frame's compilation unit.
* The "scopes" request will return a "returnValue" scope
holding the return value from the latest "stepOut" command,
when appropriate.
* The "launch" and "attach" requests were rewritten in
accordance with some clarifications to the spec. Now they
can be sent at any time after the "initialized" event, but
will not take effect (or send a response) until after the
"configurationDone" request has been sent.
* The "variables" request will not return artificial symbols.
* New commands:
* show jit-reader-directory
Show the name of the directory that "jit-reader-load" uses
for relative file names.
* set style line-number foreground COLOR
set style line-number background COLOR
set style line-number intensity VALUE
Control the styling of line numbers printed by GDB.
* set style command foreground COLOR
set style command background COLOR
set style command intensity VALUE
Control the styling of GDB commands when displayed by GDB.
* set style title foreground COLOR
set style title background COLOR
set style title intensity VALUE
This style now applies to the header line of lists, for
example the first line of the output of "info breakpoints".
Previous uses of this style have been replaced with the new
... changelog too long, skipping 120 lines ...
* gdb-rhbz-818343-set-solib-absolute-prefix-testcase.patch
==== gimp ====
Subpackages: gimp-plugin-aa gimp-plugin-python3 libgimp-3_0-0 libgimpui-3_0-0
- Added libheif-aom dependency to AVIF support (boo#1241553).
==== glib2-branding-openSUSE ====
- Update defaults to match current situation:
+ Remove banshee preference: banshee has not been shipped since
2016.
+ Add Loupe to the preferred applications for images
+ Do not use Eog by default. As it's alphabetically before
Loupe, Eog would always win the way it was listed (when
installed).
+ Explicitly set image/tiff to org.gnome.Loupe as Eog is no
longer part of the default installations.
==== glslang ====
Version update (15.2.0 -> 15.3.0)
- Update to release 15.3
* Fix crash calling coopMatLoadTensorNV on an array element
* Implement GL_EXT_bfloat16
* Add missing error checks for bfloat16 math
==== gnome-music ====
Version update (48.beta+25 -> 48.beta+31)
- Update to version 48.beta+31:
+ Remove useless GIRepository import.
+ Updated translations.
==== gnome-shell ====
Subpackages: gnome-extensions gnome-shell-calendar
- Drop gnome-shell-executable-path-not-absolute.patch: The original
patch did not work as expected, and assuming gsettings is in the
bin dir of gnome-shell is not correct, so keep relative path
(bsc#1241666).
==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30
- Fix FIPS mode running on Tumbleweed [bsc#1237101]
* When nettle or libhogweed are installed with glbic-hwcaps for x86_64-v3,
some paths differ and we are unable to match the hmac file for the lib.
* Add gnutls-FIPS-HMAC-x86_64-v3-opt.patch
==== grub2 ====
Subpackages: grub2-arm64-efi grub2-common grub2-snapper-plugin grub2-systemd-sleep-plugin
- grub2-common: use fuse3
- Add support for boot assessment, needed by health-checker
* grub2-bls-boot-counting.patch
* grub2-bls-boot-assessment.patch
* grub2-bls-boot-show-snapshot.patch
* grub2-blscfg-fix-hang.patch
* grub2-blscfg-set-efivars.patch
- Fix reading bls fragments in file-system dependent order that is not
predictable (bsc#1241046)
* 0001-blscfg-read-fragments-in-order.patch
- Fix PPC CAS reboot failure work when initiated via submenu (bsc#1241132)
* 0001-Fix-PowerPC-CAS-reboot-to-evaluate-menu-context.patch
==== gstreamer ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0
- Update to version 1.26.1:
+ Highlighted bugfixes:
- awstranslate and speechmatics plugin improvements
- decodebin3 fixes and urisourcebin/playbin3 stability
improvements
- Closed captions: CEA-708 generation and muxing fixes, and
H.264/H.265 caption extractor fixes
- dav1d AV1 decoder: RGB support, plus colorimetry,
renegotiation and buffer pool handling fixes
- Fix regression when rendering VP9 with alpha
- H.265 decoder base class and caption inserter SPS/PPS
handling fixes
- hlssink3 and hlsmultivariantsink feature enhancements
- Matroska v4 support in muxer, seeking fixes in demuxer
- macOS: framerate guessing for cameras or capture devices
where the OS reports silly framerates
- MP4 demuxer uncompressed video handling improvements and
sample table handling fixes
- oggdemux: seeking improvements in streaming mode
- unixfdsrc: fix gst_memory_resize warnings
- Plugin loader fixes, especially for Windows
- QML6 GL source renegotiation fixes
- RTP and RTSP stability fixes
- Thread-safety improvements for the Media Source Extension
(MSE) library
- v4l2videodec: fix A/V sync issues after decoding errors
- Various improvements and fixes for the fragmented and
non-fragmented MP4 muxers
- Video encoder base class segment and buffer timestamp
handling fixes
- Video time code support for 119.88 fps and
drop-frames-related conversion fixes
- WebRTC: Retransmission entry creation fixes and better audio
level header extension compatibility
- YUV4MPEG encoder improvments
- dots-viewer: make work locally without network access
- gst-python: fix compatibility with PyGObject >= 3.52.0
- Cerbero: recipe updates, compatibility fixes for Python <
3.10; Windows Android cross-build improvements
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ gstreamer:
- Correctly handle whitespace paths when executing
gst-plugin-scanner
- Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
- cmake: Fix PKG_CONFIG_PATH formatting for Windows
cross-builds
- macos: Move macos function documentation to the .h so the
introspection has the information
- meson.build: test for and link against libatomic if it exists
- pluginloader-win32: Fix helper executable path under devenv
- pluginloader: fix pending_plugins Glist use-after-free issue
- unixfdsrc: Complains about resize of memory area
- tracers: dots: fix debug log
==== gstreamer-plugins-bad ====
Version update (1.26.0 -> 1.26.1)
Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0
- Update to version 1.26.1:
+ Add missing Requires in pkg-config
+ Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
+ Update docs
+ aja: Use the correct location of the AJA NTV2 SDK in the docs
+ alphacombine: De-couple flush-start/stop events handling
+ alphadecodebin: use a multiqueue instead of a couple of queues
+ avfvideosrc: Guess reasonable framerate values for some 3rd
party devices
+ codecalpha: name both queues
+ d3d12converter: Fix cropping when automatic mipmap is enabled
+ dashsink: Make sure to use a non-NULL pad name when requesting
a pad from splitmuxsink
+ docs: Fix GstWebRTCICE* class documentation
+ h264ccextractor, h265ccextractor: Handle gap with unknown pts
+ h265decoder, h265ccinserter: Fix broken SPS/PPS link
+ h265parser: Fix num_long_term_pics bound check
+ Segmentation fault in H265 decoder
+ h266decoder: fix leak parsing SEI messages
+ meson.build: test for and link against libatomic if it exists
+ mse: Improved Thread Safety of API
+ mse: Revert ownership transfer API change in
gst_source_buffer_append_buffer()
+ tensordecoders: updating element classification
+ unixfd: Fix wrong memory size when offset > 0
+ uvcsink: Respond to control requests with proper error handling
+ v4l2codecs: unref frame in all error paths of end_picture
+ va: Skip codecs that report maximum width or height lower than
minimum
+ vapostproc: fix wrong video orientation after restarting the
element
+ vavp9enc: fix mem leaks in _vp9_decide_profile
+ vkformat: fix build error
+ vtenc: Avoid deadlocking when changing properties on the fly
+ vulkan: fix memory leak at dynamic registering
+ webrtc: enhance rtx entry creation
+ webrtcbin: add missing warning for caps missmatch
+ ZDI-CAN-26596: New Vulnerability Report (Security)
- Drop va-codecs-check-size.patch: Fixed upstream.
- Drop cuda_nvdec conditional, builds fine for aarch64/armv7 now.
==== gstreamer-plugins-base ====
Version update (1.26.0 -> 1.26.1)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0
- Update to version 1.26.1:
+ Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
+ alsadeviceprovider: Fix leak of Alsa longname
+ audioaggregator: fix error added in !8416 when chaining up
+ audiobasesink: Fix custom slaving driftsamples calculation and
add custom audio clock slaving callback example
+ decodebin3:
- Don't avoid parsebin even if we have a matching decoder
- Doesn't plug parsebin for AAC from tsdemux
+ gl: eglimage: warn the reason of export failure
+ glcolorconvert:
- Fix YUVA<->RGBA conversions
- Regression when rendering alpha vp9
+ gldownload: Unref glcontext after usage
+ meson.build: test for and link against libatomic if it exists
+ oggdemux: Don't push new packets if there is a pending seek
+ urisourcebin:
- Make parsebin activation more reliable
- Deadlock between parsebin and typefind
+ videoencoder: Use the correct segment and buffer timestamp in
the chain function
+ videotimecode: Fix conversion of timecode to datetime with
drop-frame timecodes and handle 119.88 fps correctly in all
places
==== gstreamer-plugins-good ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-plugins-good-gtk
- Update to version 1.26.1:
+ Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
+ gst-plugins-good: Matroska mux v4 support
+ matroska-demux: Prevent corrupt cluster duplication
+ qml6glsrc: update buffer pool on renegotiation
+ qt6: Add a missing newline in unsupported platform message
+ qtdemux:
- Fix stsc size check in qtdemux_merge_sample_table()
- Next Iteration Of Uncompressed MP4 Decoder
- Unref simple caps after use
+ rtspsrc:
- Do not emit signal 'no-more-pads' too early
- Don't error out on not-linked too early
+ rtpsession:
- Do not push events while holding SESSION_LOCK
- Deadlock when gst_rtp_session_send_rtcp () is forwarding eos
+ v4l2: drop frame for frames that cannot be decoded
+ v4l2videodec: AV unsync for streams with many frames that
cannot be decoded
+ v4l2object:
- Fix memory leak
- Fix type mismatch when ioctl takes int
+ y4menc:
- Fix Y41B format
- Handle frames with GstVideoMeta
==== hwdata ====
Version update (0.393 -> 0.394)
- Update to version 0.394:
* Update pci and vendor ids
==== iptables ====
Subpackages: libip4tc2 libip6tc2 libxtables12 xtables-plugins
- Remove legacy backend from SLES16
==== java-21-openjdk ====
Version update (21.0.6.0 -> 21.0.7.0)
Subpackages: java-21-openjdk-headless
- Update to upstream tag jdk-21.0.7+6 (April 2025 CPU)
* CVEs
+ CVE-2025-21587, bsc#1241274
+ CVE-2025-30691, bsc#1241275
+ CVE-2025-30698, bsc#1241276
* Changes
+ JDK-8198237: [macos] Test java/awt/Frame/
/ExceptionOnSetExtendedStateTest/
/ExceptionOnSetExtendedStateTest.java fails
+ JDK-8211851: (ch) java/nio/channels/AsynchronousSocketChannel/
/StressLoopback.java times out (aix)
+ JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB
tab in JColorChooser
+ JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in
FileChooser Dialog
+ JDK-8227529: With malformed --app-image the error messages
are awful
+ JDK-8277240: java/awt/Graphics2D/ScaledTransform/
/ScaledTransform.java dialog does not get disposed
+ JDK-8283664: Remove jtreg tag manual=yesno for
java/awt/print/PrinterJob/PrintTextTest.java
+ JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit
access thread fields from native
+ JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism
are problematic
+ JDK-8294316: SA core file support is broken on macosx-x64
starting with macOS 12.x
+ JDK-8295159: DSO created with -ffast-math breaks Java
floating-point arithmetic
+ JDK-8302111: Serialization considerations
+ JDK-8304701: Request with timeout aborts later in-flight
request on HTTP/1.1 cxn
+ JDK-8309841: Jarsigner should print a warning if an entry is
removed
+ JDK-8311546: Certificate name constraints improperly
validated with leading period
+ JDK-8312570: [TESTBUG] Jtreg compiler/loopopts/superword/
/TestDependencyOffsets.java fails on 512-bit SVE
+ JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/
/NextDropActionTest.java fails with java.lang.RuntimeException:
wrong next drop action!
+ JDK-8313905: Checked_cast assert in CDS compare_by_loader
+ JDK-8314752: Use google test string comparison macros
+ JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails
with java.lang.AssertionError: Expected [0]. Actual [1618]:
+ JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/
/ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java
timed out
+ JDK-8315825: Open some swing tests
+ JDK-8315882: Open some swing tests 2
+ JDK-8315883: Open source several Swing JToolbar tests
+ JDK-8315952: Open source several Swing JToolbar JTooltip
JTree tests
+ JDK-8316056: Open source several Swing JTree tests
+ JDK-8316146: Open some swing tests 4
+ JDK-8316149: Open source several Swing JTree JViewport
KeyboardManager tests
+ JDK-8316218: Open some swing tests 5
+ JDK-8316371: Open some swing tests 6
+ JDK-8316627: JViewport Test headless failure
+ JDK-8316885: jcmd: Compiler.CodeHeap_Analytics cmd does not
inform about missing aggregate
+ JDK-8317283: jpackage tests run osx-specific checks on
windows and linux
+ JDK-8317636: Improve heap walking API tests to verify
correctness of field indexes
+ JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber
registered
+ JDK-8317919: pthread_attr_init handle return value and
destroy pthread_attr_t object
+ JDK-8319233: AArch64: Build failure with clang due to
- Wformat-nonliteral warning
+ JDK-8320372: test/jdk/sun/security/x509/DNSName/
/LeadingPeriod.java validity check failed
+ JDK-8320676: Manual printer tests have no Pass/Fail buttons,
instructions close set 1
+ JDK-8320691: Timeout handler on Windows takes 2 hours to
complete
+ JDK-8320706: RuntimePackageTest.testUsrInstallDir test fails
on Linux
+ JDK-8320916: jdk/jfr/event/gc/stacktrace/
/TestParallelMarkSweepAllocationPendingStackTrace.java failed
with "OutOfMemoryError: GC overhead limit exceeded"
+ JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java
failed with 'Cannot read the array length because "<local4>"
is null'
+ JDK-8322983: Virtual Threads: exclude 2 tests
+ JDK-8324672: Update jdk/java/time/tck/java/time/
/TCKInstant.java now() to be more robust
+ JDK-8324807: Manual printer tests have no Pass/Fail buttons,
instructions close set 2
+ JDK-8324838: test_nmt_locationprinting.cpp broken in the gcc
windows build
+ JDK-8325042: Remove unused JVMDITools test files
+ JDK-8325529: Remove unused imports from `ModuleGenerator`
test file
+ JDK-8325659: Normalize Random usage by incubator vector tests
+ JDK-8325937: runtime/handshake/HandshakeDirectTest.java
causes "monitor end should be strictly below the frame
... changelog too long, skipping 347 lines ...
+ rediff
==== jemalloc ====
- Add fix_make_check_with_gcc15.patch to make the testsuite pass
despite new GCC malloc-related optimizations. [boo#1240665]
==== jitterentropy ====
Version update (3.4.1 -> 3.6.3)
- Update to 3.6.3: [bsc#1242050]
* Correct time stamp processing on AIX
* Use high-resolution time stamp on Apple Silicon
* GCD power-up test: consider OSR
* Remove patches fixed in the update:
- jitterentropy-fix-a-stack-corruption-on-s390x.patch
* Rebase patches:
- jitterentropy-split-internal-header.patch
- jitterentropy-with-debug.patch
- Update to 3.6.2:
* Fix RCT re-initialization in jent_read_entropy_safe
* simplify test code
* improve keyword portability
- Update to 3.6.1:
* Add more test code
* Add support for SunPRO compiler
* Fix compilation on OpenBSD by replacing sed with tr
* internal timer: Add support for Apple
* Various small fixes to compilation to imporve portability
- Update to 3.6.0:
* Remove bi-modal behavior of conditioning function
* Make jent_read_entropy_safe safer by retrying the health test
* Move the version information to make them available at compile time
- Update to 3.5.0:
* add distinction between intermittent and permanent health failure
* add compile time option to allow configuring a mask to reduce the
size of the time stamp used for the APT
==== kernel-firmware-amdgpu ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ath10k ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ath11k ====
Version update (20250227 -> 20250424)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
* ath11k: WCN6855 hw2.0: update board-2.bin
* ath11k: IPQ5018 hw1.0: update to WLAN.HK.2.6.0.1-01300-QCAHKSWPL_SILICONZ-1
==== kernel-firmware-ath12k ====
Version update (20250206 -> 20250424)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
* ath12k: WCN7850 hw2.0: update to WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
* ath12k: QCN9274 hw2.0: update board-2.bin
==== kernel-firmware-atheros ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-bluetooth ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-bnx2 ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-brcm ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-chelsio ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-dpaa2 ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-i915 ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-intel ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-iwlwifi ====
Version update (20250312 -> 20250423)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250423 (git commit c67433231cbd):
* iwlwifi: add Bz/gl FW for core95-82 release
* iwlwifi: update ty/So/Ma firmwares for core95-82 release
* iwlwifi: update cc/Qu/QuZ firmwares for core95-82 release
- Update to version 20250422 (git commit 32f3227b67c0):
* iwlwifi: add Bz-hr FW for core93-123 release
==== kernel-firmware-liquidio ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-marvell ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-media ====
Version update (20250422 -> 20250424)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
* qcom: vpu: update video firmware binary for SA8775p
==== kernel-firmware-mediatek ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-mellanox ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-mwifiex ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-network ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-nfp ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-nvidia ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-platform ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-prestera ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-qcom ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-qlogic ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-radeon ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-realtek ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-serial ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-sound ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ti ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ueagle ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-usb-network ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-source ====
Version update (6.14.3 -> 6.14.4)
Subpackages: kernel-64kb kernel-default
- Linux 6.14.4 (bsc#1012628).
- scsi: hisi_sas: Enable force phy when SATA disk directly
connected (bsc#1012628).
- wifi: at76c50x: fix use after free access in at76_disconnect
(bsc#1012628).
- wifi: mac80211: Update skb's control block key in
ieee80211_tx_dequeue() (bsc#1012628).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop()
(bsc#1012628).
- wifi: brcmfmac: fix memory leak in brcmf_get_module_param
(bsc#1012628).
- wifi: wl1251: fix memory leak in wl1251_tx_work (bsc#1012628).
- scsi: iscsi: Fix missing scsi_host_put() in error path
(bsc#1012628).
- scsi: smartpqi: Use is_kdump_kernel() to check for kdump
(bsc#1012628).
- md/raid10: fix missing discard IO accounting (bsc#1012628).
- md/md-bitmap: fix stats collection for external bitmaps
(bsc#1012628).
- ASoC: dwc: always enable/disable i2s irqs (bsc#1012628).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()
(bsc#1012628).
- crypto: tegra - Fix IV usage for AES ECB (bsc#1012628).
- ovl: remove unused forward declaration (bsc#1012628).
- RDMA/bnxt_re: Fix budget handling of notification queue
(bsc#1012628).
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
(bsc#1012628).
- RDMA/hns: Fix wrong maximum DMA segment size (bsc#1012628).
- ALSA: hda/cirrus_scodec_test: Don't select dependencies
(bsc#1012628).
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
(bsc#1012628).
- ASoC: cs42l43: Reset clamp override on jack removal
(bsc#1012628).
- RDMA/core: Silence oversized kvmalloc() warning (bsc#1012628).
- firmware: cs_dsp: test_bin_error: Fix uninitialized data used
as fw version (bsc#1012628).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for
invalid address (bsc#1012628).
- Bluetooth: btrtl: Prevent potential NULL dereference
(bsc#1012628).
- Bluetooth: l2cap: Check encryption key size on incoming
connection (bsc#1012628).
- RDMA/bnxt_re: Remove unusable nq variable (bsc#1012628).
- ipv6: add exception routes to GC list in rt6_insert_exception
(bsc#1012628).
- xen: fix multicall debug feature (bsc#1012628).
- mlxbf-bootctl: use sysfs_emit_at() in
secure_boot_fuse_state_show() (bsc#1012628).
- wifi: iwlwifi: pcie: set state to no-FW before reset handshake
(bsc#1012628).
- Revert "wifi: mac80211: Update skb's control block key in
ieee80211_tx_dequeue()" (bsc#1012628).
- igc: fix PTM cycle trigger logic (bsc#1012628).
- igc: increase wait time before retrying PTM (bsc#1012628).
- igc: move ktime snapshot into PTM retry loop (bsc#1012628).
- igc: handle the IGC_PTP_ENABLED flag correctly (bsc#1012628).
- igc: cleanup PTP module if probe fails (bsc#1012628).
- igc: add lock preventing multiple simultaneous PTM transactions
(bsc#1012628).
- perf tools: Remove evsel__handle_error_quirks() (bsc#1012628).
- dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry
(bsc#1012628).
- smc: Fix lockdep false-positive for IPPROTO_SMC (bsc#1012628).
- test suite: use %zu to print size_t (bsc#1012628).
- selftests: mincore: fix tmpfs mincore test failure
(bsc#1012628).
- pds_core: fix memory leak in pdsc_debugfs_add_qcq()
(bsc#1012628).
- ethtool: cmis_cdb: use correct rpl size in
ethtool_cmis_module_poll() (bsc#1012628).
- net: mctp: Set SOCK_RCU_FREE (bsc#1012628).
- net: hibmcge: fix incorrect pause frame statistics issue
(bsc#1012628).
- net: hibmcge: fix incorrect multicast filtering issue
(bsc#1012628).
- net: hibmcge: fix wrong mtu log issue (bsc#1012628).
- net: hibmcge: fix not restore rx pause mac addr after reset
issue (bsc#1012628).
- block: fix resource leak in blk_register_queue() error path
(bsc#1012628).
- netlink: specs: ovs_vport: align with C codegen capabilities
(bsc#1012628).
- net: openvswitch: fix nested key length validation in the set()
action (bsc#1012628).
- can: rockchip_canfd: fix broken quirks checks (bsc#1012628).
- net: ngbe: fix memory leak in ngbe_probe() error path
(bsc#1012628).
- octeontx2-pf: handle otx2_mbox_get_rsp errors (bsc#1012628).
- net: ethernet: ti: am65-cpsw: fix port_np reference counting
(bsc#1012628).
- eth: bnxt: fix missing ring index trim on error path
(bsc#1012628).
- loop: aio inherit the ioprio of original request (bsc#1012628).
- loop: stop using vfs_iter_{read,write} for buffered I/O
(bsc#1012628).
- nvmet: pci-epf: always fully initialize completion entries
(bsc#1012628).
... changelog too long, skipping 328 lines ...
- commit f04c2d4
==== libavif ====
Version update (1.1.1 -> 1.2.1)
- Disable tests due to restrictions in Factory/ring1.
- Temporary deactivation of the generation of manual pages
with pandoc due to restrictions in Factory/ring1.
(https://build.opensuse.org/request/show/1272161#comment-2136811)
- update to 1.2.1:
* Added since 1.2.0
- Add support for outputting all frames of an image sequence in avifdec.
- avifdec --index all sequence.avif out.png creates files named
- out-xxxxxxxxxx.png where xxxxxxxxxx are the zero-padded frame indices.
* Changed since 1.2.0
- Fix local libargparse dependency patch step on macOS 10.15 and earlier.
- Patch local libyuv dependency for compatibility with gcc 10.
- Use stricter C99 syntax to avoid related compilation issues.
- Update svt.cmd/svt.sh/LocalSvt.cmake to v3.0.1.
- update to 1.2.0:
* Added since 1.1.1
- Turn on the gain map API. Remove the AVIF_ENABLE_EXPERIMENTAL_GAIN_MAP CMake
flag.
- Allow YCgCo_Re and YCgCo_Ro encoding/decoding and update the enum values to
the latest CICP specification. Remove the AVIF_ENABLE_EXPERIMENTAL_YCGCO_R
CMake flag.
- Add the properties and numProperties fields to avifImage. They are filled by
the avifDecoder instance with the properties unrecognized by libavif. They are
written by the avifEncoder.
- Add avif(Un)SignedFraction structs and avifDoubleTo(Un)SignedFraction
utility functions.
- Add 'avifgainmaputil' command line tool to installed apps.
- Add avifCropRectRequiresUpsampling().
- Add experimental support for PixelInformationProperty syntax from HEIF 3rd Ed.
Amd2 behind the compilation flag AVIF_ENABLE_EXPERIMENTAL_EXTENDED_PIXI.
- Add experimental Sample Transform recipe
BIT_DEPTH_EXTENSION_12B_8B_OVERLAP_4B.
* Changed since 1.1.1
- avifenc: Allow large images to be encoded.
- Fix empty CMAKE_CXX_FLAGS_RELEASE if -DAVIF_CODEC_AOM=LOCAL -DAVIF_LIBYUV=OFF
is specified. #2365.
- Rename AVIF_ENABLE_EXPERIMENTAL_METAV1 to AVIF_ENABLE_EXPERIMENTAL_MINI and
update the experimental reduced header feature to the latest specification
draft. Rename AVIF_HEADER_REDUCED to AVIF_HEADER_MINI.
- Update the experimental Sample Transform feature behind the
AVIF_ENABLE_EXPERIMENTAL_SAMPLE_TRANSFORM CMake flag to the latest
specification draft.
- Ignore gain maps with unsupported metadata. Handle gain maps with
writer_version > 0 correctly.
- Simplify gain map API: remove the enableParsingGainMapMetadata setting, now
gain map metadata is always parsed if present and if this feature is compiled
in. Replace enableDecodingGainMap and ignoreColorAndAlpha with a bit field to
choose image content to decode. Remove gainMapPresent: users can check if
decoder->image->gainMap != NULL instead. Remove avifGainMapMetadata and
avifGainMapMetadataDouble structs.
- Write an empty HandlerBox name field instead of "libavif" (saves 7 bytes).
- Check for FileTypeBox precedence in avifParse().
- Do not write an alternative group with the same ID as an item.
- Update aom.cmd/LocalAom.cmake: v3.12.0. The new codec-specific option tune=iq
(image quality) is added in libaom v3.12.0.
- Update parseAV2SequenceHeader() and avm.cmd: research-v9.0.0
- Update dav1d.cmd/dav1d_android.sh/LocalDav1d.cmake: 1.5.1
- Update libjpeg.cmd/LocalJpeg.cmake: v3.0.4
- Update libxml2.cmd/LocalLibXml2.cmake: v2.13.5
- Update libyuv.cmd: ccdf87034 (1903)
- Update svt.cmd/svt.sh/LocalSvt.cmake to v3.0.0. When available, use
EbSvtAv1EncConfiguration::lossless and ::level_of_parallelism in libavif.
- Remove AVIF_ENABLE_GTEST CMake option. It's now implied by
AVIF_GTEST=LOCAL/SYSTEM.
- Deprecate avifEncoder's minQuantizer, maxQuantizer, minQuantizerAlpha,
and maxQuantizerAlpha fields. quality and qualityAlpha should be used
instead. Deprecate avifenc's --min, --max, --minalpha and --maxalpha
flags. -q or --qcolor and --qalpha should be used instead.
- For dependencies, the deprecated way of setting AVIF_LOCAL_* to ON is
removed. Dependency options can now only be set to OFF/LOCAL/SYSTEM.
- Change the default quality for alpha to be the same as the quality for color.
- Allow decoding subsampled images with odd Clean Aperture dimensions or offsets.
- Deprecate avifCropRectConvertCleanApertureBox() and
avifCleanApertureBoxConvertCropRect(). Replace them with
avifCropRectFromCleanApertureBox() and avifCleanApertureBoxFromCropRect().
- Write descriptive properties before transformative properties.
- Reject non-essential transformative properties.
- Treat avifenc --stdin as a regular positional file path argument.
- Update man pages based on avifenc/dec's --help message.
- android_jni: Support 16kb page size
- android_jni: Set threads to 2 instead of CPU count
- Fix overflows when dealing with alpha during YUV/RGB conversions and in
avifRGBImageAllocatePixels().
- Make avifEncoder.headerFormat a flag combination for future features.
- Rename AVIF_HEADER_FULL to AVIF_HEADER_DEFAULT. Deprecate AVIF_HEADER_FULL.
- Fix decoding image sequences with non video tracks (such as audio or subtitles).
- Fix type checking of auxiliary tracks: previously any auxiliary track was
assumed to be alpha, even if it was a different type. If the aux type is absent,
it is assumed to be alpha.
- Add libargparse-ee74d1b53bd680748af14e737378de57e2a0a954.tar.gz
- Add %check/tests
- Add man pages
==== libeconf ====
Version update (0.7.7 -> 0.7.8)
- Update to version 0.7.8:
* Fix memory access if there are a comment character inside a comment.
==== libedit ====
Version update (20210910.3.1 -> 20250104.3.1)
- update to 20250104:
* all: sync with upstream source
* doc/Makefile.am: fix regression. Name all manpage links as
el_* (e.g. el_history.3) to avoid conflicts.
* src/chartype.c: Add missing stdint.h
* src/sys.h, src/reallocarr.c: Remove unused sys/cdefs.h
include, to compile against musl libc
* src/sys.h: Add __sun guard around sys/types.h in sys.h
- drop libedit-20180525-manpage-conflicts.patch and
libedit-hidden-symbols.patch: upstreamed
- no need for autoreconf and it's BuildRequires:
==== libgcrypt ====
- Differentiate use of SHA1 in the service level indicator [jsc#PED-12227]
* Include upstream SLI revamp and fips certification fixes
* Add patches:
- libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
- libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
- libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
- libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
- libgcrypt-fips-tests-Add-t-digest.patch
- libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch
- libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
- libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch
- libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
- libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch
- libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch
- libgcrypt-tests-fips-Rename-t-fips-service-ind.patch
- libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch
- libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch
- libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
- libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch
- libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
- libgcrypt-Fix-the-previous-change.patch
- libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
- libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch
- libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
- libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
- libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
- libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch
- libgcrypt-build-Improve-__thread-specifier-check.patch
- libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch
- libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
- libgcrypt-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-FIPS-mode.patch
- libgcrypt-cipher-rsa-Mark-reject-SHA1-unknown-with-RSA-signature-generation.patch
- libgcrypt-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-mode.patch
- libgcrypt-md-Use-check_digest_algo_spec-in-_gcry_md_selftest.patch
- libgcrypt-tests-Update-t-fips-service-ind-using-GCRY_MD_SHA256-for-KDF-tests.patch
- libgcrypt-fips-cipher-Do-the-computation-when-marking-non-compliant.patch
- libgcrypt-tests-Allow-tests-with-USE_RSA.patch
- libgcrypt-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch
- libgcrypt-cipher-Differentiate-use-of-label-K-in-the-SLI.patch
- libgcrypt-cipher-Differentiate-igninvflag-in-the-SLI.patch
- libgcrypt-cipher-Differentiate-no-blinding-flag-in-the-SLI.patch
- libgcrypt-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch
- libgcrypt-cipher-ecc-Fix-for-supplied-K.patch
- libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch
- libgcrypt-cipher-fips-Fix-for-random-override.patch
- libgcrypt-md-Make-SHA-1-non-FIPS-internally-for-1.12-API.patch
- libgcrypt-fips-Fix-GCRY_FIPS_FLAG_REJECT_MD.patch
- libgcrypt-doc-Add-about-GCRYCTL_FIPS_SERVICE_INDICATOR.patch
- libgcrypt-doc-Fix-syntax-error.patch
* Rebase patches:
- libgcrypt-FIPS-SLI-kdf-leylength.patch
==== libgpg-error ====
Version update (1.54 -> 1.55)
- Update to 1.55:
* Rewrite the extended length path handling under Windows. [T5754]
* Add new test commands to the gpg-error tool. Allow command w/o
dashes and reformat the help. [rEc002490a8f]
* Silence warning from gcc 15. [T7621]
==== libheif ====
Version update (1.19.7 -> 1.19.8)
Subpackages: gdk-pixbuf-loader-libheif libheif-aom libheif-dav1d libheif-ffmpeg libheif-jpeg libheif-openjpeg libheif-rav1e libheif-svtenc libheif1
- update to 1.19.8:
* Set essential flag for transformative properties as required by
MIAF. This fixes the display of AVIF images with transformations
encoded by libheif in Chrome, which checks whether this flag is
set. This mainly affected images encoded by ImageMagick.
* If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF,
libheif will not check any security limits. This can be used if a
user works with large images and the application software does not
allow to adjust the libheif security limits.
* Resolved processing 16-bit JPEG-2000
==== liblogging ====
- Compile with gcc15 instead of gcc14
* gcc14 is not availalbe in the Leap16 codestream
==== libnftnl ====
- Update signing key to 0x8C5F7146A1757A65E2422A94D70D1A666ACF2B21,
which is currently used to sign the latest tarballs including
version 1.2.9.
==== libqt5-qtwebengine ====
- Add some backported upstream changes to fix gcc-15 compile time
errors:
* qtwebengine-5.15.18-gcc15-cstdint.patch
==== libraw ====
Version update (0.21.3 -> 0.21.4)
- version update to 0.21.4
* additional checks in PhaseOne correction tag 0x412 processing
* Do not apply canon metadata crop to DNG files
* Make sure the profile_length is the same size as the allocated memory.
* fix: remove duplicated supported camera
* check split_col/split_row values in phase_one_correct
* Prevent out-of-bounds read in fuji 0xf00c tag parser
* prevent OOB reads in phase_one_correct
- modified sources
% baselibs.conf
- fixes:
* CVE-2025-43964 [bsc#1241584]
* CVE-2025-43962 [bsc#1241585]
* CVE-2025-43961 [bsc#1241643]
* CVE-2025-43963 [bsc#1241642]
==== libsoup ====
Subpackages: libsoup-3_0-0 typelib-1_0-Soup-3_0
- Add libsoup-CVE-2025-32907.patch: correct merge of ranges
(boo#1241222 CVE-2025-32907 glgo#GNOME/libsoup!452).
==== libsoup2 ====
- Add more CVE fixes:
+ c9083869.patch (boo#1241686 CVE-2025-46420)
+ libsoup-CVE-2025-32914.patch (boo#1241164 CVE-2025-32914)
+ libsoup-CVE-2025-32907.patch (boo#1241222 CVE-2025-32907)
+ libsoup-CVE-2025-46421.patch (boo#1241688 CVE-2025-46421)
==== libssh ====
Subpackages: libssh-config libssh4
- Fix build and tests with OpenSSH >= 10.0
* Use %make_build instead of naked make
* Add patches:
- libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- libssh-misc-Fix-OpenSSH-banner-parsing.patch
==== libxkbcommon ====
Version update (1.8.1 -> 1.9.0)
Subpackages: libxkbcommon-x11-0 libxkbcommon0 libxkbregistry0
- Update to release 1.9.0
* keysyms can now be written as just Unicode strings, including
multi-keysyms.
* Added support for new `<none>`, `<some>` and `<any>` wildcard
syntax in rules files.
* Added support for a new escaping format for Unicode, `\u{NNNN}`.
==== libzip ====
- Fix libzip-devel dependencies. libzip-targets*.cmake create
CMake targets for zipcmp, zipmerge and ziptool.
==== libzypp ====
Version update (17.36.6 -> 17.36.7)
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
==== lilv ====
- Rework the way the preferred python flavor is used as prefix so
it also works with Slowroll
- Add BuildRequires for pkgconfig(zix) which was pulled in
indirectly but is actually required since 0.24.22.
- Generate the python subpackage with the python flavored prefix
it's being used instead of always using python3
==== lua54 ====
- Fix license: it is MIT, not GPL-3.0-or-later.
==== mariadb-connector-c ====
- add patches from upstream to fix gcc-15 compile time errors:
* mariadb-connector-c-3.4.5-gcc15.patch
* mariadb-connector-c-3.4.5-gcc15-part2.patch
==== mozilla-nss ====
Version update (3.109 -> 3.110)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit mozilla-nss-tools
- update to NSS 3.110
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
* bmo#1953429 - Remove Crl templates from ASN1 fuzz target
* bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
* bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
* bmo#1930807 - NSS policy updates
* bmo#1951161 - Improve locking in nssPKIObject_GetInstances
* bmo#1951394 - Fix race in sdb_GetMetaData
* bmo#1951800 - Fix member access within null pointer
* bmo#1950077 - Increase smime fuzzer memory limit
* bmo#1949677 - Enable resumption when using custom extensions
* bmo#1952568 - change CN of server12 test certificate
* bmo#1949118 - Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* bmo#1949118 - Part 1: Fix smime UBSan errors
* bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
* bmo#1951491 - Don't build libpkix in static builds
* bmo#1951395 - handle `-p all` in try syntax
* bmo#1951346 - fix opt-make builds to actually be opt
* bmo#1951346 - fix opt-static builds to actually be opt
* bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
==== ncurses ====
Version update (6.5.20250412 -> 6.5.20250426)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen
- Modify patch ncurses-5.9-ibm327x.dif
* sclp term: use ASCII Console key mapping and support home
* ibm327x term: can do color and drawings but no cursor
- Add ncurses patch 20250426
+ expand note on extensions in curs_addch.3x
+ add illumos, sun-16color, sun-256color, sun-direct -TD
+ add wyse+cvis -TD
- Add ncurses patch 20250419
+ add note on scrolling and lower-right corner to waddch and wadd_wch
manual pages.
- Modify patch ncurses-5.9-ibm327x.dif
* sclp term: more missed features like home/end/pageup/pagedown keys
==== nghttp2 ====
Version update (1.64.0 -> 1.65.0)
- version update to 1.65.0
* Change clang-format options by @tatsuhiro-t in #2240
* build(deps): bump github.com/quic-go/quic-go from 0.46.0 to 0.47.0 by @dependabot in #2243
* build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #2244
* nghttp2_map: Port ngtcp2 changes by @tatsuhiro-t in #2245
* h2load: Fix UDP datagram send/recv metric by @tatsuhiro-t in #2248
* build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #2252
* fix race condition on h1 connection close by @TuxInvader in #2249
* Gha ubuntu 24.04 by @tatsuhiro-t in #2254
* GHA: Run tests for i686-w64-mingw32 host by @tatsuhiro-t in #2255
* cmake: Fix c-ares v1.34.0 version detection failure by @tatsuhiro-t in #2256
* fix: -Wextra-semi errors in nghttp2_helper.h by @codebytere in #2258
* clang-format macros that do not need semicolon at the end by @tatsuhiro-t in #2259
* Remove extra semicolons by @tatsuhiro-t in #2260
* Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2261
* Do not allow '@' in :authority or host field values by @tatsuhiro-t in #2262
* h2load: GRO buffer size should be 64KiB by @tatsuhiro-t in #2263
* Bump libbpf to v1.4.6 by @tatsuhiro-t in #2264
* Update nghttp2_check_authority doc by @tatsuhiro-t in #2265
==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop
- (bsc#1237147): Newer version of containerd do not have the directory
/usr/share/go/1.x/contrib/src/github.com/containerd/containerd/api.
Update detect-suse-location.patch to point to the directory
/usr/share/go/1.x/contrib/src/github.com/containerd/containerd/vendor/github.com/containerd/containerd/api
to find the needed files and update the tasks.proto file to import from
github.com/containerd/containerd/vendor/github.com/containerd/containerd/api
==== openSUSE-release ====
Version update (20250423 -> 20250503)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen
==== openssh ====
Version update (9.9p2 -> 10.0p2)
Subpackages: openssh-clients openssh-common openssh-server
- Add openssh-send-extra-term-env.patch, which appends a few
environment variables useful for terminal identification to the
default send and accept lists.
- "Update" to openssh 10.0p2:
- There was an issue during the packaging of 10.0p1 which made it
identify itself as 10.0p2 so 10.0p1 is now considered identical
to 10.0p2 and upstream won't release a separate 10.0p2 package.
- Update to openssh 10.0p1:
= Potentially-incompatible changes
* This release removes support for the weak DSA signature
algorithm, completing the deprecation process that began in
2015 (when DSA was disabled by default) and repeatedly warned
over the last 12 months.
* scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
scp & sftp. This disables implicit session creation by these
tools when ControlMaster was set to yes/auto by configuration,
which some users found surprising. This change will not prevent
scp/sftp from using an existing multiplexing session if one had
already been created. GHPR557
* This release has the version number 10.0 and announces itself
as "SSH-2.0-OpenSSH_10.0". Software that naively matches
versions using patterns like "OpenSSH_1*" may be confused by
this.
* sshd(8): this release removes the code responsible for the
user authentication phase of the protocol from the per-
connection sshd-session binary to a new sshd-auth binary.
Splitting this code into a separate binary ensures that the
crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection. It also yields a small runtime memory saving as the
authentication code will be unloaded after the authentication
phase completes. This change should be largely invisible to
users, though some log messages may now come from "sshd-auth"
instead of "sshd-session". Downstream distributors of OpenSSH
will need to package the sshd-auth binary.
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the
default key exchange in OpenSSH for the last 14 years.
* sshd(8): this release removes the implicit fallback to
compiled-in groups for Diffie-Hellman Group Exchange KEX when
the moduli file exists but does not contain moduli within the
client-requested range. The fallback behaviour remains for the
case where the moduli file does not exist at all. This allows
administrators more explicit control over which DH groups will
be selected, but can lead to connection failures if the moduli
file is edited incorrectly. bz#2793
= Security
* sshd(8): fix the DisableForwarding directive, which was failing
to disable X11 forwarding and agent forwarding as documented.
X11 forwarding is disabled by default in the server and agent
forwarding is off by default in the client.
= New features
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
* ssh(1): add %-token and environment variable expansion to the
ssh_config SetEnv directive.
* ssh(1): allow %-token and environment variable expansion in
the ssh_config User directive, with the exception of %r and %C
which would be self-referential. bz#3477
* ssh(1), sshd(8): add "Match version" support to ssh_config and
sshd_config. Allows matching on the local version of OpenSSH,
e.g. "Match version OpenSSH_10.*".
* ssh(1): add support for "Match sessiontype" to ssh_config.
Allows matching on the type of session initially requested,
either "shell" for interactive sessions, "exec" for command
execution sessions, "subsystem" for subsystem requests, such as
sftp, or "none" for transport/forwarding-only sessions.
* ssh(1): add support for "Match command ..." support to
ssh_config, allowing matching on the remote command as
specified on the command-line.
* ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
empty tag and command values respectively.
* sshd(8): allow glob(3) patterns to be used in sshd_config
AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
bz2755
* sshd(1): support the VersionAddendum in the client, mirroring
the option of the same name in the server; bz2745
* ssh-agent(1): the agent will now delete all loaded keys when
signaled with SIGUSR1. This allows deletion of keys without
having access to $SSH_AUTH_SOCK.
* Portable OpenSSH, ssh-agent(1): support systemd-style socket
activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
mechanism. Activated when these environment variables are set,
... changelog too long, skipping 116 lines ...
* fix-nopie-flag.patch
==== openssh-askpass-gnome ====
Version update (9.9p2 -> 10.0p2)
- "Update" to openssh 10.0p2:
* No changes for askpass, see main package changelog for
details.
- Update to openssh 10.0p1:
* No changes for askpass, see main package changelog for
details.
==== openssl-3 ====
Version update (3.2.4 -> 3.5.0)
Subpackages: libopenssl3
- Update to 3.5.0:
* Changes:
- Default encryption cipher for the req, cms, and smime applications
changed from des-ede3-cbc to aes-256-cbc.
- The default TLS supported groups list has been changed to include
and prefer hybrid PQC KEM groups. Some practically unused groups
were removed from the default list.
- The default TLS keyshares have been changed to offer X25519MLKEM768
and and X25519.
- All BIO_meth_get_*() functions were deprecated.
* New features:
- Support for server side QUIC (RFC 9000)
- Support for 3rd party QUIC stacks including 0-RTT support
- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
- A new configuration option no-tls-deprecated-ec to disable support
for TLS groups deprecated in RFC8422
- A new configuration option enable-fips-jitter to make the FIPS
provider to use the JITTER seed source
- Support for central key generation in CMP
- Support added for opaque symmetric key objects (EVP_SKEY)
- Support for multiple TLS keyshares and improved TLS key establishment
group configurability
- API support for pipelining in provided cipher algorithms
* Remove patches:
- openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
- openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
- openssl-3-add-defines-CPACF-funcs.patch
- openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
- openssl-3-add-xof-state-handling-s3_absorb.patch
- openssl-3-fix-state-handling-sha3_absorb_s390x.patch
- openssl-3-fix-s390x_shake_squeeze.patch
- openssl-3-hw-acceleration-aes-xts-s390x.patch
- openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
- openssl-3-fix-state-handling-keccak_final_s390x.patch
- openssl-3-add-hw-acceleration-hmac.patch
- openssl-3-fix-state-handling-sha3_final_s390x.patch
- openssl-3-fix-hmac-digest-detection-s390x.patch
- openssl-3-support-multiple-sha3_squeeze_s390x.patch
- openssl-3-fix-sha3-squeeze-ppc64.patch
- openssl-3-fix-s390x_sha3_absorb.patch
- openssl-3-fix-state-handling-shake_final_s390x.patch
- openssl-3-add_EVP_DigestSqueeze_api.patch
- openssl-FIPS-enforce-security-checks-during-initialization.patch
- openssl-FIPS-140-3-zeroization.patch
- openssl-FIPS-Add-explicit-indicator-for-key-length.patch
- openssl-FIPS-Mark-SHA1-as-nonapproved.patch
- openssl-Remove-EC-curves.patch
- openssl-FIPS-services-minimize.patch
- openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
- openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
- openssl-3-fix-quic_multistream_test.patch
- openssl-3-jitterentropy-3.4.0.patch
- openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
- openssl-FIPS-140-3-DRBG.patch
- openssl-FIPS-Use-FFDHE2048-in-self-test.patch
- openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
- openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
- openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
- openssl-FIPS-enforce-EMS-support.patch
- openssl-Allow-disabling-of-SHA1-signatures.patch
- openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
* Rebased patches:
- openssl-pkgconfig.patch
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-Add-Kernel-FIPS-mode-flag-support.patch
- openssl-Force-FIPS.patch
- openssl-disable-fipsinstall.patch
- openssl-FIPS-embed-hmac.patch
- openssl-Add-changes-to-ectest-and-eccurve.patch
- openssl-Disable-explicit-ec.patch
- openssl-skipped-tests-EC-curves.patch
- openssl-FIPS-140-3-keychecks.patch
- openssl-FIPS-early-KATS.patch
- openssl-FIPS-limit-rsa-encrypt.patch
- openssl-FIPS-Expose-a-FIPS-indicator.patch
- openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
- openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
- openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
- openssl-FIPS-Enforce-error-state.patch
- openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
- openssl-FIPS-enforce-EMS-support.patch
- openssl-TESTS-Disable-default-provider-crypto-policies.patch
- openssl-skip-quic-pairwise.patch
* Add patches:
- openssl-FIPS-Fix-encoder-decoder-negative-test.patch
- openssl-FIPS-SUSE-FIPS-module-version.patch
- openssl-FIPS-EC-disable-weak-curves.patch
- openssl-FIPS-NO-DES-support.patch
- openssl-FIPS-NO-DSA-Support.patch
- openssl-FIPS-NO-Kmac.patch
- openssl-FIPS-NO-PQ-ML-SLH-DSA.patch
- openssl-shared-jitterentropy.patch
- openssl-rh-allow-sha1-signatures.patch
- openssl-disable-75-test_quicapi-test.patch
- Changes between 3.3.0 and 3.4.0:
* Changes:
- Deprecation of TS_VERIFY_CTX_set_* functions and addition of
... changelog too long, skipping 96 lines ...
- Support for using certificate profiles and extened delayed delivery in CMP
==== openssl ====
Version update (3.2.4 -> 3.5.0)
- Update to 3.5.0
==== orca ====
- Downgrade Wnck to Recommends. It is an optional dependency and
is not used under Wayland (bsc#1241516).
==== postfix ====
Version update (3.10.1 -> 3.10.2)
- update to 3.10.2
* Bugfix (defect introduced: date 19991116): when appending a
setting to a main.cf or master.cf file that did not end in a
newline character, the "postconf -e" command did not add an
extra newline character before appending the new setting, causing
information to become garbled.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): the
Dovecot auth client did not attempt to create a new connection
after an I/O error on an existing connection.
* Improved and corrected error messages when converting (host or
service) information to (symbolic text, numerical text, or
binary) form.
* Documentation: updated link to Dovecot documentation.
==== publicsuffix ====
Version update (20250407 -> 20250424)
- Update to version 20250424:
* Add lp.dev to public_suffix_list.dat (#2391)
* fix: autopin dependencies (#2430)
* Run go mod tidy
* Bump golang.org/x/net from 0.33.0 to 0.38.0 in /tools (#2438)
* Add mmv.kr / vki.kr (#2442)
* dev.project-study.com (#2444)
* add `preview.site` (#2445)
* Add `luyani.app` (#2440)
* Add objectstorage.ch (#2439)
* Add val.run (#2432)
* Update public_suffix_list.dat (#2437)
* Add seg.ar to public_suffix_list.dat (#2433)
* Add convex.app and convex.site (#2436)
* Add e2b.app (#2431)
* Add *.devinapps.com (#2435)
* Add rules for Amazon Cognito (#2366)
* add `figma.site` (#2429)
==== python-M2Crypto ====
Version update (0.44.0 -> 0.45.1)
- Update to 0.45.1:
- ci: switch from using sha1 to sha256.
- ci(keys): regenerate rsa*.pem keys as well
- fix: make the package compatible with OpenSSL >= 3.4 (don’t
rely on LEGACY crypto-policies)
- chore: package also system_shadowing directory to make builds more reliable
- Update to 0.45.0:
- chore: preparing 0.45.0 release
- fix(lib,ssl): rewrite ssl_accept, ssl_{read,write}_nbio for better error handling
- fix: replace m2_PyBuffer_Release with native PyBuffer_Release
- chore: build Windows builds with Python 3.13 as well
- fix: remove support for Engine
- chore: use actual license of the project
- ci(Debian): make M2Crypto buildable on Debian (bsc#1240965)
- swig: Workaround for reading sys/select.h ending with wrong types.
- ci: bump required setuptools version because of change in naming strategy
- fix: add fix for build with older GCC
- fix: remove AnyStr and Any types
==== python-MarkupSafe ====
Version update (2.1.5 -> 3.0.2)
- Update to 3.0.2
* Fix compatibility when __str__ returns a str subclass. #472
* Build requires setuptools >= 70.1. #475
- Update to 3.0.1
* Address compiler warnings that became errors in GCC 14. #466
* Fix compatibility with proxy objects. #467
- Update to 3.0.0
* Support Python 3.13 and its experimental free-threaded build. #461
* Drop support for Python 3.7 and 3.8.
* Use modern packaging metadata with pyproject.toml instead
of setup.cfg. #348
* Change distutils imports to setuptools. #399
* Use deferred evaluation of annotations. #400
* Update signatures for Markup methods to match str signatures.
Use positional-only arguments. #400
* Some str methods on Markup no longer escape their argument: strip,
lstrip, rstrip, removeprefix, removesuffix, partition, and
rpartition; replace only escapes its new argument. These methods
are conceptually linked to search methods such as in, find, and
index, which already do not escape their argument. #401
* The __version__ attribute is deprecated. Use feature detection,
or importlib.metadata.version("markupsafe"), instead. #402
* Speed up escaping plain strings by 40%. #434
* Simplify speedups implementation. #437
==== python-gevent ====
Version update (24.10.3 -> 25.4.2)
- Update to 25.4.2: [bsc#1241067, bsc#1241037]
* Make gevent's queue classes subscriptable to match the standard
library. See issue #2102.
* Make the c-ares resolver build on Windows.
* The gevent testsuite runs a copy of the test_ssl from cpython but
the follwoing change has not been ported yet:
- gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError
in ConnectionHandler [gh#python/cpython/pull/126503]
- Rebase gevent-openssl35-test-fix.patch
- Upstream PR: [gh#gevent/gevent/pull/2103]
- Update to 25.4.1
* Remove some legacy code that supported Python 2 for compatibility
with the upcoming releases of Cython 3.1.
* Add a new environment variable and configuration setting to control
whether blocking reports are printed by the monitor thread.
* Add initial support for Python 3.14a7.
* Fix using gevent’s BackdoorServer with Unix sockets.
* Do not use pywsgi in a security-conscious environment. Fix one
security issue related to HTTP 100 Continue handling. See issue #2075.
==== python-greenlet ====
Version update (3.1.1 -> 3.2.1)
- Update to 3.2.1
* Fix a crash regression for Riscv64. See issue 443.
- from version 3.2.0
* Remove support for Python 3.7 and 3.8.
* Add untested, community supported implementation for RiscV 32. See PR 438.
* Make greenlet build and run on Python 3.14a7. It will not build on earlier
3.14 alpha releases, and may not build on later 3.14 releases.
* Packaging: Use PEP 639 license expressions and include license files.
==== python-h11 ====
Version update (0.14.0 -> 0.16.0)
- Update 0.16.0:
* Security fix (CVE-2025-43859, bsc#1241872)
Reject certain malformed Transfer-Encoding: chunked bodies that
were previously accepted. These could have enabled
request-smuggling attacks when an h11-based HTTP server was placed
behind a load balancer with a matching bug in its chunked
handling.
Advisory with more details:
https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
- 0.15.0:
* Reject Content-Lengths >= 1 zettabyte (1 billion terabytes) early,
without attempting to parse the integer (#181)
==== python-httpcore ====
Version update (1.0.8 -> 1.0.9)
- Update to 1.0.9
* Resolve https://github.com/advisories/GHSA-vqfr-h8mv-ghfj with h11
dependency update. (#1008)
==== python-hyperframe ====
Version update (6.0.1 -> 6.1.0)
Subpackages: python311-hyperframe python313-hyperframe
- Update to 6.1.0
* API Changes (Backward Incompatible)
* Support for Python 3.6 has been removed.
* Support for Python 3.7 has been removed.
* Support for Python 3.8 has been removed.
* API Changes (Backward Compatible)
* Support for Python 3.10 has been added.
* Support for Python 3.11 has been added.
* Support for Python 3.12 has been added.
* Support for Python 3.13 has been added.
* Updated packaging and testing infrastructure.
* Code cleanup and linting.
* Improved type hints.
==== python-pycares ====
Version update (4.6.0 -> 4.6.1)
- update to 4.6.1:
* Fix missing attribute type information for errno
==== python-pylsqpack ====
Version update (0.3.19 -> 0.3.20)
- update to 0.3.20:
* update ls-qpack to 2.6.1
==== python311 ====
Subpackages: python311-curses python311-dbm
- Update to 3.11.12:
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject domain
names containing square brackets ([ and ]). Square brackets
are only valid for IPv6 and IPvFuture hosts according to RFC
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so that
it spanned more than one line, the surrounding quotes and
internal escapes would be omitted. This could theoretically
be used to spoof header lines using a carefully constructed
quoted string if the resulting rendered email was transmitted
or re-parsed.
- gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On many
systems this is harmless as unused virtual memory is only
a mapping, but if this hit a virtual address size limit
it could lead to a MemoryError or other process crash. On
unusual systems or builds where all allocated memory is
touched and backed by actual ram or storage it could’ve
consumed resources doing so until similarly crashing.
- gh-127257: In ssl, system call failures that OpenSSL reports
using ERR_LIB_SYS are now raised as OSError.
- gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- gh-106883: Disable GC during the _PyThread_CurrentFrames()
and _PyThread_CurrentExceptions() calls to avoid the
interpreter to deadlock.
- Remove upstreamed patch:
- CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
which makes test_ssl not to stop ThreadedEchoServer on OSError,
which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
gh#python/cpython!126572)
==== python311-core ====
Subpackages: libpython3_11-1_0 python311-base
- Update to 3.11.12:
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject domain
names containing square brackets ([ and ]). Square brackets
are only valid for IPv6 and IPvFuture hosts according to RFC
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so that
it spanned more than one line, the surrounding quotes and
internal escapes would be omitted. This could theoretically
be used to spoof header lines using a carefully constructed
quoted string if the resulting rendered email was transmitted
or re-parsed.
- gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On many
systems this is harmless as unused virtual memory is only
a mapping, but if this hit a virtual address size limit
it could lead to a MemoryError or other process crash. On
unusual systems or builds where all allocated memory is
touched and backed by actual ram or storage it could’ve
consumed resources doing so until similarly crashing.
- gh-127257: In ssl, system call failures that OpenSSL reports
using ERR_LIB_SYS are now raised as OSError.
- gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- gh-106883: Disable GC during the _PyThread_CurrentFrames()
and _PyThread_CurrentExceptions() calls to avoid the
interpreter to deadlock.
- Remove upstreamed patch:
- CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
which makes test_ssl not to stop ThreadedEchoServer on OSError,
which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
gh#python/cpython!126572)
==== python313 ====
Version update (3.13.2 -> 3.13.3)
Subpackages: python313-curses python313-dbm python313-tk
- Update to 3.13.3:
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using
a carefully constructed encoded-word if the resulting
rendered email was transmitted or re-parsed.
- Library
- gh-132174: Fix function name in error message of
_interpreters.run_string.
- gh-132171: Fix crash of _interpreters.run_string on string
subclasses.
- gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN
environment variable knob in subprocess to control the use
of os.posix_spawn().
- gh-132159: Do not shadow user arguments in generated
__new__() by decorator warnings.deprecated. Patch by Xuehai
Pan.
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating
contextvars.ContextVar with weird unahashable string names.
- gh-131668: socket: Fix code parsing AF_BLUETOOTH socket
addresses.
- gh-131492: Fix a resource leak when constructing a
gzip.GzipFile with a filename fails, for example when
passing an invalid compresslevel.
- gh-131325: Fix sendfile fallback implementation to drain
data after writing to transport in asyncio.
- gh-129843: Fix incorrect argument passing in
warnings.warn_explicit().
- gh-131204: Use monospace font from System Font Stack for
cross-platform support in difflib.HtmlDiff.
- gh-130940: The PyConfig.use_system_logger attribute,
introduced in Python 3.13.2, has been removed. The
introduction of this attribute inadvertently introduced an
ABI breakage on macOS and iOS. The use of the system logger
is now enabled by default on iOS, and disabled by default
on macOS.
- gh-131045: Fix issue with __contains__, values, and
pseudo-members for enum.Flag.
- gh-130959: Fix pure-Python implementation of
datetime.time.fromisoformat() to reject times with spaces
in fractional part (for example, 12:34:56.400 +02:00),
matching the C implementation. Patch by Michał Gorny.
- gh-130637: Add validation for numeric response data in
poplib.POP3.stat() method
- gh-130461: Remove .. index:: directives from the uuid
module documentation. These directives previously created
entries in the general index for getnode() as well as
the uuid1(), uuid3(), uuid4(), and uuid5() constructor
functions.
- gh-130379: The zipapp module now calculates the list of
files to be added to the archive before creating the
archive. This avoids accidentally including the target when
it is being created in the source directory.
- gh-130285: Fix corner case for random.sample() allowing the
counts parameter to specify an empty population. So now,
sample([], 0, counts=[]) and sample('abc', k=0, counts=[0,
0, 0]) both give the same result as sample([], 0).
- gh-130250: Fix regression in traceback.print_last().
- gh-130230: Fix crash in pow() with only Decimal third
argument.
- gh-118761: Reverts a change in the previous release
attempting to make some stdlib imports used within the
subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
(gh#python/cpython#132535).
==== python313-core ====
Version update (3.13.2 -> 3.13.3)
Subpackages: libpython3_13-1_0 python313-base
- Update to 3.13.3:
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using
a carefully constructed encoded-word if the resulting
rendered email was transmitted or re-parsed.
- Library
- gh-132174: Fix function name in error message of
_interpreters.run_string.
- gh-132171: Fix crash of _interpreters.run_string on string
subclasses.
- gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN
environment variable knob in subprocess to control the use
of os.posix_spawn().
- gh-132159: Do not shadow user arguments in generated
__new__() by decorator warnings.deprecated. Patch by Xuehai
Pan.
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating
contextvars.ContextVar with weird unahashable string names.
- gh-131668: socket: Fix code parsing AF_BLUETOOTH socket
addresses.
- gh-131492: Fix a resource leak when constructing a
gzip.GzipFile with a filename fails, for example when
passing an invalid compresslevel.
- gh-131325: Fix sendfile fallback implementation to drain
data after writing to transport in asyncio.
- gh-129843: Fix incorrect argument passing in
warnings.warn_explicit().
- gh-131204: Use monospace font from System Font Stack for
cross-platform support in difflib.HtmlDiff.
- gh-130940: The PyConfig.use_system_logger attribute,
introduced in Python 3.13.2, has been removed. The
introduction of this attribute inadvertently introduced an
ABI breakage on macOS and iOS. The use of the system logger
is now enabled by default on iOS, and disabled by default
on macOS.
- gh-131045: Fix issue with __contains__, values, and
pseudo-members for enum.Flag.
- gh-130959: Fix pure-Python implementation of
datetime.time.fromisoformat() to reject times with spaces
in fractional part (for example, 12:34:56.400 +02:00),
matching the C implementation. Patch by Michał Gorny.
- gh-130637: Add validation for numeric response data in
poplib.POP3.stat() method
- gh-130461: Remove .. index:: directives from the uuid
module documentation. These directives previously created
entries in the general index for getnode() as well as
the uuid1(), uuid3(), uuid4(), and uuid5() constructor
functions.
- gh-130379: The zipapp module now calculates the list of
files to be added to the archive before creating the
archive. This avoids accidentally including the target when
it is being created in the source directory.
- gh-130285: Fix corner case for random.sample() allowing the
counts parameter to specify an empty population. So now,
sample([], 0, counts=[]) and sample('abc', k=0, counts=[0,
0, 0]) both give the same result as sample([], 0).
- gh-130250: Fix regression in traceback.print_last().
- gh-130230: Fix crash in pow() with only Decimal third
argument.
- gh-118761: Reverts a change in the previous release
attempting to make some stdlib imports used within the
subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
(gh#python/cpython#132535).
==== qt6-declarative ====
Subpackages: libQt6LabsAnimation6 libQt6LabsFolderListModel6 libQt6LabsPlatform6 libQt6LabsQmlModels6 libQt6LabsSettings6 libQt6LabsSharedImage6 libQt6LabsWavefrontMesh6 libQt6Qml6 libQt6QmlCore6 libQt6QmlLocalStorage6 libQt6QmlMeta6 libQt6QmlModels6 libQt6QmlNetwork6 libQt6QmlWorkerScript6 libQt6QmlXmlListModel6 libQt6Quick6 libQt6QuickControls2-6 libQt6QuickControls2Impl6 libQt6QuickDialogs2-6 libQt6QuickDialogs2QuickImpl6 libQt6QuickDialogs2Utils6 libQt6QuickEffects6 libQt6QuickLayouts6 libQt6QuickParticles6 libQt6QuickShapes6 libQt6QuickTemplates2-6 libQt6QuickTest6 libQt6QuickVectorImage6 libQt6QuickWidgets6 qt6-declarative-imports
- Add 0001-do-not-re-resolve-iterator-value-types.patch
We've resolved the value type in the type propagator. Trying to do it
again in the code generator, after the iterator may have been adjusted,
is quite wrong. If we resolve the list value type on a type that's not
a list (anymore), then we get an invalid type, which subsequently
crashes.
==== rpm ====
Subpackages: librpmbuild10
- print scriptlet messages in --runposttrans
* needed to fix leaking tmp files [bsc#1218459]
* updated patch: posttrans.diff
- backport architecture check fix from upstream
* new patch: archcheck.diff
- backport empty password fix from upstream
* new patch: emptypw.diff
- backport buildsys specific prep fix from upstream
* new patch: buildsysprep.diff
- fix memory leak in str2locale [bsc#1241052]
* updated patch: localetag.diff
==== sane-backends ====
Subpackages: libsane1 sane-backends-autoconfig
- add c23-keywords.patch from upstream to fix gcc15 compile error
==== sdbootutil ====
Version update (1+git20250421.7ffd25a -> 1+git20250430.f7d1ad1)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper
- Update to version 1+git20250430.f7d1ad1:
* Update DA lockout message
* jeos-firstboot-enroll: show errors as dialog
- Update to version 1+git20250425.25d659b:
* get-timeout for sd-boot return unsigned value
* jeos-firstboot-enroll: drop unused variable
* jeos-firstboot-enroll: continue if no enrollment (bsc#1236583)
* jeos-firstboot-enroll: hide keyctl output
* jeos-firstboot-enroll: add title and description
- Update to version 1+git20250423.61ca94f:
* Revert "Use filesystem order in grub2-bls" (bsc#1241046)
- Update to version 1+git20250423.7e34390:
* Check if TPM2 is in lockout (bsc#1241168)
* Retry password when mismatch
==== selinux-policy ====
Version update (20250411 -> 20250429)
Subpackages: selinux-policy-targeted
- Update to version 20250429:
* Allow cluster_t use NoNewPrivileges systemd hardening (bsc#1241921)
* allows gssd_t to read nfs symlinks (bsc#1241042)
* Label tpm2-measure.log with systemd_pcrlock_var_lib_t (bsc#1240887)
==== sqlite3 ====
Subpackages: libsqlite3-0 sqlite3-tcl
- Add subpackage for the lemon parser generator.
- Add patches:
* sqlite-3.49.0-fix-lemon-missing-cflags.patch
* sqlite-3.6.23-lemon-system-template.patch
==== texlive ====
- Add source-asymptote-liblsp.dif: fix some missing #include
statements (boo#1241475)
==== unbound ====
Version update (1.22.0 -> 1.23.0)
Subpackages: libunbound8 unbound-anchor
- Update to 1.23.0:
Features:
* Increase the default of max-global-quota to 200 from 128 after
operational feedback. Still keeping the possible amplification
factor (CAMP related issues) in the hundreds.
* Fix #1175: serve-expired does not adhere to secure-by-default
principle. The default value of serve-expired-client-timeout
is set to 1800 as suggested by RFC8767.
* For #1175, the default value of serve-expired-ttl is set to 86400
(1 day) as suggested by RFC8767.
* For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
* Add resolver.arpa and service.arpa to the default locally served
zones.
* Merge #1042: Fast Reload. The unbound-control fast_reload is added.
It reads changed config in a thread, then only briefly pauses the
service threads, that keep running. DNS service is only interrupted
briefly, less than a second.
* Merge #1019: Redis read-only replica support.
Introduces new 'redis-replica-*' options for the Redis cache backend.
* Merge #902: DNS Error Reporting (RFC 9567). Introduces new
configuration option 'dns-error-reporting' and new statistics for
'num.dns_error_reports'.
Bug Fixes:
* Fix #1154: Tag Incorrectly Applying for Other Interfaces
Using the Same IP. This fix is not for 1.22.0.
* Fix #1163: Typos in unbound.conf documentation.
* Merge #1159: Stats for discard-timeout and wait-limit.
* Add test case for #1159.
* Some clean up for stat_values.test.
* Merge #1170 from Melroy van den Berg, Fix chroot manpage
description.
* Merge #1157 from Liang Zhu, Fix heap corruption when calling
ub_ctx_delete in Windows.
* Fix redis that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
errors and if the server is up checks expiration features.
* Merge #1167: Makefile.in: fix occasional parallel build failures
around bison rule.
* Fix SETEX check during Redis (re)initialization.
* Fix for the serve expired DNSSEC information fix, it would not allow
current delegation information be updated in cache. The fix allows
current delegation and validation recursion information to be
updated, but as a consequence no longer has certain expired
information around for later dnssec valid expired responses.
* Fix to log redis timeout error string on failure.
* More descriptive text for 'harden-algo-downgrade'.
* Complete fix for max-global-quota to 200.
* Fix #1183: the data being used is released in method
nsec3_hash_test_entry.
* Fix for #1183: release nsec3 hashes per test file.
* Merge #1169 from Sergey Kacheev, fix: lock-free counters for
auth_zone up/down queries.
* Fix comparison to help static analyzer.
* For #1175, update serve-expired tests.
* Merge #1189: Fix the dname_str method to cause conversion errors
when the domain name length is 255.
* Merge #1197: dname_str() fixes.
* Merge #1198: Fix log-servfail with serve expired and no useful cache
contents.
* Safeguard alias loop while looking in the cache for expired answers.
* Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
drop.
* Fix typo in log_servfail.tdir test.
* Merge #1204: ci: set persist-credentials: false for actions/checkout
per zizmor suggestion.
* Merge #1174: Serve expired cache update fixes. Fixes a regression bug
with serve-expired that appeared in 1.22.0 and would not allow the
iterator to update the cache with not-yet-validated entries resulting
in increased outgoing traffic.
* Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
handshake.
* Fix #1213: Misleading error message on default access control causing
refuse.
* Merge #1221: Consider auth zones when checking for forwarders.
* Merge #1222: Unique DoT and DoH SSL contexts to allow for different
ALPN.
* Create the quic SSL listening context only when needed.
* Fix compile of interface check code when dnscrypt or quic is
disabled.
* Fix encoding of RR type ATMA.
* Fix to check length in ATMA string to wire.
* Merge #1229: check before use daemon->shm_info.
* Use the same interface listening port discovery code for all needed
protocols.
* Port to string only when needed before getaddrinfo().
* Do not open unencrypted channels next to encrypted ones on the same
port.
* Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
set.
* Merge #1220 from Petr MenÅ¡Ãk, Add unbound members group access to
control key.
* Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
* Fix #986: Resolving sas.com with dnssec-validation fails though
signed delegations seem to be (mostly) correct.
Consider reconfigurations when calculating the still_useful_timeout
... changelog too long, skipping 62 lines ...
* Merge #1265: Fix WSAPoll.
==== webrtc-audio-processing-1 ====
- Add webrtc-audio-processing-1.3-gcc15.patch to fix gcc-15
compile time errors
==== wtmpdb ====
Version update (0.73.0+git20250408.edb8638 -> 0.74.0+git20250424.2e93e77)
Subpackages: libwtmpdb0
- Update to version 0.74.0+git20250424.2e93e77:
* Release version 0.74.0
* Fix varlink interface name (rebootmgr vs wtmpdb)
* import: match login by tty if non-zero pid does not match
==== xfce4-pulseaudio-plugin ====
Version update (0.5.0 -> 0.5.1)
Subpackages: xfce4-pulseaudio-plugin-lang
- Update to version 0.5.1
* Add device ports selector to the menu
* Fix missing icon in first notification popup
* Translation Updates
==== yast2-journal ====
Version update (5.0.1 -> 5.0.2)
- Fixed regexp for changed 'journalctl --list-boots' output:
Now taking daylight savings time on/off into account
(bsc#1241904)
- 5.0.2
==== yast2-trans ====
Version update (84.87.20250416.5cd9324ae2 -> 84.87.20250422.c1fec29547)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu
- Update to version 84.87.20250422.c1fec29547:
* Translated using Weblate (Polish)
==== zypper ====
Version update (1.14.88 -> 1.14.89)
Subpackages: zypper-log zypper-needs-restarting
- Updated translations (bsc#1230267)
- version 1.14.89