Packages changed:
MozillaFirefox (137.0.2 -> 138.0)
apache-commons-logging (1.3.4 -> 1.3.5)
at-spi2-core (2.56.1 -> 2.56.2)
fcitx-chewing
fcitx-cloudpinyin
fcitx-googlepinyin
fcitx-sunpinyin
fcitx-table-extra
fcitx-zhuyin
fdupes (2.3.1 -> 2.4.0)
gstreamer (1.26.0 -> 1.26.1)
gstreamer-plugins-bad (1.26.0 -> 1.26.1)
gstreamer-plugins-base (1.26.0 -> 1.26.1)
gstreamer-plugins-good (1.26.0 -> 1.26.1)
jemalloc
mozilla-nss (3.109 -> 3.110)
openSUSE-release (20250501 -> 20250502)
=== Details ===
==== MozillaFirefox ====
Version update (137.0.2 -> 138.0)
Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common
- Mozilla Firefox 138.0
https://www.mozilla.org/en-US/firefox/138.0/releasenotes/
MFSA 2025-28 (bsc#1241621)
* CVE-2025-2817 (bmo#1917536)
Privilege escalation in Firefox Updater
* CVE-2025-4082 (bmo#1937097)
WebGL shader attribute memory corruption in Firefox for macOS
* CVE-2025-4083 (bmo#1958350)
Process isolation bypass using "javascript:" URI links in
cross-origin frames
* CVE-2025-4085 (bmo#1915280)
Potential information leakage and privilege escalation in
UITour actor
* CVE-2025-4086 (bmo#1945705)
Specially crafted filename could be used to obscure download
type
* CVE-2025-4087 (bmo#1952465)
Unsafe attribute access during XPath parsing
* CVE-2025-4088 (bmo#1953521)
Cross-site request forgery via storage access API redirects
* CVE-2025-4089 (bmo#1949994, bmo#1956698, bmo#1960198)
Potential local code execution in "copy as cURL" command
* CVE-2025-4090 (bmo#1929478)
Leaked library paths in Firefox for Android
* CVE-2025-4091 (bmo#1951161, bmo#1952105)
Memory safety bugs fixed in Firefox 138, Thunderbird 138,
Firefox ESR 128.10, and Thunderbird 128.10
* CVE-2025-4092 (bmo#1924108, bmo#1950780, bmo#1959367)
Memory safety bugs fixed in Firefox 138 and Thunderbird 138
- requires NSS 3.110
- rebased patches
==== apache-commons-logging ====
Version update (1.3.4 -> 1.3.5)
- Upgrade to 1.3.5
* Fixed Bugs
+ Javadoc is missing its Overview page.
+ Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS (from
org.apache.commons:commons-parent:80).
* Changes
+ Bump org.apache.commons:commons-parent from 72 to 81 #285,
[#287], #295, #298, #303, #310, #339.
+ Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0
[#288] [test].
+ Bump log4j2.version from 2.23.1 to 2.24.3 #292, #299, #319,
[#328].
* Removed:
+ Remove "cobertura" plugin use JaCoco, Cobertura is
unmaintained.
==== at-spi2-core ====
Version update (2.56.1 -> 2.56.2)
Subpackages: at-spi2-core-lang libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0
- Update to version 2.56.2:
+ Fix the build with glib < 2.76.
+ a11y-manager-device: Fix unmap_keysym_modifier.
==== fcitx-chewing ====
- Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4
==== fcitx-cloudpinyin ====
- Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4
==== fcitx-googlepinyin ====
- Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4
==== fcitx-sunpinyin ====
- Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4
==== fcitx-table-extra ====
Subpackages: fcitx-table-cn-wubi-large fcitx-table-extra-lang fcitx-table-tw-boshiamy fcitx-table-tw-cangjie-large fcitx-table-tw-cangjie5 fcitx-table-tw-smart-cangjie6
- Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4
==== fcitx-zhuyin ====
- Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4
==== fdupes ====
Version update (2.3.1 -> 2.4.0)
- Update to 2.4.0:
* Add quick summary option that skips byte-for-byte match confirmation.
* Reduce number of progress indicator updates for better performance.
- Update to 2.3.2:
* Keep cursor as close to current group as possible after deleting files.
==== gstreamer ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0
- Update to version 1.26.1:
+ Highlighted bugfixes:
- awstranslate and speechmatics plugin improvements
- decodebin3 fixes and urisourcebin/playbin3 stability
improvements
- Closed captions: CEA-708 generation and muxing fixes, and
H.264/H.265 caption extractor fixes
- dav1d AV1 decoder: RGB support, plus colorimetry,
renegotiation and buffer pool handling fixes
- Fix regression when rendering VP9 with alpha
- H.265 decoder base class and caption inserter SPS/PPS
handling fixes
- hlssink3 and hlsmultivariantsink feature enhancements
- Matroska v4 support in muxer, seeking fixes in demuxer
- macOS: framerate guessing for cameras or capture devices
where the OS reports silly framerates
- MP4 demuxer uncompressed video handling improvements and
sample table handling fixes
- oggdemux: seeking improvements in streaming mode
- unixfdsrc: fix gst_memory_resize warnings
- Plugin loader fixes, especially for Windows
- QML6 GL source renegotiation fixes
- RTP and RTSP stability fixes
- Thread-safety improvements for the Media Source Extension
(MSE) library
- v4l2videodec: fix A/V sync issues after decoding errors
- Various improvements and fixes for the fragmented and
non-fragmented MP4 muxers
- Video encoder base class segment and buffer timestamp
handling fixes
- Video time code support for 119.88 fps and
drop-frames-related conversion fixes
- WebRTC: Retransmission entry creation fixes and better audio
level header extension compatibility
- YUV4MPEG encoder improvments
- dots-viewer: make work locally without network access
- gst-python: fix compatibility with PyGObject >= 3.52.0
- Cerbero: recipe updates, compatibility fixes for Python <
3.10; Windows Android cross-build improvements
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ gstreamer:
- Correctly handle whitespace paths when executing
gst-plugin-scanner
- Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
- cmake: Fix PKG_CONFIG_PATH formatting for Windows
cross-builds
- macos: Move macos function documentation to the .h so the
introspection has the information
- meson.build: test for and link against libatomic if it exists
- pluginloader-win32: Fix helper executable path under devenv
- pluginloader: fix pending_plugins Glist use-after-free issue
- unixfdsrc: Complains about resize of memory area
- tracers: dots: fix debug log
==== gstreamer-plugins-bad ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0
- Update to version 1.26.1:
+ Add missing Requires in pkg-config
+ Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
+ Update docs
+ aja: Use the correct location of the AJA NTV2 SDK in the docs
+ alphacombine: De-couple flush-start/stop events handling
+ alphadecodebin: use a multiqueue instead of a couple of queues
+ avfvideosrc: Guess reasonable framerate values for some 3rd
party devices
+ codecalpha: name both queues
+ d3d12converter: Fix cropping when automatic mipmap is enabled
+ dashsink: Make sure to use a non-NULL pad name when requesting
a pad from splitmuxsink
+ docs: Fix GstWebRTCICE* class documentation
+ h264ccextractor, h265ccextractor: Handle gap with unknown pts
+ h265decoder, h265ccinserter: Fix broken SPS/PPS link
+ h265parser: Fix num_long_term_pics bound check
+ Segmentation fault in H265 decoder
+ h266decoder: fix leak parsing SEI messages
+ meson.build: test for and link against libatomic if it exists
+ mse: Improved Thread Safety of API
+ mse: Revert ownership transfer API change in
gst_source_buffer_append_buffer()
+ tensordecoders: updating element classification
+ unixfd: Fix wrong memory size when offset > 0
+ uvcsink: Respond to control requests with proper error handling
+ v4l2codecs: unref frame in all error paths of end_picture
+ va: Skip codecs that report maximum width or height lower than
minimum
+ vapostproc: fix wrong video orientation after restarting the
element
+ vavp9enc: fix mem leaks in _vp9_decide_profile
+ vkformat: fix build error
+ vtenc: Avoid deadlocking when changing properties on the fly
+ vulkan: fix memory leak at dynamic registering
+ webrtc: enhance rtx entry creation
+ webrtcbin: add missing warning for caps missmatch
+ ZDI-CAN-26596: New Vulnerability Report (Security)
- Drop va-codecs-check-size.patch: Fixed upstream.
- Drop cuda_nvdec conditional, builds fine for aarch64/armv7 now.
==== gstreamer-plugins-base ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0
- Update to version 1.26.1:
+ Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
+ alsadeviceprovider: Fix leak of Alsa longname
+ audioaggregator: fix error added in !8416 when chaining up
+ audiobasesink: Fix custom slaving driftsamples calculation and
add custom audio clock slaving callback example
+ decodebin3:
- Don't avoid parsebin even if we have a matching decoder
- Doesn't plug parsebin for AAC from tsdemux
+ gl: eglimage: warn the reason of export failure
+ glcolorconvert:
- Fix YUVA<->RGBA conversions
- Regression when rendering alpha vp9
+ gldownload: Unref glcontext after usage
+ meson.build: test for and link against libatomic if it exists
+ oggdemux: Don't push new packets if there is a pending seek
+ urisourcebin:
- Make parsebin activation more reliable
- Deadlock between parsebin and typefind
+ videoencoder: Use the correct segment and buffer timestamp in
the chain function
+ videotimecode: Fix conversion of timecode to datetime with
drop-frame timecodes and handle 119.88 fps correctly in all
places
==== gstreamer-plugins-good ====
Version update (1.26.0 -> 1.26.1)
Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang
- Update to version 1.26.1:
+ Ensure properties are freed before (re)setting with
g_value_dup_string() and during cleanup
+ gst-plugins-good: Matroska mux v4 support
+ matroska-demux: Prevent corrupt cluster duplication
+ qml6glsrc: update buffer pool on renegotiation
+ qt6: Add a missing newline in unsupported platform message
+ qtdemux:
- Fix stsc size check in qtdemux_merge_sample_table()
- Next Iteration Of Uncompressed MP4 Decoder
- Unref simple caps after use
+ rtspsrc:
- Do not emit signal 'no-more-pads' too early
- Don't error out on not-linked too early
+ rtpsession:
- Do not push events while holding SESSION_LOCK
- Deadlock when gst_rtp_session_send_rtcp () is forwarding eos
+ v4l2: drop frame for frames that cannot be decoded
+ v4l2videodec: AV unsync for streams with many frames that
cannot be decoded
+ v4l2object:
- Fix memory leak
- Fix type mismatch when ioctl takes int
+ y4menc:
- Fix Y41B format
- Handle frames with GstVideoMeta
==== jemalloc ====
- Add fix_make_check_with_gcc15.patch to make the testsuite pass
despite new GCC malloc-related optimizations. [boo#1240665]
==== mozilla-nss ====
Version update (3.109 -> 3.110)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit mozilla-nss-tools
- update to NSS 3.110
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
* bmo#1953429 - Remove Crl templates from ASN1 fuzz target
* bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
* bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
* bmo#1930807 - NSS policy updates
* bmo#1951161 - Improve locking in nssPKIObject_GetInstances
* bmo#1951394 - Fix race in sdb_GetMetaData
* bmo#1951800 - Fix member access within null pointer
* bmo#1950077 - Increase smime fuzzer memory limit
* bmo#1949677 - Enable resumption when using custom extensions
* bmo#1952568 - change CN of server12 test certificate
* bmo#1949118 - Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* bmo#1949118 - Part 1: Fix smime UBSan errors
* bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
* bmo#1951491 - Don't build libpkix in static builds
* bmo#1951395 - handle `-p all` in try syntax
* bmo#1951346 - fix opt-make builds to actually be opt
* bmo#1951346 - fix opt-static builds to actually be opt
* bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
==== openSUSE-release ====
Version update (20250501 -> 20250502)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen