Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20251020 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: MozillaFirefox (143.0.3 -> 144.0) adaptec-firmware arphic-uming-fonts aws-lc (1.61.4 -> 1.62.0) btrfsprogs (6.16.1 -> 6.17) clamav (1.4.3 -> 1.5.1) git (2.51.0 -> 2.51.1) glu gnome-browser-connector gnome-shell (49.0+17 -> 49.1) gnome-sudoku (49.1 -> 49.2) gnome-tour (49.0.openSUSE+git20251009.a4002c9 -> 49.0.openSUSE+git20251016.669c499) grub2 gstreamer (1.26.6 -> 1.26.7) gstreamer-plugins-bad (1.26.6 -> 1.26.7) gstreamer-plugins-base (1.26.6 -> 1.26.7) gstreamer-plugins-good (1.26.6 -> 1.26.7) gstreamer-plugins-libav (1.26.6 -> 1.26.7) gstreamer-plugins-rs (1.26.6+git20.e287e869 -> 1.26.7+git0.6ab75814) gstreamer-plugins-ugly (1.26.6 -> 1.26.7) highway (1.2.0 -> 1.3.0) iproute2 (6.16 -> 6.17) kernel-firmware-i915 (20250903 -> 20251014) kernel-firmware-intel (20251011 -> 20251018) kernel-firmware-media (20251004 -> 20251018) kernel-firmware-mediatek kernel-firmware-nvidia (20250516 -> 20251018) kernel-firmware-realtek kernel-firmware-sound (20250930 -> 20251018) kernel-source (6.17.2 -> 6.17.3) kf6-kio (6.19.0 -> 6.19.1) kyotocabinet leancrypto libselinux libselinux-bindings libsoup libxslt lua54 mozilla-nss (3.115.1 -> 3.117) mutter (49.0+68 -> 49.1) nvidia-open-driver-G06-signed (580.95.05_k6.17.0_2 -> 580.95.05_k6.17.3_1) openSUSE-release (20251015 -> 20251020) opensuse-welcome-launcher orca (49.3 -> 49.4) pipewire (1.4.8+git68.636cbae9b -> 1.5.81) pixman poppler poppler-qt6 publicsuffix (20250904 -> 20251001) python-msgpack (1.1.1 -> 1.1.2) python311 (3.11.13 -> 3.11.14) python311-core (3.11.13 -> 3.11.14) python313 (3.13.7 -> 3.13.9) python313-core (3.13.7 -> 3.13.9) qalculate (5.7.0 -> 5.8.0) qt6-webengine samba (4.22.3+git.403.4e078bdb832 -> 4.22.5+git.431.dc5a539f124) selinux-policy (20251014 -> 20251016) simple-scan (49.0.1 -> 49.1) systemd-presets-common-SUSE tumbler (4.20.0 -> 4.20.1) util-linux (2.41.1 -> 2.41.2) util-linux-systemd (2.41.1 -> 2.41.2) wireplumber (0.5.11 -> 0.5.12) yast2 (5.0.15 -> 5.0.16) === Details === ==== MozillaFirefox ==== Version update (143.0.3 -> 144.0) Subpackages: MozillaFirefox-branding-upstream - Mozilla Firefox 144.0 please check https://www.firefox.com/en-US/firefox/144.0/releasenotes for all news MFSA 2025-81 (bsc#1251263) * CVE-2025-11708 (bmo#1988931) Use-after-free in MediaTrackGraphImpl::GetInstance() * CVE-2025-11709 (bmo#1989127) Out of bounds read/write in a privileged process triggered by WebGL textures * CVE-2025-11710 (bmo#1989899) Cross-process information leaked due to malicious IPC messages * CVE-2025-11711 (bmo#1989978) Some non-writable Object properties could be modified * CVE-2025-11716 (bmo#1818679) Sandboxed iframes allowed links to open in external apps (Android only) * CVE-2025-11717 (bmo#1872601) The password edit screen was not hidden in Android card view * CVE-2025-11712 (bmo#1979536) An OBJECT tag type attribute overrode browser behavior on web resources without a content-type * CVE-2025-11718 (bmo#1980808) Address bar could be spoofed on Android using visibilitychange * CVE-2025-11713 (bmo#1986142) Potential user-assisted code execution in âCopy as cURLâ command * CVE-2025-11719 (bmo#1991950) Use-after-free caused by the native messaging web extension API on Windows * CVE-2025-11720 (bmo#1979534, bmo#1984370) Spoofing risk in Android custom tabs * CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970, bmo#1991040, bmo#1992113) Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144 * CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244, bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899) Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144 * CVE-2025-11721 (bmo#1986816) Memory safety bug fixed in Firefox 144 and Thunderbird 144 - requires NSS >= 3.116 rust = 1.88 (upstream uses 1.89 already which is not available everywhere) - switched to clang build temporarily because of bmo#1990430 and use clang 20 max (21 fails to build) - stop building for i586 as it failing to build and Mozilla officially discontinues any 32bit support for Linux with 145 https://blog.mozilla.org/futurereleases/2025/09/05/firefox-32-bit-linux-support-to-end-in-2026/ ==== adaptec-firmware ==== - use %license tag [bsc#1252133] ==== arphic-uming-fonts ==== - use %license tag [bsc#1252137] - Stop marking arphic-uming as essential for CJK locales (and thus essential enough to be on the openSUSE DVD) ==== aws-lc ==== Version update (1.61.4 -> 1.62.0) Subpackages: libcrypto-awslc0 libssl-awslc0 - update to version 1.62.0: * nginx now supports AWS-LC * Fix tests that assume X25519 will be negotiated * Fixing a bug in ML-DSA poly_uniform function * Migrate integration omnibus * Delete util/bot directory * Type fix in mldsa * Centralize password handling tool-openssl * crypto/pem: replace strncmp with CRYPTO_memcmp to fix -Wstring-compare error * Implement dgst CLI command * Add ASN.1 decoding for ML-KEM private keys as seeds * Implement genrsa command * Move udiv and sencond tweak calculations to when needed * Add null check on RSA key checks * Implement workaround for FORTIFY_SOURCE warning with jitterentropy * Implement coverity suggestions * Add minimal EC CLI tool implementation * Adding pkeyutl tool to the CLI * Add option ENABLE_SOURCE_MODIFICATION * Simple script to build/run tests * Add build-time option to opt-out of CPU Jitter Entropy ==== btrfsprogs ==== Version update (6.16.1 -> 6.17) Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1 - update to 6.17 * inspect list-chunks: more sorting keys, descending order * fi resize: add support for offline (unmounted) growing of single device * device stats: add support for offline (unmounted) reads * quota status: new command, overview what mode is enabled, tunables * fi commit-stats: new command, print various commit stats from sysfs (since kernel 6.1) * balance start: print warning and delay start if there's a missing device in the filesystem * mkfs: print zoned mode (native, emulated) * check: verify device bytes in super block item and in chunk tree * other * updated CI, new and updated tests * cleanups, refactoring * documentation updates ==== clamav ==== Version update (1.4.3 -> 1.5.1) Subpackages: libclamav12 libclammspack0 - New version: 1.5.1: * Fixed a significant performance issue when scanning some PE files. * Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option. * Improved performance when scanning TNEF email attachments. * Fixed an issue with recording metadata for OOXML office documents. * Fixed an issue with signature matches for VBA in OLE2 office documents. * Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files. * Fixed an issue with extracting some RAR archives embedded in other files. * Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies. - Add json-c-json-c-0.18-20240915.tar.gz and link it statically into libclamav on SLE-12, because version 0.12 is too old. - New version 1.5.0: * Added checks to determine if an OLE2-based Microsoft Office document is encrypted. * Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. * Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. * Added regex support for the clamd.conf OnAccessExcludePath config option. * Added CVD signing/verification with external .sign files. * Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives * ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION. * libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits. * See the release announcement for the full list of changes: https://blog.clamav.net/2025/10/clamav-150-released.html - Obsoleted patches: * clamav-freshclam_test.patch * clamav-disable-administrative-commands.patch * clamav-fips.patch - Use macros for library versions - Remove service symlinks: rcclamd, rcfreshclam, rcclamav-milter, and clamonacc. - Use rust 1.86 for SLE-12 and SLE-15-SP2. ==== git ==== Version update (2.51.0 -> 2.51.1) Subpackages: git-core git-email git-gui git-web gitk perl-Git - Update to 2.51.1: - Fixes since Git 2.51.0 * The "do you still use it?" message given by a command that is deeply deprecated and allow us to suggest alternatives has been updated. * The compatObjectFormat extension is used to hide an incomplete feature that is not yet usable for any purpose other than developing the feature further. Document it as such to discourage its use by mere mortals. * Manual page for "gitk" is updated with the current maintainer's name. * Update the instructions for using GGG in the MyFirstContribution document to say that a GitHub PR could be made against `git/git` instead of `gitgitgadget/git`. * Clang-format update to let our control macros be formatted the way we had them traditionally, e.g., "for_each_string_list_item()" without space before the parentheses. * A few places where a size_t value was cast to curl_off_t without checking has been updated to use the existing helper function. * The start_delayed_progress() function in the progress eye-candy API did not clear its internal state, making an initial delay value larger than 1 second ineffective, which has been corrected. * Makefile tried to run multiple "cargo build" which would not work very well; serialize their execution to work around this problem. * Adjust to the way newer versions of cURL selectively enable tracing options, so that our tests can continue to work. * During interactive rebase, using 'drop' on a merge commit led to an error, which has been corrected. * "git refs migrate" to migrate the reflog entries from a refs backend to another had a handful of bugs squashed. * "git push" had a code path that led to BUG() but it should have been a die(), as it is a response to a usual but invalid end-user action to attempt pushing an object that does not exist. * Various bugs about rename handling in "ort" merge strategy have been fixed. * "git diff --no-index" run inside a subdirectory under control of a Git repository operated at the top of the working tree and stripped the prefix from the output, and oddballs like "-" (stdin) did not work correctly because of it. Correct the set-up by undoing what the set-up sequence did to cwd and prefix. * Various options to "git diff" that make comparison ignore certain aspects of the differences (like "space changes are ignored", "differences in lines that match these regular expressions are ignored") did not work well with "--name-only" and friends. * Under a race against another process that is repacking the repository, especially a partially cloned one, "git fetch" may mistakenly think some objects we do have are missing, which has been corrected. * "git repack --path-walk" lost objects in some corner cases, which has been corrected. cf. <CABPp-BHFxxGrqKc0m==TjQNjDGdO=H5Rf6EFsf2nfE1=tur...@mail.gmail.com> * Fixes multiple crashes around midx write-out codepaths. * A broken or malicious "git fetch" can say that it has the same object for many many times, and the upload-pack serving it can exhaust memory storing them redundantly, which has been corrected. * A corner case bug in "git log -L..." has been corrected. * Some among "git add -p" and friends ignored color.diff and/or color.ui configuration variables, which is an old regression, which has been corrected. * "git rebase -i" failed to clean-up the commit log message when the command commits the final one in a chain of "fixup" commands, which has been corrected. * Deal more gracefully with directory / file conflicts when the files backend is used for ref storage, by failing only the ones that are involved in the conflict while allowing others. ==== glu ==== - added missing LICENSE file (bsc#1252149) ==== gnome-browser-connector ==== - add unzip as a requires, otherwise the extensions can't get extracted ==== gnome-shell ==== Version update (49.0+17 -> 49.1) Subpackages: gnome-extensions gnome-shell-calendar - Update to version 49.1: + Fix freeze when dragging quick settings sliders on touch + Fix key focus on choice list on login screen + Fix animation glitch when cancelling overview search + Also send activation token for notifications without app + Unify warning styling in dialogs + Update keyboard indicator on modifier-only layout switches + Improve accessibility of screenshot UI + Improve Hindi bolnagri input with on-screen keyboard + Do not expire notifications that are about to show + Improve accessibility icons on login screen + Make media messages follow notification policy + Misc. bug fixes and cleanups + Updated translations. - No longer explicitly exclude Soup from the typelib scanner, and consequently no longer add typelib(Soup) = 3.0 requires. This was needed before GNOME 45, as gnome-shell had fallback code and we needed to help take the decision. ==== gnome-sudoku ==== Version update (49.1 -> 49.2) - Update to verison 49.2: + Fix the grid not being keyboard focusable after the first game ==== gnome-tour ==== Version update (49.0.openSUSE+git20251009.a4002c9 -> 49.0.openSUSE+git20251016.669c499) Subpackages: gnome-tour-data opensuse-welcome - Add custom lang package for opensuse-welcome. This will remove the indirect dependency on gnome-tour. bsc#1252077 ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-arm64-efi-bls grub2-common grub2-snapper-plugin grub2-systemd-sleep-plugin - make grub plugin compatible with snapper's plugin API (bsc#1246172) - clean up some unused code ==== gstreamer ==== Version update (1.26.6 -> 1.26.7) Subpackages: gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.26.7: + Highlighted bugfixes in 1.26.7: - cea608overlay: improve handling of non-system memory - cuda: Fix runtime kernel compile with CUDA 13.0 - d3d12: Fix crop meta support in converter and passthrough handling in deinterlacer - fallbacksrc: source handling improvements; no-more-pads signal for streams-unaware parents - inter: add properties to fine tune the inner elements - qtdemux: surround sound channel layout handling fixes and performance improvements for GoPro videos - rtp: Add linear audio (L8, L16, L24) RTP payloaders / depayloaders - rtspsrc: Send RTSP keepalives in TCP/interleaved modes - rtpamrpay2: frame quality indicator flag related fixes - rtpbasepay2: reuse last PTS when possible, to work around problems with NVIDIA Jetson AV1 encoder - mpegtsmux, tsdemux: Opus audio handling fixes - threadshare: latency related improvements and many other fixes - matroskamux, tsmux, flvmux, cea608mux: Best pad determination fixes at EOS - unixfd: support buffers with a big payload - videorate unknown buffer duration assertion failure with variable framerates - editing services: Make GESTimeline respect SELECT_ELEMENT_TRACK signal discard decision; memory leak fixes - gobject-introspection annotation fixes - cerbero: Update meson to 1.9.0 to enable Xcode 26 compatibility - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - controller: Fix get_all() return type annotation - gst-launch: Do not assume error messages have a src element - multiqueue: Fix object reference handling in signal callbacks - netclientclock: Fix memory leak in error paths ==== gstreamer-plugins-bad ==== Version update (1.26.6 -> 1.26.7) Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.26.7: + cuda: Fix runtime kernel compile with CUDA 13.0 + d3d12convert: Fix crop meta support + d3d12deinterlace: Fix passthrough handling + gst: Fix a few small leaks + matroskamux: Properly check if pads are EOS in find_best_pad + tsdemux: Directly forward Opus AUs without opus_control_header + tsmux: Write a full Opus channel configuration if no matching Vorbis one is found + unixfd: Fix case of buffer with big payload + vacompositor: Correct scale-method properties + webrtc: nice: Fix a use-after-free and a mem leak + Fix all compiler warnings on Fedora + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT ==== gstreamer-plugins-base ==== Version update (1.26.6 -> 1.26.7) Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.26.7: + discoverer: Mark gst_discoverer_stream_info_list_free() as transfer full + riff: Add channel reorder maps for 3 and 7 channel audio + sdp: proper usage of gst_buffer_append + videorate: fix assert fail due to invalid buffer duration + Fix build error with glib < 2.68 ==== gstreamer-plugins-good ==== Version update (1.26.6 -> 1.26.7) Subpackages: gstreamer-plugins-good-gtk - Update to version 1.26.7: + matroskamux: Properly check if pads are EOS in find_best_pad + qtdemux: - Bad performance with GoPro videos containing FDSC metadata tracks - Fix open/seek perf for GoPro files with SOS track - Handle unsupported channel layout tags gracefully - Set channel-mask to 0 for unknown layout tags + rtspsrc: Send RTSP keepalives in TCP/interleaved modes + v4l2: - Add GstV4l2Error handling in gst_v4l2_get_capabilities - Fix memory leak for DRM caps negotiation + v4l2transform: reconfigure v4l2object only if respective caps changed + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT ==== gstreamer-plugins-libav ==== Version update (1.26.6 -> 1.26.7) - Update to version 1.26.7: + Fix all compiler warnings on Fedora. ==== gstreamer-plugins-rs ==== Version update (1.26.6+git20.e287e869 -> 1.26.7+git0.6ab75814) - Rebase and re-enable patch: * fix-reproducibility.patch - Update to version 1.26.7+git0.6ab75814: * tracers: Fix inverted append logic when writing log files * threadshare: - examples: standalone: also handle buffer lists - Pad push_list: downgrade Pad flushing log level - sinks: fix / handle query() - backpressure: abort pending items on flush start - udpsink: fix panic recalculating latency from certain executors - audiotestsrc: . support more Audio formats . use AudioInfo . fix latency . act as a pseudo live source by default - runtime task: execute action in downward transition - example cleanups - udpsink: distinguish sync status for latency & report added latency - sink elements: implement `send_event` - dataqueue elements: report min and max latency * rtp: - Add linear audio (L8, L16, L24) RTP payloaders / depayloaders * rtp: basedepay: reuse last PTS, when possible * skia: Update to skia-safe 0.89 * mp4: Update to mp4-atom 0.9 * Update dependencies * webrtc: livekit: Drop connection lock after take() * onvifmetadatapay: copy metadata from source buffer * fallbacksrc: Fix custom source reuse case * add `rust-tls-native-roots` feature to the `reqwest` dep * rtpamrpay2: - Actually forward the frame quality indicator - Set frame quality indicator flag - Disable patch that doesn't apply: * fix-reproducibility.patch - Remove a section in a json file that references the gstelevenlabs plugin (a proprietary plugin that isn't built) so it's clear to the legal review bot that there isn't any proprietary code. - Add patch developed by amyspark in https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/merge_requests/2162 to fix the .pc reproducibility issues (boo#1237097) * 0001-cargo_wrapper-deduplicate-Libs_private.patch - Add patch to fix reproducibility of package build (boo#1237097) * fix-reproducibility.patch ==== gstreamer-plugins-ugly ==== Version update (1.26.6 -> 1.26.7) - Update to version 1.26.7: + No changes, stable bump only ==== highway ==== Version update (1.2.0 -> 1.3.0) - Replace avx10_2.patch by a new one completely disabling AVX10.2 until upstream figures out how to the details of toolchain invocation. [boo#1248740] - Update to release 1.3.0 * Add AVX10_2 and Loongson LASX/LSX targets * Add AVX3_SPR F16, WASM_EMU256 F64 types * Add Complex number operations, F16/BF16 assignment operators * Add emulated bf16/f16 Load/StoreInterleaved - Add avx10_2.patch ==== iproute2 ==== Version update (6.16 -> 6.17) Subpackages: iproute2-bash-completion - Update to release 6.17 * ip: display the 'netns-immutable' property * color: Assume background is dark if unknown * color: Do not use dark blue in dark-background palette * bridge: mdb: Support offload failed flag * iplink_bridge: Add mdb_offload_fail_notification * ip ntable: Add support for "mcast_reprobes" parameter * ip neigh: Add support for "extern_valid" flag * Add support for 'tc-bw' attribute in devlink-rate ==== kernel-firmware-i915 ==== Version update (20250903 -> 20251014) - Update to version 20251014 (git commit bd4d2bde91e1): * i915: Xe2LPD DMC v2.29 * i915: Xe3LPD DMC v2.32 * i915: Xe3LPD_3002 DMC v2.27 ==== kernel-firmware-intel ==== Version update (20251011 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * Intel IPU7: Update product signed firmware binary ==== kernel-firmware-media ==== Version update (20251004 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * qcom: vpu: rename firmware binaries ==== kernel-firmware-mediatek ==== - Update aliases from 6.18-rc1 ==== kernel-firmware-nvidia ==== Version update (20250516 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * nvidia: add generic bootloader for GSP-enabled systems - Update to version 20251014 (git commit bd4d2bde91e1): * WHENCE: nvidia: rearrange GSP-RM firmware lines ==== kernel-firmware-realtek ==== - Update aliases from 6.18-rc1 ==== kernel-firmware-sound ==== Version update (20250930 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * linux-firmware: qcom: sync audioreach firmwares from v1.0.0 build - Update aliases from 6.18-rc1 ==== kernel-source ==== Version update (6.17.2 -> 6.17.3) Subpackages: kernel-64kb kernel-default - Delete patches.suse/Revert-net-bonding-add-broadcast_neighbor-netlink-op.patch. - Delete patches.suse/Revert-net-bonding-add-broadcast_neighbor-option-for.patch. - Delete patches.suse/Revert-net-bonding-send-peer-notify-when-failure-rec.patch. About to be replaced by a proper patch in the next commit. - commit a9d395c - net: bonding: update the slave array for broadcast mode (bsc#1250894). - commit 5508f45 - wifi: iwlwifi: Add missing firmware info for bz-b0-* models (bsc#1252084). - commit 4ff36a8 - Linux 6.17.3 (bsc#1012628). - drm/amdgpu/vcn: Fix double-free of vcn dump buffer (bsc#1012628). - scsi: ufs: core: Fix PM QoS mutex initialization (bsc#1012628). - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call (bsc#1012628). - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode (bsc#1012628). - usb: typec: tipd: Clear interrupts first (bsc#1012628). - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock (bsc#1012628). - net/9p: Fix buffer overflow in USB transport layer (bsc#1012628). - bus: fsl-mc: Check return value of platform_get_resource() (bsc#1012628). - pinctrl: check the return value of pinmux_ops::get_function_name() (bsc#1012628). - tee: fix register_shm_helper() (bsc#1012628). - thunderbolt: Fix use-after-free in tb_dp_dprx_work (bsc#1012628). - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release (bsc#1012628). - remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() (bsc#1012628). - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit() (bsc#1012628). - sunrpc: fix null pointer dereference on zero-length checksum (bsc#1012628). - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (bsc#1012628). - Input: atmel_mxt_ts - allow reset GPIO to sleep (bsc#1012628). - misc: fastrpc: Skip reference for DMA handles (bsc#1012628). - misc: fastrpc: fix possible map leak in fastrpc_put_args (bsc#1012628). - misc: fastrpc: Fix fastrpc_map_lookup operation (bsc#1012628). - misc: fastrpc: Save actual DMA size in fastrpc_map structure (bsc#1012628). - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() (bsc#1012628). - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled (bsc#1012628). - mm: hugetlb: avoid soft lockup when mprotect to large memory area (bsc#1012628). - fbdev: simplefb: Fix use after free in simplefb_detach_genpds() (bsc#1012628). - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid (bsc#1012628). - ext4: fix checks for orphan inodes (bsc#1012628). - ext4: fix potential null deref in ext4_mb_init() (bsc#1012628). - ksmbd: add max ip connections parameter (bsc#1012628). - ksmbd: fix error code overwriting in smb2_get_info_filesystem() (bsc#1012628). - ksmbd: Fix race condition in RPC handle list access (bsc#1012628). - mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1012628). - LoongArch: BPF: Fix uninitialized symbol 'retval_off' (bsc#1012628). - LoongArch: BPF: Remove duplicated flags check (bsc#1012628). - LoongArch: BPF: No text_poke() for kernel text (bsc#1012628). - LoongArch: BPF: Remove duplicated bpf_flush_icache() (bsc#1012628). - LoongArch: BPF: Make error handling robust in arch_prepare_bpf_trampoline() (bsc#1012628). - LoongArch: BPF: Make trampoline size stable (bsc#1012628). - LoongArch: BPF: Don't align trampoline size (bsc#1012628). - LoongArch: BPF: No support of struct argument in trampoline programs (bsc#1012628). - LoongArch: BPF: Sign-extend struct ops return values properly (bsc#1012628). - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT (bsc#1012628). - LoongArch: Automatically disable kaslr if boot from kexec_file (bsc#1012628). - dm: fix NULL pointer dereference in __dm_suspend() (bsc#1012628). - dm: fix queue start/stop imbalance under suspend/load/resume races (bsc#1012628). - tracing: Stop fortify-string from warning in tracing_mark_raw_write() (bsc#1012628). - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf (bsc#1012628). - tracing: Have trace_marker use per-cpu data to read user space (bsc#1012628). - tracing: Fix irqoff tracers on failure of acquiring calltime (bsc#1012628). - tracing: Fix wakeup tracers on failure of acquiring calltime ... changelog too long, skipping 911 lines ... - commit f00dc5b ==== kf6-kio ==== Version update (6.19.0 -> 6.19.1) Subpackages: libKF6KIO6 - Update to 6.19.1 * Bump version for 6.19.1 release * Fix HTTP network error propagation * Forward all KIO error codes, not just ERR_ACCESS_DENIED * Delete network reply also when handling a redirection * CopyJob: Skip permission check if there is no UDS_ACCESS entry ==== kyotocabinet ==== - Add bug number bsc#1252197 ==== leancrypto ==== - Add patch to fix BTI on aarch64: * leancrypto-fix-aarch64-BTI.patch ==== libselinux ==== Subpackages: libselinux1 selinux-tools - Ship license file (bsc#1252160) - Add man_selinux_disabled_mismatch_kernel_config.patch to explain in the selinux(8) man page to not disable SELinux via /etc/selinux/config and enable it at the same time via kernel cmd line (bsc#1246549) ==== libselinux-bindings ==== - Ship license file (bsc#1252160) ==== libsoup ==== Subpackages: libsoup-3_0-0 typelib-1_0-Soup-3_0 - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ==== libxslt ==== Subpackages: libexslt0 libxslt-tools libxslt1 - security update - added patches CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultCompfunction leading to denial of service * libxslt-CVE-2025-11731.patch ==== lua54 ==== - Clean up of the SPEC file. ==== mozilla-nss ==== Version update (3.115.1 -> 3.117) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit mozilla-nss-tools - update to NSS 3.117 * bmo#1992218 - fix memory leak in secasn1decode_unittest.cc * bmo#1988913 - Add OISTE roots * bmo#1976051 - Add runbook for certdata.txt changes * bmo#1991666 - dbtool: close databases before shutdown * bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates * bmo#1956754 - donât flush base64 when buffer is null * bmo#1989541 - Set use_pkcs5_pbkd2_params2_only=1 for fuzzing builds * bmo#1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs * bmo#1980465 - Fix a big-endian-problematic cast in zlib calls * bmo#1962321 - Revert removing out/ directory after ossfuzz build * bmo#1988524 - Add Cryptofuzz to OSS-Fuzz build * bmo#1984704 - Add PKCS#11 trust tests * bmo#1983308 - final disable dsa patch cert.sh * bmo#1983320 - ml-dsa: move tls 1.3 to use streaming signatures * bmo#1983320 - ml-dsa: Prep Create a FindOidTagByString function * bmo#1983320 - ml-dsa: softoken changes * bmo#1983320 - ml-dsa: der key decode * bmo#1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi * bmo#1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function - update to NSS 3.116 * bmo#1983308 - disable DSA in NSS script tests * bmo#1983308 - Disabling of some algorithms: generic cert.sh * bmo#1981046 - Need to update to new mechanisms * bmo#1983320 - Add ML-DSA public key printing support in NSS command-line utilities * bmo#1986802 - note embedded scts before revocation checks are performed * bmo#1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface * bmo#1983320 - Add support for ML-DSA key type and public key structure * bmo#1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag * bmo#1983308 - disable kyber * bmo#1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature) * bmo#1983308 - Disable dsa - gtests * bmo#1983313 - make group and scheme support in test tools generic * bmo#1983770 - Create GH workflow to automatically close PRs * bmo#1983308 - Disable dsa - base code * bmo#1983308 - Disabling of some algorithms: remove dsa from pk11_mode * bmo#1983308 - Disable seed and RC2 bug fixes * bmo#1982742 - restore support for finding certificates by decoded serial number * bmo#1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups * bmo#1983399 - lib/softtoken/{sdb.c,sftkdbti.h}: Align sftkdb_known_attributes_size type * bmo#1965329 - Use PKCS #11 v3.2 KEM mechanisms and functions ==== mutter ==== Version update (49.0+68 -> 49.1) - Add mutter-fix-xwayland-dnd-crash.patch: Fix crash when dragging and dropping from an app running via xwayland - Update to version 49.1: + Fix various glitches during resize/move drags + Fix lost keyboard focus in overview with some devices + Fix popup constraint rule and work around broken clients + Require pointer interaction prior to allowing pointer warp + Fix GTK apps locking up after entering popover submenu + Fix presentation timings with commit-timing-v1 + Be more robust against clients providing bogus window geometry + Fix maximized windows extending under panel + Fix switching keyboard layout via xkb-options + Advertise explicit sync only for dmabufs screencasts + Fix multi-touch handling on X11 + Fix keyboard driven resize drags + Fix DND actions not working reliably in some X11 clients + Do not force pointer focus on popups + Fixes for cancelling and restoring sizes after drags + Fix windows reverting to previous size after client resizes + Fix pointer constraints for some fullscreen X11 clients + Fixed crashes + Plugged leak + Misc. bug fixes and cleanups + Updated translations. ==== nvidia-open-driver-G06-signed ==== Version update (580.95.05_k6.17.0_2 -> 580.95.05_k6.17.3_1) - renamed check to %name-check package - changed Requires to * nvidia-modprobe = %version * nvidia-persitenced = %version it has been >= before ... - Check4WrongSupplements.sh * check for wrong Supplements in generated KMPs after build by misusing %post of a dummy "check" subpackage ==== openSUSE-release ==== Version update (20251015 -> 20251020) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== opensuse-welcome-launcher ==== - Make opensuse-welcome-launcher support a --unconditional parameter and launch it using this parameter when called via the desktop file from the launcher. Fixes the issue that the icon shown in the launcher did not actually start anything. ==== orca ==== Version update (49.3 -> 49.4) - Update to version 49.4: + Web: Fix regression in which table navigation in a grid switches to focus mode. + Updated translations. ==== pipewire ==== Version update (1.4.8+git68.636cbae9b -> 1.5.81) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.5.81 (1.6 RC1): * This is the first 1.6 release candidate that is API and ABI compatible with previous 1.4.x, 1.2.x and 1.0.x releases. * In addition to all the changes backported to 1.4.x, this release also contains some new features: - Highlights * The link negotiation code was refactored and improved. Applications now have more options for selecting the default values and restricting the available options. The default negotiation code will now attempt to better match the application suggested values. * The loop now has support for locking with priority inversion. Most of the code was updated to use the locks instead of invoke to get proper concurrent updates with the loop. The Thread loop functionality of locks, signal and wait was moved to the SPA loop. This guarantees better real-time behaviour because inter-thread synchronization does not have to pass eventfd/epoll. * The control stream parser was rewritten to be safe against concurrent updates while parsing, which can occur when parsing shared memory. It also has extra checks to avoid integer overflows and undefined behaviour. * MIDI 2.0 clip support was added to the tools. * Bluetooth ASHA (Audio Streaming for Hearing Aid) support was added. * The ALSA node setup was tweaked to provide low latency with the ALSA Firewire driver. * Better support for explicit sync. It is now possible to negotiate extra features to know if a consumer will signal the sync objects and implement a fallback using a reliable transport. * Many bug fixes and improvements. - PipeWire * Avoid process calls in disconnect in pw-stream. (#3314) * Disable PipeWire services for root. * The link negotiation was refactored and improved. Drivers now always have a lower priority in deciding the final format. * Backwards compatibility with the v0 protocol was removed. * pw-stream and pw-filter will now refuse to queue a buffer that was not dequeued before. * Object properties will now be updated on the global as well. * The priority of config overrides is correct now. (#4816) * Async links now correctly report 1 extra quantum of latency. * node.exclusive and the new port.exclusive flag are now enforced by PipeWire itself. * A new timer-queue helper was added to schedule timeouts. * node.terminal and node.physical properties are now copied to the ports to make it possible to create virtual sources and sinks for JACK applications. * Port properties will now be dynamically updated when the node properties they depend on are updated. * Passive leaf nodes are now handled better. Now they will also run when the peer is active. (#4915) * Reliable transport has been added for output ports. This can be used in some cases if the producer wants to ensure buffers are consumed by a consumer. (#4885) * Context properties now support rlimit. properties to configure rlimits. (#4047) - Modules * Close SyncObj fds. * module-combine-stream has better Latency reporting. * The JACK tunnel can now optionally connect ports. * module-loopback has better Latency reporting. * A Dolby Surround and Dolby Pro Logic II example filter config was added. * Filter-chain can now resample to a specific rate before running the filters. This is useful when the filter-graph needs to run at a specific rate. * Avahi-poll now uses the timer-queue to schedule timeouts. * Modules are ported to timer-queue instead of using timerfd directly for non-realtime timers. - SPA * The loop now has support for locking with priority inversion. Most of the code was updated to use the locks instead of invoke to get proper concurrent updates with the loop. The Thread loop functionality of locks, signal and wait was moved to the SPA loop. * UMP to Midi 1.0 conversion was improved, some UMP events are now converted to multiple Midi 1.0 messages. (#4839) * The POD filter was refactored and improved. It is now possible to use the default value of the output by specifying an invalid input default value. * The POD parser was made safe for concurrent updates of the memory it is parsing. This is important when the POD is in shared memory and the parser should not access invalid memory. * Some hardcoded channel limits were removed and now use the global channel limit. More things can dynamically adapt to this global limit. The max number of channels was then bumped to 128. * The POD builder is safe to use on shared memory now and tries to avoid many integer overflows. * Most debug functions are safe to be used on shared memory. * User specified Commands and Events are now possible. * The SPA_IO_CLOCK_FLAG_DISCONT was added to spa_io_clock to signal a discont in the clock due to clock change. * AC3, DTS, EAC3, TRUEHD and MPEGH now have helper parser functions. * H265 was added as a video format. (#4674) ... changelog too long, skipping 120 lines ... - Adapt to newer libcamera changes. ==== pixman ==== - Reenable LTO on riscv64 as gcc has been fixed ==== poppler ==== Subpackages: libpoppler-cpp2 libpoppler-glib8 libpoppler153 poppler-tools - security update - added patches CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized * poppler-CVE-2025-52885.patch ==== poppler-qt6 ==== - security update - added patches CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized * poppler-CVE-2025-52885.patch ==== publicsuffix ==== Version update (20250904 -> 20251001) - Update to version 20251001: * util: gTLD data autopull updates for 2025-10-01T15:18:26 UTC * Add, remove and update number of domains allowing subdomain registration ==== python-msgpack ==== Version update (1.1.1 -> 1.1.2) - Update to 1.1.2 * Update Cython to v3.1.4 * Update cibuildwheel to v3.2.0 * Drop Python 3.8 * Add Python 3.14 * Add windows-arm ==== python311 ==== Version update (3.11.13 -> 3.11.14) Subpackages: python311-curses python311-dbm - Update to 3.11.14: - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with âzip64 extensible dataâ if there are no bytes prepended to the ZIP file. - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. * Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section. * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo=">"/>. * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>. * Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute âfooâ with value â=barâ. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ â as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs â comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements âtextareaâ and âtitleâ) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the <script> tag is not closed. Patch by Waylan Limberg. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-138998: Update bundled libexpat to 2.7.2 - gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577.) - gh-135374: Update the bundled copy of setuptools to 79.0.1. - Drop upstreamed patches: - CVE-2025-8194-tarfile-no-neg-offsets.patch - CVE-2025-6069-quad-complex-HTMLParser.patch ==== python311-core ==== Version update (3.11.13 -> 3.11.14) Subpackages: libpython3_11-1_0 python311-base - Update to 3.11.14: - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with âzip64 extensible dataâ if there are no bytes prepended to the ZIP file. - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. * Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section. * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo=">"/>. * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>. * Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute âfooâ with value â=barâ. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ â as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs â comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements âtextareaâ and âtitleâ) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the <script> tag is not closed. Patch by Waylan Limberg. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-138998: Update bundled libexpat to 2.7.2 - gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577.) - gh-135374: Update the bundled copy of setuptools to 79.0.1. - Drop upstreamed patches: - CVE-2025-8194-tarfile-no-neg-offsets.patch - CVE-2025-6069-quad-complex-HTMLParser.patch ==== python313 ==== Version update (3.13.7 -> 3.13.9) Subpackages: python313-curses python313-dbm python313-tk - Update to 3.13.9: - Library - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - Update to 3.13.8: - macOS - gh-124111: Update macOS installer to use Tcl/Tk 8.6.17. - gh-139573: Updated bundled version of OpenSSL to 3.0.18. - Windows - gh-139573: Updated bundled version of OpenSSL to 3.0.18. - gh-138896: Fix error installing C runtime on non-updated Windows machines - Tools/Demos - gh-139330: SBOM generation tool didnât cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: donât ignore the - -verbose option anymore. Patch by Victor Stinner. - Security - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ â as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter. - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess. - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory. - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__. - gh-138998: Update bundled libexpat to 2.7.2 - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS. - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones. - gh-138515: email is added to Emscripten build. - gh-111788: Fix parsing errors in the urllib.robotparser module. Donât fail trying to parse weird paths. Donât fail trying to decode non-UTF-8 robots.txt files. - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message. - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen. - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms). - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan. - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available. - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD. - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions. - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature ... changelog too long, skipping 67 lines ... Patch by Bénédikt Tran. ==== python313-core ==== Version update (3.13.7 -> 3.13.9) Subpackages: libpython3_13-1_0 python313-base python313-devel - Update to 3.13.9: - Library - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - Update to 3.13.8: - macOS - gh-124111: Update macOS installer to use Tcl/Tk 8.6.17. - gh-139573: Updated bundled version of OpenSSL to 3.0.18. - Windows - gh-139573: Updated bundled version of OpenSSL to 3.0.18. - gh-138896: Fix error installing C runtime on non-updated Windows machines - Tools/Demos - gh-139330: SBOM generation tool didnât cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: donât ignore the - -verbose option anymore. Patch by Victor Stinner. - Security - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ â as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter. - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess. - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory. - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__. - gh-138998: Update bundled libexpat to 2.7.2 - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS. - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones. - gh-138515: email is added to Emscripten build. - gh-111788: Fix parsing errors in the urllib.robotparser module. Donât fail trying to parse weird paths. Donât fail trying to decode non-UTF-8 robots.txt files. - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message. - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen. - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms). - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan. - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available. - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD. - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions. - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature ... changelog too long, skipping 67 lines ... Patch by Bénédikt Tran. ==== qalculate ==== Version update (5.7.0 -> 5.8.0) Subpackages: libqalculate23 qalculate-data - Update to version 5.8.0 * Add output in scientific (sci), engineering (eng), ans simple notation as "to"-operator options. * Improve support (and fix segfault) for exponential notation in hexadecimal numbers. * Add TeX point, TeX scaled point, twip, and agate typography units, and change "ATA Pica" to "Johnson Pica" and "ATA Point" to "American Point". * Add darcy, kayser, lambert, foot-lambert, and cc units. * Add compton wavelength constants for muon, neutron, proton, and tau. * Update calculation of fraction of year (with day counting basis 0 and 1) to match method used in spreadsheets other than Gnumeric. * Change default quantile algorithm from 8 to 7. * Improve accuracy for intervals in solutions to equations when using interval arithmetic. * Show warning about default assumptions the first time an equation is solved. * Show warning symbol when calculate as you type expression results in a question. * Show warning and ask for confirmation when deactivating interval arithmetic. * Improve completion. * Add "save config" option (if disabled qalc.cfg is never automatically updated) and relocate qalc.history to $XDG_STATE_HOME. * Increase speed when calculating many expressions from file. * Automatically recalculate expression with current time every second. * Fix support for prompt string containing Unicode characters, control characters, and/or escape sequences. * Fix poolvar(), ttest(), cor(), dollarde() and dollarfr() functions. * Fix inequality with 1/f(x) on one side, e.g. "1/(x-2) ⤠2". * Fix segfault with extremely small numbers and high number of bits in floating point conversion. * Fix crashes and freezes in some corner cases. * Fix value of Planck unit (was rounded to 7 decimals). * Fix negative time zone in date and time input. * Many minor bug fixes and feature enhancements. ==== qt6-webengine ==== Subpackages: libQt6WebEngineCore6 libQt6WebEngineQuick6 libQt6WebEngineWidgets6 qt6-webengine-imports - Add patches from webrtc's upstream to fix header includes in order to build with pipewire 1.5.81: * 0001-webrtc-IWYU-modules-video_capture.patch * 0002-webrtc-IWYU-modules-desktop_capture-and-modules-video_captu.patch ==== samba ==== Version update (4.22.3+git.403.4e078bdb832 -> 4.22.5+git.431.dc5a539f124) Subpackages: libldb2 python3-ldb samba-ad-dc-libs samba-client samba-client-libs samba-dcerpc samba-gpupdate samba-ldb-ldap samba-libs samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs - Update to 4.22.5 * CVE-2025-10230: Command injection via WINS server hook script (bso#15903); (bsc#1251280). * CVE-2025-9640: uninitialized memory disclosure via vfs_streams_xattr; (bso#15885); (bsc#1251279). - Relax samba-gpupdate requirement for cepces, certmonger, and sscep to a recommends. They are only required if utilizing certificate auto enrollment (bsc#1249087). - Disable timeouts for smb.service so that possibly slow running ExecStartPre script 'update-samba-security-profile' doesn't cause service start to fail due to timeouts;(bsc#1249181). - Ensure semanage is pulled in as a requirement when samba in installed when selinux security access mechanism that is used; (bsc#1249180). - don't attempt to label paths that don't exist, also remove unecessary evaluation of semange & restorecon cmds;(bsc#1249179). - Update to 4.22.4 * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0; (bso#14981). * getpwuid does not shift to new DC when current DC is down; (bso#15844). * Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName-; (bso#15876). * Unresponsive second DC can cause idmapping failure when using idmap_ad-; (bso#15881). * kinit command is failing with Missing cache Error; (bso#15840). * Figuring out the DC name from IP address fails and breaks fork_domain_child(); (bso#15891). * vfs_streams_depot fstatat broken; (bso#15816). * Delayed leader broadcast can block ctdb forever; (bso#15892). * Apparently there is a conflict between shadow_copy2 module and virusfilter (action quarantine); (bso#15663). * Fix handling of empty GPO link; (bso#15877). * SMB ACL inheritance doesn't work for files created; (bso#15880). ==== selinux-policy ==== Version update (20251014 -> 20251016) Subpackages: selinux-policy-targeted - Update to version 20251016: * fail2ban: bump module version * fail2ban: allow fail2ban to watch all log files and dirs (bsc#1251952) * fail2ban: fix typos in interface descriptions * fail2ban: tweak file context regex for /run/fail2ban * fail2ban: drop file context for old rc.d file * Allow wicket to manage its proc directories (bsc#1235731) * Allow NM to manage wicked pid files (bsc#1235731) * Allow NM to reach systemd unit files (bsc#1235731) ==== simple-scan ==== Version update (49.0.1 -> 49.1) - Update to version 49.1: + Updated translations. ==== systemd-presets-common-SUSE ==== - Drop default state of issue-generator.path and issue-generator.service: issue generator is being phased out and replaced by util-linux' agetty implementation. ==== tumbler ==== Version update (4.20.0 -> 4.20.1) Subpackages: libtumbler-1-0 tumbler-folder-thumbnailer tumbler-lang tumbler-webp-thumbnailer - Update to version 4.20.1: * Update Copyright year * gepub-thumbnailer: Get pixbuf in "area-prepared" signal handler * gst-thumbnailer: Fix TumblerThumbnailFlavor leak * ffmpeg-thumbnailer: Update mime type list from upstream desktop file * xdg-cache: Fix TumblerThumbnailFlavor leaks * cover-thumbnailer: Capture regex matchinfo for series episodes * cover-thumbnailer: Update the base URL for TMDB * cover-thumbnailer: Use correct parameter types with curl * poppler-thumbnailer: Only use embedded thumbnail if resolution suffices * gst-thumbnailer: Make mime type checking more flexible * Translation Updates - Replace packageand(package1:package2) with (package1 and package2) - tumbler-folder-thumbnailer and tumbler-webp-thumbnailer are noarch packages. ==== util-linux ==== Version update (2.41.1 -> 2.41.2) Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 - Include agetty netlink fixes from the final upstream commits (jsc#PED-8734, util-linux-lib-netlink.patch and util-linux-agetty-netlink.patch) and upstream fixes (util-linux-lib-netlink-fix1.patch, util-linux-lib-netlink-fix2.patch, util-linux-lib-netlink-fix3.patch and util-linux-agetty-netlink-fix4.patch). - Fix configs library use in agetty (replace util-linux-issuedir-usr-lib.patch by upstream util-linux-lib-configs-fix1.patch, add util-linux-lib-configs-fix2.patch, util-linux-lib-configs-fix3.patch, util-linux-lib-configs-fix4.patch, util-linux-lib-configs-fix5.patch and util-linux-lib-configs-fix6.patch). - Fix agetty erase of escape characters (relevant to bsc#1194818, util-linux-agetty-escape-erase.patch). - Own /usr/lib/issue.d directory. - Perform migration from issue-generator (jsc#PED-8734, fixes boo#1244446). - Drop util-linux-agetty-ssh-host-keys.patch. This feature is not used in MicroOS any more. - Remove Provides/Obsoletes for s390-32, upgrade from SLE11 SP1 is no more supported. - agetty: use /usr/lib/issue.d for backward compatibility (util-linux-issuedir-usr-lib.patch). - Fix address matching in agetty (boo#1247371, util-linux-lib-netlink.patch). - Update generated man pages (util-linux-man-generated.patch). - Add configs library and use it in agetty (gh#util-linux/util-linux#3752, util-linux-lib-configs.patch, util-linux-agetty-configs.patch). - Update to version 2.41.2: * bash-completion: * fix function name of enosys completion * add choom and coresched * blkid: correct an erroneous error message * findmnt: * (usage) add a needed equals sign before an optional argument * add missing newline in --raw, --pair and --list output formats * fsck.cramfs: check buffer size for memcpy() * getopt: document special symbols that should not be used as option characters * hardlink (man): add note note about ULFILEEQ_DEBUG= * libblkid: * Fix probe_ioctl_tp assigning BLKGETDISKSEQ as physical sector size * (ext) reduce false positive * improve UUID_SUB= description * lib/color-names: * fix stupid bugs * Fix color name canonicalization * libfdisk: * (script) improve separator usage in named-fields dump * (script) fix device name separator parsing * liblastlog2: markup fixes for man pages * libmount: don't report fsconfig errors with "nofail" * lib/path: avoid double free() for cpusets * lib (treewide): add ul_ prefix to functions with generic names * logger: * fix buffer overflow when read stdin * fix incorrect warning message when both --file and a message are specified * lsblk: * fix possible use-after-free * fix memory leak [coverity scan] * use md as fallback TYPE when md/level empty * lscpu: * New Arm C1 parts * Add NVIDIA Olympus arm64 core (jsc#PED-13683) * man: * Fixed incorrect ipcrm options * Replace RETURN VALUE with EXIT STATUS in section 1 * mkfs.cramfs: avoid uninitialized value [coverity scan] * more: temporarily ignore stdin when waiting for stderr * rev: add --zero option to --help output * setpriv: Improve getgroups() Portability * sfdisk: reject spurious arguments for - -reorder/--backup-pt-sectors * zramctl: * ignore ENOENT when setting max_comp_streams * fix MEM-USED column description * Misc: Add missing ;; to -m case (#1) * tests fixes * translation updates - Remove bash 5.3 hack for kill/decode. It is now fixed. - Mark test script/options as failing. It randomly fails on aarch64, arm7l and s390x inside OBS (needs research). ==== util-linux-systemd ==== Version update (2.41.1 -> 2.41.2) Subpackages: lastlog2 liblastlog2-2 - Include agetty netlink fixes from the final upstream commits (jsc#PED-8734, util-linux-lib-netlink.patch and util-linux-agetty-netlink.patch) and upstream fixes (util-linux-lib-netlink-fix1.patch, util-linux-lib-netlink-fix2.patch, util-linux-lib-netlink-fix3.patch and util-linux-agetty-netlink-fix4.patch). - Fix configs library use in agetty (replace util-linux-issuedir-usr-lib.patch by upstream util-linux-lib-configs-fix1.patch, add util-linux-lib-configs-fix2.patch, util-linux-lib-configs-fix3.patch, util-linux-lib-configs-fix4.patch, util-linux-lib-configs-fix5.patch and util-linux-lib-configs-fix6.patch). - Fix agetty erase of escape characters (relevant to bsc#1194818, util-linux-agetty-escape-erase.patch). - Own /usr/lib/issue.d directory. - Perform migration from issue-generator (jsc#PED-8734, fixes boo#1244446). - Drop util-linux-agetty-ssh-host-keys.patch. This feature is not used in MicroOS any more. - Remove Provides/Obsoletes for s390-32, upgrade from SLE11 SP1 is no more supported. - agetty: use /usr/lib/issue.d for backward compatibility (util-linux-issuedir-usr-lib.patch). - Fix address matching in agetty (boo#1247371, util-linux-lib-netlink.patch). - Update generated man pages (util-linux-man-generated.patch). - Add configs library and use it in agetty (gh#util-linux/util-linux#3752, util-linux-lib-configs.patch, util-linux-agetty-configs.patch). - Update to version 2.41.2: * bash-completion: * fix function name of enosys completion * add choom and coresched * blkid: correct an erroneous error message * findmnt: * (usage) add a needed equals sign before an optional argument * add missing newline in --raw, --pair and --list output formats * fsck.cramfs: check buffer size for memcpy() * getopt: document special symbols that should not be used as option characters * hardlink (man): add note note about ULFILEEQ_DEBUG= * libblkid: * Fix probe_ioctl_tp assigning BLKGETDISKSEQ as physical sector size * (ext) reduce false positive * improve UUID_SUB= description * lib/color-names: * fix stupid bugs * Fix color name canonicalization * libfdisk: * (script) improve separator usage in named-fields dump * (script) fix device name separator parsing * liblastlog2: markup fixes for man pages * libmount: don't report fsconfig errors with "nofail" * lib/path: avoid double free() for cpusets * lib (treewide): add ul_ prefix to functions with generic names * logger: * fix buffer overflow when read stdin * fix incorrect warning message when both --file and a message are specified * lsblk: * fix possible use-after-free * fix memory leak [coverity scan] * use md as fallback TYPE when md/level empty * lscpu: * New Arm C1 parts * Add NVIDIA Olympus arm64 core (jsc#PED-13683) * man: * Fixed incorrect ipcrm options * Replace RETURN VALUE with EXIT STATUS in section 1 * mkfs.cramfs: avoid uninitialized value [coverity scan] * more: temporarily ignore stdin when waiting for stderr * rev: add --zero option to --help output * setpriv: Improve getgroups() Portability * sfdisk: reject spurious arguments for - -reorder/--backup-pt-sectors * zramctl: * ignore ENOENT when setting max_comp_streams * fix MEM-USED column description * Misc: Add missing ;; to -m case (#1) * tests fixes * translation updates - Remove bash 5.3 hack for kill/decode. It is now fixed. - Mark test script/options as failing. It randomly fails on aarch64, arm7l and s390x inside OBS (needs research). ==== wireplumber ==== Version update (0.5.11 -> 0.5.12) Subpackages: libwireplumber-0_5-0 - Update to version 0.5.12: * Additions & Enhancements: - Added mono audio configuration support via node.features.audio.mono setting that can be changed at runtime with wpctl (!721) - Added automatic muting of ALSA devices when a running node is removed, helping prevent loud audio on speakers when headsets are unplugged (!734) - Added notifications API module for sending system notifications (!734) - Added comprehensive wpctl man page and documentation (!735, #825) - Enhanced object interest handling for PipeWire properties on session items (!738) * Fixes: - Fixed race condition during shutdown in the permissions portal module that could cause crashes in GDBus signal handling (!748). - Added device validity check in state-routes handling to prevent issues when devices are removed during async operations (!737, #844) - Fixed Log.critical undefined function error in device-info-cache (!733) - Improved device hook documentation and configuration (!736) - Add patch from upstream to avoid dispatcher errors in the log when registering/removing hooks that were already registered/removed before: * 0001-automute-alsa-routes.lua-Dont-register_remove-hooks-if.patch ==== yast2 ==== Version update (5.0.15 -> 5.0.16) Subpackages: yast2-logs - save_y2logs: Sanitize confidential data in macro_inst_initial.ycp (bsc#1251768) - 5.0.16
