Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20260109 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: Mesa Mesa-drivers gnome-settings-daemon kernel-source (6.18.3 -> 6.18.4) libsodium (1.0.20 -> 1.0.21) libsoup libsoup2 lightdm mc nautilus (49.2 -> 49.3) openSUSE-release (20260108 -> 20260109) python-urllib3 (2.5.0 -> 2.6.2) ruby-common sdbootutil (1+git20251218.1cd7294 -> 1+git20260108.be38224) === Details === ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - get rid of Mesa 24.1.7 used for s390x (boo#1233167), which supersedes the following patches: * python36-buildfix1-s390x.patch * u_dep_xcb-s390x.patch * u_mesa-CVE-2023-45913-s390x.patch ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - get rid of Mesa 24.1.7 used for s390x (boo#1233167), which supersedes the following patches: * python36-buildfix1-s390x.patch * u_dep_xcb-s390x.patch * u_mesa-CVE-2023-45913-s390x.patch ==== gnome-settings-daemon ==== - Drop /usr/bin/pkexec Requires: this has not been needed anymore since GMOME 3.37. ==== kernel-source ==== Version update (6.18.3 -> 6.18.4) Subpackages: kernel-64kb kernel-default - Linux 6.18.4 (bsc#1012628). - drm: nova: depend on CONFIG_64BIT (bsc#1012628). - x86/microcode/AMD: Select which microcode patch to load (bsc#1012628). - sched/core: Add comment explaining force-idle vruntime snapshots (bsc#1012628). - sched/eevdf: Fix min_vruntime vs avg_vruntime (bsc#1012628). - sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks (bsc#1012628). - mm/huge_memory: merge uniform_split_supported() and non_uniform_split_supported() (bsc#1012628). - KVM: s390: Fix gmap_helper_zap_one_page() again (bsc#1012628). - drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident (bsc#1012628). - drm/displayid: add quirk to ignore DisplayID checksum errors (bsc#1012628). - drm/amdgpu: don't attach the tlb fence for SI (bsc#1012628). - wifi: rtw88: limit indirect IO under powered off for RTL8822CS (bsc#1012628). - wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() (bsc#1012628). - wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() (bsc#1012628). - wifi: mac80211: do not use old MBSSID elements (bsc#1012628). - sched_ext: fix uninitialized ret on alloc_percpu() failure (bsc#1012628). - i40e: fix scheduling in set_rx_mode (bsc#1012628). - i40e: validate ring_len parameter against hardware-specific values (bsc#1012628). - iavf: fix off-by-one issues in iavf_config_rss_reg() (bsc#1012628). - idpf: fix LAN memory regions command on some NVMs (bsc#1012628). - idpf: reduce mbx_task schedule delay to 300us (bsc#1012628). - cpuset: fix warning when disabling remote partition (bsc#1012628). - crypto: seqiv - Do not use req->iv after crypto_aead_encrypt (bsc#1012628). - Bluetooth: MGMT: report BIS capability flags in supported settings (bsc#1012628). - Bluetooth: btusb: revert use of devm_kzalloc in btusb (bsc#1012628). - net: mdio: aspeed: add dummy read to avoid read-after-write issue (bsc#1012628). - net: openvswitch: Avoid needlessly taking the RTNL on vport destroy (bsc#1012628). - ip6_gre: make ip6gre_header() robust (bsc#1012628). - powerpc/tools: drop `-o pipefail` in gcc check scripts (bsc#1012628). - platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names (bsc#1012628). - platform/x86: msi-laptop: add missing sysfs_remove_group() (bsc#1012628). - platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic (bsc#1012628). - team: fix check for port enabled in team_queue_override_port_prio_changed() (bsc#1012628). - net: airoha: Move net_devs registration in a dedicated routine (bsc#1012628). - net: dsa: properly keep track of conduit reference (bsc#1012628). - net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() (bsc#1012628). - amd-xgbe: reset retries and mode on RX adapt failures (bsc#1012628). - selftests: drv-net: psp: fix templated test names in psp_ip_ver_test_builder() (bsc#1012628). - selftests: drv-net: psp: fix test names in ipver_test_builder() (bsc#1012628). - net: usb: rtl8150: fix memory leak on usb_submit_urb() failure (bsc#1012628). - selftests: net: fix "buffer overflow detected" for tap.c (bsc#1012628). - net: wangxun: move PHYLINK dependency (bsc#1012628). - platform/x86/intel/pmt: Fix kobject memory leak on init failure (bsc#1012628). - smc91x: fix broken irq-context in PREEMPT_RT (bsc#1012628). - genalloc.h: fix htmldocs warning (bsc#1012628). - firewire: nosy: Fix dma_free_coherent() size (bsc#1012628). - bng_en: update module description (bsc#1012628). - net: dsa: b53: skip multicast entries for fdb_dump() (bsc#1012628). - kbuild: fix compilation of dtb specified on command-line without make rule (bsc#1012628). - mcb: Add missing modpost build support (bsc#1012628). - net: mdio: rtl9300: use scoped for loops (bsc#1012628). - net: usb: asix: validate PHY address before use (bsc#1012628). - net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct (bsc#1012628). - tools/sched_ext: fix scx_show_state.py for scx_root change (bsc#1012628). - vfio/pds: Fix memory leak in pds_vfio_dirty_enable() (bsc#1012628). - platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing (bsc#1012628). - platform/x86/intel/pmt/discovery: use valid device pointer in dev_err_probe (bsc#1012628). - octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" (bsc#1012628). - net: stmmac: fix the crash issue for zero copy XDP_TX action ... changelog too long, skipping 448 lines ... - commit 0ccf2fe ==== libsodium ==== Version update (1.0.20 -> 1.0.21) - Update to 1.0.21: * The new crypto_ipcrypt_* functions implement mechanisms for securely encrypting and anonymizing IP addresses. * The sodium_bin2ip and sodium_ip2bin helper functions have been added to complement the crypto_ipcrypt_* functions and easily convert addresses between bytes and strings. * XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions are * standard extendable output functions. From input of any length, they can derive output of any length with the same properties as hash functions. These primitives are required by many post-quantum mechanisms, but can also be used for a wide range of applications, including key derivation, session encryption and more. * Performance of AES256-GCM and AEGIS on ARM has been improved with some compilers * Security: optblockers have been introduced in critical code paths to prevent compilers from introducing unwanted side channels via conditional jumps. This was observed on RISC-V targets with specific compilers and options. * Security: crypto_core_ed25519_is_valid_point() now properly rejects small-order points that are not in the main subgroup [bsc#1256070, CVE-2025-15444] * ((nonnull)) attributes have been relaxed on some crypto_stream* functions to allow NULL output buffers when the output length is zero * A cross-compilation issue with old clang versions has been fixed * crypto_aead_aes256gcm_is_available is exported to JavaScript * Security: memory fences have been added after MAC verification in AEAD to prevent speculative access to plaintext before authentication is complete * Assembly files now include .gnu.property notes for proper IBT and Shadow Stack support when building with CET instrumentation. - Add patch libsodium-Fix-compilation-with-GCC-on-aarch64.patch ==== libsoup ==== Subpackages: libsoup-3_0-0 typelib-1_0-Soup-3_0 - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ==== libsoup2 ==== - Add libsoup2-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ==== lightdm ==== Subpackages: liblightdm-gobject-1-0 lightdm-bash-completion lightdm-lang - Move all created /run, /var/lib, /var/cache and /var/log directories to systemd-tmpfiles ==== mc ==== Subpackages: mc-lang - run obs/service/source_validators/helpers/fix_changelog ==== nautilus ==== Version update (49.2 -> 49.3) Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension4 - Update to version 49.3: + Bugfixes: - Don't waste resources on images with extreme dimensions - Consider thumbnailing finished at correct time - Redraw view when screen scale factor changes - Fix potential outdated view item usage - Correctly close mime type program chooser dialog + Updated translations. ==== openSUSE-release ==== Version update (20260108 -> 20260109) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== python-urllib3 ==== Version update (2.5.0 -> 2.6.2) Subpackages: python311-urllib3 python313-urllib3 - Update to 2.6.2 * Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. - Update to 2.6.1 * Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. - Update to 2.6.0 * Security: - Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471, GHSA-2xpw-w6gg-jr37, bsc#1254867) - Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418, GHSA-gm62-xv2j-4w53, bsc#1254866) * Features: - Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. - Added host and port information to string representations of HTTPConnection. - Added support for Python 3.14 free-threading builds explicitly. * Removals: - Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). * Bugfixes: - Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. - Fixed HTTPConnectionPool when used in Emscripten with no explicit port. - Fixed handling of SSLKEYLOGFILE with expandable variables. * Misc: - Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. - Improved the performance of content decoding by optimizing BytesQueueBuffer class. - Allowed building the urllib3 package with newer setuptools-scm v9.x. - Ensured successful urllib3 builds by setting Hatchling requirement to ⥠1.27.0. ==== ruby-common ==== - Some gems (especially rust based ones) start failing if /usr/bin/ruby is not available. But they can take the desired ruby binary from the RUBY environment variable. Since we can not really set that properly via pre_install, set it within the loop to the current ruby binary before calling the ruby part of gem_install.sh. ==== sdbootutil ==== Version update (1+git20251218.1cd7294 -> 1+git20260108.be38224) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20260108.be38224: * Use tmpfiles.d for /var directories (PED-14900) - Update to version 1+git20260107.2807c87: * Enable armv7 builds (boo#1254865)
