Packages changed:
  GraphicsMagick
  NetworkManager-applet
  apache2-mod_php8 (8.4.20 -> 8.5.5)
  babl (0.1.124 -> 0.1.126)
  binutils
  blog (2.38 -> 2.40)
  ca-certificates (2+git20260203.5937e9f -> 2+git20260420.2a8e251)
  coreutils (9.10 -> 9.11)
  coreutils-systemd (9.10 -> 9.11)
  crypto-policies
  cups (2.4.16 -> 2.4.17)
  discount
  dnsmasq
  emacs
  gimp (3.2.2 -> 3.2.4)
  git (2.53.0 -> 2.54.0)
  gnome-calculator (50.0 -> 50.0+16)
  gnome-remote-desktop (50.0 -> 50.1)
  gstreamer-plugins-rs
  highway (1.3.0 -> 1.4.0)
  libXpm
  libgcrypt (1.12.1 -> 1.12.2)
  libgme (0.6.4 -> 0.6.5)
  libkdcraw
  libstorage-ng (4.5.313 -> 4.5.314)
  libxml2 (2.15.2 -> 2.15.3)
  mariadb
  mozilla-nss (3.121 -> 3.122.1)
  mpc (1.3.1 -> 1.4.1)
  ncurses (6.6.20260328 -> 6.6.20260418)
  ntfs-3g_ntfsprogs
  openSUSE-release (20260420 -> 20260425)
  openssh
  ovmf
  patterns-base
  php8 (8.4.20 -> 8.5.5)
  pipewire (1.6.2 -> 1.6.4)
  poppler
  poppler-qt6
  postfix
  python-lxml (6.0.2 -> 6.1.0)
  quadrapassel (50.0.1 -> 50.1)
  raspberrypi-firmware (2025.06.05 -> 2026.02.11)
  raspberrypi-firmware-config (2025.06.05 -> 2026.02.11)
  ruby4.0 (4.0.2 -> 4.0.3)
  sdbootutil (1+git20260409.83d5678 -> 1+git20260421.88e40c4)
  sso-mib (0.8.0 -> 0.8.1)
  tar
  tftp
  time (1.9 -> 1.10)
  xdg-user-dirs (0.18 -> 0.20)
  xterm (406 -> 407)
  yast2-trans (84.87.20260325.bd0ff66bcc -> 84.87.20260414.0f82ab3540)
  zlib

=== Details ===

==== GraphicsMagick ====
Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config

- added patches
  CVE-2026-33535: Out-of-Bounds write of a zero byte in X11 display interaction [bsc#1260874]
  * GraphicsMagick-CVE-2026-33535.patch

==== NetworkManager-applet ====
Subpackages: NetworkManager-connection-editor

- Migrate to xz compression and manual service run

==== apache2-mod_php8 ====
Version update (8.4.20 -> 8.5.5)

- php8-devel: require pkgconfig(capstone) now that we build with libcapstone enabled
- version update to 8.5.5
  Core:
    Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed trait properties).
    Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies).
  Bz2:
    Fix truncation of total output size causing erroneous errors.
  DOM:
    Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes).
  FFI:
    Fixed resource leak in FFI::cdef() on symbol resolution failure.
  GD:
    Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support).
  Opcache:
    Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script).
    Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results).
    Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context).
    Fixed bug GH-21395 (uaf in jit).
  OpenSSL:
    Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys).
    Fix missing error propagation for BIO_printf() calls.
  PCNTL:
    Fixed signal handler installation on AIX by bumping the storage size of the num_signals global.
  PCRE:
    Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl.
  Phar:
    Fixed bug GH-21333 (use after free when unlinking entries during iteration of a compressed phar).
  SNMP:
    Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments).
  SOAP:
    Fixed Set-Cookie parsing bug wrong offset while scanning attributes.
  SPL:
    Fixed bug GH-21454 (missing write lock validation in SplHeap).
  Standard:
    Fixed bug GH-20906 (Assertion failure when messing up output buffers).
    Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).
  Sysvshm:
    Fix memory leak in shm_get_var() when variable is corrupted.
  XSL:
    Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument).
    Fixed bug GH-21496 (UAF in dom_objects_free_storage).
- version update to 8.5.4
  Core:
    Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds).
    Fixed bug GH-21059 (Segfault when preloading constant AST closure).
    Fixed bug GH-21072 (Crash on (unset) cast in constant expression).
    Fix deprecation now showing when accessing null key of an array with JIT.
    Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()).
    Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()).
    Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value).
    Fixed bug GH-21215 (Build fails with -std=).
    Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool).
  Curl:
    Don't truncate length.
  Date:
    Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start).
    Fix timezone offset with seconds losing precision.
  DOM:
    Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError).
    Fixed bug GH-21097 (Accessing Dom\Node properties can throw TypeError).
  LDAP:
    Fixed bug GH-21262 (ldap_modify() too strict controls argument validation makes it impossible to unset attribute).
  MBString:
    Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries).
  Opcache:
    Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris).
    Fixed bug GH-21227 (Borked SCCP of array containing partial object).
  OpenSSL:
    Fix a bunch of leaks and error propagation.
  Windows:
    Fixed compilation with clang (missing intrin.h include).
- version update to 8.5.3
  Core:
    Fixed bug GH-20806 (preserve_none feature compatibility with LTO).
    Fixed bug GH-20767 (build failure with musttail/preserve_none feature on macOS).
    Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown function triggered by bailout in php_output_lock_error()).
    Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber).
    Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization).
    Fixed bug GH-20914 (Internal enums can be cloned and compared).
    Fix OSS-Fuzz #474613951 (Leaked parent property default value).
    Fixed bug GH-20895 (ReflectionProperty does not return the PHPDoc of a property if it contains an attribute with a Closure).
    Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction).
    Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked backing value).
    Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may uaf).
    Fixed bug GH-20905 (Lazy proxy bailing __clone assertion).
    Fixed bug GH-20479 (Hooked object properties overflow).
  Date:
    Update timelib to 2022.16.
  DOM:
    Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts).
  MbString:
    Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding).
    Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive array references).
  Opcache:
    Fixed bug GH-20818 (Segfault in Tracing JIT with object reference).
  OpenSSL:
    Fix memory leaks when sk_X509_new_null() fails.
    Fix crash in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
    Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails.
  ... changelog too long, skipping 513 lines ...
  * php-systzdata-v24.patch (refreshed)

==== babl ====
Version update (0.1.124 -> 0.1.126)
Subpackages: libbabl-0_1-0 typelib-1_0-Babl-0_1

- Update to version 0.1.126:
  + It is now possible to build with MSVC.

==== binutils ====
Subpackages: libctf-nobfd0 libctf0

- Migrate from update-alternatives to libalternatives (jsc#PED-15667).
- Update %suse_version > 1600 checks (jsc#PED-15792).
- Split new libsframe2 package from binutils (shared lib policy).
- Make (currently inactive) gold subpackage not require binutils in a specific version.
- Add binutils-workaround-premature-libsframe-uninst.diff for this to temporarily avoid 99-check-remove-rpms getting in the way.
- Add binutils-fix-c23.diff to fix a compile error with new glibc.

==== blog ====
Version update (2.38 -> 2.40)
Subpackages: libblogger2

- Update to version 2.40
  * Protect password data stream on 3270 console as well
    On S390 the 3270 console is also logged and the passwords, even if hidden on the 3270 console, would be logged as well.
- Update to version 2.39
  * New feature to protect passwords from being logged
    On S390 blogd now uses, for the 3215 console, the command [#]CP SPOOL CONSOLE STOP to stop logging the plain password when prompting for the password. Also a warning is written out to warn the user that the password will be visible. After getting the password the CONSOLE log is enabled again if it was enabled before.

==== ca-certificates ====
Version update (2+git20260203.5937e9f -> 2+git20260420.2a8e251)

- Update to version 2+git20260420.2a8e251:
  * update-ca-certificates requires mv and ln from coreutils

==== coreutils ====
Version update (9.10 -> 9.11)

- Update to 9.11:
  Bug fixes
  * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".]
  * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8]
  * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8]
  * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10]
  * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4]
  * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6]
  * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable.
    [bug introduced in coreutils-8.26]
  * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10]
  New Features
  * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters.
  * 'cut' adds new options for better compatibility:
    The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS.
    The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox.
    The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox.
  * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats.
  Changes in behavior
  * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum.
  Improvements
  * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system.
  * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs.
  * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one.
  * 'expand' and 'unexpand' now support multi-byte characters.
  * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users.
  * 'install' now allows the combination of the --compare and --preserve-timestamps options.
  * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms.
  * 'nl' now supports multi-byte --section-delimiter characters.
  * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions.
  * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines.
  * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process.
  * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions.
  * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters.
  * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system.
  Build-related
  * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10]
  * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10]
- coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1).
- Refresh all other patches.

==== coreutils-systemd ====
Version update (9.10 -> 9.11)

- Update to 9.11:
  Bug fixes
  * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".]
  * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8]
  * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8]
  * 'kill --help' now has links to valid anchors in the html manual.
    [bug introduced in coreutils-9.10]
  * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4]
  * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6]
  * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26]
  * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10]
  New Features
  * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters.
  * 'cut' adds new options for better compatibility:
    The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS.
    The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox.
    The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox.
  * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats.
  Changes in behavior
  * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum.
  Improvements
  * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system.
  * 'df --local' recognises more file system types as remote.
    Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs.
  * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one.
  * 'expand' and 'unexpand' now support multi-byte characters.
  * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users.
  * 'install' now allows the combination of the --compare and --preserve-timestamps options.
  * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms.
  * 'nl' now supports multi-byte --section-delimiter characters.
  * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions.
  * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines.
  * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process.
  * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions.
  * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters.
  * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system.
  Build-related
  * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10]
  * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10]
- coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1).
- Refresh all other patches.

==== crypto-policies ====
Subpackages: crypto-policies-scripts

- Modify the output of fips-mode-setup to hint the user when setting the FIPS mode in transactional systems to use the command 'transactional-update setup-fips'. (bsc#1262315)

==== cups ====
Version update (2.4.16 -> 2.4.17)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.17:
  See https://github.com/openprinting/cups/releases
  The new release 2.4.17 contains the following security fixes:
  * CVE-2026-27447: The scheduler treated local user and group names as case-insensitive (bsc#1261572)
  * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS directory (bsc#1261571)
  * CVE-2026-34980: The scheduler did not filter control characters from option values (bsc#1261569)
  * CVE-2026-34979: The scheduler did not always allocate enough memory for a job's options string (bsc#1261570)
  * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the loopback interface (bsc#1261568)
  * CVE-2026-39314: Fixed the range check for job password strings (bsc#1261743)
  * CVE-2026-39316: Fixed a printer subscription bug in the scheduler (bsc#1261742)
  * CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.
  The last CVE number has been requested from GitHub for several days now; the number will be corrected once we have one, but we decided to make a release to share the other fixes ("we" means the CUPS upstream maintainers).
- The release includes other fixes as well, listed in CHANGES.md.
  Issues are those at https://github.com/OpenPrinting/cups/issues
  Detailed list (from CHANGES.md):
  * The scheduler followed symbolic links when cleaning out its temporary directory (Issue #1448)
  * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters.
  * Updated man page `cancel` (Issue #984)
  * Updated `cupsRasterReadHeader` to validate more of the page header values (Issue #1501)
  * Fixed an issue with the class/printer CGI name checking.
  * Fixed infinite loop in `http_write()` on busy print servers (Issue #827)
  * Fixed potential TLS blocking issues (Issue #1128)
  * Fixed a job history bug in the scheduler (Issue #1440)
  * Fixed notifier logging bug that would result in nul bytes getting into the log (Issue #1450)
  * Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454)
  * Fixed a document format bug in the IPP backend (Issue #1457)
  * Fixed DRAIN_OUTPUT race condition (Issue #1461)
  * Fixed a bug when the `ippFindXxx` and `ippSetXxx` functions were mixed.
  * Fixed the mapping of supply type keywords to SNMP names.
  * Fixed a bug in the IPP backend when SNMP was disabled.
  * Fixed a crash bug in the rastertoepson filter.
  * Fixed a bug in cgiCheckVariables.
  * Fixed handling read/write errors with OpenSSL (Issue #1506)
  * Fixed handling rehandshake error in `_httpTLSRead` (Issue #1508)
  * Fixed a debug printf bug on Windows (Issue #1529)
  * Fixed a recursion issue with encoding of nested collections (Issue #1539)
  * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`, and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540)
  * Fixed a parsing bug in `ipptool` (Issue #1542)
  * Fixed blank line detection in the `rastertolabel` filter (Issue #1545)
  * Fixed `httpPeek` edge case on compressed streams
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17

==== discount ====

- Explicitly BuildRequire update-alternatives and mark it as being used in post/postun: this was nicely masked by the fact that binutils, installed on every system, already dragged u-a in, which is no longer the case.

==== dnsmasq ====

- bsc#1262487, CVE-2026-6507, dnsmasq-CVE-2026-6507.patch: out-of-bounds write in DHCP BOOTREPLY processing can lead to denial of service.
- Fix FTBFS with libnettle 4.0: (boo#1257934)
  * dnsmasq: missed hash->digest calls in 4070a74 (1eab169)
  * Add dnsmasq-Fix-FTBFS-nettle-4.0.patch and merge 4070a748.patch

==== emacs ====
Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags

- Add patch emacs-30.2-silent.patch
  * To silence the useless warning on memmove
- Add patch emacs-30.2-tree-sitter-0.26.8.patch
  * Make it build with tree-sitter-0.26.8 security update (boo#1262007)

==== gimp ====
Version update (3.2.2 -> 3.2.4)
Subpackages: gimp-plugin-aa gimp-plugin-python3 libgimp-3_0-0 libgimpui-3_0-0

- Update to 3.2.4
  https://www.gimp.org/news/2026/04/19/gimp-3-2-4-released/

==== git ====
Version update (2.53.0 -> 2.54.0)
Subpackages: git-core git-email git-gui git-web gitk perl-Git

- Update to 2.54.0:
  - UI, Workflows & Features
    - "git add -p" and friends note what the current status of the hunk being shown is.
    - "git history" history rewriting (experimental) command has been added.
    - "git replay" is taught to drop commits that become empty (not the ones that are empty in the original).
    - The help text and the documentation for the "--expire" option of "git worktree [list|prune]" have been improved.
    - When "git show-index" is run outside a repository, it silently defaults to SHA-1; the tool now warns when this happens.
    - "git merge-file" can be run outside a repository, but it ignored all configuration, even the per-user ones. The command now uses available configuration files to find its customization.
    - "auto filter" logic for large-object promisor remote.
    - "git rev-list" and friends learn "--maximal-only" to show only the commits that are not reachable by other commits.
    - Command line completion (in contrib/) update for "stash import/export".
    - "git repo info" learns "--keys" action to list known keys.
    - Extend the alias configuration syntax to allow aliases using characters outside ASCII alphanumeric (plus '-').
    - A signature on a commit that was GPG signed a long time ago ought to be still valid after the key that was used to sign it has expired, but we showed them in alarming red.
    - "git subtree split --prefix=P " now checks the prefix P against the tree of the (potentially quite different from the current working tree) given commit.
    - "git add -p" learned a new mode that allows the user to revisit a file that was already dealt with.
    - Allow the directory in which reference backends store their data to be specified.
    - "gitweb" has been taught to be mobile friendly.
    - "git apply --directory=./un/../normalized/path" now normalizes the given path before using it.
    - "git maintenance" starts using the "geometric" strategy by default.
    - "git config list" is taught to show the values interpreted for specific type with "--type=" option.
    - "git add " has been taught to honor submodule..ignore that is set to "all" (and requires "git add -f" to override it).
    - Hook commands are now allowed to be defined (possibly centrally) in the configuration files, and run multiple of them for the same hook event.
    - The way end-users can add their own "git " subcommand by storing "git-" in a directory on their $PATH has not been documented clearly, which has been corrected.
    - "git send-email" learns to pass hostname/port to Authen::SASL module.
    - "git send-email" learns to support use of client-side certificates.
    - "git send-email" has learned to be a bit more careful when it accepts charset to use from the end-user, to avoid 'y' (mistaken 'yes' when expecting a charset like 'UTF-8') and other nonsense.
    - "git status" learned to show comparison between the current branch and various other branches listed on status.compareBranches configuration.
    - "git repo structure" command learns to report maximum values on various aspects of objects it inspects.
    - "git rebase" learns "--trailer" option to drive the interpret-trailers machinery.
    - "git fast-import" learned to optionally replace signature on commits whose signatures get invalidated due to replaying by signing afresh.
    - "git history" learned the "split" subcommand.
    - The reference-transaction hook was taught to be triggered before taking locks on references in the "preparing" phase.
    - "git apply" now reports the name of the input file along with the line number when it encounters a corrupt patch, and correctly resets the line counter when processing multiple patch files.
    - The HTTP transport learned to react to "429 Too Many Requests".
    - "git repo info -h" and "git repo structure -h" limit their help output to the part that is specific to the subcommand.
    - "git format-patch --cover-letter" learns to use a simpler format instead of the traditional shortlog format to list its commits with a new --commit-list-format option and format.commitListFormat configuration variable.
    - `git backfill` learned to accept revision and pathspec arguments.
    - "git replay" (experimental) learns, in addition to "pick" and "replay", a new operating mode "revert".
    - "git replay" now supports replaying down to the root commit.
    - Handling of signed commits and tags in fast-import has been made more configurable.
    - "git config list" is the official way to spell "git config -l" and "git config --list". Use it to update the documentation.
  - Performance, Internal Implementation, Development Support etc.
    - Avoid local submodule repository directory paths overlapping with each other by encoding submodule names before using them as path components.
    - The string_list API gains a new helper, string_list_sort_u(),
  ... changelog too long, skipping 303 lines ...
  jc/ci-github-actions-use-checkout-v5 later to maint).

==== gnome-calculator ====
Version update (50.0 -> 50.0+16)
Subpackages: gnome-shell-search-provider-gnome-calculator

- Update to version 50.0+16:
  + Set imaginary component to +0*i when inverting a real number
  + Updated translations.

==== gnome-remote-desktop ====
Version update (50.0 -> 50.1)

- Update to version 50.1:
  + Test improvements
  + Misc bug fixes & cleanups
  + Fix black screen on some NVIDIA GPUs
  + Updated translations.

==== gstreamer-plugins-rs ====

- Revert the dropping of BuildRequiring clang/llvm. It's needed to build the package in SLFO.

==== highway ====
Version update (1.3.0 -> 1.4.0)

- Update to release 1.4.0
  * Added Fast* math functions, sum_array example, HWY_ARCH_MAX_BYTES, HWY_MIN_BYTES, HWY_NATIVE_MASK, HWY_REGISTERS HWY_EXPORT_AND_TEST_BEST_P, InterleaveLower/UpperBlocks, Lookup8, XorAndNot, MinMax algo, AtomicBitSet, RVV and LSX/LASX runtime dispatch.

==== libXpm ====

- updated 0001-Fix-CVE-2026-4367-Out-of-bounds-read-in-xpmNextWord.patch to the final version, which has been submitted to gitlab (CVE-2026-4367, bsc#1260928, comment#22)
- 0001-Fix-CVE-2026-4367-Out-of-bounds-read-in-xpmNextWord.patch
  * fix Out of bounds read (CVE-2026-4367, bsc#1260928)

==== libgcrypt ====
Version update (1.12.1 -> 1.12.2)

- Update to 1.12.2
  * Various fixes on gcry_kem_* apis

==== libgme ====
Version update (0.6.4 -> 0.6.5)

- Update to version 0.6.5
  * Removed CPP demo as it uses private API.
  * Reworked demos so they no longer use private API.
  * Implemented some undocumented OPcodes for NES CPU.
  * Fixed several compile warnings.
  * The fade length is now passed to the track info for SPC files.
  * The C++ runtime library is now properly exported.
  * Fixed several crashes and security vulnerabilities reported by people.
  * The YM2413 chip emulator has been updated to the version v1.5.9
  * Added ADPCM support for the HES emulator, backported from Kode54's fork.

==== libkdcraw ====
Subpackages: libKDcrawQt6-5 libkdcraw-qt6

- Restore a Qt 5 based libkdcraw package until krita is ported to Qt 6

==== libstorage-ng ====
Version update (4.5.313 -> 4.5.314)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1069
- add support for XBOOTLDR partition type (jsc#PED-16142)
- 4.5.314

==== libxml2 ====
Version update (2.15.2 -> 2.15.3)
Subpackages: libxml2-16 libxml2-tools

- Update to version 2.15.3:
  * Security:
    - parser: Pass userData to SAX text callbacks in xmlParseReference (type-confusion)
    - entities: copy children in xmlCopyEntity
    - c14n: Fix Type confusion in xmlC14NProcessAttrsAxis
    - python: Do not decref string after adding to the list (double-free / use-after-free)
    - c14n: Reuse tmp_str, xmlStrcat reallocates *cur (double-free)
  * Improvements:
    - schemas: Fix relative schemaLocation resolution in XSI assembly in streaming mode
    - xmlreader: propagate reader resource loaders to validator parsers
    - python: Make python bindings python2 compatible
    - xmlregexp: Fix escape-sequence character range matching
    - xmlreader: Free input in xmlReaderForFd (memory-leak)
    - xmlstring: Free cur on every error for xmlStrncat (memory-leak)
    - catalog: Free xmlCatalogResolveCache on cleanup (memory leak)
    - Fix nanohttp.c build when --without-output
    - test: fix mismatched signed/unsigned comparison

==== mariadb ====
Subpackages: libmariadbd19 mariadb-client mariadb-errormessages

- Returned provider_lzma.so plugin (boo#1262217).

==== mozilla-nss ====
Version update (3.121 -> 3.122.1)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools

- update to NSS 3.122.1
  * bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
  * bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey.
  * bmo#2029462 - store email on subject cache_entry in NSS trust domain.
  * bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
  * bmo#2029323 - Improve size calculations in CMS content buffering.
  * bmo#2028001 - avoid integer overflow while escaping RFC822 Names.
  * bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder.
  * bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile.
  * bmo#2027345 - Improve input validation in DSAU signature decoding.
  * bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS.
  * bmo#2026156 - Add a maximum cert uncompressed len and tests.
  * bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes.
  * bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie.
- update to NSS 3.122
  * bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
  * bmo#2023664 - run mach doc-lint from generate_release_doc.py.
  * bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
  * bmo#2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable.
  * bmo#2021911 - fix cipher spec count intermittent CI failures.
  * bmo#2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures.
  * bmo#2023437 - lint the legacy documentation.
  * bmo#2023437 - lint the NSS 3.112.3 release notes.
  * bmo#2023437 - add a doc-lint CI job.
  * bmo#2020224 - Add more useful coverage reports to CI and fail if new commit isn't tested.
  * bmo#1472747 - wrong alert for malformed TLS 1.3 Finished.
  * bmo#1916429 - Swap order of asserts and state check.
  * bmo#2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare.
  * bmo#2017929 - GCM needs to check for various limits in FIPS mode.
  * bmo#2017938 - Get Key Length not working from ED and Montgomery keys.
  * bmo#2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren't.
  * bmo#2020721 - fix intermittent ssl.sh test failures on windows runners.
  * bmo#2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage.
  * bmo#2017920 - Generate keys not getting indicators.
  * bmo#2020612 - improve error handling in smime_init_once.
  * bmo#1987288 - Detect CPU features on OpenBSD using elf_aux_info.
  * bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
  * bmo#2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects.
  * bmo#2019194 - fix missing .S file error in Solaris Makefile builds.
  * bmo#2020486 - fix memory leak in NSC_GenerateKey error path.
  * bmo#2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions.
  * bmo#2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths.
  * bmo#2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path.
  * bmo#2020188 - avoid null deref in mp_div_d sign normalization.
  * bmo#2017945 - Temp private key lifecycle is broken.
  * bmo#1851073 - protect rwSessionCount with slotLock.
  * bmo#2019224 - Remove invalid PORT_Free().
  * bmo#1828713 - Fix intermittent ClientGreaseKeyShare test failure.
  * bmo#2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate.
  * bmo#2019760 - patch upstream acvp-rust during checkout to avoid build failures.
  * bmo#2019760 - update acvp Dockerfile.
  * bmo#2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken.
  * bmo#2018000 - CKA_SEED missing from isPrivate in the database.
  * bmo#2019717 - update abicheck expectation for __nss_InitLock.
  * bmo#2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds.
  * bmo#2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path.
  * bmo#2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT.
  * bmo#2019327 - tests: add native_path helper for cross-platform path conversion.
  * bmo#2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows.
  * bmo#2019090 - avoid platform GCM for x64 iOS emulator builds.
  * bmo#2012002 - remove lock instrumentation feature.
  * bmo#2017923 - Move FIPS indicator structures out of fips_algorithms.h.
  * bmo#2018064 - all.sh is failing in FIPS SSL test in main tree.
  * bmo#1975973 - fix memory leaks in crmf tests.
  * bmo#2012547 - fix unsatisfiable condition in lg_getTrust.
  * bmo#2006218 - allow selfserv makefile build to use system zlib.
  * bmo#2002247 - Add allocation limit to pkcs12 decoding.
  * bmo#2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests.
- Rebase patches nss-fips-aes-gcm-restrict.patch and nss-fips-approved-crypto-non-ec.patch due to upstreamed FIPS patches

==== mpc ====
Version update (1.3.1 -> 1.4.1)

- update to 1.4.1:
  * mpc_fr_div: Fix memory leak introduced in release 1.4.0
- Fixup pkg-config install location
- Update to 1.4.0:
  * New functions: mpc_exp10, mpc_exp2, mpc_log2
  * mpc_tan and mpc_tanh: Fix wrong values and slowness for large imaginary part.
  * mpc_pow: Agree on and implement the sign of the imaginary part when both inputs are real.
  * mpc_fr_div and mpc_ui_div: Treat the imaginary part of the dividend as an exact zero and not as +0, following the C2Y draft of the C standard. This changes the signs of zeroes in some results.
  * Generate the pkg-config file mpc.pc

==== ncurses ====
Version update (6.6.20260328 -> 6.6.20260418)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Disable fix-mouse.patch as it conflicts with current patch level. Mask patch fix-mouse.patch as source to not lose it.
- The fix-bsc1259924.patch is NOT required as at this patch level already included. In fact fix-bsc1259924.patch is a backport.
- Add ncurses patch 20260418
  + note in manpage that wgetch/wget_wch consistently set errno to EBADF for poll/select configurations when the input is closed.
  + improve check in test/ncurses for errors by limiting it to the latest wgetch/wget_wch (cf: 20260404).
  > fixes for problems found by Anthropic (report by David Korczynski):
    + correct a limit-check in _nc_write_object
    + correct a source-pointer in _nc_trim_sgr0
    + add limit-check in read_SGR
- Add ncurses patch 20260411
  + if POLLNVAL is set in revents, set errno to EBADF to improve handling of closed input for poll() configuration.
  + cancel bce and rep in some screen.X's -TD
- Add ncurses patch 20260404
  + use xterm+direct in konsole-direct, add several features to konsole (report by Xu Che)
  + use dec+sl in mintty (prompted by Thomas Wolff) -TD
  + add linux-alt1049 (report by Sebastien Hinderer) -TD
  + add a limit-check in _nc_mouse_parse in case there are no valid events (report by Giorgos Xou, cf: 20260301).
  + amend recent change to test/ncurses to check errno before deciding to exit.

==== ntfs-3g_ntfsprogs ====
Subpackages: libntfs-3g89 ntfs-3g ntfsprogs

- Add ntfs3g-heap-overflow.patch: bsc#1262216 CVE-2026-40706.

==== openSUSE-release ====
Version update (20260420 -> 20260425)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Update openssh-8.1p1-audit.patch (bsc#1252890). This prevents the connection from dropping due to message mismatches in the monitor protocol when concurrency is high.
- Add missing patch tags.

==== ovmf ====
Subpackages: qemu-uefi-aarch64

- Update mbedtls to 3.6.6 to fix CVE-2026-25833, CVE-2026-25834, CVE-2026-25835, CVE-2026-34874 (bsc#1261476, bsc#1261477, bsc#1261478, bsc#1261469)
  - Requires Mbed TLS 3.6.6 or higher to mitigate vulnerability.
- Add qcow2 format firmware images for snapshot support (jsc#PED-14634, bsc#1262549)
  - Convert all -code.bin and -vars.bin to qcow2 format via qemu-img to enable backing file and snapshot support; unified and special-purpose images (e.g., SEV, TDX, Xen) remain in raw format only.
==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced

- immutable_base: Pull in systemd-presets-branding-SLE_immutable rather than systemd-presets-branding-SLE_transactional (package has been renamed)

==== php8 ====
Version update (8.4.20 -> 8.5.5)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- php8-devel: require pkgconfig(capstone) now that we build with libcapstone enabled
- version update to 8.5.5
  Core:
    Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed trait properties).
    Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies).
  Bz2:
    Fix truncation of total output size causing erroneous errors.
  DOM:
    Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes).
  FFI:
    Fixed resource leak in FFI::cdef() on symbol resolution failure.
  GD:
    Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support).
  Opcache:
    Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script).
    Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results).
    Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context).
    Fixed bug GH-21395 (uaf in jit).
  OpenSSL:
    Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys).
    Fix missing error propagation for BIO_printf() calls.
  PCNTL:
    Fixed signal handler installation on AIX by bumping the storage size of the num_signals global.
  PCRE:
    Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl.
  Phar:
    Fixed bug GH-21333 (use after free when unlinking entries during iteration of a compressed phar).
  SNMP:
    Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments).
  SOAP:
    Fixed Set-Cookie parsing bug wrong offset while scanning attributes.
  SPL:
    Fixed bug GH-21454 (missing write lock validation in SplHeap).
  Standard:
    Fixed bug GH-20906 (Assertion failure when messing up output buffers).
    Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).
  Sysvshm:
    Fix memory leak in shm_get_var() when variable is corrupted.
  XSL:
    Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument).
    Fixed bug GH-21496 (UAF in dom_objects_free_storage).
- version update to 8.5.4
  Core:
    Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds).
    Fixed bug GH-21059 (Segfault when preloading constant AST closure).
    Fixed bug GH-21072 (Crash on (unset) cast in constant expression).
    Fix deprecation now showing when accessing null key of an array with JIT.
    Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()).
    Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()).
    Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value).
    Fixed bug GH-21215 (Build fails with -std=).
    Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool).
  Curl:
    Don't truncate length.
  Date:
    Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start).
    Fix timezone offset with seconds losing precision.
  DOM:
    Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError).
    Fixed bug GH-21097 (Accessing Dom\Node properties can throw TypeError).
  LDAP:
    Fixed bug GH-21262 (ldap_modify() too strict controls argument validation makes it impossible to unset attribute).
  MBString:
    Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries).
  Opcache:
    Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris).
    Fixed bug GH-21227 (Borked SCCP of array containing partial object).
  OpenSSL:
    Fix a bunch of leaks and error propagation.
  Windows:
    Fixed compilation with clang (missing intrin.h include).
- version update to 8.5.3
  Core:
    Fixed bug GH-20806 (preserve_none feature compatibility with LTO).
    Fixed bug GH-20767 (build failure with musttail/preserve_none feature on macOS).
    Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown function triggered by bailout in php_output_lock_error()).
    Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber).
    Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization).
    Fixed bug GH-20914 (Internal enums can be cloned and compared).
    Fix OSS-Fuzz #474613951 (Leaked parent property default value).
    Fixed bug GH-20895 (ReflectionProperty does not return the PHPDoc of a property if it contains an attribute with a Closure).
    Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction).
    Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked backing value).
    Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may uaf).
    Fixed bug GH-20905 (Lazy proxy bailing __clone assertion).
    Fixed bug GH-20479 (Hooked object properties overflow).
  Date:
    Update timelib to 2022.16.
  DOM:
    Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts).
  MbString:
    Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding).
    Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive array references).
  Opcache:
    Fixed bug GH-20818 (Segfault in Tracing JIT with object reference).
  OpenSSL:
    Fix memory leaks when sk_X509_new_null() fails.
    Fix crash in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
    Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails.
... changelog too long, skipping 513 lines ...
  * php-systzdata-v24.patch (refreshed)

==== pipewire ====
Version update (1.6.2 -> 1.6.4)
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools

- Update to version 1.6.4:
  * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases.
  * Highlights
    - Small improvements and segfault fixes.
    - Try to not emit ports that JACK doesn't understand. Fixes glitches in ardour and other JACK apps.
  * PipeWire
    - Refuse to load plugins and crash when pw_init() was not called. (!2784 (closed))
  * SPA
    - Fix LADSPA plugin loading, support LADSPA_PATH ending with /
    - Fix segfault in alsa-seq when removing devices in some cases. (#5221 (closed))
    - Allow negative gain in mixer. (#5228 (closed))
    - Improve alsa-seq port names, add : between client and port. (#5229 (closed))
    - ACP: don’t override user-selected port on availability changes.
  * Bluetooth
    - Backport some important fixes and minor improvements.
  * JACK
    - Ignore non DSP ports to avoid emitting extra callbacks.
  * GStreamer
    - Fix crop metadata.
  * Tools
    - Fix WAVEX saving in pw-cat. (#5233 (closed))
- Update to version 1.6.3:
  * Highlights
    - Fix some RAOP compatibility regressions.
    - Fix segfault in the mixer in some cases.
    - Most nodes now produce and consume MIDI1 again and avoid conversions to and from UMP.
    - Various small fixes and improvements.
  * PipeWire
    - Fix regression with sample rate changes. (#5207 (closed))
    - Fix a potential integer overflow in the memory mapping.
  * Modules
    - Align RTP timestamps to make RAOP work on more devices. (#5167 (closed))
    - Avoid crashes in RTP streams because of concurrent event emission.
    - Avoid invalid fd usage in native-protocol with special crafted messages.
    - Fix properties and params enumeration in filter-chain (#5202 (closed)).
  * SPA
    - Fix compilation with -Werror=discarded-qualifiers
    - Avoid OOB read in mix matrix. (#5176 (closed))
    - Avoid loading plugins from absolute paths that are not in the search path.
    - Avoid MIDI conversions to and from UMP. (#5183 (closed))
  * Bluetooth
    - Backport some fixes and avoid some crashes.
  * JACK
    - Make sure timebase callback is never called with 0 frames.
    - Increase the notify queue to avoid losing notifications.
- Drop patch which is already included upstream:
  * pipewire-const-correctness-1.patch
- Modify the service to use a tar.xz file for the sources instead of obscpio.

==== poppler ====
Subpackages: libpoppler-cpp3 libpoppler-glib8 libpoppler157 poppler-tools

- %suse_version value will be bumped for each service pack (e. g. 1610 for 16sp1), thus using >= 1600 for SLE16
- SLE16 does not have extra-cmake-modules

==== poppler-qt6 ====

- %suse_version value will be bumped for each service pack (e. g. 1610 for 16sp1), thus using >= 1600 for SLE16
- SLE16 does not have extra-cmake-modules

==== postfix ====

- Yet another AVC denial from procmail ... (bsc#1261933)
  Set FD_CLOEXEC on the file descriptor of the db file
  o avoid-inherited-file-descriptor.patch

==== python-lxml ====
Version update (6.0.2 -> 6.1.0)

- update to 6.1.0 (CVE-2026-41066):
  * This release fixes a possible external entity injection (XXE) vulnerability in ``iterparse()`` and the ``ETCompatXMLParser``.
  * GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in ``lxml.html.defs``.
  * The default chunk size for reading from file-likes in ``iterparse()`` is now configurable with a new ``chunk_size`` argument.
  * LP#2148019: Spurious MemoryError during namespace cleanup.
  * Several out of memory error cases now raise ``MemoryError`` that were not handled before.
  * Slicing with large step values (outside of ``+/- sys.maxsize``) could trigger undefined C behaviour.
  * LP#2125399: Some failing tests were fixed or disabled in PyPy.
  * LP#2138421: Memory leak in error cases when setting the ``public_id`` or ``system_url`` of a document.
  * Memory leak in case of a memory allocation failure when copying document subtrees.
  * When mapping an XPath result to Python failed, the result memory could leak.
  * When preparing an XSLT transform failed, the XSLT parameter memory could leak.

==== quadrapassel ====
Version update (50.0.1 -> 50.1)

- Update to version 50.1:
  + Reduced the bonus for destroying the bottom row
  + Added the ability to hold pieces
  + Fixed a bug where the gamepad could start or unpause games when not in focus
  + Changed the GioApplicationFlags to 'G_APPLICATION_DEFAULT_FLAGS'
  + Updated translations.

==== raspberrypi-firmware ====
Version update (2025.06.05 -> 2026.02.11)

- Update to 832291b92d49 (2026-02-11)
  * firmware: arm_crypto_hmac_sha256: Initialise mbedtls early
  * firmware: arm_ldconfig: Avoid double os_prefix on initramfs
    See: https://forums.raspberrypi.com/viewtopic.php?t=394238
  * firmware: helpers/config_loader: Also support bootvar0 eeprom config on Pi4
    See: https://github.com/raspberrypi/rpi-eeprom/issues/773
  * firmware: extra: Add missing dt-blob.dts
  * firmware: arm-crypto: Implement rpi-fw-crypto service
    See: https://github.com/raspberrypi/utils/pull/139
  * firmware: bootloader: Fix config key search which could cause camera_autodetect to fail
  * firmware: arm_loader: Also require the early-watchdog property
    See: https://github.com/raspberrypi/firmware/issues/1980
  * firmware: extra: Add missing dt-blob.dts
  * firmware: arm_loader: Enable "Starting ARM" log message
- ------------------------------------------------------------------
- Enable dwc2 overlay on pi0, pi1 and pi2 models. This is to properly enable USB hub to which in some cases the Ethernet controller is connected. See boo#1251192.
  Tested on:
  * RPi Zero 2 W Rev 1.0
  * RPi 2 Model B Rev 1.1 and Rev 1.2

==== raspberrypi-firmware-config ====
Version update (2025.06.05 -> 2026.02.11)

- Update to 832291b92d49 (2026-02-11)
  * firmware: arm_crypto_hmac_sha256: Initialise mbedtls early
  * firmware: arm_ldconfig: Avoid double os_prefix on initramfs
    See: https://forums.raspberrypi.com/viewtopic.php?t=394238
  * firmware: helpers/config_loader: Also support bootvar0 eeprom config on Pi4
    See: https://github.com/raspberrypi/rpi-eeprom/issues/773
  * firmware: extra: Add missing dt-blob.dts
  * firmware: arm-crypto: Implement rpi-fw-crypto service
    See: https://github.com/raspberrypi/utils/pull/139
  * firmware: bootloader: Fix config key search which could cause camera_autodetect to fail
  * firmware: arm_loader: Also require the early-watchdog property
    See: https://github.com/raspberrypi/firmware/issues/1980
  * firmware: extra: Add missing dt-blob.dts
  * firmware: arm_loader: Enable "Starting ARM" log message
- ------------------------------------------------------------------

==== ruby4.0 ====
Version update (4.0.2 -> 4.0.3)
Subpackages: libruby4_0-4_0

- Update to 4.0.3 (boo#1262441)
  This release only contains ERB 6.0.1.1, which fixes CVE-2026-41316. If your application calls Marshal.load on untrusted data AND has both erb and activesupport loaded, please update your ERB to 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. You may use this Ruby 4.0.3 release to do so.
  https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316/
  https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released/

==== sdbootutil ====
Version update (1+git20260409.83d5678 -> 1+git20260421.88e40c4)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20260421.88e40c4:
  * Allow multiple lines and comment lines in cmdline files

==== sso-mib ====
Version update (0.8.0 -> 0.8.1)

- Import version 0.8.1
  This bugfix release hardens the codebase against various kinds of errors

==== tar ====
Subpackages: tar-rmt

- Ensure the date in .info files is reproducible (boo#1047218)

==== tftp ====

- jsc#PED-14746: Fix packages for Immutable Mode
  * Remove /srv/tftpboot from package, system-user-tftp already provides that.

==== time ====
Version update (1.9 -> 1.10)

- update to 1.10
  * now opens the file specified by --output with its close-on-exec flag set. Previously the file descriptor would be leaked into the child process.
  * no longer appends the program name to the output when the format string contains a trailing backslash
  * now uses the more portable waitpid and getrusage system calls instead of wait3.
  * help output correctness
- drop disable-time-max-rss-test.patch
- drop time-gcc15.patch

==== xdg-user-dirs ====
Version update (0.18 -> 0.20)

- Update to version 0.20:
  + Features:
    - user-dirs.defaults: add PROJECTS directory
    - Replace xdg-user-dir shell script with C implementation
    - Make printable-char validation for dir names stricter
  + Bugfixes:
    - build: Unhardcode bindir in .service file
    - Fix length accounting in concat_strings
    - Escape " as well when shell-escaping
    - Check that user dir name does not contain line breaks
    - git-tp-sync: prevent handling POT files
  + Miscellaneous:
    - Remove Automake support
    - Clean up user-dir lookup code a bit, split sources and data
    - Stop mixing tabs & spaces
- Changes from version 0.19:
  + Features:
    - Add a systemd service to run xdg-user-dirs-update
    - Add initial Meson buildsystem support
  + Bugfixes: Fix autopoint invocation
  + Miscellaneous:
    - Update automake boilerplate
    - Update information in README
  + Updated translations.
- Switch to meson buildsystem.
- Drop 0001-Add-a-systemd-service-to-run-xdg-user-dirs-update.patch
  Fixed upstream.

==== xterm ====
Version update (406 -> 407)
Subpackages: xterm-bin xterm-resize

- update to 407:
  * add private modes 1020 to 1023 for reporting whether xterm uses UTF-8, whether CJK-width is set, whether Emoji-width is set, and whether private-width is set.
  * add resource privateWidth to control whether PUA (private use area) codes are neutral width or single-width.
  * improve fix for Debian #738794, to show boxes for codes which are neither combining characters or valid Unicode characters
  * improve switching to/from UTF-8 mode by saving, restoring and resetting the G0-G3 array (Debian #1124802).
  * use ST consistently in terminfo rather than legacy BEL
    minor updates to configure script and terminfo
  * add option --enable-resize-adjust for saving and repainting parts of the window which are lost when the user resizes the window

==== yast2-trans ====
Version update (84.87.20260325.bd0ff66bcc -> 84.87.20260414.0f82ab3540)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu

- Update to version 84.87.20260414.0f82ab3540:
  * Translated using Weblate (Arabic)

==== zlib ====
Subpackages: libminizip1 libz1

- Fix CVE-2026-27171, infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths (bsc#1258392)
  * CVE-2026-27171.patch