Packages changed:
  bash (5.2.32 -> 5.2.37)
  bluez
  brltty
  cairomm (1.16.1 -> 1.16.2)
  chrony (4.5 -> 4.6)
  curl (8.10.0 -> 8.10.1)
  cyrus-sasl
  expat
  folks
  fwupd (1.9.24 -> 1.9.25)
  gcc
  gcr
  gcr3
  gegl
  gettext-runtime
  gstreamer (1.24.7 -> 1.24.8)
  gstreamer-plugins-bad (1.24.7 -> 1.24.8)
  gstreamer-plugins-base (1.24.7 -> 1.24.8)
  gstreamer-plugins-good (1.24.7 -> 1.24.8)
  gstreamer-plugins-libav (1.24.7 -> 1.24.8)
  gstreamer-plugins-ugly (1.24.7 -> 1.24.8)
  gtk4 (4.16.1 -> 4.16.2)
  gucharmap
  gupnp (1.6.6 -> 1.6.7)
  harfbuzz (9.0.0 -> 10.0.1)
  kernel-firmware-nvidia-gspx-G06-cuda
  kernel-source (6.10.11 -> 6.11.0)
  libeconf (0.7.3 -> 0.7.4)
  libmbim (1.28.4 -> 1.30.0)
  libostree (2024.7 -> 2024.8)
  libpcap
  libpeas
  libvirt-glib
  lightsoff
  microos-tools (2.21+git13 -> 2.21+git16)
  openSUSE-release (20240924 -> 20240927)
  openssh (9.8p1 -> 9.9p1)
  openssh-askpass-gnome (9.8p1 -> 9.9p1)
  openssl-3
  orc (0.4.39 -> 0.4.40)
  pam_pkcs11
  pinentry
  pinentry-gui
  postfix
  postgresql17 (17~rc1 -> 17.0)
  python-Jinja2
  python-Twisted (24.3.0 -> 24.7.0)
  python-incremental (22.10.0 -> 24.7.2)
  python-lxml (5.2.2 -> 5.3.0)
  python-ptyprocess
  python-pycurl
  sac
  salt
  sddm
  sddm-qt6
  selinux-policy (20240912 -> 20240925)
  systemd (256.5 -> 256.6)
  tcl (8.6.14 -> 8.6.15)
  tigervnc
  timezone (2024a -> 2024b)
  transactional-update (4.8.2 -> 4.8.3)
  tree (2.1.1 -> 2.1.3)
  xfce4-dict (0.8.6 -> 0.8.7)
  xorg-x11-server
  xwayland

=== Details ===

==== bash ====
Version update (5.2.32 -> 5.2.37)
Subpackages: bash-sh

- Add upstream patches
  * bash52-037
    Fix the case where text to be completed from the line buffer (quoted) is
    compared to the common prefix of the possible matches (unquoted) and the
    quoting makes the former appear to be longer than the latter. Readline
    assumes the match doesn't add any characters to the word and doesn't display
    multiple matches.
  * bash52-036
    When readline is accumulating bytes until it reads a complete multibyte
    character, reading a byte that makes the multibyte character invalid can
    result in discarding the bytes in the partial character.
  * bash52-035
    There are systems that supply one of select or pselect, but not both.
  * bash52-034
    If we parse a compound assignment during an alias expansion, it's possible
    to have the current input string popped out from underneath the parse. In
    this case, we should not restore the input we were using when we began to
    parse the compound assignment.
  * bash52-033
    A typo in the autoconf test for strtold causes false negatives for strtold
    being available and working when compiled with gcc-14.
- Port patch bash-3.2-printf.patch to fit change in bash52-033

==== bluez ====
Subpackages: bluez-auto-enable-devices bluez-cups bluez-obexd bluez-zsh-completion libbluetooth3

- add Fix-crash-after-bt_uhid_unregister_all.patch to fix crashes
  when devices disconnect or go to sleep

==== brltty ====
Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-speech-dispatcher brltty-driver-xwindow libbrlapi0_8 python3-brlapi system-user-brltty xbrlapi

- For the correct generation of pkgIndex.tcl it is required that
  libbrlapi_tcl can runtime-link to libbrlapi at install time.
  Set LD_LIBRARY_PATH to allow that.
- Work around a syntactic change to TCL_PACKAGE_PATH to fix build
  with Tcl 8.6.15.

==== cairomm ====
Version update (1.16.1 -> 1.16.2)

- update to version 1.16.2:
  * meson.build: Avoid configuration warnings
  * MSVC build: Support VS2022 builds
    (Chun-wei Fan) Merge request !20
  * Meson build: When mm-common >= 1.0.4 is used, Perl is not required
  * Meson build: Specify 'check' option in run_command()
    Will be necessary with future versions of Meson.
    Require Meson >= 0.55.0
  * Meson build: Avoid unnecessary configuration warnings
    (Kjell Ahlstedt)

==== chrony ====
Version update (4.5 -> 4.6)
Subpackages: chrony-pool-openSUSE

- Update to version 4.6:
  * Add activate option to local directive to set activation threshold
  * Add ipv4 and ipv6 options to server/pool/peer directive
  * Add kod option to ratelimit directive for server KoD RATE support
  * Add leapseclist directive to read NIST/IERS leap-seconds.list file
  * Add ptpdomain directive to set PTP domain for NTP over PTP
  * Allow disabling pidfile
  * Improve copy server option to accept unsynchronised status instantly
  * Log one selection failure on start
  * Add offset command to modify source offset correction
  * Add timestamp sources to ntpdata report
  * Fix crash on sources reload during initstepslew or RTC initialisation
  * Fix source refreshment to not repeat failed name resolving attempts
  * Obsoletes chrony-124-tai.patch
- The project's new home is https://chrony-project.org/ .

==== curl ====
Version update (8.10.0 -> 8.10.1)
Subpackages: curl-zsh-completion libcurl4

- Update to 8.10.1:
  * Bugfixes:
  - autotools: fix `--with-ca-embed` build rule
  - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
  - cmake: fix MSH3 to appear on the feature list
  - connect: store connection info when really done
  - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
  - http2: when uploading data from stdin, fix eos forwarding
  - http: make max-filesize check not count ignored bodies
  - lib: fix AF_INET6 use outside of USE_IPV6
  - multi: check that the multi handle is valid in curl_multi_assign
  - QUIC: on connect, keep on trying on draining server
  - request: correctly reset the eos_sent flag
  - setopt: remove superfluous use of ternary expressions
  - singleuse: drop `Curl_memrchr()` for no-HTTP builds
  - tool_cb_wrt: use "curl_response" if no file name in URL
  - transfer: fix sendrecv() without interim poll
  - vtls: fix `Curl_ssl_conn_config_match` doc param

==== cyrus-sasl ====
Subpackages: cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-plain libsasl2-3

- Make DIGEST-MD5 work with openssl3 ( bsc#1230111 )
  RC4 is legacy provided since openSSL3 and requires explicit loading, dDisable openssl3 depricated API warnings.
  * Add cyrus-sasl-make-digestmd5-work-ssl3.patch

==== expat ====
Subpackages: libexpat1

- updated keyring [https://build.suse.de/request/show/345282]
- modified sources
  % expat.keyring

==== folks ====
Subpackages: folks-data libfolks-eds26 libfolks26

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== fwupd ====
Version update (1.9.24 -> 1.9.25)
Subpackages: fwupd-bash-completion libfwupd2 typelib-1_0-Fwupd-2_0

- Update to version 1.9.25:
  + This release fixes the following bugs:
  - Fix checking new Synaptics MST firmware size
  - Make another ModemManager instance ID visible for firmware
    matching
  - Never set a zero-length device name when matching the vendor
    name
  - Recalculate the device supported flag when reparenting
    devices
  - Reduce idle power consumption of paired logitech-hidpp
    devices
  - Retry the open action to fix BC901 NVMe reload
  + This release adds support for the following hardware:
  - Algoltek devices supporting sector erase
  - Dell K2 dock
  - Intel USB4 hub 5787
  - More MediaTek scaler devices
  - Nordic HID devices supporting DFUv1

==== gcc ====
Subpackages: cpp libstdc++-devel

- Ensure every -build package conflicts and provides the non-build
  counterpart (related to boo#1230628)
- Make gcc-build-fortran provide and conflict gcc-fortran.

==== gcr ====
Subpackages: gcr-ssh-agent gcr-ssh-askpass gcr-viewer libgck-2-2 libgcr-4-4 typelib-1_0-Gck-2 typelib-1_0-Gcr-4

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== gcr3 ====
Subpackages: gcr3-data gcr3-prompter gcr3-ssh-agent gcr3-ssh-askpass libgck-1-0 libgcr-3-1

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== gegl ====
Subpackages: gegl-0_4 libgegl-0_4-0

- add revertleap.patch to get gegl build on older ffmpegs

==== gettext-runtime ====
Subpackages: libtextstyle0

- Move envsubst requires into main package, gettext.sh is not part of
  gettext-tools, but gettext-runtime (fixes boo#1227070)

==== gstreamer ====
Version update (1.24.7 -> 1.24.8)
Subpackages: gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.24.8:
  + Highlighted bugfixes:
  - decodebin3: collection handling fixes
  - encodebin: Fix pad removal (and smart rendering in
    gst-editing-services)
  - glimagesink: Fix cannot resize viewport when video size
    changed in caps
  - matroskamux, webmmux: fix firefox compatibility issue with
    Opus audio streams
  - mpegtsmux: Wait for data on all pads before deciding on a
    best pad unless timing out
  - splitmuxsink: Override LATENCY query to pretend to downstream
    that we're not live
  - video: QoS event handling improvements
  - voamrwbenc: fix list of bitrates
  - vtenc: Restart encoding session when certain errors are
    detected
  - wayland: Fix ABI break in WL context type name
  - webrtcbin: Prevent crash when attempting to set answer on
    invalid SDP
  - cerbero: ship vp8/vp9 software encoders again, which went
    missing in 1.24.7; ship transcode plugin
  - Various bug fixes, memory leak fixes, and other stability and
    reliability improvements
  + gstreamer:
  - clock: Fix unchecked overflows in linear regression code
  - meta: Add missing include of gststructure.h
  - pad: Check data NULL-ness when probes are stopped
  - aggregator: Immediately return NONE from
    simple_get_next_time() on non-TIME segments

==== gstreamer-plugins-bad ====
Version update (1.24.7 -> 1.24.8)
Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.24.8:
  + GstPlay: Name the different bus
  + GstPlay: check whether stream is seekable before seeking when
    state change
  + GstPlayer: Check GstPlayerSignalDispatcher type
  + mpegtsmux: Wait for data on all pads before deciding on a best
    pad unless timing out
  + mpegtsmux: Fix refcounting issue when selecting the best pad
  + uvcsink: fix caps event handling
  + v4l2codecs: h265: Minimize memory allocation
  + voamrwbenc: fix list of bitrates
  + vtenc: Restart encoding session when certain errors are
    detected
  + wayland: Fix ABI break in WL context type name
  + webrtcbin: Prevent crash when attempting to set answer on
    invalid SDP
  + wpe: fix gst-launch example

==== gstreamer-plugins-base ====
Version update (1.24.7 -> 1.24.8)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Update to version 1.24.8:
  + decodebin3: Fix collection identity check
  + encodebin: Fix pad removal
  + glimagesink: Fix cannot resize viewport when video size changed
    in caps
  + video: Don't overshoot QoS earliest time by a factor of 2
  + meson: gst-play: link to libm
- Drop gst-plugins-base-decodebin3-collection-identity-check.patch:
  Fixed upstream.
- Rebase add_wayland_dep_to_tests.patch with quilt.

==== gstreamer-plugins-good ====
Version update (1.24.7 -> 1.24.8)
Subpackages: gstreamer-plugins-good-gtk

- Update to version 1.24.8:
  + jackaudiosrc: actually use the queried ports from JACK
  + matroskamux: Include end padding in the block duration for Opus
    streams, fixing firefox compatibility
  + osxaudio: Avoid dangling pointer on shutdown
  + splitmuxsink: Override LATENCY query to pretend to downstream
    that we're not live
  + v4l2bufferpool: actually queue back the empty buffer flagged
    LAST
  + v4l2videoenc: unref buffer pool after usage properly
  + v4l2: encoder: Add dynamic framerate support

==== gstreamer-plugins-libav ====
Version update (1.24.7 -> 1.24.8)

- Update to version 1.24.8:
  + No changes, stable version bump only.

==== gstreamer-plugins-ugly ====
Version update (1.24.7 -> 1.24.8)

- Update to version 1.24.8:
  + No changes, stable version bump only.

==== gtk4 ====
Version update (4.16.1 -> 4.16.2)
Subpackages: gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0

- Update to version 4.16.2:
  + GtkLabel: Fix centered text in RTL
  + Gsk:
  - Speed up some Vulkan operations
  - Improve startup speed by avoiding initialization of GL and
    Vulkan in most cases
  - Reduce critials at startup to warnings
  - Fix a crash on startup with some Vulkan drivers
  - Fix a big texture leak in NGL
  + Gdk: Speed up memory format conversions
  + Wayland: Be more careful with mimetypes during DND or
    copy-paste
  + Tools: builder-tool: Improve conversion of boxes
  + Updated translations.

==== gucharmap ====
Subpackages: libgucharmap_2_90-7

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== gupnp ====
Version update (1.6.6 -> 1.6.7)

- Update to version 1.6.7:
  + Fix compatiblity with libxml2 2.12.x
  + Improve reproducability
  + ControlPoint: Fix re-scan
  + ContextManager: Fix boot-id update
  + Context: Fix crash if served URI is not an IP address
- Drop 00514fb6.patch: Fixed upstream.

==== harfbuzz ====
Version update (9.0.0 -> 10.0.1)
Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0

- Update to version 10.0.1:
  + Relax sanitization checks for “morx” subtables to fix broken
    AAT shaping of macOS 15.0 version of GeezaPro.
- Switch to source service for tarball.
- Update to version 10.0.0:
  + Unicode 16.0.0 support.
  + Various documentation fixes.
  + Various build fixes.
  + Add API to allow HarfBuzz client to set what glyph to use when
    a Unicode Variation Selector is not supported by the font,
    which would allow the client to customize what happens in this
    case, by using a different font for example.
  + Add a callback to for “hb_face_t” for getting the list of table
    tags. This is now used to make calling
    “hb_face_get_table_tags()” work on a faces created by
    “hb_face_create_for_tables()” (e.g. faces returned by
    “hb_subset_or_fail()”).
  + CGJ and Mongolian Variation Selectors are now ignored during
    glyph positioning, previously they would block both glyph
    substitution and positioning across them.
  + Support cairo script as an output format for “hb-view” command
    line tool.
  + Drop an optimization that would cause HarfBuzz not apply pair
    positioning lookup subtables under certain circumstances, for
    compatibility with other implementations that do apply these
    subtables.
  + Subsetting will now fail if source font has no glyphs, so
    feeding the subsetter invalid data will not silently return an
    empty face.
  + If after partially instancing a font no variation data is left
    (the instance is fully static), don’t consider this a failure.
  + Workaround a Firefox bug in displaying SVGs generated be
    “hb-view” command line tool under certain circumstances.
  + Fix bug in macroman mapping for “cmap” table.
  + Fix difference shaping output when HarfBuzz is built with with
    “HB_NO_OT_RULESETS_FAST_PATH” enabled.
  + Various subsetting and instancing fixes.
  + Various fuzzing fixes.
  + Add “with_libstdcxx” meson build option.

==== kernel-firmware-nvidia-gspx-G06-cuda ====

- use SUSE-Firmware as License tag in specfile
- switch to official license for NVIDIA firmware files
  - -> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENCE.nvidia

==== kernel-source ====
Version update (6.10.11 -> 6.11.0)

- Revert "PCI: Extend ACS configurability" (bsc#1229019).
- commit 4b97d57
- block: Fix elv_iosched_local_module handling of "none" scheduler
  (bsc#1230925).
- commit d8cfa46
- drm/amdgpu/display: Fix a mistake in revert commit (bsc#1228093
- commit 39574a1
- Refresh patches.suse/ALSA-hda-Enhance-pm_blacklist-option.patch.
- Refresh
  patches.suse/ALSA-hda-Keep-PM-disablement-for-deny-listed-instanc.patch.
  Update upstream status.
- commit 2244c0f

==== libeconf ====
Version update (0.7.3 -> 0.7.4)

- Update to version 0.7.4:
  * Fixed memory leaks (#219)
  * Fixed: econf_readDirs crashes if one of the paths is NULL (#211)
  * Added links to man page. E.g. "man econf_readConfig" is working now.
  * Handle groups correctly which do not have any key entry.

==== libmbim ====
Version update (1.28.4 -> 1.30.0)
Subpackages: libmbim-glib4 mbimcli-bash-completion

- Update to version 1.30.0:
  + New Intel Mutual Authentication service
  + New Intel Tools service
  + New Google service
  + Extended the Microsoft-defined Basic Connect Extensions service
- Drop patches included upstream:
  + 0001-intel-mutual-authentication-new-service-fcc-lock.patch
  + 0002-intel-tools-new-service-trace-config.patch

==== libostree ====
Version update (2024.7 -> 2024.8)
Subpackages: libostree-1-1

- Update to version 2024.8:
  + Adapt to a change in libcurl 8.10.1 that caused ostree to start
    crashing.
  + switchroot: Stop making /sysroot mount private.

==== libpcap ====

- enable rdma support (bsc#1230894)

==== libpeas ====
Subpackages: libpeas-1_0-0 libpeas-gtk-1_0-0 libpeas-loader-python3 typelib-1_0-Peas-1_0 typelib-1_0-PeasGtk-1_0

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== libvirt-glib ====
Subpackages: libvirt-glib-1_0-0 typelib-1_0-LibvirtGLib-1_0

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== lightsoff ====

- BuildRequire gettext-devel instead of gettext: allow OBS to
  shortcut through gettext-runtime-mini.

==== microos-tools ====
Version update (2.21+git13 -> 2.21+git16)

- Update to version 2.21+git16:
  * selinux: Avoid parameter duplication
  * 98selinux-microos: Use a single thread for relabelling /etc
  * Use all cores for SELinux restorecon (related to jsc#SMO-382)
- _service: Omit +git0 suffix in versions

==== openSUSE-release ====
Version update (20240924 -> 20240927)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Version update (9.8p1 -> 9.9p1)
Subpackages: openssh-clients openssh-common openssh-server

- Add a const to the openssl 1.1/RSA section of sshkey_is_private
  to keep it similar to what it used before the 9.9 rebase:
  * openssh-8.1p1-audit.patch
- Add a openssl11 bcond to the spec file for the SLE12 case
  instead of checking suse_version in different parts.
- Move conditional patches to a number >= 1000.
- Update to openssh 9.9p1:
  = Future deprecation notice
  * OpenSSH plans to remove support for the DSA signature algorithm
    in early 2025. This release disables DSA by default at compile
    time. DSA, as specified in the SSHv2 protocol, is inherently
    weak - being limited to a 160 bit private key and use of the
    SHA1 digest. Its estimated security level is only 80 bits
    symmetric equivalent.
    OpenSSH has disabled DSA keys by default since 2015 but has
    retained run-time optional support for them. DSA was the only
    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
    because alternative algorithms were encumbered by patents when
    the SSHv2 protocol was specified.
    This has not been the case for decades at this point and better
    algorithms are well supported by all actively-maintained SSH
    implementations. We do not consider the costs of maintaining
    DSA in OpenSSH to be justified and hope that removing it from
    OpenSSH can accelerate its wider deprecation in supporting
    cryptography libraries.
  = Potentially-incompatible changes
  * ssh(1): remove support for pre-authentication compression.
    OpenSSH has only supported post-authentication compression in
    the server for some years. Compression before authentication
    significantly increases the attack surface of SSH servers and
    risks creating oracles that reveal information about
    information sent during authentication.
  * ssh(1), sshd(8): processing of the arguments to the "Match"
    configuration directive now follows more shell-like rules for
    quoted strings, including allowing nested quotes and \-escaped
    characters. If configurations contained workarounds for the
    previous simplistic quote handling then they may need to be
    adjusted. If this is the case, it's most likely to be in the
    arguments to a "Match exec" confition. In this case, moving the
    command to be evaluated from the Match line to an external
    shell script is easiest way to preserve compatibility with both
    the old and new versions.
  = New features
  * ssh(1), sshd(8): add support for a new hybrid post-quantum key
    exchange based on the FIPS 203 Module-Lattice Key Enapsulation
    mechanism (ML-KEM) combined with X25519 ECDH as described by
    https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
    This algorithm "mlkem768x25519-sha256" is available by default.
  * ssh(1): the ssh_config "Include" directive can now expand
    environment as well as the same set of %-tokens "Match Exec"
    supports.
  * sshd(8): add a sshd_config "RefuseConnection" option that, if
    set will terminate the connection at the first authentication
    request.
  * sshd(8): add a "refuseconnection" penalty class to sshd_config
    PerSourcePenalties that is applied when a connection is dropped
    by the new RefuseConnection keyword.
  * sshd(8): add a "Match invalid-user" predicate to sshd_config
    Match options that matches when the target username is not
    valid on the server.
  * ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
    substantially faster implementation.
  * ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
    exchange algorithm now has an IANA-assigned name in addition to
    the "@openssh.com" vendor extension name. This algorithm is now
    also available under this name "sntrup761x25519-sha512"
  * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
    included in core dump files for most of their lifespans. This
    is in addition to pre-existing controls in ssh-agent(1) and
    sshd(8) that prevented coredumps. This feature is supported on
    OpenBSD, Linux and FreeBSD.
  * All: convert key handling to use the libcrypto EVP_PKEY API,
    with the exception of DSA.
  * sshd(8): add a random amount of jitter (up to 4 seconds) to the
    grace login time to make its expiry unpredictable.
  = Bugfixes
  * sshd(8): relax absolute path requirement back to what it was
    prior to OpenSSH 9.8, which incorrectly required that sshd was
    started with an absolute path in inetd mode. bz3717
  * sshd(8): fix regression introduced in openssh-9.8 that swapped
    the order of source and destination addresses in some sshd log
    messages.
  * sshd(8): do not apply authorized_keys options when signature
    verification fails. Prevents more restrictive key options being
    incorrectly applied to subsequent keys in authorized_keys.
    bz3733
  * ssh-keygen(1): include pathname in some of ssh-keygen's
    passphrase prompts. Helps the user know what's going on when
    ssh-keygen is invoked via other tools. Requested in GHPR503
  * ssh(1), ssh-add(1): make parsing user@host consistently look
    for the last '@' in the string rather than the first. This
    makes it possible to more consistently use usernames that
    contain '@' characters.
  * ssh(1), sshd(8): be more strict in parsing key type names. Only
    allow short names (e.g "rsa") in user-interface code and
    require full SSH protocol names (e.g. "ssh-rsa") everywhere
    else. bz3725
  * regress: many performance and correctness improvements to the
    re-keying regression test.
    ... changelog too long, skipping 41 lines ...
- Use gcc11 when building in SLE12 and SLE15.

==== openssh-askpass-gnome ====
Version update (9.8p1 -> 9.9p1)

- Update to openssh 9.9p1:
  * No changes for askpass, see main package changelog for
    details.

==== openssl-3 ====
Subpackages: libopenssl3

- Security fix: [bsc#1230698, CVE-2024-41996]
  * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used
  * Added openssl-CVE-2024-41996.patch

==== orc ====
Version update (0.4.39 -> 0.4.40)

- Update to version 0.4.40:
  + Security: Minor follow-up fixes for CVE-2024-40897
  + Fix include header use from C++
  + orccodemem: Assorted memory mapping fixes
  + powerpc: fix div255w which still used the inexact substitution
  + powerpc: Disable VSX and ISA 2.07 for Apple targets
  + powerpc: Allow detection of ppc64 in Mac OS
  + x86: work around old GCC versions (pre 9.0) having broken
    xgetbv implementationsv
  + x86: consider MSYS2/Cygwin as Windows for ABI purposes only
  + x86: handle unnatural and misaligned array pointers
  + x86: Fix non-C11 typedefs
  + x86: try fixing AVX detection again by adding check for XSAVE
  + Some compatibility fixes for Musl
  + meson: Fix detecting XSAVE on older AppleClangv
  + Check return values of malloc() and realloc()

==== pam_pkcs11 ====

- Fix for boo#1230870:
  * Add patch 0001-memory-leak-fixes.patch
- Add -Wno-implicit-function-declaration to CFLAGS to fix build
  with gcc14 and newer

==== pinentry ====

- Make pinentry-efl optional

==== pinentry-gui ====
Subpackages: pinentry-gnome3 pinentry-gtk2 pinentry-qt6

- Make pinentry-efl optional

==== postfix ====

- Missing posttls-finger in postfix though changes mention it
  (bsc#1221501)

==== postgresql17 ====
Version update (17~rc1 -> 17.0)
Subpackages: libpq5 postgresql17-contrib postgresql17-llvmjit postgresql17-server

- Upgrade to 17.0.0:
  * New memory management system for VACUUM, which reduces memory
    consumption and can improve overall vacuuming performance.
  * New SQL/JSON capabilities, including constructors, identity
    functions, and the JSON_TABLE() function, which converts JSON
    data into a table representation.
  * Various query performance improvements, including for
    sequential reads using streaming I/O, write throughput under
    high concurrency, and searches over multiple values in a btree
    index.
  * Logical replication enhancements, including:
    + Failover control
    + pg_createsubscriber, a utility that creates logical replicas
    from physical standbys
    + pg_upgrade now preserves replication slots on both publishers
    and subscribers
  * New client-side connection option, sslnegotiation=direct, that
    performs a direct TLS handshake to avoid a round-trip
    negotiation.
  * pg_basebackup now supports incremental backup.
  * COPY adds a new option, ON_ERROR ignore, that allows a copy
    operation to continue in the event of an error.
  * https://www.postgresql.org/about/news/p-2936/
  * https://www.postgresql.org/docs/17/release-17.html

==== python-Jinja2 ====

- Fix build error under Leap.

==== python-Twisted ====
Version update (24.3.0 -> 24.7.0)
Subpackages: python311-Twisted python311-Twisted-tls

- Add upstream patch 12313-fix-test_manhole.patch to fix test failure
  with latest python312
- Update to 24.7.0
  * 24.7.0.rc2 fixed an unreleased regression caused by PR 12109. (#12279)
  * twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback
    response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). (#9839)
  * The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined
    HTTP requests out-of-order, possibly resulting in information disclosure
    (CVE-2024-41671/GHSA-c8m8-j448-xjx7) (#12248)
  * twisted.protocols.ftp now supports the IPv6 extensions defined in RFC 2428. (#9645)
  * twisted.internet.defer.inlineCallbacks can now yield a coroutine. (#9972)
  * twisted.python._shellcomp.ZshArgumentsGenerator was updated for Python 3.13. (#12065)
  * twisted.web.wsgi request environment now contains the peer port number as `REMOTE_PORT`. (#12096)
  * twisted.internet.defer.Deferred.callback() and twisted.internet.defer.Deferred.addCallbacks()
    no longer use `assert` to check the type of the arguments. You should now use type checking
    to validate your code. These changes were done to reduce the CPU usage. (#12122)
  * Added two new methods, twisted.logger.Logger.failuresHandled and twisted.logger.Logger.\
    failureHandler, which allow for more concise and convenient handling of exceptions when
    dispatching out to application code.  The former can arbitrarily customize failure handling
    at the call site, and the latter can be used for performance-sensitive cases where no
    additional information needs to be logged. (#12188)
  * twisted.internet.defer.Deferred.addCallback now runs about 10% faster. (#12223)
  * twisted.internet.defer.Deferred error handling is now faster, taking 40% less time to run. (#12227)
  * twisted.internet.ssl.Certificate.__repr__ can now handle certificates without
    a common name (CN) in the certificate itself or the signing CA. (#5851)
  * Type annotations have been added to twisted.conch.interfaces.IKnownHostEntry
    and its implementations, twisted.conch.client.knownhosts.PlainHost and
    twisted.conch.client.knownhosts.HashedHost, correcting a variety of
    type confusion issues throughout the conch client code. (#9713)
  * twisted.python.failure.Failure once again utilizes the custom
    pickling logic it used to in the past. (#12112)
  * twisted.conch.client.knownhosts.KnownHostsFile.verifyHostKey no longer logs
    an exception when automatically adding an IP address host key, which means
    the interactive `conch` command-line no longer will either. (#12141)
  * The IRC server example found in the documentation was updated for readability. (#12097)
  * Remove contextvars from list of optional dependencies. (#12128)
  * The documentation for installing Twisted was moved into a single page. (#12145)
  * The project's compatibility policy now clearly indicates that the GitHub Actions
    test matrix defines the supported platforms. (#12167)
  * Updated imap4client.py example, it no longer references Python 2. (#12252)
  * twisted.internet.defer.returnValue has been deprecated. You can replace
    it with the standard `return` statement. (#9930)
  * The `twisted-iocpsupport` is no longer a hard dependency on Windows.
  * The IOCP support is now installed together with the other Windows soft
  * dependencies via `twisted[windows-platform]`. (#11893)
  * twisted.python.deprecate helper function will now always strip whitespaces from the docstrings.
  * This is done to have the same behaviour as with Python 3.13. (#12063)
  * twisted.conch.manhole.ManholeInterpreter.write, twisted.conch.manhole.ManholeInterpreter.
    addOutput, twisted.mail.imap4.IMAP4Server.sendUntaggedResponse `async` argument,
    deprecated since 18.9.0, has been removed. (#12130)
  * twisted.web.soap was removed.
  * The SOAP support was already broken, for at least the last 4 years.
  * The SOAP support in Twisted has no active maintainer. (#12146)
  * Fix #11744, #11771, #12113, #12154, #12169, #12179, #12193, #12195,
    [#12197], #12215, #12221, #12243, #12249, #12254, #12259, #12669
  * twisted.conch.insults.window.Widget.functionKeyReceived now dispatches
    functional key events to corresponding `func_KEYNAME` methods, where `KEYNAME` can be `F1`, `F2`,
    `HOME`, `UP_ARROW` etc. This is a regression introduced with #8214 in Twisted 16.5.0, where events
    changed from `const` objects to bytestrings in square brackets like `[F1]`. (#12046)
  * twisted.web.agent.Agent now allows duplicate Content-Length headers having the same value, per RFC
    9110 section 8.6. It is otherwise more strict when parsing Content-Length header values. (#9064)
  * twisted.web.client.HTTPConnectionPool used by HTTP clients now runs faster by using a little less CPU. (#12108)
  * twisted.web.http_headers now uses less CPU, making a small HTTP client request 10% faster or so. (#12116)
  * twisted.web's HTTP/1.1 server now runs a little faster, with about 10% lower CPU overhead. (#12133)
  * twisted.web's HTTP 1.1 server is an additional 5% faster. (#12155)
  * twisted.web.http.IM_A_TEAPOT was added and returns `I'm a teapot`
  * as default message for the status code 418,
  * as defined in RFC 2324 section 2.3.2. (#12104)
  * The HTTP 1.0/1.1 server provided by twisted.web is now more picky about the first line of a request,
    improving compliance with RFC 9112. (#12233)
  * The HTTP 1.0/1.1 server provided by twisted.web now constraints the character set of HTTP header names,
    improving compliance with RFC 9110. (#12235)
  * Fix ReverseProxyResource example in developer guide. (#12152)
  * twisted.web.util.ChildRedirector, which has never worked on Python 3, has been removed. (#9591)
  * ``twisted.web.http.Request.setResponseCode()`` no longer validates the types of inputs;
    we encourage you to use a type checker like mypy to catch these sort of errors. The
    long-deprecated ``twisted.web.server.string_date_time()`` and ``twisted.web.server.date_time_string()``
    APIs were removed altogether. (#12133)
  * twisted.web.http.HTTPClient is now deprecated in favor of twisted.web.client.Agent (#12158)
  * Fix #12098, #12194, #12200, #12241, #12257
- Drop CVE-2024-41671.patch, merged upstream
- Drop CVE-2024-41810.patch, merged upstream
- Refresh 1521_delegate_parseqs_stdlib_bpo42967.patch
- Refresh no-cython_test_exception_raiser.patch

==== python-incremental ====
Version update (22.10.0 -> 24.7.2)

- Update to 24.7.2
  * Incremental could mis-identify that a project had opted in to version management.
- from version 24.7.1
  * Incremental 24.7.0 would produce an error when parsing the ``pyproject.toml`` of
    a project that lacked the ``use_incremental=True`` or ``[tool.incremental]`` opt-in
    markers if that file lacked a ``[project]`` section containing the package name.
    This could cause a project that only uses ``pyproject.toml`` to configure tools to
    fail to build if Incremental is installed. Incremental now ignores such projects. (#100)
  * Fix issue #101
- from version 24.7.0
  * Incremental can now be configured using ``pyproject.toml``. (#90)
  * Incremental now provides a read-only `Hatchling version source plugin (#93)
  * Incremental no longer inserts a dot before the rc version component (i.e., ``1.2.3rc1``
    instead of ``1.2.3.rc1``), resulting in version numbers in the `canonical format. (#81)
  * Incremental's tests are now included in the sdist release artifact. (#80)
  * ``incremental[scripts]`` no longer depends on Twisted. (#88)
  * Support for Python 2.7 has been dropped for lack of test infrastructure.
    We no longer provide universal wheels. (#86)
  * Support for Python 3.5, 3.6, and 3.7 has been
    dropped for lack of test infrastructure. (#92)
- Limit Python files matched in %files section
- Switch build system from setuptools to pyproject.toml
  + Add python-pip and python-wheel to BuildRequires
  + Replace %python_build with %pyproject_wheel
  + Replace %python_install with %pyproject_install
  + Update name for dist directory in %files section
- Allow test_prereleaseAttributeDeprecated and test_prereleaseDeprecated tests again
- Skip tests from skip_examples.py
- Update BuildRequires from pyproject.toml

==== python-lxml ====
Version update (5.2.2 -> 5.3.0)

- 5.3.0 (2024-08-10)
  Features added
  - GH#421: Nested CDATA sections are no longer rejected but split
    on output to represent ]]> correctly. Patch by Gertjan Klein.
  Bugs fixed
  - LP#2060160: Attribute values serialised differently in
    xmlfile.element() and xmlfile.write().
  - LP#2058177: The ISO-Schematron implementation could fail on
    unknown prefixes. Patch by David Lakin.
  Other changes
  - LP#2067707: The strip_cdata option in HTMLParser() turned out
    to be useless and is now deprecated.
  - Built with Cython 3.0.11.

==== python-ptyprocess ====

- Fix build error under Leap.

==== python-pycurl ====

- Add upstream patch test-bottle-flask.patch to use Flask instead of
  bottle for tests.
  gh#pycurl/pycurl#838

==== sac ====

- Use SOURCE_DATE_EPOCH for reproducible jar mtime

==== salt ====
Subpackages: python3-salt salt-master salt-minion salt-transactional-update

- Avoid explicit reading of /etc/salt/minion (bsc#1220357)
- Allow NamedLoaderContexts to be returned from loader
- Revert the change making reactor less blocking (bsc#1230322)
- Use --cachedir for extension_modules in salt-call (bsc#1226141)
- Prevent using SyncWrapper with no reason
- Added:
  * avoid-explicit-reading-of-etc-salt-minion-bsc-122035.patch
  * allow-namedloadercontexts-to-be-returned-from-loader.patch
  * revert-the-change-making-reactor-less-blocking-bsc-1.patch
  * use-cachedir-for-extension_modules-in-salt-call-bsc-.patch
  * prevent-using-syncwrapper-with-no-reason.patch

==== sddm ====
Subpackages: sddm-branding-openSUSE sddm-greeter-qt5

- Move default value for [Autologin] Session
  0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch
  to 00-general.conf
- Add patches to make autologin with wayland more reliable (boo#1221507):
  * 0001-Remove-unused-Display-m_relogin-variable.patch
  * 0002-Set-Display-m_started-early.patch
  * 0003-Load-autologin-configuration-in-Display-Display.patch
  * 0004-Reset-daemonApp-first-in-the-Display-constructor.patch
  * 0005-If-autologin-is-used-avoid-starting-a-display-server.patch
- Rebase 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch

==== sddm-qt6 ====
Subpackages: sddm-greeter-qt6

- Move default value for [Autologin] Session
  0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch
  to 00-general.conf
- Add patches to make autologin with wayland more reliable (boo#1221507):
  * 0001-Remove-unused-Display-m_relogin-variable.patch
  * 0002-Set-Display-m_started-early.patch
  * 0003-Load-autologin-configuration-in-Display-Display.patch
  * 0004-Reset-daemonApp-first-in-the-Display-constructor.patch
  * 0005-If-autologin-is-used-avoid-starting-a-display-server.patch
- Rebase 0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch

==== selinux-policy ====
Version update (20240912 -> 20240925)
Subpackages: selinux-policy-targeted

- Update to version 20240925:
  * Allow snapperd to manage unlabeled_t files (bsc#1230966)
- Update to version 20240924:
  * Revert "Allow virtstoraged to manage images (bsc#1228742)"
  * Label /etc/mdevctl.d with mdevctl_conf_t
  * Sync users with Fedora targeted users
  * Update policy for rpc-virtstorage
  * Allow virtstoraged get attributes of configfs dirs
  * Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
  * Update bootupd policy when ESP is not mounted
  * Allow thumb_t map dri devices
  * Allow samba use the io_uring API
  * Allow the sysadm user use the secretmem API
  * Allow nut-upsmon read systemd-logind session files
  * Allow sysadm_t to create PF_KEY sockets
  * Update bootupd policy for the removing-state-file test
- Fix macros.selinux-policy (bsc#1230897)
  - %selinux_relabel_post should not relabel files in
    transactional systems in %post as the policy is not loaded
    into the kernel directly after install, instead the relabelling
    will happen on the next boot

==== systemd ====
Version update (256.5 -> 256.6)
Subpackages: libsystemd0 libudev1 systemd-container udev

- Import commit 8a0ae4d90aff1d067a125ff9366eafc7dd5d4701 (merge of v256.6)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/bef0958f4db1b774c23505e93537ffe16f1b3894...8a0ae4d90aff1d067a125ff9366eafc7dd5d4701
- Don't try to restart the udev socket units anymore (bsc#1228809)
  There's currently no way to restart a socket activable service and its socket
  units "atomically" and safely.
- Move 80-container-host0.network back to the network sub-package (bsc#1229098)
  Rev 428 mistakenly moved it to the container sub-package.

==== tcl ====
Version update (8.6.14 -> 8.6.15)

- TCL_PACKAGE_PATH now needs to be a unix-style path separated by
  colons rather than a Tcl list.
- Version 8.6.15:
  * [d63061] remove private unicode 0xE000-0xF8FF from unicode
    control group
  * [1b8a89] TCL_PACKAGE_PATH in tclConfig.sh change from TCL list
    to ":" separated items
  * ** POTENTIAL INCOMPATIBILITY ***
  * [1acd17] fix compiled mapped ensembles
  * [f23022] fix encoding koi8-u codepoint 0xB4
  * [6811a0] speedup op unicode transformation related operations
  * Add encodings: koi8-ru, koi8-t
  * [7cb740] Fix Tcl_ParseArgsObjv with TCL_ARGV_GENFUNC option
  * Hash speedup for pointer compare. Option
    TCL_HASH_KEY_DIRECT_COMPARE for hash tables
  * [TIP 692] Deprecate Tcl_GetAlias()
  * [a5f4a7] Correct tcl::tm::path autoload
  * [3c26de] Remove empty all items from tclConfig.sh path
    variables.
  * [87271f] Fix crash in oo+coroutine
  * [7842f3] fix crash in oo destructors in same namespace
  * [79474c] Fix crash in reflected channels
  * [c6897e] Fix crash due to unchecked file descriptor size
  * [3fc328] Fix report of non ASCII computer names on Windows
  * [e3f4a8] Fix error message caused by interp limit
  * [1d26e5] Source files with BOM also in safe interpreters
  * [5fca83] Fix encoding system result for system locale
    ISO-8859-1
  * [0de6c1] Fix crash in [child invokehidden info frame]
  * [74b611] Fix removal of oo variable by [info exists]
  * [91b3a5] Make [self] work inside [$obj eval]
  * [154f09] Tcl_NewObjectInstance() errors on namespace re-use
  * ** POTENTIAL INCOMPATIBILITY -- breaks Itcl 4.2 ***
  * [2da1cb] Fix [$obj varname] for linked varnames
  * Unicode version 16
  * [7179c6] Fix byte compiled [incr] with wide int increment

==== tigervnc ====
Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module

- added conflicts to patterns-wsl-tmpfiles as this patterns package
  creates a symlink from /tmp/.X11-unix to /mnt/wslg/.X11-unix and
  therefore prevents Xvnc from creating this needed directory
  (bsc#1230755)

==== timezone ====
Version update (2024a -> 2024b)
Subpackages: tzselect

- Update to 2024b:
  * Improve historical data for Mexico, Mongolia, and Portugal.
  * System V names are now obsolescent.
  * The main data form now uses %z.
  * The code now conforms to RFC 8536 for early timestamps.
  * Support POSIX.1-2024, which removes asctime_r and ctime_r.
  * Assume POSIX.2-1992 or later for shell scripts.
  * SUPPORT_C89 now defaults to 1.

==== transactional-update ====
Version update (4.8.2 -> 4.8.3)
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit

- Version 4.8.3
  - Check return value of register command [bsc#1230901]

==== tree ====
Version update (2.1.1 -> 2.1.3)

- update to 2.1.3:
  * Mostly a brown-paper bag release to fix the below
    regression and add a feature I forgot to add.
  * Fix regression in search() function that broke --fromfile
  * Allow the -L option to accept its parameter immediately
    (with no space) instead of requiring it be the next option
    word.
  * Fix issue where --gitignore does not think a pattern with
    a singular terminal '/' (indicating it matches only
    directories,) is a relative path.
  * Don't emit the error 'recursive, not followed' if when
    using -L, the depth would prevent descending anyway. This also
    fixes up a JSON output error (missing comma) when this happens.
  * Don't prematurely sort files/directories with
  - -from*file. (gitlab @jack6th)
  * Various seg-faults fixed
  - Make doubly sure that there is actually a previous path
    entry when reading from a tabbed file.
  - Make sure there is actually a file entity when applying
    the link info to it when reading fromfile using --fflinks.
  - Increase space for the path a little in listdir(), just
    to be sure.
  * Make sure that there is no topsort (--dirsfirst /
  - -filesfirst) if there is no basesort (-U).
  * Make sure gittrim() function can handle a null string.
- Source tarball URL was unresolvable, update it to the correct version based on
  https://gitlab.com/OldManProgrammer/unix-tree

==== xfce4-dict ====
Version update (0.8.6 -> 0.8.7)
Subpackages: xfce4-dict-lang

- Update to version 0.8.7
  * panel-plugin: Drop submenu (#2)
  * panel-plugin: Add submenus to toggle search mode (#2)
  * panel-plugin: Reduce default text size
  * panel-plugin: Restore function of the button in text entry
  * Change log level (#17)
  * prefs: Add radio buttons to correct group
  * scan-build: Fix deadcode.DeadStores
  * scan-build: Add false positive file
  * I18n: Update po/LINGUAS list
  * build: Use XDT_VERSION_INIT and get rid of configure.ac.in
  * build: Switch from intltool to gettext
  * Translation Updates

==== xorg-x11-server ====
Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra

- added conflicts to patterns-wsl-tmpfiles to Xserver packages
  as this patterns package creates a symlink from /tmp/.X11-unix to
  /mnt/wslg/.X11-unix and therefore prevents Xservers from creating
  this needed directory (bsc#1230755)

==== xwayland ====

- added conflicts to patterns-wsl-tmpfiles as this patterns package
  creates a symlink from /tmp/.X11-unix to /mnt/wslg/.X11-unix and
  therefore prevents Xwayland from creating this needed directory
  (bsc#1230755)