Packages changed: MozillaFirefox (143.0.3 -> 144.0) adaptec-firmware arphic-uming-fonts aws-lc (1.61.4 -> 1.62.0) btrfsprogs (6.16.1 -> 6.17) clamav (1.4.3 -> 1.5.1) git (2.51.0 -> 2.51.1) glu gnome-browser-connector gnome-shell (49.0+17 -> 49.1) gnome-sudoku (49.1 -> 49.2) gnome-tour (49.0.openSUSE+git20251009.a4002c9 -> 49.0.openSUSE+git20251016.669c499) grub2 gstreamer (1.26.6 -> 1.26.7) gstreamer-plugins-bad (1.26.6 -> 1.26.7) gstreamer-plugins-base (1.26.6 -> 1.26.7) gstreamer-plugins-good (1.26.6 -> 1.26.7) gstreamer-plugins-libav (1.26.6 -> 1.26.7) gstreamer-plugins-rs (1.26.6+git20.e287e869 -> 1.26.7+git0.6ab75814) gstreamer-plugins-ugly (1.26.6 -> 1.26.7) highway (1.2.0 -> 1.3.0) iproute2 (6.16 -> 6.17) kernel-firmware-i915 (20250903 -> 20251014) kernel-firmware-intel (20251011 -> 20251018) kernel-firmware-media (20251004 -> 20251018) kernel-firmware-mediatek kernel-firmware-nvidia (20250516 -> 20251018) kernel-firmware-realtek kernel-firmware-sound (20250930 -> 20251018) kernel-source (6.17.2 -> 6.17.3) kf6-kio (6.19.0 -> 6.19.1) kyotocabinet leancrypto libselinux libselinux-bindings libsoup libxslt lua54 mozilla-nss (3.115.1 -> 3.117) mutter (49.0+68 -> 49.1) nvidia-open-driver-G06-signed (580.95.05_k6.17.0_2 -> 580.95.05_k6.17.3_1) openSUSE-release (20251015 -> 20251020) opensuse-welcome-launcher orca (49.3 -> 49.4) pipewire (1.4.8+git68.636cbae9b -> 1.5.81) pixman poppler poppler-qt6 publicsuffix (20250904 -> 20251001) python-msgpack (1.1.1 -> 1.1.2) python311 (3.11.13 -> 3.11.14) python311-core (3.11.13 -> 3.11.14) python313 (3.13.7 -> 3.13.9) python313-core (3.13.7 -> 3.13.9) qalculate (5.7.0 -> 5.8.0) qt6-webengine samba (4.22.3+git.403.4e078bdb832 -> 4.22.5+git.431.dc5a539f124) selinux-policy (20251014 -> 20251016) simple-scan (49.0.1 -> 49.1) systemd-presets-common-SUSE tumbler (4.20.0 -> 4.20.1) util-linux (2.41.1 -> 2.41.2) util-linux-systemd (2.41.1 -> 2.41.2) wireplumber (0.5.11 -> 0.5.12) yast2 (5.0.15 -> 5.0.16) === Details === ==== MozillaFirefox ==== Version update (143.0.3 -> 144.0) Subpackages: MozillaFirefox-branding-upstream - Mozilla Firefox 144.0 please check https://www.firefox.com/en-US/firefox/144.0/releasenotes for all news MFSA 2025-81 (bsc#1251263) * CVE-2025-11708 (bmo#1988931) Use-after-free in MediaTrackGraphImpl::GetInstance() * CVE-2025-11709 (bmo#1989127) Out of bounds read/write in a privileged process triggered by WebGL textures * CVE-2025-11710 (bmo#1989899) Cross-process information leaked due to malicious IPC messages * CVE-2025-11711 (bmo#1989978) Some non-writable Object properties could be modified * CVE-2025-11716 (bmo#1818679) Sandboxed iframes allowed links to open in external apps (Android only) * CVE-2025-11717 (bmo#1872601) The password edit screen was not hidden in Android card view * CVE-2025-11712 (bmo#1979536) An OBJECT tag type attribute overrode browser behavior on web resources without a content-type * CVE-2025-11718 (bmo#1980808) Address bar could be spoofed on Android using visibilitychange * CVE-2025-11713 (bmo#1986142) Potential user-assisted code execution in “Copy as cURL” command * CVE-2025-11719 (bmo#1991950) Use-after-free caused by the native messaging web extension API on Windows * CVE-2025-11720 (bmo#1979534, bmo#1984370) Spoofing risk in Android custom tabs * CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970, bmo#1991040, bmo#1992113) Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144 * CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244, bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899) Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144 * CVE-2025-11721 (bmo#1986816) Memory safety bug fixed in Firefox 144 and Thunderbird 144 - requires NSS >= 3.116 rust = 1.88 (upstream uses 1.89 already which is not available everywhere) - switched to clang build temporarily because of bmo#1990430 and use clang 20 max (21 fails to build) - stop building for i586 as it failing to build and Mozilla officially discontinues any 32bit support for Linux with 145 https://blog.mozilla.org/futurereleases/2025/09/05/firefox-32-bit-linux-support-to-end-in-2026/ ==== adaptec-firmware ==== - use %license tag [bsc#1252133] ==== arphic-uming-fonts ==== - use %license tag [bsc#1252137] - Stop marking arphic-uming as essential for CJK locales (and thus essential enough to be on the openSUSE DVD) ==== aws-lc ==== Version update (1.61.4 -> 1.62.0) Subpackages: libcrypto-awslc0 libssl-awslc0 - update to version 1.62.0: * nginx now supports AWS-LC * Fix tests that assume X25519 will be negotiated * Fixing a bug in ML-DSA poly_uniform function * Migrate integration omnibus * Delete util/bot directory * Type fix in mldsa * Centralize password handling tool-openssl * crypto/pem: replace strncmp with CRYPTO_memcmp to fix -Wstring-compare error * Implement dgst CLI command * Add ASN.1 decoding for ML-KEM private keys as seeds * Implement genrsa command * Move udiv and sencond tweak calculations to when needed * Add null check on RSA key checks * Implement workaround for FORTIFY_SOURCE warning with jitterentropy * Implement coverity suggestions * Add minimal EC CLI tool implementation * Adding pkeyutl tool to the CLI * Add option ENABLE_SOURCE_MODIFICATION * Simple script to build/run tests * Add build-time option to opt-out of CPU Jitter Entropy ==== btrfsprogs ==== Version update (6.16.1 -> 6.17) Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1 - update to 6.17 * inspect list-chunks: more sorting keys, descending order * fi resize: add support for offline (unmounted) growing of single device * device stats: add support for offline (unmounted) reads * quota status: new command, overview what mode is enabled, tunables * fi commit-stats: new command, print various commit stats from sysfs (since kernel 6.1) * balance start: print warning and delay start if there's a missing device in the filesystem * mkfs: print zoned mode (native, emulated) * check: verify device bytes in super block item and in chunk tree * other * updated CI, new and updated tests * cleanups, refactoring * documentation updates ==== clamav ==== Version update (1.4.3 -> 1.5.1) Subpackages: libclamav12 libclammspack0 - New version: 1.5.1: * Fixed a significant performance issue when scanning some PE files. * Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option. * Improved performance when scanning TNEF email attachments. * Fixed an issue with recording metadata for OOXML office documents. * Fixed an issue with signature matches for VBA in OLE2 office documents. * Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files. * Fixed an issue with extracting some RAR archives embedded in other files. * Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies. - Add json-c-json-c-0.18-20240915.tar.gz and link it statically into libclamav on SLE-12, because version 0.12 is too old. - New version 1.5.0: * Added checks to determine if an OLE2-based Microsoft Office document is encrypted. * Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. * Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. * Added regex support for the clamd.conf OnAccessExcludePath config option. * Added CVD signing/verification with external .sign files. * Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives * ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION. * libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits. * See the release announcement for the full list of changes: https://blog.clamav.net/2025/10/clamav-150-released.html - Obsoleted patches: * clamav-freshclam_test.patch * clamav-disable-administrative-commands.patch * clamav-fips.patch - Use macros for library versions - Remove service symlinks: rcclamd, rcfreshclam, rcclamav-milter, and clamonacc. - Use rust 1.86 for SLE-12 and SLE-15-SP2. ==== git ==== Version update (2.51.0 -> 2.51.1) Subpackages: git-core git-email git-gui git-web gitk perl-Git - Update to 2.51.1: - Fixes since Git 2.51.0 * The "do you still use it?" message given by a command that is deeply deprecated and allow us to suggest alternatives has been updated. * The compatObjectFormat extension is used to hide an incomplete feature that is not yet usable for any purpose other than developing the feature further. Document it as such to discourage its use by mere mortals. * Manual page for "gitk" is updated with the current maintainer's name. * Update the instructions for using GGG in the MyFirstContribution document to say that a GitHub PR could be made against `git/git` instead of `gitgitgadget/git`. * Clang-format update to let our control macros be formatted the way we had them traditionally, e.g., "for_each_string_list_item()" without space before the parentheses. * A few places where a size_t value was cast to curl_off_t without checking has been updated to use the existing helper function. * The start_delayed_progress() function in the progress eye-candy API did not clear its internal state, making an initial delay value larger than 1 second ineffective, which has been corrected. * Makefile tried to run multiple "cargo build" which would not work very well; serialize their execution to work around this problem. * Adjust to the way newer versions of cURL selectively enable tracing options, so that our tests can continue to work. * During interactive rebase, using 'drop' on a merge commit led to an error, which has been corrected. * "git refs migrate" to migrate the reflog entries from a refs backend to another had a handful of bugs squashed. * "git push" had a code path that led to BUG() but it should have been a die(), as it is a response to a usual but invalid end-user action to attempt pushing an object that does not exist. * Various bugs about rename handling in "ort" merge strategy have been fixed. * "git diff --no-index" run inside a subdirectory under control of a Git repository operated at the top of the working tree and stripped the prefix from the output, and oddballs like "-" (stdin) did not work correctly because of it. Correct the set-up by undoing what the set-up sequence did to cwd and prefix. * Various options to "git diff" that make comparison ignore certain aspects of the differences (like "space changes are ignored", "differences in lines that match these regular expressions are ignored") did not work well with "--name-only" and friends. * Under a race against another process that is repacking the repository, especially a partially cloned one, "git fetch" may mistakenly think some objects we do have are missing, which has been corrected. * "git repack --path-walk" lost objects in some corner cases, which has been corrected. cf. * Fixes multiple crashes around midx write-out codepaths. * A broken or malicious "git fetch" can say that it has the same object for many many times, and the upload-pack serving it can exhaust memory storing them redundantly, which has been corrected. * A corner case bug in "git log -L..." has been corrected. * Some among "git add -p" and friends ignored color.diff and/or color.ui configuration variables, which is an old regression, which has been corrected. * "git rebase -i" failed to clean-up the commit log message when the command commits the final one in a chain of "fixup" commands, which has been corrected. * Deal more gracefully with directory / file conflicts when the files backend is used for ref storage, by failing only the ones that are involved in the conflict while allowing others. ==== glu ==== - added missing LICENSE file (bsc#1252149) ==== gnome-browser-connector ==== - add unzip as a requires, otherwise the extensions can't get extracted ==== gnome-shell ==== Version update (49.0+17 -> 49.1) Subpackages: gnome-extensions gnome-shell-calendar - Update to version 49.1: + Fix freeze when dragging quick settings sliders on touch + Fix key focus on choice list on login screen + Fix animation glitch when cancelling overview search + Also send activation token for notifications without app + Unify warning styling in dialogs + Update keyboard indicator on modifier-only layout switches + Improve accessibility of screenshot UI + Improve Hindi bolnagri input with on-screen keyboard + Do not expire notifications that are about to show + Improve accessibility icons on login screen + Make media messages follow notification policy + Misc. bug fixes and cleanups + Updated translations. - No longer explicitly exclude Soup from the typelib scanner, and consequently no longer add typelib(Soup) = 3.0 requires. This was needed before GNOME 45, as gnome-shell had fallback code and we needed to help take the decision. ==== gnome-sudoku ==== Version update (49.1 -> 49.2) - Update to verison 49.2: + Fix the grid not being keyboard focusable after the first game ==== gnome-tour ==== Version update (49.0.openSUSE+git20251009.a4002c9 -> 49.0.openSUSE+git20251016.669c499) Subpackages: gnome-tour-data opensuse-welcome - Add custom lang package for opensuse-welcome. This will remove the indirect dependency on gnome-tour. bsc#1252077 ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-arm64-efi-bls grub2-common grub2-snapper-plugin grub2-systemd-sleep-plugin - make grub plugin compatible with snapper's plugin API (bsc#1246172) - clean up some unused code ==== gstreamer ==== Version update (1.26.6 -> 1.26.7) Subpackages: gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.26.7: + Highlighted bugfixes in 1.26.7: - cea608overlay: improve handling of non-system memory - cuda: Fix runtime kernel compile with CUDA 13.0 - d3d12: Fix crop meta support in converter and passthrough handling in deinterlacer - fallbacksrc: source handling improvements; no-more-pads signal for streams-unaware parents - inter: add properties to fine tune the inner elements - qtdemux: surround sound channel layout handling fixes and performance improvements for GoPro videos - rtp: Add linear audio (L8, L16, L24) RTP payloaders / depayloaders - rtspsrc: Send RTSP keepalives in TCP/interleaved modes - rtpamrpay2: frame quality indicator flag related fixes - rtpbasepay2: reuse last PTS when possible, to work around problems with NVIDIA Jetson AV1 encoder - mpegtsmux, tsdemux: Opus audio handling fixes - threadshare: latency related improvements and many other fixes - matroskamux, tsmux, flvmux, cea608mux: Best pad determination fixes at EOS - unixfd: support buffers with a big payload - videorate unknown buffer duration assertion failure with variable framerates - editing services: Make GESTimeline respect SELECT_ELEMENT_TRACK signal discard decision; memory leak fixes - gobject-introspection annotation fixes - cerbero: Update meson to 1.9.0 to enable Xcode 26 compatibility - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - controller: Fix get_all() return type annotation - gst-launch: Do not assume error messages have a src element - multiqueue: Fix object reference handling in signal callbacks - netclientclock: Fix memory leak in error paths ==== gstreamer-plugins-bad ==== Version update (1.26.6 -> 1.26.7) Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.26.7: + cuda: Fix runtime kernel compile with CUDA 13.0 + d3d12convert: Fix crop meta support + d3d12deinterlace: Fix passthrough handling + gst: Fix a few small leaks + matroskamux: Properly check if pads are EOS in find_best_pad + tsdemux: Directly forward Opus AUs without opus_control_header + tsmux: Write a full Opus channel configuration if no matching Vorbis one is found + unixfd: Fix case of buffer with big payload + vacompositor: Correct scale-method properties + webrtc: nice: Fix a use-after-free and a mem leak + Fix all compiler warnings on Fedora + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT ==== gstreamer-plugins-base ==== Version update (1.26.6 -> 1.26.7) Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.26.7: + discoverer: Mark gst_discoverer_stream_info_list_free() as transfer full + riff: Add channel reorder maps for 3 and 7 channel audio + sdp: proper usage of gst_buffer_append + videorate: fix assert fail due to invalid buffer duration + Fix build error with glib < 2.68 ==== gstreamer-plugins-good ==== Version update (1.26.6 -> 1.26.7) Subpackages: gstreamer-plugins-good-gtk - Update to version 1.26.7: + matroskamux: Properly check if pads are EOS in find_best_pad + qtdemux: - Bad performance with GoPro videos containing FDSC metadata tracks - Fix open/seek perf for GoPro files with SOS track - Handle unsupported channel layout tags gracefully - Set channel-mask to 0 for unknown layout tags + rtspsrc: Send RTSP keepalives in TCP/interleaved modes + v4l2: - Add GstV4l2Error handling in gst_v4l2_get_capabilities - Fix memory leak for DRM caps negotiation + v4l2transform: reconfigure v4l2object only if respective caps changed + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT ==== gstreamer-plugins-libav ==== Version update (1.26.6 -> 1.26.7) - Update to version 1.26.7: + Fix all compiler warnings on Fedora. ==== gstreamer-plugins-rs ==== Version update (1.26.6+git20.e287e869 -> 1.26.7+git0.6ab75814) - Rebase and re-enable patch: * fix-reproducibility.patch - Update to version 1.26.7+git0.6ab75814: * tracers: Fix inverted append logic when writing log files * threadshare: - examples: standalone: also handle buffer lists - Pad push_list: downgrade Pad flushing log level - sinks: fix / handle query() - backpressure: abort pending items on flush start - udpsink: fix panic recalculating latency from certain executors - audiotestsrc: . support more Audio formats . use AudioInfo . fix latency . act as a pseudo live source by default - runtime task: execute action in downward transition - example cleanups - udpsink: distinguish sync status for latency & report added latency - sink elements: implement `send_event` - dataqueue elements: report min and max latency * rtp: - Add linear audio (L8, L16, L24) RTP payloaders / depayloaders * rtp: basedepay: reuse last PTS, when possible * skia: Update to skia-safe 0.89 * mp4: Update to mp4-atom 0.9 * Update dependencies * webrtc: livekit: Drop connection lock after take() * onvifmetadatapay: copy metadata from source buffer * fallbacksrc: Fix custom source reuse case * add `rust-tls-native-roots` feature to the `reqwest` dep * rtpamrpay2: - Actually forward the frame quality indicator - Set frame quality indicator flag - Disable patch that doesn't apply: * fix-reproducibility.patch - Remove a section in a json file that references the gstelevenlabs plugin (a proprietary plugin that isn't built) so it's clear to the legal review bot that there isn't any proprietary code. - Add patch developed by amyspark in https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/merge_requests/2162 to fix the .pc reproducibility issues (boo#1237097) * 0001-cargo_wrapper-deduplicate-Libs_private.patch - Add patch to fix reproducibility of package build (boo#1237097) * fix-reproducibility.patch ==== gstreamer-plugins-ugly ==== Version update (1.26.6 -> 1.26.7) - Update to version 1.26.7: + No changes, stable bump only ==== highway ==== Version update (1.2.0 -> 1.3.0) - Replace avx10_2.patch by a new one completely disabling AVX10.2 until upstream figures out how to the details of toolchain invocation. [boo#1248740] - Update to release 1.3.0 * Add AVX10_2 and Loongson LASX/LSX targets * Add AVX3_SPR F16, WASM_EMU256 F64 types * Add Complex number operations, F16/BF16 assignment operators * Add emulated bf16/f16 Load/StoreInterleaved - Add avx10_2.patch ==== iproute2 ==== Version update (6.16 -> 6.17) Subpackages: iproute2-bash-completion - Update to release 6.17 * ip: display the 'netns-immutable' property * color: Assume background is dark if unknown * color: Do not use dark blue in dark-background palette * bridge: mdb: Support offload failed flag * iplink_bridge: Add mdb_offload_fail_notification * ip ntable: Add support for "mcast_reprobes" parameter * ip neigh: Add support for "extern_valid" flag * Add support for 'tc-bw' attribute in devlink-rate ==== kernel-firmware-i915 ==== Version update (20250903 -> 20251014) - Update to version 20251014 (git commit bd4d2bde91e1): * i915: Xe2LPD DMC v2.29 * i915: Xe3LPD DMC v2.32 * i915: Xe3LPD_3002 DMC v2.27 ==== kernel-firmware-intel ==== Version update (20251011 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * Intel IPU7: Update product signed firmware binary ==== kernel-firmware-media ==== Version update (20251004 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * qcom: vpu: rename firmware binaries ==== kernel-firmware-mediatek ==== - Update aliases from 6.18-rc1 ==== kernel-firmware-nvidia ==== Version update (20250516 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * nvidia: add generic bootloader for GSP-enabled systems - Update to version 20251014 (git commit bd4d2bde91e1): * WHENCE: nvidia: rearrange GSP-RM firmware lines ==== kernel-firmware-realtek ==== - Update aliases from 6.18-rc1 ==== kernel-firmware-sound ==== Version update (20250930 -> 20251018) - Update to version 20251018 (git commit 8b4de42e3432): * linux-firmware: qcom: sync audioreach firmwares from v1.0.0 build - Update aliases from 6.18-rc1 ==== kernel-source ==== Version update (6.17.2 -> 6.17.3) Subpackages: kernel-64kb kernel-default - Delete patches.suse/Revert-net-bonding-add-broadcast_neighbor-netlink-op.patch. - Delete patches.suse/Revert-net-bonding-add-broadcast_neighbor-option-for.patch. - Delete patches.suse/Revert-net-bonding-send-peer-notify-when-failure-rec.patch. About to be replaced by a proper patch in the next commit. - commit a9d395c - net: bonding: update the slave array for broadcast mode (bsc#1250894). - commit 5508f45 - wifi: iwlwifi: Add missing firmware info for bz-b0-* models (bsc#1252084). - commit 4ff36a8 - Linux 6.17.3 (bsc#1012628). - drm/amdgpu/vcn: Fix double-free of vcn dump buffer (bsc#1012628). - scsi: ufs: core: Fix PM QoS mutex initialization (bsc#1012628). - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call (bsc#1012628). - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode (bsc#1012628). - usb: typec: tipd: Clear interrupts first (bsc#1012628). - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock (bsc#1012628). - net/9p: Fix buffer overflow in USB transport layer (bsc#1012628). - bus: fsl-mc: Check return value of platform_get_resource() (bsc#1012628). - pinctrl: check the return value of pinmux_ops::get_function_name() (bsc#1012628). - tee: fix register_shm_helper() (bsc#1012628). - thunderbolt: Fix use-after-free in tb_dp_dprx_work (bsc#1012628). - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release (bsc#1012628). - remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() (bsc#1012628). - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit() (bsc#1012628). - sunrpc: fix null pointer dereference on zero-length checksum (bsc#1012628). - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (bsc#1012628). - Input: atmel_mxt_ts - allow reset GPIO to sleep (bsc#1012628). - misc: fastrpc: Skip reference for DMA handles (bsc#1012628). - misc: fastrpc: fix possible map leak in fastrpc_put_args (bsc#1012628). - misc: fastrpc: Fix fastrpc_map_lookup operation (bsc#1012628). - misc: fastrpc: Save actual DMA size in fastrpc_map structure (bsc#1012628). - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() (bsc#1012628). - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled (bsc#1012628). - mm: hugetlb: avoid soft lockup when mprotect to large memory area (bsc#1012628). - fbdev: simplefb: Fix use after free in simplefb_detach_genpds() (bsc#1012628). - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid (bsc#1012628). - ext4: fix checks for orphan inodes (bsc#1012628). - ext4: fix potential null deref in ext4_mb_init() (bsc#1012628). - ksmbd: add max ip connections parameter (bsc#1012628). - ksmbd: fix error code overwriting in smb2_get_info_filesystem() (bsc#1012628). - ksmbd: Fix race condition in RPC handle list access (bsc#1012628). - mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1012628). - LoongArch: BPF: Fix uninitialized symbol 'retval_off' (bsc#1012628). - LoongArch: BPF: Remove duplicated flags check (bsc#1012628). - LoongArch: BPF: No text_poke() for kernel text (bsc#1012628). - LoongArch: BPF: Remove duplicated bpf_flush_icache() (bsc#1012628). - LoongArch: BPF: Make error handling robust in arch_prepare_bpf_trampoline() (bsc#1012628). - LoongArch: BPF: Make trampoline size stable (bsc#1012628). - LoongArch: BPF: Don't align trampoline size (bsc#1012628). - LoongArch: BPF: No support of struct argument in trampoline programs (bsc#1012628). - LoongArch: BPF: Sign-extend struct ops return values properly (bsc#1012628). - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT (bsc#1012628). - LoongArch: Automatically disable kaslr if boot from kexec_file (bsc#1012628). - dm: fix NULL pointer dereference in __dm_suspend() (bsc#1012628). - dm: fix queue start/stop imbalance under suspend/load/resume races (bsc#1012628). - tracing: Stop fortify-string from warning in tracing_mark_raw_write() (bsc#1012628). - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf (bsc#1012628). - tracing: Have trace_marker use per-cpu data to read user space (bsc#1012628). - tracing: Fix irqoff tracers on failure of acquiring calltime (bsc#1012628). - tracing: Fix wakeup tracers on failure of acquiring calltime ... changelog too long, skipping 911 lines ... - commit f00dc5b ==== kf6-kio ==== Version update (6.19.0 -> 6.19.1) Subpackages: libKF6KIO6 - Update to 6.19.1 * Bump version for 6.19.1 release * Fix HTTP network error propagation * Forward all KIO error codes, not just ERR_ACCESS_DENIED * Delete network reply also when handling a redirection * CopyJob: Skip permission check if there is no UDS_ACCESS entry ==== kyotocabinet ==== - Add bug number bsc#1252197 ==== leancrypto ==== - Add patch to fix BTI on aarch64: * leancrypto-fix-aarch64-BTI.patch ==== libselinux ==== Subpackages: libselinux1 selinux-tools - Ship license file (bsc#1252160) - Add man_selinux_disabled_mismatch_kernel_config.patch to explain in the selinux(8) man page to not disable SELinux via /etc/selinux/config and enable it at the same time via kernel cmd line (bsc#1246549) ==== libselinux-bindings ==== - Ship license file (bsc#1252160) ==== libsoup ==== Subpackages: libsoup-3_0-0 typelib-1_0-Soup-3_0 - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ==== libxslt ==== Subpackages: libexslt0 libxslt-tools libxslt1 - security update - added patches CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultCompfunction leading to denial of service * libxslt-CVE-2025-11731.patch ==== lua54 ==== - Clean up of the SPEC file. ==== mozilla-nss ==== Version update (3.115.1 -> 3.117) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit mozilla-nss-tools - update to NSS 3.117 * bmo#1992218 - fix memory leak in secasn1decode_unittest.cc * bmo#1988913 - Add OISTE roots * bmo#1976051 - Add runbook for certdata.txt changes * bmo#1991666 - dbtool: close databases before shutdown * bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates * bmo#1956754 - don’t flush base64 when buffer is null * bmo#1989541 - Set use_pkcs5_pbkd2_params2_only=1 for fuzzing builds * bmo#1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs * bmo#1980465 - Fix a big-endian-problematic cast in zlib calls * bmo#1962321 - Revert removing out/ directory after ossfuzz build * bmo#1988524 - Add Cryptofuzz to OSS-Fuzz build * bmo#1984704 - Add PKCS#11 trust tests * bmo#1983308 - final disable dsa patch cert.sh * bmo#1983320 - ml-dsa: move tls 1.3 to use streaming signatures * bmo#1983320 - ml-dsa: Prep Create a FindOidTagByString function * bmo#1983320 - ml-dsa: softoken changes * bmo#1983320 - ml-dsa: der key decode * bmo#1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi * bmo#1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function - update to NSS 3.116 * bmo#1983308 - disable DSA in NSS script tests * bmo#1983308 - Disabling of some algorithms: generic cert.sh * bmo#1981046 - Need to update to new mechanisms * bmo#1983320 - Add ML-DSA public key printing support in NSS command-line utilities * bmo#1986802 - note embedded scts before revocation checks are performed * bmo#1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface * bmo#1983320 - Add support for ML-DSA key type and public key structure * bmo#1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag * bmo#1983308 - disable kyber * bmo#1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature) * bmo#1983308 - Disable dsa - gtests * bmo#1983313 - make group and scheme support in test tools generic * bmo#1983770 - Create GH workflow to automatically close PRs * bmo#1983308 - Disable dsa - base code * bmo#1983308 - Disabling of some algorithms: remove dsa from pk11_mode * bmo#1983308 - Disable seed and RC2 bug fixes * bmo#1982742 - restore support for finding certificates by decoded serial number * bmo#1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups * bmo#1983399 - lib/softtoken/{sdb.c,sftkdbti.h}: Align sftkdb_known_attributes_size type * bmo#1965329 - Use PKCS #11 v3.2 KEM mechanisms and functions ==== mutter ==== Version update (49.0+68 -> 49.1) - Add mutter-fix-xwayland-dnd-crash.patch: Fix crash when dragging and dropping from an app running via xwayland - Update to version 49.1: + Fix various glitches during resize/move drags + Fix lost keyboard focus in overview with some devices + Fix popup constraint rule and work around broken clients + Require pointer interaction prior to allowing pointer warp + Fix GTK apps locking up after entering popover submenu + Fix presentation timings with commit-timing-v1 + Be more robust against clients providing bogus window geometry + Fix maximized windows extending under panel + Fix switching keyboard layout via xkb-options + Advertise explicit sync only for dmabufs screencasts + Fix multi-touch handling on X11 + Fix keyboard driven resize drags + Fix DND actions not working reliably in some X11 clients + Do not force pointer focus on popups + Fixes for cancelling and restoring sizes after drags + Fix windows reverting to previous size after client resizes + Fix pointer constraints for some fullscreen X11 clients + Fixed crashes + Plugged leak + Misc. bug fixes and cleanups + Updated translations. ==== nvidia-open-driver-G06-signed ==== Version update (580.95.05_k6.17.0_2 -> 580.95.05_k6.17.3_1) - renamed check to %name-check package - changed Requires to * nvidia-modprobe = %version * nvidia-persitenced = %version it has been >= before ... - Check4WrongSupplements.sh * check for wrong Supplements in generated KMPs after build by misusing %post of a dummy "check" subpackage ==== openSUSE-release ==== Version update (20251015 -> 20251020) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== opensuse-welcome-launcher ==== - Make opensuse-welcome-launcher support a --unconditional parameter and launch it using this parameter when called via the desktop file from the launcher. Fixes the issue that the icon shown in the launcher did not actually start anything. ==== orca ==== Version update (49.3 -> 49.4) - Update to version 49.4: + Web: Fix regression in which table navigation in a grid switches to focus mode. + Updated translations. ==== pipewire ==== Version update (1.4.8+git68.636cbae9b -> 1.5.81) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.5.81 (1.6 RC1): * This is the first 1.6 release candidate that is API and ABI compatible with previous 1.4.x, 1.2.x and 1.0.x releases. * In addition to all the changes backported to 1.4.x, this release also contains some new features: - Highlights * The link negotiation code was refactored and improved. Applications now have more options for selecting the default values and restricting the available options. The default negotiation code will now attempt to better match the application suggested values. * The loop now has support for locking with priority inversion. Most of the code was updated to use the locks instead of invoke to get proper concurrent updates with the loop. The Thread loop functionality of locks, signal and wait was moved to the SPA loop. This guarantees better real-time behaviour because inter-thread synchronization does not have to pass eventfd/epoll. * The control stream parser was rewritten to be safe against concurrent updates while parsing, which can occur when parsing shared memory. It also has extra checks to avoid integer overflows and undefined behaviour. * MIDI 2.0 clip support was added to the tools. * Bluetooth ASHA (Audio Streaming for Hearing Aid) support was added. * The ALSA node setup was tweaked to provide low latency with the ALSA Firewire driver. * Better support for explicit sync. It is now possible to negotiate extra features to know if a consumer will signal the sync objects and implement a fallback using a reliable transport. * Many bug fixes and improvements. - PipeWire * Avoid process calls in disconnect in pw-stream. (#3314) * Disable PipeWire services for root. * The link negotiation was refactored and improved. Drivers now always have a lower priority in deciding the final format. * Backwards compatibility with the v0 protocol was removed. * pw-stream and pw-filter will now refuse to queue a buffer that was not dequeued before. * Object properties will now be updated on the global as well. * The priority of config overrides is correct now. (#4816) * Async links now correctly report 1 extra quantum of latency. * node.exclusive and the new port.exclusive flag are now enforced by PipeWire itself. * A new timer-queue helper was added to schedule timeouts. * node.terminal and node.physical properties are now copied to the ports to make it possible to create virtual sources and sinks for JACK applications. * Port properties will now be dynamically updated when the node properties they depend on are updated. * Passive leaf nodes are now handled better. Now they will also run when the peer is active. (#4915) * Reliable transport has been added for output ports. This can be used in some cases if the producer wants to ensure buffers are consumed by a consumer. (#4885) * Context properties now support rlimit. properties to configure rlimits. (#4047) - Modules * Close SyncObj fds. * module-combine-stream has better Latency reporting. * The JACK tunnel can now optionally connect ports. * module-loopback has better Latency reporting. * A Dolby Surround and Dolby Pro Logic II example filter config was added. * Filter-chain can now resample to a specific rate before running the filters. This is useful when the filter-graph needs to run at a specific rate. * Avahi-poll now uses the timer-queue to schedule timeouts. * Modules are ported to timer-queue instead of using timerfd directly for non-realtime timers. - SPA * The loop now has support for locking with priority inversion. Most of the code was updated to use the locks instead of invoke to get proper concurrent updates with the loop. The Thread loop functionality of locks, signal and wait was moved to the SPA loop. * UMP to Midi 1.0 conversion was improved, some UMP events are now converted to multiple Midi 1.0 messages. (#4839) * The POD filter was refactored and improved. It is now possible to use the default value of the output by specifying an invalid input default value. * The POD parser was made safe for concurrent updates of the memory it is parsing. This is important when the POD is in shared memory and the parser should not access invalid memory. * Some hardcoded channel limits were removed and now use the global channel limit. More things can dynamically adapt to this global limit. The max number of channels was then bumped to 128. * The POD builder is safe to use on shared memory now and tries to avoid many integer overflows. * Most debug functions are safe to be used on shared memory. * User specified Commands and Events are now possible. * The SPA_IO_CLOCK_FLAG_DISCONT was added to spa_io_clock to signal a discont in the clock due to clock change. * AC3, DTS, EAC3, TRUEHD and MPEGH now have helper parser functions. * H265 was added as a video format. (#4674) ... changelog too long, skipping 120 lines ... - Adapt to newer libcamera changes. ==== pixman ==== - Reenable LTO on riscv64 as gcc has been fixed ==== poppler ==== Subpackages: libpoppler-cpp2 libpoppler-glib8 libpoppler153 poppler-tools - security update - added patches CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized * poppler-CVE-2025-52885.patch ==== poppler-qt6 ==== - security update - added patches CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized * poppler-CVE-2025-52885.patch ==== publicsuffix ==== Version update (20250904 -> 20251001) - Update to version 20251001: * util: gTLD data autopull updates for 2025-10-01T15:18:26 UTC * Add, remove and update number of domains allowing subdomain registration ==== python-msgpack ==== Version update (1.1.1 -> 1.1.2) - Update to 1.1.2 * Update Cython to v3.1.4 * Update cibuildwheel to v3.2.0 * Drop Python 3.8 * Add Python 3.14 * Add windows-arm ==== python311 ==== Version update (3.11.13 -> 3.11.14) Subpackages: python311-curses python311-dbm - Update to 3.11.14: - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file. - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. * Whitespaces no longer accepted between does not end the script section. * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the