Packages changed: MicroOS-release (20260420 -> 20260425) blog (2.38 -> 2.40) ca-certificates (2+git20260203.5937e9f -> 2+git20260420.2a8e251) coreutils (9.10 -> 9.11) coreutils-systemd (9.10 -> 9.11) crypto-policies cups (2.4.16 -> 2.4.17) highway (1.3.0 -> 1.4.0) libXpm libgcrypt (1.12.1 -> 1.12.2) libgme (0.6.4 -> 0.6.5) libkdcraw libxml2 (2.15.2 -> 2.15.3) mozilla-nss (3.121 -> 3.122.1) mpc (1.3.1 -> 1.4.1) ncurses (6.6.20260328 -> 6.6.20260418) ntfs-3g_ntfsprogs openssh patterns-base pipewire (1.6.2 -> 1.6.4) poppler poppler-qt6 python-Mako (1.3.10 -> 1.3.11) python-rpds-py (0.27.1 -> 0.30.0) raspberrypi-firmware (2025.06.05 -> 2026.02.11) raspberrypi-firmware-config (2025.06.05 -> 2026.02.11) sdbootutil (1+git20260409.83d5678 -> 1+git20260421.88e40c4) tar xdg-user-dirs (0.18 -> 0.20) xterm (406 -> 407) zlib === Details === ==== MicroOS-release ==== Version update (20260420 -> 20260425) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== blog ==== Version update (2.38 -> 2.40) Subpackages: libblogger2 - Update to version 2.40 * Protect password data stream on 3270 console as well On S390 the 3270 console is also logged and the passwords, even if hidden on the 3270 console, would be logged as well. - Update to version 2.39 * New feature to protect passwords to be logged On S390 now blogd use for 3215 console the command [#]CP SPOOL CONSOLE STOP to stop logging the plain password at prompting for the password. Also a warning is written out to warn the user that the password will be visible. With getting the password the CONSOLE log is enabled again if it was enabled before. ==== ca-certificates ==== Version update (2+git20260203.5937e9f -> 2+git20260420.2a8e251) - Update to version 2+git20260420.2a8e251: * update-ca-certificates requires mv and ln from coreutils ==== coreutils ==== Version update (9.10 -> 9.11) - Update to 9.11: Bug fixes * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".] * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8] * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8] * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10] * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4] * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6] * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26] * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10] New Features * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters. * 'cut' adds new options for better compatibility: The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS. The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox. The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox. * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats. Changes in behavior * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum. Improvements * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system. * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs. * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one. * 'expand' and 'unexpand' now support multi-byte characters. * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users. * 'install' now allows the combination of the --compare and - -preserve-timestamps options. * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms. * 'nl' now supports multi-byte --section-delimiter characters. * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions. * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines. * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process. * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions. * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters. * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system. Build-related * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10] * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10] - coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1). - Refresh all other patches. ==== coreutils-systemd ==== Version update (9.10 -> 9.11) - Update to 9.11: Bug fixes * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".] * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8] * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8] * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10] * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4] * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6] * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26] * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10] New Features * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters. * 'cut' adds new options for better compatibility: The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS. The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox. The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox. * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats. Changes in behavior * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum. Improvements * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system. * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs. * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one. * 'expand' and 'unexpand' now support multi-byte characters. * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users. * 'install' now allows the combination of the --compare and - -preserve-timestamps options. * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms. * 'nl' now supports multi-byte --section-delimiter characters. * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions. * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines. * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process. * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions. * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters. * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system. Build-related * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10] * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10] - coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1). - Refresh all other patches. ==== crypto-policies ==== - Modify the output of fips-mode-setup to hint the user when setting the FIPS mode in transactional systems to use the command 'transactional-update setup-fips'. (bsc#1262315) ==== cups ==== Version update (2.4.16 -> 2.4.17) Subpackages: cups-client cups-config libcups2 libcupsimage2 - Version upgrade to 2.4.17: See https://github.com/openprinting/cups/releases The new release 2.4.17 contains the following security fixes: * CVE-2026-27447: The scheduler treated local user and group names as case-insensitive (bsc#1261572) * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS directory (bsc#1261571) * CVE-2026-34980: The scheduler did not filter control characters from option values (bsc#1261569) * CVE-2026-34979: The scheduler did not always allocate enough memory for a job's options string (bsc#1261570) * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the loopback interface (bsc#1261568) * CVE-2026-39314: Fixed the range check for job password strings (bsc#1261743) * CVE-2026-39316: Fixed a printer subscription bug in the scheduler (bsc#1261742) * CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends. The last CVE number is requested from Github for several days now, the number will be corrected once we have one, but we decided to make a release to share the other fixes ("we" means the CUPS upstream maintainers). - The release includes other fixes as well, listed in CHANGES.md. Issues are those at https://github.com/OpenPrinting/cups/issues Detailed list (from CHANGES.md): * The scheduler followed symbolic links when cleaning out its temporary directory (Issue #1448) * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters. * Updated man page `cancel` (Issue #984) * Updated `cupsRasterReadHeader` to validate more of the page header values (Issue #1501) * Fixed an issue with the class/printer CGI name checking. * Fixed infinite loop in `http_write()` on busy print servers (Issue #827) * Fixed potential TLS blocking issues (Issue #1128) * Fixed a job history bug in the scheduler (Issue #1440) * Fixed notifier logging bug that would result in nul bytes getting into the log (Issue #1450) * Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454) * Fixed a document format bug in the IPP backend (Issue #1457) * Fixed DRAIN_OUTPUT race condition (Issue #1461) * Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions were mixed. * Fixed the mapping of supply type keywords to SNMP names. * Fixed a bug in the IPP backend when SNMP was disabled. * Fixed a crash bug in the rastertoepson filter. * Fixed a bug in cgiCheckVariables. * Fixed handling read/write errors with OpenSSL (Issue #1506) * Fixed handling rehandshake error in `_httpTLSRead` (Issue #1508) * Fixed a debug printf bug on Windows (Issue #1529) * Fixed a recursion issue with encoding of nested collections (Issue #1539) * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`, and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540) * Fixed a parsing bug in `ipptool` (Issue #1542) * Fixed blank line detection in the `rastertolabel` filter (Issue #1545) * Fixed `httpPeek` edge case on compressed streams Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17 ==== highway ==== Version update (1.3.0 -> 1.4.0) - Update to release 1.4.0 * Added Fast* math functions, sum_array example, HWY_ARCH_MAX_BYTES, HWY_MIN_BYTES, HWY_NATIVE_MASK, HWY_REGISTERS HWY_EXPORT_AND_TEST_BEST_P, InterleaveLower/UpperBlocks, Lookup8, XorAndNot, MinMax algo, AtomicBitSet, RVV and LSX/LASX runtime dispatch. ==== libXpm ==== - updated 0001-Fix-CVE-2026-4367-Out-of-bounds-read-in-xpmNextWord.patch to the final version, which has been submitted to gitlab (CVE-2026-4367, bsc#1260928, comment#22) - 0001-Fix-CVE-2026-4367-Out-of-bounds-read-in-xpmNextWord.patch * fix Out of bounds read (CVE-2026-4367, bsc#1260928) ==== libgcrypt ==== Version update (1.12.1 -> 1.12.2) - Update to 1.12.2 * Various fixes on gcry_kem_* apis ==== libgme ==== Version update (0.6.4 -> 0.6.5) - Update to version 0.6.5 * Removed CPP demo as it uses private API. * Reworked demos so they no longer use private API. * Implemented some undocumented OPcodes for NES CPU. * Fixed several compile warnings.. * The fade length is now passed to the track info for SPC files. * The C++ runtime library is now properly exported. * Fixed several crashes and security vulnerabilities reported by people. * The YM2413 chip emulator has been updated to the version v1.5.9 * Added ADPCM support for the HES emulator, backported from Kode54's fork. ==== libkdcraw ==== Subpackages: libKDcrawQt6-5 libkdcraw-qt6 - Restore a Qt 5 based libkcdraw package until krita is ported to Qt 6 ==== libxml2 ==== Version update (2.15.2 -> 2.15.3) Subpackages: libxml2-16 libxml2-tools - Update to version 2.15.3: * Security: - parser: Pass userData to SAX text callbacks in xmlParseReference (type-confusion) - entities: copy children in xmlCopyEntity - c14n: Fix Type confusion in xmlC14NProcessAttrsAxis - python: Do not decref string after adding to the list (double-free / use-after-free) - c14n: Reuse tmp_str, xmlStrcat reallocates *cur (double-free) * Improvements: - schemas: Fix relative schemaLocation resolution in XSI assembly in streaming mode - xmlreader: propagate reader resource loaders to validator parsers - python: Make python bindings python2 compatible - xmlregexp: Fix escape-sequence character range matching - xmlreader: Free input in xmlReaderForFd (memory-leak) - xmlstring: Free cur on every error for xmlStrncat (memory-leak) - catalog: Free xmlCatalogResolveCache on cleanup (memory leak) - Fix nanohttp.c build when --without-output - test: fix mismatched signed/unsigned comparison ==== mozilla-nss ==== Version update (3.121 -> 3.122.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.122.1 * bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey. * bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey. * bmo#2029462 - store email on subject cache_entry in NSS trust domain. * bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation. * bmo#2029323 - Improve size calculations in CMS content buffering. * bmo#2028001 - avoid integer overflow while escaping RFC822 Names. * bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder. * bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile. * bmo#2027345 - Improve input validation in DSAU signature decoding. * bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS. * bmo#2026156 - Add a maximum cert uncompressed len and tests. * bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes. * bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie. - update to NSS 3.122 * bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree. * bmo#2023664 - run mach doc-lint from generate_release_doc.py. * bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag. * bmo#2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable. * bmo#2021911 - fix cipher spec count intermittent CI failures. * bmo#2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures. * bmo#2023437 - lint the legacy documentation. * bmo#2023437 - lint the NSS 3.112.3 release notes. * bmo#2023437 - add a doc-lint CI job. * bmo#2020224 - Add more useful coverage reports to CI and fail if new commit isn't tested. * bmo#1472747 - wrong alert for malformed TLS 1.3 Finished. * bmo#1916429 - Swap order of asserts and state check. * bmo#2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare. * bmo#2017929 - GCM needs to check for various limits in FIPS mode. * bmo#2017938 - Get Key Length not working from ED and Montgomery keys. * bmo#2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren't. * bmo#2020721 - fix intermittent ssl.sh test failures on windows runners. * bmo#2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage. * bmo#2017920 - Generate keys not getting indicators. * bmo#2020612 - improve error handling in smime_init_once. * bmo#1987288 - Detect CPU features on OpenBSD using elf_aux_info. * bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash. * bmo#2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects. * bmo#2019194 - fix missing .S file error in Solaris Makefile builds. * bmo#2020486 - fix memory leak in NSC_GenerateKey error path. * bmo#2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions. * bmo#2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths. * bmo#2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path. * bmo#2020188 - avoid null deref in mp_div_d sign normalization. * bmo#2017945 - Temp private key lifecycle is broken. * bmo#1851073 - protect rwSessionCount with slotLock. * bmo#2019224 - Remove invalid PORT_Free(). * bmo#1828713 - Fix intermittent ClientGreaseKeyShare test failure. * bmo#2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate. * bmo#2019760 - patch upstream acvp-rust during checkout to avoid build failures. * bmo#2019760 - update acvp Dockerfile. * bmo#2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken. * bmo#2018000 - CKA_SEED missing from isPrivate in the database. * bmo#2019717 - update abicheck expectation for __nss_InitLock. * bmo#2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds. * bmo#2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path. * bmo#2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT. * bmo#2019327 - tests: add native_path helper for cross-platform path conversion. * bmo#2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows. * bmo#2019090 - avoid platform GCM for x64 iOS emulator builds. * bmo#2012002 - remove lock instrumentation feature. * bmo#2017923 - Move FIPS indicator structures out of fips_algorithms.h. * bmo#2018064 - all.sh is failing in FIPS SSL test in main tree. * bmo#1975973 - fix memory leaks in crmf tests. * bmo#2012547 - fix unsatisfiable condition in lg_getTrust. * bmo#2006218 - allow selfserv makefile build to use system zlib. * bmo#2002247 - Add allocation limit to pkcs12 decoding. * bmo#2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests. - Rebase patches nss-fips-aes-gcm-restrict.patch and nss-fips-approved-crypto-non-ec.patch due to upstreamed FIPS patches ==== mpc ==== Version update (1.3.1 -> 1.4.1) - update to 1.4.1: * mpc_fr_div: Fix memory leak introduced in release 1.4.0 - Fixup pkg-config install location - Update to 1.4.0: * New functions: mpc_exp10, mpc_exp2, mpc_log2 * mpc_tan and mpc_tanh: Fix wrong values and slowness for large imaginary part. * mpc_pow: Agree on and implement the sign of the imaginary part when both inputs are real. * mpc_fr_div and mpc_ui_div: Treat the imaginary part of the dividend as an exact zero and not as +0, following the C2Y draft of the C standard. This changes the signs of zeroes in some results. * Generate the pkg-config file mpc.pc ==== ncurses ==== Version update (6.6.20260328 -> 6.6.20260418) Subpackages: libncurses6 ncurses-utils terminfo-base - Disable fix-mouse.patch as it conflicts with current patch level. Mask patch fix-mouse.patch as source to not lose it. - The fix-bsc1259924.patch is NOT required as at this patch level already included. In fact fix-bsc1259924.patch is a backport. - Add ncurses patch 20260418 + note in manpage that wgetch/wget_wch consistently set errno to EBADF for poll/select configurations when the input is closed. + improve check in test/ncurses for errors by limiting it to the latest wgetch/wget_wch (cf: 20260404). > fixes for problems found by Anthropic (report by David Korczynski): + correct a limit-check in _nc_write_object + correct a source-pointer in _nc_trim_sgr0 + add limit-check in read_SGR - Add ncurses patch 20260411 + if POLLNVAL is set in revents, set errno to EBADF to improve handling of closed input for poll() configuration. + cancel bce and rep in some screen.X's -TD - Add ncurses patch 20260404 + use xterm+direct in konsole-direct, add several features to konsole (report by Xu Che) + use dec+sl in mintty (prompted by Thomas Wolff) -TD + add linux-alt1049 (report by Sebastien Hinderer) -TD + add a limit-check in _nc_mouse_parse in case there are no valid events (report by Giorgos Xou, cf: 20260301). + amend recent change to test/ncurses to check errno before deciding to exit. ==== ntfs-3g_ntfsprogs ==== Subpackages: libntfs-3g89 ntfs-3g ntfsprogs - Add ntfs3g-heap-overflow.patch: bsc#1262216 CVE-2026-40706. ==== openssh ==== Subpackages: openssh-clients openssh-common openssh-server - Update openssh-8.1p1-audit.patch (bsc#1252890). This prevents the connection from dropping due to message mismatches in the monitor protocol when concurrency is high. - Add missing patch tags. ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - immutable_base: Pull in systemd-presets-branding-SLE_immutable rather than systemd-presets-branding-SLE_transactional (package has been renamed) ==== pipewire ==== Version update (1.6.2 -> 1.6.4) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.6.4: * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases. * Highlights - Small improvements and seqfault fixes. - Try to not emit ports that JACK doesn't understand. Fixes glitches in ardour and other JACK apps. * PipeWire - Refuse to load plugins and crash when pw_init() was not called. (!2784 (closed)) * SPA - Fix LADSPA plugin loading, support LADSPA_PATH ending with / - Fix segfault in alsa-seq when removing devices in some cases. (#5221 (closed)) - Allow negative gain in mixer. (#5228 (closed)) - Improve alsa-seq port names, add : between client and port. (#5229 (closed)) - ACP: don’t override user-selected port on availability changes. * Bluetooth - Backport some important fixes and minor improvements. * JACK - Ignore non DSP ports to avoid emitting extra callbacks. * GStreamer - Fix crop metadata. * Tools - Fix WAVEX saving in pw-cat. (#5233 (closed)) - Update to version 1.6.3: * Highlights - Fix some RAOP compatibility regressions. - Fix segfault in the mixer in some cases. - Most nodes now produce and consume MIDI1 again and avoid conversions to and from UMP. - Various small fixes and improvements. * PipeWire - Fix regression with sample rate changes. (#5207 (closed)) - Fix a potential integer overflow in the memory mapping. * Modules - Align RTP timestamps to make RAOP work on more devices. (#5167 (closed)) - Avoid crashes in RTP streams because of concurrent event emission. - Avoid invalid fd usage in native-protocol with special crafted messages. - Fix properties and params enumeration in filter-chain (#5202 (closed)). * SPA - Fix compilation with -Werror=discarded-qualifiers - Avoid OOB read in mix matrix. (#5176 (closed)) - Avoid loading plugins from absolute paths that are not in the search path. - Avoid MIDI conversions to and from UMP. (#5183 (closed)) * Bluetooth - Backport some fixes and avoid some crashes. * JACK - Make sure timebase callback is never called with 0 frames. - Increase the notify queue to avoid losing notifications. - Drop patch which is already included upstream: * pipewire-const-correctness-1.patch - Modify the service to use a tar.xz file for the sources instead of obscpio. ==== poppler ==== Subpackages: libpoppler-cpp3 libpoppler157 - %suse_version value will be bumped for each service pack (e. g. 1610 for 16sp1), thus using >= 1600 for SLE16 - SLE16 does not have extra-cmake-modules ==== poppler-qt6 ==== - %suse_version value will be bumped for each service pack (e. g. 1610 for 16sp1), thus using >= 1600 for SLE16 - SLE16 does not have extra-cmake-modules ==== python-Mako ==== Version update (1.3.10 -> 1.3.11) - Update to 1.3.11 * Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization. (bsc#1262716, CVE-2026-41205) ==== python-rpds-py ==== Version update (0.27.1 -> 0.30.0) - Update to 0.30.0: * Update to PyO3 0.27.2 * Bump actions/download-artifact from 5 to 6 * Bump github/codeql-action from 4.30.9 to 4.31.0 * Bump actions/upload-artifact from 4 to 5 * Bump astral-sh/setup-uv from 7.1.1 to 7.1.2 * Bump github/codeql-action from 4.31.0 to 4.31.2 * Bump softprops/action-gh-release from 2.4.1 to 2.4.2 * Bump rpds from 1.1.2 to 1.2.0 * Bump PyO3 to 0.27 - Drop tar_scm use and switch to the PyPi sdist. - Ship the LICENSE and the README in the built packages. - Run the testsuite. ==== raspberrypi-firmware ==== Version update (2025.06.05 -> 2026.02.11) - Update to 832291b92d49 (2026-02-11) * firmware: arm_crypto_hmac_sha256: Initialise mbedtls early * firmware: arm_ldconfig: Avoid double os_prefix on initramfs See: https://forums.raspberrypi.com/viewtopic.php?t=394238 * firmware: helpers/config_loader: Also support bootvar0 eeprom config on Pi4 See: https://github.com/raspberrypi/rpi-eeprom/issues/773 * firmware: extra: Add missing dt-blob.dts * firmware: arm-crypto: Implement rpi-fw-crypto service See: https://github.com/raspberrypi/utils/pull/139 * firmware: bootloader: Fix config key search which could cause camera_autodetect to fail * firmware: arm_loader: Also require the early-watchdog property See: https://github.com/raspberrypi/firmware/issues/1980 * firmware: extra: Add missing dt-blob.dts * firmware: arm_loader: Enable "Starting ARM" log message - ------------------------------------------------------------------ - Enable dwc2 overlay on pi0, pi1 and pi2 models. This is to properly enable USB hub to which in some cases the Ethernet controller is connected. See boo#1251192. Tested on: * RPi Zero 2 W Rev 1.0 * RPi 2 Model B Rev 1.1 amd Rev 1.2 ==== raspberrypi-firmware-config ==== Version update (2025.06.05 -> 2026.02.11) - Update to 832291b92d49 (2026-02-11) * firmware: arm_crypto_hmac_sha256: Initialise mbedtls early * firmware: arm_ldconfig: Avoid double os_prefix on initramfs See: https://forums.raspberrypi.com/viewtopic.php?t=394238 * firmware: helpers/config_loader: Also support bootvar0 eeprom config on Pi4 See: https://github.com/raspberrypi/rpi-eeprom/issues/773 * firmware: extra: Add missing dt-blob.dts * firmware: arm-crypto: Implement rpi-fw-crypto service See: https://github.com/raspberrypi/utils/pull/139 * firmware: bootloader: Fix config key search which could cause camera_autodetect to fail * firmware: arm_loader: Also require the early-watchdog property See: https://github.com/raspberrypi/firmware/issues/1980 * firmware: extra: Add missing dt-blob.dts * firmware: arm_loader: Enable "Starting ARM" log message - ------------------------------------------------------------------ ==== sdbootutil ==== Version update (1+git20260409.83d5678 -> 1+git20260421.88e40c4) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit - Update to version 1+git20260421.88e40c4: * Allow multiple lines and comment lines in cmdline files ==== tar ==== - Ensure the date in .info files is reproducible (boo#1047218) ==== xdg-user-dirs ==== Version update (0.18 -> 0.20) - Update to version 0.20: + Features: - user-dirs.defaults: add PROJECTS directory - Replace xdg-user-dir shell script with C implementation - Make printable-char validation for dir names stricter + Bugfixes: - build: Unhardcode bindir in .service file - Fix length accounting in concat_strings - Escape " as well when shell-escaping - Check that user dir name does not contain line breaks - git-tp-sync: prevent handling POT files + Miscellaneous: - Remove Automake support - Clean up user-dir lookup code a bit, split sources and data - Stop mixing tabs & spaces - Changes from version 0.19: + Features: - Add a systemd service to run xdg-user-dirs-update - Add initial Meson buildsystem support + Bugfixes: Fix autopoint invocation + Miscellaneous: - Update automake boilerplate - Update information in README + Updated translations. - Switch to meson buildsystem. - Drop 0001-Add-a-systemd-service-to-run-xdg-user-dirs-update.patch Fixed upstream. ==== xterm ==== Version update (406 -> 407) Subpackages: xterm-bin xterm-resize - update to 407: * add private modes 1020 to 1023 for reporting whether xterm uses UTF-8, whether CJK-width is set, whether Emoji-width is set, and whether private-width is set. * add resource privateWidth to control whether PUA (private use area) codes are neutral width or single-width. * improve fix for Debian #738794, to show boxes for codes which are neither combining characters or valid Unicode characters * improve switching to/from UTF-8 mode by saving, restoring and resetting the G0-G3 array (Debian #1124802). * use ST consistently in terminfo rather than legacy BEL minor updates to configure script and terminfo * add option --enable-resize-adjust for saving and repainting parts of the window which are lost when the user resizes the window ==== zlib ==== Subpackages: libminizip1 libz1 - Fix CVE-2026-27171, infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths (bsc#1258392) * CVE-2026-27171.patch