Packages changed: MozillaFirefox (140.0.2 -> 141.0) avahi avahi-glib2 gdm ghostscript-fonts gstreamer (1.26.3 -> 1.26.4) gstreamer-plugins-bad (1.26.3 -> 1.26.4) gstreamer-plugins-base (1.26.3 -> 1.26.4) gstreamer-plugins-good (1.26.3 -> 1.26.4) gstreamer-plugins-libav (1.26.3 -> 1.26.4) gstreamer-plugins-ugly (1.26.3 -> 1.26.4) inkscape kernel-source (6.15.7 -> 6.15.8) libostree (2025.3 -> 2025.4) mozilla-nss (3.112 -> 3.113) mozjs128 (128.12.0 -> 128.13.0) openSUSE-release (20250725 -> 20250727) patterns-base patterns-gnome pixman poppler poppler-qt6 python-Babel python-kiwi (10.2.28 -> 10.2.29) sdl2-compat sysuser-tools virtualbox (7.1.10 -> 7.1.12a) virtualbox-kmp (7.1.10_k6.15.7_1 -> 7.1.12a_k6.15.8_1) === Details === ==== MozillaFirefox ==== Version update (140.0.2 -> 141.0) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 141.0 * https://www.mozilla.org/en-US/firefox/141.0/releasenotes/ MFSA 2025-56 (bsc#1246664) * CVE-2025-8027 (bmo#1968423) JavaScript engine only wrote partial return value to stack * CVE-2025-8028 (bmo#1971581) Large branch table could lead to truncated instruction * CVE-2025-8041 (bmo#1670725) Incorrect URL truncation in Firefox for Android * CVE-2025-8042 (bmo#1791322) Sandboxed iframe could start downloads * CVE-2025-8029 (bmo#1928021) javascript: URLs executed on object and embed tags * CVE-2025-8036 (bmo#1960834) DNS rebinding circumvents CORS * CVE-2025-8037 (bmo#1964767) Nameless cookies shadow secure cookies * CVE-2025-8030 (bmo#1968414) Potential user-assisted code execution in “Copy as cURL” command * CVE-2025-8043 (bmo#1970209) Incorrect URL truncation * CVE-2025-8031 (bmo#1971719) Incorrect URL stripping in CSP reports * CVE-2025-8032 (bmo#1974407) XSLT documents could bypass CSP * CVE-2025-8038 (bmo#1808979) CSP frame-src was not correctly enforced for paths * CVE-2025-8039 (bmo#1970997) Search terms persisted in URL bar * CVE-2025-8033 (bmo#1973990) Incorrect JavaScript state machine for generators * CVE-2025-8044 (bmo#1933572, bmo#1971116) Memory safety bugs fixed in Firefox 141 and Thunderbird 141 * CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422) Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 * CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998) Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 * CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961) Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - requires NSS 3.113 ==== avahi ==== Subpackages: avahi-lang libavahi-client3 libavahi-client3-32bit libavahi-common3 libavahi-common3-32bit libavahi-core7 - Add patch submitted to upstream at to enable building with Qt6 and add that flavor: 0001-Enable-building-with-Qt6.patch - Disable building the Qt5 flavor in SLE16. ==== avahi-glib2 ==== Subpackages: libavahi-glib1 libavahi-gobject0 libavahi-ui-gtk3-0 - Add patch submitted to upstream at to enable building with Qt6 and add that flavor: 0001-Enable-building-with-Qt6.patch - Disable building the Qt5 flavor in SLE16. ==== gdm ==== Subpackages: gdm-lang gdm-schema gdm-xdm-integration gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0 - gdm-fingerprint.pamd: Fix inclusion of common-account instead of postlogin-account ==== ghostscript-fonts ==== - Remove the -converted subpackage that uses ttf-converter. Anyone using these fonts should actually use the urw-base35-fonts package. ==== gstreamer ==== Version update (1.26.3 -> 1.26.4) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.26.4: + Highlighted bugfixes in 1.26.4: - adaptivedemux2: Fixed reverse playback - d3d12screencapture: Add support for monitor add/remove in device provider - rtmp2src: various fixes to make it play back AWS medialive streams - rtph265pay: add profile-id, tier-flag, and level-id to output rtp caps - vp9parse: Fix handling of spatial SVC decoding - vtenc: Fix negotiation failure with profile=main-422-10 - gtk4paintablesink: Add YCbCr memory texture formats and other improvements - livekit: add room-timeout - mp4mux: add TAI timestamp muxing support - rtpbin2: fix various race conditions, plus other bug fixes and performance improvements - threadshare: add a ts-rtpdtmfsrc element, implement run-time input switching in ts-intersrc - webrtcsink: fix deadlock on error setting remote description and other fixes. - cerbero: WiX installer: fix missing props files in the MSI packages - smaller macOS/iOS package sizes - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - tracers: Fix deadlock in latency tracer - Fix various valgrind/test errors when GST_DEBUG is enabled - More valgrind and test fixes - Various ASAN fixes ==== gstreamer-plugins-bad ==== Version update (1.26.3 -> 1.26.4) Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.26.4: + avtp: crf: Setup socket during state change to ensure we handle failure + d3d12screencapture: Add support for monitor add/remove in device provider + mpegtsmux: fix double free caused by shared PMT descriptor + openh264: Ensure src_pic is initialized before use + rtmp2src: various fixes to make it play back AWS medialive streams + ssdobjectdetector: Use correct tensor data index for the scores + v4l2codecs: h265dec: Fix zero-copy of cropped window located at position 0,0 + vp9parse: Fix handling of spatial SVC decoding + vp9parse: Revert "Always default to super-frame" + vtenc: Fix negotiation failure with profile=main-422-10 + vulkan: Fix drawing too many triangles in fullscreenquad + vulkanfullscreenquad: add locks for synchronisation + Fix various valgrind/test errors when GST_DEBUG is enabled + More valgrind and test fixes + Various ASAN fixes ==== gstreamer-plugins-base ==== Version update (1.26.3 -> 1.26.4) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.26.4: + Revert "streamsynchronizer: Consider streams having received stream-start as waiting" + alsa: free conf cache under valgrind + gst-device-monitor: Fix caps filter splitting + Fix various valgrind/test errors when GST_DEBUG is enabled + More valgrind and test fixes + Various ASAN fixes ==== gstreamer-plugins-good ==== Version update (1.26.3 -> 1.26.4) Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang - Remove BuildRequires: libQt5PlatformHeaders-devel which isn't needed anymore - Update to version 1.26.4: + adaptivedemux2: Fixed reverse playback + matroskademux: Send tags after seeking + qtdemux: Fix incorrect FourCC used when iterating over sbgp atoms + qtdemux: Incorrect sibling type used in sbgp iteration loop + rtph265pay: add profile-id, tier-flag, and level-id to output rtp caps + rtpjpeg: fix copying of quant data if it spans memory segments + soup: Disable range requests when talking to Python's http.server + v4l2videodec: need replace acquired_caps on set_format success + Fix various valgrind/test errors when GST_DEBUG is enabled + More valgrind and test fixes + Various ASAN fixes ==== gstreamer-plugins-libav ==== Version update (1.26.3 -> 1.26.4) - Update to version 1.26.4: + Various ASAN fixes ==== gstreamer-plugins-ugly ==== Version update (1.26.3 -> 1.26.4) Subpackages: gstreamer-plugins-ugly-lang - Update to version 1.26.4: + No changes, stable bump only. ==== inkscape ==== Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang - Extension manager needs Python module 'appdirs', add dependency for python313-appdirs to inkscape-extensions-extra ==== kernel-source ==== Version update (6.15.7 -> 6.15.8) - Linux 6.15.8 (bsc#1012628). - KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls (bsc#1012628). - smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data (bsc#1012628). - drm/xe: Move page fault init after topology init (bsc#1012628). - drm/xe/mocs: Initialize MOCS index early (bsc#1012628). - sched/ext: Prevent update_locked_rq() calls with NULL rq (bsc#1012628). - sched,freezer: Remove unnecessary warning in __thaw_task (bsc#1012628). - cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code (bsc#1012628). - cifs: Fix the smbd_response slab to allow usercopy (bsc#1012628). - smb: client: make use of common smbdirect_socket_parameters (bsc#1012628). - smb: smbdirect: introduce smbdirect_socket_parameters (bsc#1012628). - smb: client: make use of common smbdirect_socket (bsc#1012628). - smb: smbdirect: add smbdirect_socket.h (bsc#1012628). - smb: smbdirect: add smbdirect.h with public structures (bsc#1012628). - smb: client: make use of common smbdirect_pdu.h (bsc#1012628). - smb: smbdirect: add smbdirect_pdu.h with protocol definitions (bsc#1012628). - rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 (bsc#1012628). - net: libwx: fix multicast packets received count (bsc#1012628). - usb: dwc3: qcom: Don't leave BCR asserted (bsc#1012628). - usb: hub: Don't try to recover devices lost during warm reset (bsc#1012628). - usb: hub: Fix flushing of delayed work used for post resume purposes (bsc#1012628). - usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm (bsc#1012628). - usb: hub: fix detection of high tier USB3 devices behind suspended hubs (bsc#1012628). - sched: Change nr_uninterruptible type to unsigned long (bsc#1012628). - efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths (bsc#1012628). - libbpf: Fix handling of BPF arena relocations (bsc#1012628). - drm/mediatek: only announce AFBC if really supported (bsc#1012628). - drm/mediatek: Add wait_event_timeout when disabling plane (bsc#1012628). - Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" (bsc#1012628). - rxrpc: Fix to use conn aborts for conn-wide failures (bsc#1012628). - rxrpc: Fix transmission of an abort in response to an abort (bsc#1012628). - rxrpc: Fix notification vs call-release vs recvmsg (bsc#1012628). - rxrpc: Fix recv-recv race of completed call (bsc#1012628). - rxrpc: Fix irq-disabled in local_bh_enable() (bsc#1012628). - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (bsc#1012628). - net: bridge: Do not offload IGMP/MLD messages (bsc#1012628). - net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime (bsc#1012628). - tls: always refresh the queue when reading sock (bsc#1012628). - virtio-net: fix recursived rtnl_lock() during probe() (bsc#1012628). - hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf (bsc#1012628). - Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (bsc#1012628). - drm/xe/pf: Resend PF provisioning after GT reset (bsc#1012628). - drm/xe/pf: Prepare to stop SR-IOV support prior GT reset (bsc#1012628). - drm/xe: Dont skip TLB invalidations on VF (bsc#1012628). - netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1012628). - net: fix segmentation after TCP/UDP fraglist GRO (bsc#1012628). - ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (bsc#1012628). - net: airoha: fix potential use-after-free in airoha_npu_get() (bsc#1012628). - net/mlx5: Correctly set gso_size when LRO is used (bsc#1012628). - Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (bsc#1012628). - Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap (bsc#1012628). - Bluetooth: hci_core: add missing braces when using macro parameters (bsc#1012628). - Bluetooth: hci_core: fix typos in macros (bsc#1012628). - Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (bsc#1012628). - Bluetooth: SMP: If an unallowed command is received consider it a failure (bsc#1012628). - Bluetooth: hci_sync: fix connectable extended advertising when using static random address (bsc#1012628). - Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (bsc#1012628). - riscv: traps_misaligned: properly sign extend value in misaligned load handler (bsc#1012628). - riscv: Enable interrupt during exception handling (bsc#1012628). ... changelog too long, skipping 223 lines ... - commit e03d052 ==== libostree ==== Version update (2025.3 -> 2025.4) Subpackages: libostree-1-1 - Update to version 2025.4: + ostree-prepare-root: remove duplicate transient directory + Add root.transient-ro ==== mozilla-nss ==== Version update (3.112 -> 3.113) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools - update to NSS 3.113 * bmo#1963792 - Fix alias for mac workers on try. * bmo#198090 - Part 1: Use AES in the SDR (NSS) r=simonf,nss-reviewers,rrelyea * bmo#1968764 - Bump nssckbi version to 2.78. * bmo#1967548 - Turn off Websites Trust Bit for Chunghwa Telecom ePKI Root in FF 141. * bmo#1965556 - fix frame pointers in intel-gcm.s. * bmo#1971510 - Typo in release notes for NSS 101.4. * bmo#1968665 - Improve nss-release-helper.py. * bmo#1930800 - shlibsign is broken in System FIPS mode. * bmo#1954612 - Need up update NSS for PKCS 3.1: Move IPSEC to 3.1 * bmo#1965327 - PKCS #11 v3.2 header files. ==== mozjs128 ==== Version update (128.12.0 -> 128.13.0) - Update to version 128.13.0: + CVE-2025-8027: JavaScript engine only wrote partial return value to stack + CVE-2025-8028: Large branch table could lead to truncated instruction + CVE-2025-8029: javascript: URLs executed on object and embed tags + CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command + CVE-2025-8031: Incorrect URL stripping in CSP reports + CVE-2025-8032: XSLT documents could bypass CSP + CVE-2025-8033: Incorrect JavaScript state machine for generators + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 ==== openSUSE-release ==== Version update (20250725 -> 20250727) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== patterns-base ==== Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced - Drop xsetmode and xsetpointer from x11_raspberrypi (boo#1246921) ==== patterns-gnome ==== Subpackages: patterns-gnome-gnome patterns-gnome-gnome_basic patterns-gnome-gnome_basis patterns-gnome-gnome_games patterns-gnome-gnome_imaging patterns-gnome-gnome_internet patterns-gnome-gnome_multimedia patterns-gnome-gnome_office patterns-gnome-gnome_utilities patterns-gnome-gnome_x11 patterns-gnome-gnome_yast patterns-gnome-sw_management_gnome - Explicitly recommends Google Noto Arabic fonts in GNOME (bsc#1246323). ==== pixman ==== - Disable LTO on riscv64 due to gcc bug 110812 ==== poppler ==== Subpackages: libpoppler-cpp2 libpoppler-glib8 libpoppler151 poppler-tools - Do not build the qt5 flavor in SLE16. ==== poppler-qt6 ==== - Do not build the qt5 flavor in SLE16. ==== python-Babel ==== - Add reproducible.patch to normalize date in .po (boo#1047218) ==== python-kiwi ==== Version update (10.2.28 -> 10.2.29) - Bump version: 10.2.28 → 10.2.29 - Fix return from repart stage If we return from the repart stage it's important to wait for the root device to appear. This is because the device setup from udev might still be held back due to a former lock on the device. This means if we return fast after locking for example when check_repart_possible() quickly finds out that it's not possible, then udev has not yet got the time to create the device nodes. This Fixes #2863 ==== sdl2-compat ==== - Change license to Zlib ==== sysuser-tools ==== - disable the buildroot virus scanning, as it needs the vscan user this package provides. (bsc#1246878) ==== virtualbox ==== Version update (7.1.10 -> 7.1.12a) - Update to release 7.1.12 * VMM: Fixed issue when running a nested VM caused Guru Meditation for outer VM * NAT: Fixed issue when VMs with long names were unable to start * Linux host: Fixed possible kernel panic when using bridged networking with a network interface handled by the ixgbe driver on newer kernels * Recording: Fixed issue when Windows Guest Machine was unable to start when recording was enabled in Display Settings * Support for Linux 6.16 * Linux Guest Additions (LGA): Fixed issue when 'rcvboxadd status-kernel' was reporting incorrect status when guest was running kernel 3.10 series and older * LGA: Fixed issue when VBoxClient was unable to start if guest was running kernel 2.6 series and older * LGA: Fixed issue which caused a warning in system log due to incorrect udev rule - Delete kernel-6.16-READ-WRITE.patch, kernel-6.16-from_timer.patch, kernel-6.16-page-index.patch ==== virtualbox-kmp ==== Version update (7.1.10_k6.15.7_1 -> 7.1.12a_k6.15.8_1) - Update to release 7.1.12 * VMM: Fixed issue when running a nested VM caused Guru Meditation for outer VM * NAT: Fixed issue when VMs with long names were unable to start * Linux host: Fixed possible kernel panic when using bridged networking with a network interface handled by the ixgbe driver on newer kernels * Recording: Fixed issue when Windows Guest Machine was unable to start when recording was enabled in Display Settings * Support for Linux 6.16 * Linux Guest Additions (LGA): Fixed issue when 'rcvboxadd status-kernel' was reporting incorrect status when guest was running kernel 3.10 series and older * LGA: Fixed issue when VBoxClient was unable to start if guest was running kernel 2.6 series and older * LGA: Fixed issue which caused a warning in system log due to incorrect udev rule - Delete kernel-6.16-READ-WRITE.patch, kernel-6.16-from_timer.patch, kernel-6.16-page-index.patch