Packages changed:
  aws-lc (1.71.0 -> 1.72.0)
  flatpak (1.16.3 -> 1.16.6)
  gnome-sudoku (50.0 -> 50.1)
  python-greenlet (3.3.2 -> 3.4.0)
  python-setuptools
  python-zope.event (5.0 -> 6.1)
  python-zope.interface (7.2 -> 8.3)
  python313-setuptools
  selinux-policy (20260311 -> 20260410)

=== Details ===

==== aws-lc ====
Version update (1.71.0 -> 1.72.0)
Subpackages: libcrypto-awslc0 libssl-awslc0

- Update to version 1.72.0:
  + Reject point at infinity in EC_KEY_set_public_key
  + Add SSL_use_cert_and_key for per-connection cert/key setting
  + Add Optimized and HOL Light verified AVX2 Keccak x4
  + Fix intermittent WIN32_rename failures in openssl ca CLI tool due to transient file locks
  + Remove redundant definitions
  + fipsmodule/ml-kem: Import mlkem-native v1.1.0
  + Zeroize sensitive stack buffers in DRBG, X25519, Ed25519, ECDSA, ECDH…
  + Fix entropy source selection for Apple cross-compilation targets
  + openssl-tool CLI: CA cleanup
  + Fix PostgreSQL integration SSL test failures for upstream error string changes
  + Hardening fixes for ML-DSA digest mode, XTS key comparison, and urandom
  + Fix bind9 integration test for upstream build system changes
  + Consistently set outlen to zero for all error paths
  + Add -msg and -servername support to openssl s_client
  + Add NULL pointer validation to ML-KEM EVP encapsulate/decapsulate
  + Add openssl version -a and -p flag support
  + Rename __AWS_LC_ENSURE to AWS_LC_ENSURE to avoid reserved identifier
  + Upgrade custom libc++ to LLVM 19 and add sanitizer support to build_and_test.sh
  + Update PyOpenSSL patch
  + Harden OCSP response printing and fix integer overflow in x509v3_bytes_to_hex
  + Small fixes for RSA_METHOD and EVP_PKEY_derive_set_peer
  + Add OPENSSL_INIT_ATFORK compatibility stub
  + Bound ReadConsoleW by stack buffer size
  + Change ML-KEM PKCS#8 encoding from expanded to seed form
  + Add missing error return for short metadata keys
  + Lower default SSL peek test rounds and remove CI workarounds
  + Check RSA-PSS digest algorithms for X509
  + Update target.h to support Loongarch64 ABI1.0 architecture
  + Make some more half-empty EVP_PKEY states impossible

==== flatpak ====
Version update (1.16.3 -> 1.16.6)
Subpackages: flatpak-remote-flathub flatpak-selinux libflatpak0 system-user-flatpak

- Install flatpak-selinux.if in distributed instead of contrib to avoid clashing with the interfaces from the main selinux-policy package (bsc#1262051)
  - Add 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch
  - Can be dropped when this comes back from upstream: https://github.com/flatpak/flatpak/pull/6622
- Update to version 1.16.6:
  + Bug fixes:
    - Fix the remaining regression for Chromium based browsers by not leaking file descriptors down to wrapped command
    - Fix a regression when installing extra-data without a runtime, which is the case for openh264
    - Fix the remaining regression for Epiphany by ignoring unusable sandbox-expose paths for sub-sandboxes in the portal
    - Fix the installed tests by allowing to add a new ref to an existing temporary ostree repo
    - Avoid closing fds 0/1/2 when they are used as a bad argument to flatpak-run, and reduce duplication in handling file descriptor arguments
- Update to version 1.16.5:
  + Bug fixes: Fix regressions caused by the sandbox escape security fix, which impact some browsers, browser-based apps and Steam
  + Enhancements: Expand test coverage of flatpak-run features used by flatpak-portal
- Update to version 1.16.4:
  + Security fixes:
    - Fix a complete sandbox escape which leads to host file access and code execution in the host context (CVE-2026-34078)
    - Prevent arbitrary file deletion on the host filesystem (CVE-2026-34079)
    - Prevent arbitrary read-access to files in the system-helper context (GHSA-2fxp-43j9-pwvc)
    - Prevent orphaning cross-user pull operations (GHSA-89xm-3m96-w3jg)
- Update suse_version macro for 1610 (jsc#PED-15828)

==== gnome-sudoku ====
Version update (50.0 -> 50.1)
Subpackages: gnome-sudoku-lang

- Update to version 50.1:
  + Updated translations.

==== python-greenlet ====
Version update (3.3.2 -> 3.4.0)

- Update to 3.4.0
  * Publish binary wheels for RISC-V 64.
  * Fix multiple rare crash paths during interpreter shutdown. Note that this now relies on the atexit module, and introduces subtle API changes during interpreter shutdown (for example, getcurrent is no longer available once the atexit callback fires). See PR #499 by Nicolas Bouvrette.
  * Address the results of an automated code audit performed by Daniel Diniz. This includes several minor correctness changes that theoretically could have been crashing bugs, but typically only in very rare circumstances. See PR 502.
  * Fix several race conditions that could arise in free-threaded builds when using greenlet objects from multiple threads, some of which could lead to assertion failures or interpreter crashes. See issue 503, with thanks to Nitay Dariel and Daniel Diniz.

==== python-setuptools ====

- add testsuite for tests

==== python-zope.event ====
Version update (5.0 -> 6.1)

- update to 6.1:
  * Add support for Python 3.14.
  * Drop support for Python 3.9.
  * Remove no longer necessary setuptools runtime dependency.
  * Replace pkg_resources namespace with PEP 420 native namespace.
  * Require setuptools >= 75.8.2 to prevent problems with the new packaging standard.
  * Add support for Python 3.12 and 3.13.
  * Drop support for Python 3.7 and 3.8.
- drop intersphinx.patch (upstream)

==== python-zope.interface ====
Version update (7.2 -> 8.3)

- update to 8.3:
  * Add support for free-threaded Python 3.14t
  * Guard 4 unprotected ``PyErr_Clear()`` calls in the C extension with ``PyErr_ExceptionMatches`` checks, matching the pattern already used at 7 other sites in the same file. Without the guard
  * Move all supported package metadata into ``pyproject.toml``.
  * Ignore ``__annotate_func__`` added in Python 3.14b1.
- Update to 8.1.1:
  * Drop support for Python 3.9.
  * Add support for Python 3.14.
  * Make tests resilient against different ways of calling them.
  * Remove run-time dependency on setuptools.
  * Replace pkg_resources namespace with PEP 420 native namespace.
  * Drop support for Python 3.8.
  * Allow using newer setuptools version.
- Run the testsuite as upstream does.

==== python313-setuptools ====

- add testsuite for tests

==== selinux-policy ====
Version update (20260311 -> 20260410)
Subpackages: selinux-policy-targeted

- Update to version 20260410:
  * Add missing Nextcloud file contexts (bsc#1261535)
  * openSUSE uses /var/lib/php8 (bsc#1239177)
  * /srv/www/htdocs is DocumentRoot of apache (bsc#1261535)
  * Allow cloud init to domtrans into ssh keygen (bsc#1249964)
  * Allow accountsd dbus chat with systemd-homed
  * Allow accountsd read accountsd_share_t files
  * Fix file context specification for /usr/share/accountsservice
  * Allow xdm_exec_t be an entrypoint of login_userdomain
  * Allow sshd-session send a generic signal to sshd-auth
  * Allow virtnetworkd get attributes of filesystems with extended attributes
  * Allow Polkit to get attributes of user terminals
  * Allow nfsidmap connect to xdm over a unix stream socket
  * Label /usr/share/accountsservice with accountsd_share_t
  * Allow systemd-resolved write to systemd-networkd socket
  * Dontaudit setroubleshootd read root's home files like .rpmmacros
  * Support sandboxing features for sysadm_t
  * Allow unconfined_t mounton on itself (bsc#1261035)
  * update support for polkit agent helper (bsc#1251931)
  * Add auth_nnp_domtrans_chkpwd()
  * Allow staff_sudo_t read PID1's process state
  * Allow staff_sudo_t read logind sessions files
  * Allow nfs-server system generator the dac_read_search capability
  * Allow snmpd create and use netlink tcpdiag socket
  * Allow systemd-coredump signull containers
  * Allow named_filetrans_domain filetrans flatpak homedir (bsc#1253682)
  * Dontaudit logrotate perfmon and sys_admin capabilities
  * Allow samba-bgqd sendto over a unix dgram socket
  * Allow snapper sdbootutil plugin read kernel modules (bsc#1259867)
  * Move interfaces from other modules to optional block
  * Allow fedoratp_exec_t be an entrypoint of unconfined_t
  * Allow rasdaemon_t to list pstore (bsc#1259742)
  * Allow virtqemud_t send kill signal to svirt_tcg_t
  * Allow virtqemud_t get priority of a svirt_t process
  * Allow sysadm user connect to lvm over a unix stream socket
  * Allow staff user delete thump_tmp_t files
  * Allow staff user connect to systemd-logind over a unix stream socket
  * Allow staff user mount /proc
  * Allow virtqemud map vhost net device
  * Dontaudit ps to read proc (bsc#1257527)
  * Revert "Define file equivalency for /var/opt" (bsc#1259704)
  * Allow dovecot_deliver_t map its private tmp files
  * Allow rpcbind get attributes of the pidfs filesystem
  * Fix names in mysql.if
  * Allow create kerberos files in mysql db home
  * Allow systemd-resolved connect to systemd-networkd over a unix stream socket
  * Introduce local_login_allow_accountutils_fallback_mode boolean (bsc#1259119)
  * Make stalld stalld_var_run_t labeling rules more generic (bsc#1259438)
- Syncing with upstream rawhide selinux-policy up to:
  * d3068ffe2a211a7e959bb1d0ad9dd434c2d7da5b
- Update embedded container-selinux version to commit:
  * f336064bb5a086cab121c02acf285a68fa4b8352 (v2.247.0)