Packages changed:
  GraphicsMagick
  ImageMagick (7.1.2.18 -> 7.1.2.19)
  acpica (20251212 -> 20260408)
  bind (9.20.21 -> 9.20.22)
  blog (2.37 -> 2.38)
  brltty (6.9 -> 6.9.1)
  geoclue2 (2.8.0 -> 2.8.1)
  leancrypto (1.6.0 -> 1.7.2)
  libarchive (3.8.6 -> 3.8.7)
  libjpeg-turbo (3.1.2 -> 3.1.4.1)
  libpng16 (1.6.56 -> 1.6.57)
  libstorage-ng (4.5.309 -> 4.5.312)
  lilv (0.26.2 -> 0.26.4)
  ncurses
  openSUSE-release (20260415 -> 20260416)
  ovmf
  patterns-base
  python-requests
  selinux-policy (20260410 -> 20260414)
  sqlite3 (3.51.3 -> 3.53.0)
  texlive
  virtualbox
  virtualbox-kmp

=== Details ===

==== GraphicsMagick ====
Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config

- added patches
  CVE-2026-26284: Heap overflow in pcd decoder leads to out of bounds read. [bsc#1258765]
  * GraphicsMagick-CVE-2026-26284.patch

==== ImageMagick ====
Version update (7.1.2.18 -> 7.1.2.19)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.2.19
  * Support for 4-bit (indexed 16-color) PCX #8655
  * Increase code determinism when compiling with fuzzing instrumentation #8544
  * Fix MNG animation speed for sub-frame animations with offsets #8666
  * Fix JXL animated export transparent blending and offset frames #8656
  * build(deps): bump ImageMagick/code-signing-action from 1.0.0 to 1.0.1 #8660
  * build(deps): bump github/codeql-action from 4.32.6 to 4.35.1 #8661
  * Fix AVIF animation export error on sequences with mixed alpha #8657
  * build(deps): bump msys2/setup-msys2 from 2.30.0 to 2.31.0 #8645
  * build(deps): bump caphyon/advinst-github-action from 2.0.1 to 2.0.2 #8647
  * build(deps): bump azure/login from 2.3.0 to 3.0.0 #8643
  * Fix APNG output duration/framerate #8639
  * Animated AVIF support (libheif 1.20.0+) #8640
  * Set BackgroundDispose for animated JXL frames with alpha #8635
  * Skip frame duplication for APNG in video coder #8636
- fixes CVE-2026-33905 [bsc#1262097]

==== acpica ====
Version update (20251212 -> 20260408)

- Enable obs_scm in _service for git based tarball generation
- Update to version 20260408:
  * Update version to 20260408
  * Update the copyright year to 2026
  * Enhance OEM ID and Table ID validation in AcpiExLoadTableOp to prevent buffer overflows
  * Fix NULL pointer dereference in AcpiNsCustomPackage
  * Enhance buffer validation in AcpiUtWalkAmlResources to prevent buffer overflows
  * Add validation for Node in AcpiNsBuildNormalizedPath to prevent use-after-free vulnerabilities
  * validate resource template buffer length and check allocation type
  * validate handler object type in AcpiEvHasDefaultHandler and AcpiEvFindRegionHandler
  * Fix integer overflow in AcpiExOpcode_3A_1T_1R (MidOp)
  * Prevent adding references for local, argument, and debug objects in AcpiUtCopySimpleObject

==== bind ====
Version update (9.20.21 -> 9.20.22)
Subpackages: bind-doc bind-utils

- Update to release 9.20.22
  Security Fixes:
  * Fix crash when reconfiguring zone update policy during active updates.
  Bug Fixes:
  * Fix intermittent named crashes during asynchronous zone operations.
  * Count temporal problems with DNSSEC validation as attempts.
  * Fix a possible deadlock in RPZ processing.
  * Fix a crash triggered by rndc modzone on a zone from a configuration file.
  * Fix the processing of empty catalog zone ACLs.
  * Fix a crash triggered by rndc modzone on zone that already existed in NZF file.
  * Fix potential resource leak during resolver error handling.

==== blog ====
Version update (2.37 -> 2.38)
Subpackages: libblogger2

- Update to version 2.38
  * Silent debugging messages in epoll algorithm (boo#1261699)
  * Make it work on 3215 console of s390 means no tcdrain() for 3215, no blocking writes, not more than 130 characters per line, no \r, finalize lines with \n. Nevertheless use a blocking read for password requests. Make automatic CLEAR a kernel command line option with the parameter blog.timeout=0 (boo#1261697)

==== brltty ====
Version update (6.9 -> 6.9.1)
Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-speech-dispatcher brltty-driver-xwindow brltty-lang libbrlapi0_8 python3-brlapi system-user-brltty xbrlapi

- Update to version 6.9.1:
  + Too many changes; please read ChangeLog
- Drop brltty-handytech-crash-fix.patch: fixed upstream.

==== geoclue2 ====
Version update (2.8.0 -> 2.8.1)
Subpackages: system-user-srvGeoClue typelib-1_0-Geoclue-2_0

- Update to version 2.8.1
  * Accept NMEA GGA sentences with 11 or more parts (needed 14 or more previously).
  * Use async D-bus 'Set' methods to set client properties in libgeoclue to improve robustness.
  * Do not change Client Location property on updates which are below threshold to avoid leaking location to D-bus.
  * Ignore wired WPA interfaces when finding an interface for WiFi scanning.

==== leancrypto ====
Version update (1.6.0 -> 1.7.2)
Subpackages: libleancrypto1 libleancrypto1-32bit

- Update to 1.7.2:
  * Fix RDSEED counter
  * Process code by AI code checkers and apply suggested cosmetic fixes
  * Heap memory: always munlock all mlock'ed memory
  * Fix ChaCha20 on Apple compiled with XCode 26.4
  * Fix a potential crasher with Base64 and applied various fixes reported
  * Add X.509 certificate signing request (CSR) generator and parser
  * ML-DSA: add lc_dilithium_pk_from_sk API to derive the PK from a given SK
  * SLH-DSA: add lc_sphincs_pk_from_sk API to derive the PK from a given SK
  * ML-KEM: add lc_kyber_pk_from_sk API to derive the PK from a given SK
  * AES-CT: fix non-aligned data processing - reported
  * Apply suggestions from Claude code
  * X.509: Enforce path length restriction
- Update to 1.7.1
  * Offer a means to select the AES-C constant time / S-Box implementation via lc_init API
  * use the AES-C constant time implementation by default - it is about 3 times slower than the AES-C S-Box implementation, but more secure. As the leancrypto library is about secure by default, the CT implementation is just right. Furthermore, if a caller wants to have the faster AES-C S-Box, he can call lc_init(LC_INIT_AES_SBOX) at the beginning.
  * CVE-2026-34610: X.509: fix security issue (bsc#1261382)
  * FIPS: mark only seeded DRBG instances as FIPS-approved
  * ASN.1: add lc_x509_cert_check_issuer_ca convenience function
  * Enable side-channel-resistant AES implementation (and thus enable respective Timecop tests)
  * Fix some side channel test failures (all failures are due to test case issues, and no real problems)
  * AARCH64: enable GCS support (see https://community.arm.com/arm-community-blogs/b/tools-software-ides-blog/posts/gcc-15-continuously-improving#guarded and https://docs.kernel.org/next/arch/arm64/gcs.html)
  * Add PKCS#8 support for ML-DSA following RFC9881 including full support for the seed or full keys. The change adds OpenSSL interoperability testing as well. NOTE: The raw on-disk private key format that is generated with lc_x509_generate --create-keypair changed to comply with RFC9881.
  * Add PKCS#8 support for SLH-DSA. The change adds OpenSSL interoperability testing as well. NOTE: The raw on-disk private key format that is generated with lc_x509_generate --create-keypair changed to dump the raw key instead of wrapping it into a BIT STRING to comply with OpenSSL's format.
  * Provide full PKCS#7 interoperability with OpenSSL: OpenSSL artificially orders the parsing of the authenticated attributes. This implies that the message digest part of the authenticated attributes is parsed as last entry. This ordering is important for the signature generation and verification. Furthermore, for ML-DSA/SLH-DSA, the authenticated attributes are signed with the pure algorithm instead of the pre-hashed operation as suggested by RFC5652 section 9.2.
  * ML-KEM/DSA: add safety measures against compilers trying to reason about code they should not reason about. Derived from https://github.com/pq-code-package/ml[dsa|kem]-native/
  * ML-DSA: reduce amount of duplicate code compilation suggested
  * ML-DSA: fix bug in poly_uniform which, however, is unlikely to be triggered
  * ChaCha20: fix crasher when assembler support is not compiled
  * Add AES constant time C implementation accessible with the lc_aes_*ct references. Yet, it is about 3 times slower than the default C implementation. Thus it is only provided if somebody truly relies on a constant time implementation.
- Patches are merged upstream:
  * Drop fe9751f2.patch
  * Drop leancrypto_avx_detect1.patch
  * Drop leancrypto_avx_detect2.patch
  * Drop 0469d92f.patch
- For full changelog, see:
  https://github.com/smuellerDD/leancrypto/releases/tag/v1.7.0
  https://github.com/smuellerDD/leancrypto/releases/tag/v1.7.1

==== libarchive ====
Version update (3.8.6 -> 3.8.7)

- Update to 3.8.7:
  * CAB: fix NULL pointer dereference during skip (#2900)
  * CAB: Fix Heap OOB Write in CAB LZX decoder (#2919)
  * cpio: various fixes and improvements (#2899, #2908, #2910, #2939)
  * contrib/untar: fix out-of-bounds read (#2903)
  * iso9660: fix undefined behavior (#2897)
  * iso9660: fix possible heap buffer overflow on 32-bit systems (#2934)
  * libarchive: fix handling of option failures (#2871)
  * libarchive: do not continue with truncated numbers (#2911)
  * libarchive: lzop and grzip filter support (#2947)
  * RAR: fix LZSS window size mismatch after PPMd block (#2898)
- Added add-missing-tests.patch: the distributed tarball is missing a test file, add it back
- Removed libarchive-3.8.6-add-missing-test.patch

==== libjpeg-turbo ====
Version update (3.1.2 -> 3.1.4.1)
Subpackages: libjpeg8 libjpeg8-x86-64-v3 libturbojpeg0 libturbojpeg0-x86-64-v3

- update to 3.1.4.1:
  * Fixed an issue in the TurboJPEG 2.x compatibility wrapper whereby, if a calling program attempted to decompress a lossless JPEG image using `tjDecompress2()` with decompression scaling, the decompressed image was unexpectedly unscaled.
  * The SIMD dispatchers now use `getauxval()` or `elf_aux_info()`, if available, to detect support for Neon and AltiVec instructions on AArch32 and PowerPC Linux, Android, and *BSD systems.
  * Hardened the libjpeg API against hypothetical applications that may erroneously set one of the exposed quantization table values to 0 just before calling `jpeg_start_compress()`.
  * Fixed a division-by-zero error that occurred when attempting to use the jpegtran `-drop` option with a specially-crafted malformed drop
  * a memory leak that occurred if a pre-allocated JPEG destination buffer was passed to `tj3Compress*()` or `tj3Transform()`, `TJPARAM_NOREALLOC` was unset, and it was necessary for the library to re-allocate the buffer to accommodate the destination image
  * a potential caller double free that occurred if pre-allocated JPEG destination buffers were passed to `tj3Transform()`, multiple lossless transform operations were performed, and it was necessary for the library to re-allocate the second buffer to accommodate the second destination image.
  * Fixed an issue in `tj3Transform()` whereby, if `TJPARAM_SAVEMARKERS` was set to 2 or 4, `TJXOPT_COPYNONE` was not specified, an ICC profile was extracted from the source image, and another ICC profile was associated with the TurboJPEG instance using `tj3SetICCProfile()`, both profiles were embedded in the destination image. The documented API behavior is for `TJXOPT_COPYNONE` to take precedence over `TJPARAM_SAVEMARKERS` and for `TJPARAM_SAVEMARKERS` to take precedence over the associated ICC profile. Thus, `tj3Transform()` now ignores the associated ICC profile unless `TJXOPT_COPYNONE` is specified or `TJPARAM_SAVEMARKERS` is set to something other than 2 or 4.
  * Fixed an oversight in the libjpeg API whereby, if a calling application manually set `cinfo.Ss` (the predictor selection value) to a value less than 1 or greater than 7 after calling `jpeg_enable_lossless()` and prior to calling `jpeg_start_compress()`, an incorrect (all white) lossless JPEG image was silently generated.
  * Further hardened the TurboJPEG Java API against hypothetical applications that may erroneously pass huge values to one of the compression, YUV encoding, decompression, YUV decoding, or packed-pixel image I/O methods, leading to signed integer overflow in the JNI wrapper's buffer size checks that rendered those checks ineffective.
- update to 3.1.3:
  * Hardened the TurboJPEG API against hypothetical applications that may erroneously call `tj*Compress*()` or `tj*Transform()` with a reused JPEG destination buffer pointer while specifying a destination buffer size of 0.
  * Hardened the TurboJPEG API against hypothetical applications that may erroneously set `TJPARAM_LOSSLESS` or `TJPARAM_COLORSPACE` prior to calling `tj3EncodeYUV*8()` or `tj3CompressFromYUV*8()`. `tj3EncodeYUV*8()` and `tj3CompressFromYUV*8()` now ignore `TJPARAM_LOSSLESS` and `TJPARAM_COLORSPACE`.
  * Hardened the TurboJPEG Java API against hypothetical applications that may erroneously pass huge X or Y offsets to one of the compression, YUV encoding, decompression, or YUV decoding methods, leading to signed integer overflow in the JNI wrapper's buffer size checks that rendered those checks ineffective.
  * Fixed an issue in the TurboJPEG Java API whereby `TJCompressor.getSourceBuf()` sometimes returned the buffer from a previous invocation of `TJCompressor.loadSourceImage()` if the target data precision was changed before the most recent invocation.
  * Fixed an issue in the PPM reader that caused incorrect pixels to be generated when using `tj3LoadImage*()` or `TJCompressor.loadSourceImage()` to load a PBMPLUS (PPM/PGM) file into a CMYK buffer with a different data precision than that of the file.

==== libpng16 ====
Version update (1.6.56 -> 1.6.57)
Subpackages: libpng16-16 libpng16-16-x86-64-v3

- version update to 1.6.57:
  * Fixed CVE-2026-34757 (medium severity): Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST` leading to corrupted chunk data and potential heap information disclosure. Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`, `png_set_unknown_chunks`) against a theoretical variant of the same aliasing pattern. (Reported by Iv4n.)
  * Fixed integer overflow in rowbytes computation in read transforms. (Contributed by Mohammad Seet.)
- fixes [bsc#1261957]

==== libstorage-ng ====
Version update (4.5.309 -> 4.5.312)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1067
- removed unneeded mockups
- 4.5.312
- merge gh#openSUSE/libstorage-ng#1066
- handle invalid output from parted
- 4.5.311
- merge gh#openSUSE/libstorage-ng#1065
- moved devicegraph copy function to impl
- 4.5.310

==== lilv ====
Version update (0.26.2 -> 0.26.4)

- Update to 0.26.4
  * Add clang nullability annotations
  * Address new warnings in clang and clang-tidy 21
  * Fix default LV2 path on cross-compiled Windows builds
  * Fix loading of duplicate bundles with equivalent versions
  * Fix potential crash when UIs have multiple types or binaries
  * Use consistent quoting and punctuation in log messages
- Set suse_version for enabling docs to >= to 1699 as we don't have python3-sphinxygen in SLES (jsc#PED-15821)

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- added fix-mouse.patch to fix regression introduced in patch 20260301 causing htop to crash (boo#1253379)

==== openSUSE-release ====
Version update (20260415 -> 20260416)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== ovmf ====
Subpackages: qemu-ovmf-x86_64

- Add DEBUG_TO_MEM build option for x86_64 and AArch64
- Linux kernel version 6.17 introduces a new boolean config option, OVMF_DEBUG_LOG. When enabled, the kernel exposes the firmware debug log via sysfs. If both the kernel and firmware support this feature, the log will be available under /sys/firmware/efi/ovmf_debug_log.
- This option enables compatibility with the kernel feature, allowing firmware debug logs to be retrieved from the OS without relying on traditional debug interfaces.

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced

- add hardware pattern used for SL-Micro equivalent images
- extend the immutable base pattern content
- add missing pattern-visible() provide to immutable_base pattern (bsc#1262133)

==== python-requests ====
Subpackages: python311-requests python313-requests

- Recover fix-chardet-RequestsDependencyWarning.patch, bsc#1261500
  * Fix RequestsDependencyWarning with chardet (6.0.0dev0) on Factory/TW (gh#psf/requests#7219) (gh#psf/requests#7220) (gh#psf/requests#7239)

==== selinux-policy ====
Version update (20260410 -> 20260414)
Subpackages: selinux-policy-targeted

- Update to version 20260414:
  * Allow snapper_sdbootutil_plugin_t linux_immutable (bsc#1261945)
  * allow unconfined services to read VM state (bsc#1251789)

==== sqlite3 ====
Version update (3.51.3 -> 3.53.0)
Subpackages: libsqlite3-0 libsqlite3-0-x86-64-v3 sqlite3-tcl

- Update to version 3.53.0:
  * https://sqlite.org/releaselog/3_53_0.html
  * Add the Query Result Formatter (QRF) library for formatting the results of SQL queries for human readability on a fixed-pitch font screen.
  * Enhance ALTER TABLE to permit adding and removing NOT NULL and CHECK constraints.
  * The REINDEX EXPRESSIONS statement rebuilds expression indexes.
  * The body of TEMP triggers may now modify and/or query tables in the main schema.
  * Enhance VACUUM INTO so that if a URI filename is used as the target and that filename has a reserve=N query parameter with N between 0 and 255, then the reserve amount for the generated database copy is set to N.
  * New SQL functions json_array_insert() and jsonb_array_insert().
  * Renovations to the CLI.
  * New C-language interfaces: sqlite3_str_truncate(), sqlite3_str_free(), sqlite3_carray_bind_v2().
  * Add the SQLITE_PREPARE_FROM_DDL option to sqlite3_prepare_v3().
  * Added the SQLITE_UTF8_ZT constant which can be used as the encoding parameter to sqlite3_result_text64() or sqlite3_bind_text64() to indicate that the value is UTF-8 encoded and zero terminated.
  * The SQLITE_LIMIT_PARSER_DEPTH option is added to sqlite3_limit().
  * The SQLITE_DBCONFIG_FP_DIGITS option is added to sqlite3_db_config().
  * Query planner improvements.
  * Add new interfaces to the session extension that enable an application to add changes one at a time to the sqlite3_changegroup object.
  * Improvements to floating-point ↔ text conversions.
  * Added the self-healing index feature to deal with the stale expression index problem.
  * Add the "-p|--port" option to sqlite3_rsync.
  * Add the "opfs-wl" VFS, functionally identical to the "opfs" VFS but using Web Locks for locking, which can promise fairer lock sharing than the "opfs" bespoke protocol can. "opfs-wl" requires Atomics.waitAsync(), so requires newer browsers than "opfs" does.

==== texlive ====

- Add upstream patch source-tl-r78399.dif
  * Fix report on tlsecurity
- Modify patch source-dvipdfmx.dif with the code change from Fabian
- Add patch source-dvipdfmx.dif to make test in dvipdfmx tree work even on s390x (boo#1262008)
- Correct cflags() shell function usage to catch g++ case as well ... here to use -std=g++17 (boo#1262013)

==== virtualbox ====

- Tweak the build conditions according to %suse_version=1610 change

==== virtualbox-kmp ====

- Tweak the build conditions according to %suse_version=1610 change