Packages changed:
  MicroOS-release (20260415 -> 20260416)
  blog (2.37 -> 2.38)
  leancrypto (1.6.0 -> 1.7.2)
  libarchive (3.8.6 -> 3.8.7)
  libjpeg-turbo
  libpng16 (1.6.56 -> 1.6.57)
  lilv (0.26.2 -> 0.26.4)
  ncurses
  patterns-base
  python-requests
  rust-keylime
  selinux-policy (20260410 -> 20260414)
  sqlite3 (3.51.3 -> 3.53.0)

=== Details ===

==== MicroOS-release ====
Version update (20260415 -> 20260416)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== blog ====
Version update (2.37 -> 2.38)
Subpackages: libblogger2

- Update to version 2.38
  * Silence debugging messages in epoll algorithm (boo#1261699)
  * Make it work on 3215 console of s390
    means no tcdrain() for 3215, no blocking writes, not more
    than 130 characters per line, no \r, finalize lines with \n.
    Nevertheless use a blocking read for password requests.
    Make automatic CLEAR a kernel command line option with the
    parameter blog.timeout=0 (boo#1261697)

==== leancrypto ====
Version update (1.6.0 -> 1.7.2)

- Update to 1.7.2:
  * Fix RDSEED counter
  * Process code by AI code checkers and apply suggested cosmetic fixes
  * Heap memory: always munlock all mlock'ed memory
  * Fix ChaCha20 on Apple compiled with XCode 26.4
  * Fix a potential crasher with Base64 and applied various fixes reported
  * Add X.509 certificate signing request (CSR) generator and parser
  * ML-DSA: add lc_dilithium_pk_from_sk API to derive the PK from a
    given SK
  * SLH-DSA: add lc_sphincs_pk_from_sk API to derive the PK from a
    given SK
  * ML-KEM: add lc_kyber_pk_from_sk API to derive the PK from a given SK
  * AES-CT: fix non-aligned data processing - reported
  * Apply suggestions from Claude code
  * X.509: Enforce path length restriction
- Update to 1.7.1
  * Offer a means to select the AES-C constant time / S-Box
    implementation via lc_init API
  * use the AES-C constant time implementation by default - it is about
    3 times slower than the AES-C S-Box implementation, but more secure.
    As the leancrypto library is about secure by default, the CT
    implementation is just right. Furthermore, if a caller wants to have
    the faster AES-C S-Box, he can call lc_init(LC_INIT_AES_SBOX) at the
    beginning.
  * CVE-2026-34610: X.509: fix security issue (bsc#1261382)
  * FIPS: mark only seeded DRBG instances as FIPS-approved
  * ASN.1: add lc_x509_cert_check_issuer_ca convenience function
  * Enable side-channel-resistant AES implementation (and thus enable
    respective Timecop tests)
  * Fix some side channel test failures (all failures are due to test
    case issues, and no real problems)
  * AARCH64: enable GCS support (see
    https://community.arm.com/arm-community-blogs/b/tools-software-ides-blog/posts/gcc-15-continuously-improving#guarded
    and https://docs.kernel.org/next/arch/arm64/gcs.html)
  * Add PKCS#8 support for ML-DSA following RFC9881 including full
    support for the seed or full keys. The change adds OpenSSL
    interoperability testing as well.
    NOTE: The raw on-disk private key format that is generated with
    lc_x509_generate --create-keypair changed to comply with RFC9881.
  * Add PKCS#8 support for SLH-DSA. The change adds OpenSSL
    interoperability testing as well.
    NOTE: The raw on-disk private key format that is generated with
    lc_x509_generate --create-keypair changed to dump the raw key
    instead of wrapping it into a BIT STRING to comply with OpenSSL's
    format.
  * Provide full PKCS#7 interoperability with OpenSSL: OpenSSL
    artificially orders the parsing of the authenticated attributes.
    This implies that the message digest part of the authenticated
    attributes is parsed as last entry. This ordering is important for
    the signature generation and verification. Furthermore, for
    ML-DSA/SLH-DSA, the authenticated attributes are signed with the
    pure algorithm instead of the pre-hashed operation as suggested by
    RFC5652 section 9.2.
  * ML-KEM/DSA: add safety measures against compilers trying to reason
    about code they should not reason about. Derived from
    https://github.com/pq-code-package/ml[dsa|kem]-native/
  * ML-DSA: reduce amount of duplicate code compilation suggested
  * ML-DSA: fix bug in poly_uniform which, however, is unlikely to be
    triggered
  * ChaCha20: fix crasher when assembler support is not compiled
  * Add AES constant time C implementation accessible with the
    lc_aes_*ct references. Yet, it is about 3 times slower than the
    default C implementation. Thus it is only provided if somebody truly
    relies on a constant time implementation.
- Patches are merged upstream:
  * Drop fe9751f2.patch
  * Drop leancrypto_avx_detect1.patch
  * Drop leancrypto_avx_detect2.patch
  * Drop 0469d92f.patch
- For full changelog, see:
  https://github.com/smuellerDD/leancrypto/releases/tag/v1.7.0
  https://github.com/smuellerDD/leancrypto/releases/tag/v1.7.1

==== libarchive ====
Version update (3.8.6 -> 3.8.7)

- Update to 3.8.7:
  * CAB: fix NULL pointer dereference during skip (#2900)
  * CAB: Fix Heap OOB Write in CAB LZX decoder (#2919)
  * cpio: various fixes and improvements (#2899, #2908, #2910, #2939)
  * contrib/untar: fix out-of-bounds read (#2903)
  * iso9660: fix undefined behavior (#2897)
  * iso9660: fix possible heap buffer overflow on 32-bit systems (#2934)
  * libarchive: fix handling of option failures (#2871)
  * libarchive: do not continue with truncated numbers (#2911)
  * libarchive: lzop and grzip filter support (#2947)
  * RAR: fix LZSS window size mismatch after PPMd block (#2898)
- Added add-missing-tests.patch: the distributed tarball is missing a
  test file, add it back
- Removed libarchive-3.8.6-add-missing-test.patch

==== libjpeg-turbo ====

- update to 3.1.4.1:
  * Fixed an issue in the TurboJPEG 2.x compatibility wrapper whereby,
    if a calling program attempted to decompress a lossless JPEG image
    using `tjDecompress2()` with decompression scaling, the decompressed
    image was unexpectedly unscaled.
  * The SIMD dispatchers now use `getauxval()` or `elf_aux_info()`, if
    available, to detect support for Neon and AltiVec instructions on
    AArch32 and PowerPC Linux, Android, and *BSD systems.
  * Hardened the libjpeg API against hypothetical applications that may
    erroneously set one of the exposed quantization table values to 0
    just before calling `jpeg_start_compress()`.
  * Fixed a division-by-zero error that occurred when attempting to use
    the jpegtran `-drop` option with a specially-crafted malformed drop
  * a memory leak that occurred if a pre-allocated JPEG destination
    buffer was passed to `tj3Compress*()` or `tj3Transform()`,
    `TJPARAM_NOREALLOC` was unset, and it was necessary for the library
    to re-allocate the buffer to accommodate the destination image
  * a potential caller double free that occurred if pre-allocated JPEG
    destination buffers were passed to `tj3Transform()`, multiple
    lossless transform operations were performed, and it was necessary
    for the library to re-allocate the second buffer to accommodate the
    second destination image.
  * Fixed an issue in `tj3Transform()` whereby, if `TJPARAM_SAVEMARKERS`
    was set to 2 or 4, `TJXOPT_COPYNONE` was not specified, an ICC
    profile was extracted from the source image, and another ICC profile
    was associated with the TurboJPEG instance using
    `tj3SetICCProfile()`, both profiles were embedded in the destination
    image. The documented API behavior is for `TJXOPT_COPYNONE` to take
    precedence over `TJPARAM_SAVEMARKERS` and for `TJPARAM_SAVEMARKERS`
    to take precedence over the associated ICC profile. Thus,
    `tj3Transform()` now ignores the associated ICC profile unless
    `TJXOPT_COPYNONE` is specified or `TJPARAM_SAVEMARKERS` is set to
    something other than 2 or 4.
  * Fixed an oversight in the libjpeg API whereby, if a calling
    application manually set `cinfo.Ss` (the predictor selection value)
    to a value less than 1 or greater than 7 after calling
    `jpeg_enable_lossless()` and prior to calling
    `jpeg_start_compress()`, an incorrect (all white) lossless JPEG
    image was silently generated.
  * Further hardened the TurboJPEG Java API against hypothetical
    applications that may erroneously pass huge values to one of the
    compression, YUV encoding, decompression, YUV decoding, or
    packed-pixel image I/O methods, leading to signed integer overflow
    in the JNI wrapper's buffer size checks that rendered those checks
    ineffective.
- update to 3.1.3:
  * Hardened the TurboJPEG API against hypothetical applications that
    may erroneously call `tj*Compress*()` or `tj*Transform()` with a
    reused JPEG destination buffer pointer while specifying a
    destination buffer size of 0.
  * Hardened the TurboJPEG API against hypothetical applications that
    may erroneously set `TJPARAM_LOSSLESS` or `TJPARAM_COLORSPACE` prior
    to calling `tj3EncodeYUV*8()` or `tj3CompressFromYUV*8()`.
    `tj3EncodeYUV*8()` and `tj3CompressFromYUV*8()` now ignore
    `TJPARAM_LOSSLESS` and `TJPARAM_COLORSPACE`.
  * Hardened the TurboJPEG Java API against hypothetical applications
    that may erroneously pass huge X or Y offsets to one of the
    compression, YUV encoding, decompression, or YUV decoding methods,
    leading to signed integer overflow in the JNI wrapper's buffer size
    checks that rendered those checks ineffective.
  * Fixed an issue in the TurboJPEG Java API whereby
    `TJCompressor.getSourceBuf()` sometimes returned the buffer from a
    previous invocation of `TJCompressor.loadSourceImage()` if the
    target data precision was changed before the most recent invocation.
  * Fixed an issue in the PPM reader that caused incorrect pixels to be
    generated when using `tj3LoadImage*()` or
    `TJCompressor.loadSourceImage()` to load a PBMPLUS (PPM/PGM) file
    into a CMYK buffer with a different data precision than that of the
    file.

==== libpng16 ====
Version update (1.6.56 -> 1.6.57)

- version update to 1.6.57:
  * Fixed CVE-2026-34757 (medium severity): Use-after-free in
    `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST` leading to
    corrupted chunk data and potential heap information disclosure.
    Also hardened the append-style setters (`png_set_text`,
    `png_set_sPLT`, `png_set_unknown_chunks`) against a theoretical
    variant of the same aliasing pattern. (Reported by Iv4n.)
  * Fixed integer overflow in rowbytes computation in read transforms.
    (Contributed by Mohammad Seet.)
- fixes [bsc#1261957]

==== lilv ====
Version update (0.26.2 -> 0.26.4)

- Update to 0.26.4
  * Add clang nullability annotations
  * Address new warnings in clang and clang-tidy 21
  * Fix default LV2 path on cross-compiled Windows builds
  * Fix loading of duplicate bundles with equivalent versions
  * Fix potential crash when UIs have multiple types or binaries
  * Use consistent quoting and punctuation in log messages
- Set suse_version for enabling docs to >= to 1699 as we don't have
  python3-sphinxygen in SLES (jsc#PED-15821)

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo-base

- added fix-mouse.patch to fix regression introduced in patch 20260301
  causing htop to crash (boo#1253379)

==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11

- add hardware pattern used for SL-Micro equivalent images
- extend the immutable base pattern content
- add missing pattern-visible() provide to immutable_base pattern
  (bsc#1262133)

==== python-requests ====

- Recover fix-chardet-RequestsDependencyWarning.patch, bsc#1261500
  * Fix RequestsDependencyWarning with chardet (6.0.0dev0) on Factory/TW
    (gh#psf/requests#7219) (gh#psf/requests#7220) (gh#psf/requests#7239)

==== rust-keylime ====

- Build with Clang <= 21 for now to work around boo#1260596.

==== selinux-policy ====
Version update (20260410 -> 20260414)
Subpackages: selinux-policy-targeted

- Update to version 20260414:
  * Allow snapper_sdbootutil_plugin_t linux_immutable (bsc#1261945)
  * allow unconfined services to read VM state (bsc#1251789)

==== sqlite3 ====
Version update (3.51.3 -> 3.53.0)

- Update to version 3.53.0:
  * https://sqlite.org/releaselog/3_53_0.html
  * Add the Query Result Formatter (QRF) library for formatting the
    results of SQL queries for human readability on a fixed-pitch font
    screen.
  * Enhance ALTER TABLE to permit adding and removing NOT NULL and CHECK
    constraints.
  * The REINDEX EXPRESSIONS statement rebuilds expression indexes.
  * The body of TEMP triggers may now modify and/or query tables in the
    main schema.
  * Enhance VACUUM INTO so that if a URI filename is used as the target
    and that filename has a reserve=N query parameter with N between 0
    and 255, then the reserve amount for the generated database copy is
    set to N.
  * New SQL functions json_array_insert() and jsonb_array_insert().
  * Renovations to the CLI.
  * New C-language interfaces: sqlite3_str_truncate(),
    sqlite3_str_free(), sqlite3_carray_bind_v2().
  * Add the SQLITE_PREPARE_FROM_DDL option to sqlite3_prepare_v3().
  * Added the SQLITE_UTF8_ZT constant which can be used as the encoding
    parameter to sqlite3_result_text64() or sqlite3_bind_text64() to
    indicate that the value is UTF-8 encoded and zero terminated.
  * The SQLITE_LIMIT_PARSER_DEPTH option is added to sqlite3_limit().
  * The SQLITE_DBCONFIG_FP_DIGITS option is added to
    sqlite3_db_config().
  * Query planner improvements.
  * Add new interfaces to the session extension that enable an
    application to add changes one at a time to the sqlite3_changegroup
    object.
  * Improvements to floating-point ↔ text conversions.
  * Added the self-healing index feature to deal with the stale
    expression index problem.
  * Add the "-p|--port" option to sqlite3_rsync.
  * Add the "opfs-wl" VFS, functionally identical to the "opfs" VFS but
    using Web Locks for locking, which can promise fairer lock sharing
    than the "opfs" bespoke protocol can. "opfs-wl" requires
    Atomics.waitAsync(), so requires newer browsers than "opfs" does.