Packages changed: LibVNCServer dnsmasq dracut (110+suse.16.g47bca564 -> 110+suse.18.g5a7a17b3) edict (20251001 -> 20260325) fprintd (1.94.4 -> 1.94.5) freeipmi (1.6.16 -> 1.6.17) fribidi (1.0.15 -> 1.0.16) java-25-openjdk libHX (5.3 -> 5.4) libopenmpt (0.8.4 -> 0.8.6) libtpms (0.10.1 -> 0.10.2) llvm21 ncurses (6.6.20260307 -> 6.6.20260321) nghttp2 (1.68.0 -> 1.68.1) openSUSE-release (20260324 -> 20260326) pam_pkcs11 python-numpy python-pycares (4.11.0 -> 5.0.1) python-tornado6 rdma-core re2c (4.4 -> 4.5) sbc (2.1 -> 2.2) sdbootutil (1+git20260319.f4cfda0 -> 1+git20260324.bd0fc60) snapper tigervnc (1.16.0 -> 1.16.1) tnftp (20230507 -> 20260211) userspace-rcu (0.15.5 -> 0.15.6) wireplumber (0.5.13 -> 0.5.14) xscreensaver yast2 (5.0.19 -> 5.0.20) yast2-alternatives (5.0.0 -> 5.0.1) yast2-auth-client (5.0.3 -> 5.0.4) yast2-configuration-management (5.0.0 -> 5.0.1) yast2-country (5.0.4 -> 5.0.5) yast2-firewall (5.0.1 -> 5.0.2) yast2-firstboot (5.0.1 -> 5.0.2) yast2-ftp-server (5.0.0 -> 5.0.1) yast2-iscsi-client (5.0.11 -> 5.0.12) yast2-isns (5.0.0 -> 5.0.1) yast2-journal (5.0.2 -> 5.0.3) yast2-kdump (5.0.6 -> 5.0.7) yast2-nfs-client (5.0.1 -> 5.0.2) yast2-nfs-server (5.0.1 -> 5.0.2) yast2-ntp-client (5.0.0 -> 5.0.1) yast2-online-update (5.0.0 -> 5.0.1) yast2-printer (5.0.0 -> 5.0.1) yast2-proxy (5.0.0 -> 5.0.1) yast2-samba-client (5.0.3 -> 5.0.4) yast2-samba-server (5.0.1 -> 5.0.2) yast2-scanner (5.0.0 -> 5.0.1) yast2-security (5.0.4 -> 5.0.5) yast2-slp-server (5.0.0 -> 5.0.1) yast2-storage-ng (5.0.41 -> 5.0.42) yast2-sudo (5.0.0 -> 5.0.1) yast2-tftp-server (5.0.0 -> 5.0.1) yast2-theme (5.0.1 -> 5.0.2) yast2-transfer (5.0.0 -> 5.0.1) yast2-tune (5.0.0 -> 5.0.1) yast2-update (5.0.1 -> 5.0.2) yast2-users (5.0.7 -> 5.0.8) yast2-vm (5.0.0 -> 5.0.1) yast2-vpn (5.0.0 -> 5.0.1) zlib-ng-compat === Details === ==== LibVNCServer ==== - security update - added patches CVE-2026-32853 [bsc#1260431], crafted FramebufferUpdate message can lead to information disclosure or denial of service * LibVNCServer-CVE-2026-32853.patch CVE-2026-32854 [bsc#1260429], crafted HTTP requests can cause a denial of service * LibVNCServer-CVE-2026-32854.patch ==== dnsmasq ==== - boo#1257934, 4070a748.patch: Fix build with nettle 4.0. ==== dracut ==== Version update (110+suse.16.g47bca564 -> 110+suse.18.g5a7a17b3) - Update to version 110+suse.18.g5a7a17b3: * fix(zipl): repair parsing of rd.zipl=LABEL|UUID|...= (bsc#1259587) * fix(dracut): avoid calling log functions before dracut-logger is sourced ==== edict ==== Version update (20251001 -> 20260325) - Update to snapshot 20260325 * No changelog was recorded. ==== fprintd ==== Version update (1.94.4 -> 1.94.5) Subpackages: fprintd-lang fprintd-pam fprintd-pam-32bit - update to 1.94.5: * fprintd now depends on libfprint 1.94.9 * Improved handling of device errors * pam: reduce minimum timeout to 1 second * pam: support unlimited timeout ==== freeipmi ==== Version update (1.6.16 -> 1.6.17) - bsc#1260414 - CVE-2026-33554: freeipmi: improper memory handling and data validation can lead to stack buffer overflows and acceptance of malformed payloads/responses - > This got fixed by version upgrade (fix several out of bounds errors), see below - Update to version 1.6.17: * ipmi-oem: fix several memory out of bounds errors * libfreeipmi: Fix comment typo * Implement tcp proxy in ipmiconsole. * Refactor ipmiconsole: put most of the code from main() into functions. * man/ipmiconsole.8.pre.in: fix typo * libfreeipmi/locate/ipmi-locate-acpi-spmi.c: fix mem-leak ==== fribidi ==== Version update (1.0.15 -> 1.0.16) Subpackages: libfribidi0 - update to 1.0.16: * Update Unicode character databases to v16.0.0 ==== java-25-openjdk ==== Subpackages: java-25-openjdk-headless - Migrate to the new logic of FIPS patch developed by RedHat in https://github.com/rh-openjdk/jdk/tree/fips-25u - Add the sources of /nss-native-fips-key-import-export-adapter * This native library is an adapter for OpenJDK to use the NSS PKCS #11 software token (libsoftokn3.so) in FIPS mode. It provides support to import and export secret and private key material in plain. This enables Java applications to manage PKCS #12 key stores through the java.security.KeyStore API and benefit from FIPS-certified cryptography. Note: this library replaces the Java FIPS Key Importer Exporter in previous versions of this package (FIPSKeyImporter.java). - Modified patch: * fips.patch + diff the https://github.com/rh-openjdk/jdk/tree/fips-25u to the release tag jdk-25.0.2-ga and adapt for SUSE - Added patches: * nssadapter-Allow-overriding-of-gcc-name.patch + Allow specifying CC variables on system where the default gcc is too old for the features needed in the nssadapter * nssadapter-Fix-build-on-openSUSE.patch + make the build work well with SUSE packaging of NSS * 0001-Don-t-make-missing-system-crypto-policies-fatal.patch + prevent OpenJDK from throwing exception if an "include"d security config file is missing. + Allows the same package running on systems that don't provide the crypto-policies package as well as on those that provide it - Add create-crypto-properties-files.bash that generates during the build the config files for different fips and non-fips scenarios - Add TestSecurityProperties.java to test the loading of system security properties where applicable - Provide the timezone-java and tzdata-java (jsc#PED-15898) ==== libHX ==== Version update (5.3 -> 5.4) - Update to release 5.4 * Resolved some compile warnings/errors with newer compilers, libcs, and -std modes. ==== libopenmpt ==== Version update (0.8.4 -> 0.8.6) - Update to version 0.8.6: * [Sec] The security fix in libopenmpt 0.8.5 (r25042) was incomplete, causing a regression when playing short looped ("chip2) samples (r25084). - Update to 0.8.5: * [Sec] Possible out-of-bounds sample data read in a specific combination of reverse sample playback + offset past sample loop. (r25042). * MOD: ProTracker arpeggio wrapraound results in an effective period of 65536 on Paula, not pausing the sample entirely. * ULT: Loop points were incorrectly limited for 16-bit samples. ==== libtpms ==== Version update (0.10.1 -> 0.10.2) - Update to version 0.10.2: * tpm2: Fix memory leak by freeing KDF context * tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444 bsc#1260439) - Add libtpms-fix-const-correctness.patch to fix build with new glibc (bsc#1257311) ==== llvm21 ==== - clang-riscv-triple.patch: Add riscv64-suse-linux to RISCV64Triples ==== ncurses ==== Version update (6.6.20260307 -> 6.6.20260321) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20260321 + build-fix for --enable-fvisibility option vs C++ shared library (adapted from patch by Nicholas Vinson). + improve a few configure-checks vs overly-strict compiler warnings. - Add ncurses patch 20260314 + fixes for pangoterm and wezterm, from tic warnings -TD + improve man page description of getmaxyx (report by Lucas Veltkamp). + add configure option --enable-conpty, and modify configure script to allow the low-level term-driver and conpty driver as part of termlib. ==== nghttp2 ==== Version update (1.68.0 -> 1.68.1) - Update to 1.68.1 (bsc#1259835): * Fixes CVE-2026-27135 ==== openSUSE-release ==== Version update (20260324 -> 20260326) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== pam_pkcs11 ==== - Fix for bsc#1259854: * Add patch pam_pkcs11-0.6.13-fix-null-deref.patch ==== python-numpy ==== Subpackages: python311-numpy python313-numpy - Add custom code for copy binaries for tests, the python-rpm-macros doesn't provide all the needed binaries automatically. ==== python-pycares ==== Version update (4.11.0 -> 5.0.1) - update to 5.0.1: * Fix IDNA 2008 test - update to 5.0.0: * Use Literal for type * Use CMake for compiling c-ares * build(deps): bump actions/setup-python from 5 to 6 * build(deps): bump pypa/cibuildwheel from 3.1.4 to 3.2.0 * Move project metadata to pyproject.toml * Remove gethostbyname * Remove getsock * Replace ares_{get,set}servers with ares_{get,set}_servers_csv * Remove ares_init and ares_mkquery, they are unused * build(deps): bump actions/download-artifact from 5 to 6 * build(deps): bump actions/upload-artifact from 4 to 5 * Make c-ares thread-safety mandatory * Migrate API to c-ares' dnsrec variants * Build wheels in parallel * build(deps): bump actions/checkout from 5 to 6 * Update bundled c-ares to v1.34.6 * Make callback a mandatory kwarg-only argument * Return bytes data for TXT records * Add support for TLSA, HTTP and URI queries * Remove event_thread option, make it implicit ==== python-tornado6 ==== - add pycares-getaddrinfo.patch to increase compatibility with newer pycares versions ==== rdma-core ==== Subpackages: libefa1 libhns1 libibverbs libibverbs1 libionic1 libmana1 libmlx4-1 libmlx5-1 librdmacm1 rdma-ndd - switch to systemd_requires - Don't BuildRequire valgrind on loongarch64 ==== re2c ==== Version update (4.4 -> 4.5) - Update to version 4.5 * The internal generator for Unicode include files and tests is now based directly on the official files from unicode.org (previously it was based on the Haskell charset library). It has been updated to the latest Unicode 17.0.0 standard. * New include files have been added for Unicode properties (include/unicode_properties.re) and blocks (include/unicode_blocks.re). * Case-insensitive string literals now use Unicode case mapping for UTF8, UTF16, UTF32 and UCS2 encodings. ==== sbc ==== Version update (2.1 -> 2.2) Subpackages: libsbc1 - update to 2.2: * Fix issue when compiling with C23 requirements. ==== sdbootutil ==== Version update (1+git20260319.f4cfda0 -> 1+git20260324.bd0fc60) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20260324.bd0fc60: * Add CAP_LINUX_IMMUTABLE when called by snapperd * get_timeout and default respect UPDATE_NVRAM (bsc#1243889) ==== snapper ==== Subpackages: libsnapper8 snapper-lang snapper-zypp-plugin - fix deleting LVM configs in case of empty directories (bsc#1260410) ==== tigervnc ==== Version update (1.16.0 -> 1.16.1) Subpackages: libXvnc1 tigervnc-selinux xorg-x11-Xvnc xorg-x11-Xvnc-module - update to 1.16.1: * updated translations * Fix for PAM support with w0vncserver ==== tnftp ==== Version update (20230507 -> 20260211) - update to 20260211: * Improve transfer performance by simplifying socket buffer and * transfer buffer handling. * Add -b BUFLEN to adjust size of buffer for HTTP response line parsing. * Add -h HEADER to support custom HTTP headers. * Add "connect" as a synonym for "open". * Fix ASCII mode transfers when progress bar is enabled. * Fix creation of empty downloaded files. * Exit non-zero if a HTTP transfer is shorter than expected. * Fix HTTPS through a proxy. ==== userspace-rcu ==== Version update (0.15.5 -> 0.15.6) - update to 0.15.6: * urcu-mb: Add missing TSAN annotation to _urcu_mb_read_lock_update * lfstack: Coding style cleanup * urcu-qsbr: Use CMM_SEQ_CST_FENCE for _urcu_qsbr_thread_online * urcu-mb: Use CMM_SEQ_CST_FENCE for _urcu_mb_read_lock_update * urcu-qsbr: Use CMM_SEQ_CST_FENCE for quiescent state update and offline * urcu-mb: Use CMM_SEQ_CST_FENCE for _urcu_mb_read_unlock_update_and_wakeup * Fix: Only include linux/time_types.h when __NR_futex_time64 is defined * Use __NR_futex_time64 in futex syscall wrapper ==== wireplumber ==== Version update (0.5.13 -> 0.5.14) Subpackages: libwireplumber-0_5-0 wireplumber-bash-completion wireplumber-lang - Update to version 0.5.14: * Additions & Enhancements: - Added per-device default volume configuration via the device.routes.default-{source,sink}-volume property, allowing device-specific volume defaults (e.g. a comfortable default for internal speakers or no attenuation for HDMI) - Added Lua 5.5 support; the bundled Lua subproject wrap has also been updated to 5.5.0 - Enhanced libcamera monitor to load camera nodes locally within the WirePlumber process instead of the PipeWire daemon, eliminating race conditions that could occur during initial enumeration and hotplug events - Enhanced Bluetooth loopback nodes to always be created when a device supports both A2DP and HSP/HFP profiles, simplifying the logic and making the BT profile autoswitch setting take effect immediately without requiring device reconnection - Enhanced Bluetooth loopback nodes to use target.object property instead of smart filters, fixing issues that prevented users from setting them as default nodes and also allowing smart filters to be used with them - Enhanced Bluetooth profile autoswitch logic with further robustness improvements, including better headset profile detection using profile name patterns and resolving race conditions by running profile switching after device/apply-profile in a dedicated event hook - Enhanced wpctl set-default command to accept virtual nodes (e.g. Audio/Source/Virtual) in addition to regular device nodes - Improved stream linking to make the full graph rescan optional when linkable items change, saving CPU on low-end systems and reducing audio startup latency when connecting multiple streams in quick succession (!800 (merged)) - Allowed installation of systemd service units without libsystemd being present, useful for distributions like Alpine Linux that allow systemd service subpackages - Allowed the mincore syscall in the WirePlumber systemd sandbox, required for Mesa/EGL (e.g. for the libcamera GPUISP pipeline) - Allowed passing WIREPLUMBER_CONFIG_DIR via the wp-uninstalled script, useful for passing additional configuration paths in an uninstalled environment * Fixes: - Removed Bluetooth sink loopback node, which was causing issues with KDE and GNOME - Fixed default audio source selection to never automatically use Audio/Sink nodes as the default source unless explicitly selected by the user - Fixed crash in state-stream when the Format parameter has a Choice for the number of channels - Fixed BAP Bluetooth device set channel properties, where audio.position was incorrectly serialized as a pointer address instead of the channel array - Fixed memory leaks in wp_interest_event_hook_get_matching_event_types and in the Lua LocalModule() implementation - Fixed HFP HF stream media class being incorrectly assigned due to api.bluez5.internal=true being set on HFP HF streams - Fixed Lua 5.4 compatibility in state-stream script - Updated translations: Bulgarian, Georgian, Kazakh, Swedish - Rebase patch: * set-profile-in-service.patch - Drop patches already included in this version: * 0001-monitors-bluez-request-device-ports-take-loopback-no.patch * 0002-autoswitch-bluetooth-profile-Fix-attempt-to-index-a-.patch * 0003-default-nodes-Never-consider-Audio_Sink-nodes-as-best-for.patch * 0004-event-hook-fix-interest-hook-event-type-memory-leak.patch * 0005-state-stream-fix-crash-in-case-the-Format-has-a-Choice-for.patch * 0006-state-stream-fix-Lua-5.4-compatibility.patch ==== xscreensaver ==== Subpackages: xscreensaver-data xscreensaver-lang - Drop dependency on gdmflexiserver: this no longer exists with GNOME 50. ==== yast2 ==== Version update (5.0.19 -> 5.0.20) Subpackages: yast2-logs - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.20 ==== yast2-alternatives ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-auth-client ==== Version update (5.0.3 -> 5.0.4) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.4 ==== yast2-configuration-management ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-country ==== Version update (5.0.4 -> 5.0.5) Subpackages: yast2-country-data - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.5 ==== yast2-firewall ==== Version update (5.0.1 -> 5.0.2) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-firstboot ==== Version update (5.0.1 -> 5.0.2) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-ftp-server ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-iscsi-client ==== Version update (5.0.11 -> 5.0.12) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.12 ==== yast2-isns ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-journal ==== Version update (5.0.2 -> 5.0.3) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.3 ==== yast2-kdump ==== Version update (5.0.6 -> 5.0.7) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.7 ==== yast2-nfs-client ==== Version update (5.0.1 -> 5.0.2) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-nfs-server ==== Version update (5.0.1 -> 5.0.2) Subpackages: yast2-nfs-common - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-ntp-client ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-online-update ==== Version update (5.0.0 -> 5.0.1) Subpackages: yast2-online-update-frontend - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-printer ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-proxy ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-samba-client ==== Version update (5.0.3 -> 5.0.4) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.4 ==== yast2-samba-server ==== Version update (5.0.1 -> 5.0.2) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-scanner ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-security ==== Version update (5.0.4 -> 5.0.5) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.5 ==== yast2-slp-server ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-storage-ng ==== Version update (5.0.41 -> 5.0.42) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.42 - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.42 ==== yast2-sudo ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-tftp-server ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-theme ==== Version update (5.0.1 -> 5.0.2) Subpackages: yast2-theme-breeze - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-transfer ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-tune ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-update ==== Version update (5.0.1 -> 5.0.2) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.2 ==== yast2-users ==== Version update (5.0.7 -> 5.0.8) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.8 ==== yast2-vm ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== yast2-vpn ==== Version update (5.0.0 -> 5.0.1) - jsc#PED-14507 - Removed reference to update-desktop-files from spec file - 5.0.1 ==== zlib-ng-compat ==== - Fix cmake *tagets.cmake and zlib.pc for the compat build, as the target dir {_libdir} is manually changed in the spec file to {_libdir}/zlib-ng-compat, we have to manually adjust the directory in the devel files as well.