Packages changed:
  flatpak (1.16.3 -> 1.16.6)
  python-SQLAlchemy (2.0.48 -> 2.0.49)
  python-greenlet (3.3.2 -> 3.4.0)
  python-maturin (1.12.6 -> 1.13.1)
  python313-setuptools
  selinux-policy (20260311 -> 20260410)

=== Details ===

==== flatpak ====
Version update (1.16.3 -> 1.16.6)
Subpackages: flatpak-selinux libflatpak0 system-user-flatpak

- Install flatpak-selinux.if in distributed instead of contrib to avoid clashing with the interfaces from the main selinux-policy package (bsc#1262051)
- Add 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch
- Can be dropped when this comes back from upstream: https://github.com/flatpak/flatpak/pull/6622
- Update to version 1.16.6:
  + Bug fixes:
    - Fix the remaining regression for Chromium based browsers by not leaking file descriptors down to wrapped command
    - Fix a regression when installing extra-data without a runtime, which is the case for openh264
    - Fix the remaining regression for Epiphany by ignoring unusable sandbox-expose paths for sub-sandboxes in the portal
    - Fix the installed tests by allowing to add a new ref to an existing temporary ostree repo
    - Avoid closing fds 0/1/2 when they are used as a bad argument to flatpak-run, and reduce duplication in handling file descriptor arguments
- Update to version 1.16.5:
  + Bug fixes: Fix regressions caused by the sandbox escape security fix, which impact some browsers, browser-based apps and Steam
  + Enhancements: Expand test coverage of flatpak-run features used by flatpak-portal
- Update to version 1.16.4:
  + Security fixes:
    - Fix a complete sandbox escape which leads to host file access and code execution in the host context (CVE-2026-34078)
    - Prevent arbitrary file deletion on the host filesystem (CVE-2026-34079)
    - Prevent arbitrary read-access to files in the system-helper context (GHSA-2fxp-43j9-pwvc)
    - Prevent orphaning cross-user pull operations (GHSA-89xm-3m96-w3jg)
- Update suse_version macro for 1610 (jsc#PED-15828)

==== python-SQLAlchemy ====
Version update (2.0.48 -> 2.0.49)

- update to 2.0.49:
  * https://docs.sqlalchemy.org/en/21/changelog/changelog_20.html#change-2.0.49

==== python-greenlet ====
Version update (3.3.2 -> 3.4.0)

- Update to 3.4.0
  * Publish binary wheels for RISC-V 64.
  * Fix multiple rare crash paths during interpreter shutdown. Note that this now relies on the atexit module, and introduces subtle API changes during interpreter shutdown (for example, getcurrent is no longer available once the atexit callback fires). See PR #499 by Nicolas Bouvrette.
  * Address the results of an automated code audit performed by Daniel Diniz. This includes several minor correctness changes that theoretically could have been crashing bugs, but typically only in very rare circumstances. See PR 502.
  * Fix several race conditions that could arise in free-threaded builds when using greenlet objects from multiple threads, some of which could lead to assertion failures or interpreter crashes. See issue 503, with thanks to Nitay Dariel and Daniel Diniz.

==== python-maturin ====
Version update (1.12.6 -> 1.13.1)

- Update to version 1.13.1
  * fix: fall back to placeholder for abi3 when found interpreters are too old gh#PyO3/maturin#3126
- Changes in version 1.13.0:
  * Sync legacy_py.rs with upstream PyPI warehouse legacy.py gh#PyO3/maturin#3053
  * Fix --strip conflicting with --include-debuginfo in develop gh#PyO3/maturin#3057
  * Fix abi3 wheel producing version-specific tags for CPython below minimum gh#PyO3/maturin#3061
  * Fix data symlink permission handling gh#PyO3/maturin#3069
  * fix: correct bugs in audit.rs typo and module_writer gh#PyO3/maturin#3070
  * perf: use lazy-initialized regexes instead of per-call compilation gh#PyO3/maturin#3071
  * fix: skip legacy manylinux aliases not in PyPI allow-list gh#PyO3/maturin#3078
  * fix: auto-generate .def file for zig + windows-gnu to export PyInit symbol gh#PyO3/maturin#3079
  * fix: pass -undefined dynamic_lookup via CARGO_ENCODED_RUSTFLAGS on macOS gh#PyO3/maturin#3083
  * feat: add Profile-Guided Optimization (PGO) support gh#PyO3/maturin#3085
  * Respect metadata_directory in build_wheel per PEP 517 gh#PyO3/maturin#3086
  * Fix cargo path with puccinialin for Windows gh#PyO3/maturin#3093
  * build(deps): bump tar from 0.4.44 to 0.4.45 gh#PyO3/maturin#3095
  * build(deps): bump rustls-webpki from 0.103.9 to 0.103.10 gh#PyO3/maturin#3096
  * Upgrade pyo3 to 0.28 gh#PyO3/maturin#3101
  * PyO3: Adds --generate_stubs build options gh#PyO3/maturin#3105
  * fix: prevent panic when no interpreters match abi3 minimum version gh#PyO3/maturin#3108
  * feat: re-implement delocate for repairing macOS wheels gh#PyO3/maturin#3114
  * PyO3: Adds generate-stubs command gh#PyO3/maturin#3115
  * feat: re-implement delvewheel for repairing Windows wheels gh#PyO3/maturin#3116
  * Add auditwheel Warn mode, default to Warn on macOS/Windows gh#PyO3/maturin#3121
  * feat: Support large zip files gh#PyO3/maturin#3118

==== python313-setuptools ====

- add testsuite for tests

==== selinux-policy ====
Version update (20260311 -> 20260410)
Subpackages: selinux-policy-targeted

- Update to version 20260410:
  * Add missing Nextcloud file contexts (bsc#1261535)
  * openSUSE uses /var/lib/php8 (bsc#1239177)
  * /srv/www/htdocs is DocumentRoot of apache (bsc#1261535)
  * Allow cloud init to domtrans into ssh keygen (bsc#1249964)
  * Allow accountsd dbus chat with systemd-homed
  * Allow accountsd read accountsd_share_t files
  * Fix file context specification for /usr/share/accountsservice
  * Allow xdm_exec_t be an entrypoint of login_userdomain
  * Allow sshd-session send a generic signal to sshd-auth
  * Allow virtnetworkd get attributes of filesystems with extended attributes
  * Allow Polkit to get attributes of user terminals
  * Allow nfsidmap connect to xdm over a unix stream socket
  * Label /usr/share/accountsservice with accountsd_share_t
  * Allow systemd-resolved write to systemd-networkd socket
  * Dontaudit setroubleshootd read root's home files like .rpmmacros
  * Support sandboxing features for sysadm_t
  * Allow unconfined_t mounton on itself (bsc#1261035)
  * update support for polkit agent helper (bsc#1251931)
  * Add auth_nnp_domtrans_chkpwd()
  * Allow staff_sudo_t read PID1's process state
  * Allow staff_sudo_t read logind sessions files
  * Allow nfs-server system generator the dac_read_search capability
  * Allow snmpd create and use netlink tcpdiag socket
  * Allow systemd-coredump signull containers
  * Allow named_filetrans_domain filetrans flatpak homedir (bsc#1253682)
  * Dontaudit logrotate perfmon and sys_admin capabilities
  * Allow samba-bgqd sendto over a unix dgram socket
  * Allow snapper sdbootutil plugin read kernel modules (bsc#1259867)
  * Move interfaces from other modules to optional block
  * Allow fedoratp_exec_t be an entrypoint of unconfined_t
  * Allow rasdaemon_t to list pstore (bsc#1259742)
  * Allow virtqemud_t send kill signal to svirt_tcg_t
  * Allow virtqemud_t get priority of a svirt_t process
  * Allow sysadm user connect to lvm over a unix stream socket
  * Allow staff user delete thump_tmp_t files
  * Allow staff user connect to systemd-logind over a unix stream socket
  * Allow staff user mount /proc
  * Allow virtqemud map vhost net device
  * Dontaudit ps to read proc (bsc#1257527)
  * Revert "Define file equivalency for /var/opt" (bsc#1259704)
  * Allow dovecot_deliver_t map its private tmp files
  * Allow rpcbind get attributes of the pidfs filesystem
  * Fix names in mysql.if
  * Allow create kerberos files in mysql db home
  * Allow systemd-resolved connect to systemd-networkd over a unix stream socket
  * Introduce local_login_allow_accountutils_fallback_mode boolean (bsc#1259119)
  * Make stalld stalld_var_run_t labeling rules more generic (bsc#1259438)
- Syncing with upstream rawhide selinux-policy up to:
  * d3068ffe2a211a7e959bb1d0ad9dd434c2d7da5b
- Update embedded container-selinux version to commit:
  * f336064bb5a086cab121c02acf285a68fa4b8352 (v2.247.0)