Packages changed:
  MicroOS-release (20260414 -> 20260415)
  gstreamer (1.28.1 -> 1.28.2)
  gstreamer-plugins-bad (1.28.1 -> 1.28.2)
  gstreamer-plugins-base (1.28.1 -> 1.28.2)
  harfbuzz (12.3.2 -> 14.1.0)
  health-checker (1.13+git20251219.f90f390 -> 1.13+git20260414.bb3e4ad)
  kernel-source (6.19.11 -> 6.19.12)
  lcms2 (2.17 -> 2.18)
  libostree (2025.7 -> 2026.1)
  polkit-default-privs (1550+20260409.85cbda6 -> 1550+20260414.1647bf2)
  python313 (3.13.12 -> 3.13.13)
  python313-core (3.13.12 -> 3.13.13)
  systemd-presets-common-SUSE
  transactional-update
  xdg-desktop-portal (1.20.3 -> 1.20.4)
  xorg-x11-server
  xwayland

=== Details ===

==== MicroOS-release ====
Version update (20260414 -> 20260415)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== gstreamer ====
Version update (1.28.1 -> 1.28.2)
Subpackages: libgstreamer-1_0-0

- Update to version 1.28.2:
  + Highlighted bugfixes in 1.28.2
    - Various security fixes and playback fixes
    - audioencoder: allow change of channel configuration with avenc_aac
    - audioinvert: fix float format handling
    - h264parse, h265parse, baseparse: Preserve upstream buffer duration if possible
    - compositor: fix segfault with force-live=true and no sink pads (regression)
    - fallbacksrc: send select-streams event to collection source element directly
    - hlsdemux2: fix seekable range for live HLS streams
    - glupload: Fix linking glupload with restrictive caps filter
    - nvcodec: Add capability caching to speed up plugin initialization
    - RTP and RTCP packet handling fixes
    - RTSP server fixes for clean-up of timed out play requests
    - video-converter: fix I420/A420 BGRA/ARGB output on big-endian
    - qtdemux: fix invalid WebVTT timestamps, and other fixes
    - qmlgl6sink: Qt6GLVideoItem caps update handling fixes
    - threadshare udp sink and source fixes
    - transcriberbin and speechmatics text-to-speech fixes and improvements
    - videorate: Fix wrong caps in case of PTS going backward
    - vtdec: more Apple
      VideoToolbox decoder fixes
    - wavparse: Fix parsing of RF64 wave files
    - wasapi2sink: Ignore transient device errors from default device
    - waylandsink: various fixes and improvements
    - WebRTC DTLS robustness/stability improvements
    - Cerbero: Various inno Windows installer fixes and improvements; new 'gstreamer_bundle' wheels meta-package
    - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements
  + gstreamer:
    - bin: iterator is not nullable
    - registry: Skip .dSYM bundles when loading plugins, try 3
    - baseparse:
      . Preserve upstream buffer duration if possible
      . Fix out_buffer leak in frame_free and missing ref in frame_copy
    - filesink: Fix wrong open() in overwrite mode
    - queue: Fix potential use-after-free in log function
    - GThreadFunc return type fixes
    - Strange File-sink-file-mode property value in filesink plugin

==== gstreamer-plugins-bad ====
Version update (1.28.1 -> 1.28.2)
Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0

- Fix suse_version check to enable faad codec only in TW since SLE 16 SP1 will use a suse_version value of 1610
- Update to version 1.28.2:
  + analytics: Set default pixel-aspect-ratio for inference elements
  + av1dec: Enable VIDEO_META and VIDEO_ALIGNMENT for pool
  + av1parse, vp9parse: Remove segment clipping to let downstream handle frame boundaries
  + av1parse:
    - Avoid signed 32 bit integer overflow and OOB reads when parsing LEB128 values
    - Split the alignment and stream type logic
    - Misc fixes 2 typo
    - Invalid assertion in gst_av1_parse_detect_stream_format()
  + dashsink: test: use playbin3 for DASH playback verification
  + decklinkvideosink: fix element leak in decklink callback
  + dtls: unregister signal handlers from connection
  + gdppay: Fix null pointer dereference on duplicated caps event
  + h264parse, h265parse: Preserve upstream buffer duration if possible
  + h264parser:
    - Fix memory leak in gst_h264_parser_parse_nal()
    - Avoid NULL pointer dereferences when freeing partially parsed SPS/MVC
      data
  + h264: Memory Leak in gst_h264_parser_parse_nal()
  + h266parser: Avoid integer overflow when parsing profile / tier / level
  + jp2kdecimator: Avoid integer overflows and divisions by zero on invalid tile configurations
  + mxfdemux: hardening
  + nice: Fix leak of webrtc libnice thread
  + nvcodec: Add capability caching to speed up plugin initialization
  + tsmux: Fix integer overflow in SCTE35 NULL interval
  + sctp: Set number of outgoing & incoming streams to the same value
  + shm: fix shmsink exit code 1 on clean shutdown
  + soundtouch: Only allow up to 192kHz and 16 channels
  + srtpenc: preserve ROC when master key is updated for an ongoing session
  + svtav1: fix "Level of parallelism" property type discrepancies
  + vkswapper/vksink: Don't advertise unsupported formats
  + vmncdec: Set cursormask to NULL to prevent double free
  + vtdec:
    - vp9 support is only enabled in first vtdec element
    - Do not hold the stream lock when pushing out frames
    - Prefer outputting VulkanImage instead of sysmem, fix some leaks, ensure vulkansink provides a window
    - Store supplemental codec support in a global variable
    - Supplemental VideoToolbox decoders now registered via vtutil helper
    - Handle decoder error status for iOS, vtenc: restart if VTCompressionSessionCompleteFrames fails
  + vulkan: Clear mutex when GstVulkanImageMemory is freed
  + vulkanvp9dec: Fix case in device-specific factory name
  + wasapi2: Log target device information
  + wasapi2sink: Ignore device errors from default device
  + wayland: display: Add protection when replacing wl_output
  + waylandsink:
    - Fix waylandsink crash when call window flush
    - Properly reset the tag orientation
  + wlwindow: fix viewport source outside buffer when play resolution change stream
  + Fix a couple of const correctness bugs around strchr() usage
  + GThreadFunc return type fixes
  + meson: Fix downloading MoltenVK SDK, make it work when meson-installed
- Split out gstreamer-plugins-bad-extra sub-package, move mpeg2 encoder/plexer in its own sub-package.
  Gstreamer-plugins-libav provides the preferred software plugin.

==== gstreamer-plugins-base ====
Version update (1.28.1 -> 1.28.2)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0

- Update to version 1.28.2:
  + GstAudio/VideoDecoder: Fix different seqnum for eos event error
  + gst-validate reports event::eos-has-wrong-seqnum in GstAudio/VideoDecoder
  + audioencoder: Remove fixed caps from srcpad
  + audio-resampler-neon: read array operand by hand to fix build errors with some armv7hf toolchains
  + audio-resampler: build error with some armv7hf toolchains: 'asm' operand has impossible constraints
  + compositor: move gst_compositor_init_blend() to element class_init
  + exiftag:
    - Add missing bounds check and integer overflow protections in various places
    - Ignore invalid fractions with numerator/denominator G_MININT
    - Unmap buffer if parsing a rational number gives a zero denominator
  + gl: upload: Fix linking glupload with restrictive caps filter
  + glupload: can't handle caps video/x-raw(memory:GLMemory)
  + glcolorconvert: Fix NULL pointer dereference on buffers without video meta
  + libs_gstglcolorconvert test failure in 1.28.1
  + opusenc:
    - Use correct memcpy() size when copying Vorbis channel positions
    - Using invalid size for memcpy?
  + playback: Make sure to check for empty/any caps before getting the first structure
  + rtcp: Fix buffer overread in SDES packet parsing
  + rtpbuffer: Add validation for CSRC list length
  + rtsp:
    - gstrtspurl: Parse URL having user without password
    - Does not parse URL with user but no password as valid
  + subparse:
    - Avoid NULL-pointer dereferences in mdvdsub parsing code
    - Fix integer overflow when calculating qttext timestamp
    - Replace regex string matching / replacing with plain C string parsing
  + typefindfunctions: Avoid signed 32 bit integer overflow and OOB reads when parsing LEB128 values
  + video-converter: fix I420/A420 BGRA/ARGB output on big-endian
  + video: fix too small default stride for UYVP with odd widths
  + videorate: Fix unrestored caps on backward PTS
  + GThreadFunc return type fixes
- Split out new gstreamer-plugins-base-extra sub-package.

==== harfbuzz ====
Version update (12.3.2 -> 14.1.0)
Subpackages: libharfbuzz-gobject0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0

- Disable the new libharfbuzz-gpu demo-tool behind a bcond (with gpu). Building this leads to a build-cycle unfortunately.
- Update to version 14.1.0:
  + GPU library improvements:
    - Add anti-aliased rendering for small sizes.
    - Store font scale in blob header.
    - Port scale/ppem support to MSL, WGSL, and HLSL shaders.
    - Fix contour breaks and bounds quantization in encode.
    - Fix garbled rendering after font change in web demo.
  + Various robustness fixes.
  + Various fuzzing fixes for harfbuzz-raster, harfbuzz-gpu and harfbuzz-vector libraries.
  + Move HB_NO_CFF from HB_LEAN to HB_NO_DRAW closure, and fix HB_TINY build.
- Changes from version 14.0.0:
  + New libharfbuzz-gpu library: GPU text rasterization based on the Slug algorithm by Eric Lengyel. Encodes glyph outlines on the CPU into compact blobs that the GPU decodes and rasterizes directly in the fragment shader, with no intermediate bitmap atlas.
  + Shader sources provided in GLSL, WGSL, MSL, and HLSL.
  + New hb-gpu installed utility for interactive GPU text rendering.
  + Live web demo: https://harfbuzz.github.io/hb-gpu-demo/
  + New harfbuzz-world.cc amalgamated source for building a subset of all HarfBuzz libraries into one compilation unit, driven by a custom hb-features.h.
  + Updated README with libraries overview and project description.
  + Various bug fixes.
- Add pkgconfig(glew) and pkgconfig(glfw3) BuildRequires: New dependencies.
- Add new sub-package libharfbuzz-gpu0 following upstream changes.
- Update to version 13.2.1:
  + Fix regression in tracing messages from previous release.
- Changes from version 13.2.0:
  + Fix hb-view glyph positioning with --glyphs input from hb-shape --ned.
  + Various fuzzing fixes for harfbuzz-subset, harfbuzz-raster and harfbuzz-vector libraries.
  + Various improvements to tracing messages.
  + Various documentation improvements.
- Migrate to xz compression and manual service run
- Update to version 13.1.1:
  + Support gzip-compressed SVG glyphs in harfbuzz-raster and harfbuzz-vector libraries. This new functionality requires zlib, and will not be available if HarfBuzz is built without zlib.
  + Improve handling of SVG glyphs in harfbuzz-raster and harfbuzz-vector libraries.
  + Further harden application of stch feature against malicious fonts.
  + Various fuzzing fixes.
  + Various build fixes:
    - Add missing chafa dependency to hb-raster utility, and remove accidental cairo dependency.
    - Don’t build raster and vector fuzzers if the library is disabled.
    - Add meson options for enabling / disabling libpng and zlib.
    - Support building harfbuzz-raster and harfbuzz-vector libraries with CMake.
- Add new optional pkgconfig(zlib) BuildRequires.
- Update to version 13.1.0:
  + The harfbuzz-raster library can now render bitmap color glyph formats (CBDT and sbix). It now also has an API to serialize / deserialize images to and from PNGs. This new functionality requires libpng, and will not be available if HarfBuzz is built without libpng.
  + Install hb-raster command line utility.
  + Fix overflow when applying stch feature with malicious fonts.
  + Fix memory leaks in harfbuzz-raster and harfbuzz-vector in error conditions, as well as more robust handling of allocation failures.
  + Various documentation improvements and build fixes.
- Build the new optional libpng support, add pkgconfig(libpng) BuildRequires.
- Update to version 13.0.1:
  + Bug fixes in rendering COLR v1 fonts.
  + Various build fixes.
- Update to version 13.0.0:
  + New experimental drawing and rendering libraries:
    - New public hb-vector API for vector output of glyph outlines. The only supported output format currently is SVG.
    - The new API is available in a separate harfbuzz-vector library.
    - New public hb-raster API for rasterizing glyphs to A8 / BGRA32 images.
    - The new API is available in a separate harfbuzz-raster library.
    - Both APIs are still experimental and subject to change.
    - Both libraries support monochrome as well as vector color glyph formats (COLR v0, v1, and SVG).
    - Additionally, hb-vector supports also bitmap color glyph formats (CBDT and sbix).
    - New command line utilities to accompany the new APIs: hb-vector and hb-raster. They share many of the same options as hb-view.
  + New subset flag HB_SUBSET_FLAGS_DOWNGRADE_CFF2 to convert instantiated CFF2 table to CFF. This option will desubroutinize CFF2 table and convert it to CID-keyed CFF table. This is useful for compatibility with older renderers
... changelog too long, skipping 18 lines ...
  following upstream changes.

==== health-checker ====
Version update (1.13+git20251219.f90f390 -> 1.13+git20260414.bb3e4ad)
Subpackages: health-checker-plugins-MicroOS

- Update to version 1.13+git20260414.bb3e4ad:
  * Update configure.ac with autoupdate
  * Remove dependencies on cloud-init [bsc#1244078] and for removed plugins

==== kernel-source ====
Version update (6.19.11 -> 6.19.12)

- usb: typec: ucsi: skip connector validation before init (git-fixes).
- commit c7234f7
- Linux 6.19.12 (bsc#1012628).
- drm/amd/pm: disable OD_FAN_CURVE if temp or pwm range invalid for smu v13 (bsc#1012628).
- net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback (bsc#1012628).
- net: mana: fix use-after-free in add_adev() error path (bsc#1012628).
- scsi: target: file: Use kzalloc_flex for aio_cmd (bsc#1012628).
- scsi: target: tcm_loop: Drain commands in target_reset handler (bsc#1012628).
- xfs: only assert new size for datafork during truncate extents (bsc#1012628).
- xfs: factor out xfs_attr3_node_entry_remove (bsc#1012628).
- xfs: factor out xfs_attr3_leaf_init (bsc#1012628).
- xfs: close crash window in attr dabtree inactivation (bsc#1012628).
- arm64/scs: Fix handling of advance_loc4 (bsc#1012628).
- HID: logitech-hidpp: Enable MX Master 4 over bluetooth (bsc#1012628).
- wifi: mac80211: check tdls flag in ieee80211_tdls_oper (bsc#1012628).
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (bsc#1012628).
- atm: lec: fix use-after-free in sock_def_readable() (bsc#1012628).
- btrfs: don't take device_list_mutex when querying zone info (bsc#1012628).
- tg3: replace placeholder MAC address with device property (bsc#1012628).
- objtool: Fix Clang jump table detection (bsc#1012628).
- HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure (bsc#1012628).
- HID: core: Mitigate potential OOB by removing bogus memset() (bsc#1012628).
- objtool/klp: fix mkstemp() failure with long paths (bsc#1012628).
- HID: multitouch: Check to ensure report responses match the request (bsc#1012628).
- btrfs: reserve enough transaction items for qgroup ioctls (bsc#1012628).
- i2c: tegra: Don't mark devices with pins as IRQ safe (bsc#1012628).
- btrfs: reject root items with drop_progress and zero drop_level (bsc#1012628).
- drm/amd/display: Fix gamma 2.2 colorop TFs (bsc#1012628).
- smb: client: fix generic/694 due to wrong ->i_blocks (bsc#1012628).
- spi: geni-qcom: Check DMA interrupts early in ISR (bsc#1012628).
- mshv: Fix error handling in mshv_region_pin (bsc#1012628).
- dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning (bsc#1012628).
- wifi: iwlwifi: mld: Fix MLO scan timing (bsc#1012628).
- wifi: iwlwifi: mvm: don't send a 6E related command when not supported (bsc#1012628).
- wifi: iwlwifi: mld: correctly set wifi generation data (bsc#1012628).
- wifi: ath11k: Pass the correct value of each TID during a stop AMPDU session (bsc#1012628).
- cgroup: Wait for dying tasks to leave on rmdir (bsc#1012628).
- selftests/cgroup: Don't require synchronous populated update on task exit (bsc#1012628).
- cgroup: Fix cgroup_drain_dying() testing the wrong condition (bsc#1012628).
- crypto: caam - fix DMA corruption on long hmac keys (bsc#1012628).
- crypto: caam - fix overflow on long hmac keys (bsc#1012628).
- crypto: deflate - fix spurious -ENOSPC (bsc#1012628).
- crypto: af-alg - fix NULL pointer dereference in scatterwalk (bsc#1012628).
- mpls: add seqcount to protect the platform_label{,s} pair (bsc#1012628).
- net: mana: Fix RX skb truesize accounting (bsc#1012628).
- netdevsim: fix build if SKB_EXTENSIONS=n (bsc#1012628).
- net: fec: fix the PTP periodic output sysfs interface (bsc#1012628).
- net: enetc: reset PIR and CIR if they are not equal when initializing TX ring (bsc#1012628).
- net: enetc: add graceful stop to safely reinitialize the TX Ring (bsc#1012628).
- net: enetc: do not access non-existent registers on pseudo MAC (bsc#1012628).
- net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak (bsc#1012628).
- net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak (bsc#1012628).
- iommupt/amdv1: mark amdv1pt_install_leaf_entry as __always_inline (bsc#1012628).
- net/ipv6: ioam6: prevent schema length wraparound in trace fill (bsc#1012628).
- tg3: Fix race for querying speed/duplex (bsc#1012628).
- net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch (bsc#1012628).
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() (bsc#1012628).
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (bsc#1012628).
... changelog too long, skipping 476 lines ...
- commit 1b7d8a2

==== lcms2 ====
Version update (2.17 -> 2.18)

- Update to version 2.18
  * Fix a signed integer overflow which could trigger a FPE_INTOVF.
  * Added documentation for PCS illuminants and chromatic adaptation.
  * Check for a possible out-of-bounds in softproofing transforms when using cmsCreateExtendedTransform
  * Fix for an out-of-bound read, issue #522.
  * Add an extra check for out-of-bounds read when misusing a support function.
  * avoid divide by zero, special case from spec. notes on CAM02.
  * Fix CGATS parser bug when number has a "+" sign.
  * Fix a typo when handling a special case for BPC.
  * Fixed a loss of precision when Lab16 is used as input color space on integer transforms.
  * Fixes hypothetical corrupted pointer in non-happy path. Cannot happen in real world.
  * Fix a theoretical memory leak.
  * Mark some tables as const.
  * Make the param of cmsCreateLab4Profile() to refer to the media white instead of the illuminant.
  * fix a warning in unit tests.
  * Remove redundant check. Fixes #497.
  * Update autotools.
  * fix plugins soname + add oklab to transicc (experimental).
  * meson: ability to disable .so.version libraries.
  * Fix black point detection when using darker colorant.
  * testcms2.c: Fix incorrect string comparisons.
  * Fix CICp tag size.
  * Fix broken linkicc.
  * Add a guard against a wrong use of flags.
  * Fix for #469 heap buffer overflow on convert_utf16_to_utf32().
- Use %ldconfig_scriptlets macro

==== libostree ====
Version update (2025.7 -> 2026.1)
Subpackages: libostree-1-1

- Update to 2026.1:
  * fix soft-reboot handling for var, sysroot, and boot mounts,
  * preserve extension BLS keys across staged deployments.
  * libarchive integration now correctly handles UTF-8 filenames without locale dependency
  * ostree admin status --json now includes the deployment origin refspec.

==== polkit-default-privs ====
Version update (1550+20260409.85cbda6 -> 1550+20260414.1647bf2)

- Update to version 1550+20260414.1647bf2:
  * profiles: systemd v260 follow-up (bsc#1259318)

==== python313 ====
Version update (3.13.12 -> 3.13.13)

- Update to 3.13.13
  - Security
    - gh-145986: xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224 (bsc#1259735, CVE-2026-4224).
    - gh-145599: Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644 (bsc#1259734, CVE-2026-3644).
    - gh-145506: Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files (bsc#1259240, CVE-2026-2297).
    - gh-144370: Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes.
    - gh-143930: Reject leading dashes in URLs passed to webbrowser.open() (bsc#1260026, CVE-2026-4519).
  - Library
    - gh-144503: Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit.
    - gh-146613: itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated.
    - gh-146080: ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected. Patch by Bénédikt Tran.
    - gh-146090: sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY. Patch by Bénédikt Tran.
    - gh-146090: sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated. Patch by Bénédikt Tran.
    - gh-145633: Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError. Patch by Sergey B Kirpichev and Victor Stinner.
    - gh-146310: The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory.
    - gh-146083: Update bundled libexpat to version 2.7.5.
    - gh-146076: zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass.
    - gh-146054: Limit the size of encodings.search_function() cache. Found by OSS Fuzz in #493449985.
    - gh-145883: zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues #492245058 and #492230068.
    - gh-145750: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. Found by OSS Fuzz in #488466741.
    - gh-145492: Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in gh-145492.
    - gh-145623: Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__().
    - gh-145616: Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kernel
    - gh-145376: Fix null pointer dereference in unusual error scenario in hashlib.
    - gh-145551: Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Daan De Meyer.
    - gh-145417: venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script.
      The script inherited the SELinux security context of the system template directory, rather than the destination project directory.
    - gh-145301: hashlib: fix a crash when the initialization of the underlying C extension module fails.
    - gh-145264: Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data.
    - gh-145158: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module.
    - gh-144984: Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s reference count.
    - gh-88091: Fix unicodedata.decomposition() for Hangul characters.
    - gh-144835: Added missing explanations for some parameters in glob.glob() and glob.iglob().
    - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed.
    - gh-144259: Fix inconsistent display of long multiline pasted content in the REPL.
    - gh-144156: Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between
... changelog too long, skipping 179 lines ...
  gh#python/cpython#146121).

==== python313-core ====
Version update (3.13.12 -> 3.13.13)
Subpackages: libpython3_13-1_0 python313-base

- Update to 3.13.13
  - Security
    - gh-145986: xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224 (bsc#1259735, CVE-2026-4224).
    - gh-145599: Reject control characters in http.cookies.Morsel update() and js_output().
      This addresses CVE 2026-3644 (bsc#1259734, CVE-2026-3644).
    - gh-145506: Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files (bsc#1259240, CVE-2026-2297).
    - gh-144370: Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes.
    - gh-143930: Reject leading dashes in URLs passed to webbrowser.open() (bsc#1260026, CVE-2026-4519).
  - Library
    - gh-144503: Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit.
    - gh-146613: itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated.
    - gh-146080: ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected. Patch by Bénédikt Tran.
    - gh-146090: sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY. Patch by Bénédikt Tran.
    - gh-146090: sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated. Patch by Bénédikt Tran.
    - gh-145633: Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError. Patch by Sergey B Kirpichev and Victor Stinner.
    - gh-146310: The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory.
    - gh-146083: Update bundled libexpat to version 2.7.5.
    - gh-146076: zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass.
    - gh-146054: Limit the size of encodings.search_function() cache. Found by OSS Fuzz in #493449985.
    - gh-145883: zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues #492245058 and #492230068.
    - gh-145750: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. Found by OSS Fuzz in #488466741.
    - gh-145492: Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in gh-145492.
    - gh-145623: Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__().
    - gh-145616: Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kernel
    - gh-145376: Fix null pointer dereference in unusual error scenario in hashlib.
    - gh-145551: Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Daan De Meyer.
    - gh-145417: venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather than the destination project directory.
    - gh-145301: hashlib: fix a crash when the initialization of the underlying C extension module fails.
    - gh-145264: Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data.
    - gh-145158: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module.
    - gh-144984: Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s reference count.
    - gh-88091: Fix unicodedata.decomposition() for Hangul characters.
    - gh-144835: Added missing explanations for some parameters in glob.glob() and glob.iglob().
    - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed.
    - gh-144259: Fix inconsistent display of long multiline pasted content in the REPL.
    - gh-144156: Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between
... changelog too long, skipping 179 lines ...
  gh#python/cpython#146121).

==== systemd-presets-common-SUSE ====

- Enable the new update-desktop-database service that updates the desktop files database on boot for immutable systems (jsc#PED-14839).

==== transactional-update ====
Subpackages: dracut-transactional-update libtukit8 transactional-update-zypp-config tukit tukit-snapper-plugin tukitd

- Enable soft-reboots by default again

==== xdg-desktop-portal ====
Version update (1.20.3 -> 1.20.4)

- Update to version 1.20.4:
  + Prevent trashing of arbitrary host files (GHSA-rqr9-jwwf-wxgj)
- Update suse_version macro for 1610 (jsc#PED-15832)

==== xorg-x11-server ====
Subpackages: xorg-x11-server-Xvfb

- updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
  * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
- bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
  * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999)
- bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
  * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000)
- bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
  * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001)
- bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
  bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
  * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
- bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
  * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003)

==== xwayland ====

- updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
  * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
- bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
  * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999)
- bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
  * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000)
- bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
  * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001)
- bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
  bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
  * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
- bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
  * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003)