Packages changed: MozillaFirefox PackageKit (1.3.4 -> 1.3.5) ceph gpg2 (2.5.18 -> 2.5.19) java-25-openjdk (25.0.2.0 -> 25.0.3.0) kernel-source (6.19.12 -> 7.0.1) lcms2 (2.18 -> 2.19) leancrypto libphonenumber (9.0.27 -> 9.0.29) libupnp (1.18.4 -> 1.18.5) libzypp (17.38.5 -> 17.38.7) mozjs140 (140.8.0 -> 140.10.0) mpg123 (1.33.4 -> 1.33.5) open-vm-tools openSUSE-release (20260426 -> 20260428) python-anyio (4.12.1 -> 4.13.0) python-click (8.3.2 -> 8.3.3) python-cryptography (46.0.7 -> 47.0.0) python-gevent (25.9.1 -> 26.4.0) python-idna (3.11 -> 3.13) python-pip (26.0.1 -> 26.1) python-pyOpenSSL (26.0.0 -> 26.1.0) python-pylsqpack (0.3.23 -> 0.3.24) python-simplejson (3.20.2 -> 4.1.1) python-tzdata (2026.1 -> 2026.2) python-zope.interface (8.3 -> 8.4) salt sed (4.9 -> 4.10) strace (6.19 -> 7.0) sushi (50.rc.1 -> 50.0) tiff timezone (2026a -> 2026b) tnftp vim (9.2.0219 -> 9.2.0398) vlc xbitmaps (1.1.3 -> 1.1.4) xrandr (1.5.3 -> 1.5.4) xterm (407 -> 409) xwayland (24.1.9 -> 24.1.11) yast2-trans (84.87.20260414.0f82ab3540 -> 84.87.20260424.fdcdc295f0) zypper (1.14.95 -> 1.14.96) === Details === ==== MozillaFirefox ==== Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Fix failing builds (boo#1258744) mozilla-bmo2030493.patch ==== PackageKit ==== Version update (1.3.4 -> 1.3.5) Subpackages: PackageKit-backend-zypp PackageKit-gstreamer-plugin PackageKit-gtk3-module PackageKit-lang libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0 - Update to version 1.3.5: + This release fixes a critical security vulnerability that allows unprivileged local users to obtain root privileges on any distribution that uses PackageKit. Details will be disclosed very soon, please update to a fixed version of PackageKit immediately (ensure the patch from commit 76cfb675fb31acc3ad5595d4380bfff56d2a8697 is applied). + Drop slack backend + alpm: perform sysupgrade on install and update + freebsd: Fix crashing when libpkg asks about ABI mismatch + portage: Revamp backend + meson: test.depends does not accept a dummy dependency, give it an empty array instead + pkgcli: Set up proxy also if only PAC is available + Do not allow re-invoking methods on non-new transactions + packagekit/progress: updated old usage of raise StopIteration + pkgcli: Add TRANSLATORS comments for commands + pkgcli: Rename list-required-by to list-requiring - Drop 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch: fixed upstream. - Drop 11c5f1f34f48b58ee10acec839dd01a31728704b.patch: fixed upstream. - Add 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch: Do not allow re-invoking methods on non-new transactions (bsc#1262220, CVE-2026-41651). ==== ceph ==== Subpackages: librados2 librbd1 - Add ceph-liburing-build-fix.patch to fix build with glibc 2.43 ==== gpg2 ==== Version update (2.5.18 -> 2.5.19) Subpackages: dirmngr gpg2-lang - Update to 2.5.19: * gpg: New option --use-ocb-sym * gpg: New options --show-[only-]session-hash * gpgsm: Allow cipher mode to be part of the algo given to the - -cipher-algo option * gpgsm: Emit more details when failing to check a crlDP * agent: Improve pinentry behavior and texts in smartcard context * dirmngr: New keyword "clear" for --keyserver * gpg: Fix edge case in --refresh-keys * gpg: Don't call gcry_kdf_derive with empty passphrase * gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to allow import of recently issued certificates by the German Telekom * gpgsm: Fix a bug so that a certificate can be signed using a different algo * gpgsm: Make GCM fully compliant in de-vs mode * gpgsm: Add a certificate chain check for de-vs compliance * gpgsm: Show rsaPSS certificates as de-vs compliant in listings * agent: Rework the trustlist reading code to finally allow a trustlist.txt with a missing trailing LF * ssh: Fix RSA padding in signature handling * gpgtar: Fix -C (--directory) to check the output directory * agent: Raise an error when p >= q for RSA keys to detect incorrect generated *PGP keys ==== java-25-openjdk ==== Version update (25.0.2.0 -> 25.0.3.0) Subpackages: java-25-openjdk-headless - Update to upstream tag jdk-25.0.3+9 (April 2026 CPU) * CVEs + CVE-2026-22007 (bsc#1262490) + CVE-2026-22008 (bsc#1262493) + CVE-2026-22013 (bsc#1262494) + CVE-2026-22016 (bsc#1262495) + CVE-2026-22018 (bsc#1262496) + CVE-2026-22021 (bsc#1262497) + CVE-2026-23865 (bsc#1259118) + CVE-2026-34268 (bsc#1262500) + CVE-2026-34282 (bsc#1262501) * Changes + JDK-7191877: TEST_BUG: java/rmi/transport/checkLeaseInfoLeak/ /CheckLeaseLeak.java failing intermittently + JDK-8030957: AIX: Implement OperatingSystemMXBean .getSystemCpuLoad() and .getProcessCpuLoad() on AIX + JDK-8068378: [TEST_BUG]The java/awt/Modal/PrintDialogsTest/ /PrintDialogsTest.java instruction need to update + JDK-8183336: Better cleanup for jdk/test/java/lang/module/ /customfs/ModulesInCustomFileSystem.java + JDK-8212084: G1: Implement UseGCOverheadLimit + JDK-8244336: Restrict algorithms at JCE layer + JDK-8246037: Shenandoah: update man pages to mention - XX:+UseShenandoahGC + JDK-8255463: java/nio/channels/spi/SelectorProvider/ /inheritedChannel/InheritedChannelTest.java failed with ThreadTimeoutException + JDK-8256289: java/awt/Focus/AppletInitialFocusTest/ /AppletInitialFocusTest1.java failed with "RuntimeException: Wrong focus owner: java.awt.Button[button1,41,36,56x23,label=Button1]" + JDK-8274082: Wrong test name in jtreg run tag for java/awt/print/PrinterJob/SwingUIText.java + JDK-8286258: [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value wrong and sometime partially + JDK-8286865: vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/ /Test.java fails with Out of space in CodeCache + JDK-8287062: com/sun/jndi/ldap/LdapPoolTimeoutTest.java failed due to different timeout message + JDK-8293484: AArch64: TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on CPU with SHA512 feature support + JDK-8299304: Test "java/awt/print/PrinterJob/ /PageDialogTest.java" fails on macOS 13 x64 because the Page Dialog blocks the Toolkit + JDK-8307495: Specialize atomic bitset functions for aix-ppc + JDK-8313770: jdk/internal/platform/docker/ /TestSystemMetrics.java fails on Ubuntu + JDK-8316274: javax/swing/ButtonGroup/ /TestButtonGroupFocusTraversal.java fails in Ubuntu 23.10 with Motif LAF + JDK-8317838: java/nio/channels/Channels/ /SocketChannelStreams.java running into timeout (aix) + JDK-8318662: Refactor some jdk/java/net/httpclient/http2 tests to JUnit + JDK-8320677: Printer tests use invalid '@run main/manual=yesno + JDK-8333857: Test sun/security/ssl/SSLSessionImpl/ /ResumeChecksServer.java failed: Existing session was used + JDK-8333871: Check return values of sysinfo + JDK-8334928: Test sun/security/ssl/SSLSocketImpl/ /ReuseAddr.java failed: java.net.BindException: Address already in use + JDK-8335646: Nimbus : JLabel not painted with LAF defined foreground color on Ubuntu 24.04 + JDK-8336695: Update Commons BCEL to Version 6.10.0 + JDK-8339791: Refactor MiscUndecorated/ActiveAWTWindowTest.java + JDK-8341039: compiler/cha/TypeProfileFinalMethod.java fails with assertEquals expected: 0 but was: 2 + JDK-8342175: MemoryEaterMT fails intermittently with ExceptionInInitializerError + JDK-8342401: [TESTBUG] javax/swing/JSpinner/8223788/ /JSpinnerButtonFocusTest.java test fails in ubuntu 22.04 on SBR Hosts + JDK-8342640: GenShen: Silently ignoring ShenandoahGCHeuristics considered poor user-experience + JDK-8342659: Test vmTestbase/nsk/jdi/ObjectReference/ /referringObjects/referringObjects002/referringObjects002.java failed: Class nsk.share.jdi.TestClass1 was not unloaded + JDK-8343316: Review and update tests using explicit provider names + JDK-8343340: Swapping checking do not work for MetricsMemoryTester failcount + JDK-8343474: [updates] Customize README.md to specifics of update project + JDK-8344073: Test runtime/cds/appcds/ /TestParallelGCWithCDS.java#id0 failed + JDK-8346154: [XWayland] Some tests fail intermittently in the CI, but not locally + JDK-8346962: Test CRLReadTimeout.java fails with -Xcomp on a fastdebug build + JDK-8348014: Enhance certificate processing + JDK-8349192: jvmti/scenarios/contention/TC05/tc05t001 fails: ERROR: tc05t001.cpp, 281: (waitedThreadCpuTime - waitThreadCpuTime) < (EXPECTED_ACCURACY * 1000000) + JDK-8352149: Test java/awt/Frame/MultiScreenTest.java fails: Window list is empty + JDK-8353755: Add a helper method to Util - findComponent() + JDK-8354244: Use random data in MinMaxRed_Long data arrays + JDK-8354469: Keytool exposes the password in plain text when ... changelog too long, skipping 490 lines ... DEFAULT_PROMOTED_VERSION_PRE=ea for release 25.0.3 ==== kernel-source ==== Version update (6.19.12 -> 7.0.1) - Re-enable ARM architectures and update configs Rather late (well, that's an understatement) but better than never. - commit 46dfbfa - Update config files. Set INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y (bsc#1262308) The same as for SL-16.*. - commit ccbbbdf - Linux 7.0.1 (bsc#1012628). - clockevents: Add missing resets of the next_event_forced flag (bsc#1012628). - mm/userfaultfd: fix hugetlb fault mutex hash calculation (bsc#1012628). - media: hackrf: fix to not free memory after the device is registered in hackrf_probe() (bsc#1012628). - media: vidtv: fix pass-by-value structs causing MSAN warnings (bsc#1012628). - nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map (bsc#1012628). - media: as102: fix to not free memory after the device is registered in as102_usb_probe() (bsc#1012628). - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit (bsc#1012628). - bcache: fix cached_dev.sb_bio use-after-free and crash (bsc#1012628). - ALSA: 6fire: fix use-after-free on disconnect (bsc#1012628). - hwmon: (powerz) Fix use-after-free on USB disconnect (bsc#1012628). - media: em28xx: fix use-after-free in em28xx_v4l2_open() (bsc#1012628). - media: mediatek: vcodec: fix use-after-free in encoder release path (bsc#1012628). - media: vidtv: fix nfeeds state corruption on start_streaming failure (bsc#1012628). - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (bsc#1012628). - mm/kasan: fix double free for kasan pXds (bsc#1012628). - ASoC: qcom: q6apm: move component registration to unmanaged version (bsc#1012628). - KVM: x86: Use scratch field in MMIO fragment to hold small write values (bsc#1012628). - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache (bsc#1012628). - x86: rename and clean up __copy_from_user_inatomic_nocache() (bsc#1012628). - x86-64: rename misleadingly named '__copy_user_nocache()' function (bsc#1012628). - checkpatch: add support for Assisted-by tag (bsc#1012628). - mm: call ->free_folio() directly in folio_unmap_invalidate() (bsc#1012628). - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION (bsc#1012628). - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish (bsc#1012628). - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created (bsc#1012628). - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock (bsc#1012628). - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU (bsc#1012628). - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES migrate test (bsc#1012628). - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown (bsc#1012628). - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup (bsc#1012628). - ocfs2: handle invalid dinode in ocfs2_group_extend (bsc#1012628). - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY (bsc#1012628). - ocfs2: fix possible deadlock between unlink and dio_end_io_write (bsc#1012628). - media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections (bsc#1012628). - arm64: mm: Handle invalid large leaf mappings correctly (bsc#1012628). - vfio/xe: Reorganize the init to decouple migration from reset (bsc#1012628). - dcache: Limit the minimal number of bucket to two (bsc#1012628). - ALSA: ctxfi: Limit PTP to a single page (bsc#1012628). - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates race (bsc#1012628). - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race (bsc#1012628). - USB: serial: option: add Telit Cinterion FN990A MBIM composition (bsc#1012628). - selftests/mm: hmm-tests: don't hardcode THP size to 2MB (bsc#1012628). - staging: sm750fb: fix division by zero in ps_to_hz() (bsc#1012628). - wifi: rtw88: fix device leak on probe failure (bsc#1012628). - scripts: generate_rust_analyzer.py: avoid FD leak (bsc#1012628). - scripts/gdb/symbols: handle module path parameters (bsc#1012628). - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (bsc#1012628). - usb: port: add delay after usb_hub_set_port_power() (bsc#1012628). - usb: gadget: f_hid: don't call cdev_init while cdev in use (bsc#1012628). - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC ... changelog too long, skipping 74 lines ... - commit 5844293 ==== lcms2 ==== Version update (2.18 -> 2.19) - Update to version 2.19 * CMake build system. * Large files support to use profiles up to 4Gb. * Black point compensation works on multi-channel profiles. * jpgicc banner is not shown on normal operation, only when help is requested. * Added a way to access internal transform pipelines. * Add a way to retrieve the CMM signature. * Added extra checks on postscript undocumented functions. * Added guard on integer overflow when reading .cube files. * Added unneeded checks as a try to get rid of spam reports about "vulnerabilities" that are not real. * Creating an output profile by cmsTransform2DeviceLink does not propagate correctly the colorant table. * Added some profile class definitions from iccMAX. * Deprecated uint16 and uint32 types removed from tifdiff. * fixed generation of tifdiff on Cmake and meson. ==== leancrypto ==== Subpackages: libleancrypto1 libleancrypto1-32bit - Fix build on kernel 7.0 * Add patch 0001-Linux-kernel-leancrypto_kernel_rng_tester-include-li.patch - Pick fix for ABI issue in AVX2 assembly for Curve448 causing test failures when building with GCC 16. * Add patch leancrypto-ABI-fix.patch ==== libphonenumber ==== Version update (9.0.27 -> 9.0.29) - update to 9.0.29: * Updated phone metadata for region code(s): BI, BL, GP, MF, MY, SK, TH, TR, TW * Updated short number metadata for region code(s): CH * New geocoding data for country calling code(s): 7 (kk) * Updated carrier data for country calling code(s): 7 (en, ru), 31 (en), 32 (en), 90 (en), 257 (en), 590 (en), 593 (en) - update to 9.0.28: * Update phone metadata for region code(s): BW, IL, MN, RE, SR, YT * Updated carrier data for country calling code(s): 34 (en), 267 (en), 359 (en), 972 (en), 976 (en) * Updated / refreshed time zone meta data. * Decreased the number of invocations of chooseFormattingPatternForNumber in PhoneNumberUtil#formatInOriginalFormat ==== libupnp ==== Version update (1.18.4 -> 1.18.5) Subpackages: libixml11 libupnp20 - Update to release 1.18.5 * Fixed CVE-2026-41682 ==== libzypp ==== Version update (17.38.5 -> 17.38.7) - Fix purge-kernel -rc kernel handling (bsc#1239718) - Explicitly_set_pool_DISTTYPE_RPM (fixes #726) - version 17.38.7 (35) - Check for trusted key updates when updating the general keyring (bsc#1259706) - Support multiple MirroredOrigin authorities (bsc#1253193) - Workaround doxygen bug: doxygen/doxygen#12057 - libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842) - version 17.38.6 (35) ==== mozjs140 ==== Version update (140.8.0 -> 140.10.0) - Add security fixes: + mozjs140-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + mozjs140-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + mozjs140-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) - Update to version 140.10.0: + Security Vulnerabilities fixed in Firefox ESR 140.10 + See https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/ + See https://www.firefox.com/en-US/firefox/140.9.0/releasenotes/ ==== mpg123 ==== Version update (1.33.4 -> 1.33.5) Subpackages: libmpg123-0 mpg123-openal - Update to version 1.33.5 * mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit off_t was used with mpg123 API calls expecting 64 bit off_t. * mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive platforms (regression since 1.32.0). * libmpg123: Announce support for shadow stack / IBT in x86-64 assembly. * libmpg123: Also announce PAC/BTI for non-accurate neon64 (aarch64) synth. * libout123: Add a safeguard to ensure variable-length records from buffer communication are always zero-terminated. * libsyn123: Use union work buffer to avoid casts that may look like breaking strict aliasing. ==== open-vm-tools ==== Subpackages: libvmtools0 open-vm-tools-desktop - Fix build with glibc 2.43 (boo#1257312) + Add patch: - glibc243.patch ==== openSUSE-release ==== Version update (20260426 -> 20260428) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== python-anyio ==== Version update (4.12.1 -> 4.13.0) - update to 4.13.0: * Dropped support for Python 3.9 * Added a ttl parameter to the anyio.functools.lru_cache wrapper * Widened the type annotations of file I/O streams to accept IO[bytes] instead of just BinaryIO * Fixed anyio.Path not being compatible with Python 3.15 due to the removal of pathlib.Path.is_reserved() and the addition of pathlib.Path.__vfspath__() * Fixed the BrokenResourceError raised by the asyncio SocketStream not having the original exception as its cause * Fixed the TypeError raised when using "func" as a parameter name in pytest.mark.parametrize when using the pytest plugin * Fixed the pytest plugin not running tests that had the anyio marker added programmatically via pytest_collection_modifyitems * Fixed cancellation exceptions leaking from a CancelScope on asyncio when they are contained in an exception group alongside non-cancellation exceptions * Fixed Condition.wait() not passing on a notification when the task is cancelled but already received a notification * Fixed inverted condition in the process pool shutdown phase which would cause still-running pooled processes not to be terminated ==== python-click ==== Version update (8.3.2 -> 8.3.3) - update to 8.3.3: * Use :func:`shlex.split` to split pager and editor commands into argv lists for :class:`subprocess.Popen`, removing shell=True. :issue:`1026` :pr:`1477` :pr:`2775` * Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. :issue:`3298` :pr:`3299` * Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. :pr:`3238` * Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. :issue:`3224` :pr:`3240` * Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:`654` :issue:`824` :issue:`843` :pr:`951` :pr:`3235` * Add optional randomized parallel test execution using pytest- randomly and pytest-xdist to detect test pollution and race conditions. :pr:`3151` * Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:`3151` :pr:`3177` * Show custom show_default string in prompts, matching the existing help text behavior. :issue:`2836` :pr:`2837` :pr:`3165` :pr:`3262` :pr:`3280` :pr:`3328` * Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. :issue:`3111` :pr:`3239` * Mark make_default_short_help as private API. :issue:`3189` :pr:`3250` * CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. :issue:`2865` * Change :class:`ParameterSource` to an :class:`~enum.IntEnum` and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:`2879` :pr:`3248` ==== python-cryptography ==== Version update (46.0.7 -> 47.0.0) Subpackages: python311-cryptography python313-cryptography - update to 47.0.0: * Support for Python 3.8 is deprecated and will be removed in the next cryptography release. * BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable. * BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported. * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1. * BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of ValueError. This change affects :func:`~cryptograp hy.hazmat.primitives.serialization.load_pem_private_key`, :fu nc:`~cryptography.hazmat.primitives.serialization.load_der_pr ivate_key`, :func:`~cryptography.hazmat.primitives.serializat ion.load_pem_public_key`, :func:`~cryptography.hazmat.primiti ves.serialization.load_der_public_key`, and :meth:`~cryptography.x509.Certificate.public_key` when called on certificates with unsupported public key algorithms. * BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive. * Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.T ripleDES`. In a future release, only 192-bit (24-byte) keys will be accepted. Users should expand shorter keys themselves (e.g., for single DES: key + key + key, for two-key: key + key[:8]). * Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0. * Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in the next release. We will switch to publishing an arm64 only wheel for macOS. * Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in the next release. Users should move to a 64-bit Python installation. * public_bytes and private_bytes methods on keys now raise TypeError (instead of ValueError) if an invalid encoding is provided for the given format. * Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`, :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into :doc:`/hazmat/decrepit/index` and deprecated them in the modes module. They will be removed from the modes module in 49.0.0. * Moved :class:`~cryptography.hazmat.primitives.ciphers.algorit hms.Camellia` into :doc:`/hazmat/decrepit/index` and deprecated it in the cipher module. It will be removed from the cipher module in 49.0.0. * Added :meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract` to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. The previous private implementation will be removed in 49.0.0. * Added support for loading elliptic curve keys that contain explicit encodings of the curves secp256r1, secp384r1, and secp521r1. * Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2d` and :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2i` when using OpenSSL 3.2.0+. * Added derive_into methods to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`, :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`, :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatK DFHash`, :class:`~cryptography.hazmat.primitives.kdf.concatkd f.ConcatKDFHMAC`, :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`, :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC `, :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`, :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`, :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`, and :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF` to allow deriving keys directly into pre-allocated buffers. * Added encrypt_into and decrypt_into methods to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSI V`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESO CB3`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV`, and :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaC ha20Poly1305` to allow encrypting directly into a pre- allocated buffer. * Added support for PKCS1v15 signing without DigestInfo using : class:`~cryptography.hazmat.primitives.asymmetric.utils.NoDig estInfo`. * Added ... changelog too long, skipping 34 lines ... OpenSSL 4.0.0. ==== python-gevent ==== Version update (25.9.1 -> 26.4.0) - update to 26.4.0: * Make gevent.ssl stop reusing exception instances, as this could appear to cause a memory leak if there are many short reads or writes. Reported by 사재혁. See :issue:`2159`. * Fix Greenlet.dead returning true for an active greenlet during early bootstrap. Thanks to Taegyun Kim. See :issue:`2166`. * Fix some potential GIL-related crashes during interpreter shutdown by avoiding acquiring the GIL in libev callbacks when the interpreter is finalizing. Thanks to Thomas Kowalski. See :issue:`2170`. * Support for Python 3.9 has been removed. Manylinux wheels are built with version 2_28, up from 2014. ==== python-idna ==== Version update (3.11 -> 3.13) Subpackages: python311-idna python313-idna - update to 3.13: * Correct classification error for codepoint U+A7F1 * Update to Unicode 17.0.0. * Issue a deprecation warning for the transitional argument. * Added lazy-loading to provide some performance improvements. * Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython. ==== python-pip ==== Version update (26.0.1 -> 26.1) Subpackages: python311-pip python313-pip - Update to 26.1 (bsc#1262429, CVE-2026-3219): [#] Deprecations and Removals - Drop support for Python 3.9. [#] Features - Add experimental support to read requirements from standardized pylock.toml files (``-r pylock.toml``). - Allow ``--uploaded-prior-to`` to accept a duration in days (e.g., ``P3D`` for 3 days ago). [#] Enhancements - Speed up dependency resolution when there are complex conflicts. - Reduce memory usage when resolving large dependency trees. - Emit a deprecation warning when pip imports an unexpected module after installation of a distribution has started. - Allow URL constraints to apply to requirements with extras. - Allow unpinned requirements to use hashes from constraints. Constraints like ``{name}=={version} --hash=...`` feeds into hash verification for a corresponding requirement. - Improve conflict reports that involve direct URLs. - Show all errors instead of first error for faulty ``dependency_groups`` definitions. [#] Bug Fixes - Fix recovery hint for missing RECORD file to use ``--ignore-installed`` instead of ``--force-reinstall``. - Fix misleading error message when a constraint file cannot be opened. - Show the filename rather than the full URL when downloading files from non-PyPI indexes in non-verbose mode. - Remove the adjacent ``__pycache__`` directory when a .py file is removed. - Force UTF-8 encoding for :pep:`723` metadata. - Minor performance improvement when filtering candidates during resolution. - Fix a hang on Windows when stdout is closed during verbose output. - Common path prefixes are determined by path segment, not character by character. - Fix installing ``.tar.gz`` source distributions that look like a zip file. [#] Vendored Libraries - Upgrade certifi to 2026.2.25 - Upgrade packaging to 26.2 - Upgrade requests to 2.33.1 - Upgrade tomli to 2.3.1 - Upgrade urllib3 to 2.6.3 - Use ``packaging`` 26.1's new ``dependency_groups`` module, removing ``dependency-groups`` vendor. - Use ``packaging.direct_url`` to manipulate ``direct_url.json``. Besides difference in validation error messages, there should be no user-visible change. ==== python-pyOpenSSL ==== Version update (26.0.0 -> 26.1.0) Subpackages: python311-pyOpenSSL python313-pyOpenSSL - update to 26.1.0 (CVE-2026-40475, bsc#1262803): * Maximum supported cryptography version is now 47.x. * Fixed X509Name field setters to correctly pass the value length to OpenSSL. Previously, values containing NUL bytes would be silently truncated, causing a divergence between the stored ASN.1 value and the value visible from Python. Credit to BudongJW for reporting the issue. CVE-2026-40475 ==== python-pylsqpack ==== Version update (0.3.23 -> 0.3.24) - update to 0.3.24: * Do not crash if decoding an empty header name * Ensure encoder validates all input before starting encoding ==== python-simplejson ==== Version update (3.20.2 -> 4.1.1) - update to 4.1.1: * The C extension now accelerates encoding when ``indent=`` is set. * Previously the encoder fell back to the pure-Python implementation whenever a non-None ``indent`` was passed; * The C extension now emits PEP 678 ``exc.add_note()`` annotations on serialization failures, matching the pure-Python encoder. A chained error on ``{'a': [1, object(), 3]}`` produces the same three notes * Skip uploading Pyodide/wasm wheels to PyPI, which rejects them with "unsupported platform tag 'pyodide_2024_0_wasm32'". The wheels are still built in CI and preserved as workflow artifacts. * simplejson 4 requires Python 2.7 or Python 3.8+. Older Python * versions (2.5, 2.6, 3.0-3.7) are no longer supported. pip will not install simplejson 4 on unsupported versions. * Full support for Python 3.13+ free-threading (PEP 703). The C * extension is now safe to use with the GIL disabled (python3.14t): * - Converted all static types to heap types with per-module state * Numerous C extension memory safety fixes: * Fix use-after-free and leak in encoder ident handling * Fix NULL dereferences on OOM in module init and static string init * Fix reference leaks in dict encoder (skipkeys item, variable shadowing) * Fix member table copy-paste, exception clobbering, missing Py_VISIT * Fix error-as-truthy bugs in maybe_quote_bigint and is_raw_json * Fix iterable_as_array swallowing MemoryError and KeyboardInterrupt * Fix for_json and _asdict swallowing MemoryError, KeyboardInterrupt, ==== python-tzdata ==== Version update (2026.1 -> 2026.2) - update to 2026.2: * 2026b released * British Columbia moved to permanent -07 on 2026-03-09. Some more overflow bugs have been fixed in zic. ==== python-zope.interface ==== Version update (8.3 -> 8.4) - update to 8.4: * Add support for automatically building and publishing Windows/ARM64 wheels. ==== salt ==== Subpackages: python311-salt salt-master salt-minion - BDSA-2025-60810: Harden Tornado from invalid HTTP reason phrases - Read full URI from ldap pillar config (bsc#1254900) - Added: * bdsa-2025-60810-harden-against-invalid-http-reason-p.patch * read-full-uri-from-ldap-pillar-config-753.patch ==== sed ==== Version update (4.9 -> 4.10) Subpackages: sed-lang - Update to 4.10: * sed 's/a/b/g' (and other global substitutions) now works on input lines longer than 2GB. Previously, matches beyond the 2^31 byte offset would evoke a "panic" (exit 4). * 'sed --follow-symlinks -i' no longer has a TOCTOU race that could let an attacker swap a symlink between resolution and open, causing sed to read attacker-chosen content and write it to the original target. (bsc#1262144, CVE-2026-5958) * sed no longer falsely matches when back-references are combined with optional groups (.?) and the $ anchor. For example, this no longer falsely matches the empty string at beginning of line: $ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/' Xab * In --posix mode, sed no longer mishandles backslash escapes (\n, \t, \a, etc.) after a named character class like [[:alpha:]]. For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the trailing newline, treating \n as a literal backslash and an 'n' rather than a newline. This happened when an earlier backslash escape in the same regex had already been converted, shifting the in-place normalization buffer. * sed --debug no longer crashes when a label (":") command is compiled before the --debug option is processed, e.g., sed -f<(...) --debug. * sed no longer rejects the documented GNU extension 'a**' (equivalent to 'a*') in Basic Regular Expression (BRE) mode. Previously, this worked only with -E (ERE mode), even though grep has always accepted it in BRE mode. * sed no longer rejects "\c[" in regular expressions * 'sed --follow-symlinks -i' no longer mishandles an operand that is a short symbolic link to a long symbolic link to a file. * Fix some some longstanding but unlikely integer overflows. Internally, 'sed' now more often prefers signed integer arithmetic, which can be checked automatically via 'gcc -fsanitize=undefined'. * In the default C locale, diagnostics now quote 'like this' (with apostrophes) instead of `like this' (with a grave accent and an apostrophe). This tracks the GNU coding standards. * 'sed --posix' now warns about uses of backslashes in the 's' command that are handled by GNU sed but are not portable to other implementations. * builds no longer fail on platforms without the header or getopt_long function. - Add disable-backref-test.patch * The bug for back references combined with optional groups and anchor hasn't been fixed in glibc yet, so the tests fail when building with "--without-included-regex". Disable the tests for now. ==== strace ==== Version update (6.19 -> 7.0) - Update to strace 7.0 * Implemented optional colorized trace output. * Implemented decoding of rseq and rseq_slice_yield syscalls. * Implemented decoding of BPF_TRACE_FSESSION bpf attach type. * Implemented decoding of BPF_PROG_ASSOC_STRUCT_OPS bpf command. * Implemented decoding of UDMABUF_CREATE, UDMABUF_CREATE_LIST, and VIDIOC_QUERYMENU ioctl commands. * Updated decoding of statmount syscall flags. * Updated lists of BPF_*, BTRFS_*, FS_*, IORING_*, KEY_*, KVM_*, NT_*, OPEN_TREE_*, PR_*, V4L2_*, and *_MAGIC constants. * Updated lists of ioctl commands from Linux 7.0. ==== sushi ==== Version update (50.rc.1 -> 50.0) Subpackages: sushi-lang - Update to version 50.0: + Fix a typo. + Updated translations. ==== tiff ==== - * CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411) Add tiff-CVE-2026-4775.patch ==== timezone ==== Version update (2026a -> 2026b) Subpackages: tzselect - Update to 2026b: * British Columbia moved to permanent -07 on 2026-03-09 * Some more overflow bugs have been fixed in zic ==== tnftp ==== - Fix broken man page symlink (bsc#1260040). ==== vim ==== Version update (9.2.0219 -> 9.2.0398) Subpackages: vim-data vim-data-common xxd - Fix bsc#1261833 / CVE-2026-39881). - Update to 9.2.0398. - Changes: * 9.2.0398: MS-Windows: missing strptime() support * 9.2.0397: tabpanel: double-click opens a new tab * 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS * 9.2.0395: tests: Test_backupskip() may read from $HOME * 9.2.0394: xxd: offsets greater than LONG_MAX print as negative * 9.2.0393: MS-Windows: link error with XPM support on UCRT64 * 9.2.0392: tests: Some tests are flaky * 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting * 9.2.0390: filetype: some Beancount files are not recognized * 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app * 9.2.0388: strange indent in update_topline() * 9.2.0387: DECRQM request may leave stray chars in terminal * 9.2.0386: No scroll/scrollbar support in the tabpanel * 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff' * 9.2.0384: stale Insstart after cursor move breaks undo * 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs * 9.2.0382: Wayland: focus-stealing is non-working * 9.2.0381: Vim9: Missing check_secure() in exec_instructions() * 9.2.0380: completion: a few issues in completion code * 9.2.0379: gui.color_approx is never used * 9.2.0378: Using int as bool type in win_T struct * 9.2.0377: Using int as bool type in gui_T struct * 9.2.0376: Vim9: elseif condition compiled in dead branch * 9.2.0375: prop_find() does not find a virt text in starting line * 9.2.0374: c_CTRL-{G,T} does not handle offset * 9.2.0373: Ctrl-R mapping not triggered during completion * 9.2.0372: pum: rendering issues with multibyte text and opacity * 9.2.0371: filetype: ghostty config files are not recognized * 9.2.0370: duplicate code with literal string_T assignment * 9.2.0369: multiple definitions of STRING_INIT macro * 9.2.0368: too many strlen() calls when adding strings to dicts * 9.2.0367: runtime(netrw): ~ note expanded on MS Windows * 9.2.0366: pum: flicker when updating pum in place * 9.2.0365: using int as bool * 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails * 9.2.0363: Vim9: variable shadowed by script-local function * 9.2.0362: division by zero with smoothscroll and small windows * 9.2.0361: tests: no tests for ch_listen() with IPs * 9.2.0360: Cannot handle mouse-clicks in the tabpanel * 9.2.0359: wrong VertSplitNC highlighting on winbar * 9.2.0358: runtime(vimball): still path traversal attacks possible * 9.2.0357: [security]: command injection via backticks in tag files * 9.2.0356: Cannot apply 'scrolloff' context lines at end of file * 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract() * 9.2.0354: filetype: not all Bitbake include files are recognized * 9.2.0353: Missing out-of-memory check in register.c * 9.2.0352: 'winhighlight' of left window blends into right window * 9.2.0351: repeat_string() can be improved * 9.2.0350: Enabling modelines poses a risk * 9.2.0349: cannot style non-current window separator * 9.2.0348: potential buffer underrun when setting statusline like option * 9.2.0347: Vim9: script-local variable not found * 9.2.0346: Wrong cursor position when entering command line window * 9.2.0345: Wrong autoformatting with 'autocomplete' * 9.2.0344: channel: ch_listen() can bind to network interface * 9.2.0343: tests: test_clientserver may fail on slower systems * 9.2.0342: tests: test_excmd.vim leaves swapfiles behind * 9.2.0341: some functions can be run from the sandbox * 9.2.0340: pum_redraw() may cause flicker * 9.2.0339: regexp: nfa_regmatch() allocates and frees too often * 9.2.0338: Cannot handle mouseclicks in the tabline * 9.2.0337: list indexing broken on big-endian 32-bit platforms * 9.2.0336: libvterm: no terminal reflow support * 9.2.0335: json_encode() uses recursive algorithm * 9.2.0334: GTK: window geometry shrinks with with client-side decorations * 9.2.0333: filetype: PklProject files are not recognized * 9.2.0332: popup: still opacity rendering issues * 9.2.0331: spellfile: stack buffer overflows in spell file generation * 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough * 9.2.0329: tests: test_indent.vim leaves swapfiles behind * 9.2.0328: Cannot handle mouseclicks in the statusline * 9.2.0327: filetype: uv scripts are not detected * 9.2.0326: runtime(tar): but with dotted path * 9.2.0325: runtime(tar): bug in zstd handling * 9.2.0324: 0x9b byte not unescaped in mapping * 9.2.0323: filetype: buf.lock files are not recognized * 9.2.0322: tests: test_popupwin fails * 9.2.0321: MS-Windows: No OpenType font support * 9.2.0320: several bugs with text properties * 9.2.0319: popup: rendering issues with partially transparent popups * 9.2.0318: cannot configure opacity for popup menu * 9.2.0317: listener functions do not check secure flag * 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType * 9.2.0315: missing bound-checks * 9.2.0314: channel: can bind to all network interfaces * 9.2.0313: Callback channel not registered in GUI * 9.2.0312: C-type names are marked as translatable * 9.2.0311: redrawing logic with text properties can be improved * 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys() * 9.2.0309: Missing out-of-memory check to may_get_cmd_block() * 9.2.0308: Error message E1547 is wrong * 9.2.0307: more mismatches between return types and documentation * 9.2.0306: runtime(tar): some issues with lz4 support * 9.2.0305: mismatch between return types and documentation * 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix * 9.2.0303: tests: zip plugin tests don't check for warning message properly ... changelog too long, skipping 88 lines ... * 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw ==== vlc ==== Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX vlc-qt - Fix Requires for ffmpeg library: For building the package ffmpeg-7-mini-libs may be installed which is used for building only, so the name package cannot be used to determine Requires. ==== xbitmaps ==== Version update (1.1.3 -> 1.1.4) - Update to version 1.1.4 * This release adds support for building with meson as well as autoconf. - switch to meson ==== xrandr ==== Version update (1.5.3 -> 1.5.4) - Update to version 1.5.4 * This release detects when the X server is Xwayland and warns that not all features will work, as rootless Xwayland provides a read-only emulation of RANDR and does not allow changing output configurations with RANDR. * This release also adds support for building with meson as well as autoconf. - switch to meson ==== xterm ==== Version update (407 -> 409) Subpackages: xterm-bin xterm-resize - update to 409: * correct one of the special cases added for Debian #1123877 in patch * update version for Extended Window Manager Hints (EWMH), in manpage. ==== xwayland ==== Version update (24.1.9 -> 24.1.11) - Update to 24.1.11 - This release addresses a number of regressions found in Xwayland 24.1.10: * Avoids spurious focus changes with KDE when listening for mouse buttons is enabled for legacy X11 application support * Fix tablet tools not working anymore as "slave" devices * Fix a crash when running some XTS tests * Fix a crash in window damage handling caused a NULL pointer dereference - supersedes the folloging security patches for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003 (bsc#1260922, bsc#1260923, bsc#1260924, bsc#1260925, bsc#1260926) * bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch * bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch * bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch * bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch * bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch * bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch ==== yast2-trans ==== Version update (84.87.20260414.0f82ab3540 -> 84.87.20260424.fdcdc295f0) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20260424.fdcdc295f0: * Translated using Weblate (Spanish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) ==== zypper ==== Version update (1.14.95 -> 1.14.96) Subpackages: zypper-log zypper-needs-restarting - Autorefresh ris-services the way as plugin-services (bsc#1246504) It's actually wrong to treat service refreshes different depending on the service type. For the purpose of a service it makes no difference how the data about the repos to use are acquired. - version 1.14.96