------------------------------------------------------------------ --- Changelog.all ----------- Sat Jun 6 00:20:28 UTC 2026 ------ ------------------------------------------------------------------ ------------------------------------------------------------------ ------------------ 2026-6-4 - Jun 4 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2026-1801.patch: Use CRLF as line boundary when parsing chunk encoding data (bsc#1257649 CVE-2026-1801 glgo#GNOME/libsoup#481). ------------------------------------------------------------------ ------------------ 2026-6-3 - Jun 3 2026 ------------------- ------------------------------------------------------------------ ++++ rpcbind: - Tue Jun 2 11:32:51 UTC 2026 - Thomas Blume Update to rpcbind 1.2.9 (bsc#1267212) https://lore.kernel.org/linux-nfs/5cad3ab4-d24a-45fa-b1e9-d57b2c47a5e4@redhat.com/ rpcinfo: stack buffer overflow in rpcinfo rpcbaddrlist() * rpcbind: Stop unauthenticated oversized allocation in PMAPPROC_CALLIT decode * rpcbind: fix memory leak in read_warmstart() * rpcbind: fix memory leaks in network_init() * rpcbind: fix memory leak in init_transport() - Update to rpcbind 1.2.8 https://lore.kernel.org/linux-nfs/b553cc5a-46eb-453b-80f0-cfe69ccb7b21@redhat.com/ * Added -v (print version and compile flags) * rpcinfo: Removed a number of "old-style function definition" warnings * man/rpcbind: Update list of options * Comment out ListenStream=@/run/rpcbind.sock * [nfs/nfs-utils/rpcbind] rpcbind: avoid dereferencing NULL from realloc() * systemd/rpcbind.service.in: Add various hardenings options * man/rpcbind: Add Files section to manpage * Moved rpcbind.lock and default configs to /run instead of /var/run - systemd: Upstream added systemd EnvironmentFile: 1) /etc/rpcbind.conf 2) /etc/default/rpcbind 3) /etc/sysconfig/rpcbind (the only one originally used in openSUSE patch for boo#1117217) - systemd: Add 'systemd-tmpfiles-setup.service' into 'Wants' and 'After' targets (originally openSUSE patch for boo#1117217 added 'After=sysinit.target') - Removed patches (accepted upstream): * 0001-systemd-unit-files.patch * harden_rpcbind.service.patch * 0001-change-lockingdir-to-run.patch - Update to rpcbind 1.2.7 * rpcinfo: try connecting using abstract address * Listen on an AF_UNIX abstract address if supported * autotools/systemd: call rpcbind with -w only on enabled warm starts * rpcbind: fix double free in init_transport ------------------------------------------------------------------ ------------------ 2026-5-29 - May 29 2026 ------------------- ------------------------------------------------------------------ ++++ libzypp: - Fix potential crash on malformed or malicious repository metadata (fixes #740) - version 17.38.11 (35) ------------------------------------------------------------------ ------------------ 2026-5-28 - May 28 2026 ------------------- ------------------------------------------------------------------ ++++ libsolv: - fix solv_chksum_free segfault when called with a NULL pointer - bump version to 0.7.39 ------------------------------------------------------------------ ------------------ 2026-5-27 - May 27 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2026-4271.patch: Protect message io while reading and writing (bsc#1259767, CVE-2026-4271, glgo#GNOME/libsoup#496). ++++ libsoup: - Add libsoup-CVE-2026-4271.patch: Protect message io while reading and writing (bsc#1259767, CVE-2026-4271, glgo#GNOME/libsoup#496). ++++ libzypp: - Repo metadata: discard entries referring to a location outside the repo (bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a location outside the repo's local cache directory. Those data entries are reported and discarded. - zypp.conf: Allow [env] section to add environment variables. This feature is designed to enable environment-specific settings or debugging options over an extended period. See zypp.conf(5). - version 17.38.10 (35) ------------------------------------------------------------------ ------------------ 2026-5-26 - May 26 2026 ------------------- ------------------------------------------------------------------ ++++ libsolv: - made repo_add_solv more robust against corrupt files [bsc#1265935] [CVE-2026-9149] - fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039] [CVE-2026-48863] - added limit checks in multiple places to catch overflows - reduce the size of the language id cache - fixed Debian canon selection - fixed dbpath detection in repo_rpmdb_librpm - reduced stack usage in repo page compression (needed for musl) - bump version to 0.7.38 ------------------------------------------------------------------ ------------------ 2026-5-25 - May 25 2026 ------------------- ------------------------------------------------------------------ ++++ python-idna: - CVE-2026-45409: Specially crafted inputs to idna.encode() can bypass earlier security fix(bsc#1265413) Add patch CVE-2026-45409.patch ++++ qemu: - Bug and CVE fixes: * virtio-snd: tighten read amount in in_cb (bsc#1259079, CVE-2026-3196, bsc#1259080, CVE-2026-3195) * virtio-snd: fix max_size bounds check in input cb (bsc#1259079, CVE-2026-3196, bsc#1259080, CVE-2026-3195) * virtio-snd: handle 5.14.6.2 for PCM_INFO properly (bsc#1259079, CVE-2026-3196, bsc#1259080, CVE-2026-3195:) * virtio-snd: remove TODO comments (bsc#1259079, CVE-2026-3196, bsc#1259080, CVE-2026-3195) * block/vmdk: fix OOB read in vmdk_read_extent() (bsc#1258509, CVE-2026-2243) * hyperv/syndbg: check length returned by cpu_physical_memory_map() (bsc#1262089, CVE-2026-3842) * cryptodev-builtin: Limit the maximum size (bsc#1255400, CVE-2025-14876) * hw/virtio/virtio-crypto: verify asym request size (bsc#1255400, CVE-2025-14876) * hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() (bsc#1256484, CVE-2026-0665) * [openSUSE][RPM} spec: delete old specfile constructs ++++ vim: - Update to v9.2.0530. - Fix for SG#71948, bsc#1262395: * vim-9.1.1732-fix-inc-detection.patch: Fix for incorrectly detecting scientific parameter files as bitbake recipies. - Upstream fixed the following bugs / CVEs: * bsc#1264706 CVE-2026-42307 * bsc#1265360 CVE-2026-46483 * bsc#1264708 CVE-2026-45130 * bsc#1264707 CVE-2026-44656 * bsc#1265349 CVE-2026-43961 - Changes: * 9.2.0530: WinBar row vertical separator not refreshed on window change * 9.2.0529: GTK4: clipboard returns empty after a foreign app takes the selection * 9.2.0528: possible overflow in XIM resource handling * 9.2.0527: Possible double free in fill_partial_and_closure() * 9.2.0526: missing out-of-memory check in ex_substitute() * 9.2.0525: spell: memory leak in spell_read_dic() * 9.2.0524: spell: buffer overflow with many affix or compound flags * 9.2.0523: tests: no test for using shellescape() in combination with :! * 9.2.0522: event_nr2name() in autocmd.c can be improved * 9.2.0521: GTK4: cannot resize shell after the window is shown * 9.2.0520: Reversed text opacity in popup when termguicolor is set * 9.2.0519: GTK4: GUI tabline is not displayed correctly * 9.2.0518: GTK4: input method cannot compose text * 9.2.0517: quickfix: can set quickfixtextfunc in restricted/sandbox mode * 9.2.0516: socketserver: spurious error when servername is taken * 9.2.0515: virtualedit=insert doesn't work during change operation * 9.2.0514: GTK4: build errors when socketserver is enabled * 9.2.0513: [security]: memory safety issues in spellfile.c * 9.2.0512: clientserver uses binary protocol * 9.2.0511: configure: when GTK4 is used also links in X11 libs * 9.2.0510: setline() mapping may trigger autoindent * 9.2.0509: term.c: compile error when LOG_TRN is enabled * 9.2.0508: completion: cannot complete user cmd :K with 'ignorecase' * 9.2.0507: Vim9 class: public/protected member name clash uses same error * 9.2.0506: home_replace() function can be improved * 9.2.0505: GTK4: text looks blurry on HiDPI displays * 9.2.0504: configure: requires X11 libraries for GTK4 build * 9.2.0503: Makefile: Missing dependencies for new GTK4 source files * 9.2.0502: runtime(netrw): bookmark handling can be improved * 9.2.0501: GTK4: there is no GTK4 UI available * 9.2.0500: filetype: some html files wrongly recognized as htmlangular * 9.2.0499: modeline: allow to disable modelines with modelinestrict * 9.2.0498: potential heap buffer overflow in if_xcmdsrv.c * 9.2.0497: Cannot jump to remote tags * 9.2.0496: [security]: Code Injection in cucumber filetype plugin * 9.2.0495: [security]: runtime(netrw): code injection via NetrwBookHistSave() * 9.2.0494: User commands cannot handle single args with spaces * 9.2.0493: popup: missing Popup, PopupBorder and PopupTitle hi groups * 9.2.0492: popup: decoration wrongly drawn with clipping on border * 9.2.0491: VMS: various build issues * 9.2.0490: matchfuzzy() can crash on long multi-word patterns * 9.2.0489: filetype: some Objective-C files are not recognized * 9.2.0488: statusline: status line highlight blends into adjacent vsep cells * 9.2.0487: viminfo: possible signed int overflow in register array * 9.2.0486: out-of-bound read when recovering swap files * 9.2.0485: clipboard provider callback can be called recursively * 9.2.0484: TextPutPre triggers clipboard provider callback twice * 9.2.0483: popup: terminal embedded in an opacity popup freezes Vim on input * 9.2.0482: runtime(osc52): triggered twice with TextPutPoste autocmd * 9.2.0481: runtime(netrw): command injection possible via maps * 9.2.0480: [security]: runtime(netrw): code injection via mf command * 9.2.0479: [security]: runtime(tar): command injection in tar plugin * 9.2.0478: channel: redundant str/length assignments in channel_part_info() * 9.2.0477: popup: leftover content after popup_free under layout change * 9.2.0476: pattern completion leaks memory on alloc failures * 9.2.0475: runtime(netrw): bookmark paths not normalized * 9.2.0474: MS-Windows: hard to tell which Visual Studio version was selected with MSVC * 9.2.0473: Pasting ". register without autocommands breaks TextPut* * 9.2.0472: popup: column jitters when scrolled outside viewport * 9.2.0471: vimvars di_key initialized at runtime * 9.2.0470: No way to hook into put commands * 9.2.0469: popup: textprop-anchored popups bleed past host window edges * 9.2.0468: popups: not correctly updated from a CmdlineChanged autocommand * 9.2.0467: multi-line statusline loses highlighting attributes * 9.2.0466: popup: redraw can use stale blended cells * 9.2.0465: modeline: foldmarker cannot be set with modelinestrict * 9.2.0464: runtime(netrw): bookmarking directory uses current dir * 9.2.0463: Not able to use legacy expression evaluation in a vim9script maps * 9.2.0462: MS-Windows: workaround for assert error on GUI * 9.2.0461: Corrupted undofile causes use-after-free * 9.2.0460: did_set_shellpipe_redir() in wrong file * 9.2.0459: tests: test_termcodes fails (after v9.2.0456) * 9.2.0458: Crash with invalid shellredir/shellpipe value * 9.2.0457: Compile warning about unused variable * 9.2.0456: stray p character displayed on some terms * 9.2.0455: 'findfunc' only allows extra info for cmdline completion * 9.2.0454: tests: no test that "abbr" in customlist completion is shown * 9.2.0453: vertical separator of statusline blend into active statusline * 9.2.0452: screen.c popup opacity blend logic is duplicated * 9.2.0451: 'findfunc' can't return extra info for cmdline completion * 9.2.0450: [security]: heap buffer overflow in spellfile.c read_compound() * 9.2.0449: Make proto fails in non GTK builds * 9.2.0448: Vim9: dangling cmdline pointer after skip_expr_cctx() * 9.2.0447: cindent does not ignore comments * 9.2.0446: runtime(netrw): off-by-one bug in s:NetrwUnMarkFile() * 9.2.0445: win_fix_scroll() called before win_comp_pos() in command_height() * 9.2.0444: Cannot set 'path' option via modeline * 9.2.0443: GUI: cancelling save dialog overwrites or discards unnamed buffer * 9.2.0442: completion: i_CTRL-X_CTRL-V doesn't use dict from customlist * 9.2.0441: statusline: click handler not called on multi-line statusline * 9.2.0440: MS-Windows: cursor flicker during update_screen() * 9.2.0439: completion: info popup not removed in cmdline mode * 9.2.0438: tests: test_plugin_termdebug is flaky * 9.2.0437: MS-Windows: cursor flicker in vtp mode * 9.2.0436: Buffer overflow when parsing overlong errorformat lines * 9.2.0435: [security]: backticks in 'path' may cause shell execution on completion * 9.2.0434: cscope: filename interpreted by /bin/sh * 9.2.0433: customlist completion cannot supply pum metadata * 9.2.0432: blob to string conversion can be improved * 9.2.0431: blob encoding can be improved * 9.2.0430: tests: Test_shortmess_F3() is flaky on MS-Windows * 9.2.0429: tests: flaky screendump Test_smoothscroll_incsearch() * 9.2.0428: popup: no opacity support for completepopup/previewpopup * 9.2.0427: popup: opacity blend may leaks white bg color * 9.2.0426: tests: still some flaky screendump tests * 9.2.0425: Cannot silence undo/redo messages * 9.2.0424: popup: flicker when wildtrigger() refreshes the popup menu * 9.2.0423: popup: wrapped cmdline truncated with wildoptions=pum * 9.2.0422: popup: leave stray char when scrollbar changes * 9.2.0421: vimball: can smuggle Vimscript into VimballRecord file * 9.2.0420: channel: cannot handle binary data via channel callbacks * 9.2.0419: popup: rendering issues * 9.2.0418: wildcards in expanded env vars reinterpreted by glob * 9.2.0417: completion: no support for "noinsert" with 'wildmode' * 9.2.0416: Unix: filename completion splits at space for single-file Ex commands * 9.2.0415: Wrong behavior when executing register that ends in Insert mode * 9.2.0414: Flicker when drawing window separator and pum is shown * 9.2.0413: Scrolling wrong with 'splitkeep' when changing 'cmdheight' * 9.2.0412: channel: term_start() out_cb/err_cb no longer deliver raw chunks * 9.2.0411: tabpanel: no Vim script functions for the tabpanel * 9.2.0410: test suite races when run with parallel make * 9.2.0409: memory leaks in copy_substring_from_pos() * 9.2.0408: Insert-mode edits can corrupt undo * 9.2.0407: tabpanel: A few issues with the tabpanel * 9.2.0406: VisualNOS not used when Wayland selection ownership lost * 9.2.0405: when jumping to tags, will open URLs * 9.2.0404: redraw_listener_add() does not check secure flag * 9.2.0403: Vim9: def function sandbox bypass * 9.2.0402: pum: opacity not applied to wildmenu pum * 9.2.0401: tests: still a few flaky tests * 9.2.0400: sandbox callbacks selected through 'complete' * 9.2.0399: MS-Windows: compile warning in strptime.c ------------------------------------------------------------------ ------------------ 2026-5-22 - May 22 2026 ------------------- ------------------------------------------------------------------ ++++ ignition: - Add CVE-2026-33814.patch * Fixes [bsc#1265751] ------------------------------------------------------------------ ------------------ 2026-5-21 - May 21 2026 ------------------- ------------------------------------------------------------------ ++++ unbound: - Add security patch unbound-patch_combined-1.25.1_v3.diff: * CVE-2026-33278, bsc#1265587: Possible remote code execution during DNSSEC validation * CVE-2026-42944, bsc#1265578: Heap overflow and crash with multiple nsid, cookie, padding EDNS options * CVE-2026-42959, bsc#1265586: Crash during DNSSEC validation of malicious content * CVE-2026-32792, bsc#1265583: Packet of death with DNSCrypt * CVE-2026-40622, bsc#1265581: "Ghost domain name" variant * CVE-2026-41292, bsc#1265580: Parsing a long list of incoming EDNS options degrades performance * CVE-2026-42534, bsc#1265585: Jostle logic bypass degrades resolution performance * CVE-2026-42923, bsc#1265589: Degradation of service with unbounded NSEC3 hash calculations * CVE-2026-42960, bsc#1265588: Possible cache poisoning attack while following delegation * CVE-2026-44390, bsc#1265584: Unbounded name compression in certain cases causes degradation of service * CVE-2026-44608, bsc#1265582: Use after free and crash in RPZ code. ------------------------------------------------------------------ ------------------ 2026-5-20 - May 20 2026 ------------------- ------------------------------------------------------------------ ++++ salt: - Use non vendored tornado with Python 3.11 (bsc#1257583, bsc#1259700) - Added: * use-non-vendored-tornado-with-python-3.11.patch ------------------------------------------------------------------ ------------------ 2026-5-19 - May 19 2026 ------------------- ------------------------------------------------------------------ ++++ libzypp: - Prevent configured scripts from escaping the sigcheck directory (bsc#1265223, CVE-2026-44933) - StringV: guard hasPrefix/hasPrefixCI against reading past the view end (fixes #735) - version 17.38.9 (35) ++++ timezone: - Update to 2026b: * British Columbia moved to permanent -07 on 2026-03-09. (bsc#1264965) * Some more overflow bugs have been fixed in zic. - Refresh revert-philippines-historical-data.patch ------------------------------------------------------------------ ------------------ 2026-5-18 - May 18 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Add CVE-2026-4802.patch to backport upstreams fix for bsc#1265040/CVE-2026-4802 - Update dependencies to fix bsc#1257836/CVE-2026-25547 ++++ xz: - Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743) * CVE-2026-34743.patch ++++ python-urllib3: - CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied low-level redirects (bsc#1265267) Add patch CVE-2026-44431.patch ++++ rsync: - Security update: - bsc#1234100, CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing - bsc#1234101, CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR - bsc#1234102, CVE-2024-12086: server leaks arbitrary client files - bsc#1234103, CVE-2024-12087: server can make client write files outside of destination directory using symbolic links - bsc#1234104, CVE-2024-12088: --safe-links bypass - bsc#1235475, CVE-2024-12747: Race Condition in rsync Handling Symbolic Links - bsc#1254441, CVE-2025-10158: Out of bounds array access via negative index - bsc#1262223, CVE-2026-41035: Count of entries mismatch can lead to a use-after-free - bsc#1264511, CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no) - bsc#1264515, CVE-2026-43617: Authorization Bypass via Hostname Resolution - bsc#1264512, CVE-2026-43618: Integer Overflow Information Disclosure - bsc#1264514, CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls - bsc#1264513, CVE-2026-43620: Out-of-Bounds Array Read via recv_files() - bsc#1265296, CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing - With the big security update above-mentioned, we received a big amount of harderning patches that are pre-requisitoes that we added to this version: - rsync-hardening-0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch - rsync-hardening-0002-hlink-Fix-function-pointer-cast-in-qsort.patch - rsync-hardening-0003-bool-is-a-keyword-in-C23.patch - rsync-hardening-0004-Fix-warning-about-missing-bomb-.-prototype.patch - rsync-hardening-0005-CVE-2024-12084-Some-checksum-buffer-fixes.patch (replaces: rsync-CVE-2024-12084-overflow-01.patch) - rsync-hardening-0006-CVE-2024-12084-Another-cast-when-multiplying-integers.patch (replaces: rsync-CVE-2024-12084-overflow-02.patch) - rsync-hardening-0007-CVE-2024-12085-prevent-information-leak-off-the-stack.patch (replaces: rsync-CVE-2024-12085.patch) - rsync-hardening-0008-CVE-2024-12086-refuse-fuzzy-options-when-fuzzy-not-selected.patch (replaces: rsync-CVE-2024-12086_01.patch) - rsync-hardening-0009-added-secure_relative_open.patch (replaces: rsync-CVE-2024-12086_02.patch) - rsync-hardening-0010-receiver-use-secure_relative_open-for-basis-file.patch (replaces: rsync-CVE-2024-12086_03.patch) - rsync-hardening-0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch (replaces: rsync-CVE-2024-12086_04.patch) - rsync-hardening-0012-CVE-2024-12087-Refuse-a-duplicate-dirlist.patch (replaces: rsync-CVE-2024-12087_01.patch) - rsync-hardening-0013-CVE-2024-12087-range-check-dir_ndx-before-use.patch (replaces:: rsync-CVE-2024-12087_02.patch) - rsync-hardening-0014-CVE-2024-12088-make-safe-links-stricter.patch (replaces: rsync-CVE-2024-12088.patch) - rsync-hardening-0015-CVE-2024-12747-fixed-symlink-race-condition-in-sender.patch (replaces: rsync-CVE-2024-12747.patch) - rsync-hardening-0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch - rsync-hardening-0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch - rsync-hardening-0018-Using-a-correct-time-in-log-file.patch - rsync-hardening-0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch (replaces: rsync-no-libattr.patch) - rsync-hardening-0020-util-fixed-issue-in-clean_fname.patch - rsync-hardening-0021-testsuite-added-clean-fname-underflow-test.patch - rsync-hardening-0022-CVE-2025-10158-fixed-an-invalid-access-to-files-array.patch (replaces: rsync-CVE-2025-10158.patch) - rsync-hardening-0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch - rsync-hardening-0024-reject-negative-token-values-in-compressed-stream-re.patch - rsync-hardening-0025-acl-fixed-ACL-ID-mapping-for-non-root.patch - rsync-hardening-0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch - rsync-hardening-0027-Fix-glibc-2.43-constness-warnings.patch - rsync-hardening-0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch - rsync-hardening-0030-zero-all-new-memory-from-allocations.patch - rsync-hardening-0031-CVE-2026-41035-xattrs-fixed-count-in-qsort.patch - rsync-hardening-0032-call-tzset-before-chroot-to-cache-timezone-data.patch - rsync-hardening-0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch - rsync-hardening-0034-syscall-use-openat2-RESOLVE_BENEATH-on-Linux-for-sec.patch - rsync-hardening-0035-syscall-also-use-O_RESOLVE_BENEATH-on-FreeBSD-and-Ma.patch - rsync-hardening-0036-testsuite-skip-symlink-dirlink-basis-on-platforms-wi.patch - rsync-hardening-0037-CVE-2026-29518-syscall-clientserver-am_chrooted-and-use_secure_syml.patch - rsync-hardening-0038-CVE-2026-29518-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch - rsync-hardening-0039-CVE-2026-43619-syscall-receiver-secure-receiver-side-do_chmod-again.patch - rsync-hardening-0040-CVE-2026-43619-util1-secure-change_dir-against-symlink-race-chdir-e.patch - rsync-hardening-0041-CVE-2026-43619-syscall-add-symlink-race-safe-do_-_at-wrappers-and-h.patch - rsync-hardening-0042-CVE-2026-43619-util1-syscall-secure-copy_file-source-dest-opens-bar.patch - rsync-hardening-0043-CVE-2026-43619-testsuite-end-to-end-regression-test-for-chdir-symli.patch - rsync-hardening-0044-CVE-2026-43618-token-harden-compressed-token-decoding-against-integ.patch - rsync-hardening-0045-CVE-2026-43618-testsuite-cover-refuse-options-compress-for-the-daem.patch - rsync-hardening-0046-CVE-2026-43620-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch - rsync-hardening-0047-CVE-2026-43617-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch - rsync-hardening-0048-CVE-2026-43618-defence-in-depth-bound-wire-supplied-counts-and-leng.patch - rsync-hardening-0049-CVE-2026-43618-defence-in-depth-guard-cumulative-snprintf-against-l.patch - rsync-hardening-0050-CVE-2026-43620-defence-in-depth-receiver-block-index-bounds-read_de.patch - rsync-hardening-0052-exclude-fix-crashes-with-fortified-strlcpy.patch (replaces: rsync-fortified-strlcpy-fix.patch) - rsync-hardening-0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch - rsync-hardening-0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch - rsync-hardening-0056-testsuite-fixes-for-3.2.7-backport.patch - rsync-hardening-0057-rsync.h-lower-MAX_WIRE_DEL_STAT-to-avoid-signed-int-.patch - rsync-hardening-0058-CVE-2026-45232-socket-reject-over-long-proxy-response-line.patch - rsync-hardening-0059-main-reject-hyphen-prefixed-remote-shell-hostnames.patch - rsync-hardening-0060-util1-handle-out-of-range-times-in-timestring.patch - A few hardening patches were discarded, as the don't affect SUSE distributions: - rsync-hardening-0028-zlib-convert-K-R-function-definitions-to-ANSI-style (we don't bundle zlib, nothing to patch) - rsync-hardening-0051-CI-added-workflows-from-master-for-backport-testing (fixes CI Github Actions, not present in release tarballs) - rsync-hardening-0054-ci-update-RSYNC_EXPECT_SKIPPED-for-3.2.7-backport-ba (fixes CI Github Actions, not present in release tarballs) - Rename rsync-fix-FLAG_GOT_DIR_FLIST.patch to rsync-fix-duplicate.patch to align codestreams. ------------------------------------------------------------------ ------------------ 2026-5-15 - May 15 2026 ------------------- ------------------------------------------------------------------ ++++ util-linux: - loopdev: Prevent unauthorized read access to symlinked filesystem images (bsc#1261606, CVE-2026-27456, util-linux-CVE-2026-27456.patch). ++++ util-linux-systemd: - loopdev: Prevent unauthorized read access to symlinked filesystem images (bsc#1261606, CVE-2026-27456, util-linux-CVE-2026-27456.patch). ------------------------------------------------------------------ ------------------ 2026-5-13 - May 13 2026 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to Docker 29.4.0. See upstream changelog online at - Update to buildx 0.33.0. See upstream changelog online at - Rebased patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch - Removed patch * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch (applicable only when docker version < v29.1.0) ++++ iproute2: - update to a copy of SLE15 SP6 package * update to upstream 6.4 release - bridge: mdb: added underlay destination IP support, UDP destination port support, destination VNI support, source VNI support, outgoing interface support - macvlan: added the "bclim" parameter * existing patches moved to patches.tar.xz: - adjust-installation-directories-for-openSUSE-SLE.patch - use-sysconf-_SC_CLK_TCK-if-HZ-undefined.patch - add-explicit-typecast-to-avoid-gcc-warning.patch - split-link-and-compile-steps-for-binaries.patch - support display of bound but unconnected sockets (bsc#1204562) * ss-Add-support-for-dumping-TCP-bound-inactive-socket.patch - avoid spurious cgroup warning (bsc#1234383): - ss-Tone-down-cgroup-path-resolution.patch - add post-6.4 follow-up fixes (bsc#1243005): * bond-fix-stack-smash-in-xstats.patch * bpf-fix-warning-from-basename.patch * bridge-fdb-add-an-error-print-for-unknown-command.patch * bridge-vni-Accept-del-command.patch * bridge-vni-Fix-duplicate-group-and-remote-error-mess.patch * bridge-vni-Fix-vni-filter-help-strings.patch * bridge-vni-Remove-dead-code-in-group-argument-parsin.patch * bridge-vni-Report-duplicate-vni-argument-using-dupar.patch * f_flower-Treat-port-0-as-valid.patch * genl-ctrl.c-spelling-fix-in-error-message.patch * ip-Add-missing-echo-option-to-usage.patch * ip-Add-missing-stats-command-to-usage.patch * ip-ipmroute-use-preferred_family-to-get-prefix.patch * ip-remove-non-existent-amt-subcommand-from-usage.patch * iplink-fix-fd-leak-when-playing-with-netns.patch * iplink_bridge-fix-incorrect-root-id-dump.patch * iplink_xstats-spelling-fix-in-error-message.patch * iproute2-fix-type-incompatibility-in-ifstat.c.patch * iproute2-prevent-memory-leak.patch * libnetlink-validate-nlmsg-header-length-first.patch * man-devlink-resource-add-missing-words-in-the-exampl.patch * mnl_utils-sanitize-incoming-netlink-payload-size-in-.patch * rdma-Fix-help-information-of-rdma-resource.patch * rdma-Fix-the-error-of-accessing-string-variable-outs.patch * rdma-use-print_XXX-instead-of-COLOR_NONE.patch * ss-Fix-socket-type-check-in-packet_show_line.patch * ss-fix-directory-leak-when-T-option-is-used.patch * ss-mptcp-display-info-counters-as-unsigned.patch * ss-prevent-Process-column-from-being-printed-unless-.patch * ss-show-extra-info-when-processes-is-not-used.patch * tc-gred-fix-debug-print.patch * tc-taprio-don-t-print-netlink-attributes-which-weren.patch * tc-taprio-fix-JSON-output-when-TCA_TAPRIO_ATTR_ADMIN.patch * tc-taprio-fix-parsing-of-fp-option-when-it-doesn-t-a.patch * vdpa-consume-device_features-parameter.patch - devlink: support ipsec_crypto and ipsec_packet cap (bsc#1248660) * add devlink-Support-setting-port-function-ipsec_crypto-c.patch * add devlink-Support-setting-port-function-ipsec_packet-c.patch * refresh ss-Tone-down-cgroup-path-resolution.patch - sync UAPI header copies with SLE15-SP6 kernel * sync-UAPI-header-copies-with-SLE15-SP6.patch - add CVE fix (CVE-2024-58251 bsc#1254324) * ss-escape-characters-in-command-name.patch ++++ zypper: - Add --filter-version-change to zypper lu. Adds filtering by version change significance to reduce noise in update listings. Supports levels: rebuild (hides rebuild-only changes) and package (hides all release-only changes). - version 1.14.97 ------------------------------------------------------------------ ------------------ 2026-5-12 - May 12 2026 ------------------- ------------------------------------------------------------------ ++++ dnsmasq: - Update to security release 2.92rel2: * CVE-2026-2291, bsc#1258251: dnsmasq can be abused to record false cached data enabling DoS or attacker redirect. * CVE-2026-4890, bsc#1265001: DoS vulnerability in the DNSSEC validation. * CVE-2026-4891, bsc#1265002: heap-based out-of-bounds read vulnerability in the DNSSEC validation. * CVE-2026-4892, bsc#1265003: heap-based out-of-bounds write vulnerability in the DHCPv6 implementation. * CVE-2026-4893, bsc#1265004: information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks. * CVE-2026-5172, bsc#1265006: buffer overflow in dnsmasq’s extract_addresses() function. ++++ libzypp: - Mandatory signature verification plugin support (PED#11922) - version 17.38.8 (35) ++++ libzypp: - Mandatory signature verification plugin support (PED#11922) - version 17.38.8 (35) ------------------------------------------------------------------ ------------------ 2026-5-11 - May 11 2026 ------------------- ------------------------------------------------------------------ ++++ glibc: - ungetwc-byte-stream.patch: libio: Fix ungetwc operating on byte stream (CVE-2026-5928, bsc#1262464, BZ #33998) - scanf-mc-buffer-overflow.patch: stdio-common: Fix buffer overflow in scanf %mc (CVE-2026-5450, bsc#1262465, BZ #34008) ++++ freeipmi: - bsc#1260414 - CVE-2026-33554: freeipmi: improper memory handling and data validation can lead A ipmi-oem-fix-several-memory-out-of-bounds-errors.patch ------------------------------------------------------------------ ------------------ 2026-5-8 - May 8 2026 ------------------- ------------------------------------------------------------------ ++++ busybox: - Fix heap buffer overflow vulnerability in the DHCPv6 client (CVE-2026-29004, bsc#1263989) * 0001-udhcpc6-fix-buffer-overflow.patch * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch ++++ openssh: - Added openssh-cve-2026-35385-scp-setuid-modes.patch (bsc#1261427), ensuring setuid bits default to being masked out by scp. - Added openssh-cve-2026-35414-mishandled-ca-commas.patch (bsc#1261430), fixing mishandling of comma characters in CA in certain situations. ------------------------------------------------------------------ ------------------ 2026-5-7 - May 7 2026 ------------------- ------------------------------------------------------------------ ++++ rsync: - Security update (CVE-2026-41035, bsc#1262223): rsync: count of entries mismatch can lead to a use-after-free - Add rsync-CVE-2026-41035.patch ++++ rsync: - Security update (CVE-2026-41035, bsc#1262223): rsync: count of entries mismatch can lead to a use-after-free - Add rsync-CVE-2026-41035.patch ------------------------------------------------------------------ ------------------ 2026-5-6 - May 6 2026 ------------------- ------------------------------------------------------------------ ++++ gnutls: - Security fixes: * CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705) * CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708) * CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704) * CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709) * CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707) * CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710) * CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711) * CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712) * CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713) * CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds check (bsc#1263714) * CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715) * CVE-2026-5419: gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free (bsc#1263716) * Add patches: gnutls-CVE-2026-33846.patch gnutls-CVE-2026-42009.patch gnutls-CVE-2026-33845.patch gnutls-CVE-2026-42010.patch gnutls-CVE-2026-3833.patch gnutls-CVE-2026-42011.patch gnutls-CVE-2026-42012.patch gnutls-CVE-2026-42013.patch gnutls-CVE-2026-42014.patch gnutls-CVE-2026-5260.patch gnutls-CVE-2026-42015.patch gnutls-CVE-2026-5419.patch ++++ krb5: - Fix Fix two NegoEx parsing vulnerabilities: * CVE-2026-40355, bsc#1263366 * CVE-2026-40356, bsc#1263367 - Add patch 0014-Fix-two-NegoEx-parsing-vulnerabilities.patch ------------------------------------------------------------------ ------------------ 2026-5-5 - May 5 2026 ------------------- ------------------------------------------------------------------ ++++ glibc: - ibm139x-pending-char-state.patch: Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046, bsc#1261206, BZ #33980) ++++ python-lxml: - CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254) Add patches: * CVE-2026-41066.patch * disable-external-entity-resolution.patch - Add upstream patch to fix tests with libexpat 2.6, gh#lxml/lxml@3ccc7d583, libexpat-2.6.patch ------------------------------------------------------------------ ------------------ 2026-5-4 - May 4 2026 ------------------- ------------------------------------------------------------------ ++++ python-pyOpenSSL: - CVE-2026-40475: improper input handling of null bytes can lead to silent data truncation and security-state inconsistency (bsc#1262803) * CVE-2026-40475.patch ------------------------------------------------------------------ ------------------ 2026-4-30 - Apr 30 2026 ------------------- ------------------------------------------------------------------ ++++ containerd: - Add patch for CVE-2026-33186 (bsc#1260296): * 0002-CVE-2026-33186-containerd-google.golang.org-grpc-aut.patch ------------------------------------------------------------------ ------------------ 2026-4-28 - Apr 28 2026 ------------------- ------------------------------------------------------------------ ++++ cups: - Version upgrade to 2.4.19: See https://github.com/openprinting/cups/releases Release 2.4.19 contains another hotfix after CVE-2026-27447 fix: * Fixed a regression in shared printing from non-local accounts (Issue #1557) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.19 - Added 'Michael R Sweet' key to cups.keyring because cups-2.4.19-source.tar.gz.sig belongs to him. ++++ firewalld: - FIX CVE-2026-4948: local unprivileged users can modify firewall state due to D-Bus setter mis-authorizations [+ 0001-Fix-CVE-2026-4948-local-unprivileged-users-can-modif.patch] ------------------------------------------------------------------ ------------------ 2026-4-27 - Apr 27 2026 ------------------- ------------------------------------------------------------------ ++++ avahi: - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) ++++ tiff: - * CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411) Add tiff-CVE-2026-4775.patch ++++ libzypp: - Fix purge-kernel -rc kernel handling (bsc#1239718) - Explicitly_set_pool_DISTTYPE_RPM (fixes #726) - version 17.38.7 (35) ++++ libzypp: - Fix purge-kernel -rc kernel handling (bsc#1239718) - Explicitly_set_pool_DISTTYPE_RPM (fixes #726) - version 17.38.7 (35) ++++ salt: - BDSA-2025-60810: Harden Tornado from invalid HTTP reason phrases - Read full URI from ldap pillar config (bsc#1254900) - Added: * bdsa-2025-60810-harden-against-invalid-http-reason-p.patch * read-full-uri-from-ldap-pillar-config-753.patch ------------------------------------------------------------------ ------------------ 2026-4-26 - Apr 26 2026 ------------------- ------------------------------------------------------------------ ++++ vim: - Fix bsc#1261833 / CVE-2026-39881. - Update to 9.2.0398. - Changes: * 9.2.0398: MS-Windows: missing strptime() support * 9.2.0397: tabpanel: double-click opens a new tab * 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS * 9.2.0395: tests: Test_backupskip() may read from $HOME * 9.2.0394: xxd: offsets greater than LONG_MAX print as negative * 9.2.0393: MS-Windows: link error with XPM support on UCRT64 * 9.2.0392: tests: Some tests are flaky * 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting * 9.2.0390: filetype: some Beancount files are not recognized * 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app * 9.2.0388: strange indent in update_topline() * 9.2.0387: DECRQM request may leave stray chars in terminal * 9.2.0386: No scroll/scrollbar support in the tabpanel * 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff' * 9.2.0384: stale Insstart after cursor move breaks undo * 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs * 9.2.0382: Wayland: focus-stealing is non-working * 9.2.0381: Vim9: Missing check_secure() in exec_instructions() * 9.2.0380: completion: a few issues in completion code * 9.2.0379: gui.color_approx is never used * 9.2.0378: Using int as bool type in win_T struct * 9.2.0377: Using int as bool type in gui_T struct * 9.2.0376: Vim9: elseif condition compiled in dead branch * 9.2.0375: prop_find() does not find a virt text in starting line * 9.2.0374: c_CTRL-{G,T} does not handle offset * 9.2.0373: Ctrl-R mapping not triggered during completion * 9.2.0372: pum: rendering issues with multibyte text and opacity * 9.2.0371: filetype: ghostty config files are not recognized * 9.2.0370: duplicate code with literal string_T assignment * 9.2.0369: multiple definitions of STRING_INIT macro * 9.2.0368: too many strlen() calls when adding strings to dicts * 9.2.0367: runtime(netrw): ~ note expanded on MS Windows * 9.2.0366: pum: flicker when updating pum in place * 9.2.0365: using int as bool * 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails * 9.2.0363: Vim9: variable shadowed by script-local function * 9.2.0362: division by zero with smoothscroll and small windows * 9.2.0361: tests: no tests for ch_listen() with IPs * 9.2.0360: Cannot handle mouse-clicks in the tabpanel * 9.2.0359: wrong VertSplitNC highlighting on winbar * 9.2.0358: runtime(vimball): still path traversal attacks possible * 9.2.0357: [security]: command injection via backticks in tag files * 9.2.0356: Cannot apply 'scrolloff' context lines at end of file * 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract() * 9.2.0354: filetype: not all Bitbake include files are recognized * 9.2.0353: Missing out-of-memory check in register.c * 9.2.0352: 'winhighlight' of left window blends into right window * 9.2.0351: repeat_string() can be improved * 9.2.0350: Enabling modelines poses a risk * 9.2.0349: cannot style non-current window separator * 9.2.0348: potential buffer underrun when setting statusline like option * 9.2.0347: Vim9: script-local variable not found * 9.2.0346: Wrong cursor position when entering command line window * 9.2.0345: Wrong autoformatting with 'autocomplete' * 9.2.0344: channel: ch_listen() can bind to network interface * 9.2.0343: tests: test_clientserver may fail on slower systems * 9.2.0342: tests: test_excmd.vim leaves swapfiles behind * 9.2.0341: some functions can be run from the sandbox * 9.2.0340: pum_redraw() may cause flicker * 9.2.0339: regexp: nfa_regmatch() allocates and frees too often * 9.2.0338: Cannot handle mouseclicks in the tabline * 9.2.0337: list indexing broken on big-endian 32-bit platforms * 9.2.0336: libvterm: no terminal reflow support * 9.2.0335: json_encode() uses recursive algorithm * 9.2.0334: GTK: window geometry shrinks with with client-side decorations * 9.2.0333: filetype: PklProject files are not recognized * 9.2.0332: popup: still opacity rendering issues * 9.2.0331: spellfile: stack buffer overflows in spell file generation * 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough * 9.2.0329: tests: test_indent.vim leaves swapfiles behind * 9.2.0328: Cannot handle mouseclicks in the statusline * 9.2.0327: filetype: uv scripts are not detected * 9.2.0326: runtime(tar): but with dotted path * 9.2.0325: runtime(tar): bug in zstd handling * 9.2.0324: 0x9b byte not unescaped in mapping * 9.2.0323: filetype: buf.lock files are not recognized * 9.2.0322: tests: test_popupwin fails * 9.2.0321: MS-Windows: No OpenType font support * 9.2.0320: several bugs with text properties * 9.2.0319: popup: rendering issues with partially transparent popups * 9.2.0318: cannot configure opacity for popup menu * 9.2.0317: listener functions do not check secure flag * 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType * 9.2.0315: missing bound-checks * 9.2.0314: channel: can bind to all network interfaces * 9.2.0313: Callback channel not registered in GUI * 9.2.0312: C-type names are marked as translatable * 9.2.0311: redrawing logic with text properties can be improved * 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys() * 9.2.0309: Missing out-of-memory check to may_get_cmd_block() * 9.2.0308: Error message E1547 is wrong * 9.2.0307: more mismatches between return types and documentation * 9.2.0306: runtime(tar): some issues with lz4 support * 9.2.0305: mismatch between return types and documentation * 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix * 9.2.0303: tests: zip plugin tests don't check for warning message properly * 9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces * 9.2.0301: Vim9: void function return value inconsistent * 9.2.0300: The vimball plugin needs some love * 9.2.0299: runtime(zip): may write using absolute paths * 9.2.0298: Some internal variables are not modified * 9.2.0297: libvterm: can improve CSI overflow code * 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c * 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak' * 9.2.0294: if_lua: lua interface does not work with lua 5.5 * 9.2.0293: :packadd may lead to heap-buffer-overflow * 9.2.0292: E340 internal error when using method call on void value * 9.2.0291: too many strlen() calls * 9.2.0290: Amiga: no support for AmigaOS 3.x * 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting * 9.2.0288: libvterm: signed integer overflow parsing long CSI args * 9.2.0287: filetype: not all ObjectScript routines are recognized * 9.2.0286: still some unnecessary (int) casts in alloc() * 9.2.0285: :syn sync grouphere may go beyond end of line * 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count * 9.2.0283: unnecessary (int) casts before alloc() calls * 9.2.0282: tests: Test_viminfo_len_overflow() fails * 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows ++++ vim: - Fix bsc#1261833 / CVE-2026-39881. - Update to 9.2.0398. - Changes: * 9.2.0398: MS-Windows: missing strptime() support * 9.2.0397: tabpanel: double-click opens a new tab * 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS * 9.2.0395: tests: Test_backupskip() may read from $HOME * 9.2.0394: xxd: offsets greater than LONG_MAX print as negative * 9.2.0393: MS-Windows: link error with XPM support on UCRT64 * 9.2.0392: tests: Some tests are flaky * 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting * 9.2.0390: filetype: some Beancount files are not recognized * 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app * 9.2.0388: strange indent in update_topline() * 9.2.0387: DECRQM request may leave stray chars in terminal * 9.2.0386: No scroll/scrollbar support in the tabpanel * 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff' * 9.2.0384: stale Insstart after cursor move breaks undo * 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs * 9.2.0382: Wayland: focus-stealing is non-working * 9.2.0381: Vim9: Missing check_secure() in exec_instructions() * 9.2.0380: completion: a few issues in completion code * 9.2.0379: gui.color_approx is never used * 9.2.0378: Using int as bool type in win_T struct * 9.2.0377: Using int as bool type in gui_T struct * 9.2.0376: Vim9: elseif condition compiled in dead branch * 9.2.0375: prop_find() does not find a virt text in starting line * 9.2.0374: c_CTRL-{G,T} does not handle offset * 9.2.0373: Ctrl-R mapping not triggered during completion * 9.2.0372: pum: rendering issues with multibyte text and opacity * 9.2.0371: filetype: ghostty config files are not recognized * 9.2.0370: duplicate code with literal string_T assignment * 9.2.0369: multiple definitions of STRING_INIT macro * 9.2.0368: too many strlen() calls when adding strings to dicts * 9.2.0367: runtime(netrw): ~ note expanded on MS Windows * 9.2.0366: pum: flicker when updating pum in place * 9.2.0365: using int as bool * 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails * 9.2.0363: Vim9: variable shadowed by script-local function * 9.2.0362: division by zero with smoothscroll and small windows * 9.2.0361: tests: no tests for ch_listen() with IPs * 9.2.0360: Cannot handle mouse-clicks in the tabpanel * 9.2.0359: wrong VertSplitNC highlighting on winbar * 9.2.0358: runtime(vimball): still path traversal attacks possible * 9.2.0357: [security]: command injection via backticks in tag files * 9.2.0356: Cannot apply 'scrolloff' context lines at end of file * 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract() * 9.2.0354: filetype: not all Bitbake include files are recognized * 9.2.0353: Missing out-of-memory check in register.c * 9.2.0352: 'winhighlight' of left window blends into right window * 9.2.0351: repeat_string() can be improved * 9.2.0350: Enabling modelines poses a risk * 9.2.0349: cannot style non-current window separator * 9.2.0348: potential buffer underrun when setting statusline like option * 9.2.0347: Vim9: script-local variable not found * 9.2.0346: Wrong cursor position when entering command line window * 9.2.0345: Wrong autoformatting with 'autocomplete' * 9.2.0344: channel: ch_listen() can bind to network interface * 9.2.0343: tests: test_clientserver may fail on slower systems * 9.2.0342: tests: test_excmd.vim leaves swapfiles behind * 9.2.0341: some functions can be run from the sandbox * 9.2.0340: pum_redraw() may cause flicker * 9.2.0339: regexp: nfa_regmatch() allocates and frees too often * 9.2.0338: Cannot handle mouseclicks in the tabline * 9.2.0337: list indexing broken on big-endian 32-bit platforms * 9.2.0336: libvterm: no terminal reflow support * 9.2.0335: json_encode() uses recursive algorithm * 9.2.0334: GTK: window geometry shrinks with with client-side decorations * 9.2.0333: filetype: PklProject files are not recognized * 9.2.0332: popup: still opacity rendering issues * 9.2.0331: spellfile: stack buffer overflows in spell file generation * 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough * 9.2.0329: tests: test_indent.vim leaves swapfiles behind * 9.2.0328: Cannot handle mouseclicks in the statusline * 9.2.0327: filetype: uv scripts are not detected * 9.2.0326: runtime(tar): but with dotted path * 9.2.0325: runtime(tar): bug in zstd handling * 9.2.0324: 0x9b byte not unescaped in mapping * 9.2.0323: filetype: buf.lock files are not recognized * 9.2.0322: tests: test_popupwin fails * 9.2.0321: MS-Windows: No OpenType font support * 9.2.0320: several bugs with text properties * 9.2.0319: popup: rendering issues with partially transparent popups * 9.2.0318: cannot configure opacity for popup menu * 9.2.0317: listener functions do not check secure flag * 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType * 9.2.0315: missing bound-checks * 9.2.0314: channel: can bind to all network interfaces * 9.2.0313: Callback channel not registered in GUI * 9.2.0312: C-type names are marked as translatable * 9.2.0311: redrawing logic with text properties can be improved * 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys() * 9.2.0309: Missing out-of-memory check to may_get_cmd_block() * 9.2.0308: Error message E1547 is wrong * 9.2.0307: more mismatches between return types and documentation * 9.2.0306: runtime(tar): some issues with lz4 support * 9.2.0305: mismatch between return types and documentation * 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix * 9.2.0303: tests: zip plugin tests don't check for warning message properly * 9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces * 9.2.0301: Vim9: void function return value inconsistent * 9.2.0300: The vimball plugin needs some love * 9.2.0299: runtime(zip): may write using absolute paths * 9.2.0298: Some internal variables are not modified * 9.2.0297: libvterm: can improve CSI overflow code * 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c * 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak' * 9.2.0294: if_lua: lua interface does not work with lua 5.5 * 9.2.0293: :packadd may lead to heap-buffer-overflow * 9.2.0292: E340 internal error when using method call on void value * 9.2.0291: too many strlen() calls * 9.2.0290: Amiga: no support for AmigaOS 3.x * 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting * 9.2.0288: libvterm: signed integer overflow parsing long CSI args * 9.2.0287: filetype: not all ObjectScript routines are recognized * 9.2.0286: still some unnecessary (int) casts in alloc() * 9.2.0285: :syn sync grouphere may go beyond end of line * 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count * 9.2.0283: unnecessary (int) casts before alloc() calls * 9.2.0282: tests: Test_viminfo_len_overflow() fails * 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows ------------------------------------------------------------------ ------------------ 2026-4-24 - Apr 24 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fixes: * CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631) * CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632) * CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635) * CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636) * CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638) * sws: prevent "connection monitor" to say disconnect twice (bsc#1259362) * Add patches: - curl-CVE-2026-4873.patch - curl-CVE-2026-5545.patch - curl-CVE-2026-6253.patch - curl-CVE-2026-6276.patch - curl-CVE-2026-6429.patch - curl-CVE-2026-1965-disable-ntlm-fix.patch ++++ mozilla-nss: - update to NSS 3.112.5 * bmo#2033783 - reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max. * bmo#2034185 - update to version 2.84 of builtins module. ------------------------------------------------------------------ ------------------ 2026-4-23 - Apr 23 2026 ------------------- ------------------------------------------------------------------ ++++ Mesa: - bsc1261998-CVE-2026-40393-nir-Use-STACK_ARRAY-instead-of-NIR_VLA.patch bsc1261998-CVE-2026-40393-spirv-Use-STACK_ARRAY-instead-of-NIR_VLA.patch * Mesa: out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party (bsc#1261998, CVE-2026-40393) ++++ Mesa-drivers: - bsc1261998-CVE-2026-40393-nir-Use-STACK_ARRAY-instead-of-NIR_VLA.patch bsc1261998-CVE-2026-40393-spirv-Use-STACK_ARRAY-instead-of-NIR_VLA.patch * Mesa: out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party (bsc#1261998, CVE-2026-40393) ++++ cups: - Version upgrade to 2.4.18: See https://github.com/openprinting/cups/releases The new release 2.4.18 contains hotfix after CVE-2026-27447 fix: * Fixed cupsd crash if user does not exist (Issue #1555) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18 ++++ libsolv: - fix parsing of sha512 checksums in debian repositories - improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast - fix parsing of recommands in the old Mandriva synthesis format - bump version to 0.7.37 ++++ libsolv: - fix parsing of sha512 checksums in debian repositories [bsc#1265938] [CVE-2026-9150] - improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast - fix parsing of recommends in the old Mandriva synthesis format - bump version to 0.7.37 ------------------------------------------------------------------ ------------------ 2026-4-22 - Apr 22 2026 ------------------- ------------------------------------------------------------------ ++++ dnsmasq: - bsc#1262487, CVE-2026-6507, dnsmasq-CVE-2026-6507.patch: out-of-bounds write in DHCP BOOTREPLY processing can lead to denial of service. ------------------------------------------------------------------ ------------------ 2026-4-20 - Apr 20 2026 ------------------- ------------------------------------------------------------------ ++++ cups: - Version upgrade to 2.4.17: See https://github.com/openprinting/cups/releases The new release 2.4.17 contains the following security fixes: * CVE-2026-27447: The scheduler treated local user and group names as case-insensitive (bsc#1261572) * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS directory (bsc#1261571) * CVE-2026-34980: The scheduler did not filter control characters from option values (bsc#1261569) * CVE-2026-34979: The scheduler did not always allocate enough memory for a job's options string (bsc#1261570) * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the loopback interface (bsc#1261568) * CVE-2026-39314: Fixed the range check for job password strings (bsc#1261743) * CVE-2026-39316: Fixed a printer subscription bug in the scheduler (bsc#1261742) * CVE-2026-41079: Fixed a SNMP string conversion bug in the backends (bsc#1263116) - The release includes other fixes as well, listed in CHANGES.md. Issues are those at https://github.com/OpenPrinting/cups/issues Detailed list (from CHANGES.md): * The scheduler followed symbolic links when cleaning out its temporary directory (Issue #1448) * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters. * Updated man page `cancel` (Issue #984) * Updated `cupsRasterReadHeader` to validate more of the page header values (Issue #1501) * Fixed an issue with the class/printer CGI name checking. * Fixed infinite loop in `http_write()` on busy print servers (Issue #827) * Fixed potential TLS blocking issues (Issue #1128) * Fixed a job history bug in the scheduler (Issue #1440) * Fixed notifier logging bug that would result in nul bytes getting into the log (Issue #1450) * Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454) * Fixed a document format bug in the IPP backend (Issue #1457) * Fixed DRAIN_OUTPUT race condition (Issue #1461) * Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions were mixed. * Fixed the mapping of supply type keywords to SNMP names. * Fixed a bug in the IPP backend when SNMP was disabled. * Fixed a crash bug in the rastertoepson filter. * Fixed a bug in cgiCheckVariables. * Fixed handling read/write errors with OpenSSL (Issue #1506) * Fixed handling rehandshake error in `_httpTLSRead` (Issue #1508) * Fixed a debug printf bug on Windows (Issue #1529) * Fixed a recursion issue with encoding of nested collections (Issue #1539) * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`, and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540) * Fixed a parsing bug in `ipptool` (Issue #1542) * Fixed blank line detection in the `rastertolabel` filter (Issue #1545) * Fixed `httpPeek` edge case on compressed streams Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17 ++++ dnsmasq: - Fix FTBFS with libnettle 4.0: (boo#1257934) * dnsmasq: missed hash->digest calls in 4070a74 (1eab169) * Add dnsmasq-Fix-FTBFS-nettle-4.0.patch and merge 4070a748.patch ++++ haproxy: - VUL-0: CVE-2026-33555: haproxy: Request smuggling via HTTP/3 parser desynchronization (bsc#1262103) Add upstream patch 0001-BUG-MAJOR-h3-check-body-size-with-content-length-on-.patch ++++ libzypp: - Check for trusted key updates when updating the general keyring (bsc#1259706) - Support multiple MirroredOrigin authorities (bsc#1253193) - Workaround doxygen bug: doxygen/doxygen#12057 - libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842) - version 17.38.6 (35) ++++ libzypp: - Check for trusted key updates when updating the general keyring (bsc#1259706) - Support multiple MirroredOrigin authorities (bsc#1253193) - Workaround doxygen bug: doxygen/doxygen#12057 - libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842) - version 17.38.6 (35) ++++ zypper: - Autorefresh ris-services the way as plugin-services (bsc#1246504) It's actually wrong to treat service refreshes different depending on the service type. For the purpose of a service it makes no difference how the data about the repos to use are acquired. - version 1.14.96 ------------------------------------------------------------------ ------------------ 2026-4-17 - Apr 17 2026 ------------------- ------------------------------------------------------------------ ++++ opensc: - Security fix: * CVE-2025-66037: crafted input can cause an out-of-bounds read (bsc#1261218) * CVE-2025-66038: improper compact-TLV length validation can lead to crash or unexpected behavior (bsc#1261219) * CVE-2025-49010: stack-buffer-overflow via crafted smart card or USB device responses (bsc#1261214) * CVE-2025-66215: crafted smart card or USB device can cause a stack-buffer-overflow write (bsc#1261220) * Added opensc-CVE-2025-49010.patch * Added opensc-CVE-2025-66037.patch * Added opensc-CVE-2025-66038.patch * Added opensc-CVE-2025-66215.patch ++++ salt: - Fix testsuite failures - Backport of the CVE-2026-31958 fix (bsc#1259554) - Add x86_64_v2 as a possible rpm package architecture - Make users with backslash working for salt-ssh (bsc#1254629) - Fix ansible.playbooks extra-vars quoting (bsc#1257831) - Fix virtualenv call in test helper to use proper python version - Added: * fix-test-failures-754.patch * backport-of-the-cve-2026-31958-fix-bsc-1259554.patch * add-x86_64_v2-as-a-possible-rpm-package-architecture.patch * make-users-with-backslash-working-for-salt-ssh-bsc-1.patch * fix-ansible.playbooks-extra-vars-quoting-bsc-1257831.patch * fix-virtualenv-call-in-test-helper-to-use-proper-pyt.patch ------------------------------------------------------------------ ------------------ 2026-4-16 - Apr 16 2026 ------------------- ------------------------------------------------------------------ ++++ ncurses: - Add patch fix-bsc1259924.patch (bsc#1259924, CVE-2025-69720) * Backport from ncurses-6.5-20251213.patch ++++ libpng16: - added patches CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957] * libpng16-CVE-2026-34757.patch ------------------------------------------------------------------ ------------------ 2026-4-15 - Apr 15 2026 ------------------- ------------------------------------------------------------------ ++++ mozilla-nss: - Added "Suggests: p11-kit-nss-trust" to favor over mozilla-nss-certs (Jira: PED-15633) ++++ python311-core: - Add CVE-2026-3446-base64-padding.patch preventing ignoring excess Base64 data after the first padded quad (bsc#1261970, CVE-2026-3446, gh#python/cpython#145264). ++++ python311: - Add CVE-2026-3446-base64-padding.patch preventing ignoring excess Base64 data after the first padded quad (bsc#1261970, CVE-2026-3446, gh#python/cpython#145264). ++++ sed: - Add CVE-2026-5958.patch * Fix CVE-2026-5958 (bsc#1262144): A TOCTOU race can allow to read attacker-controlled content and write it to an unintended file ------------------------------------------------------------------ ------------------ 2026-4-14 - Apr 14 2026 ------------------- ------------------------------------------------------------------ ++++ mozilla-nss: - update to NSS 3.112.4 * bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey. * bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey. * bmo#2029462 - store email on subject cache_entry in NSS trust domain. * bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation. * bmo#2029323 - Improve size calculations in CMS content buffering. * bmo#2028001 - avoid integer overflow while escaping RFC822 Names. * bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder. * bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile. * bmo#2027345 - Improve input validation in DSAU signature decoding. * bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS. * bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash. * bmo#2026156 - Add a maximum cert uncompressed len and tests. * bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes. * bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree. * bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag. * bmo#2019224 - Remove invalid PORT_Free(). * bmo#1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed. * bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie. ++++ timezone: - Update to 2026a: * Moldova has used EU transition times since 2022. * The "right" TZif files are no longer installed by default. * -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds. * TZif files are no longer limited to 50 bytes of abbreviations. * zic is no longer limited to 50 leap seconds. * Several integer overflow bugs have been fixed. - Changes from 2025c: * update Baja California DST rules in 1953, 1961-1975 * An unset TZ is no longer invalid when /etc/localtime is missing, and is abbreviated "UTC" not "-00". This reverts to 2024b behavior * tzset etc. are now more cautious about questionable TZ settings. * tzset etc. now treat ' ' like '_' in time zone abbreviations * tzfree now preserves errno, consistently with POSIX.1-2024 ‘free’. * zic has new options inspired by FreeBSD. ‘-D’ skips creation of output ancestor directories, ‘-m MODE’ sets output files’ mode, and ‘-u OWNER[:GROUP]’ sets output files’ owner and group. * multiple changes visible to developers - Use "REDO=posix_right" to keep installing "right" TZif files. ------------------------------------------------------------------ ------------------ 2026-4-13 - Apr 13 2026 ------------------- ------------------------------------------------------------------ ++++ openvswitch: - Fix CVE-2026-34956 [bsc#1261273] -- Invalid memory access in conntrack FTP alg * Add CVE-2026-34956.patch ------------------------------------------------------------------ ------------------ 2026-4-10 - Apr 10 2026 ------------------- ------------------------------------------------------------------ ++++ libcap: - CVE-2026-4878: Fixed a a potential TOCTOU race condition in cap_set_file() (bsc#1261809) 0001-Address-a-potential-TOCTOU-race-condition-in-cap_set.patch: ------------------------------------------------------------------ ------------------ 2026-4-9 - Apr 9 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit-podman: - Update dependencies to fix bsc#1257836/CVE-2026-25547 bsc#1258641/CVE-2026-26996 ++++ cockpit-tukit: - Update dependencies to fix bsc#1257836/CVE-2026-25547 bsc#1258641/CVE-2026-26996 ++++ gdk-pixbuf: - Add gdk-pixbuf-CVE-2026-5201.patch: jpeg: Reject unsupported number of components (bsc#1261210 CVE-2026-5201 glgo#GNOME/gdk-pixbuf#266). ------------------------------------------------------------------ ------------------ 2026-4-8 - Apr 8 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Update dependencies to fix bsc#1257836/CVE-2026-25547 bsc#1258641/CVE-2026-26996 ++++ openssl-3: - Security fix: * CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo (bsc#1261678) * Add openssl-CVE-2026-28390.patch ------------------------------------------------------------------ ------------------ 2026-4-7 - Apr 7 2026 ------------------- ------------------------------------------------------------------ ++++ sudo: - CVE-2026-35535: potential privilege escalation when running the mailer (bsc#1261420) * fix-CVE-2026-35535.patch ------------------------------------------------------------------ ------------------ 2026-4-2 - Apr 2 2026 ------------------- ------------------------------------------------------------------ ++++ avahi: - Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response containing a recursive CNAME record (bsc#1257235). ++++ avahi: - Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response containing a recursive CNAME record (bsc#1257235). ++++ python311-core: - Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has the same security model as open(). The documented limitations ensure compatibility with non-filesystem loaders; Python doesn't check that. (bsc#1259989, CVE-2026-3479, gh#python/cpython#146121). ++++ python311: - Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has the same security model as open(). The documented limitations ensure compatibility with non-filesystem loaders; Python doesn't check that. (bsc#1259989, CVE-2026-3479, gh#python/cpython#146121). ++++ vim: - Fix bsc#1261191 / CVE-2026-34714. - Fix bsc#1261271 / CVE-2026-34982. - Fix bsc#1259985 / CVE-2026-33412. - Update to 9.2.0280: * patch 9.2.0280: [security]: path traversal issue in zip.vim * patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list * patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file * patch 9.2.0277: tests: test_modeline.vim fails * patch 9.2.0276: [security]: modeline security bypass * patch 9.2.0275: tests: test_options.vim fails * patch 9.2.0274: BSU/ESU are output directly to the terminal * patch 9.2.0273: tabpanel: undefined behaviour with large tabpanelop columns * patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline * patch 9.2.0271: buffer underflow in vim_fgets() * patch 9.2.0270: test: trailing spaces used in tests * patch 9.2.0269: configure: Link error on Solaris * patch 9.2.0268: memory leak in call_oc_method() * patch 9.2.0267: 'autowrite' not triggered for :term * patch 9.2.0266: typeahead buffer overflow during mouse drag event * patch 9.2.0265: unnecessary restrictions for defining dictionary function names * patch 9.2.0264: Cannot disable kitty keyboard protocol in vim :terminal * patch 9.2.0263: hlset() cannot handle attributes with spaces * patch 9.2.0262: invalid lnum when pasting text copied blockwise * patch 9.2.0261: terminal: redraws are slow * patch 9.2.0260: statusline not redrawn after closing a popup window * patch 9.2.0259: tabpanel: corrupted display during scrolling causing flicker * patch 9.2.0258: memory leak in add_mark() * patch 9.2.0257: unnecessary memory allocation in set_callback() * patch 9.2.0256: visual selection size not shown in showcmd during test * patch 9.2.0255: tests: Test_popup_opacity_vsplit() fails in a wide terminal * patch 9.2.0254: w_locked can be bypassed when setting recursively * patch 9.2.0253: various issues with wrong b_nwindows after closing buffers * patch 9.2.0252: Crash when ending Visual mode after curbuf was unloaded * patch 9.2.0251: Link error when building without channel feature * patch 9.2.0250: system() does not support bypassing the shell * patch 9.2.0249: clipboard: provider reacts to autoselect feature * patch 9.2.0248: json_decode() is not strict enough * patch 9.2.0247: popup: popups may not wrap as expected * patch 9.2.0246: memory leak in globpath() * patch 9.2.0245: xxd: color output detection is broken * patch 9.2.0244: memory leak in eval8() * patch 9.2.0243: memory leak in change_indent() * patch 9.2.0242: memory leak in check_for_cryptkey() * patch 9.2.0241: tests: Test_visual_block_hl_with_autosel() is flaky * patch 9.2.0240: syn_name2id() is slow due to linear search * patch 9.2.0239: signcolumn may cause flicker * patch 9.2.0238: showmode message may not be displayed * patch 9.2.0237: filetype: ObjectScript routines are not recognized * patch 9.2.0236: stack-overflow with deeply nested data in json_encode/decode() * patch 9.2.0235: filetype: wks files are not recognized. * patch 9.2.0234: test: Test_close_handle() is flaky * patch 9.2.0233: Compiler warning in strings.c * patch 9.2.0232: fileinfo not shown after :bd of last listed buffer * patch 9.2.0231: Amiga: Link error for missing HAVE_LOCALE_H * patch 9.2.0230: popup: opacity not working accross vert splits * patch 9.2.0229: keypad keys may overwrite keycode for another key * patch 9.2.0228: still possible flicker * patch 9.2.0227: MS-Windows: CSI sequences may be written to screen * patch 9.2.0226: No 'incsearch' highlighting support for :uniq * patch 9.2.0225: runtime(compiler): No compiler plugin for just * patch 9.2.0224: channel: 2 issues with out/err callbacks * patch 9.2.0223: Option handling for key:value suboptions is limited * patch 9.2.0222: "zb" scrolls incorrectly with cursor on fold * patch 9.2.0221: Visual selection drawn incorrectly with "autoselect" * patch 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw * patch 9.2.0219: call stack can be corrupted * patch 9.2.0218: visual selection highlighting in X11 GUI is wrong. * patch 9.2.0217: filetype: cto files are not recognized * patch 9.2.0216: MS-Windows: Rendering artifacts with DirectX * patch 9.2.0215: MS-Windows: several tests fail in the Windows CUI. * patch 9.2.0214: tests: Test_gui_system_term_scroll() is flaky * patch 9.2.0213: Crash when using a partial or lambda as a clipboard provider * patch 9.2.0212: MS-Windows: version packing may overflow * patch 9.2.0211: possible crash when setting 'winhighlight' * patch 9.2.0210: tests: Test_xxd tests are failing * patch 9.2.0209: freeze during wildmenu completion * patch 9.2.0208: MS-Windows: excessive scroll-behaviour with go+=! * patch 9.2.0207: MS-Windows: freeze on second :hardcopy * patch 9.2.0206: MS-Window: stripping all CSI sequences * patch 9.2.0205: xxd: Cannot NUL terminate the C include file style * patch 9.2.0204: filetype: cps files are not recognized * patch 9.2.0203: Patch v9.2.0185 was wrong * patch 9.2.0202: [security]: command injection via newline in glob() * patch 9.2.0201: filetype: Wireguard config files not recognized * patch 9.2.0200: term: DECRQM codes are sent too early * patch 9.2.0199: tests: test_startup.vim fails * patch 9.2.0198: cscope: can escape from restricted mode * patch 9.2.0197: tabpanel: frame width not updated for existing tab pages * patch 9.2.0196: textprop: negative IDs and can cause a crash * patch 9.2.0195: CI: test-suite gets killed for taking too long * patch 9.2.0194: tests: test_startup.vim leaves temp.txt around * patch 9.2.0193: using copy_option_part() can be improved * patch 9.2.0192: not correctly recognizing raw key codes * patch 9.2.0191: Not possible to know if Vim was compiled with Android support * patch 9.2.0190: Status line height mismatch in vertical splits * patch 9.2.0189: MS-Windows: opacity popups flicker during redraw in the console * patch 9.2.0188: Can set environment variables in restricted mode * patch 9.2.0187: MS-Windows: rendering artifacts with DirectX renderer * patch 9.2.0186: heap buffer overflow with long generic function name * patch 9.2.0185: buffer overflow when redrawing custom tabline * patch 9.2.0184: MS-Windows: screen flicker with termguicolors and visualbell * patch 9.2.0183: channel: using deprecated networking APIs * patch 9.2.0182: autocmds may leave windows with w_locked set * patch 9.2.0181: line('w0') moves cursor in terminal-normal mode * patch 9.2.0180: possible crash with winminheight=0 * patch 9.2.0179: MS-Windows: Compiler warning for converting from size_t to int * patch 9.2.0178: DEC mode requests are sent even when not in raw mode * patch 9.2.0177: Vim9: Can set environment variables in restricted mode * patch 9.2.0176: external diff is allowed in restricted mode * patch 9.2.0175: No tests for what v9.2.0141 and v9.2.0156 fixes * patch 9.2.0174: diff: inline word-diffs can be fragmented * patch 9.2.0173: tests: Test_balloon_eval_term_visual is flaky * patch 9.2.0172: Missing semicolon in os_mac_conv.c * patch 9.2.0171: MS-Windows: version detection is deprecated * patch 9.2.0170: channel: some issues in ch_listen() * patch 9.2.0169: assertion failure in syn_id2attr() * patch 9.2.0168: invalid pointer casting in string_convert() arguments * patch 9.2.0167: terminal: setting buftype=terminal may cause a crash * patch 9.2.0166: Coverity warning for potential NULL dereference * patch 9.2.0165: tests: perleval fails in the sandbox * patch 9.2.0164: build error when XCLIPBOARD is not defined * patch 9.2.0163: MS-Windows: Compile warning for unused variable * patch 9.2.0162: tests: unnecessary CheckRunVimInTerminal in test_quickfix * patch 9.2.0161: intro message disappears on startup in some terminals * patch 9.2.0160: terminal DEC mode handling is overly complex * patch 9.2.0159: Crash when reading quickfix line * patch 9.2.0158: Visual highlighting might be incorrect * patch 9.2.0157: Vim9: concatenation can be improved * patch 9.2.0156: perleval() and rubyeval() ignore security settings * patch 9.2.0155: filetype: ObjectScript are not recognized * patch 9.2.0154: if_lua: runtime error with lua 5.5 * patch 9.2.0153: No support to act as a channel server * patch 9.2.0152: concatenating strings is slow * patch 9.2.0151: blob_from_string() is slow for long strings * patch 9.2.0150: synchronized terminal update may cause display artifacts * patch 9.2.0149: Vim9: segfault when unletting an imported variable * patch 9.2.0148: Compile error when FEAT_DIFF is not defined * patch 9.2.0147: blob: concatenation can be improved * patch 9.2.0146: dictionary lookups can be improved * patch 9.2.0145: UTF-8 decoding and length calculation can be improved * patch 9.2.0144: 'statuslineopt' is a global only option * patch 9.2.0143: termdebug: no support for thread and condition in :Break * patch 9.2.0142: Coverity: Dead code warning * patch 9.2.0141: :perl ex commands allowed in restricted mode * patch 9.2.0140: file reading performance can be improved * patch 9.2.0139: Cannot configure terminal resize event * patch 9.2.0138: winhighlight option handling can be improved * patch 9.2.0137: [security]: crash with composing char in collection range * patch 9.2.0136: memory leak in add_interface_from_super_class() * patch 9.2.0135: memory leak in eval_tuple() * patch 9.2.0134: memory leak in socket_server_send_reply() * patch 9.2.0133: memory leak in netbeans_file_activated() * patch 9.2.0132: tests: Test_recover_corrupted_swap_file1 fails on be systems * patch 9.2.0131: potential buffer overflow in regdump() * patch 9.2.0130: missing range flags for the :tab command * patch 9.2.0129: popup: wrong handling of wide-chars and opacity:0 * patch 9.2.0128: Wayland: using _Boolean instead of bool type * patch 9.2.0127: line('w0') and line('w$') return wrong values in a terminal * patch 9.2.0126: String handling can be improved * patch 9.2.0125: tests: test_textformat.vim leaves swapfiles behind * patch 9.2.0124: auto-format may swallow white space * patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data() * patch 9.2.0122: Vim still supports compiling on NeXTSTEP * patch 9.2.0120: tests: test_normal fails * patch 9.2.0119: incorrect highlight initialization in win_init() * patch 9.2.0118: memory leak in w_hl when reusing a popup window * patch 9.2.0117: tests: test_wayland.vim fails * patch 9.2.0116: terminal: synchronized output sequences are buffered * patch 9.2.0115: popup: screen flickering possible during async callbacks * patch 9.2.0114: MS-Windows: terminal output may go to wrong terminal * patch 9.2.0113: winhighlight pointer may be used uninitialized * patch 9.2.0112: popup: windows flicker when updating text * patch 9.2.0111: 'winhighlight' option not always applied ++++ vim: - Fix bsc#1261191 / CVE-2026-34714. - Fix bsc#1261271 / CVE-2026-34982. - Fix bsc#1259985 / CVE-2026-33412. - Update to 9.2.0280: * patch 9.2.0280: [security]: path traversal issue in zip.vim * patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list * patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file * patch 9.2.0277: tests: test_modeline.vim fails * patch 9.2.0276: [security]: modeline security bypass * patch 9.2.0275: tests: test_options.vim fails * patch 9.2.0274: BSU/ESU are output directly to the terminal * patch 9.2.0273: tabpanel: undefined behaviour with large tabpanelop columns * patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline * patch 9.2.0271: buffer underflow in vim_fgets() * patch 9.2.0270: test: trailing spaces used in tests * patch 9.2.0269: configure: Link error on Solaris * patch 9.2.0268: memory leak in call_oc_method() * patch 9.2.0267: 'autowrite' not triggered for :term * patch 9.2.0266: typeahead buffer overflow during mouse drag event * patch 9.2.0265: unnecessary restrictions for defining dictionary function names * patch 9.2.0264: Cannot disable kitty keyboard protocol in vim :terminal * patch 9.2.0263: hlset() cannot handle attributes with spaces * patch 9.2.0262: invalid lnum when pasting text copied blockwise * patch 9.2.0261: terminal: redraws are slow * patch 9.2.0260: statusline not redrawn after closing a popup window * patch 9.2.0259: tabpanel: corrupted display during scrolling causing flicker * patch 9.2.0258: memory leak in add_mark() * patch 9.2.0257: unnecessary memory allocation in set_callback() * patch 9.2.0256: visual selection size not shown in showcmd during test * patch 9.2.0255: tests: Test_popup_opacity_vsplit() fails in a wide terminal * patch 9.2.0254: w_locked can be bypassed when setting recursively * patch 9.2.0253: various issues with wrong b_nwindows after closing buffers * patch 9.2.0252: Crash when ending Visual mode after curbuf was unloaded * patch 9.2.0251: Link error when building without channel feature * patch 9.2.0250: system() does not support bypassing the shell * patch 9.2.0249: clipboard: provider reacts to autoselect feature * patch 9.2.0248: json_decode() is not strict enough * patch 9.2.0247: popup: popups may not wrap as expected * patch 9.2.0246: memory leak in globpath() * patch 9.2.0245: xxd: color output detection is broken * patch 9.2.0244: memory leak in eval8() * patch 9.2.0243: memory leak in change_indent() * patch 9.2.0242: memory leak in check_for_cryptkey() * patch 9.2.0241: tests: Test_visual_block_hl_with_autosel() is flaky * patch 9.2.0240: syn_name2id() is slow due to linear search * patch 9.2.0239: signcolumn may cause flicker * patch 9.2.0238: showmode message may not be displayed * patch 9.2.0237: filetype: ObjectScript routines are not recognized * patch 9.2.0236: stack-overflow with deeply nested data in json_encode/decode() * patch 9.2.0235: filetype: wks files are not recognized. * patch 9.2.0234: test: Test_close_handle() is flaky * patch 9.2.0233: Compiler warning in strings.c * patch 9.2.0232: fileinfo not shown after :bd of last listed buffer * patch 9.2.0231: Amiga: Link error for missing HAVE_LOCALE_H * patch 9.2.0230: popup: opacity not working accross vert splits * patch 9.2.0229: keypad keys may overwrite keycode for another key * patch 9.2.0228: still possible flicker * patch 9.2.0227: MS-Windows: CSI sequences may be written to screen * patch 9.2.0226: No 'incsearch' highlighting support for :uniq * patch 9.2.0225: runtime(compiler): No compiler plugin for just * patch 9.2.0224: channel: 2 issues with out/err callbacks * patch 9.2.0223: Option handling for key:value suboptions is limited * patch 9.2.0222: "zb" scrolls incorrectly with cursor on fold * patch 9.2.0221: Visual selection drawn incorrectly with "autoselect" * patch 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw * patch 9.2.0219: call stack can be corrupted * patch 9.2.0218: visual selection highlighting in X11 GUI is wrong. * patch 9.2.0217: filetype: cto files are not recognized * patch 9.2.0216: MS-Windows: Rendering artifacts with DirectX * patch 9.2.0215: MS-Windows: several tests fail in the Windows CUI. * patch 9.2.0214: tests: Test_gui_system_term_scroll() is flaky * patch 9.2.0213: Crash when using a partial or lambda as a clipboard provider * patch 9.2.0212: MS-Windows: version packing may overflow * patch 9.2.0211: possible crash when setting 'winhighlight' * patch 9.2.0210: tests: Test_xxd tests are failing * patch 9.2.0209: freeze during wildmenu completion * patch 9.2.0208: MS-Windows: excessive scroll-behaviour with go+=! * patch 9.2.0207: MS-Windows: freeze on second :hardcopy * patch 9.2.0206: MS-Window: stripping all CSI sequences * patch 9.2.0205: xxd: Cannot NUL terminate the C include file style * patch 9.2.0204: filetype: cps files are not recognized * patch 9.2.0203: Patch v9.2.0185 was wrong * patch 9.2.0202: [security]: command injection via newline in glob() * patch 9.2.0201: filetype: Wireguard config files not recognized * patch 9.2.0200: term: DECRQM codes are sent too early * patch 9.2.0199: tests: test_startup.vim fails * patch 9.2.0198: cscope: can escape from restricted mode * patch 9.2.0197: tabpanel: frame width not updated for existing tab pages * patch 9.2.0196: textprop: negative IDs and can cause a crash * patch 9.2.0195: CI: test-suite gets killed for taking too long * patch 9.2.0194: tests: test_startup.vim leaves temp.txt around * patch 9.2.0193: using copy_option_part() can be improved * patch 9.2.0192: not correctly recognizing raw key codes * patch 9.2.0191: Not possible to know if Vim was compiled with Android support * patch 9.2.0190: Status line height mismatch in vertical splits * patch 9.2.0189: MS-Windows: opacity popups flicker during redraw in the console * patch 9.2.0188: Can set environment variables in restricted mode * patch 9.2.0187: MS-Windows: rendering artifacts with DirectX renderer * patch 9.2.0186: heap buffer overflow with long generic function name * patch 9.2.0185: buffer overflow when redrawing custom tabline * patch 9.2.0184: MS-Windows: screen flicker with termguicolors and visualbell * patch 9.2.0183: channel: using deprecated networking APIs * patch 9.2.0182: autocmds may leave windows with w_locked set * patch 9.2.0181: line('w0') moves cursor in terminal-normal mode * patch 9.2.0180: possible crash with winminheight=0 * patch 9.2.0179: MS-Windows: Compiler warning for converting from size_t to int * patch 9.2.0178: DEC mode requests are sent even when not in raw mode * patch 9.2.0177: Vim9: Can set environment variables in restricted mode * patch 9.2.0176: external diff is allowed in restricted mode * patch 9.2.0175: No tests for what v9.2.0141 and v9.2.0156 fixes * patch 9.2.0174: diff: inline word-diffs can be fragmented * patch 9.2.0173: tests: Test_balloon_eval_term_visual is flaky * patch 9.2.0172: Missing semicolon in os_mac_conv.c * patch 9.2.0171: MS-Windows: version detection is deprecated * patch 9.2.0170: channel: some issues in ch_listen() * patch 9.2.0169: assertion failure in syn_id2attr() * patch 9.2.0168: invalid pointer casting in string_convert() arguments * patch 9.2.0167: terminal: setting buftype=terminal may cause a crash * patch 9.2.0166: Coverity warning for potential NULL dereference * patch 9.2.0165: tests: perleval fails in the sandbox * patch 9.2.0164: build error when XCLIPBOARD is not defined * patch 9.2.0163: MS-Windows: Compile warning for unused variable * patch 9.2.0162: tests: unnecessary CheckRunVimInTerminal in test_quickfix * patch 9.2.0161: intro message disappears on startup in some terminals * patch 9.2.0160: terminal DEC mode handling is overly complex * patch 9.2.0159: Crash when reading quickfix line * patch 9.2.0158: Visual highlighting might be incorrect * patch 9.2.0157: Vim9: concatenation can be improved * patch 9.2.0156: perleval() and rubyeval() ignore security settings * patch 9.2.0155: filetype: ObjectScript are not recognized * patch 9.2.0154: if_lua: runtime error with lua 5.5 * patch 9.2.0153: No support to act as a channel server * patch 9.2.0152: concatenating strings is slow * patch 9.2.0151: blob_from_string() is slow for long strings * patch 9.2.0150: synchronized terminal update may cause display artifacts * patch 9.2.0149: Vim9: segfault when unletting an imported variable * patch 9.2.0148: Compile error when FEAT_DIFF is not defined * patch 9.2.0147: blob: concatenation can be improved * patch 9.2.0146: dictionary lookups can be improved * patch 9.2.0145: UTF-8 decoding and length calculation can be improved * patch 9.2.0144: 'statuslineopt' is a global only option * patch 9.2.0143: termdebug: no support for thread and condition in :Break * patch 9.2.0142: Coverity: Dead code warning * patch 9.2.0141: :perl ex commands allowed in restricted mode * patch 9.2.0140: file reading performance can be improved * patch 9.2.0139: Cannot configure terminal resize event * patch 9.2.0138: winhighlight option handling can be improved * patch 9.2.0137: [security]: crash with composing char in collection range * patch 9.2.0136: memory leak in add_interface_from_super_class() * patch 9.2.0135: memory leak in eval_tuple() * patch 9.2.0134: memory leak in socket_server_send_reply() * patch 9.2.0133: memory leak in netbeans_file_activated() * patch 9.2.0132: tests: Test_recover_corrupted_swap_file1 fails on be systems * patch 9.2.0131: potential buffer overflow in regdump() * patch 9.2.0130: missing range flags for the :tab command * patch 9.2.0129: popup: wrong handling of wide-chars and opacity:0 * patch 9.2.0128: Wayland: using _Boolean instead of bool type * patch 9.2.0127: line('w0') and line('w$') return wrong values in a terminal * patch 9.2.0126: String handling can be improved * patch 9.2.0125: tests: test_textformat.vim leaves swapfiles behind * patch 9.2.0124: auto-format may swallow white space * patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data() * patch 9.2.0122: Vim still supports compiling on NeXTSTEP * patch 9.2.0120: tests: test_normal fails * patch 9.2.0119: incorrect highlight initialization in win_init() * patch 9.2.0118: memory leak in w_hl when reusing a popup window * patch 9.2.0117: tests: test_wayland.vim fails * patch 9.2.0116: terminal: synchronized output sequences are buffered * patch 9.2.0115: popup: screen flickering possible during async callbacks * patch 9.2.0114: MS-Windows: terminal output may go to wrong terminal * patch 9.2.0113: winhighlight pointer may be used uninitialized * patch 9.2.0112: popup: windows flicker when updating text * patch 9.2.0111: 'winhighlight' option not always applied ++++ vim: - Fix bsc#1261191 / CVE-2026-34714. - Fix bsc#1261271 / CVE-2026-34982. - Fix bsc#1259985 / CVE-2026-33412. - Update to 9.2.0280: * patch 9.2.0280: [security]: path traversal issue in zip.vim * patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list * patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file * patch 9.2.0277: tests: test_modeline.vim fails * patch 9.2.0276: [security]: modeline security bypass * patch 9.2.0275: tests: test_options.vim fails * patch 9.2.0274: BSU/ESU are output directly to the terminal * patch 9.2.0273: tabpanel: undefined behaviour with large tabpanelop columns * patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline * patch 9.2.0271: buffer underflow in vim_fgets() * patch 9.2.0270: test: trailing spaces used in tests * patch 9.2.0269: configure: Link error on Solaris * patch 9.2.0268: memory leak in call_oc_method() * patch 9.2.0267: 'autowrite' not triggered for :term * patch 9.2.0266: typeahead buffer overflow during mouse drag event * patch 9.2.0265: unnecessary restrictions for defining dictionary function names * patch 9.2.0264: Cannot disable kitty keyboard protocol in vim :terminal * patch 9.2.0263: hlset() cannot handle attributes with spaces * patch 9.2.0262: invalid lnum when pasting text copied blockwise * patch 9.2.0261: terminal: redraws are slow * patch 9.2.0260: statusline not redrawn after closing a popup window * patch 9.2.0259: tabpanel: corrupted display during scrolling causing flicker * patch 9.2.0258: memory leak in add_mark() * patch 9.2.0257: unnecessary memory allocation in set_callback() * patch 9.2.0256: visual selection size not shown in showcmd during test * patch 9.2.0255: tests: Test_popup_opacity_vsplit() fails in a wide terminal * patch 9.2.0254: w_locked can be bypassed when setting recursively * patch 9.2.0253: various issues with wrong b_nwindows after closing buffers * patch 9.2.0252: Crash when ending Visual mode after curbuf was unloaded * patch 9.2.0251: Link error when building without channel feature * patch 9.2.0250: system() does not support bypassing the shell * patch 9.2.0249: clipboard: provider reacts to autoselect feature * patch 9.2.0248: json_decode() is not strict enough * patch 9.2.0247: popup: popups may not wrap as expected * patch 9.2.0246: memory leak in globpath() * patch 9.2.0245: xxd: color output detection is broken * patch 9.2.0244: memory leak in eval8() * patch 9.2.0243: memory leak in change_indent() * patch 9.2.0242: memory leak in check_for_cryptkey() * patch 9.2.0241: tests: Test_visual_block_hl_with_autosel() is flaky * patch 9.2.0240: syn_name2id() is slow due to linear search * patch 9.2.0239: signcolumn may cause flicker * patch 9.2.0238: showmode message may not be displayed * patch 9.2.0237: filetype: ObjectScript routines are not recognized * patch 9.2.0236: stack-overflow with deeply nested data in json_encode/decode() * patch 9.2.0235: filetype: wks files are not recognized. * patch 9.2.0234: test: Test_close_handle() is flaky * patch 9.2.0233: Compiler warning in strings.c * patch 9.2.0232: fileinfo not shown after :bd of last listed buffer * patch 9.2.0231: Amiga: Link error for missing HAVE_LOCALE_H * patch 9.2.0230: popup: opacity not working accross vert splits * patch 9.2.0229: keypad keys may overwrite keycode for another key * patch 9.2.0228: still possible flicker * patch 9.2.0227: MS-Windows: CSI sequences may be written to screen * patch 9.2.0226: No 'incsearch' highlighting support for :uniq * patch 9.2.0225: runtime(compiler): No compiler plugin for just * patch 9.2.0224: channel: 2 issues with out/err callbacks * patch 9.2.0223: Option handling for key:value suboptions is limited * patch 9.2.0222: "zb" scrolls incorrectly with cursor on fold * patch 9.2.0221: Visual selection drawn incorrectly with "autoselect" * patch 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw * patch 9.2.0219: call stack can be corrupted * patch 9.2.0218: visual selection highlighting in X11 GUI is wrong. * patch 9.2.0217: filetype: cto files are not recognized * patch 9.2.0216: MS-Windows: Rendering artifacts with DirectX * patch 9.2.0215: MS-Windows: several tests fail in the Windows CUI. * patch 9.2.0214: tests: Test_gui_system_term_scroll() is flaky * patch 9.2.0213: Crash when using a partial or lambda as a clipboard provider * patch 9.2.0212: MS-Windows: version packing may overflow * patch 9.2.0211: possible crash when setting 'winhighlight' * patch 9.2.0210: tests: Test_xxd tests are failing * patch 9.2.0209: freeze during wildmenu completion * patch 9.2.0208: MS-Windows: excessive scroll-behaviour with go+=! * patch 9.2.0207: MS-Windows: freeze on second :hardcopy * patch 9.2.0206: MS-Window: stripping all CSI sequences * patch 9.2.0205: xxd: Cannot NUL terminate the C include file style * patch 9.2.0204: filetype: cps files are not recognized * patch 9.2.0203: Patch v9.2.0185 was wrong * patch 9.2.0202: [security]: command injection via newline in glob() * patch 9.2.0201: filetype: Wireguard config files not recognized * patch 9.2.0200: term: DECRQM codes are sent too early * patch 9.2.0199: tests: test_startup.vim fails * patch 9.2.0198: cscope: can escape from restricted mode * patch 9.2.0197: tabpanel: frame width not updated for existing tab pages * patch 9.2.0196: textprop: negative IDs and can cause a crash * patch 9.2.0195: CI: test-suite gets killed for taking too long * patch 9.2.0194: tests: test_startup.vim leaves temp.txt around * patch 9.2.0193: using copy_option_part() can be improved * patch 9.2.0192: not correctly recognizing raw key codes * patch 9.2.0191: Not possible to know if Vim was compiled with Android support * patch 9.2.0190: Status line height mismatch in vertical splits * patch 9.2.0189: MS-Windows: opacity popups flicker during redraw in the console * patch 9.2.0188: Can set environment variables in restricted mode * patch 9.2.0187: MS-Windows: rendering artifacts with DirectX renderer * patch 9.2.0186: heap buffer overflow with long generic function name * patch 9.2.0185: buffer overflow when redrawing custom tabline * patch 9.2.0184: MS-Windows: screen flicker with termguicolors and visualbell * patch 9.2.0183: channel: using deprecated networking APIs * patch 9.2.0182: autocmds may leave windows with w_locked set * patch 9.2.0181: line('w0') moves cursor in terminal-normal mode * patch 9.2.0180: possible crash with winminheight=0 * patch 9.2.0179: MS-Windows: Compiler warning for converting from size_t to int * patch 9.2.0178: DEC mode requests are sent even when not in raw mode * patch 9.2.0177: Vim9: Can set environment variables in restricted mode * patch 9.2.0176: external diff is allowed in restricted mode * patch 9.2.0175: No tests for what v9.2.0141 and v9.2.0156 fixes * patch 9.2.0174: diff: inline word-diffs can be fragmented * patch 9.2.0173: tests: Test_balloon_eval_term_visual is flaky * patch 9.2.0172: Missing semicolon in os_mac_conv.c * patch 9.2.0171: MS-Windows: version detection is deprecated * patch 9.2.0170: channel: some issues in ch_listen() * patch 9.2.0169: assertion failure in syn_id2attr() * patch 9.2.0168: invalid pointer casting in string_convert() arguments * patch 9.2.0167: terminal: setting buftype=terminal may cause a crash * patch 9.2.0166: Coverity warning for potential NULL dereference * patch 9.2.0165: tests: perleval fails in the sandbox * patch 9.2.0164: build error when XCLIPBOARD is not defined * patch 9.2.0163: MS-Windows: Compile warning for unused variable * patch 9.2.0162: tests: unnecessary CheckRunVimInTerminal in test_quickfix * patch 9.2.0161: intro message disappears on startup in some terminals * patch 9.2.0160: terminal DEC mode handling is overly complex * patch 9.2.0159: Crash when reading quickfix line * patch 9.2.0158: Visual highlighting might be incorrect * patch 9.2.0157: Vim9: concatenation can be improved * patch 9.2.0156: perleval() and rubyeval() ignore security settings * patch 9.2.0155: filetype: ObjectScript are not recognized * patch 9.2.0154: if_lua: runtime error with lua 5.5 * patch 9.2.0153: No support to act as a channel server * patch 9.2.0152: concatenating strings is slow * patch 9.2.0151: blob_from_string() is slow for long strings * patch 9.2.0150: synchronized terminal update may cause display artifacts * patch 9.2.0149: Vim9: segfault when unletting an imported variable * patch 9.2.0148: Compile error when FEAT_DIFF is not defined * patch 9.2.0147: blob: concatenation can be improved * patch 9.2.0146: dictionary lookups can be improved * patch 9.2.0145: UTF-8 decoding and length calculation can be improved * patch 9.2.0144: 'statuslineopt' is a global only option * patch 9.2.0143: termdebug: no support for thread and condition in :Break * patch 9.2.0142: Coverity: Dead code warning * patch 9.2.0141: :perl ex commands allowed in restricted mode * patch 9.2.0140: file reading performance can be improved * patch 9.2.0139: Cannot configure terminal resize event * patch 9.2.0138: winhighlight option handling can be improved * patch 9.2.0137: [security]: crash with composing char in collection range * patch 9.2.0136: memory leak in add_interface_from_super_class() * patch 9.2.0135: memory leak in eval_tuple() * patch 9.2.0134: memory leak in socket_server_send_reply() * patch 9.2.0133: memory leak in netbeans_file_activated() * patch 9.2.0132: tests: Test_recover_corrupted_swap_file1 fails on be systems * patch 9.2.0131: potential buffer overflow in regdump() * patch 9.2.0130: missing range flags for the :tab command * patch 9.2.0129: popup: wrong handling of wide-chars and opacity:0 * patch 9.2.0128: Wayland: using _Boolean instead of bool type * patch 9.2.0127: line('w0') and line('w$') return wrong values in a terminal * patch 9.2.0126: String handling can be improved * patch 9.2.0125: tests: test_textformat.vim leaves swapfiles behind * patch 9.2.0124: auto-format may swallow white space * patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data() * patch 9.2.0122: Vim still supports compiling on NeXTSTEP * patch 9.2.0120: tests: test_normal fails * patch 9.2.0119: incorrect highlight initialization in win_init() * patch 9.2.0118: memory leak in w_hl when reusing a popup window * patch 9.2.0117: tests: test_wayland.vim fails * patch 9.2.0116: terminal: synchronized output sequences are buffered * patch 9.2.0115: popup: screen flickering possible during async callbacks * patch 9.2.0114: MS-Windows: terminal output may go to wrong terminal * patch 9.2.0113: winhighlight pointer may be used uninitialized * patch 9.2.0112: popup: windows flicker when updating text * patch 9.2.0111: 'winhighlight' option not always applied ------------------------------------------------------------------ ------------------ 2026-4-1 - Apr 1 2026 ------------------- ------------------------------------------------------------------ ++++ python-cryptography: - CVE-2026-34073: X.509 bypass of name constraints on wildcard SANs with matching peer names (bsc#1260876) Add patch CVE-2026-34073.patch ++++ suseconnect-ng: - Update version to 1.21.1: - Fix nil token handling (bsc#1261155) - Switch to using go1.24-openssl as the default Go version to install to support building the package (jsc#SCC-585). ------------------------------------------------------------------ ------------------ 2026-3-31 - Mar 31 2026 ------------------- ------------------------------------------------------------------ ++++ ignition: - Add CVE-2026-33186.patch * Fixes [bsc#1260251] ++++ ignition: - Add CVE-2026-33186.patch * Fixes [bsc#1260251] ++++ libpng16: - added patches CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code execution (bsc#1260754) * libpng16-CVE-2026-33416-1.patch * libpng16-CVE-2026-33416-2.patch * libpng16-CVE-2026-33416-3.patch * libpng16-CVE-2026-33416-4.patch CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and crashes (bsc#1260755) * libpng16-CVE-2026-33636.patch ++++ libpng16: - added patches CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code execution (bsc#1260754) * libpng16-CVE-2026-33416-1.patch * libpng16-CVE-2026-33416-2.patch * libpng16-CVE-2026-33416-3.patch * libpng16-CVE-2026-33416-4.patch CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and crashes (bsc#1260755) * libpng16-CVE-2026-33636.patch ------------------------------------------------------------------ ------------------ 2026-3-30 - Mar 30 2026 ------------------- ------------------------------------------------------------------ ++++ glibc: - resolv-count-resource-records.patch: resolv: Count records correctly (CVE-2026-4437, bsc#1260078, BZ #34014) - resolv-check-hostname.patch: resolv: Check hostname for validity (CVE-2026-4438, bsc#1260082, BZ #34015) ++++ glibc: - resolv-count-resource-records.patch: resolv: Count records correctly (CVE-2026-4437, bsc#1260078, BZ #34014) - resolv-check-hostname.patch: resolv: Check hostname for validity (CVE-2026-4438, bsc#1260082, BZ #34015) ++++ libtpms: - CVE-2025-49133: Fixed potential out of bounds (OOB) read vulnerability (bsc#1244528) 0001-tpm2-Fix-potential-out-of-bound-access-abort-due-to-.patch ++++ python-requests: - CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation (bsc#1260589) Add patch CVE-2026-25645.patch ------------------------------------------------------------------ ------------------ 2026-3-27 - Mar 27 2026 ------------------- ------------------------------------------------------------------ ++++ dpdk: - Update to version 22.11.11 - upstream bugfix release https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id29 - Summary: * app/testpmd: fix conntrack action query, fix DCB Rx queues, fix DCB Tx port, fix flex item link parsing * common/cnxk: fix async event handling * common/mlx5: release unused mempool entries * crypto/ipsec_mb: fix QP release in secondary * dmadev: fix debug build with tracepoints * dma/hisilicon: fix stop with pending transfers * doc: improve documentation for conntrack state inspect command, device argument in txgbe and ionic * eal: fix DMA mask validation with IOVA mode option * efd: fix AVX2 support * event/cnxk: fix Rx offload flags * eventdev: fix listing timer adapters with telemetry * fib6: fix tbl8 allocation check logic * graph: fix unaligned access in stats * hash: fix unaligned access in predictable RSS * net/af_packet: fix crash in secondary process * net/ark: remove double mbuf free * net/bonding: fix MAC address propagation in 802.3ad mode * net/dpaa2: fix duplicate call of close * net/dpaa2: fix L3/L4 checksum results * net/dpaa2: receive packets with additional parse errors * net/dpaa: fix resource leak * net/ena/base: fix unsafe memcpy on invalid memory * net/ena: fix PCI BAR mapping on 64K page size * net/enetfec: fix checksum flag handling and error return * net/enetfec: fix file descriptor leak on read error * net/enetfec: fix memory leak in Rx buffer cleanup * net/enetfec: fix out-of-bounds access in UIO mapping * net/enetfec: fix Tx queue free * net: fix L2 length for GRE packets * net/hns3: fix VLAN resources freeing * net/hns3: fix VLAN tag loss for short tunnel frame * net/i40e: fix symmetric Toeplitz hashing for SCTP * net/ice/base: fix integer overflow on NVM init * net/ice/base: fix memory leak in HW profile handling * net/ice/base: fix memory leak in recipe handling * net/ice: fix initialization with 8 ports * net/ice: fix memory leak in raw pattern parse * net/ice: fix path selection for QinQ Tx offload * net/ice: fix vector Rx VLAN offload flags * net/mlx5: fix connection tracking state item validation * net/mlx5: fix control flow leakage for external SQ * net/mlx5: fix ESP header match after UDP for group 0 * net/mlx5: fix flow aging race condition * net/mlx5: fix min and max MTU reporting * net/mlx5/hws: fix buddy memory allocation * net/ngbe: reduce memory size of ring descriptors * net/tap: fix interrupt callback crash after failed start * net/txgbe: various FDIR fixes * net/vmxnet3: fix mapping of mempools to queues * test/crypto: fix vector initialization * test/debug: fix crash with mlx5 devices * test/debug: fix IOVA mode on PPC64 without huge pages * vfio: fix custom containers in multiprocess * vhost: fix double fetch when dequeue offloading - Add libarchive as dependency, avoid errors like '/lib/firmware/... cannot be decompressed' (bsc#1260007) ++++ polkit: - avoid reading endless amounts of memory (CVE-2026-4897 bsc#1260859) 0001-CVE-2026-4897-getline-string-overflow.patch ++++ python311-core: - Add CVE-2026-4519-webbrowser-open-dashes.patch to reject leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, gh#python/cpython#143930). ++++ python311: - Add CVE-2026-4519-webbrowser-open-dashes.patch to reject leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, gh#python/cpython#143930). ------------------------------------------------------------------ ------------------ 2026-3-26 - Mar 26 2026 ------------------- ------------------------------------------------------------------ ++++ expat: - security update: * CVE-2026-32776: expat: libexpat: NULL pointer dereference when processing empty external parameter entities inside an entity declaration value (bsc#1259726) - Added patch expat-CVE-2026-32776.patch * CVE-2026-32777: expat: libexpat: denial of service due to infinite loop in DTD content parsing (bsc#1259711) - Added patch expat-CVE-2026-32777.patch * CVE-2026-32778: expat: libexpat: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729) - Added patch expat-CVE-2026-32778.patch ++++ openssl-3: - Security fixes: * CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441) * CVE-2026-28388: NULL Pointer Dereference When Processing a Delta (bsc#1260442) * CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443) * CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444) * CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445) * CVE-2026-31791: NULL pointer dereference when processing an OCSP response (bsc#1260446) * Add patches: openssl-CVE-2026-28387.patch openssl-CVE-2026-28388.patch openssl-CVE-2026-28388-tests.patch openssl-CVE-2026-28389.patch openssl-CVE-2026-31789.patch openssl-CVE-2026-31790.patch openssl-CVE-2026-31790-tests.patch openssl-CVE-2026-31791.patch ++++ openssl-3: - Security fixes: * CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441) * CVE-2026-28388: NULL Pointer Dereference When Processing a Delta (bsc#1260442) * CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443) * CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444) * CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445) * NULL pointer dereference when processing an OCSP response (bsc#1260446) * Add patches: openssl-CVE-2026-28387.patch openssl-CVE-2026-28388.patch openssl-CVE-2026-28388-tests.patch openssl-CVE-2026-28389.patch openssl-CVE-2026-31789.patch openssl-CVE-2026-31790.patch openssl-CVE-2026-31790-tests.patch openssl-NULL-pointer-dereference-in-ocsp_find_signer_sk.patch ------------------------------------------------------------------ ------------------ 2026-3-25 - Mar 25 2026 ------------------- ------------------------------------------------------------------ ++++ dnsmasq: - boo#1257934, 4070a748.patch: Fix build with nettle 4.0. ++++ python311-core: - Add CVE-2025-13462-tarinfo-header-parse.patch which skips TarInfo DIRTYPE normalization during GNU long name handling (bsc#1259611, CVE-2025-13462). ++++ python311: - Add CVE-2025-13462-tarinfo-header-parse.patch which skips TarInfo DIRTYPE normalization during GNU long name handling (bsc#1259611, CVE-2025-13462). ------------------------------------------------------------------ ------------------ 2026-3-23 - Mar 23 2026 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Recognize fuse "portal" as a virtual file system (boo#1234736, util-linux-libmount-fuse-portal.patch). - fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (boo#1222465, util-linux-libfdisk-ebr-missing-gap-1.patch, util-linux-tests-fdisk-ebr-missing-gap-1.patch, util-linux-tests-fdisk-ebr-missing-gap-2.patch, util-linux-libfdisk-ebr-missing-gap-2.patch, util-linux-tests-fdisk-ebr-missing-gap-3.patch). ++++ python311-core: - Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding unbound C recursion in conv_content_model in pyexpat.c (bsc#1259735, CVE-2026-4224). - Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644). ++++ python311: - Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding unbound C recursion in conv_content_model in pyexpat.c (bsc#1259735, CVE-2026-4224). - Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644). ++++ python-pyOpenSSL: - CVE-2026-27459: large cookie value can lead to a buffer overflow (bsc#1259808) Add patch CVE-2026-27459.patch - CVE-2026-27448: unhandled exception can result in connection not being cancelled (bsc#1259804) Add patch CVE-2026-27448.patch ++++ python-pyOpenSSL: - CVE-2026-27459: large cookie value can lead to a buffer overflow (bsc#1259808) Add patch CVE-2026-27459.patch - CVE-2026-27448: unhandled exception can result in connection not being cancelled (bsc#1259804) Add patch CVE-2026-27448.patch ++++ tar: - Fix bsc#1246399 / CVE-2025-45582. - Add patch: * CVE-2025-45582.patch ++++ util-linux-systemd: - Recognize fuse "portal" as a virtual file system (boo#1234736, util-linux-libmount-fuse-portal.patch). - fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (boo#1222465, util-linux-libfdisk-ebr-missing-gap-1.patch, util-linux-tests-fdisk-ebr-missing-gap-1.patch, util-linux-tests-fdisk-ebr-missing-gap-2.patch, util-linux-libfdisk-ebr-missing-gap-2.patch, util-linux-tests-fdisk-ebr-missing-gap-3.patch). ------------------------------------------------------------------ ------------------ 2026-3-20 - Mar 20 2026 ------------------- ------------------------------------------------------------------ ++++ cloud-regionsrv-client: - Update to version 11.0.2 (bsc#1260421) + Add iputils as a dependency to make automatic NVIDIA repo enablement work - Update to version 11.0.1 + Fix attempt to read a deleted file resulting in an error. Refresh the file list for repos and services for each pass over the server domains we are looking to clean up the registration. + Update user visible messages only showing messages for the application configuration file. ++++ cockpit: - Update dependencies to fix bsc#1258641/CVE-2026-26996 ++++ cockpit: - Update dependencies to fix bsc#1258641/CVE-2026-26996 ++++ docker-compose: - Add patch for CVE-2025-62725 (bsc#1252752) 0002-CVE-2025-62725-fix-Enforce-compose-files-from-OCI-ar.patch ++++ nghttp2: - added patches CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845) * nghttp2-CVE-2026-27135.patch ++++ rust-keylime: - Suggests only the IMA policy package, and keep it as example (bsc#1259963) - Add Cargo_toml.patch to re-generate TSS bindings - Update to version 0.2.9+8: * build(deps): bump thiserror from 2.0.17 to 2.0.18 * build(deps): bump docker/login-action from 3 to 4 * build(deps): bump docker/metadata-action from 5 to 6 * Remove generate-bindings feature from tss-esapi * Use port constants instead of hardcoded values in tests * push-attestation: Use registrar TLS port when TLS is enabled * build(deps): bump docker/build-push-action from 6 to 7 * build(deps): bump actions/upload-artifact from 6 to 7 * dist: Make the services to conflict with each other * Bump version to 0.2.9 * build(deps): bump mockoon/cli-action from 2 to 3 * cargo: Bump tracing_subscriber to version 0.3.20 * cargo: Bump time to version 0.3.47 * build(deps): bump http from 1.3.1 to 1.4.0 * Update reqwest from 0.12 to 0.13 * build(deps): bump serde from 1.0.219 to 1.0.228 * auth: Load CA certificate in authentication client * packit: Add missing e2e tests * registrar: Rename insecure option to disable_tls * push-attestation: Drop self-signed mTLS certificate generation * config: Add missing config options to keylime-agent.conf * config: Add support for "default" in registrar_api_versions option * config: Add support for "default" in registrar_tls_ca_cert option * config: Drop unused config options and constants * push-attestation: Drop support for mTLS to registrar * push-attestation: Drop mTLS support and require PoP authentication * build(deps): bump clap from 4.5.45 to 4.5.54 * build(deps): bump actix-web from 4.11.0 to 4.12.1 * auth: Reuse existing ContextInfo to avoid duplicate TPM objects * resilient_client: Reauthenticate if a 403 error is received ------------------------------------------------------------------ ------------------ 2026-3-19 - Mar 19 2026 ------------------- ------------------------------------------------------------------ ++++ crypto-policies: - Add PQC support for OpenSSH (bsc#1258311, bsc#1259825) * Enable and prioritize sntrup761x25519-sha512 for OpenSSH by default * Add crypto-policies-OpenSSH-PQC.patch ++++ systemd: - Import commit a943e3ce2f655b8509038e31f03f5ded18f24683 a943e3ce2f machined: reject invalid class types when registering machines (bsc#1259650 CVE-2026-4105) 71593f77db udev: fix review mixup 73a89810b4 udev-builtin-net-id: print cescaped bad attributes 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX 40905232e2 udev: ensure tag parsing stays within bounds 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf d018ac1ea3 udev: check for invalid chars in various fields received from the kernel (bsc#1259697) ++++ python-PyJWT: - Add CVE-2026-32597_crit-header.patch to validate the crit (Critical) Header Parameter defined in RFC 7515 (bsc#1259616, CVE-2026-32597). ------------------------------------------------------------------ ------------------ 2026-3-18 - Mar 18 2026 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Fix changelog ++++ python311-core: - Fix changelog ++++ libzypp: - Fix preloader not caching packages from arch specific subrepos (bsc#1253740) - Deprioritize invalid mirrors (fixes openSUSE/zypper#636) - version 17.38.5 (35) ++++ libzypp: - Fix preloader not caching packages from arch specific subrepos (bsc#1253740) - Deprioritize invalid mirrors (fixes openSUSE/zypper#636) - version 17.38.5 (35) ++++ libzypp: - Fix preloader not caching packages from arch specific subrepos (bsc#1253740) - Deprioritize invalid mirrors (fixes openSUSE/zypper#636) - version 17.38.5 (35) ++++ python311: - Fix changelog ++++ python311: - Fix changelog ------------------------------------------------------------------ ------------------ 2026-3-17 - Mar 17 2026 ------------------- ------------------------------------------------------------------ ++++ pcr-oracle: - Add fix-bsc1258119-fix-stop-event-crash.patch to fix the potential crash when processing the stop event (bsc#1258119) ++++ python-tornado6: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service (bsc#1259553) * added CVE-2026-31958.patch - VUL-0: incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes (bsc#1259630) * added VUL-0-cookie-attribute-validation.patch ------------------------------------------------------------------ ------------------ 2026-3-13 - Mar 13 2026 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when opening `.pyc` files (bsc#1259240, CVE-2026-2297). ++++ python311-core: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when opening `.pyc` files (bsc#1259240, CVE-2026-2297). ++++ sqlite3: - Update to version 3.51.3: * Fix the WAL-reset database corruption bug: https://sqlite.org/wal.html#walresetbug * Other minor bug fixes. ++++ python311: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when opening `.pyc` files (bsc#1259240, CVE-2026-2297). ++++ python311: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when opening `.pyc` files (bsc#1259240, CVE-2026-2297). ------------------------------------------------------------------ ------------------ 2026-3-12 - Mar 12 2026 ------------------- ------------------------------------------------------------------ ++++ libsolv: - respect the "default" attribute in environment optionlist in the comps parser - support suse namespace deps in boolean dependencies [bsc#1258193] - support for the Elbrus2000 (e2k) architecture - support language() suse namespace rewriting - bump version to 0.7.36 ++++ libsolv: - respect the "default" attribute in environment optionlist in the comps parser - support suse namespace deps in boolean dependencies [bsc#1258193] - support for the Elbrus2000 (e2k) architecture - support language() suse namespace rewriting - bump version to 0.7.36 ++++ libsolv: - respect the "default" attribute in environment optionlist in the comps parser - support suse namespace deps in boolean dependencies [bsc#1258193] - support for the Elbrus2000 (e2k) architecture - support language() suse namespace rewriting - bump version to 0.7.36 ++++ suseconnect-ng: - Update version to 1.21: - Add expanded metric collection for kernel modules and hardware detection (jsc#TEL-226). - Support new profile based metric collection - Fix ignored --root parameter hanbling when reading and writing configuration (bsc#1257667) - Add expanded metric collection for system vendor/manfacturer (jsc#TEL-260). - Removed backport patch: fix-libsuseconnect-and-pci.patch - Add missing product id to allow yast2-registration to not break (bsc#1257825) - Fix libsuseconnect APIError detection logic (bsc#1257825) ------------------------------------------------------------------ ------------------ 2026-3-11 - Mar 11 2026 ------------------- ------------------------------------------------------------------ ++++ NetworkManager: - Add NetworkManager-CVE-2025-9615.patch: avoid that non-admin user using other users' certificates (bsc#1257359, CVE-2025-9615, glfd#NetworkManager/NetworkManager!2324). ++++ vim: * Update Vim to version 9.2.0110 (from 9.2.0045). * Specifically, this fixes bsc#1259051 / CVE-2026-28417. ++++ vim: * Update Vim to version 9.2.0110 (from 9.2.0045). * Specifically, this fixes bsc#1259051 / CVE-2026-28417. ++++ vim: * Update Vim to version 9.2.0110 (from 9.2.0045). * Specifically, this fixes bsc#1259051 / CVE-2026-28417. ++++ vim: * Update Vim to version 9.2.0110 (from 9.2.0045). * Specifically, this fixes bsc#1259051 / CVE-2026-28417. ------------------------------------------------------------------ ------------------ 2026-3-10 - Mar 10 2026 ------------------- ------------------------------------------------------------------ ++++ cloud-regionsrv-client: - Update to version 11.0.0 (bsc#1254960, bsc#1254982, bsc#1253777) + Major version bump for main package and plugin sub-packages due to interpreter change in SLE 15 SP4+ from Python 3.6 to Python 3.11 + Create cache directory in code and drop from package (jsc#PED-14732) + Fix race condition between license watcher timer and registration (bsc#1254984) + Fix cleanup issue in hosts (bsc#1254702) + Fix cache clean up + Fix exit condition from container registry setup + Lock the registration process to ensure single execution (bsc#1254984) + Fix traceback on FP and cert mismatch + Switch remaining code to updated logging implementation + Increase loggin information in log to help with issue debugging + Fix exit code on partial registration success + Remove obsolete switchcloudguestservices ++++ cockpit-machines: - add drop-virtinterfaced-usage.patch (bsc#1228187) ++++ cockpit-machines: - add drop-virtinterfaced-usage.patch (bsc#1228187) ++++ libzypp: - Fix Product::referencePackage lookup (bsc#1259311) Use a provided autoproduct() as hint to the package name of the release package. It might be that not just multiple versions of the same release package provide the same product version, but also different release packages. - version 17.38.4 (35) ++++ libzypp: - Fix Product::referencePackage lookup (bsc#1259311) Use a provided autoproduct() as hint to the package name of the release package. It might be that not just multiple versions of the same release package provide the same product version, but also different release packages. - version 17.38.4 (35) ++++ libzypp: - Fix Product::referencePackage lookup (bsc#1259311) Use a provided autoproduct() as hint to the package name of the release package. It might be that not just multiple versions of the same release package provide the same product version, but also different release packages. - version 17.38.4 (35) ------------------------------------------------------------------ ------------------ 2026-3-9 - Mar 9 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fixes: * CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362) * CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363) * CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364) * CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365) * Add patches: - curl-CVE-2026-1965.patch - curl-CVE-2026-3783.patch - curl-CVE-2026-3784.patch - curl-CVE-2026-3805.patch ++++ curl: - Security fixes: * CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362) * CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363) * CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364) * CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365) * Add patches: - curl-CVE-2026-1965.patch - curl-CVE-2026-3783.patch - curl-CVE-2026-3784.patch - curl-CVE-2026-3805.patch ------------------------------------------------------------------ ------------------ 2026-3-6 - Mar 6 2026 ------------------- ------------------------------------------------------------------ ++++ busybox: - Additional fix for use-after-realloc in awk (CVE-2021-42380, bsc#1192869) * 0001-awk-fix-use-after-realloc-CVE-2021-42380-closes-1560.patch - Fix use-after-free in the awk.c copyvar (CVE-2023-42365, bsc#1217585) * 0002-awk-fix-precedence-of-relative-to.patch - Fix use-after-free vulnerability in xasprintf (CVE-2023-42363, bsc#1217580) * 0003-awk-fix-use-after-free-CVE-2023-42363.patch - Fix use-after-free in the awk.c (CVE-2023-42364, bsc#1217584) * 0004-awk-restore-assignment-precedence-to-be-lower-than-t.patch - Fix hidden files in tar listing using escape chars (CVE-2025-46394, bsc#1241661) * 0005-archival-libarchive-sanitize-filenames-on-output-pre.patch - Fix file overwrite, modification, privilege escalation, potential code execution in tar (CVE-2026-26157, bsc#1258163) (CVE-2026-26158, bsc#1258167) * 0006-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch * 0007-tar-only-strip-unsafe-components-from-hardlinks-not-.patch - Fix wget request header injection (CVE-2025-60876, bsc#1253245) * wget-don-t-allow-control-characters-in-url.patch ++++ busybox: - Additional fix for use-after-realloc in awk (CVE-2021-42380, bsc#1192869) * 0001-awk-fix-use-after-realloc-CVE-2021-42380-closes-1560.patch - Fix use-after-free in the awk.c copyvar (CVE-2023-42365, bsc#1217585) * 0002-awk-fix-precedence-of-relative-to.patch - Fix use-after-free vulnerability in xasprintf (CVE-2023-42363, bsc#1217580) * 0003-awk-fix-use-after-free-CVE-2023-42363.patch - Fix use-after-free in the awk.c (CVE-2023-42364, bsc#1217584) * 0004-awk-restore-assignment-precedence-to-be-lower-than-t.patch - Fix hidden files in tar listing using escape chars (CVE-2025-46394, bsc#1241661) * 0005-archival-libarchive-sanitize-filenames-on-output-pre.patch - Fix file overwrite, modification, privilege escalation, potential code execution in tar (CVE-2026-26157, bsc#1258163) (CVE-2026-26158, bsc#1258167) * 0006-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch * 0007-tar-only-strip-unsafe-components-from-hardlinks-not-.patch - Fix wget request header injection (CVE-2025-60876, bsc#1253245) * wget-don-t-allow-control-characters-in-url.patch ++++ python311-core: - Update to 3.11.15: - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029 CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead (bsc#1254997, CVE-2025-12084). - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (bsc#1252974, CVE-2025-6075). - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400). - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (bsc#1254401, CVE-2025-13837). - Library - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144363: Update bundled libexpat to 2.7.4 - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. Remove upstreamed patches: - CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2025-12084-minidom-quad-search.patch - CVE-2025-13836-http-resp-cont-len.patch - CVE-2025-13837-plistlib-mailicious-length.patch - CVE-2025-6075-expandvars-perf-degrad.patch - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15282-urllib-ctrl-chars.patch ++++ python311-core: - Update to 3.11.15: - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029 CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead (bsc#1254997, CVE-2025-12084). - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (bsc#1252974, CVE-2025-6075). - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400). - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (bsc#1254401, CVE-2025-13837). - Library - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144363: Update bundled libexpat to 2.7.4 - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. Remove upstreamed patches: - CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2025-12084-minidom-quad-search.patch - CVE-2025-13836-http-resp-cont-len.patch - CVE-2025-13837-plistlib-mailicious-length.patch - CVE-2025-6075-expandvars-perf-degrad.patch - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15282-urllib-ctrl-chars.patch ++++ python311-core: - Update to 3.11.15: - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029 CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead (bsc#1254997, CVE-2025-12084). - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (bsc#1252974, CVE-2025-6075). - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400). - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (bsc#1254401, CVE-2025-13837). - Library - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144363: Update bundled libexpat to 2.7.4 - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. Remove upstreamed patches: - CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2025-12084-minidom-quad-search.patch - CVE-2025-13836-http-resp-cont-len.patch - CVE-2025-13837-plistlib-mailicious-length.patch - CVE-2025-6075-expandvars-perf-degrad.patch - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15282-urllib-ctrl-chars.patch ++++ libzypp: - specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir} is undefined (fixes #693) This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake. - Fall back to a writable location when precaching packages without root (bsc#1247948) - version 17.38.3 (35) ++++ libzypp: - specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir} is undefined (fixes #693) This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake. - Fall back to a writable location when precaching packages without root (bsc#1247948) - version 17.38.3 (35) ++++ libzypp: - specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir} is undefined (fixes #693) This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake. - Fall back to a writable location when precaching packages without root (bsc#1247948) - version 17.38.3 (35) ++++ python311: - Update to 3.11.15: - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029 CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead (bsc#1254997, CVE-2025-12084). - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (bsc#1252974, CVE-2025-6075). - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400). - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (bsc#1254401, CVE-2025-13837). - Library - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144363: Update bundled libexpat to 2.7.4 - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. Remove upstreamed patches: - CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2025-12084-minidom-quad-search.patch - CVE-2025-13836-http-resp-cont-len.patch - CVE-2025-13837-plistlib-mailicious-length.patch - CVE-2025-6075-expandvars-perf-degrad.patch - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15282-urllib-ctrl-chars.patch ++++ python311: - Update to 3.11.15: - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029 CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead (bsc#1254997, CVE-2025-12084). - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (bsc#1252974, CVE-2025-6075). - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400). - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (bsc#1254401, CVE-2025-13837). - Library - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144363: Update bundled libexpat to 2.7.4 - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. Remove upstreamed patches: - CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2025-12084-minidom-quad-search.patch - CVE-2025-13836-http-resp-cont-len.patch - CVE-2025-13837-plistlib-mailicious-length.patch - CVE-2025-6075-expandvars-perf-degrad.patch - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15282-urllib-ctrl-chars.patch ++++ python311: - Update to 3.11.15: - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029 CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead (bsc#1254997, CVE-2025-12084). - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (bsc#1252974, CVE-2025-6075). - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400). - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (bsc#1254401, CVE-2025-13837). - Library - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144363: Update bundled libexpat to 2.7.4 - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. Remove upstreamed patches: - CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2025-12084-minidom-quad-search.patch - CVE-2025-13836-http-resp-cont-len.patch - CVE-2025-13837-plistlib-mailicious-length.patch - CVE-2025-6075-expandvars-perf-degrad.patch - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15282-urllib-ctrl-chars.patch ++++ zypper: - Report download progress for command line rpms (fixes #613) - Hint to '-vv ref' to see the mirrors used to download the metadata (bsc#1257882) - Service: Allow "zypper ls SERVICE ..." to test whether a service with this alias is defined (bsc#1252744) The command prints an abstract of all services passed on the command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does not name an existing service. - Keep repo data when updating the service settings (bsc#1252744) - info: Enhance pattern content table (bsc#1158038) Alternatives (multiple packages providing the same requirement) are now listed as a single entry in the content table. The entry shows either the installed package which satisfies the requirement or the requirement itself as type 'Provides'. Listing all potential alternatives was miss leading, especially if the alternatives were mutual exclusive. It looked like an installed pattern had not-installed requirements and it was not possible to install all requirements at the same time. - version 1.14.95 ++++ zypper: - Report download progress for command line rpms (fixes #613) - Hint to '-vv ref' to see the mirrors used to download the metadata (bsc#1257882) - Service: Allow "zypper ls SERVICE ..." to test whether a service with this alias is defined (bsc#1252744) The command prints an abstract of all services passed on the command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does not name an existing service. - Keep repo data when updating the service settings (bsc#1252744) - info: Enhance pattern content table (bsc#1158038) Alternatives (multiple packages providing the same requirement) are now listed as a single entry in the content table. The entry shows either the installed package which satisfies the requirement or the requirement itself as type 'Provides'. Listing all potential alternatives was miss leading, especially if the alternatives were mutual exclusive. It looked like an installed pattern had not-installed requirements and it was not possible to install all requirements at the same time. - version 1.14.95 ------------------------------------------------------------------ ------------------ 2026-3-4 - Mar 4 2026 ------------------- ------------------------------------------------------------------ ++++ salt: - Make syntax in httputil_test compatible with Python 3.6 - Fix KeyError in postgres module with PostgreSQL 17 (bsc#1254325) - Use internal deb classes instead of external aptsource lib - Speed up wheel key.finger call (bsc#1240532) - Backport security patches for Salt vendored tornado: * CVE-2025-67724: missing validation of supplied reason phrase (bsc#1254903) * CVE-2025-67725: fix DoS via malicious HTTP request (bsc#1254905) * CVE-2025-67726: fix HTTP header parameter parsing algorithm (bsc#1254904) - Simplify and speed up utils.find_json function (bsc#1246130) - Extend warn_until period to 2027 - Added: * fix-tornado-s-httputil_test-syntax-for-python-3.6.patch * backport-add-maintain-m-privilege-to-postgres-module.patch * use-internal-salt.utils.pkg.deb-classes-instead-of-a.patch * speedup-wheel-key.finger-call-bsc-1240532-713.patch * fixes-for-security-issues-cve-2025-13836-cve-2025-67.patch * simplify-utils.json.find_json-function.patch * extend-fails-to-warnings-until-2027-742.patch ++++ salt: - Make syntax in httputil_test compatible with Python 3.6 - Fix KeyError in postgres module with PostgreSQL 17 (bsc#1254325) - Use internal deb classes instead of external aptsource lib - Speed up wheel key.finger call (bsc#1240532) - Backport security patches for Salt vendored tornado: * CVE-2025-67724: missing validation of supplied reason phrase (bsc#1254903) * CVE-2025-67725: fix DoS via malicious HTTP request (bsc#1254905) * CVE-2025-67726: fix HTTP header parameter parsing algorithm (bsc#1254904) - Simplify and speed up utils.find_json function (bsc#1246130) - Extend warn_until period to 2027 - Added: * fix-tornado-s-httputil_test-syntax-for-python-3.6.patch * backport-add-maintain-m-privilege-to-postgres-module.patch * use-internal-salt.utils.pkg.deb-classes-instead-of-a.patch * speedup-wheel-key.finger-call-bsc-1240532-713.patch * fixes-for-security-issues-cve-2025-13836-cve-2025-67.patch * simplify-utils.json.find_json-function.patch * extend-fails-to-warnings-until-2027-742.patch ++++ suseconnect-ng: - Regressions found during QA test runs: - Ignore product in announce call (bsc#1257490) - Registration to SMT server with failed (bsc#1257625) ++++ suseconnect-ng: - Regressions found during QA test runs: - Ignore product in announce call (bsc#1257490) - Registration to SMT server with failed (bsc#1257625) - Backported by PATCH: fix-libsuseconnect-and-pci.patch ++++ tar: - Add tar-fix-deletion-from-archive.patch * Fixes tar creating invalid tarballs when used with --delete (bsc#1246607) * Add makeinfo build requirement, needed after the addition of the patch ++++ tar: - Add tar-fix-deletion-from-archive.patch * Fixes tar creating invalid tarballs when used with --delete (bsc#1246607) * Add makeinfo build requirement, needed after the addition of the patch ++++ vim: * Update Vim to version 9.2.0045 (from 9.1.1629). * Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed upstream). * Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed upstream). * Drop obsolete or upstreamed patches: - vim-7.3-filetype_spec.patch - vim-7.4-filetype_apparmor.patch - vim-8.2.2411-globalvimrc.patch * Refresh the following patches: - vim-7.3-filetype_changes.patch - vim-7.3-filetype_ftl.patch - vim-7.3-sh_is_bash.patch - vim-9.1.1134-revert-putty-terminal-colors.patch * Remove autoconf from BuildRequires and drop the autoconf call in %build. * Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8) during %install. ++++ vim: * Update Vim to version 9.2.0045 (from 9.1.1629). * Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed upstream). * Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed upstream). * Drop obsolete or upstreamed patches: - vim-7.3-filetype_spec.patch - vim-7.4-filetype_apparmor.patch - vim-8.2.2411-globalvimrc.patch * Refresh the following patches: - vim-7.3-filetype_changes.patch - vim-7.3-filetype_ftl.patch - vim-7.3-sh_is_bash.patch - vim-9.1.1134-revert-putty-terminal-colors.patch * Remove autoconf from BuildRequires and drop the autoconf call in %build. * Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8) during %install. ++++ vim: * Update Vim to version 9.2.0045 (from 9.1.1629). * Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed upstream). * Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed upstream). * Drop obsolete or upstreamed patches: - vim-7.3-filetype_spec.patch - vim-7.4-filetype_apparmor.patch - vim-8.2.2411-globalvimrc.patch * Refresh the following patches: - vim-7.3-filetype_changes.patch - vim-7.3-filetype_ftl.patch - vim-7.3-sh_is_bash.patch - vim-9.1.1134-revert-putty-terminal-colors.patch * Remove autoconf from BuildRequires and drop the autoconf call in %build. * Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8) during %install. ++++ vim: * Update Vim to version 9.2.0045 (from 9.1.1629). * Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed upstream). * Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed upstream). * Drop obsolete or upstreamed patches: - vim-7.3-filetype_spec.patch - vim-7.4-filetype_apparmor.patch - vim-8.2.2411-globalvimrc.patch * Refresh the following patches: - vim-7.3-filetype_changes.patch - vim-7.3-filetype_ftl.patch - vim-7.3-sh_is_bash.patch - vim-9.1.1134-revert-putty-terminal-colors.patch * Remove autoconf from BuildRequires and drop the autoconf call in %build. * Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8) during %install. ++++ vim: * Update Vim to version 9.2.0045 (from 9.1.1629). * Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed upstream). * Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed upstream). * Drop obsolete or upstreamed patches: - vim-7.3-filetype_spec.patch - vim-7.4-filetype_apparmor.patch - vim-8.2.2411-globalvimrc.patch * Refresh the following patches: - vim-7.3-filetype_changes.patch - vim-7.3-filetype_ftl.patch - vim-7.3-sh_is_bash.patch - vim-9.1.1134-revert-putty-terminal-colors.patch * Remove autoconf from BuildRequires and drop the autoconf call in %build. * Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8) during %install. ------------------------------------------------------------------ ------------------ 2026-3-3 - Mar 3 2026 ------------------- ------------------------------------------------------------------ ++++ freetype2: - update to 2.14.2 - Important changes * Several changes related to LCD filtering are implemented to achieve better performance and encourage sound practices. + Instead of blanket LCD filtering over the entire bitmap, it is now applied only to non-zero spans using direct rendering. This speeds up the ClearType-like rendering by more than 40% at sizes above 32 ppem. + Setting the filter weights with FT_Face_Properties is no longer supported. The default and light filters are optimized to work with any face. + The legacy libXft LCD filter algorithm is no longer provided. - Important bug fixes * A bunch of potential security problems have been found (bsc#1259118, CVE-2026-23865). All users should update. * The italic angle in `PS_FontInfo` is now stored as a fixed-point value in degrees for all Type 1 fonts and their derivatives, consistent with CFF fonts and common practices. The broken underline position and thickness values are fixed for CFF fonts. - Miscellaneous * The `x` field in the `FT_Span` structure is now unsigned. * Demo program `ftgrid` got an option `-m` to select a start character to display. * Similarly, demo program `ftmulti` got an option `-m` to select a text string for rendering. * Option `-d` in the demo program `ttdebug` is now called `-a`, expecting a comma-separated list of axis values. The user interface is also slightly improved. * The `ftinspect` demo program can now be compiled with Qt6, too. ------------------------------------------------------------------ ------------------ 2026-3-2 - Mar 2 2026 ------------------- ------------------------------------------------------------------ ++++ virtiofsd: - Add CVE-2026-25727.patch: Avoid denial of service when parsing Rfc2822(bsc#1257912 CVE-2026-25727). ------------------------------------------------------------------ ------------------ 2026-3-1 - Mar 1 2026 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Use full hostname for PAM to ensure correct access control for "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch). ++++ util-linux: - Use full hostname for PAM to ensure correct access control for "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch). ++++ util-linux-systemd: - Use full hostname for PAM to ensure correct access control for "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch). ++++ util-linux-systemd: - Use full hostname for PAM to ensure correct access control for "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch). ------------------------------------------------------------------ ------------------ 2026-2-27 - Feb 27 2026 ------------------- ------------------------------------------------------------------ ++++ systemd: - Import commit aef6e11921f8c46a2b7ee8cfab024c9c641d74d8 aef6e11921 core/cgroup: avoid one unnecessary strjoina() cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements 26a748f727 core: validate input cgroup path more prudently (bsc#1259418 CVE-2026-29111) 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs ------------------------------------------------------------------ ------------------ 2026-2-25 - Feb 25 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2026-1760.patch: server: close the connection after responsing a request containing... (bsc#1257597, CVE-2026-1760, glgo#GNOME/libsoup#475). - Add libsoup-CVE-2026-1467.patch: uri-utils: do host validation when checking if a GUri is valid (bsc#1257398, CVE-2026-1467, glgo#GNOME/libsoup#488). - Add libsoup-CVE-2026-1539.patch: Also remove Proxy-Authorization header on cross origin redirect (bsc#1257441, CVE-2026-1539, glgo#GNOME/libsoup#489). ++++ libsoup: - Add libsoup-CVE-2026-1760.patch: server: close the connection after responsing a request containing... (bsc#1257597, CVE-2026-1760, glgo#GNOME/libsoup#475). - Add libsoup-CVE-2026-1467.patch: uri-utils: do host validation when checking if a GUri is valid (bsc#1257398, CVE-2026-1467, glgo#GNOME/libsoup#488). - Add libsoup-CVE-2026-1539.patch: Also remove Proxy-Authorization header on cross origin redirect (bsc#1257441, CVE-2026-1539, glgo#GNOME/libsoup#489). ++++ libsoup: - Add libsoup-CVE-2026-1760.patch: server: close the connection after responsing a request containing... (bsc#1257597, CVE-2026-1760, glgo#GNOME/libsoup#475). - Add libsoup-CVE-2026-1467.patch: uri-utils: do host validation when checking if a GUri is valid (bsc#1257398, CVE-2026-1467, glgo#GNOME/libsoup#488). - Add libsoup-CVE-2026-1539.patch: Also remove Proxy-Authorization header on cross origin redirect (bsc#1257441, CVE-2026-1539, glgo#GNOME/libsoup#489). ++++ qemu: - Bug and CVE fixes: * cryptodev-builtin: Limit the maximum size (bsc#1255400, CVE-2025-14876) * hw/virtio/virtio-crypto: verify asym request size (bsc#1255400, CVE-2025-14876) * hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() (bsc#1256484, CVE-2026-0665) ++++ qemu: - Bug and CVE fixes: * cryptodev-builtin: Limit the maximum size (bsc#1255400, CVE-2025-14876) * hw/virtio/virtio-crypto: verify asym request size (bsc#1255400, CVE-2025-14876) * hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() (bsc#1256484, CVE-2026-0665) ------------------------------------------------------------------ ------------------ 2026-2-24 - Feb 24 2026 ------------------- ------------------------------------------------------------------ ++++ gnutls: - Add the functionality to allow to specify the hash algorithm for the PSK. This fixes a bug in the current implementation where the binder is always calculated with SHA256. * (bsc#1258083, jsc#PED-15752, jsc#PED-15753) * lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2 * tests/psk-file: Add testing for _credentials2 functions * lib/psk: add null check for binder algo * pre_shared_key: fix memleak when retrying with different binder algo * pre_shared_key: add null check on pskcred * Add patches: - gnutls-PSK-hash.patch - gnutls-PSK-hash-tests.patch - gnutls-PSK-hash-NULL-check.patch - gnutls-PSK-hash-NULL-check-pskcred.patch - gnutls-PSK-hash-fix-memleak.patch ++++ gnutls: - Add the functionality to allow to specify the hash algorithm for the PSK. This fixes a bug in the current implementation where the binder is always calculated with SHA256. * (bsc#1258083, jsc#PED-15752, jsc#PED-15753) * lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2 * tests/psk-file: Add testing for _credentials2 functions * lib/psk: add null check for binder algo * pre_shared_key: fix memleak when retrying with different binder algo * pre_shared_key: add null check on pskcred * Add patches: - gnutls-PSK-hash.patch - gnutls-PSK-hash-tests.patch - gnutls-PSK-hash-NULL-check.patch - gnutls-PSK-hash-NULL-check-pskcred.patch - gnutls-PSK-hash-fix-memleak.patch ------------------------------------------------------------------ ------------------ 2026-2-23 - Feb 23 2026 ------------------- ------------------------------------------------------------------ ++++ dnsmasq: - bsc#1258251, CVE-2026-2291, dnsmasq-CVE-2026-2291.patch: dnsmasq can be abused to record false cached data enabling DoS or attacker redirect. ------------------------------------------------------------------ ------------------ 2026-2-20 - Feb 20 2026 ------------------- ------------------------------------------------------------------ ++++ mozilla-nss: - update to NSS 3.112.3 * bmo#2009552 - avoid integer overflow in platform-independent ghash ++++ libsoup: - Add more CVE fixes: + libsoup-CVE-2025-12105.patch (bsc#1252555 CVE-2025-12105 glgo#GNOME/libsoup!481) + libsoup-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 glgo#GNOME/libsoup#390) + libsoup-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 glgo#GNOME/libsoup#487) + libsoup-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 glgo#GNOME/libsoup!508) + libsoup-CVE-2026-2708.patch (bsc#1258508 CVE-2026-2708 glgo#GNOME/libsoup#500) ++++ libsoup: - Add more CVE fixes: + libsoup-CVE-2025-12105.patch (bsc#1252555 CVE-2025-12105 glgo#GNOME/libsoup!481) + libsoup-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 glgo#GNOME/libsoup#390) + libsoup-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 glgo#GNOME/libsoup#487) + libsoup-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 glgo#GNOME/libsoup!508) + libsoup-CVE-2026-2708.patch (bsc#1258508 CVE-2026-2708 glgo#GNOME/libsoup#500) ++++ libsoup: - Add more CVE fixes: + libsoup-CVE-2025-12105.patch (bsc#1252555 CVE-2025-12105 glgo#GNOME/libsoup!481) + libsoup-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 glgo#GNOME/libsoup#390) + libsoup-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 glgo#GNOME/libsoup#487) + libsoup-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 glgo#GNOME/libsoup!508) + libsoup-CVE-2026-2708.patch (bsc#1258508 CVE-2026-2708 glgo#GNOME/libsoup#500) ++++ libsoup: - Add more CVE fixes: + libsoup-CVE-2025-12105.patch (bsc#1252555 CVE-2025-12105 glgo#GNOME/libsoup!481) + libsoup-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 glgo#GNOME/libsoup#390) + libsoup-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 glgo#GNOME/libsoup#487) + libsoup-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 glgo#GNOME/libsoup!508) + libsoup-CVE-2026-2708.patch (bsc#1258508 CVE-2026-2708 glgo#GNOME/libsoup#500) ------------------------------------------------------------------ ------------------ 2026-2-18 - Feb 18 2026 ------------------- ------------------------------------------------------------------ ++++ zlib: - Fix CVE-2026-27171, infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths (bsc#1258392) * CVE-2026-27171.patch ------------------------------------------------------------------ ------------------ 2026-2-17 - Feb 17 2026 ------------------- ------------------------------------------------------------------ ++++ python-cryptography: - CVE-2026-26007: Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (bsc#1258074) * added CVE-2026-26007.patch ++++ python-cryptography: - CVE-2026-26007: Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (bsc#1258074) * added CVE-2026-26007.patch ------------------------------------------------------------------ ------------------ 2026-2-13 - Feb 13 2026 ------------------- ------------------------------------------------------------------ ++++ libxml2: - CVE-2026-0990: call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI` (bsc#1256807, bsc#1256811) * Add patch libxml2-CVE-2026-0990.patch - CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling `` elements (bsc#1256808, bsc#1256809, bsc#1256812) * Add patch libxml2-CVE-2026-0992.patch - CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files (bsc#1247858, bsc#1247850) * Add patch libxml2-CVE-2025-8732.patch ++++ libxml2-python: - CVE-2026-0990: call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI` (bsc#1256807, bsc#1256811) * Add patch libxml2-CVE-2026-0990.patch - CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling `` elements (bsc#1256808, bsc#1256809, bsc#1256812) * Add patch libxml2-CVE-2026-0992.patch - CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files (bsc#1247858, bsc#1247850) * Add patch libxml2-CVE-2025-8732.patch ------------------------------------------------------------------ ------------------ 2026-2-12 - Feb 12 2026 ------------------- ------------------------------------------------------------------ ++++ libpng16: - added patches CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020) * libpng16-CVE-2026-25646.patch ++++ libpng16: - added patches CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020) * libpng16-CVE-2026-25646.patch ++++ libpng16: - added patches CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020) * libpng16-CVE-2026-25646.patch ------------------------------------------------------------------ ------------------ 2026-2-11 - Feb 11 2026 ------------------- ------------------------------------------------------------------ ++++ gpg2: - Fix Y2K38 FTBFS: * gpg2 quick-key-manipulation test FTBFS-2038 (bsc#1251214) * Upstream issue: dev.gnupg.org/T8096 * Add gnupg-gpgscm-New-operator-long-time-t-to-detect-proper-tim.patch ++++ python311-core: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ python311-core: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ python311-core: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ python311-core: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ libssh: - Security fixes: * CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049) * CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files (bsc#1258045) * CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054) * CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081) * CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080) * Add patches: - libssh-CVE-2026-0964-scp-Reject-invalid-paths-received-thro.patch - libssh-CVE-2026-0965-config-Do-not-attempt-to-read-non-regu.patch - libssh-CVE-2026-0966-misc-Avoid-heap-buffer-underflow-in-ss.patch - libssh-CVE-2026-0966-tests-Test-coverage-for-ssh_get_hexa.patch - libssh-CVE-2026-0966-doc-Update-guided-tour-to-use-SHA256-f.patch - libssh-CVE-2026-0967-match-Avoid-recursive-matching-ReDoS.patch - libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch ++++ python311: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ python311: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ python311: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ++++ python311: - CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch - CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch - CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch - CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch - CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch - CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch - CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch ------------------------------------------------------------------ ------------------ 2026-2-10 - Feb 10 2026 ------------------- ------------------------------------------------------------------ ++++ avahi: - Add avahi-CVE-2024-52615.patch: Backport 4e2e1ea from upstream, Resolve fixed source ports for wide-area DNS queries cause DNS responses be injected. (CVE-2024-52615, bsc#1233421) - Add avahi-CVE-2025-68468.patch: Backport f66be13 from upstream, fix DoS bug by removing incorrect assertion. (CVE-2025-68468, bsc#1256499) - Add avahi-CVE-2025-68471.patch: Backport 9c6eb53 from upstream, fix DoS bug by changing assert to return. (CVE-2025-68471, bsc#1256500) - Add avahi-CVE-2025-68276.patch: Backport 0c013e2 from upstream, refuse to create wide-area record browsers when wide-area is off. (CVE-2025-68276, bsc#1256498) ++++ avahi: - Add avahi-CVE-2024-52615.patch: Backport 4e2e1ea from upstream, Resolve fixed source ports for wide-area DNS queries cause DNS responses be injected. (CVE-2024-52615, bsc#1233421) - Add avahi-CVE-2025-68468.patch: Backport f66be13 from upstream, fix DoS bug by removing incorrect assertion. (CVE-2025-68468, bsc#1256499) - Add avahi-CVE-2025-68471.patch: Backport 9c6eb53 from upstream, fix DoS bug by changing assert to return. (CVE-2025-68471, bsc#1256500) - Add avahi-CVE-2025-68276.patch: Backport 0c013e2 from upstream, refuse to create wide-area record browsers when wide-area is off. (CVE-2025-68276, bsc#1256498) ++++ avahi: - Add avahi-CVE-2024-52615.patch: Backport 4e2e1ea from upstream, Resolve fixed source ports for wide-area DNS queries cause DNS responses be injected. (CVE-2024-52615, bsc#1233421) - Add avahi-CVE-2025-68468.patch: Backport f66be13 from upstream, fix DoS bug by removing incorrect assertion. (CVE-2025-68468, bsc#1256499) - Add avahi-CVE-2025-68471.patch: Backport 9c6eb53 from upstream, fix DoS bug by changing assert to return. (CVE-2025-68471, bsc#1256500) - Add avahi-CVE-2025-68276.patch: Backport 0c013e2 from upstream, refuse to create wide-area record browsers when wide-area is off. (CVE-2025-68276, bsc#1256498) ++++ ca-certificates-mozilla: - Updated to 2.84 state (bsc#1258002) - Removed: - Baltimore CyberTrust Root - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - DigiNotar Root CA - Added: - e-Szigno TLS Root CA 2023 - OISTE Client Root ECC G1 - OISTE Client Root RSA G1 - OISTE Server Root ECC G1 - OISTE Server Root RSA G1 - SwissSign RSA SMIME Root CA 2022 - 1 - SwissSign RSA TLS Root CA 2022 - 1 - TrustAsia SMIME ECC Root CA - TrustAsia SMIME RSA Root CA - TrustAsia TLS ECC Root CA - TrustAsia TLS RSA Root CA ++++ gnutls: - Security fix: * CVE-2025-14831: DoS via excessive resource consumption during certificate verification (bsc#1257960) * Add gnutls-CVE-2025-14831.patch ++++ gnutls: - Security fix: * CVE-2025-14831: DoS via excessive resource consumption during certificate verification (bsc#1257960) * Add gnutls-CVE-2025-14831.patch ++++ libpng16: - added patches CVE-2026-22695: Heap buffer over-read in png_image_finish_read (bsc#1256525) * libpng16-CVE-2026-22695.patch CVE-2026-22801: Integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526) * libpng16-CVE-2026-22801.patch ++++ libpng16: - added patches CVE-2026-22695: Heap buffer over-read in png_image_finish_read (bsc#1256525) * libpng16-CVE-2026-22695.patch CVE-2026-22801: Integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526) * libpng16-CVE-2026-22801.patch ++++ libpng16: - added patches CVE-2026-22695: Heap buffer over-read in png_image_finish_read (bsc#1256525) * libpng16-CVE-2026-22695.patch CVE-2026-22801: Integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526) * libpng16-CVE-2026-22801.patch ------------------------------------------------------------------ ------------------ 2026-2-9 - Feb 9 2026 ------------------- ------------------------------------------------------------------ ++++ rust-keylime: - Update vendored crates (bsc#1257908, CVE-2026-25727) * time 0.3.47 - Update to version 0.2.8+116: * build(deps): bump bytes from 1.7.2 to 1.11.1 * api: Modify /version endpoint output in version 2.5 * Add API v2.5 with backward-compatible /v2.5/quotes/integrity * tests: add unit test for resolve_agent_id (#1182) * (pull-model): enable retry logic for registration * rpm: Update specfiles to apply on master * workflows: Add test to detect unused crates * lib: Drop unused crates * push-model: Drop unused crates * keylime-agent: Drop unused crates * build(deps): bump uuid from 1.18.1 to 1.19.0 * Update reqwest-retry to 0.8, retry-policies to 0.5 * rpm: Fix cargo_build macro usage on CentOS Stream * fix(push-model): resolve hash_ek uuid to actual EK hash * build(deps): bump thiserror from 2.0.16 to 2.0.17 * workflows: Separate upstream test suite from e2e coverage * Send UEFI measured boot logs as raw bytes (#1173) * auth: Add unit tests for SecretToken implementation * packit: Enable push-attestation tests * resilient_client: Prevent authentication token leakage in logs ++++ rust-keylime: - Update vendored crates (bsc#1257908, CVE-2026-25727) * time 0.3.47 - Update to version 0.2.8+116: * build(deps): bump bytes from 1.7.2 to 1.11.1 * api: Modify /version endpoint output in version 2.5 * Add API v2.5 with backward-compatible /v2.5/quotes/integrity * tests: add unit test for resolve_agent_id (#1182) * (pull-model): enable retry logic for registration * rpm: Update specfiles to apply on master * workflows: Add test to detect unused crates * lib: Drop unused crates * push-model: Drop unused crates * keylime-agent: Drop unused crates * build(deps): bump uuid from 1.18.1 to 1.19.0 * Update reqwest-retry to 0.8, retry-policies to 0.5 * rpm: Fix cargo_build macro usage on CentOS Stream * fix(push-model): resolve hash_ek uuid to actual EK hash * build(deps): bump thiserror from 2.0.16 to 2.0.17 * workflows: Separate upstream test suite from e2e coverage * Send UEFI measured boot logs as raw bytes (#1173) * auth: Add unit tests for SecretToken implementation * packit: Enable push-attestation tests * resilient_client: Prevent authentication token leakage in logs ------------------------------------------------------------------ ------------------ 2026-2-5 - Feb 5 2026 ------------------- ------------------------------------------------------------------ ++++ regionServiceClientConfigGCE: - Update to version 5.2.0 + Drop the if condition for gcemetdata requirement ------------------------------------------------------------------ ------------------ 2026-2-4 - Feb 4 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Update dependencies for bsc#1257325/CVE-2025-13465 ++++ cockpit-machines: - Update dependencies for bsc#1257325/CVE-2025-13465 ++++ cockpit-machines: - Update dependencies for bsc#1257325/CVE-2025-13465 ++++ docker: - Places a hard cap on the amount of mechanisms that can be specified and encoded in the payload. (bcs#1253904, CVE-2025-58181) * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch ++++ docker: - Places a hard cap on the amount of mechanisms that can be specified and encoded in the payload. (bcs#1253904, CVE-2025-58181) * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch ++++ libxslt: - CVE-2025-10911 will be fixed on libxml2 side instead [bsc#1250553] - deleted patches * libxslt-CVE-2025-10911.patch ++++ libxml2: - CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257593, bsc#1257594, bsc#1257595) * Add patch libxml2-CVE-2026-1757.patch - CVE-2025-10911: use-after-free with key data stored cross-RVT (bsc#1250553) * Add patch libxml2-CVE-2025-10911.patch ++++ libxml2-python: - CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257593, bsc#1257594, bsc#1257595) * Add patch libxml2-CVE-2026-1757.patch - CVE-2025-10911: use-after-free with key data stored cross-RVT (bsc#1250553) * Add patch libxml2-CVE-2025-10911.patch ------------------------------------------------------------------ ------------------ 2026-2-3 - Feb 3 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Update dependencies for bsc#1257324/CVE-2025-13465 ++++ cockpit: - Update dependencies for bsc#1257324/CVE-2025-13465 ++++ cockpit: - Update dependencies for bsc#1257324/CVE-2025-13465 ++++ crun: - make sure the opened .krun_config.json is below the rootfs directory and we don't follow any symlink. (CVE-2025-24965, bsc#1237421) * krun-fix-CVE-2025-24965.patch ++++ docker-compose: - Add patch for CVE-2025-47914 (bsc#1254041), CVE-2025-47913 (bsc#1253584): 0001-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch ++++ docker-compose: - Add patch for CVE-2025-47914 (bsc#1254041), CVE-2025-47913 (bsc#1253584): 0001-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch ++++ expat: - security update - added patches CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser * expat-CVE-2026-24515.patch CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow * expat-CVE-2026-25210.patch ++++ expat: - security update - added patches CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser * expat-CVE-2026-24515.patch CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow * expat-CVE-2026-25210.patch ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ------------------------------------------------------------------ ------------------ 2026-1-30 - Jan 30 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit-podman: - Update dependencies to fix building on non-x86 arches - Update lodash to 4.17.23 for bsc#1257324 ++++ cockpit-podman: - Update dependencies to fix building on non-x86 arches - Update lodash to 4.17.23 for bsc#1257324 ------------------------------------------------------------------ ------------------ 2026-1-29 - Jan 29 2026 ------------------- ------------------------------------------------------------------ ++++ libzypp: - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. - Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) ++++ libzypp: - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. - Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) ++++ libzypp: - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. - Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) ++++ libzypp: - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. - Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) ++++ podman: - Add symlink to catatonit in /usr/libexec/podman (bsc#1248988) ------------------------------------------------------------------ ------------------ 2026-1-28 - Jan 28 2026 ------------------- ------------------------------------------------------------------ ++++ glib2: - Add CVE fixes: + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484 glgo#GNOME/glib!4979). + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485 glgo#GNOME/glib!4981). + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489 glgo#GNOME/glib!4984). ++++ gpg2: - Security fix [bsc#1257396, CVE-2026-24882] - gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys - Added gnupg-CVE-2026-24882.patch - Security fix [bsc#1256389] (gpg.fail/filename) * Added gnupg-accepts-path-separators-literal-data.patch * GnuPG Accepts Path Separators and Path Traversals in Literal Data ++++ gpg2: - Security fix [bsc#1257396, CVE-2026-24882] * gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys * Added gnupg-CVE-2026-24882.patch - Security fix [bsc#1256389] (gpg.fail/filename) * Added gnupg-accepts-path-separators-literal-data.patch * GnuPG Accepts Path Separators and Path Traversals in Literal Data ++++ libpng16: - security update - added patches CVE-2025-28162 [bsc#1257364], memory leaks when running `pngimage` CVE-2025-28164 [bsc#1257365], memory leaks when running `pngimage` * libpng16-CVE-2025-28162,28164.patch ++++ libpng16: - security update - added patches CVE-2025-28162 [bsc#1257364], memory leaks when running `pngimage` CVE-2025-28164 [bsc#1257365], memory leaks when running `pngimage` * libpng16-CVE-2025-28162,28164.patch ++++ libpng16: - security update - added patches CVE-2025-28162 [bsc#1257364], memory leaks when running `pngimage` CVE-2025-28164 [bsc#1257365], memory leaks when running `pngimage` * libpng16-CVE-2025-28162,28164.patch ++++ regionServiceClientConfigGCE: - Update to version 5.1.0 (jsc#PCT-590) + Add licenses info in the metdata - Accomodate build setup ------------------------------------------------------------------ ------------------ 2026-1-26 - Jan 26 2026 ------------------- ------------------------------------------------------------------ ++++ python-urllib3: - Add security patches: * CVE-2025-66471 (bsc#1254867) * CVE-2025-66418 (bsc#1254866) ++++ python-urllib3: - Add security patches: * CVE-2025-66471 (bsc#1254867) * CVE-2025-66418 (bsc#1254866) ------------------------------------------------------------------ ------------------ 2026-1-24 - Jan 24 2026 ------------------- ------------------------------------------------------------------ ++++ dnsmasq: - update to 2.92 * Redesign the interaction between DNSSEC validation and per-domain servers, specified as --server=//. This should just work in all cases now. If the normal chain-of-trust exists into the delegated domain then whether the domain is signed or not, DNSSEC validation will function normally. In the case the delegated domain is an "overlay" on top of the global DNS and no NS and/or DS records exist connecting it to the global dns, then if the domain is unsigned the situation will be handled by synthesising a proof-of-non-existence-of-DS for the domain and queries will be answered unvalidated; this action will be logged. A signed domain without chain-of-trust can be validated if a suitable trust-anchor is provided using --trust-anchor. This change should be backwards compatible for all existing working configurations; it extends the space of possible configurations which are functional. * Fix a couple of problems with DNSSEC validation and DNAME. One could cause validation failure on correct domains, and the other would fail to spot an invalid domain. Thanks to Graham Clinch for spotting the problem. * Add --log-queries=auth option to only log replies from the auth DNS facility. * Fix some edge-cases with domains and --address and --server. There has been some regressions with this in previous releases. This change fixes the priority order from lower to highest as: - -address with a IPv4 or IPv6 address (as long as the query matches the type) - -address with # for all-zeros, as long as the query is A or AAAA) - -address with no address, which returns NXDOMAIN or NOERROR for all types. - -server with address set to # to use the unqualified servers. - -server with matching domain. - -server without domain or from /etc/resolv.conf. * Fix problems with ipset or nftset and TCP DNS transport. Previously this was racy, and insertion of addresses could fail on a busy server when DNS-over-TCP transport was involved. * DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends. The large public DNS services seem not to return proof-of-nonexistence for DS records at the start of RFC-1918 in-addr.arpa domains and the their IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc. Since dnsmasq already has an option which instructs it not bother upstream servers with pointless queries about these address ranges, namely --bogus-priv, we extend that to enable behaviour which allows dnsmasq to assume that insecure NXDOMAIN replies for these domains are expected and to assume that the domains are legitimately unsigned. This behaviour only matters when some address range is directed to another upstream server using --rev-server. In that case it allows replies from that server to pass DNSSEC validation. Without such a server configured, queries are never sent upstream so they are never validated and the new behaviour is moot. * Add support for leasequery to the dnsmasq DHCPv4 server. This has to be specifically enabled with the --leasequery option. Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring this enhancement to dnsmasq. * Fix failure to cache PTR RRs when a reply contains more than one answer. Thanks to Dmitry for spotting this. * Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349). * Change the behaviour of the DHCPv6 server when a REBIND message is received but no lease exists. Under these circumstances a new lease is created _only_ when the --dhcp-authoritative option is set. This matches the behavior of the DHCPv4 server. * Add --dhcp-split-relay option. This makes a DHCPv4 relay which is functional when client and server networks aren't mutually route-able. * Fix failure to add client MAC address to queries in TCP mode. The options which cause dnsmasq to decorate a DNS query with the MAC address on the originating client can fail when the query is sent using TCP. Thanks to Bruno Ravara for spotting and characterising this bug. ------------------------------------------------------------------ ------------------ 2026-1-22 - Jan 22 2026 ------------------- ------------------------------------------------------------------ ++++ sqlite3: - Update to version 3.51.2: * bsc#1259619, CVE-2025-70873: zipfile extension may disclose uninitialized heap memory during inflation. * Fix an obscure deadlock in the new broken-posix-lock detection logic. * Fix multiple problems in the EXISTS-to-JOIN optimization. * Other minor bug fixes. ++++ libxml2: - Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 ++++ libxml2: - CVE-2026-0989: call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives (bsc#1256804, bsc#1256805, bsc#1256810) * Add patch libxml2-CVE-2026-0989.patch * https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 ++++ libxml2-python: - CVE-2026-0989: call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives (bsc#1256804, bsc#1256805, bsc#1256810) * Add patch libxml2-CVE-2026-0989.patch * https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 ++++ suseconnect-ng: - Update version to 1.20: - Update error message for Public Cloud instances with registercloudguest installed. SUSEConnect -d is disabled on PYAG and BYOS when the registercloudguest command is available. (bsc#1230861) - Enhanced SAP detected. Take TREX into account and remove empty values when only /usr/sap but no installation exists (bsc#1241002) - Fixed modules and extension link to point to version less documentation. (bsc#1239439) - Fixed SAP instance detection (bsc#1244550) - Remove link to extensions documentation (bsc#1239439) - Migrate to the public library ++++ suseconnect-ng: - Update version to 1.20: - Update error message for Public Cloud instances with registercloudguest installed. SUSEConnect -d is disabled on PYAG and BYOS when the registercloudguest command is available. (bsc#1230861) - Enhanced SAP detected. Take TREX into account and remove empty values when only /usr/sap but no installation exists (bsc#1241002) - Fixed modules and extension link to point to version less documentation. (bsc#1239439) - Fixed SAP instance detection (bsc#1244550) - Remove link to extensions documentation (bsc#1239439) - Migrate to the public library ++++ suseconnect-ng: - Update version to 1.20: - Update error message for Public Cloud instances with registercloudguest installed. SUSEConnect -d is disabled on PYAG and BYOS when the registercloudguest command is available. (bsc#1230861) - Enhanced SAP detected. Take TREX into account and remove empty values when only /usr/sap but no installation exists (bsc#1241002) - Fixed modules and extension link to point to version less documentation. (bsc#1239439) - Fixed SAP instance detection (bsc#1244550) - Remove link to extensions documentation (bsc#1239439) - Migrate to the public library ------------------------------------------------------------------ ------------------ 2026-1-21 - Jan 21 2026 ------------------- ------------------------------------------------------------------ ++++ cups: - Version upgrade to 2.4.16: See https://github.com/openprinting/cups/releases The hotfix release 2.4.16 includes fix for infinite loop in GTK, which was caused by change of internal behavior in libcups on which GTK depended on, and workaround for stopping the scheduler if configuration includes unknown directives. Detailed list (from CHANGES.md): * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438) * The web interface did not support domain usernames fully (Issue #1441) * Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 boo#1254353) * Fixed stopping scheduler on unknown directive in configuration (Issue #1443) Issues are those at https://github.com/OpenPrinting/cups/issues - Version upgrade to 2.4.15: See https://github.com/openprinting/cups/releases The release CUPS 2.4.15 brings two CVE fixes: Fix various cupsd issues which cause local DoS (CVE-2025-61915 bsc#1253783) Fix unresponsive cupsd process caused by slow client (CVE-2025-58436 bsc#1244057) and several bug fixes described in CHANGES.md. Detailed list (from CHANGES.md): * Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355) * Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.16 - Fixed entry below dated "Sat Sep 30 08:52:42 UTC 2017" which contained needless UTF-8 Unicode characters that are now replaced by plain ASCII text in "... line - the ..." to fix a rpmlint "non-break-space" warning. - Adapted and enhanced 'tmpfiles.d' related things in cups.spec to "Fix packages for Immutable Mode - cups" (implementation task jsc#PED-14775 from epic jsc#PED-14688) ++++ cups: - Version upgrade to 2.4.16: See https://github.com/openprinting/cups/releases The hotfix release 2.4.16 includes fix for infinite loop in GTK, which was caused by change of internal behavior in libcups on which GTK depended on, and workaround for stopping the scheduler if configuration includes unknown directives. Detailed list (from CHANGES.md): * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438) * The web interface did not support domain usernames fully (Issue #1441) * Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 boo#1254353) * Fixed stopping scheduler on unknown directive in configuration (Issue #1443) Issues are those at https://github.com/OpenPrinting/cups/issues - Version upgrade to 2.4.15: See https://github.com/openprinting/cups/releases The release CUPS 2.4.15 brings two CVE fixes: Fix various cupsd issues which cause local DoS (CVE-2025-61915 bsc#1253783) Fix unresponsive cupsd process caused by slow client (CVE-2025-58436 bsc#1244057) and several bug fixes described in CHANGES.md. Detailed list (from CHANGES.md): * Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355) * Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.16 - Fixed entry below dated "Sat Sep 30 08:52:42 UTC 2017" which contained needless UTF-8 Unicode characters that are now replaced by plain ASCII text in "... line - the ..." to fix a rpmlint "non-break-space" warning. - Adapted and enhanced 'tmpfiles.d' related things in cups.spec to "Fix packages for Immutable Mode - cups" (implementation task jsc#PED-14775 from epic jsc#PED-14688) ++++ glib2: - Add glib2-CVE-2026-0988.patch: fix a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988 glgo#GNOME/glib#3851). ------------------------------------------------------------------ ------------------ 2026-1-19 - Jan 19 2026 ------------------- ------------------------------------------------------------------ ++++ glibc: - memalign-overflow-check.patch: memalign: reinstate alignment overflow check (CVE-2026-0861, bsc#1256766, BZ #33796) - nss-dns-getnetbyaddr.patch: resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915, bsc#1256822, BZ #33802) - wordexp-wrde-reuse.patch: posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281, bsc#1257005, BZ #33814) ++++ glibc: - memalign-overflow-check.patch: memalign: reinstate alignment overflow check (CVE-2026-0861, bsc#1256766, BZ #33796) - nss-dns-getnetbyaddr.patch: resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915, bsc#1256822, BZ #33802) - wordexp-wrde-reuse.patch: posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281, bsc#1257005, BZ #33814) ++++ glibc: - memalign-overflow-check.patch: memalign: reinstate alignment overflow check (CVE-2026-0861, bsc#1256766, BZ #33796) - nss-dns-getnetbyaddr.patch: resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915, bsc#1256822, BZ #33802) - wordexp-wrde-reuse.patch: posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281, bsc#1257005, BZ #33814) ++++ openssl-3: - Security fixes: * Missing ASN1_TYPE validation in PKCS#12 parsing - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795] * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796] * Missing ASN1_TYPE validation in TS_RESP_verify_response() function - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420] * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421] * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419] * Heap out-of-bounds write in BIO_f_linebuffer on short writes - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160] * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418] * Stack buffer overflow in CMS AuthEnvelopedData parsing - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467] - openssl-CVE-2025-15467-comments.patch - openssl-CVE-2025-15467-test.patch ++++ openssl-3: - Security fixes: * Missing ASN1_TYPE validation in PKCS#12 parsing - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795] * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796] * Missing ASN1_TYPE validation in TS_RESP_verify_response() function - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420] * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421] * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419] * Heap out-of-bounds write in BIO_f_linebuffer on short writes - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160] * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418] * Stack buffer overflow in CMS AuthEnvelopedData parsing - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467] - openssl-CVE-2025-15467-comments.patch - openssl-CVE-2025-15467-test.patch ++++ openssl-3: - Security fixes: * Missing ASN1_TYPE validation in PKCS#12 parsing - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795] * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796] * Missing ASN1_TYPE validation in TS_RESP_verify_response() function - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420] * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421] * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419] * Heap out-of-bounds write in BIO_f_linebuffer on short writes - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160] * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418] * Stack buffer overflow in CMS AuthEnvelopedData parsing - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467] - openssl-CVE-2025-15467-comments.patch - openssl-CVE-2025-15467-test.patch ------------------------------------------------------------------ ------------------ 2026-1-14 - Jan 14 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libzypp: - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) ++++ libzypp: - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) ++++ libzypp: - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) ++++ libzypp: - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) ------------------------------------------------------------------ ------------------ 2026-1-13 - Jan 13 2026 ------------------- ------------------------------------------------------------------ ++++ systemd: - Name libsystemd-{shared,core} based on the major version of systemd and the package release number (bsc#1228081 bsc#1256427) This way, both the old and new versions of the shared libraries will be present during the update. This should prevent issues during package updates when incompatible changes are introduced in the new versions of the shared libraries. - Import commit 8bbac1d508acb8aa4e7262f47c7f4076b8350f72 8bbac1d508 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293) ++++ linuxptp: - Move to DevicePolicy=closed instead of -PrivateDevices=true to allow access to devices (bsc#1256059) ++++ python-urllib3: - Add CVE-2026-21441.patch to fix excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331, CVE-2026-21441) ++++ python-urllib3: - Add CVE-2026-21441.patch to fix excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331, CVE-2026-21441) ++++ python-urllib3: - Add CVE-2026-21441.patch to fix excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331, CVE-2026-21441) ------------------------------------------------------------------ ------------------ 2026-1-12 - Jan 12 2026 ------------------- ------------------------------------------------------------------ ++++ kernel-firmware: - Update AMD ucode to 20251203 (bsc#1256483) ++++ net-snmp: - Fix snmptrapd buffer overflow (bsc#1255491, CVE-2025-68615). Add net-snmp-5.9.4-fix-out-of-bounds-trapOid-access.patch ------------------------------------------------------------------ ------------------ 2026-1-11 - Jan 11 2026 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ util-linux: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ util-linux: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ libzypp: - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ++++ libzypp: - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ++++ libzypp: - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ++++ libzypp: - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ++++ util-linux-systemd: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ util-linux-systemd: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ util-linux-systemd: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ------------------------------------------------------------------ ------------------ 2026-1-9 - Jan 9 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libtasn1: - Security fix: [bsc#1256341, CVE-2025-13151] * Stack-based buffer overflow. The function asn1_expend_octet_string() fails to validate the size of input data resulting in a buffer overflow. * Add libtasn1-CVE-2025-13151.patch ------------------------------------------------------------------ ------------------ 2026-1-8 - Jan 8 2026 ------------------- ------------------------------------------------------------------ ++++ gpg2: - Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy) * gpg: Fix possible memory corruption in the armor parser [T7906] * Add gnupg-CVE-2025-68973.patch - Security fix: [bsc#1256246] (gpg.fail/sha1) * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904] * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch - Security fix: [bsc#1256244] (gpg.fail/detached) * gpg: Error out on unverified output for non-detached signatures [T7903] * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch - Security fix: [bsc#1256243] * gpg2 agent: Fix a memory leak * Add patch gnupg-agent-memleak.patch - Security fix: [bsc#1256390] (gpg.fail/notdash) * gpg2: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG * Add patch gnupg-CVE-2025-68972.patch ++++ gpg2: - Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy) * gpg: Fix possible memory corruption in the armor parser [T7906] * Add gnupg-CVE-2025-68973.patch - Security fix: [bsc#1256246] (gpg.fail/sha1) * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904] * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch - Security fix: [bsc#1256244] (gpg.fail/detached) * gpg: Error out on unverified output for non-detached signatures [T7903] * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch - Security fix: [bsc#1256243] * gpg2 agent: Fix a memory leak * Add patch gnupg-agent-memleak.patch - Security fix: [bsc#1256390] (gpg.fail/notdash) * gpg2: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG * Add patch gnupg-CVE-2025-68972.patch ++++ gpg2: - Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy) * gpg: Fix possible memory corruption in the armor parser [T7906] * Add gnupg-CVE-2025-68973.patch - Security fix: [bsc#1256246] (gpg.fail/sha1) * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904] * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch - Security fix: [bsc#1256244] (gpg.fail/detached) * gpg: Error out on unverified output for non-detached signatures [T7903] * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch - Security fix: [bsc#1256243] * gpg2 agent: Fix a memory leak * Add patch gnupg-agent-memleak.patch - Security fix: [bsc#1256390] (gpg.fail/notdash) * gpg2: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG * Add patch gnupg-CVE-2025-68972.patch ++++ libsodium: - Security fix: [bsc#1256070, CVE-2025-15444] * check Y==Z in addition to X==0 * Add patch libsodium-CVE-2025-15444.patch - Security fix: [bsc#1256070, CVE-2025-15444, bsc#1255764, CVE-2025-69277] * check Y==Z in addition to X==0 * Add patch libsodium-CVE-2025-15444.patch ------------------------------------------------------------------ ------------------ 2026-1-7 - Jan 7 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fix: [bsc#1256105, CVE-2025-14017] * call ldap_init() before setting the options * Add patch curl-CVE-2025-14017.patch ++++ curl: - Security fix: [bsc#1256105, CVE-2025-14017] * call ldap_init() before setting the options * Add patch curl-CVE-2025-14017.patch ++++ curl: - Security fix: [bsc#1256105, CVE-2025-14017] * call ldap_init() before setting the options * Add patch curl-CVE-2025-14017.patch ++++ ovmf: - Add backported patches for bsc#1218680 (CVE-2022-36765) - ovmf-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch 59f024c76ee5 UefiPayloadPkg/Hob: Integer Overflow in CreateHob() - ovmf-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch aeaee8944f0e EmbeddedPkg/Hob: Integer Overflow in CreateHob() - ovmf-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch 9a75b030cf27 StandaloneMmPkg/Hob: Integer Overflow in CreateHob() (bsc#1218680, CVE-2022-36765) ++++ rust-keylime: - Use tmpfiles.d for /var directories (PED-14736) + tmpfiles.keylime renamed to rust-keylime.conf and extended - Update to version 0.2.8+96: * build(deps): bump wiremock from 0.6.4 to 0.6.5 * build(deps): bump actions/checkout from 5 to 6 * build(deps): bump chrono from 0.4.41 to 0.4.42 * packit: Get coverage from Fedora 43 runs * Fix issues pointed out by clippy * Replace mutex unwraps with proper error handling in TPM library * Remove unused session request methods from StructureFiller * Fix config panic on missing ek_handle in push model agent * build(deps): bump tempfile from 3.21.0 to 3.23.0 * build(deps): bump actions/upload-artifact from 4 to 6 (#1163) * Fix clippy warnings project-wide * Add KEYLIME_DIR support for verifier TLS certificates in push model agent * Thread privileged resources and use MeasurementList for IMA reading * Add privileged resource initialization and privilege dropping to push model agent * Fix privilege dropping order in run_as() * add documentation on FQDN hostnames * Remove confusing logs for push mode agent * Set correct default Verifier port (8891->8881) (#1159) * Add verifier_url to reference configuration file (#1158) * Add TLS support for Registrar communication (#1139) * Fix agent handling of 403 registration responses (#1154) * Add minor README.md rephrasing (#1151) * build(deps): bump actions/checkout from 5 to 6 (#1153) * ci: update spec files for packit COPR build * docs: improve challenge encoding and async TPM documentation * refactor: improve middleware and error handling * feat: add authentication client with middleware integration * docker: Include keylime_push_model_agent binary * Include attestation_interval configuration (#1146) * Persist payload keys to avoid attestation failure on restart * crypto: Implement the load or generate pattern for keys * Use simple algorithm specifiers in certification_keys object (#1140) * tests: Enable more tests in CI * Fix RSA2048 algorithm reporting in keylime agent * Remove disabled_signing_algorithms configuration * rpm: Fix metadata patches to apply to current code * workflows/rpm.yml: Use more strict patching * build(deps): bump uuid from 1.17.0 to 1.18.1 * Fix ECC algorithm selection and reporting for keylime agent * Improve logging consistency and coherency * Implement minimal RFC compliance for Location header and URI parsing (#1125) * Use separate keys for payload mechanism and mTLS * docker: update rust to 1.81 for distroless Dockerfile * Ensure UEFI log capabilities are set to false * build(deps): bump http from 1.1.0 to 1.3.1 * build(deps): bump log from 0.4.27 to 0.4.28 * build(deps): bump cfg-if from 1.0.1 to 1.0.3 * build(deps): bump actix-rt from 2.10.0 to 2.11.0 * build(deps): bump async-trait from 0.1.88 to 0.1.89 * build(deps): bump trybuild from 1.0.105 to 1.0.110 * Accept evidence handling structures null entries * workflows: Add test to check if RPM patches still apply * CI: Enable test add-agent-with-malformed-ek-cert * config: Fix singleton tests * FSM: Remove needless lifetime annotations (#1105) * rpm: Do not remove wiremock which is now available in Fedora * Use latest Fedora httpdate version (1.0.3) * Enhance coverage with parse_retry_after test * Fix issues reported by CI regarding unwrap() calls * Reuse max retries indicated to the ResilientClient * Include limit of retries to 5 for Retry-After * Add policy to handle Retry-After response headers * build(deps): bump wiremock from 0.6.3 to 0.6.4 * build(deps): bump serde_json from 1.0.140 to 1.0.143 * build(deps): bump pest_derive from 2.8.0 to 2.8.1 * build(deps): bump syn from 2.0.90 to 2.0.106 * build(deps): bump tempfile from 3.20.0 to 3.21.0 * build(deps): bump thiserror from 2.0.12 to 2.0.16 * rpm: Fix patches to apply to current master code * build(deps): bump anyhow from 1.0.98 to 1.0.99 * state_machine: Automatically clean config override during tests * config: Implement singleton and factory pattern * testing: Support overriding configuration during tests * feat: implement standalone challenge-response authentication module * structures: rename session structs for clarity and fix typos * tpm: refactor certify_credential_with_iak() into a more generic function * Add Push Model Agent Mermaid FSM chart (#1095) * Add state to avoid exiting on wrong attestation (#1093) * Add 6 alphanumeric lowercase X-Request-ID header * Enhance Evidence Handling response parsing * build(deps): bump quote from 1.0.35 to 1.0.40 * build(deps): bump libc from 0.2.172 to 0.2.175 * build(deps): bump glob from 0.3.2 to 0.3.3 * build(deps): bump actix-web from 4.10.2 to 4.11.0 ++++ rust-keylime: - Use tmpfiles.d for /var directories (PED-14736) + tmpfiles.keylime renamed to rust-keylime.conf and extended - Update to version 0.2.8+96: * build(deps): bump wiremock from 0.6.4 to 0.6.5 * build(deps): bump actions/checkout from 5 to 6 * build(deps): bump chrono from 0.4.41 to 0.4.42 * packit: Get coverage from Fedora 43 runs * Fix issues pointed out by clippy * Replace mutex unwraps with proper error handling in TPM library * Remove unused session request methods from StructureFiller * Fix config panic on missing ek_handle in push model agent * build(deps): bump tempfile from 3.21.0 to 3.23.0 * build(deps): bump actions/upload-artifact from 4 to 6 (#1163) * Fix clippy warnings project-wide * Add KEYLIME_DIR support for verifier TLS certificates in push model agent * Thread privileged resources and use MeasurementList for IMA reading * Add privileged resource initialization and privilege dropping to push model agent * Fix privilege dropping order in run_as() * add documentation on FQDN hostnames * Remove confusing logs for push mode agent * Set correct default Verifier port (8891->8881) (#1159) * Add verifier_url to reference configuration file (#1158) * Add TLS support for Registrar communication (#1139) * Fix agent handling of 403 registration responses (#1154) * Add minor README.md rephrasing (#1151) * build(deps): bump actions/checkout from 5 to 6 (#1153) * ci: update spec files for packit COPR build * docs: improve challenge encoding and async TPM documentation * refactor: improve middleware and error handling * feat: add authentication client with middleware integration * docker: Include keylime_push_model_agent binary * Include attestation_interval configuration (#1146) * Persist payload keys to avoid attestation failure on restart * crypto: Implement the load or generate pattern for keys * Use simple algorithm specifiers in certification_keys object (#1140) * tests: Enable more tests in CI * Fix RSA2048 algorithm reporting in keylime agent * Remove disabled_signing_algorithms configuration * rpm: Fix metadata patches to apply to current code * workflows/rpm.yml: Use more strict patching * build(deps): bump uuid from 1.17.0 to 1.18.1 * Fix ECC algorithm selection and reporting for keylime agent * Improve logging consistency and coherency * Implement minimal RFC compliance for Location header and URI parsing (#1125) * Use separate keys for payload mechanism and mTLS * docker: update rust to 1.81 for distroless Dockerfile * Ensure UEFI log capabilities are set to false * build(deps): bump http from 1.1.0 to 1.3.1 * build(deps): bump log from 0.4.27 to 0.4.28 * build(deps): bump cfg-if from 1.0.1 to 1.0.3 * build(deps): bump actix-rt from 2.10.0 to 2.11.0 * build(deps): bump async-trait from 0.1.88 to 0.1.89 * build(deps): bump trybuild from 1.0.105 to 1.0.110 * Accept evidence handling structures null entries * workflows: Add test to check if RPM patches still apply * CI: Enable test add-agent-with-malformed-ek-cert * config: Fix singleton tests * FSM: Remove needless lifetime annotations (#1105) * rpm: Do not remove wiremock which is now available in Fedora * Use latest Fedora httpdate version (1.0.3) * Enhance coverage with parse_retry_after test * Fix issues reported by CI regarding unwrap() calls * Reuse max retries indicated to the ResilientClient * Include limit of retries to 5 for Retry-After * Add policy to handle Retry-After response headers * build(deps): bump wiremock from 0.6.3 to 0.6.4 * build(deps): bump serde_json from 1.0.140 to 1.0.143 * build(deps): bump pest_derive from 2.8.0 to 2.8.1 * build(deps): bump syn from 2.0.90 to 2.0.106 * build(deps): bump tempfile from 3.20.0 to 3.21.0 * build(deps): bump thiserror from 2.0.12 to 2.0.16 * rpm: Fix patches to apply to current master code * build(deps): bump anyhow from 1.0.98 to 1.0.99 * state_machine: Automatically clean config override during tests * config: Implement singleton and factory pattern * testing: Support overriding configuration during tests * feat: implement standalone challenge-response authentication module * structures: rename session structs for clarity and fix typos * tpm: refactor certify_credential_with_iak() into a more generic function * Add Push Model Agent Mermaid FSM chart (#1095) * Add state to avoid exiting on wrong attestation (#1093) * Add 6 alphanumeric lowercase X-Request-ID header * Enhance Evidence Handling response parsing * build(deps): bump quote from 1.0.35 to 1.0.40 * build(deps): bump libc from 0.2.172 to 0.2.175 * build(deps): bump glob from 0.3.2 to 0.3.3 * build(deps): bump actix-web from 4.10.2 to 4.11.0 ++++ selinux-policy: - Update to version 20230523+git34.7b0eea050: * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494, bsc#1255372) ------------------------------------------------------------------ ------------------ 2026-1-6 - Jan 6 2026 ------------------- ------------------------------------------------------------------ ++++ bluez: - Add input.conf-Change-default-of-ClassicBondedOnly.patch to change default of ClassicBondedOnly in input.conf. 25a471a83e02 input.conf: Change default of ClassicBondedOnly (bsc#1217877, CVE-2023-45866) - Fixed the date in bluez.changes: - Mon Sep2y 09:36:31 CEST 2008 - seife@suse.de +Mon Sep 29 09:36:31 CEST 2008 - seife@suse.de ------------------------------------------------------------------ ------------------ 2026-1-5 - Jan 5 2026 ------------------- ------------------------------------------------------------------ ++++ libpcap: - Security fix: [bsc#1255765, CVE-2025-11961] * Fix out-of-bound-write and out-of-bound-read in pcap_ether_aton() due to missing validation of provided MAC-48 address string * Add libpcap-CVE-2025-11961.patch ------------------------------------------------------------------ ------------------ 2026-1-2 - Jan 2 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ------------------------------------------------------------------ ------------------ 2025-12-24 - Dec 24 2025 ------------------- ------------------------------------------------------------------ ++++ ovmf: - Add the following patches from edk2-stable202402 for CVE-2023-45230: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch f31453e8d654 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch - ovmf-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch 8014ac2d7bbb NetworkPkg: : Add Unit tests to CI and create Host Test DSC - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch 5f3658197bf2 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests (bsc#1218880, CVE-2023-45230) - Add the following patches from edk2-stable202402 for CVE-2023-45229: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch 1dbb10cc52dc NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch 07362769ab7a NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests - ovmf-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch 1d0b95f6457d NetworkPkg: : Adds a SecurityFix.yaml file - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch 1c440a5eceed NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch - ovmf-NetworkPkg-Updating-SecurityFixes.yaml.patch 5fd3078a2e08 NetworkPkg: Updating SecurityFixes.yaml (bsc#1218879, CVE-2023-45229) ++++ ovmf: - Add the following patches from edk2-stable202402 for CVE-2023-45230: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch f31453e8d654 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch - ovmf-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch 8014ac2d7bbb NetworkPkg: : Add Unit tests to CI and create Host Test DSC - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch 5f3658197bf2 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests (bsc#1218880, CVE-2023-45230) - Add the following patches from edk2-stable202402 for CVE-2023-45229: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch 1dbb10cc52dc NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch 07362769ab7a NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests - ovmf-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch 1d0b95f6457d NetworkPkg: : Adds a SecurityFix.yaml file - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch 1c440a5eceed NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch - ovmf-NetworkPkg-Updating-SecurityFixes.yaml.patch 5fd3078a2e08 NetworkPkg: Updating SecurityFixes.yaml (bsc#1218879, CVE-2023-45229) ------------------------------------------------------------------ ------------------ 2025-12-23 - Dec 23 2025 ------------------- ------------------------------------------------------------------ ++++ capstone: - fix bsc#1255309 (CVE-2025-67873) Patch added: * fix-unchecked-lenght-cbef76.patch ------------------------------------------------------------------ ------------------ 2025-12-22 - Dec 22 2025 ------------------- ------------------------------------------------------------------ ++++ qemu: - More spec file cleanup: * [openSUSE][RPM} spec: delete old specfile constructs ++++ qemu: - More spec file cleanup: * [openSUSE][RPM} spec: delete old specfile constructs ++++ qemu: - More spec file cleanup: * [openSUSE][RPM} spec: delete old specfile constructs ------------------------------------------------------------------ ------------------ 2025-12-19 - Dec 19 2025 ------------------- ------------------------------------------------------------------ ++++ capstone: - Fix bsc#1255310 (CVE-2025-68114) Patch added: * fix-buffer-overflow-2c7797.patch ++++ podman: - Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542): * 0012-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch ++++ podman: - Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542): * 0012-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch ------------------------------------------------------------------ ------------------ 2025-12-18 - Dec 18 2025 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ qemu: - We *always* want a display driver in x86 too: * [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too ++++ qemu: - We *always* want a display driver in x86 too: * [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too ++++ qemu: - We *always* want a display driver in x86 too: * [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too ------------------------------------------------------------------ ------------------ 2025-12-17 - Dec 17 2025 ------------------- ------------------------------------------------------------------ ++++ selinux-policy: - Fix systemd generator.early and generator.late file contexts (bsc#1255027) ++++ selinux-policy: - Fix systemd generator.early and generator.late file contexts (bsc#1255027) ------------------------------------------------------------------ ------------------ 2025-12-16 - Dec 16 2025 ------------------- ------------------------------------------------------------------ ++++ libvirt: - CVE-2025-13193: qemu: Set umask for 'qemu-img' when creating external inactive snapshots bsc#1253703 - CVE-2025-12748: Check ACLs before parsing the whole domain XML bsc#1253278 ++++ qemu: - Bug and CVE fixes: * [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286) * net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002, CVE-2025-12464) ++++ qemu: - Bug and CVE fixes: * [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286) * net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002, CVE-2025-12464) ++++ qemu: - Bug and CVE fixes: * [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286) * net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002, CVE-2025-12464) ++++ rsync: - Security update (CVE-2025-10158, bsc#1254441): rsync: Out of bounds array access via negative index - Add rsync-CVE-2025-10158.patch ++++ rsync: - Security update (CVE-2025-10158, bsc#1254441): rsync: Out of bounds array access via negative index - Add rsync-CVE-2025-10158.patch ++++ rsync: - Security update (CVE-2025-10158, bsc#1254441): rsync: Out of bounds array access via negative index - Add rsync-CVE-2025-10158.patch ++++ shim: - shim-install: Add ca_string for SL Micro to update fallback loader The fallback loader, /boot/efi/EFI/BOOT/bootaa64.efi or bootx64.efi, cannot be upgraded by shim-install on SL Micro. The issue case is SL Micro 6.0. It causes that system gets regression bug because it's fallback to a old shim. So this patch adds ca_string to SL Micro. (bsc#1254336) ------------------------------------------------------------------ ------------------ 2025-12-15 - Dec 15 2025 ------------------- ------------------------------------------------------------------ ++++ glib2: - Add CVE fixes: + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827). + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch, glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087 glgo#GNOME/glib#3834). + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512 glgo#GNOME/glib#3845). ++++ glib2: - Add CVE fixes: + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827). + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch, glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087 glgo#GNOME/glib#3834). + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512 glgo#GNOME/glib#3845). ++++ systemd: - Import commit 9ecd16228492f44212e2771bec11ec78245b4094 9ecd162284 timer: rebase last_trigger timestamp if needed cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563) 05bcfe3295 test: check the next elapse timer timestamp after deserialization fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) b58e72215a units: add dep on systemd-logind.service by user@.service 97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449 - Sync systemd-update-helper with the version shipped in Base:System This includes the following changes: - systemd-update-helper: do not stop or disable services when they are migrated to other packages. This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of "break" in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: backport commit 2d0af8bc354f4a1429ce Since user@.service has `Type=notify-reload` (making the reloading process synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service" now. ++++ systemd: - Import commit 9ecd16228492f44212e2771bec11ec78245b4094 9ecd162284 timer: rebase last_trigger timestamp if needed cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563) 05bcfe3295 test: check the next elapse timer timestamp after deserialization fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) b58e72215a units: add dep on systemd-logind.service by user@.service 97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449 - Sync systemd-update-helper with the version shipped in Base:System This includes the following changes: - systemd-update-helper: do not stop or disable services when they are migrated to other packages. This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of "break" in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: backport commit 2d0af8bc354f4a1429ce Since user@.service has `Type=notify-reload` (making the reloading process synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service" now. ++++ python-tornado6: - Add security patches: * CVE-2025-67724.patch (bsc#1254903) * CVE-2025-67725.patch (bsc#1254905) * CVE-2025-67726.patch (bsc#1254904) ++++ python-tornado6: - Add security patches: * CVE-2025-67724.patch (bsc#1254903) * CVE-2025-67725.patch (bsc#1254905) * CVE-2025-67726.patch (bsc#1254904) ++++ shim: - Add DER format certificate files for the pretrans script to verify that the necessary certificate is in the UEFI db - openSUSE Secure Boot CA, 2013-2035 openSUSE_Secure_Boot_CA_2013.crt - SUSE Linux Enterprise Secure Boot CA, 2013-2035 SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt - Microsoft Corporation UEFI CA 2011, 2011-2026 Microsoft_Corporation_UEFI_CA_2011.crt - Microsoft UEFI CA 2023, 2023-2038 Microsoft_UEFI_CA_2023.crt - shim.spec: Add a pretrans script to verify that the necessary certificate is in the UEFI db. - Always put SUSE Linux Enterprise Secure Boot CA to target array. (bsc#1254679) ------------------------------------------------------------------ ------------------ 2025-12-12 - Dec 12 2025 ------------------- ------------------------------------------------------------------ ++++ shim: - Update to 16.1 - RPMs shim-16.1-150300.4.31.1.x86_64.rpm shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm shim-debugsource-16.1-150300.4.31.1.x86_64.rpm shim-16.1-150300.4.31.1.aarch64.rpm shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm shim-debugsource-16.1-150300.4.31.1.aarch64.rpm - submitreq: https://build.suse.de/request/show/395247 - repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update - Patches (git log --oneline --reverse 16.0..16.1) 4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols 39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses 3133d19 test-mock-variables: make our filter list entries safer. d44405e mock-variables: remove unused variable 0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04 d16a5a6 SbatLevel_Variable.txt: minor typo fix. 32804cf Realloc() needs one more byte for sprintf() 431d370 IPv6: Add more check to avoid multiple double colon and illegal char 5e4d93c Loader Proto: make freeing of bprop.buffer conditional. 33deac2 Prepare to move things from shim.c to verify.c 030e7df Move a bunch of stuff from shim.c to verify.c f3ddda7 handle_image(): make verification conditional 774f226 Cache sections of a loaded image and sub-images from them. eb0d20b loader-protocol: handle sub-section loading for UKIs 2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages 1abc7ca loader-protocol: NULL output variable in load_image on failure fb77b44 Generate Authenticode for the entire PE file b86b909 README: mention new loader protocol and interaction with UKIs 8522612 ci: add mkosi configuration and CI 9ebab84 mkosi workflow: fix the branch name for main. 72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX a2f0dfa This is an organizational patch to move some things around in mok.c 54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint() a5a6922 get_max_var_sz(): add more debugging for apple platforms 77a2922 Add a "VariableInfo" variable to mok-variables. efc71c9 build: Avoid passing *FLAGS to sub-make 7670932 Fixes for 'make TOPDIR=... clean' 13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1 617aed5 Update version to 16.1~rc1 d316ba8 format_variable_info(): fix wrong size test. f5fad0e _do_sha256_sum(): Fix missing error check. 3a9734d doc: add howto for running mkosi locally ced5f71 mkosi: remove spurious slashes from script 0076155 ci: update mkosi commit 5481105 fix http boot 121cddf loader-protocol: Handle UnloadImage after StartImage properly 6a1d1a9 loader-protocol: Fix memory leaks 27a5d22 gitignore: add more mkosi dirs and vscode dir 346ed15 mkosi: disable repository key check on Fedora afc4955 Update version to 16.1 - 16.1 release note https://github.com/rhboot/shim/releases shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738 Fix uncompressed ipv6 netboot by @hrvach in #742 fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739 Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749 SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751 Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746 IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753 Loader proto v2 by @vathpela in #748 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750 Generate Authenticode for the entire PE file by @esnowberg in #604 README: mention new loader protocol and interaction with UKIs by @bluca in #755 ci: add mkosi configuration and CI by @bluca in #764 shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761 Save var info by @vathpela in #763 build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758 Fixes for 'make TOPDIR=... clean' by @bluca in #762 add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766 Coverity fixes 20250804 by @vathpela in #767 ci: fixlets and docs for mkosi workflow by @bluca in #768 fix http boot by @jsetje in #770 Fix double free and leak in the loader protocol by @rosslagerwall in #769 gitignore: add more mkosi dirs and vscode dir by @bluca in #771 - Drop upstreamed patch: The following patches are merged to 16.1 - shim-alloc-one-more-byte-for-sprintf.patch - 32804cf5d9 Realloc() needs one more byte for sprintf() [16.1] - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588) - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1] - Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588) - Building with the latest version of gcc in the codebase: - The gcc13 can workaround dxe_get_mem_attrs() hsi_status problem - We prefer that building shim with the latest version of gcc in codebase. - Set the minimum version is gcc-13. (bsc#1247432) - SLE shim should includes vendor-dbx-sles.esl instead of vendor-dbx-opensuse.esl. Fixed it in shim.spec. ++++ supportutils: - Changes to version 3.2.12 + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274) + Run in containers without errors (bsc#1245667, PR#272) + Removed pmap PID from memory.txt (bsc#1246011, PR#263) + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264) + Improved database perforce with kGraft patching (bsc#1249657, PR#273) + Using last boot for journalctl for optimization (bsc#1250224, PR#287) + Fixed extraction failures (bsc#1252318, PR#275) + Update supportconfig.conf path in docs (bsc#1254425, PR#281) + drm_sub_info: Catch error when dir doesn't exist (PR#265) + Replace remaining `egrep` with `grep -E` (PR#261, PR#266) + Add process affinity to slert logs (PR#269) + Reintroduce cgroup statistics (and v2) (PR#270) + Minor changes to basic-health-check: improve information level (PR#271) + Collect important machine health counters (PR#276) + powerpc: collect hot-pluggable PCI and PHB slots (PR#278) + podman: collect podman disk usage (PR#279) + Exclude binary files in crondir (PR#282) + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284) + Use short-iso for journalctl (PR#288) ------------------------------------------------------------------ ------------------ 2025-12-5 - Dec 5 2025 ------------------- ------------------------------------------------------------------ ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ------------------------------------------------------------------ ------------------ 2025-11-28 - Nov 28 2025 ------------------- ------------------------------------------------------------------ ++++ libpng16: - security update - added patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ libpng16: - security update - added patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ libpng16: - security update - added patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ libpng16: - security update - added patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ sqlite3: - Update to version 3.51.1: * Fix incorrect results from nested EXISTS queries caused by the optimization in item 6b in the 3.51.0 release. * Fix a latent bug in fts5vocab virtual table, exposed by new optimizations in the 3.51.0 release - Changes in version 3.51.0: * New macros in sqlite3.h: - SQLITE_SCM_BRANCH → the name of the branch from which the source code is taken. - SQLITE_SCM_TAGS → space-separated list of tags on the source code check-in. - SQLITE_SCM_DATETIME → ISO-8601 date and time of the source code check-in. * Two new JSON functions, jsonb_each() and jsonb_tree() work the same as the existing json_each() and json_tree() functions except that they return JSONB for the "value" column when the "type" is 'array' or 'object'. * The carray and percentile extensions are now built into the amalgamation, though they are disabled by default and must be activated at compile-time using the -DSQLITE_ENABLE_CARRAY and/or -DSQLITE_ENABLE_PERCENTILE options, respectively. * Enhancements to TCL Interface: - Add the -asdict flag to the eval command to have it set the row data as a dict instead of an array. - User-defined functions may now break to return an SQL NULL. * CLI enhancements: - Increase the precision of ".timer" to microseconds. - Enhance the "box" and "column" formatting modes to deal with double-wide characters. - The ".imposter" command provides read-only imposter tables that work with VACUUM and do not require the --unsafe-testing option. - Add the --ifexists option to the CLI command-line option and to the .open command. - Limit columns widths set by the ".width" command to 30,000 or less, as there is not good reason to have wider columns, but supporting wider columns provides opportunity to malefactors. * Performance enhancements: - Use fewer CPU cycles to commit a read transaction. - Early detection of joins that return no rows due to one or more of the tables containing no rows. - Avoid evaluation of scalar subqueries if the result of the subquery does not change the result of the overall expression. - Faster window function queries when using "BETWEEN :x FOLLOWING AND :y FOLLOWING" with a large :y. * Add the PRAGMA wal_checkpoint=NOOP; command and the SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2(). * Add the sqlite3_set_errmsg() API for use by extensions. * Add the sqlite3_db_status64() API, which works just like the existing sqlite3_db_status() API except that it returns 64-bit results. * Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the sqlite3_db_status() and sqlite3_db_status64() interfaces. * In the session extension add the sqlite3changeset_apply_v3() interface. * For the built-in printf() and the format() SQL function, omit the leading '-' from negative floating point numbers if the '+' flag is omitted and the "#" flag is present and all displayed digits are '0'. Use '%#f' or similar to avoid outputs like '-0.00' and instead show just '0.00'. * Improved error messages generated by FTS5. * Enforce STRICT typing on computed columns. * Improved support for VxWorks * JavaScript/WASM now supports 64-bit WASM. The canonical builds continue to be 32-bit but creating one's own 64-bit build is now as simple as running "make". * Improved resistance to database corruption caused by an application breaking Posix advisory locks using close(). ++++ runc: - Update to runc v1.3.4. Upstream changelog is available from . bsc#1254362 ------------------------------------------------------------------ ------------------ 2025-11-26 - Nov 26 2025 ------------------- ------------------------------------------------------------------ ++++ openvswitch: - OpenvSwitch upstream bugfix updates: * https://www.openvswitch.org/releases/NEWS-3.1.7.txt * v3.1.7 - Bug fixes - OVS validated with DPDK 22.11.7. * v3.1.6 - Bug fixes - OVS validated with DPDK 22.11.6. * v3.1.5 - Bug fixes - OVS validated with DPDK 22.11.5. * v3.1.4 - Bug fixes - Fixed vulnerabilities CVE-2023-3966 (bsc#1219465) and CVE-2023-5366 (bsc#1216002). - OVS validated with DPDK 22.11.4. * v3.1.3 - Bug fixes * v3.1.2 - Bug fixes * v3.1.1 - Bug fixes - Fixed vulnerability CVE-2023-1668 (bsc#1210054) - Remove included patches: CVE-2023-1668.patch - OVN upstream bugfix updates: * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS - Fix CVE-2025-0650 (bsc#1236353) ovn: egress ACLs may be bypassed via specially crafted UDP packet (CVE-2025-0650.patch) * v23.03.3 - Bug fixes - Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets. - Security: Fixed vulnerability CVE-2024-2182 (bsc#1255435). - Updated patches install-ovsdb-tools.patch * v23.03.2 - Bug fixes * v23.03.1 - Bug fixes - CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default. - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined. - Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network. - ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller. - Add CoPP for the svc_monitor_mac. This addresses CVE-2023-3153 (bsc#1212125). - Remove included patches: CVE-2023-3152.patch ++++ openvswitch: - OpenvSwitch upstream bugfix updates: * https://www.openvswitch.org/releases/NEWS-3.1.7.txt * v3.1.7 - Bug fixes - OVS validated with DPDK 22.11.7. * v3.1.6 - Bug fixes - OVS validated with DPDK 22.11.6. * v3.1.5 - Bug fixes - OVS validated with DPDK 22.11.5. * v3.1.4 - Bug fixes - Fixed vulnerabilities CVE-2023-3966 (bsc#1219465) and CVE-2023-5366 (bsc#1216002). - OVS validated with DPDK 22.11.4. * v3.1.3 - Bug fixes * v3.1.2 - Bug fixes * v3.1.1 - Bug fixes - Fixed vulnerability CVE-2023-1668 (bsc#1210054) - Remove included patches: CVE-2023-1668.patch - OVN upstream bugfix updates: * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS - Fix CVE-2025-0650 (bsc#1236353) ovn: egress ACLs may be bypassed via specially crafted UDP packet (CVE-2025-0650.patch) * v23.03.3 - Bug fixes - Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets. - Security: Fixed vulnerability CVE-2024-2182 (bsc#1255435). - Updated patches install-ovsdb-tools.patch * v23.03.2 - Bug fixes * v23.03.1 - Bug fixes - CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default. - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined. - Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network. - ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller. - Add CoPP for the svc_monitor_mac. This addresses CVE-2023-3153 (bsc#1212125). - Remove included patches: CVE-2023-3152.patch ------------------------------------------------------------------ ------------------ 2025-11-25 - Nov 25 2025 ------------------- ------------------------------------------------------------------ ++++ salt: - Add minimum_auth_version to enforce security (CVE-2025-62349) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Junos module yaml loader fix (CVE-2025-62348) - Require Python dependencies only for used Python version - Fix TLS and x509 modules for OSes with older cryptography module - Require python-legacy-cgi only for Python > 3.12 - Builds with py >=3.13 require python-legacy-cgi - Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244) - * Use external tornado on Python > 3.11 - * Make tls and x509 to use python-cryptography - * Remove usage of spwd - Fix payload signature verification on Tumbleweed (bsc#1251776) - Fix broken symlink on migration to Leap 16.0 (bsc#1250755) - Use versioned python interpreter for salt-ssh - Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207) - Add python3.11 as preferable for salt-ssh to avoid tests fails - Make test_pillar_timeout test more reliable - Modify README and other doc files for openSUSE - Set python-CherryPy as required for python-salt-testsuite (#115) - Revert require M2Crypto >= 0.44.0 for SUSE Family distros - This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d. - Improve SL Micro 6.2 detection with grains - Fix functional.states.test_user for SLES 16 and Micro systems - Fix the tests failing on AlmaLinux 10 and other clones - Added: * backport-3006.17-security-fixes-739.patch * fix-tls-and-x509-modules-for-older-cryptography-modu.patch * fix-salt-for-python-3.11.patch * do-not-break-signature-verification-on-latest-m2cryp.patch * use-versioned-python-interpreter-for-salt-ssh.patch * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch * even-more-reliable-pillar-timeout-test.patch * modify-readme-for-opensuse-728.patch * improve-sl-micro-6.2-detection-with-grains.patch * fix-functional.states.test_user-for-sles-16-and-micr.patch * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch ++++ salt: - Add minimum_auth_version to enforce security (CVE-2025-62349) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Junos module yaml loader fix (CVE-2025-62348) - Require Python dependencies only for used Python version - Fix TLS and x509 modules for OSes with older cryptography module - Require python-legacy-cgi only for Python > 3.12 - Builds with py >=3.13 require python-legacy-cgi - Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244) - * Use external tornado on Python > 3.11 - * Make tls and x509 to use python-cryptography - * Remove usage of spwd - Fix payload signature verification on Tumbleweed (bsc#1251776) - Fix broken symlink on migration to Leap 16.0 (bsc#1250755) - Use versioned python interpreter for salt-ssh - Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207) - Add python3.11 as preferable for salt-ssh to avoid tests fails - Make test_pillar_timeout test more reliable - Modify README and other doc files for openSUSE - Set python-CherryPy as required for python-salt-testsuite (#115) - Revert require M2Crypto >= 0.44.0 for SUSE Family distros - This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d. - Improve SL Micro 6.2 detection with grains - Fix functional.states.test_user for SLES 16 and Micro systems - Fix the tests failing on AlmaLinux 10 and other clones - Added: * backport-3006.17-security-fixes-739.patch * fix-tls-and-x509-modules-for-older-cryptography-modu.patch * fix-salt-for-python-3.11.patch * do-not-break-signature-verification-on-latest-m2cryp.patch * use-versioned-python-interpreter-for-salt-ssh.patch * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch * even-more-reliable-pillar-timeout-test.patch * modify-readme-for-opensuse-728.patch * improve-sl-micro-6.2-detection-with-grains.patch * fix-functional.states.test_user-for-sles-16-and-micr.patch * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch ++++ salt: - Add minimum_auth_version to enforce security (CVE-2025-62349) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Junos module yaml loader fix (CVE-2025-62348) - Require Python dependencies only for used Python version - Fix TLS and x509 modules for OSes with older cryptography module - Require python-legacy-cgi only for Python > 3.12 - Builds with py >=3.13 require python-legacy-cgi - Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244) - * Use external tornado on Python > 3.11 - * Make tls and x509 to use python-cryptography - * Remove usage of spwd - Fix payload signature verification on Tumbleweed (bsc#1251776) - Fix broken symlink on migration to Leap 16.0 (bsc#1250755) - Use versioned python interpreter for salt-ssh - Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207) - Add python3.11 as preferable for salt-ssh to avoid tests fails - Make test_pillar_timeout test more reliable - Modify README and other doc files for openSUSE - Set python-CherryPy as required for python-salt-testsuite (#115) - Revert require M2Crypto >= 0.44.0 for SUSE Family distros - This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d. - Improve SL Micro 6.2 detection with grains - Fix functional.states.test_user for SLES 16 and Micro systems - Fix the tests failing on AlmaLinux 10 and other clones - Added: * backport-3006.17-security-fixes-739.patch * fix-tls-and-x509-modules-for-older-cryptography-modu.patch * fix-salt-for-python-3.11.patch * do-not-break-signature-verification-on-latest-m2cryp.patch * use-versioned-python-interpreter-for-salt-ssh.patch * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch * even-more-reliable-pillar-timeout-test.patch * modify-readme-for-opensuse-728.patch * improve-sl-micro-6.2-detection-with-grains.patch * fix-functional.states.test_user-for-sles-16-and-micr.patch * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch ------------------------------------------------------------------ ------------------ 2025-11-24 - Nov 24 2025 ------------------- ------------------------------------------------------------------ ++++ gnutls: - Security fix bsc#1254132 CVE-2025-9820 * Fix buffer overflow in gnutls_pkcs11_token_init * Added gnutls-CVE-2025-9820.patch ++++ gnutls: - Security fix bsc#1254132 CVE-2025-9820 * Fix buffer overflow in gnutls_pkcs11_token_init * Added gnutls-CVE-2025-9820.patch ++++ gnutls: - Security fix bsc#1254132 CVE-2025-9820 * Fix buffer overflow in gnutls_pkcs11_token_init * Added gnutls-CVE-2025-9820.patch ------------------------------------------------------------------ ------------------ 2025-11-21 - Nov 21 2025 ------------------- ------------------------------------------------------------------ ++++ libmicrohttpd: - Fix for the following bugs: * bsc#1253177 CVE-2025-59777 * bsc#1253178 CVE-2025-62689 - Add patch: * CVE-2025-59777.patch * this same patch fixes both CVEs * git commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b ------------------------------------------------------------------ ------------------ 2025-11-19 - Nov 19 2025 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ kmod: - man: modprobe.d: document the config file order handling (bsc#1253741) * man-modprobe.d-document-the-config-file-order-handling.patch ------------------------------------------------------------------ ------------------ 2025-11-18 - Nov 18 2025 ------------------- ------------------------------------------------------------------ ++++ sssd: - Install file in krb5.conf.d to include sssd krb5 config snippets; (bsc#1244325); - Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561); (bsc#1251827); Add patch 0006-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch ------------------------------------------------------------------ ------------------ 2025-11-17 - Nov 17 2025 ------------------- ------------------------------------------------------------------ ++++ dpdk: - Upstream bugfix update: - Version 22.11.10 - net/mlx5: fix out-of-order completions in ordinary Rx burst (CVE-2025-23259, bsc#1254161) - Version 22.11.9 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id24 - Version 22.11.8 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id21 - Version 22.11.7 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id18 - Remove included fix dpdk-CVE-2024-11614.patch - Version 22.11.6 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id15 - Version 22.11.5 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id12 - Version 22.11.4 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id8 - Version 22.11.3 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id4 Remove included fixes: - 0001-kni-fix-build-with-Linux-6.3.patch - Version 22.11.2 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id2 - Fix [bsc#1214724], SUSE provided DPDK modules taint the kernel as unsupported + Add kernel support flag for rte_kni.ko ++++ dpdk: - Upstream bugfix update: - Version 22.11.10 - net/mlx5: fix out-of-order completions in ordinary Rx burst (CVE-2025-23259, bsc#1254161) - Version 22.11.9 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id24 - Version 22.11.8 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id21 - Version 22.11.7 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id18 - Remove included fix dpdk-CVE-2024-11614.patch - Version 22.11.6 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id15 - Version 22.11.5 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id12 - Version 22.11.4 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id8 - Version 22.11.3 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id4 Remove included fixes: - 0001-kni-fix-build-with-Linux-6.3.patch - Version 22.11.2 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id2 - Fix [bsc#1214724], SUSE provided DPDK modules taint the kernel as unsupported + Add kernel support flag for rte_kni.ko ++++ glib2: - Add glib2-CVE-2025-7039.patch: fix computation of temporary file name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716). ++++ glib2: - Add glib2-CVE-2025-7039.patch: fix computation of temporary file name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716). ++++ glib2: - Add glib2-CVE-2025-7039.patch: fix computation of temporary file name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716). ++++ freetype2: - update to 2.14.1: * The auto-hinter got new abilities. It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary * Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines. * Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph * The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed. * Handling of Variation Fonts is now considerably faster * TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed-point multiplication. * The BDF driver now loads fonts 75% faster. ------------------------------------------------------------------ ------------------ 2025-11-13 - Nov 13 2025 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ unbound: - Fix CVE-2025-11411 (possible domain hijacking attack). Since this minimal patch interferes with most of the unit tests, the '%check' section has been removed from the spec file. [CVE-2025-11411, bsc#1252525, unbound-1.22-CVE-2025-11411.patch] ++++ unbound: - Fix CVE-2025-11411 (possible domain hijacking attack). Since this minimal patch interferes with most of the unit tests, the '%check' section has been removed from the spec file. [CVE-2025-11411, bsc#1252525, unbound-1.22-CVE-2025-11411.patch] ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ qemu: - Bugfixes: * io: fix use after free in websocket handshake code (bsc#1250984, CVE-2025-11234) * io: move websock resource release to close method (bsc#1250984, CVE-2025-11234) * io: release active GSource in TLS channel finalizer (bsc#1250984, CVE-2025-11234) * block/curl: fix curl internal handles handling (bsc#1252768, CVE-2025-11234) ++++ qemu: - Bugfixes: * io: fix use after free in websocket handshake code (bsc#1250984, CVE-2025-11234) * io: move websock resource release to close method (bsc#1250984, CVE-2025-11234) * io: release active GSource in TLS channel finalizer (bsc#1250984, CVE-2025-11234) * block/curl: fix curl internal handles handling (bsc#1252768, CVE-2025-11234) ++++ qemu: - Bugfixes: * io: fix use after free in websocket handshake code (bsc#1250984, CVE-2025-11234) * io: move websock resource release to close method (bsc#1250984, CVE-2025-11234) * io: release active GSource in TLS channel finalizer (bsc#1250984, CVE-2025-11234) * block/curl: fix curl internal handles handling (bsc#1252768, CVE-2025-11234) ------------------------------------------------------------------ ------------------ 2025-11-12 - Nov 12 2025 ------------------- ------------------------------------------------------------------ ++++ grub2: - Fix CVE-2025-54771 (bsc#1252931) * 0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch - Fix CVE-2025-54770 (bsc#1252930) * 0002-net-net-Unregister-net_set_vlan-command-on-unload.patch - Fix CVE-2025-61662 (bsc#1252933) * 0003-gettext-gettext-Unregister-gettext-command-on-module.patch - Fix CVE-2025-61663 (bsc#1252934) - Fix CVE-2025-61664 (bsc#1252935) * 0004-normal-main-Unregister-commands-on-module-unload.patch * 0005-tests-lib-functional_test-Unregister-commands-on-mod.patch - Fix CVE-2025-61661 (bsc#1252932) * 0006-commands-usbtest-Use-correct-string-length-field.patch * 0007-commands-usbtest-Ensure-string-length-is-sufficient-.patch - Bump upstream SBAT generation to 6 ------------------------------------------------------------------ ------------------ 2025-11-11 - Nov 11 2025 ------------------- ------------------------------------------------------------------ ++++ cloud-init: - Fix dependency replace -serial with -pyserial ------------------------------------------------------------------ ------------------ 2025-11-9 - Nov 9 2025 ------------------- ------------------------------------------------------------------ ++++ containerd: - Update to containerd v1.7.29. Upstream release notes: * CVE-2024-25621 bsc#1253126 * CVE-2025-64329 bsc#1253132 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch ++++ containerd: - Update to containerd v1.7.29. Upstream release notes: * CVE-2024-25621 bsc#1253126 * CVE-2025-64329 bsc#1253132 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch ------------------------------------------------------------------ ------------------ 2025-11-7 - Nov 7 2025 ------------------- ------------------------------------------------------------------ ++++ openssh: - Add openssh-cve-2025-61984-username-validation.patch (bsc#1251198, CVE-2025-61984). - Add openssh-cve-2025-61985-nul-url-encode.patch (bsc#1251199, CVE-2025-61985). ++++ openssh: - Add openssh-cve-2025-61984-username-validation.patch (bsc#1251198, CVE-2025-61984). - Add openssh-cve-2025-61985-nul-url-encode.patch (bsc#1251199, CVE-2025-61985). ------------------------------------------------------------------ ------------------ 2025-11-6 - Nov 6 2025 ------------------- ------------------------------------------------------------------ ++++ podman: - Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376): * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch - Add patch for bsc#1252543: * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch ++++ podman: - Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376): * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch - Add patch for bsc#1252543: * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch ++++ podman: - Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376): * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch - Add patch for bsc#1252543: * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch ------------------------------------------------------------------ ------------------ 2025-11-5 - Nov 5 2025 ------------------- ------------------------------------------------------------------ ++++ runc: - Update to runc v1.3.3. Upstream changelog is available from . bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 - Remove upstreamed patches for bsc#1252232: - 2025-11-05-CVEs.patch ++++ runc: - Update to runc v1.3.3. Upstream changelog is available from . bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 - Remove upstreamed patches for bsc#1252232: - 2025-11-05-CVEs.patch ------------------------------------------------------------------ ------------------ 2025-11-4 - Nov 4 2025 ------------------- ------------------------------------------------------------------ ++++ dracut: - Update to version 059+suse.607.g05002594: * fix(kernel-modules-extra): remove stray \ before / (bsc#1253029) ------------------------------------------------------------------ ------------------ 2025-10-28 - Oct 28 2025 ------------------- ------------------------------------------------------------------ ++++ libgcrypt: - Fix running the test suite in FIPS mode [bsc#1246934] * Add libgcrypt-fix-pkcs12-test-in-FIPS-mode.patch * Rebase libgcrypt-FIPS-SLI-kdf-leylength.patch ------------------------------------------------------------------ ------------------ 2025-10-27 - Oct 27 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290 ++++ docker: - Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290 ++++ docker: - Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290 ------------------------------------------------------------------ ------------------ 2025-10-22 - Oct 22 2025 ------------------- ------------------------------------------------------------------ ++++ gpgme: - Treat empty DISPLAY variable as unset. [bsc#1252425, bsc#1231055] * To avoid gpgme constructing an invalid gpg command line when the DISPLAY variable is empty it can be treated as unset. * Add gpgme-Treat-empty-DISPLAY-variable-as-unset.patch * Reported upstream: dev.gnupg.org/T7919 ------------------------------------------------------------------ ------------------ 2025-10-21 - Oct 21 2025 ------------------- ------------------------------------------------------------------ ++++ sqlite3: - bsc#1252217: Add a %license file. ++++ sqlite3: - bsc#1252217: Add a %license file. ------------------------------------------------------------------ ------------------ 2025-10-19 - Oct 19 2025 ------------------- ------------------------------------------------------------------ ++++ util-linux: - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch). ++++ util-linux: - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch). ++++ util-linux: - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch). ++++ util-linux-systemd: - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch). ++++ util-linux-systemd: - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch). ++++ util-linux-systemd: - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch). ------------------------------------------------------------------ ------------------ 2025-10-17 - Oct 17 2025 ------------------- ------------------------------------------------------------------ ++++ freetype2: - package FTL.TXT and GPLv2.TXT [bsc#1252148] ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ------------------------------------------------------------------ ------------------ 2025-10-16 - Oct 16 2025 ------------------- ------------------------------------------------------------------ ++++ runc: [ This update was only released for SLE 12 and 15. ] - Backport patches for three CVEs. All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files. bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 + 2025-11-05-CVEs.patch ++++ runc: [ This update was only released for SLE 12 and 15. ] - Backport patches for three CVEs. All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files. bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 + 2025-11-05-CVEs.patch ------------------------------------------------------------------ ------------------ 2025-10-15 - Oct 15 2025 ------------------- ------------------------------------------------------------------ ++++ libxslt: - security update - added patches CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultCompfunction leading to denial of service * libxslt-CVE-2025-11731.patch ++++ libxslt: - security update - added patches CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultCompfunction leading to denial of service * libxslt-CVE-2025-11731.patch ++++ python311-core: - Update to 3.11.14: - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file (CVE-2025-8291, bsc#1251305). - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. * Whitespaces no longer accepted between does not end the script section. * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the