Packages changed: MicroOS-release (20260313 -> 20260314) curl (8.18.0 -> 8.19.0) docker (29.2.1_ce -> 29.3.0_ce) fcoe-utils (1.0.34 -> 1.0.34+9.3d27180c86c) grub2 kernel-source (6.19.6 -> 6.19.7) libplacebo (7.360.0 -> 7.360.1) libsolv (0.7.35 -> 0.7.36) libvpl nghttp3 (1.14.0 -> 1.15.0) ngtcp2 (1.19.0 -> 1.21.0) open-iscsi python-gobject python-tornado6 (6.5.4 -> 6.5.5) qt6-base systemd (259.3 -> 259.5) === Details === ==== MicroOS-release ==== Version update (20260313 -> 20260314) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== curl ==== Version update (8.18.0 -> 8.19.0) Subpackages: libcurl4 - Update to 8.19.0: * Security fixes: - CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362) - CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363) - CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364) - CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365) * Changes: - BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 - cmake: add 'CURL_BUILD_EVERYTHING' option - mqtt: initial support for MQTTS - tool: support fractions for --limit-rate and --max-filesize - tool_cb_hdr: with -J, use the redirect name as a backup - vquic: drop support for OpenSSL-QUIC * Bugfixes: - altsvc: only accept 17 byte dates from files - asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails - build: move curl stat struct type to the curlx namespace - build: require POSIX 'strdup()' - build: tidy up and dedupe 'strdup' functions - cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks - cf-socket: use SOCK_CLOEXEC in socket_open when available - cmake: reference OpenSSL and ZLIB imported targets only when enabled - cmake: skip binutils ld hack if zlib/openssl target is not 'IMPORTED' - config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST - curl: add -I and -i to -h important - curl_setup.h: simplify curl memory macro mappings - curlx: drop unused 'curlx_saferealloc()' - digest: escape double quotes and backslashes in realm and nonce - digest: fix memory leak in auth_create_digest_http_message() - digest: handle quotes in the path - easy: reset errorbuf on eyeballing success - easy: reset pausing when resetting request - ftp: replace a 'curlx_free()' with 'curlx_dyn_free()' - ftp: split ftp_state_use_port into sub functions - GOVERNANCE.md: Post-Daniel BDFL - gss: exclude verbose error logic from non-verbose builds - h2+h3: align stream close handling - hostip.c: fix leak of addrinfo - hostip6: remove debug-only code - hostip: fix unreachable code in rare build configuration - http/3: add description for known server error codes - http1: fix potential NULL dereference in 'Curl_h1_req_parse_read()' - http: only send bearer if auth is allowed - imap: add a check for Curl_meta_get() - imap: check 'imap_sendf()' printf masks at compile-time - imap: skip literals inside quoted strings - include: mask computed auth/proto bitmasks to 32 bits - lib: disable websockets early if no http - lib: make sigpipe handling more lazy - lib: reorder protocol functions to avoid forward declarations (email,ftp, misc, ssh) - lib: separate scheme info from protocol implementation - lib: use (u)int64_t instead of long long - mbedtls: guard TLS 1.3 + session tickets usage inside ifdef - mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - md4, md5: drop redundant forward declarations - md4, md5: replace custom types with 'uint32_t' - mimepost: allocate main struct on-demand - mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos - mqtt: better too-big-message-check - mqtt: fix EOF handling - mqtt: verify Remaining Length for CONNACK and PUBACK - multi: avoid a theoretical 32-bit wrap - multi: probe for IPv6 functionality in multi_init() - noproxy: simplify, don't mix const non-const in strchr() - openldap: avoid forward declarations in ldaps code - openssl+ech: workaround for insecure handshakes - openssl: adapt to OpenSSL master adding const to more APIs - OpenSSL: check reuse of sessions for verify status - openssl: disable local keylog feature if built-in upstream - openssl: fix compiler warning with OpenSSL master - openssl: fix potential OOB read in debug/verbose logging - quiche: use PRIu64 for outputting the stream id - request.h: rename parameter 'buf' to 'req' in Curl_req_send - rtsp: fix assertion failure on zero-length RTP payload - rtspd: fix to check 'realloc()' result - setopt: refuse blobs with zero length - ssh: dedupe state change function - tftp: correct the filename length check - timeout handling: auto-detect effective timeout - tls: add new SSLSUPP flags for several options - tls: remove checks for DEFAULT - tool: enable header separation for HTTPS proxies - tool_cb_hdr: suppress header output when --out-null - tool_operate: reset the URL --url-query between --next - url: fix reuse of connections using HTTP Negotiate - urlapi: use U_CURLU_URLDECODE when toggling it off unsigned - urldata: byebye 'conn->hostname_resolve' - urldata: change 'keep_post' into three distinct bitfields - urldata: convert 'long' fields to fixed variable types - urldata: switch to uint* types - usercertinmem: use the correct cert BIO - vquic: handle SOCKEMSGSIZE correctly - vtls: dedupe common on-session-reuse logic - vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests - VULN-DISCLOSURE-POLICY.md: push reports to the web form - VULN-DISCLOSURE-POLICY.md: use hackerone - x509asn1: make encodeOID stop on too long input * Remove now unrecognized option --with-openssl-quic * Rebase patches: - curl-disabled-redirect-protocol-message.patch - dont-mess-with-rpmoptflags.patch - libcurl-ocloexec.patch - Build with --enable-ntlm. Certain Exchange Server endpoints oddly permit NTLM but not Basic-type authentication. ==== docker ==== Version update (29.2.1_ce -> 29.3.0_ce) Subpackages: docker-buildx docker-rootless-extras - Update to Docker 29.3.0. See upstream changelog online at - Update to buildx 0.32.1. See upstream changelog online at - Rebased patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch ==== fcoe-utils ==== Version update (1.0.34 -> 1.0.34+9.3d27180c86c) - Update to version 1.0.34+9.3d27180c86c, removing the need for 3 existing patches (see below): * Fix build against glibc 2.43 (patch fcoe-utils-glibc-2.43.patch, no longer needed) * updated path * using vendor directory (e.g. /usr/etc) as fallback for /etc (patch usr_etc.patch no longer needed) * fcoemon: add snprintf string precision modifiers in fcm_netif_advance * Fix GCC 12 warning. (patch fcoe-utils-Fix-GCC-12-warning.patch no longer needed) * Preparing for version v1.0.34 - Add fcoe-utils-glibc-2.43.patch: Fix build against glibc 2.43. - Moved /etc/fcoe/cfg-ethx and /etc/fcoe/config to /usr/etc. - This patch is upstream: https://github.com/openSUSE/fcoe-utils/pull/24 and is called usr_etc.patch ==== grub2 ==== Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls - Fix LoaderConfigTimeout and LoaderConfigTimeoutOneshot (bsc#1259477) * grub2-bls-loader-config-timeout-fix.patch ==== kernel-source ==== Version update (6.19.6 -> 6.19.7) - Linux 6.19.7 (bsc#1012628). - perf/core: Fix refcount bug and potential UAF in perf_mmap (bsc#1012628). - drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release (bsc#1012628). - drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (bsc#1012628). - debugobject: Make it work with deferred page initialization - again (bsc#1012628). - drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() (bsc#1012628). - KVM: arm64: Hide S1POE from guests when not supported by the host (bsc#1012628). - KVM: arm64: Fix ID register initialization for non-protected pKVM guests (bsc#1012628). - drm/fourcc: fix plane order for 10/12/16-bit YCbCr formats (bsc#1012628). - drm/tiny: sharp-memory: fix pointer error dereference (bsc#1012628). - irqchip/sifive-plic: Fix frozen interrupt due to affinity setting (bsc#1012628). - scsi: lpfc: Properly set WC for DPP mapping (bsc#1012628). - scsi: pm8001: Fix use-after-free in pm8001_queue_command() (bsc#1012628). - accel: ethosu: Fix shift overflow in cmd_to_addr() (bsc#1012628). - drm/imx: parallel-display: check return value of devm_drm_bridge_add() in imx_pd_probe() (bsc#1012628). - drm/bridge: synopsys: dw-dp: Check return value of devm_drm_bridge_add() in dw_dp_bind() (bsc#1012628). - ALSA: scarlett2: Fix DSP filter control array handling (bsc#1012628). - ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices (bsc#1012628). - ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP (bsc#1012628). - gpio: shared: fix memory leaks (bsc#1012628). - x86/fred: Correct speculative safety in fred_extint() (bsc#1012628). - x86/bug: Handle __WARN_printf() trap in early_fixup_exception() (bsc#1012628). - x86/cfi: Fix CFI rewrite for odd alignments (bsc#1012628). - sched/fair: Rename cfs_rq::avg_load to cfs_rq::sum_weight (bsc#1012628). - sched/fair: Rename cfs_rq::avg_vruntime to ::sum_w_vruntime, and helper functions (bsc#1012628). - sched/fair: Introduce and use the vruntime_cmp() and vruntime_op() wrappers for wrapped-signed aritmetics (bsc#1012628). - sched/fair: Fix zero_vruntime tracking (bsc#1012628). - sched/fair: Only set slice protection at pick time (bsc#1012628). - sched/eevdf: Update se->vprot in reweight_entity() (bsc#1012628). - sched/fair: Fix lag clamp (bsc#1012628). - rseq: Clarify rseq registration rseq_size bound check comment (bsc#1012628). - perf/core: Fix invalid wait context in ctx_sched_in() (bsc#1012628). - accel/amdxdna: Remove buffer size check when creating command BO (bsc#1012628). - accel/amdxdna: Switch to always use chained command (bsc#1012628). - accel/amdxdna: Fix crash when destroying a suspended hardware context (bsc#1012628). - accel/amdxdna: Reduce log noise during process termination (bsc#1012628). - accel/amdxdna: Fix dead lock for suspend and resume (bsc#1012628). - accel/amdxdna: Fix suspend failure after enabling turbo mode (bsc#1012628). - accel/amdxdna: Fix command hang on suspended hardware context (bsc#1012628). - accel/amdxdna: Fix out-of-bounds memset in command slot handling (bsc#1012628). - accel/amdxdna: Prevent ubuf size overflow (bsc#1012628). - accel/amdxdna: Validate command buffer payload count (bsc#1012628). - drm/xe/wa: Steer RMW of MCR registers while building default LRC (bsc#1012628). - cgroup/cpuset: Fix incorrect change to effective_xcpus in partition_xcpus_del() (bsc#1012628). - cgroup/cpuset: Fix incorrect use of cpuset_update_tasks_cpumask() in update_cpumasks_hier() (bsc#1012628). - clk: scu/imx8qxp: do not register driver in probe() (bsc#1012628). - cxl: Move devm_cxl_add_nvdimm_bridge() to cxl_pmem.ko (bsc#1012628). - cxl: Fix race of nvdimm_bus object when creating nvdimm objects (bsc#1012628). - cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() (bsc#1012628). - scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume (bsc#1012628). - regulator: fp9931: Fix PM runtime reference leak in fp9931_hwmon_read() (bsc#1012628). - regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio() (bsc#1012628). - irqchip/ls-extirq: Fix devm_of_iomap() error check ... changelog too long, skipping 482 lines ... - commit 7f7ff04 ==== libplacebo ==== Version update (7.360.0 -> 7.360.1) - Update libplacebo to version 7.360.1. See details in: https://code.videolan.org/videolan/libplacebo/-/tags/v7.360.1 ==== libsolv ==== Version update (0.7.35 -> 0.7.36) Subpackages: libsolv-tools-base libsolv1 - respect the "default" attribute in environment optionlist in the comps parser - support suse namespace deps in boolean dependencies [bsc#1258193] - support for the Elbrus2000 (e2k) architecture - support language() suse namespace rewriting - bump version to 0.7.36 ==== libvpl ==== - adjusted logic for %suse_version bump with SLE16.1 Beta2 (jsc#PED-15824) ==== nghttp3 ==== Version update (1.14.0 -> 1.15.0) - Update to 1.15.0: * Add nghttp3_conn_submit_request2 to set client-side scheduling hint * Make client-side scheduling incremental by default * Remove nghttp3_conn_submit_request2 * Introduce nghttp3_strlen_lit * Move aux objects into the individual frames * Add const to nghttp3_frame_settings.local_settings ==== ngtcp2 ==== Version update (1.19.0 -> 1.21.0) Subpackages: libngtcp2-16 libngtcp2_crypto_gnutls8 - Update tto 1.21.0: * Fix Initial/Handshake packet construction * bbr: Rework spurious loss handling based on the latest draft * Assert that nwrite is not larger than the provided buffer length * log: Remove unused ngtcp2_log_tx_cancel * Remove ngtcp2_datagram.rdata * Rename in6_addr to s6_addr * bbr: Add const qualifier ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0 - Update to version 2.1.11.suse+88.8e0635b3: * Make iface.example a doc file. (#526) * Updated SPEC file to deliver iface.example as a %doc file, no longer in the database directory. ==== python-gobject ==== Subpackages: python313-gobject python313-gobject-Gdk python313-gobject-cairo - Update URL ==== python-tornado6 ==== Version update (6.5.4 -> 6.5.5) - Update to 6.5.5 (CVE-2026-31958, bsc#1259553) * ``multipart/form-data`` requests are now limited to 100 parts by default, to prevent a denial-of-service attack via very large requests with many parts. This limit is configurable via `tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be disabled completely if not required for the application. Thanks to 0x-Apollyon and bekkaze for reporting this issue * The ``domain``, ``path``, and ``samesite`` arguments to `.RequestHandler.set_cookie` are now validated for illegal characters, which could be abused to inject other attributes on the cookie. Thanks to Dhiral Vyas (Praetorian) for reporting this issue. * Carriage return characters are no longer accepted in ``multipart/form-data`` headers. Thanks to sergeykochanov for reporting this issue. - add fix-tests-with-curl-8-19.patch to fix tests with curl 8.19 ==== qt6-base ==== Subpackages: libQt6Concurrent6 libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6OpenGLWidgets6 libQt6PrintSupport6 libQt6Sql6 libQt6Test6 libQt6WaylandClient6 libQt6Widgets6 libQt6WlShellIntegration6 libQt6Xml6 qt6-network-tls qt6-networkinformation-glib qt6-networkinformation-nm qt6-printsupport-cups qt6-sql-sqlite qt6-wayland - Added patch to fix ignore broken unicode filenames without skipping the rest of the directory (QTBUG-142913) * 0001-Do-not-persist-unicode-error-state-across-dirents.patch - Just build with renderdoc on TW, since Leap 16.1 won't have it neither. - Also build without renderdoc on Leap 16 ==== systemd ==== Version update (259.3 -> 259.5) Subpackages: libsystemd0 libudev1 systemd-boot systemd-container udev - Import commit (merge of v259.5) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e53173d15f11454a5770e7732e3eaed3105c11fc...58a9b1726da0e2c89665897ca7e107315b2389e0 - systemd-container: require libarchive instead of tar, since https://github.com/systemd/systemd/commit/a7c8f92d1f937113a279adbe62399f6f0773473f - systemd-update-helper: fix the clean-state command only removing $STATE_DIR/system instead of $STATE_DIR/. - systemd-update-helper: add --root option for testing convenience It allows the tests to redirect them under a temporary directory via --root instead of patching the script with sed. - Import commit e53173d15f11454a5770e7732e3eaed3105c11fc (merge of v259.4) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/1e9dbf558f2578c5f0a38a20cd93950de5d7b648...e53173d15f11454a5770e7732e3eaed3105c11fc - systemd-update-helper: fix incorrect skipping of systemctl disable during package removal (bsc#1245551) This bug was caused by stale dont-disable markers left over from a previous install transaction. Introduce a new command 'clean-state' for systemd-update-helper, which is called once via a %transfiletriggerin in the systemd package at the end of any transaction installing unit files, ensuring markers cannot persist across transactions. - systemd.spec: introduce %bcond_without docs to allow skipping man pages and devel-doc Add a new %bcond_without docs conditional that disables man page and HTML doc generation (-Dman, -Dhtml meson options) when building with --without docs. - systemd-update-helper: fix do_install_units() incorrectly returning 1 when no units need preset.