Packages changed: MicroOS-release (20260512 -> 20260517) apparmor (4.1.7 -> 5.0.0) aurorae6 (6.6.4 -> 6.6.5) bluedevil6 (6.6.4 -> 6.6.5) breeze6 (6.6.4 -> 6.6.5) breeze6-gtk (6.6.4 -> 6.6.5) container-selinux (2.247.0 -> 2.248.0) discover6 (6.6.4 -> 6.6.5) distrobox docker (29.3.0_ce -> 29.4.0_ce) dracut (110+suse.29.g16072cee -> 110+suse.31.ga81148a) expat (2.7.5 -> 2.8.1) ffmpeg-8 flatpak-kcm6 (6.6.4 -> 6.6.5) fwupd (2.1.1 -> 2.1.3) glib2-branding-openSUSE glibc gpg2 (2.5.19 -> 2.5.20) gstreamer (1.28.2 -> 1.28.3) gstreamer-plugins-bad (1.28.2 -> 1.28.3) gstreamer-plugins-base (1.28.2 -> 1.28.3) kactivitymanagerd6 (6.6.4 -> 6.6.5) kde-cli-tools6 (6.6.4 -> 6.6.5) kde-gtk-config6 (6.6.4 -> 6.6.5) kdecoration6 (6.6.4 -> 6.6.5) kdeplasma6-addons (6.6.4 -> 6.6.5) kernel-source (7.0.5 -> 7.0.7) keylime (7.14.0 -> 7.14.2) kgamma6 (6.6.4 -> 6.6.5) kglobalacceld6 (6.6.4 -> 6.6.5) kinfocenter6 (6.6.4 -> 6.6.5) kmenuedit6 (6.6.4 -> 6.6.5) knighttime6 (6.6.4 -> 6.6.5) kpipewire6 (6.6.4 -> 6.6.5) kscreen6 (6.6.4 -> 6.6.5) kscreenlocker6 (6.6.4 -> 6.6.5) ksshaskpass6 (6.6.4 -> 6.6.5) ksystemstats6 (6.6.4 -> 6.6.5) kwayland-integration6 (6.6.4 -> 6.6.5) kwayland6 (6.6.4 -> 6.6.5) kwin6 (6.6.4 -> 6.6.5) layer-shell-qt6 (6.6.4 -> 6.6.5) libei (1.5.0 -> 1.6.0) libinput (1.31.1 -> 1.31.2) libksba (1.7.0 -> 1.8.0) libkscreen6 (6.6.4 -> 6.6.5) libksysguard6 (6.6.4 -> 6.6.5) libmodulemd libplasma6 (6.6.4 -> 6.6.5) librsvg (2.62.0 -> 2.62.2) libselinux libselinux-bindings libsolv (0.7.36 -> 0.7.37) libzypp (17.38.7 -> 17.38.8) milou6 (6.6.4 -> 6.6.5) net-snmp ntfs-3g_ntfsprogs open-vm-tools (13.0.10 -> 13.1.0) openexr (3.4.9 -> 3.4.11) openssh openssl-3 patterns-base permissions (1699_20260217 -> 1699_20260512) pipewire (1.6.4 -> 1.6.5) plasma5support6 (6.6.4 -> 6.6.5) plasma6-activities (6.6.4 -> 6.6.5) plasma6-activities-stats (6.6.4 -> 6.6.5) plasma6-browser-integration (6.6.4 -> 6.6.5) plasma6-desktop (6.6.4 -> 6.6.5) plasma6-integration (6.6.4 -> 6.6.5) plasma6-nm (6.6.4 -> 6.6.5) plasma6-openSUSE plasma6-pa (6.6.4 -> 6.6.5) plasma6-print-manager (6.6.4 -> 6.6.5) plasma6-systemmonitor (6.6.4 -> 6.6.5) plasma6-workspace (6.6.4 -> 6.6.5) polkit-default-privs (1550+20260428.f2a5d2e -> 1550+20260513.3b99372) polkit-kde-agent-6 (6.6.4 -> 6.6.5) powerdevil6 (6.6.4 -> 6.6.5) python-gobject (3.56.2 -> 3.56.3) python-urllib3 (2.6.3 -> 2.7.0) python313-packaging (26.0 -> 26.2) qqc2-breeze-style6 (6.6.4 -> 6.6.5) rsync sddm-kcm6 (6.6.4 -> 6.6.5) selinux-policy (20260414 -> 20260508) shaderc (2026.1 -> 2026.2) spectacle (6.6.4 -> 6.6.5) ssh-pairing (0.3 -> 0.4) suse-module-tools (16.1.4 -> 16.1.5) systemsettings6 (6.6.4 -> 6.6.5) transactional-update (6.0.7 -> 6.1.0) vulkan-loader (1.4.341 -> 1.4.350) vulkan-tools (1.4.341 -> 1.4.350) xdg-desktop-portal-kde6 (6.6.4 -> 6.6.5) yast2 (5.0.20 -> 5.0.21) zypper (1.14.96 -> 1.14.97) === Details === ==== MicroOS-release ==== Version update (20260512 -> 20260517) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== apparmor ==== Version update (4.1.7 -> 5.0.0) - add lsusb.diff: fix lsusb profile - add wpa_supplicant.diff: fix wpa_supplicant profile (boo#1265377) - add syslog-ng-slashes.diff: avoid double slashes (and therefore a path mismatch) in syslog-ng profile - Use %{_tmpfilesdir} macro and package apparmor.conf tmpfiles configuration. - add allow-read-slash.diff and postfix-profiles-slash.diff to allow reading / in samba, dovecot and postfix profiles (boo#1263051) - update to AppArmor 5.0 - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0 for the full upstream changelog - update lessopen.sh profile to abi/5.0 - enable all tests in profiles/ - Add and use tmpfiles.d/apparmor.conf for log and cache path creation (jsc#PED-14916) (jsc#PED-14917) + drop removal of pre-2.12 cache location + retain "apparmor_parser --purge-cache" calls for non-transactional systems - update to AppArmor 5.0rc5 - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc5 - drop upstreamed parser-lib-path.diff - update to AppArmor 5.0rc4 - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc4 for the full upstream changelog - add BR libzstd-devel - add parser-lib-path.diff to ensure parser finds libapparmor in make check - refresh apache-extra-profile-include-if-exists.diff - add 'make -C init' (apparmor.service and aa-teardown now live in a separate directory) ==== aurorae6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== bluedevil6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== breeze6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: breeze6-cursors breeze6-decoration breeze6-style breeze6-wallpapers - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * kdecoration: Use correct scale when computing border outline thickness ==== breeze6-gtk ==== Version update (6.6.4 -> 6.6.5) Subpackages: gtk3-metatheme-breeze6 metatheme-breeze6-common - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== container-selinux ==== Version update (2.247.0 -> 2.248.0) - Update to version 2.248.0: * Condition ptrace permission on deny_ptrace boolean ==== discover6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: discover6-backend-flatpak discover6-backend-fwupd discover6-notifier - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * ProgressView: Don't conditionally invert text color * rpmostree: Connect to this when connecting to a lambda that captures this ==== distrobox ==== Subpackages: distrobox-bash-completion distrobox-branding-openSUSE - Add 892f93baaa066ea36b31b2f721332ca49c9e5ad7.patch: fix: flags for read-only and recursive slave mount. ==== docker ==== Version update (29.3.0_ce -> 29.4.0_ce) Subpackages: docker-buildx docker-rootless-extras - Update to Docker 29.4.0. See upstream changelog online at - Update to buildx 0.33.0. See upstream changelog online at - Rebased patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch ==== dracut ==== Version update (110+suse.29.g16072cee -> 110+suse.31.ga81148a) Subpackages: dracut-ima - Update to version 110+suse.31.ga81148a: Support NTP configuration for airgapped scenarios (jsc#PED-16110): * feat(chrony): introducing the chrony module * feat(network-manager): write info about NTP servers in dhcpopts file ==== expat ==== Version update (2.7.5 -> 2.8.1) - update to 2.8.1 (bsc#1264713, CVE-2026-45186, bsc#1262263, CVE-2026-41080): * Fix quadratic runtime from attribute name collision checks that allowed denial of service attacks through moderately sized crafted XML input (CWE-407). Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * CVE-2026-41080 -- The existing hash flooding protection only used 4 to 8 bytes of entropy for * a salt, when 16 bytes of salt are supported by the * implementation of SipHash used by Expat. Now full 16 bytes * of entropy are used to improve protection against hash * flooding attacks. * Existing API function XML_SetHashSalt is now deprecated * because of its limitations, and its use should be * considered a vulnerability. Please either use the new API * function XML_SetHashSalt16Bytes (with known-high-quality * entropy input only!) instead, or leave the derivation of * a 16-bytes hash salt from high quality entropy to Expat's * internal machinery (by *not* calling either of the two * XML_SetHashSalt* functions). ==== ffmpeg-8 ==== Subpackages: libavcodec62 libavfilter11 libavformat62 libavutil60 libswresample6 libswscale9 - Enable glslang filters ==== flatpak-kcm6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - No code changes since 6.6.4 ==== fwupd ==== Version update (2.1.1 -> 2.1.3) Subpackages: libfwupd3 typelib-1_0-Fwupd-2_0 - Update to version 2.1.3: + This release adds the following features: - Add support for Redfish bearer token authentication - Add support for several XMC SPI chips - Parse JCat files in libfwupd without using libjcat + This release fixes the following bugs: - Allow configuring a Redfish URI with a path prefix - Avoid firmware matching errors for Cat-6 and Cat-12 modems - Calculate and export a floating point percentage progress value - Do not print clean remote success message if aborted - Do not probe all Nordic devices with USB VID 0x1915 - Fix force table support in Elan IC types 0x13 and 0x14 - Fix Raydium information check flow to avoid incorrect validation - Fix the Thunderbolt version number by ignoring the reserved bits - Load well-known paths in dbxtool to prevent a regression - Match a specific Raydium device to prevent resetting older hardware - Only copy the HIDRAW USB properties if a DS-20 has been provided - Use CA1 for a SK Hynix NVMe drive + This release adds support for the following hardware: - SHIFT6mq and SHIFTphone 8 - Update to version 2.1.2: + This release adds the following features: - Add an HSI check for AMD SB-7033 aka EntrySign - Add native CBOR parsing and drop libcbor2 as a dep - Add server platform detection to suspend HSI checks - Allow setting a maximum version number for a device - Allow setting context flags from HWID matches - Increment the progressbar when waiting for replug - Require Windows 8+ for the MSI build artifact - Support loading EFI authenticated variables with ContentInfo headers + This release fixes the following bugs: - Add daemon support for modems that export ttyUSB devices - Add decompression ratio limit to prevent parsing emulation ZIP bombs - Add device activation flag for Dell servers after firmware upgrade - Allow using a custom Telink HidToolVer quirk - Check the UEFI capsule payload is less than 4GiB in size - Cleanup all the user inhibits when required - Do not allow using non-regular files like devnull as metadata - Do not use capsule-on-disk on Lenovo ThinkCentre M60e Tiny - Fix a buffer overread when parsing a malicious PE file - Fix a CRC validation mistake in ZIP firmware parser - Fix a maybe-impossible NULL pointer dereference when parsing netlink data - Fix a small memory leak when writing Redfish firmware - Fix accessing Nordic devices connected through a dongle - Fix handling snapd payloads with only a default image - Fix potential NULL pointer dereference in QMI firmware write - Fix the auto-generated Redfish HBA device name - Fix the displayed Thunderbolt version number by ignoring reserved bits - Fix UF2 race with UDisks2 volume discovery during replug - Fix warning when probing removable USB devices with no medium - Guard HSI feature with platforms requirements - Hardcode the modification timestamp in generated zip archive - Increase the resolution of the progress bar updates - Limit the maximum number of files that can be parsed from ZIP archives - Prevent users from asking for unlimited system inhibits - Properly handle Dell iDRAC when using Redfish - Reject DFU sectors with zero size to prevent a possible infinite loop - Restore the VID check in Algoltek USBCR probe function - Set sensible parsing limits in each FuFirmware subclass - Show a suitable version when the Novatek update is interrupted - Support CAB image filenames longer than 255 chars - Update the Focal touch firmware format to the latest release - Use overflow-checked arithmetic for all offset calculations - Use prepared queries when querying silos - Validate CCGX record data size before flash write - Validate Nordic HID peer index before accessing peers cache array - Validate Synaptics cxaudio EEPROM size before trusting it - Wait for mock snapd API socket to appear when running tests - Wait for the new version when updating the Nordic TK059 Keyboard + This release adds support for the following hardware: - Elan TP IC type 0x19 - Google Moonstone - HP 400 and 405 Mouse - Lenovo USB-4 dock - LX Semicon SW42101 touch controller - Parade USB hubs with GPIO control - Pixart PLP239 devices - Raydium TP devices - Sunplus cameras - Drop pkgconfig(libcbor) BuildRequires: no longer needed. ==== glib2-branding-openSUSE ==== - Update .gschema.override.in: fix key name typo of monospace-font-name (bsc#1263043). ==== glibc ==== Subpackages: glibc-locale glibc-locale-base - ungetwc-byte-stream.patch: libio: Fix ungetwc operating on byte stream (CVE-2026-5928, bsc#1262464, BZ #33998) - scanf-mc-buffer-overflow.patch: stdio-common: Fix buffer overflow in scanf %mc (CVE-2026-5450, bsc#1262465, BZ #34008) ==== gpg2 ==== Version update (2.5.19 -> 2.5.20) - Update to 2.5.20: * gpgsm: Implement GCM encryption. Note that decryption works since version 2 * gpgsm: New option --attribute and server command SETATTR to include arbitrary signed or unsigned attributes into a signature. Enable only with libksba 1 * gpgsm: Introduce system attribute _signingCertificateV2. * gpg: Fix wrong assertion failure which could very rarely occur during key signature checking * gpg: Consider certify-only keys for revocation signature check. * gpgsm: Fix possible double free in the CMS parser * gpgsm: Fix possible too early removal of ephemeral keys * gpgsm: Avoid emitting a final FAILURE status line if --status-fd is not used * gpgsm: Fix a regression in 2.5.19 for password encrypted GCM data * agent: Fix not using cache for pinentry loopback * agent: Fix command PUT_SECRET by saving input line * keyboxd: Mark keys searched but not imported via LDAP correctly as ephemeral * scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA keys > 2k * dirmngr: Fix uninitialized use of the dns_any union in dns_rr_cmp ==== gstreamer ==== Version update (1.28.2 -> 1.28.3) Subpackages: libgstreamer-1_0-0 - Update to version 1.28.3: + Highlighted bugfixes: - Various security fixes and playback fixes - applemedia: vtdec stability, MoltenVK integration and planar video format handling fixes - audioresample: Fix regression on armv7hf - bpmdetect: Fixes for stereo and multi-channel modes - devicemonitor: wait for start thread to finish when listing devices so all the info is there for e.g. v4l2 provider - fallbacksrc: Add fallback-source and enable-dummy properties - nvidia: fix cudaconvert performance regression and nvdec device creation regression - opengl: add GBRA swizzle support, and fix glcolorconvert vertical flip issue on crop - rtspsrc: include user-agent property in HTTP tunnel requests and fix mikey regression - threadshare: add leaky mode to dataqueue-based elements - v4l2: fix negotiation error when trying to force stateful decoders to output dmabufs - webrtcsink: Add support imx8mp vpuenc_hevc hardware H.265 encoder - cerbero: Extend gst-plugins-rs melding to Darwin platforms for smaller binary sizes and static linking improvements - inno Windows installer fixes, including silent install mode via the command line - macOS: provide script to allow uninstalling the package; relocate absolute paths to Python.framework in wheels - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - pad: fix potential buffer leak in get_range_failed error handler - aggregator: Fix documentation - allocator: Use g_try_malloc() instead of g_malloc() for sysmem - baseparse: Fix memory leak when subclass returns error - bitwriter: Allow unsetting set bits when overwriting them - devicemonitor: Wait for start thread to finish when listing devices - streams: Add METADATA to the valid stream flags for serialization - value: On buffer deserialization errors first unmap the buffer and then unref it - gst-inspect-1.0: type for string caps fields should be 'string' not 'gchararray' ==== gstreamer-plugins-bad ==== Version update (1.28.2 -> 1.28.3) Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0 - Update to version 1.28.3: + ajasink: Correctly set reference source + analytics: fix meta transform function for copy cases + av1parse: Fix null pointer deference + bpmdetect: Fix calculation of number of samples for >1 channels + codecparsers: Stack Buffer Overflow in H.265 Buffering Period SEI Parser + cudaconvert: fix performance regression caused by double precision floating point constants + decklink: Fix various refcount issues and related leaks + h263parse: - Fix wrong ratio masking - Missing handling of reserved invalid EPAR_D value + h265parser: - Use sub-layer 0 CPB count in buffering_period SEI loops - Add missing clearing function for H266 SEI message - Avoid out-of-bounds write when parsing PPS tile slices + mpegdemux: Add various bounds checks related to PES header parsing + interlace: Revert "Drop framerate from query caps of sinkpad" + mpegtsdemux: Various fixes + mpegtspacketizer: Avoid potential overflow + mse: Also disable the library if the meson option is disabled + mxf: - Fix multiple writing / parsing issues when handling VANC packets - Theoretical heap Buffer Overflow in MXF AES3 Audio Descriptor write_tags + mxfdemux: Fix reverse temporal offsets array upper bounds check + mxfmux: aes-bwf: Use correct size when serializing user data / channel status mode + nvcodec: Fix missing adapter-luid when loading decoders + nvdec regression in 1.28.2: "Couldn't create new device with adapter luid 0" + pngparse: Fix Use-after-free bug + qml6d3d11sink: Clear texture on Paused-to-Ready transition + qt6d3d11: fix null check in SetForceAspectRatio() + tsdemux: - Fix parsing of PES ESCR and following PES header fields - Fix segfault when trying to handle SCTE-35 with incorrect program specified + va: do not post error message when push fails + vkupload/vkdownload: Fix possible corrupted image due to mismatched stride/padding + vtdec: - Avoid blocking decoder output callback - Avoid locking up during a decoder reset - Deadlock when restarting pipeline - Fix deadlock when restarting pipeline + webrtc: take ownership of src_bin and sink_bin and don't leak error message + Require C std gnu11 or c11, remove custom 'restrict' definition, fixing build with Qt 6.11 ==== gstreamer-plugins-base ==== Version update (1.28.2 -> 1.28.3) Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 - Update to version 1.28.3: + appsink, appsrc: Allow passing NULL callbacks + appsrc: Fix dropped counting with bufferlist + audioaggregator: - Don't drop pending input buffers on sinkpads on srcpad caps changes - Don't reset samples_per_buffer unless sample rate / output-buffer-duration has changed - Don't try converting buffers on caps changes if impossible + audioresample: Fix extra samples produced at speech-to-silence transitions + audio-resampler-neon: fix Thumb encoding and use Clang O2 calculation for strides + audio sounds strange on release 1.28.2 for armv7hf + decodebin2: fix leak of endpads list on shutdown while exposing + discoverer: Take the DISCO_LOCK while parsing stream topology + exiftag: Use a hashtable instead of a linked list for storing the pending tags + gl: add GBRA swizzle support + id3v2: - Add input validation and refactor id3v2_ununsync_data - Check valid frame sizes more + opengl: Fix glcolorconvert vertical flip issue on crop + glcolorconvert: GBRA input hits unreachable swizzle path + subparse / samiparse: Various robustness fixes and minor other fixes + subparse: - Fix memory leakage for text colour and background colour - O(N^2) complexity in SAMI parser causes timeout with crafted large input + tag: - Prevent ubsan and wrong fraction usage - Off-by-one checking for id3v2 unnsync tag parsing + video: add precondition check on dma helpers + videodmabufpool: Break ref cycle between the pool and its thread ==== kactivitymanagerd6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kde-cli-tools6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kde-gtk-config6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: kde-gtk-config6-gtk3 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kdecoration6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libkdecorations3-6 libkdecorations3private2 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kdeplasma6-addons ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applets/weather: Fix typo on fallback icon name ==== kernel-source ==== Version update (7.0.5 -> 7.0.7) Subpackages: kernel-64kb kernel-default - Update patches.kernel.org/7.0.2-014-f2fs-fix-to-avoid-uninit-value-access-in-f2fs_s.patch (bsc#1012628 CVE-2026-43349 bsc#1265131). - Update patches.kernel.org/7.0.2-024-smb-client-require-a-full-NFS-mode-SID-before-r.patch (bsc#1012628 CVE-2026-43350 bsc#1264985). - Update patches.kernel.org/7.0.2-042-mshv_vtl-Fix-vmemmap_shift-exceeding-MAX_FOLIO_.patch (bsc#1012628 CVE-2026-43348 bsc#1264981). - Update patches.kernel.org/7.0.7-306-ksmbd-validate-inherited-ACE-SID-length.patch (bsc#1012628 CVE-2026-43490). suse-add-cves - commit f1d450c - ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308). - commit 67ebcde - selftests/namespaces: Skip efault tests when listns() is not available (poo#196367). - selftests/namespaces: Fix waitpid race in listns_efault_test cleanup (poo#196367). - selftests/namespaces: Kill grandchild in nsid fixture teardown (poo#196367). - commit 37898a9 - Linux 7.0.7 (bsc#1012628). - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() (bsc#1012628). - ipmi: Add limits to event and receive message requests (bsc#1012628). - ipmi: Check event message buffer response for bad data (bsc#1012628). - ipmi:si: Return state to normal if message allocation fails (bsc#1012628). - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free (bsc#1012628). - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states (bsc#1012628). - ACPI: scan: Use acpi_dev_put() in object add error paths (bsc#1012628). - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO (bsc#1012628). - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug (bsc#1012628). - ACPI: video: force native backlight on HP OMEN 16 (8A44) (bsc#1012628). - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() (bsc#1012628). - iommufd: Fix a race with concurrent allocation and unmap (bsc#1012628). - ASoC: SOF: Don't allow pointer operations on unconfigured streams (bsc#1012628). - wifi: mt76: mt7925: fix incorrect TLV length in CLC command (bsc#1012628). - spi: rockchip: fix controller deregistration (bsc#1012628). - ksmbd: rewrite stop_sessions() with restartable iteration (bsc#1012628). - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (bsc#1012628). - flow_dissector: do not dissect PPPoE PFC frames (bsc#1012628). - smb: client/smbdirect: fix MR registration for coalesced SG lists (bsc#1012628). - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked (bsc#1012628). - exit: prevent preemption of oopsing TASK_DEAD task (bsc#1012628). - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr (bsc#1012628). - wifi: mt76: mt7925: fix incorrect length field in txpower command (bsc#1012628). - wifi: mt76: mt7921: fix a potential clc buffer length underflow (bsc#1012628). - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work (bsc#1012628). - wifi: b43legacy: enforce bounds check on firmware key index in RX path (bsc#1012628). - wifi: mac80211: drop stray 'static' from fast-RX rx_result (bsc#1012628). - wifi: rsi: fix kthread lifetime race between self-exit and external-stop (bsc#1012628). - wifi: mac80211: use safe list iteration in radar detect work (bsc#1012628). - wifi: ath5k: do not access array OOB (bsc#1012628). - wifi: mac80211: remove station if connection prep fails (bsc#1012628). - wifi: b43: enforce bounds check on firmware key index in b43_rx() (bsc#1012628). - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task (bsc#1012628). - usb: usblp: fix heap leak in IEEE 1284 device ID via short response (bsc#1012628). - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl (bsc#1012628). - ALSA: usb-audio: midi2: Restart output URBs on resume (bsc#1012628). - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() (bsc#1012628). - ALSA: usb-audio: Fix UAC3 cluster descriptor size check (bsc#1012628). - usb: dwc3: Move GUID programming after PHY initialization (bsc#1012628). ... changelog too long, skipping 631 lines ... - commit 6661b4c ==== keylime ==== Version update (7.14.0 -> 7.14.2) Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python313-keylime - Update to version 7.14.2 (CVE-2026-6420, bsc#1264265): * Bump to version 7.14.2 * verifier: Fix hardcoded attestation challenge nonce (CVE-2026-6420) * verifier: Extend TOCTOU race guard to TENANT_FAILED state * test: Add unit tests for _complete_deletion_if_terminated * verifier: Fix pyright reportArgumentType for mtls_cert * verifier: Fix TOCTOU race in process_agent state writes * docs: address wildcard bind feedback, document 0.0.0.0 / :: instead of * * Document verifier wildcard bind address * Place attestation fields in correct API version docs * Add attestation_status, attestation_period, maximum_attestation_interval * verifier: Fix type error in mtls_cert guard * ci: Replace /var/run/dbus with /run/dbus in test wrapper * installer: Replace /var/run/keylime with /run/keylime * Replace /var/run/keylime with /run/keylime in Python code * shared_data: Remove log calls from cleanup * shared_data: Use temp dir when /var/run/keylime/ is not usable * [Automatic] Update Keylime base image 2026-05-04 * [Automatic] Update Keylime base image 2026-05-01 * installer: Add tmpfiles.d config for all keylime directories * shared_data: Move SyncManager socket to /var/run/keylime/ * test: Support test execution for installed package * timestamp: Fix timezone handling in Unix timestamp conversion * shared_data: Ignore SIGTERM and SIGINT on Manager and parent processes * verifier: Cancel pending poll timer on agent stop * test: Add tests for pending-event and attestation storage * verifier: Prevent race condition when deleting agent * verifier: Replace assert with proper error handling * json: Suppress mypy call-overload false positive * Switch from CA organization of MITLL to Keylime * [Automatic] Update Keylime base image 2026-04-01 * Add unit tests for shutdown coordination and drain logic * Add graceful shutdown and lifecycle hooks to new Server architecture * Cancel pending retries and drain in-flight work on verifier shutdown * Add shutdown coordination module * Fix SharedDataManager cleanup crash in forked worker processes * docs: Add tables with push-attestation configuration options * templates: Sync agent config options with keylime-agent.conf * templates: Remove unused ima_ml_count_file option * Remove enable_authentication agent config option * fix(mem leak) - remove unbounded functools.cache from latest_attestation * fix: Add fork-safety to DBManager via dispose() * fix: Check active flag in _extract_identity and guard receive_pop * db: Clean up scoped session after each request * refactor: Remove dead code AuthSession.authenticate_agent() * Align black configuration between tox and pre-commit * Fix linter errors in PersistableModel.get() and .all() * Fix race condition on in SessionManager * Address some improvements from code review * Include thread-safe session management * Close DB sessions to prevent connection exhaustion * docs: Add v3.0 registrar API reference and changelog entry * tests: Add unit tests for v3 registrar routes and VersionController * registrar: Add routes for API version 3.0 * [Automatic] Update Keylime base image 2026-03-02 * [Automatic] Update Keylime base image 2026-03-01 * Document agent-driven (push) attestation * fix misspelling of overridden (#1856) * web: fix typo in base/route.py * Bump to version 7.14.1 * ca: Add Subject Alternative Names to the certificates * config: move push-mode options to [verifier] section in template * packit: Add missing tests * Fix session_lifetime default to prevent immediate token expiry * migrations: Fix migration to drop invalid sessions * tenant: Only negotiate API version v2.x * Fix leftover formatting issues * tests: fix measured boot tests to skip when efivarlibs is missing * tests: fix setup-rpm-tests to define _topdir ==== kgamma6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kglobalacceld6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libKGlobalAccelD6-0 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Load shortcuts from desktop file and config in the same order * Remove duplicate key sanitization logic ==== kinfocenter6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kmenuedit6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== knighttime6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libKNightTime0 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Resubscribe to the daemon if it is restarted ==== kpipewire6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: kpipewire6-imports libKPipeWire6 libKPipeWireDmaBuf6 libKPipeWireRecord6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kscreen6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * kcm: hide ddc/ci option when HDR is enabled (kde#518532) * kcm: do not allow gaps when creating replicas (kde#515754,kde#519397) * output_model: remove off-by-one causing if statement (kde#515754) ==== kscreenlocker6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libKScreenLocker6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * PamAuthenticator: Emit failed on authentication attempts that happen too soon (kde#515299) ==== ksshaskpass6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== ksystemstats6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kwayland-integration6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kwayland6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libKWaylandClient6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== kwin6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libkwin6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * backends/x11: Fix interactive output resizing * Temporarily reference Windows during compositing * backends/drm: only update outputs on GPUs that actually changed (kde#519461) * rules: make checkGeometrySafe actually safe (kde#466119) * backends/drm: drop dmabuf import modes * backends/drm: don't attempt multi GPU copies with unsupported formats (kde#517987) * input: Map devices to device outputs, not logical (kde#514688) * Fix passing fullscreen to the X11 backend * input: Process key repeat before A11yKeyboardMonitor (kde#519143) * backends/drm: Check flags when comparing modes * virtualdesktops: add missing connection to save desktop names (kde#512212) * opengl/eglcontext: add asserts for eglMakeCurrent * backends/drm: Fix restoring custom modes after reboot * backends/drm: Match output modes differently * Make removed flag separate state in OutputMode * Track preferred output mode flags * Fix saving custom output modes * Cleanup keyboard grabs * activation: restore code updating layers of fullscreen windows (kde#484155) * backends/libinput: Fix dangling InputDevices on shutdown * plugins/highlightwindow: Better handling of windows during highlight/ghost operations * plugins/highlightwindow: Don't animate deleted or invisible windows * backends/drm: set COLOR_RANGE to full for RGB planes on NVIDIA * plugins/colorpicker: use GL_RGBA instead of GL_RGB, to support OpenGL ES (kde#518770) ==== layer-shell-qt6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libLayerShellQtInterface6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== libei ==== Version update (1.5.0 -> 1.6.0) - Update to release 1.6.0 * A new ei_text interface that provides the ei_text.keysym and ei_text.utf8 requests and events. These allow an emulating client to send keysyms or straight utf8, useful for situations where a keysym needs to be sent independent of the available keymap on the ei_keyboard device. * Preparatory work for future table support: * ei_device.ready is a request sent by compatible clients after ei_device.done to notify the EIS implementation that the client is done with any device-specific configuration. * ei_seat.request_device is a request sent by compatible clients to request a device with specific capabilities. The EIS implementation is not required to honor this request. ==== libinput ==== Version update (1.31.1 -> 1.31.2) - Update to release 1.31.2 * A bunch of device-specific quirks * Fix for the new fast-swipe interaction during 3fg dragging. A wrong timestamp calculation could cause slow movements to be interpreted as swipes in some cases. * A fix for the Acer Swift SFX14-73G (and likely other devices with a similar touchpad) fixes a stuttering cursor caused by wrong SYN_REPORT handling in libinput. ==== libksba ==== Version update (1.7.0 -> 1.8.0) - Update to 1.8.0: * New function ksba_cms_get_attribute. [rKf40bfced7c] * Support building of unsigned attributes with ksba_cms_add_attribute. [rK54d7e3bea8] * Release-info: https://dev.gnupg.org/T8253 ==== libkscreen6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libKF6Screen8 libKF6ScreenDpms8 libkscreen6-plugin - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== libksysguard6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: ksysguardsystemstats6-data libKSysGuardSystemStats2 libksysguard6-imports - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Choices.qml: Add Kirigami.OverlayZStacking ==== libmodulemd ==== - Build different flavors for Python subpackages ==== libplasma6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasma7 libplasma6-components libplasma6-desktoptheme - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Update height instead of width when implicitHeightChanged ==== librsvg ==== Version update (2.62.0 -> 2.62.2) - Update to version 2.62.2: + librsvg crate version 2.62.2 + librsvg-rebind crate version 0.3.0 + Fix blurry embeded SVG images by rasterizing them at device resolution. + Fix build when gobject-introspection is enabled but gdk-pixbuf is disabled. - Changes from version 2.62.1: + librsvg crate version 2.62.1 + librsvg-rebind crate version 0.3.0 + There are no changes from 2.62.0, just an update of the image-rs crate to align it with the rest of GNOME 50's versions for dependencies. ==== libselinux ==== Subpackages: libselinux1 selinux-tools - Change License from SUSE-Public-Domain to LicenseRef-SUSE-Public-Domain due to rpmlint invalid-license warning. ==== libselinux-bindings ==== - Change License from SUSE-Public-Domain to LicenseRef-SUSE-Public-Domain due to rpmlint invalid-license warning. ==== libsolv ==== Version update (0.7.36 -> 0.7.37) Subpackages: libsolv-tools-base libsolv1 - fix parsing of sha512 checksums in debian repositories - improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast - fix parsing of recommands in the old Mandriva synthesis format - bump version to 0.7.37 ==== libzypp ==== Version update (17.38.7 -> 17.38.8) - Mandatory signature verification plugin support (PED#11922) - version 17.38.8 (35) ==== milou6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== net-snmp ==== Subpackages: libsnmp45 snmp-mibs - net-snmp Immutable Mode adaptation * implementation task jsc#PED-14728 from epic jsc#PED-14688 * modify net-snmp.spec * modify net-snmp-tmpfs.conf ==== ntfs-3g_ntfsprogs ==== Subpackages: libntfs-3g89 ntfs-3g ntfsprogs - Remove last remnants of update-alternatives. ==== open-vm-tools ==== Version update (13.0.10 -> 13.1.0) Subpackages: libvmtools0 - update to 13.1.0 release based on build 25218885: (boo#1265304) Please refer to the Release Notes at https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/ReleaseNotes.md. Support for GNOME Toolkit version 4. This release of open-vm-tools supports building with either the GNOME Toolkit version 4 (GTK4) or to continue using version 3 (GTK3). The configure script will accept options to restrict the build to either GTK3 or GTK4. If no restriction is applied, the latest version for which the required development package(s) are installed will be used. Please see the What's New section of the Release Notes for details. The following github issues have been resolved: - issue #707 - issue #763 The granular changes that have gone into the open-vm-tools 13.1.0 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/open-vm-tools/ChangeLog. For a more complete description of what is new in this release, see the What's New and Resolved Issues sections of the Release Notes. https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/ReleaseNotes.md#whatsnew https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/ReleaseNotes.md#resolved-issues ==== openexr ==== Version update (3.4.9 -> 3.4.11) Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33 - version update to 3.4.11 * [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217) Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`) * [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216) Out-of-bounds read in `IDManifest::init()` during prefix expansion * [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142) Integer overflow in `ImageChannel::resize` leads to heap OOB write via OpenEXRUtil public API * OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155) Heap-buffer-overflow in `DwaCompressor_uncompress` * OSS-fuzz [505062709](https://issues.oss-fuzz.com/issues/505062709) Null-dereference READ in `Imf_3_3::prefixFromLayerName` - version update to 3.4.10 * [CVE-2026-39886](https://www.cve.org/CVERecord?id=CVE-2026-39886) HTJ2K Signed Integer Overflow in `ht_undo_impl()` * [CVE-2026-40244](https://www.cve.org/CVERecord?id=CVE-2026-40244) Integer overflow in DWA `setupChannelData` `planarUncRle` pointer arithmetic (missed variant of CVE-2026-34589) * [CVE-2026-40250](https://www.cve.org/CVERecord?id=CVE-2026-40250) Integer overflow in DWA decoder `outBufferEnd` pointer arithmetic (missed variant of CVE-2026-34589) - fixes [bsc#1264354], [bsc#1264356], [bsc#1264353] ==== openssh ==== Subpackages: openssh-clients openssh-common openssh-server - Update openssh-7.7p1-fips.patch (bsc#1264787): Add the rijndael alias to the list of all ciphers, making the FIPS list a strict subset. ==== openssl-3 ==== Subpackages: libopenssl3 - POWER performance enhancements * Optimized MLDSA NTT, supports p8 and above architectures (jsc#PED-14569) * Add patch: openssl-ppc64le-Optimized-MLKEM-NTT-supports-p8-ISA-2.07-and-above-architectures.patch ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - use distrobox instead of toolbox on SLE (jsc#PED-13820) - do not require vim-small if vim is installed (bsc#1262334) ==== permissions ==== Version update (1699_20260217 -> 1699_20260512) Subpackages: permctl permissions-config - Update to version 1699_20260512: * iputils: Fix capability permissions for clockdiff * profiles: drop nfs-utils rmtab entry * README: document RPM installation time race condition ==== pipewire ==== Version update (1.6.4 -> 1.6.5) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.6.5: * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases. * Highlights - Fix muted output in some cases. - Removed the pipe filter in filter-graph. - More fixes and improvements. * PipeWire - Fix an issue in pw-filter where it could end up in a loop where buffers are stuck on a port and the port becomes silent. (#5249 (closed)) * Modules - Improve ROC receiver start/stop, fixes memory leaks. (#5250 (closed)) - Remove the pipe filter from filter-graph, it's broken by design and a security nightmare. - Fix the midi buffer size in jack-tunnel. * SPA - Rate limit out-of-buffers errors. (#5249 (closed)) - Partially revert the line-out mute patch, it seems to break things and leave audio muted when plugging-unplugging jacks. (#5246) - Improve renegotiation in audioconvert when the graph rate changes and the resampler was disabled. (#4933 (closed)). - Fix potential crash in alsa when logging. * Pulse-server - A whole bunch of extra security checks and hardening fixes. ==== plasma5support6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasma5Support6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-activities ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasmaActivities7 plasma6-activities-imports - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-activities-stats ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasmaActivitiesStats1 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-browser-integration ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-desktop ==== Version update (6.6.4 -> 6.6.5) Subpackages: plasma6-desktop-emojier - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applets/kicker: open category on return again * applets/kicker: don't show sidebar scrollbar without screen (kde#517535) * kcms/tablet: Improve line drawing * kcms/tablet: Initially set start position (kde#519600) * kcm_keys_test: Fix shortcut element name * kcms/keyboard: Fix KeyBindings resetButton positioning * keysrunner: Align dbus path sanitization with kglobalacceld which fixes triggering plasma-systemmonitor actions using krunner * applets/kicker: don't activate when dropping * applets/kicker: match background opacity in submenus (kde#517495) ==== plasma6-integration ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * qt6/KFontSettingsData: Chop off extra fontString items for versions under 6.11 (kde#519185) ==== plasma6-nm ==== Version update (6.6.4 -> 6.6.5) Subpackages: plasma6-nm-openconnect plasma6-nm-openvpn - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applet: Fix accessibility of switches (kde#519217) * Ensure that placeholder is not visible when applet closes (kde#511367) * Keep focus on password field when hovering another delegate (kde#454523,kde#510784) ==== plasma6-openSUSE ==== - Update to 6.6.5 ==== plasma6-pa ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Explictly set text format on label ==== plasma6-print-manager ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Port PrinterDelegate to required properties (kde#518705) ==== plasma6-systemmonitor ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-workspace ==== Version update (6.6.4 -> 6.6.5) Subpackages: plasma6-session plasma6-workspace-libs - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applets/kicker: show separator after service runner Recent Files (kde#518978) * kcms/font: Make buttons accessible (kde#519471) * runners/helprunner: Fix broken icon and text * xembedsniproxy: fix icon transparency * libkworkspace: Handle new states from logind (kde#518174) * ktimezoned.cpp: Fix what appears a copy-paste error * appiumtests: fix race condition in mediacontrollertest MPRIS player * appiumtests: fix D-Bus Properties Get return type in mediacontrollertest * appiumtests: fix unstable D-Bus activated plasmoid test in CI * kcms/soundtheme: Use on(Double)Clicked from GridDelegate instead of custom TapHandler * logout: Fix broken text legiblity with themes like Air and Breeze Light (kde#518001) * klipper: always set clipboard when moving entry to top (kde#514095) * SourcesPage: Fix sourceDelegate padding calculations * kcms/region_language: fix locale suffix matching (kde#518878) * applets/systemtray: Fix scroll orientation string case mismatch * applets/notifications: fix null-guard bugs in Globals.qml (kde#519046) * Fix kde_output_device_v2 bind version in devicenotifications * libclock: Fix stale transition metadata on timezone change * applets/activitybar: import Kirigami * libclock: fix lockscreen timezone init race on multi-screen - Drop patches, now upstream: * 0001-libkworkspace-Handle-new-states-from-logind.patch ==== polkit-default-privs ==== Version update (1550+20260428.f2a5d2e -> 1550+20260513.3b99372) - Update to version 1550+20260513.3b99372: * profiles: whitelist apparmor aa-notify.from_file action (bsc#1265157) ==== polkit-kde-agent-6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== powerdevil6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Fix screen brightness stuck at 30% after PowerDevil restart (kde#513809) ==== python-gobject ==== Version update (3.56.2 -> 3.56.3) Subpackages: python313-gobject python313-gobject-Gdk python313-gobject-cairo - Update to version 3.56.3: + Fix crash when user_data is defined before callback + Add missing msg argument to asyncio cancel() + Fix potential buffer overflow errors + Fix memory leak when initializing GTK templates ==== python-urllib3 ==== Version update (2.6.3 -> 2.7.0) - Update to 2.7.0 (CVE-2026-44432, bsc#1265266, CVE-2026-44431, bsc#1265267): [#]# Security Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal. * Decompression-bomb safeguards of the streaming API were bypassed: See GHSA-mf9v-mfxr-j63j for details. * HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc) [#]# Deprecations and Removals * Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (#3763) * Removed support for end-of-life Python 3.9. (#3720) * Removed support for end-of-life PyPy3.10. (#4979) * Bumped the minimum supported pyOpenSSL version to 19.0.0. (#3777) [#]# Bugfixes * Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (#3636) * Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (#4967) * Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (#3793) * Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (#3798) * Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (#3352) * Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (#3764) ==== python313-packaging ==== Version update (26.0 -> 26.2) - Add missing test BuildRequires on hypothesis. - update to 26.2: * Fix incorrect sysconfig var name for pyemscripten in * Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) (:pull:`1163`, :pull:`1168`, :pull:`1170`, :pull:`1171`) * Re-export ExceptionGroup in metatadata for now in (:pull:`1164`) * Add errors section and fix missing details in (:pull:`1159`) * Document our property-based test suite in (:pull:`1167`) * Fix a DirectUrl typo in (:pull:`1167`) * Add example of is_unsatisfiable in (:pull:`1166`) * Enable the auditor persona on zizmor in (:pull:`1158`) * Test new pickle gaurentees in (:pull:`1174`) * Use new native ReadTheDocs uv integration in (:pull:`1175`) * PEP 783: add handling for Emscripten wheel tags in (:pull:`804`) (old name used in implementation, fixed in next release) * PEP 803: add handling for the abi3.abi3t free-threading tag * PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:`1065`) * Add the packaging.direct_url module in (:pull:`944`) * Add the packaging.errors module in (:pull:`1071`) * Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:`1119`) * Add create_compatible_tags_selector to select compatible tags in (:pull:`1110`) * Add a key argument to SpecifierSet.filter() in (:pull:`1068`) * Support & and | for Marker's in (:pull:`1146`) * Normalize Version.__replace__ and add Version.from_parts in * Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:`1150`) * Narrow exclusion of pre-releases for V to match spec in * Rename format_full_version to _format_full_version to make it visibly private in (:pull:`1125`) * Restrict local version to ASCII in (:pull:`1102`) * Add pylock select function in (:pull:`1092`) * Document pylock select() method and PylockSelectError in (:pull:`1153`) * Add filename property to PackageSdist and PackageWheel, more validation in (:pull:`1095`) ==== qqc2-breeze-style6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Revert "ToolButton: Fix flat mode not inheriting background color scheme" ==== rsync ==== - Security update (CVE-2026-41035, bsc#1262223): rsync: count of entries mismatch can lead to a use-after-free - Add rsync-CVE-2026-41035.patch ==== sddm-kcm6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== selinux-policy ==== Version update (20260414 -> 20260508) Subpackages: selinux-policy-targeted - Update to version 20260508: * Add boolean ntp_refclock_access (bsc#1262711) * Add /var/log/ntp in ntp named filetrans interface (bsc#1262711) * Allow thump_t setattr on thumb_tmp_t lnk_files * Allow accounts-daemon read accountsd_share_t symlinks (bsc#1262502) * Label /usr/bin/sudo-rs and /usr/bin/su-rs * Allow pwupdd to read cracklib (bsc#1259138) * Allow pwupdd to log to audit log (bsc#1259138) * Move accountutils_pwaccessd_varlink_socket_connect from auth_use_pam (bsc#1259138) * Allow gpsd the setcap process capability * Add note about the process to merge template * Add mgetty_allow_sendfax boolean (bsc#1258666) * Do not backslash-escape underscores in file context specifications * Label /var/log/mgetty.* getty_log_t (bsc#1258666) * Allow systemd_homework_t to delete systemd_homed_record_t dirs (bsc#1261359) * Allow sshd-auth/sshd-session get attributes of their sshd parent * Allow systemd-tmpfiles to adjust resource limits * Allow logwatch to getattr nsfs files * Allow xdm dbus chat with rhsmcertd * Allow dhcpc_hook_t unix_dgram_socket and module_request * Allow accountsd list accountsd_share_t dirs ==== shaderc ==== Version update (2026.1 -> 2026.2) - Update to release 2026.2 * Test GL_EXT_descriptor_heap ==== spectacle ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * OptionsMenu: Drop double ownership of delay widgets * Keep spectacle alive briefly after copying screenshots (kde#) * SelectionEditor: Don't call setShowMagnifier in hoverMoveEvent (kde#509776,kde#509777) * CaptureOverlay: Fix checking the wrong showMagnifier property when activating the magnifier loader * fix: viewer window not hiding when quit-after-export is enabled ==== ssh-pairing ==== Version update (0.3 -> 0.4) - Update to version 0.4: * Skip showing fingerprints for DSA host keys (boo#1264665) - Add dependency on /usr/bin/awk ==== suse-module-tools ==== Version update (16.1.4 -> 16.1.5) Subpackages: suse-module-tools-scriptlets - Update to version 16.1.5: * Support XBOOTLDR (jsc#PED-16142) * modprobe.conf: split RNDIS blacklist, add interactive unblacklist support (boo#1262299, boo#1217268) * weak-modules2: don't remove symlinks in the rpm --reinstall case (bsc#1257055) ==== systemsettings6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Set accessible text for back button (kde#519333) * Fix empty category in sidebar when "Highlight Changed Settings" is enabled (kde#518868) * systemsettingsrunner: add correct file URLs to the kickoff and krunner entries. (kde#500259) * Ignore warnings from qt.qpa.services ==== transactional-update ==== Version update (6.0.7 -> 6.1.0) Subpackages: dracut-transactional-update libtukit8 transactional-update-zypp-config tukit tukit-snapper-plugin tukitd - Version 6.1.0: * t-u: Reintroduce kdump command for fadump functionality * t-u: Fix skipped error paths due to querying wrong return code * libtukit: Integrate OCI functionality into tukit core * libtukit: Allow configuration of snapshot manager * libtukit: Allow manually setting configuration options * tukitd: Extend D-Bus interfaces with generic option field * doc: Rework documentation generation with central HTML document and D-Bus interface - Add build dependencies for documentation - Add -doc package for HTML documentation ==== vulkan-loader ==== Version update (1.4.341 -> 1.4.350) - Update to tag SDK-1.4.350.0 * Fix the wrong extension being used for GGP ==== vulkan-tools ==== Version update (1.4.341 -> 1.4.350) - Update to tag SDK-1.4.350.0 * vulkaninfo: Enable device groups extension * vulkaninfo: Check extensions before querying properties ==== xdg-desktop-portal-kde6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * PortalDialog: fix standard button handling (kde#519631) * ci: disable qmllint ==== yast2 ==== Version update (5.0.20 -> 5.0.21) - Drop the logic for checking TPM2 availability. - The TPM2 check is now provided by yast2-storage-ng (related to jsc#PED-10703). - 5.0.21 ==== zypper ==== Version update (1.14.96 -> 1.14.97) Subpackages: zypper-needs-restarting - Add --filter-version-change to zypper lu. Adds filtering by version change significance to reduce noise in update listings. Supports levels: rebuild (hides rebuild-only changes) and package (hides all release-only changes). - version 1.14.97