Packages changed: Mesa (26.0.5 -> 26.0.6) Mesa-drivers (26.0.5 -> 26.0.6) MicroOS-release (20260430 -> 20260504) SDL3 (3.4.4 -> 3.4.6) accountsservice avahi avahi-glib2 bubblewrap (0.11.1 -> 0.11.2) colord curl (8.19.0 -> 8.20.0) libcontainers-common (20260112 -> 20260429) net-tools (2.10+1 -> 3.14~alpha~git.20251212.7011617) perl (5.42.0 -> 5.42.1) python-Mako (1.3.11 -> 1.3.12) python-greenlet (3.4.0 -> 3.5.0) qtkeychain-qt6 (0.15.0 -> 0.16.0) sdl2-compat (2.32.66 -> 2.32.68) sensors sssd update-alternatives (1.22.21 -> 1.22.22) === Details === ==== Mesa ==== Version update (26.0.5 -> 26.0.6) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.0.6 bugfix release - -> https://docs.mesa3d.org/relnotes/26.0.6 ==== Mesa-drivers ==== Version update (26.0.5 -> 26.0.6) Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Update to 26.0.6 bugfix release - -> https://docs.mesa3d.org/relnotes/26.0.6 ==== MicroOS-release ==== Version update (20260430 -> 20260504) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== SDL3 ==== Version update (3.4.4 -> 3.4.6) - Update to release 3.4.6 * Fixed scaled cursor image selection on Wayland * Fixed horizontal touchpad scrolling direction on X11 * Fixed crash on exit when using KMSDRM in atomic mode * Fixed multi-threaded crashes using SDL GPU on Vulkan ==== accountsservice ==== - Add accountsservice.tmpfiles file to create directories under /var using systemd-tmpfiles (jsc#PED-14834). ==== avahi ==== Subpackages: libavahi-client3 libavahi-common3 libavahi-core7 - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) - Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836). ==== avahi-glib2 ==== - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) - Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836). ==== bubblewrap ==== Version update (0.11.1 -> 0.11.2) - Update to version 0.11.2 (bsc#1262113): * In setuid mode, don't run the low-privileged parts of the setup as dumpable, as that allows it to be ptraced which can lead to problems. This is CVE-2026-41163. * New build option `-Dsupport_setuid`, which if set to false (which is the default) disables the support for setuid. Binaries built with this will refuse to run if made setuid. ==== colord ==== - Mark both /var/lib/colord and /var/lib/colord/icc as %ghost directories since both are created from a systemd-tmpfiles config file provided by upstream (jsc#PED-14837) - Make colord-color-profiles noarch since it doesn't contain binary files. ==== curl ==== Version update (8.19.0 -> 8.20.0) Subpackages: libcurl4 - Update to 8.20.0: * Security fixes: - CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631) - CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632) - CVE-2026-5773: wrong reuse of SMB connection (bsc#1262633) - CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635) - CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636) - CVE-2026-6429: curl: netrc credential leak with reused proxy connection (bsc#1262638) * Changes: - async-thrdd: use thread queue for resolving - lib: add thread pool and queue - lib: drop support for < c-ares 1.16.0 - lib: make SMB support opt-in - multi.h: add CURLMNWC_CLEAR_ALL - rtmp: drop support * Bugfixes: - altsvc: cap the list at 5,000 entries - altsvc: drop the prio field from the struct - altsvc: skip expired entries read from file - asyn-ares: connect async - asyn-ares: drop orphaned variable references - asyn-ares: fix HTTPS-lookup when not on port 443 - asyn-thrdd: drop redundant `result` check - asyn-thrdd: fix clang-tidy unused value warning - async-ares: fix query counter handling - cf-ip-happy: limit concurrent attempts - cf-socket: avoid low risk integer overflow on ancient Solaris - cfilters: fix Curl_pollset_poll() return code mixup - config2setopts: make --capath work in proxy disabled builds - cookie: fix rejection when tabs in value - curl.h: replace macros with C++-friendly method to enforce 3 args - curl_ctype.h: fix spelling in a couple of locally used macros - curl_get_line: error out on read errors - curl_get_line: fix potential infinite loop when filename is a directory - curl_ngtcp2: extend and update callbacks for 1.22.0+ - curl_ntlm_core: drop redundant PP condition - curl_ntlm_core: use wolfCrypt DES API with wolfSSL - curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard - curl_sha512_256: support delegating to wolfSSL API - curlx_now(), prevent zero timestamp - digest: pass in the username quoted (as well) - dns: https-eyeballing async - dnscache: own source file, improvements - doh: fix memory-leak when doing a second DoH resolve - doh: remove superfluous doh_req check - file: init fd to -1 to prevent close fd 0 on early failure - fopen: for temp files, inherit permissions only for owner - ftp: do not strdup DATA hostname - ftp: make the MDTM date parser stricter (again) - ftp: reject PWD responses containing control characters - generate.bat: remove extra % from VC11 and VC12 runs - genserv.pl: make external calls safe - getinfo: initialize `PureInfo` field `used_proxy` - getinfo: repair CURLINFO_TLS_SESSION - h3: HTTPS-RR use in HTTP/3 - Happy Eyeballs: add resolution time delay - hostip: clear the sockaddr_in6 structure before use - hostip: init the curl_jmpenv_lock appropriately - hostip: resolve user supplied ip addresses - HSTS: cap the list - hsts: make the HSTS read callback handle name dupes - hsts: skip expired HSTS entries read from file - hsts: when a dupe host adds subdomains, use that - http2: clear the h2 session at delete - http2: prevent secure schemes pushed over insecure connections - http2: return error on OOM in push headers - http: clear credentials better on redirect - http: clear digest nonce on cross-origin redirect - http: clear the proxy credentials as well on port or scheme change - http: fix auth_used and auth_avail - http: fix Curl_compareheader for multi value headers - http: make Curl_compareheader handle multiple commas in header - http: on 303, switch to GET - http: use header_has_value() instead of duplicate code - imap: reset the UIDVALIDITY state between transfers - lib: accept larger input to md5/hmac/sha256/sha512 functions - lib: always use Curl_1st_fatal instead of Curl_1st_err - lib: make resolving HTTPS DNS records reliable: - lib: move request specific allocations to the request struct - lib: replace `PRI*32` printf masks with C89 ones - libssh2: allocate libssh2-friendly memory in kbd_callback - libssh2: fix error handling on quote errors - libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 - libssh: path length precaution - libssh: propagate error back in SFTP function - location/follow: mention netrc - man: fix argument type for `CURLSHOPT_[UN]SHARE` options - md4, md5: switch to wolfCrypt API in wolfSSL builds - mime: only allow 40 levels of calls - misc: fix code quality findings - multi: enhance pending handles fairness - multi: fix connection retry for non-http - multi: improve wakeup and wait code - netrc: find login-less password when user is given in URL - netrc: remove unused parsenetrc() macro for netrc-disabled - netrc: skip malformed macdef lines - openssl channel_binding: lookup digest algorithm without NID - openssl: drop obsolete SSLv2 logic - openssl: fix build with 4.0.0-beta1 no-deprecated ... changelog too long, skipping 59 lines ... * Rebased patches: dont-mess-with-rpmoptflags.patch libcurl-ocloexec.patch ==== libcontainers-common ==== Version update (20260112 -> 20260429) Subpackages: libcontainers-default-policy registries-conf-default - New release 20260429 * bump bundled c/common to 0.67.1 - Switch source to the new upstream monorepo containers/container-libs. - Drop SUSE patches: * 0001-containers.conf-SUSE-clear-cni-config-dir-for-ALP.patch (replaced by containers.conf.d/01-suse-cni.conf drop-in) * 0002-storage-conf-prio-list.patch (no-op btrfs storage_priority patch) * 0003-containers-conf-suse-defaults.patch (replaced by containers.conf.d/00-suse-containers.conf drop-in) - Split SUSE-specific sigstore entries out of default.yaml into per-registry files (registry.suse.com.yaml, registry.suse.de.yaml). - Ship search-registries via a registries.conf.d/ drop-in instead of modifying the base registries.conf in the subpackages. ==== net-tools ==== Version update (2.10+1 -> 3.14~alpha~git.20251212.7011617) - Switch to the latest snapshot of the new active upstream: https://github.com/ecki/net-tools (jsc#PED-14308). - Update to version 3.14~alpha~git.20251212.7011617: * Merges all useful downstream contributions. Obsoletes following patches: 0007-Introduce-T-notrim-option-in-netstat.patch, net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch, net-tools-CVE-2025-46836-error-reporting.patch, net-tools-parse_hex-stack-overflow.patch, net-tools-proc_gen_fmt-buffer-overflow.patch, net-tools-ifconfig-avoid-unsafe-memcpy.patch, net-tools-ax25+netrom-overflow-1.patch, net-tools-ax25+netrom-overflow-2.patch, net-tools-ifconfig-long-name-warning.patch. * Translation updates. * Minor fixes. * Defaults changes: * Enable Bluetooth protocol family, Token ring (generic) support and SELinux support. - Prevent denial of service via terminal escape sequences injection (bsc#1254323, gh#ecki/net-tools#2109, CVE-2024-58251, net-tools-netstat-ansi-injection.patch). ==== perl ==== Version update (5.42.0 -> 5.42.1) Subpackages: perl-base - update to 5.42.1 * fix transition to/from daylight savings time * fix crashes in some two-variable "for" loop cases * fix autovivification for ternary condition operators ==== python-Mako ==== Version update (1.3.11 -> 1.3.12) - update to 1.3.12: * Fixed issue in :class:`.TemplateLookup` where a URI with backslash path separators (e.g. ``\..\secret.txt``) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution. ==== python-greenlet ==== Version update (3.4.0 -> 3.5.0) - update to 3.5.0: * Remove the atexit callback. This callback caused greenlet APIs to become unavailable far too soon during interpreter shutdown. Now they remain available while all atexit callbacks run. Sometime after Py_IsFinalizing becomes true, they may begin misbehaving. Because the order in which C extensions are finalized is undefined, C extensions that are sensitive to this need to check the results of that function before invoking greenlet APIs. As a convenience, PyGreenlet_GetCurrent sets an exception and returns NULL when this happens (and greenlet.getcurrent begins returning None); other greenlet C API functions have undefined behaviour. Methods invoked directly on pre-existing greenlet.greenlet objects will continue to function at least until the greenlet C extension has been garbage collected and finalized. See PR 508. ==== qtkeychain-qt6 ==== Version update (0.15.0 -> 0.16.0) - Update to 0.16.0 * Add support for selecting backend via environment variable * Use default DBus timeout for KWallet check * Fix the crash caused by timeout when reading or writing keychain on macOS * Fix restore-after-deletion issue by creating QKeychain jobs dynamically * Add legacy support for KWallet maps * Added Swedish translation * Added Georgian translation * Fixes for various build/build system issues ==== sdl2-compat ==== Version update (2.32.66 -> 2.32.68) - Update to release 2.32.68 * Fixed gamepad rumble in Middle-earth: Shadow of Mordor and other games on Linux * Added an "SDL3_VERSION" hint that can be read by games using sdl2-compat ==== sensors ==== - Add sensors-detect-udevadm-path.patch to deal with the move of udevadm from /sbin to /usr/bin (boo#1259511). - Add pwm-fix-bad-scaling-due-to-use-of-integer-type.patch which fixes PWM values being scaled to 0-128% instead of 0-100% (boo#1255928). ==== sssd ==== Subpackages: libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - Add support for UsrEtc; (bsc#1257643); Add patch 0016-UsrEtc.patch - The default configuration file is installed now in /usr/etc/sssd/sssd.conf. It can be completely overridden by manually creating the system specific config file /etc/sssd/sssd.conf, or partially overridden by creating config snippets in /etc/sssd/conf.d/ directory. Check sssd.conf manpage for more details. - Use %pre scriptlet instead of %pretrans to migrate from sssd-common [bsc#1257509]. - The AD backend now uses realmd to update the machine account password. The realmd package is recommended when installing the ad backend. ==== update-alternatives ==== Version update (1.22.21 -> 1.22.22) - Fix 'dpkg' package for immutable mode (jsc#PED-14790). - Add dpkg.tmpfiles. - Update to 1.22.22 (minor bump from 1.22.21). - Changelog: * dpkg-query: Fix segfault with empty -S argument. * Perl modules: - Dpkg::OpenPGP: Do not run verify with no keyrings. - Dpkg::Shlibs::Objdump::Object: Add support for "Version References" symbols. - Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import. * Code internals: - libdpkg: Terminate zstd decompression when we have no more data. Fixes CVE-2026-2219. - Remove patch file: * CVE-2026-2219.patch * oldperl.patch This patch has been removed as Leap 15.X has reached end-of-life.