Packages changed: Mesa (26.0.5 -> 26.0.6) Mesa-drivers (26.0.5 -> 26.0.6) MozillaFirefox (150.0 -> 150.0.1) SDL3 (3.4.4 -> 3.4.6) accountsservice apache2 apache2-manual apache2-prefork apache2-utils avahi avahi-glib2 bubblewrap (0.11.1 -> 0.11.2) colord curl (8.19.0 -> 8.20.0) gdm gdm-branding-openSUSE gnome-control-center gnome-session gnome-settings-daemon gnome-shell gnome-software mutter net-tools (2.10+1 -> 3.14~alpha~git.20251212.7011617) nvidia-open-driver-G07-signed nvidia-open-driver-G07-signed-cuda openSUSE-release (20260430 -> 20260504) perl (5.42.0 -> 5.42.1) python-greenlet (3.4.0 -> 3.5.0) qtkeychain-qt6 (0.15.0 -> 0.16.0) sdl2-compat (2.32.66 -> 2.32.68) sensors sssd update-alternatives (1.22.21 -> 1.22.22) xf86-video-nv (2.1.23 -> 2.1.24) === Details === ==== Mesa ==== Version update (26.0.5 -> 26.0.6) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.0.6 bugfix release - -> https://docs.mesa3d.org/relnotes/26.0.6 ==== Mesa-drivers ==== Version update (26.0.5 -> 26.0.6) Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Update to 26.0.6 bugfix release - -> https://docs.mesa3d.org/relnotes/26.0.6 ==== MozillaFirefox ==== Version update (150.0 -> 150.0.1) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 150.0.1 MFSA 2026-35 (boo#1263110) * CVE-2026-7320 (bmo#2027433) Information disclosure due to incorrect boundary conditions in the Audio/Video component * CVE-2026-7322 (bmo#2021904, bmo#2022731, bmo#2027158, bmo#2027733, bmo#2027973, bmo#2027976, bmo#2028231, bmo#2028731, bmo#2028886, bmo#2029067, bmo#2029700, bmo#2029724, bmo#2029806, bmo#2029814, bmo#2030108, bmo#2030111, bmo#2031524, bmo#2031921, bmo#2032040) Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1, Thunderbird ESR 140.10.1, Firefox 150.0.1 and Thunderbird 150.0.1 * CVE-2026-7323 (bmo#2028537, bmo#2029911, bmo#2031121, bmo#2033602) Memory safety bugs fixed in Firefox ESR 140.10.1, Thunderbird ESR 140.10.1, Firefox 150.0.1 and Thunderbird 150.0.1 * CVE-2026-7324 (bmo#2029419, bmo#2029717, bmo#2029769, bmo#2029886) Memory safety bugs fixed in Firefox 150.0.1 and Thunderbird 150.0.1 * Fixed: Fixed an issue where Facebook and other websites might not load properly for users with Bitdefender security software installed (bmo#2034178) * Fixed: Fixed an issue where denying a geolocation permission prompt could cause Firefox to show the system permission dialog again on a second attempt. (bmo#2034120) * Fixed: Fixed an issue that prevented tabs from being added to some older saved tab groups. (bmo#2031961) * Fixed: Fixed a layout issue where some drop-down menus expanded to display all list items at once. (bmo#2033117) - drop mozilla-bmo2031958.patch, included - requires NSS >= 3.122.2 ==== SDL3 ==== Version update (3.4.4 -> 3.4.6) - Update to release 3.4.6 * Fixed scaled cursor image selection on Wayland * Fixed horizontal touchpad scrolling direction on X11 * Fixed crash on exit when using KMSDRM in atomic mode * Fixed multi-threaded crashes using SDL GPU on Vulkan ==== accountsservice ==== Subpackages: accountsservice-lang libaccountsservice0 typelib-1_0-AccountsService-1_0 - Add accountsservice.tmpfiles file to create directories under /var using systemd-tmpfiles (jsc#PED-14834). ==== apache2 ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== apache2-manual ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== apache2-prefork ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== apache2-utils ==== - cgi-bin is disabled by default in modern Apache configurations; creating it unconditionally via tmpfiles.d is unnecessary - Remove /srv/www/cgi-bin from apache2.tmpfiles - Drop %ghost %dir %{cgidir} from %files - Drop %{cgidir} from %check mkdir invocation - Fix bsc#1262159. - MaxRequestWorkers (256) must be a multiple of ThreadsPerChild (25). Decreased to 250. - use tmpfiles.d for runtime directory creation This improves compatibility with immutable OSs, such as MicroOS. - Add apache2.tmpfiles. - Drop buildroot mkdir calls for log, cache and lib directories: these are now created at runtime via tmpfiles.d - Mark /srv/www, htdocs, cgi-bin, log, cache and lib dirs as %ghost in %files: RPM registers ownership without packaging the paths ==== avahi ==== Subpackages: avahi-lang libavahi-client3 libavahi-client3-32bit libavahi-common3 libavahi-common3-32bit libavahi-core7 - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) - Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836). ==== avahi-glib2 ==== - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. (CVE-2026-34933, bsc#1261546) - Make /var/lib/avahi-autoipd a ghost dir instead of packaging it since avahi-autoipd creates it on start (jsc#PED-14836). ==== bubblewrap ==== Version update (0.11.1 -> 0.11.2) - Update to version 0.11.2 (bsc#1262113): * In setuid mode, don't run the low-privileged parts of the setup as dumpable, as that allows it to be ptraced which can lead to problems. This is CVE-2026-41163. * New build option `-Dsupport_setuid`, which if set to false (which is the default) disables the support for setuid. Binaries built with this will refuse to run if made setuid. ==== colord ==== Subpackages: colord-color-profiles colord-lang libcolord2 libcolorhug2 - Mark both /var/lib/colord and /var/lib/colord/icc as %ghost directories since both are created from a systemd-tmpfiles config file provided by upstream (jsc#PED-14837) - Make colord-color-profiles noarch since it doesn't contain binary files. ==== curl ==== Version update (8.19.0 -> 8.20.0) Subpackages: libcurl4 - Update to 8.20.0: * Security fixes: - CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631) - CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632) - CVE-2026-5773: wrong reuse of SMB connection (bsc#1262633) - CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635) - CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636) - CVE-2026-6429: curl: netrc credential leak with reused proxy connection (bsc#1262638) * Changes: - async-thrdd: use thread queue for resolving - lib: add thread pool and queue - lib: drop support for < c-ares 1.16.0 - lib: make SMB support opt-in - multi.h: add CURLMNWC_CLEAR_ALL - rtmp: drop support * Bugfixes: - altsvc: cap the list at 5,000 entries - altsvc: drop the prio field from the struct - altsvc: skip expired entries read from file - asyn-ares: connect async - asyn-ares: drop orphaned variable references - asyn-ares: fix HTTPS-lookup when not on port 443 - asyn-thrdd: drop redundant `result` check - asyn-thrdd: fix clang-tidy unused value warning - async-ares: fix query counter handling - cf-ip-happy: limit concurrent attempts - cf-socket: avoid low risk integer overflow on ancient Solaris - cfilters: fix Curl_pollset_poll() return code mixup - config2setopts: make --capath work in proxy disabled builds - cookie: fix rejection when tabs in value - curl.h: replace macros with C++-friendly method to enforce 3 args - curl_ctype.h: fix spelling in a couple of locally used macros - curl_get_line: error out on read errors - curl_get_line: fix potential infinite loop when filename is a directory - curl_ngtcp2: extend and update callbacks for 1.22.0+ - curl_ntlm_core: drop redundant PP condition - curl_ntlm_core: use wolfCrypt DES API with wolfSSL - curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard - curl_sha512_256: support delegating to wolfSSL API - curlx_now(), prevent zero timestamp - digest: pass in the username quoted (as well) - dns: https-eyeballing async - dnscache: own source file, improvements - doh: fix memory-leak when doing a second DoH resolve - doh: remove superfluous doh_req check - file: init fd to -1 to prevent close fd 0 on early failure - fopen: for temp files, inherit permissions only for owner - ftp: do not strdup DATA hostname - ftp: make the MDTM date parser stricter (again) - ftp: reject PWD responses containing control characters - generate.bat: remove extra % from VC11 and VC12 runs - genserv.pl: make external calls safe - getinfo: initialize `PureInfo` field `used_proxy` - getinfo: repair CURLINFO_TLS_SESSION - h3: HTTPS-RR use in HTTP/3 - Happy Eyeballs: add resolution time delay - hostip: clear the sockaddr_in6 structure before use - hostip: init the curl_jmpenv_lock appropriately - hostip: resolve user supplied ip addresses - HSTS: cap the list - hsts: make the HSTS read callback handle name dupes - hsts: skip expired HSTS entries read from file - hsts: when a dupe host adds subdomains, use that - http2: clear the h2 session at delete - http2: prevent secure schemes pushed over insecure connections - http2: return error on OOM in push headers - http: clear credentials better on redirect - http: clear digest nonce on cross-origin redirect - http: clear the proxy credentials as well on port or scheme change - http: fix auth_used and auth_avail - http: fix Curl_compareheader for multi value headers - http: make Curl_compareheader handle multiple commas in header - http: on 303, switch to GET - http: use header_has_value() instead of duplicate code - imap: reset the UIDVALIDITY state between transfers - lib: accept larger input to md5/hmac/sha256/sha512 functions - lib: always use Curl_1st_fatal instead of Curl_1st_err - lib: make resolving HTTPS DNS records reliable: - lib: move request specific allocations to the request struct - lib: replace `PRI*32` printf masks with C89 ones - libssh2: allocate libssh2-friendly memory in kbd_callback - libssh2: fix error handling on quote errors - libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 - libssh: path length precaution - libssh: propagate error back in SFTP function - location/follow: mention netrc - man: fix argument type for `CURLSHOPT_[UN]SHARE` options - md4, md5: switch to wolfCrypt API in wolfSSL builds - mime: only allow 40 levels of calls - misc: fix code quality findings - multi: enhance pending handles fairness - multi: fix connection retry for non-http - multi: improve wakeup and wait code - netrc: find login-less password when user is given in URL - netrc: remove unused parsenetrc() macro for netrc-disabled - netrc: skip malformed macdef lines - openssl channel_binding: lookup digest algorithm without NID - openssl: drop obsolete SSLv2 logic - openssl: fix build with 4.0.0-beta1 no-deprecated ... changelog too long, skipping 59 lines ... * Rebased patches: dont-mess-with-rpmoptflags.patch libcurl-ocloexec.patch ==== gdm ==== Subpackages: gdm-lang gdm-schema gdm-systemd gdm-xdm-integration libgdm1 typelib-1_0-Gdm-1_0 - Drop all X11/XOrg related BuildRequires: pkgconfig(x11), pkgconfig(xau), pkgconfig(xcb), pkgconfig(xdmcp), pkgconfig(xi), pkgconfig(xinerama), pkgconfig(xrandr) and pkgconfig(xorg-server). - Drop check-devel, we already have pkgconfig(check) BuildRequires. ==== gdm-branding-openSUSE ==== - [git]: Do not store *.changes as LFS object. ==== gnome-control-center ==== Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-lang gnome-control-center-user-faces gnome-control-center-users - Align with what meson setup checks for: Drop /usr/bin/Xvfb, pkgconfig(gl), pkgconfig(x11), pkgconfig(xcursor), pkgconfig(xft) and pkgconfig(xi) BuildRequires. ==== gnome-session ==== Subpackages: gnome-session-lang - [git]: Do not store *.changes as LFS object. - Drop X11, OpenGL and glib2 BuildRequires: pkgconfig(egl), pkgconfig(epoxy), pkgconfig(gio-2.0), pkgconfig(gio-unix-2.0), pkgconfig(gl), pkgconfig(glesv2), pkgconfig(glib-2.0), pkgconfig(ice), pkgconfig(sm), pkgconfig(x11), pkgconfig(xcomposite) and pkgconfig(xtrans). ==== gnome-settings-daemon ==== Subpackages: gnome-settings-daemon-lang - Drop unused pkgconfig(xi) and pkgconfig(xkbfile) BuildRequires. ==== gnome-shell ==== Subpackages: gnome-extensions gnome-shell-calendar gnome-shell-lang - Align BuildRequires with what meson setup checks for: + Add: pkgconfig(xext), pkgconfig(xfixes) and pkgconfig(xfixes) + Drop: pkgconfig(gdk-x11-3.0), pkgconfig(gnome-bluetooth-3.0), pkgconfig(gtk+-3.0), pkgconfig(libcanberra) and pkgconfig(libcanberra-gtk3) ==== gnome-software ==== Subpackages: gnome-software-lang gnome-software-plugin-packagekit - Add fdupes BuildRequires and macro, remove duplicate files. ==== mutter ==== Subpackages: mutter-lang - Align with what meson setup checks for: + Drop xvfb-run, pkgconfig(xcb-randr), pkgconfig(xkbcommon-x11), pkgconfig(xkbfile), pkgconfig(xrender) and pkgconfig(xtst) BuildRequires. + Add pkgconfig(xcb-res) and pkgconfig(xkeyboard-config-2) ==== net-tools ==== Version update (2.10+1 -> 3.14~alpha~git.20251212.7011617) Subpackages: net-tools-lang - Switch to the latest snapshot of the new active upstream: https://github.com/ecki/net-tools (jsc#PED-14308). - Update to version 3.14~alpha~git.20251212.7011617: * Merges all useful downstream contributions. Obsoletes following patches: 0007-Introduce-T-notrim-option-in-netstat.patch, net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch, net-tools-CVE-2025-46836-error-reporting.patch, net-tools-parse_hex-stack-overflow.patch, net-tools-proc_gen_fmt-buffer-overflow.patch, net-tools-ifconfig-avoid-unsafe-memcpy.patch, net-tools-ax25+netrom-overflow-1.patch, net-tools-ax25+netrom-overflow-2.patch, net-tools-ifconfig-long-name-warning.patch. * Translation updates. * Minor fixes. * Defaults changes: * Enable Bluetooth protocol family, Token ring (generic) support and SELinux support. - Prevent denial of service via terminal escape sequences injection (bsc#1254323, gh#ecki/net-tools#2109, CVE-2024-58251, net-tools-netstat-ansi-injection.patch). ==== nvidia-open-driver-G07-signed ==== - fix-objtool-warnings.patch (not applied on aarch64) * Get rid of "'naked' return found in MITIGATION_RETHUNK build" objtool warnings (boo#1212841, boo#1263834) - remove again disable-objtool-override.patch ==== nvidia-open-driver-G07-signed-cuda ==== - fix-objtool-warnings.patch (not applied on aarch64) * Get rid of "'naked' return found in MITIGATION_RETHUNK build" objtool warnings (boo#1212841, boo#1263834) - remove again disable-objtool-override.patch ==== openSUSE-release ==== Version update (20260430 -> 20260504) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== perl ==== Version update (5.42.0 -> 5.42.1) Subpackages: perl-base - update to 5.42.1 * fix transition to/from daylight savings time * fix crashes in some two-variable "for" loop cases * fix autovivification for ternary condition operators ==== python-greenlet ==== Version update (3.4.0 -> 3.5.0) - update to 3.5.0: * Remove the atexit callback. This callback caused greenlet APIs to become unavailable far too soon during interpreter shutdown. Now they remain available while all atexit callbacks run. Sometime after Py_IsFinalizing becomes true, they may begin misbehaving. Because the order in which C extensions are finalized is undefined, C extensions that are sensitive to this need to check the results of that function before invoking greenlet APIs. As a convenience, PyGreenlet_GetCurrent sets an exception and returns NULL when this happens (and greenlet.getcurrent begins returning None); other greenlet C API functions have undefined behaviour. Methods invoked directly on pre-existing greenlet.greenlet objects will continue to function at least until the greenlet C extension has been garbage collected and finalized. See PR 508. ==== qtkeychain-qt6 ==== Version update (0.15.0 -> 0.16.0) Subpackages: libqt6keychain1 qtkeychain-qt6-lang - Update to 0.16.0 * Add support for selecting backend via environment variable * Use default DBus timeout for KWallet check * Fix the crash caused by timeout when reading or writing keychain on macOS * Fix restore-after-deletion issue by creating QKeychain jobs dynamically * Add legacy support for KWallet maps * Added Swedish translation * Added Georgian translation * Fixes for various build/build system issues ==== sdl2-compat ==== Version update (2.32.66 -> 2.32.68) - Update to release 2.32.68 * Fixed gamepad rumble in Middle-earth: Shadow of Mordor and other games on Linux * Added an "SDL3_VERSION" hint that can be read by games using sdl2-compat ==== sensors ==== Subpackages: libsensors4 - Add sensors-detect-udevadm-path.patch to deal with the move of udevadm from /sbin to /usr/bin (boo#1259511). - Add pwm-fix-bad-scaling-due-to-use-of-integer-type.patch which fixes PWM values being scaled to 0-128% instead of 0-100% (boo#1255928). ==== sssd ==== Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - Add support for UsrEtc; (bsc#1257643); Add patch 0016-UsrEtc.patch - The default configuration file is installed now in /usr/etc/sssd/sssd.conf. It can be completely overridden by manually creating the system specific config file /etc/sssd/sssd.conf, or partially overridden by creating config snippets in /etc/sssd/conf.d/ directory. Check sssd.conf manpage for more details. - Use %pre scriptlet instead of %pretrans to migrate from sssd-common [bsc#1257509]. - The AD backend now uses realmd to update the machine account password. The realmd package is recommended when installing the ad backend. ==== update-alternatives ==== Version update (1.22.21 -> 1.22.22) - Fix 'dpkg' package for immutable mode (jsc#PED-14790). - Add dpkg.tmpfiles. - Update to 1.22.22 (minor bump from 1.22.21). - Changelog: * dpkg-query: Fix segfault with empty -S argument. * Perl modules: - Dpkg::OpenPGP: Do not run verify with no keyrings. - Dpkg::Shlibs::Objdump::Object: Add support for "Version References" symbols. - Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import. * Code internals: - libdpkg: Terminate zstd decompression when we have no more data. Fixes CVE-2026-2219. - Remove patch file: * CVE-2026-2219.patch * oldperl.patch This patch has been removed as Leap 15.X has reached end-of-life. ==== xf86-video-nv ==== Version update (2.1.23 -> 2.1.24) - Update to version 1.24 * Quiet -Wredundant-decls from xorg/os.h fallbacks for new libc functions * Don't try to load xaa module if not compiled with XAA support * man page: stop claiming to use XAA on Xorg 1.13 & later * Improve man page formatting * g80: Avoid segfault if AccelMethod isn't set and XAA isn't built * Strip trailing whitespace from source files * gitlab CI: drop the ci-fairy check-mr job * use XNFalloc() instead of xnfalloc * use XNFcallocarray() instead of xnfcalloc macro * g80: dont set accelmethod to xaa when xaa is disabled * nv: support 0xf0 device id range * g80/display: Annotate functions * g80/disp: preinit all heads we know in display * g80/output: update known PCI rom sigs * nv: support GT 320M....hopefully * nv/man: link the gitlab issue tracker * treewide: replace XNFcallocarray with XNFcalloc and add wrap it * FreeBSD: nv_driver: Disable check for pci driver in FreeBSD. * netbsd: Try getting the EDID via wscons if the DDC2 method fails. * netbsd: disable not-useful check for an existing kernel driver