Packages changed:
  MicroOS-release (20260207 -> 20260212)
  aaa_base (84.87+git20260112.8f614f3 -> 84.87+git20260210.ecce285)
  audit
  audit-secondary
  bash
  ca-certificates-mozilla (2.74 -> 2.84)
  checkpolicy (3.9 -> 3.10)
  coreutils
  coreutils-systemd
  createrepo_c (1.2.1 -> 1.2.2)
  ddcutil (2.2.1 -> 2.2.5)
  dracut (059+suse.787.gfb86123e -> 109+suse.37.geed860c2)
  ell (0.80 -> 0.81)
  gnutls (3.8.11 -> 3.8.12)
  gpg2
  grub2
  gstreamer (1.26.10 -> 1.28.0)
  gstreamer-plugins-bad (1.26.10 -> 1.28.0)
  gstreamer-plugins-base (1.26.10 -> 1.28.0)
  hplip
  hwinfo (25.1 -> 25.2)
  irqbalance (1.9.5.0.git+cf76396 -> 1.9.5.3.git+48ab93a)
  kernel-source (6.18.8 -> 6.18.9)
  keylime (7.13.0+55 -> 7.14.0+0)
  less (685 -> 692)
  libX11 (1.8.12 -> 1.8.13)
  libXfixes
  libblockdev (3.3.1 -> 3.4.0)
  libfontenc (1.1.8 -> 1.1.9)
  libfyaml (0.9.3 -> 0.9.4)
  libnfs
  libpng16 (1.6.54 -> 1.6.55)
  libselinux (3.9 -> 3.10)
  libselinux-bindings (3.9 -> 3.10)
  libsemanage (3.9 -> 3.10)
  libsepol (3.9 -> 3.10)
  liburing (2.13 -> 2.14)
  libwacom (2.17.0 -> 2.18.0)
  libxml2
  p11-kit (0.26.1 -> 0.26.2)
  patterns-microos
  policycoreutils (3.9 -> 3.10)
  python-SQLAlchemy (2.0.44 -> 2.0.46)
  python-maturin (1.11.2 -> 1.11.5)
  python-semanage (3.9 -> 3.10)
  python313-packaging
  rust-keylime (0.2.8+96 -> 0.2.8+116)
  sdbootutil (1+git20260206.54f4a16 -> 1+git20260210.81c4815)
  sof-firmware (2025.12 -> 2025.12.2)
  sqlite3 (3.51.1 -> 3.51.2)
  systemd-presets-branding-Aeon
  upower
  vlc
  xorg-x11-fonts

=== Details ===

==== MicroOS-release ====
Version update (20260207 -> 20260212)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== aaa_base ====
Version update (84.87+git20260112.8f614f3 -> 84.87+git20260210.ecce285)

- Update to version 84.87+git20260210.ecce285:
  * For boo#1257875 get intrinsic DEFAULT_WM back
  * DIR_COLORS: add vt220 and .jxl

==== audit ====
Subpackages: libaudit1 libauparse0

- Configure runstatedir as "/run" to get rid of systemd deprecation warnings.

==== audit-secondary ====
Subpackages: audit audit-rules python3-audit system-group-audit

- Configure runstatedir as "/run" to get rid of systemd deprecation warnings.

==== bash ====
Subpackages: bash-sh

- Remove obsolete qemu workaround

==== ca-certificates-mozilla ====
Version update (2.74 -> 2.84)

- Updated to 2.84 state (bsc#1258002)
  - Removed:
    - Baltimore CyberTrust Root
    - CommScope Public Trust ECC Root-01
    - CommScope Public Trust ECC Root-02
    - CommScope Public Trust RSA Root-01
    - CommScope Public Trust RSA Root-02
    - DigiNotar Root CA
  - Added:
    - e-Szigno TLS Root CA 2023
    - OISTE Client Root ECC G1
    - OISTE Client Root RSA G1
    - OISTE Server Root ECC G1
    - OISTE Server Root RSA G1
    - SwissSign RSA SMIME Root CA 2022 - 1
    - SwissSign RSA TLS Root CA 2022 - 1
    - TrustAsia SMIME ECC Root CA
    - TrustAsia SMIME RSA Root CA
    - TrustAsia TLS ECC Root CA
    - TrustAsia TLS RSA Root CA

==== checkpolicy ====
Version update (3.9 -> 3.10)

- Update to version 3.10
  https://github.com/SELinuxProject/selinux/releases/tag/3.10
  - Fix problem with bounds statements in optional blocks
  - Provide a better error message for implicit role and user bounds
  - Allow type attributes to be associated with other type attributes
  - checkpolicy/tests: Modify tests to check handling of initial sids
- keyring: Add key of Jason Zaman
  * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08]

==== coreutils ====
- Skip env-signal-handler test in qemu emulation

==== coreutils-systemd ====
- Skip env-signal-handler test in qemu emulation

==== createrepo_c ====
Version update (1.2.1 -> 1.2.2)
Subpackages: libcreaterepo_c1 python3-createrepo_c

- Update to version 1.2.2:
  + Don't try to use imported targets of turned-off dependencies
  + cmake: Allow builds without Doxygen being present with CMake 4+
  + Use RPMTAG_SHA1HEADER instead of RPMTAG_HDRID
  + Do not build python docs unless python is enabled
- Drop createrepo_c-1.2.1-cmake4.patch: fixed upstream.

==== ddcutil ====
Version update (2.2.1 -> 2.2.5)

- Update to 2.2.5
  * Bugfixes
    - Fixes FTBFS on aarch64
  * Changes
    - Updates related to detecting and reporting display connection and disconnection
- 2.2.3 -> 2.2.4
  * Bugfixes
    - Display selection has been reworked to be more flexible, while also simpler internally
    - "eDP" is once again an (almost) absolute indicator of a laptop display which can be excluded from further processing. To handle the error case where "eDP" is in the name for an external display, option --edp-ambiguous has been added
    - Segfault in the capabilities command when parsing a malformed capabilities string returned by a monitor.
    - Very slow response when the EDID is obtained from /sys but is not readable using I2C.
  * Changes
    - Option --edid. If the value given starts with "...", the remainder of the value is some number of hex digits.
    - Added option --ignore-bus. Specifies the number of a /dev/i2c bus that should be completely ignored, providing a workaround for obscure bugs.
- 2.2.1 -> 2.2.3
  * Bugfixes
    - Starting with release 2.2.0, verification on command setvcp and API functions that set a feature value did not occur, even if option --verify was explicitly given. As a result of this fix, scripts and applications that hitherto appeared to succeed when setting a feature value may now fail the operation because of verification.
    - Command getvcp --verbose: output was partially in a format intended for syslog.
    - Fix permission denied errors and incorrectly formed path name for examining /sys/class/drm with environment --verbose
    - Fix out-of-tree build reference to generated file /src/base/build_details.h (gh#rockowitz/ddcutil#544)
    - Fix FTBFS when --disable-drm set
    - configure option --disable-drm forces --disable-watch-displays
  * Changes
    - Relax the check of the device class when determining if a device is a video controller (gh#rockowitz/ddcutil#530)
    - Additional messages reporting configuration file errors
    - If possible, obtain the list of PNP ids from /usr/share/hwdata/pnp.ids instead of using a hardcoded list. Affects output of command detect.
    - Reword the parser explanation of options --verify and --noverify for clarity.

==== dracut ====
Version update (059+suse.787.gfb86123e -> 109+suse.37.geed860c2)
Subpackages: dracut-ima

- Update to version 109+suse.37.geed860c2:
  * fix(dracut): remove wrong auto-detection logic for output file (bsc#1258071)
  * feat(dracut-install): do not return non-zero if a dependency cannot be resolved (bsc#1258038)
- Update to version 109+suse.35.g1fdbb27e:
  Switch from https://github.com/dracutdevs/dracut to
  https://github.com/dracut-ng/dracut-ng
  Full list of changes:
  * https://github.com/dracut-ng/dracut-ng/releases/tag/109
  * https://github.com/dracut-ng/dracut-ng/releases/tag/108
  * https://github.com/dracut-ng/dracut-ng/releases/tag/107
  * https://github.com/dracut-ng/dracut-ng/releases/tag/106
  * https://github.com/dracut-ng/dracut-ng/releases/tag/105
  * https://github.com/dracut-ng/dracut-ng/releases/tag/104
  * https://github.com/dracut-ng/dracut-ng/releases/tag/103
  * https://github.com/dracut-ng/dracut-ng/releases/tag/102
  * https://github.com/dracut-ng/dracut-ng/releases/tag/101
  * https://github.com/dracut-ng/dracut-ng/releases/tag/100
  * https://github.com/dracut-ng/dracut-ng/releases/tag/060
  The most important ones had already been backported to 059, see:
  * https://github.com/openSUSE/dracut/blob/SUSE/059/suse/README.susemaint
  Additional openSUSE-specific changes and post-release fixes:
  * fix(systemd-networkd): check if units exist before enabling them
  * feat(systemd-import): introducing the systemd-import module
  * fix(systemd-networkd): install and enable systemd-networkd-resolve-hook.socket
  * feat(systemd): install new dlopened libraries
  * fix(dracut-systemd): do not error out with new root= options handled by systemd
  * fix(systemd-pcrphase): do not print an error if an optional binary is not found
  * fix(dracut): avoid calling dwarning before dracut-logger is sourced
  * chore(suse): accommodate to the new Git workflow
  * fix(dracut.spec): switch to tmpfiles based file creation
  * fix(nfs): do not execute logic in nfs hooks if netroot is not nfs
  * feat(dracut): print $initrdname with --printconfig
  * fix(dracut): --printconfig does not work without --force
  * feat(network-manager): add systemd generator if available
  * fix(nfs): set the default group of the rpcbind user to the state dir
  * perf(nfs): remove references to old rpcbind state dir
  * fix(dracut-systemd): use expected PS1 in the emergency shell
  * feat(dracut-systemd): add back and fix printing fs help in the emergency shell
  * fix(qemu-net): in hostonly mode, only install if network is needed
  * feat(resume): add openSUSE-specific sanity check
  * perf(resume): do not search cmdline options in /etc/cmdline{,.d}
  * perf(resume): do not attempt to install systemd-hibernate-resume@.service
  * fix(rngd): revert changes that removed the custom systemd service
  * chore(suse): add openSUSE-specific spec, conf and doc
  * fix(systemd-pcrphase): revert changes related to inclusion and dependencies
  * fix(plymouth): avoid warning if /etc/plymouth/plymouthd.conf is not present
  * fix(lsinitrd, dracut-initramfs-restore): detect initrd for BLS Type #1 entries
  * ci: change openSUSE code owners
  * fix(dracut.sh): improve detection of installed kernel versions
  * feat: add openSUSE-specific code related to networking
  * feat(tpm2-tss): add openSUSE support
  * feat(pcsc): add openSUSE support
  * feat(convertfs): add openSUSE-specific code
  * feat(fips): add openSUSE-specific code
  * chore(suse): add openSUSE-specific modules

==== ell ====
Version update (0.80 -> 0.81)

- Update to version 0.81
  * Fix issue with systemd watchdog protocol handling.

==== gnutls ====
Version update (3.8.11 -> 3.8.12)

- Update to 3.8.12:
  * Security fixes:
    - CVE-2026-1584: NULL pointer dereference in PSK binder verification (bsc#1257978)
    - CVE-2025-14831: Fix name constraint processing performance issue (bsc#1257960)
  * libgnutls: Fix NULL pointer dereference in PSK binder verification
    A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello could lead to a denial of service attack via crashing the server. The updated code guards against the problematic dereference.
    [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
  * libgnutls: Fix name constraint processing performance issue
    Verifying certificates with pathological amounts of name constraints could lead to a denial of service attack via resource exhaustion. Reworked processing algorithms exhibit better performance characteristics.
    [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
  * libgnutls: Fix multiple unexploitable overflows (#1783, #1786).
  * libgnutls: Fall back to thread-unsafe module initialization
    Improve fallback handling for PKCS#11 modules that don't support thread-safe initialization (#1774). Also return filename from p11_kit_module_get_name() for unconfigured modules.
  * libgnutls: Accept NULL as digest argument for gnutls_hash_output
    The accelerated implementation of gnutls_hash_output() now properly accepts NULL as the digest argument, matching the behavior of the reference implementation (#1769).
  * srptool: Avoid a stack buffer overflow when processing large SRP groups (#1777).
  * Rebase patches:
    - gnutls-FIPS-jitterentropy.patch
    - gnutls-FIPS-140-3-references.patch

==== gpg2 ====
- Fix Y2K38 FTBFS:
  * gpg2 quick-key-manipulation test FTBFS-2038 (bsc#1251214)
  * Upstream issue: dev.gnupg.org/T8096
  * Add gnupg-gpgscm-New-operator-long-time-t-to-detect-proper-tim.patch

==== grub2 ====
Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls

- Fix error "grub-core/script/lexer.c:352:out of memory" after PowerPC CAS Reboot (bsc#1254299)
  * 0001-Fix-PowerPC-CAS-reboot-to-evaluate-menu-context.patch
- Fix screen flickering in BLS due to rendering graphical and text terminals at the same time (bsc#1256480)
- Add automatic fwsetup menu entry in BLS
  * 0001-bls-Allow-configuration-of-active-console-type.patch
  * 0002-grubbls-Add-automatic-fwsetup-menu-entry.patch
- Add efifwsetup module to EFI BLS image

==== gstreamer ====
Version update (1.26.10 -> 1.28.0)
Subpackages: libgstreamer-1_0-0

- Update to version 1.28.0:
  + Highlights:
    - AMD HIP plugin and integration helper library
    - Vulkan Video AV1 and VP9 decoding, H.264 encoding, and 10-bit support for H.265 decoder
    - waylandsink: Parse and set the HDR10 metadata and other color management improvements
    - Audio source separation element based on demucs in Rust
    - Analytics combiner and splitter elements plus batch meta to batch buffers from one or more streams
    - LiteRT inference element; move modelinfo to analytics lib; add script to help with modelinfo generation and upgrade
    - Add general classifier tensor-decoder, facedetector, and more analytics convenience API
    - New tensordecodebin element to auto-plug compatible tensor decoders based on their caps and many other additions and improvements
    - Add a burn-based YOLOX inference element and a YOLOX tensor decoder in Rust
    - applemedia: VideoToolbox VP9 and AV1 hardware-accelerated decoding support, and 10-bit HEVC encoding
    - Add new GIF decoder element in Rust with looping support
    - input-selector: implements a two-phase sinkpad switch now to avoid races when switching input pads
    - The inter wormhole sink and source elements gained a way to forward upstream events to the producer as well as new fine-tuning properties
    - webrtcsink: add renegotiation support and support for va hardware encoders
    - webrtc WHEP client and server signaller
    - New ST-2038 ancillary data combiner and extractor elements
    - fallbacksrc gained support for encoded streams
    - flv: enhanced rtmp H.265 video support, and support for multitrack audio
    - glupload: Implement udmabuf uploader to share buffers between software decoders/sources and GPUs, display engines (wayland), and other dma devices
    - video: Add crop, scale, rotate, flip, shear and more GstMeta transformation
    - New task pool GstContext to share a thread pool amongst elements for better resource management and performance, especially for video conversion and compositing
    - New Deepgram speech-to-text transcription plugin and many other translation and transcription improvements
    - Speech synthesizers: expose new "compress" overflow mode that can speed up audio while preserving pitch
    - ElevenLabs voice cloning element and support for Speechmatics speaker identification API
    - textaccumulate: new element for speech synthesis or translation preprocessing
    - New vmaf element to calculate perceptual video quality assessment scores using Netflix's VMAF framework
    - decodebin3: expose KLV, ID3 PES and ST-2038 ancillary data streams with new metadata GstStream type
    - New MPEG-H audio decoding plugin plus MP4 demuxing support
    - LCEVC: Add autoplugging decoding support for LCEVC H265 and H266 video streams and LCEVC H.265 and H.266 encoders
    - RTP "robust MPEG audio", raw audio (L8, L16, L24), and SMPTE ST291 ancillary metadata payloaders/depayloaders in Rust
    - Add a Rust-based icecastsink element with AAC support
    - The Windows IPC plugin gained support for passing generic data in addition to raw audio/video, and various properties
    - New D3D12 interlace and overlay compositor elements, plus many other D3D12 improvements
    - Blackmagic Decklink elements gained support for capturing and outputting all types of VANC via GstAncillaryMeta
    - GstLogContext API to reduce log spam in several components and `GST_DEBUG_ONCE` (etc) convenience macros to log things only once
    - hlssink3, hlscmafsink: Support the use of a single media file, plus I-frame only playlist support
    - Webkit: New wpe2 plugin making use of the "WPE Platform API"
    - MPEG-TS demuxer can now disable skew corrections
    - New Qt6 QML render source element
    - qml6gloverlay: support directly passing a QQuickItem for the QML render tree
    - unifxfdsink: Add a property to allow copying to make sink usable with more upstream elements
    - dots-viewer: Improve dot file generation and interactivity
    - Python bindings: more syntactic sugar, analytics API improvements and type annotations
    - cerbero: add support for Python wheel packaging, Windows ARM64, new iOS xcframework, Gtk4 on macOS and Windows, and more plugins
    - Smaller binary sizes of Rust plugins in Windows and Android binary packages
    - Peel: New C++ bindings for GStreamer
    - Lots of new plugins, features, performance improvements and bug fixes
    - Countless bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements

==== gstreamer-plugins-bad ====
Version update (1.26.10 -> 1.28.0)
Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0

- Also build libgsthip-1_0-0 as biarch -32bit library.
- Update to version 1.28.0:
  + Please see changes in gstreamer main package.
- Pass mpeghdec=disabled to meson setup, mpeghdec dependency is not yet available in openSUSE.
- Pass tflite=disabled to meson setup, tflite dependency is not yet available in openSUSE.
- Pass wpe2=disabled to meson setup, dependencies only partly available in openSUSE so far.
- Add new sub-packages: libgsthip-1_0-0, typelib-1_0-GstHip-1_0 and typelib-1_0-GstHipGL-1_0

==== gstreamer-plugins-base ====
Version update (1.26.10 -> 1.28.0)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0

- Update to version 1.28.0:
  + Please see changes in gstreamer main package.

==== hplip ====
Subpackages: hplip-common hplip-cups hplip-driver-hpcups libhplip0

- Fix PPD lookup by moving PPDs from manufacturer-PPDs/hplip-fax to manufacturer-PPDs/hplip/fax etc (boo#1257529)

==== hwinfo ====
Version update (25.1 -> 25.2)
Subpackages: libhd25

- merge gh#openSUSE/hwinfo#176
- fix compiler warnings (bsc#1257658)
- 25.2
- merge gh#openSUSE/hwinfo#174
- docs: Updates source repository URL to GitHub(#131)
- merge gh#openSUSE/hwinfo#173
- fix: incorrect format specifier for sizeof in logging(#140)
- merge gh#openSUSE/hwinfo#172
- fix: file descriptor not closes after WLAN scan(#166)
- merge gh#openSUSE/hwinfo#171
- resolve memory leaks in net, monitor and hddb

==== irqbalance ====
Version update (1.9.5.0.git+cf76396 -> 1.9.5.3.git+48ab93a)

- Update to version 1.9.5.3.git+48ab93a:
  * Change warnings about un-affine-able irqs to LOG_DEBUG
  * Fix irqbalance for Xen virtual event interrupts

==== kernel-source ====
Version update (6.18.8 -> 6.18.9)

- mm, shmem: prevent infinite loop on truncate race (git-fixes).
- commit 6d9f8a8
- Linux 6.18.9 (bsc#1012628).
- readdir: require opt-in for d_type flags (bsc#1012628).
- btrfs: zlib: fix the folio leak on S390 hardware acceleration (bsc#1012628).
- can: at91_can: Fix memory leak in at91_can_probe() (bsc#1012628).
- Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work (bsc#1012628).
- Bluetooth: MGMT: Fix memory leak in set_ssp_complete (bsc#1012628).
- net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() (bsc#1012628).
- can: gs_usb: gs_usb_receive_bulk_callback(): fix error message (bsc#1012628).
- net: bcmasp: fix early exit leak with fixed phy (bsc#1012628).
- octeon_ep: Fix memory leak in octep_device_setup() (bsc#1012628).
- bonding: annotate data-races around slave->last_rx (bsc#1012628).
- sfc: fix deadlock in RSS config read (bsc#1012628).
- net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins() (bsc#1012628).
- ipv6: use the right ifindex when replying to icmpv6 from localhost (bsc#1012628).
- net: wwan: t7xx: fix potential skb->frags overflow in RX path (bsc#1012628).
- net/mlx5: Fix return type mismatch in mlx5_esw_vport_vhca_id() (bsc#1012628).
- rocker: fix memory leak in rocker_world_port_post_fini() (bsc#1012628).
- mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() (bsc#1012628).
- net: spacemit: Check for netif_carrier_ok() in emac_stats_update() (bsc#1012628).
- nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame() (bsc#1012628).
- bonding: fix use-after-free due to enslave fail after slave array update (bsc#1012628).
- ixgbe: fix memory leaks in the ixgbe_recovery_probe() path (bsc#1012628).
- ixgbe: don't initialize aci lock in ixgbe_recovery_probe() (bsc#1012628).
- ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues (bsc#1012628).
- ice: stop counting UDP csum mismatch as rx_errors (bsc#1012628).
- net/mlx5e: TC, delete flows only for existing peers (bsc#1012628).
- net/mlx5e: Account for netdev stats in ndo_get_stats64 (bsc#1012628).
- nfc: nci: Fix race between rfkill and nci_unregister_device() (bsc#1012628).
- net: bridge: fix static key check (bsc#1012628).
- net/mlx5e: don't assume psp tx skbs are ipv6 csum handling (bsc#1012628).
- net: phy: micrel: fix clk warning when removing the driver (bsc#1012628).
- net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect (bsc#1012628).
- net/mlx5: Initialize events outside devlink lock (bsc#1012628).
- net/mlx5: Fix vhca_id access call trace use before alloc (bsc#1012628).
- net/mlx5e: Skip ESN replay window setup for IPsec crypto offload (bsc#1012628).
- wifi: mac80211: parse all TTLM entries (bsc#1012628).
- wifi: mac80211: apply advertised TTLM from association response (bsc#1012628).
- wifi: mac80211: correctly decode TTLM with default link map (bsc#1012628).
- scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() (bsc#1012628).
- ASoC: soc-acpi-intel-ptl-match: fix name_prefix of rt1320-2 (bsc#1012628).
- drm/xe: Skip address copy for sync-only execs (bsc#1012628).
- ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion (bsc#1012628).
- gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler (bsc#1012628).
- gpio: virtuser: fix UAF in configfs release path (bsc#1012628).
- drm/amd/pm: fix race in power state check before mutex lock (bsc#1012628).
- gpio: brcmstb: correct hwirq to bank map (bsc#1012628).
- kbuild: rpm-pkg: Generate debuginfo package manually (bsc#1012628).
- kbuild: Fix permissions of modules.builtin.modinfo (bsc#1012628).
- of/reserved_mem: Simplify the logic of fdt_scan_reserved_mem_reg_nodes() (bsc#1012628).
- of: reserved_mem: Allow reserved_mem framework detect "cma=" kernel param (bsc#1012628).
- bcache: fix improper use of bi_end_io (bsc#1012628).
- bcache: use bio cloning for detached device requests (bsc#1012628).
- bcache: fix I/O accounting leak in detached_dev_do_request (bsc#1012628).
- dma/pool: distinguish between missing and exhausted atomic pools (bsc#1012628).
- drm/xe/configfs: Fix is_bound() pci_dev lifetime (bsc#1012628).
- drm/xe/nvm: Manage nvm aux cleanup with devres (bsc#1012628).
... changelog too long, skipping 122 lines ...
- commit 3cd0051

==== keylime ====
Version update (7.13.0+55 -> 7.14.0+0)
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python313-keylime

- Update to version 7.14.0+0 (CVE-2026-1709, bsc#1257895):
  * Bump version to 7.14.0
  * verifier: Delete sessions from the DB and then from the cache
  * authentication: Do not persist plaintext tokens
  * crypto: Add operation to calculate the hash of a token
  * Fix session management bugs and improve security
  * authorization: Add documentation explaining authorization framework
  * authorization: Add unit tests
  * authorization: Add metadata to routes with auth requirement
  * authorization: Integrate authorization to action_handler
  * authorization: Add access requirement metadata to all routes
  * authorization: Add authorization provider manager
  * authorization: Add pluggable authorization provider framework
  * keylime_oneshot_attestation: Fix measured boot log encoding
  * tenant: Log the API version used to communicate with the agent
  * tenant: Negotiate API version with the registrar
  * scripts: Do not take TPM ownership
  * scripts: Remove verifier key parameters from keylime_oneshot_attestation
  * /verify/evidence: Return error 400 if no policy is provided
  * tpm: handle policies provided as empty strings
  * /verify/evidence: Require a policy for TPM evidence type
  * ima: Fix deserialization of empty runtime policy
  * scripts: Fix keylime_oneshot_attestation for API v2.5
  * [Automatic] Update Keylime base image 2026-02-03
  * tpm_engine: Fix evidence_class filtering for ima_log
  * tpm_engine: Move _add_error() calls to self.attestation
  * tpm_engine: Validate that available_subjects is a dict
  * verifier: Add missing identity controller and fix routing mixup
  * templates: Remove unused agent options, fixed incorrect ones
  * templates: Add missing options to the templates
  * templates: Fix values to be TOML compatible
  * tests: Add unit tests for negotiate_version
  * verifier: Only check for version downgrade after first attestation
  * docs: Fix documentation regarding behavior of /verify/evidence
  * docs: Update v2.5 doc with new agent /version behavior
  * tenant, verifier: Implement API version negotiation
  * Introduce new API version v2.5
  * Fix HTTP 500 error when accessing attestations for agents with no records
  * Remove @Controller.require_json_api from GET attestations endpoints
  * mba: Fix linting warnings on measured boot code
  * CI: Update e2e test plan with new tests
  * CI: Switch code coverage measurement to Fedora43
  * workflows: Separate upstream test suite from e2e coverage

==== less ====
Version update (685 -> 692)

- update to 692:
  * Revert HOME key to scroll to beginning of file and END key to scroll to end of file (#658)
  * Configure tty to leave CR and NL unmodified (#703)
  * Add commands to lesskey parser (forw-bell-hilite, goto-pos and osc8-jump)
  * Add key sequences to lesskey parser (\kE, \kF, \kH, \kI, \kM, and \kS)
  * Fix bug using negative value with -z option (#709)
  * Fix bug handling empty terminfo capabilities (#710)
  * Fix memory leak in setupterm (#707)
  * Make lesstest ignore system locale (nl_langinfo) (#708)
- includes 691:
  * Add --autosave option (#678)
  * Add ESC-f command (#680)
  * Add column number to long prompt and = message.
  * Add prompt prototype sequences %C, %W, %Q and ?Q (#685)
  * Map keypad keys, and use terminfo rather than termcap since keypad definitions don't exist in termcap (#650)
  * Change HOME key to scroll fully left and END key to scroll fully right. Add shift-HOME and ctrl-HOME to scroll left and jump to top, and add shift-END and ctrl-END to scroll right and jump to end (#658)
  * Add LESSNOCONFIG environment variable.
  * Add --without-termlib to configure (#701)
  * When setting line number colors (-DN), don't force bold attribute. To set bold, you must append "d" or "*" to the color string (#684)
  * While waiting for file data, only ^C or ^X will interrupt, not any command.
    This reverts to behavior that existed before less-670 (#700)
  * When --save-marks is not used, retain any marks saved in the history file (#662)
  * Defer sending the terminal init string until the first char is read from the input file (#682)
  * Make SIGHUP do an orderly exit like SIGTERM.
  * Implement modeline handling in Windows build.
  * Fix bugs and improve behavior of screen resize on Windows.
  * Fix bug when entering search modifier key at start of non-empty search string (#668)
  * Fix bug repainting screen with --form-feed (#672)
  * Fix bugs passing invalid negative values to some command line options (#675)
  * Fix incorrect display of Lit indicator (#670)
  * Fix incorrect display when returning to a mark after resizing window (#681)
  * Fix bug using --pattern with --incsearch (#696)
  * Disallow mouse click to open OSC8 link in SECURE mode (#676)
  * Add SECURE_COMPILE environment variable for Windows builds.
  * Update Unicode tables.
- don't autoreconf again
- explicitly list files
- remove chmod hack
- remove funcs.h rebuild

==== libX11 ====
Version update (1.8.12 -> 1.8.13)
Subpackages: libX11-6 libX11-data libX11-xcb1

- Update to 1.8.13; this release includes
  * Ignore XkbMapNotify events that don't belong to the core keyboard (!293)
  * xkb: Fix invalid level names count for key types without level names (!292)
  * xkb: Fix default key types (!292)
  * xkb: fix include of config.h and drop unused DEBUG check (!290)
  * xcb_io: fix build with configure --disable-xthreads (#232, !289)
  * Improve man page formatting (!286)
  * imDefIc: Clear fabricated state on unfocus. (!283)
  * Avoid memory leak in XKeysymToString (!282)
- supersedes libX11-ignore-incompatible-XkbMapNotify.patch

==== libXfixes ====
- re-added tarball signature and keyring

==== libblockdev ====
Version update (3.3.1 -> 3.4.0)
Subpackages: libbd_crypto3 libbd_fs3 libbd_loop3 libbd_lvm3 libbd_mdraid3 libbd_nvme3 libbd_part3 libbd_smart3 libbd_swap3 libbd_utils3 libblockdev3

- Update to version 3.4.0:
  + bd_nvme_connect() now defaults to port 4420 or 8009 for discovery NQN respectively when the transport_svcid argument is not specified.

==== libfontenc ====
Version update (1.1.8 -> 1.1.9)

- update to 1.1.9
  * configure: Use pkg-config to handle zlib dependency if possible
  * meson: Add option to build with meson
  * gitlab CI: drop the ci-fairy check-mr job
- switch to meson

==== libfyaml ====
Version update (0.9.3 -> 0.9.4)

- Update to 0.9.4
  * Major: Full Windows Support
  * Major: Comment Support Now Stable
  * API Additions:
    + fy_node_set_style(): Set the style of a node (block, flow, plain, etc.) - Fixes #78
    + fy_token_set_comment(): Attach comments to tokens programmatically
    + fy_event_to_string(): Convert events to string representation
    + fy_diag_get_collect_errors(): Query if error collection is enabled
    + fy_atom_lines_containing(): Get lines containing an atom (useful for diagnostics)
  * Critical Fixes:
    + Token creation now properly clears memory (prevents UB on invalid input)
    + Reference loop nesting now respected when checking link validity
    + Fixed crash when setting document root to NULL; input size clamping fix
    + Walk expression bugs with improved debug infrastructure
    + Early error on FYECF_EXTENDED_CFG with helper emit methods
    + Walk double-free on node delete
    + Walk error path handling for recursive alias resolution
    + Off-by-one error in fy_accel_grow
    + Parser crash on corrupted UTF-8 at end of file
    + Superfluous document end marker with version/tag directives
    + Depth limit for node copy (prevents stack overflow)
  * Other Fixes:
    + Document root now correctly marked as attached
    + Emit state reset at end of document (fixes multi-document streams)
    + Flow quoting error on ANY style
    + Empty file/stream handling on various platforms
    + Removed notice for multiple alias declarations (valid YAML)

==== libnfs ====
- fix build with glibc 2.43 boo#1257260
  add libnfs-5.0.3-glibc-2_43.patch

==== libpng16 ====
Version update (1.6.54 -> 1.6.55)

- version update to 1.6.55:
  * Fixed CVE-2026-25646 (high severity): Heap buffer overflow in `png_set_quantize`. (Reported and fixed by Joshua Inscoe.)
  * Resolved an oss-fuzz build issue involving nalloc. (Contributed by Philippe Antoine.)
- fixes [bsc#1258020] ==== libselinux ==== Version update (3.9 -> 3.10) Subpackages: libselinux1 selinux-tools - Update to version 3.10 https://github.com/SELinuxProject/selinux/releases/tag/3.10 * libselinux: fix parsing of the enforcing kernel cmdline parameter * libselinux: remove out2 labels * libselinux: refactor selinux_getenforcemode * libselinux: load_policy: log using selinux_log instead of fprintf * libselinux: refactor selinux_check_securetty_context * libselinux: Ignore files removed during relabeling * libselinux/src/Makefile: build python module without isolation - keyring: Add key of Jason Zaman * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08] ==== libselinux-bindings ==== Version update (3.9 -> 3.10) - Update to version 3.10 https://github.com/SELinuxProject/selinux/releases/tag/3.10 * libselinux: fix parsing of the enforcing kernel cmdline parameter * libselinux: remove out2 labels * libselinux: refactor selinux_getenforcemode * libselinux: load_policy: log using selinux_log instead of fprintf * libselinux: refactor selinux_check_securetty_context * libselinux: Ignore files removed during relabeling * libselinux/src/Makefile: build python module without isolation - keyring: Add key of Jason Zaman * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08] ==== libsemanage ==== Version update (3.9 -> 3.10) Subpackages: libsemanage-conf libsemanage2 - Update to version 3.10 https://github.com/SELinuxProject/selinux/releases/tag/3.10 * libsemanage: get_home_dirs: cleanup parsing of values from conf files * libsemanage: semanage_store: recursively create SEMANAGE_ROOT - keyring: Add key of Jason Zaman * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08] ==== libsepol ==== Version update (3.9 -> 3.10) - Update to version 3.10 https://github.com/SELinuxProject/selinux/releases/tag/3.10 * libsepol: fix TARGET and LIBSO on Darwin * libsepol: add bpf_token_perms polcap * libsepol: Fix erroneous genfscon 
    asterisks
  * libsepol: Fix sid handling when writing out policy from binary
  * libsepol: Fix an error in the policyd validation of user datums
  * libsepol: Fix processing of levels for user rule in an optional block
  * libsepol: Fix problem with handling type attributes in role-types rule
  * libsepol: Expand role attributes when expanding instead of when linking
  * libsepol: Fix expand_role_attributes_in_attributes()
  * libsepol: Allow type attributes to be associated with other type attributes
  * libsepol: Tighten checks on MLS range and level when validating
  * libsepol: Check for an unset sensitivity in module_to_cil
  * libsepol: Handled required users in module_to_cil
  * libsepol: Fix potential NULL dereference in policydb_read()
  * libsepol: Fix potential use of an uninitialized value in link.c
  * libsepol: Fix possible use-after-free when expanding attributes
  * libsepol: Support functionfs_seclabel policycap
  * libsepol: add memfd_class capability
- keyring: Add key of Jason Zaman
  * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08]

==== liburing ====
Version update (2.13 -> 2.14)
- update to 2.14:
  * updates to man pages, the entire liburing API is now documented
  * updates to tests
  * various bug fixes

==== libwacom ====
Version update (2.17.0 -> 2.18.0)
Subpackages: libwacom-data libwacom9
- Update to version 2.18.0
  * New devices:
    - Added Lenovo ThinkVision M14t Gen2
    - XP Pen Deco02
    - Huion Kamvas Pro 19 (4K) (GT1902)
  * Device fixes:
    - drop the firmware match for the Huion Kamvas 13 GS1333
    - fix the Huion Inspiroy Q620M layout
    - add bluetooth match for the XP-Pen Deco MW
    - Update huion-hs611.tablet
    - Update huion-inspiroy-q620m.tablet
  * Device other:
    - libwacom_stylus_is_generic() to detect generic styli

==== libxml2 ====
Subpackages: libxml2-16 libxml2-tools
- security update
- added patches CVE-2026-1757 [bsc#1257593], memory leak in the `xmllint` interactive shell
  * libxml2-CVE-2026-1757.patch
- security update
- added patches CVE-2025-10911
  [bsc#1250553], use-after-free with key data stored cross-RVT
  * libxml2-CVE-2025-10911.patch

==== p11-kit ====
Version update (0.26.1 -> 0.26.2)
Subpackages: libp11-kit0 p11-kit-tools
- Update to 0.26.2
  rpc: CVE-2026-2100: NULL dereference via C_DeriveKey with specific NULL parameters (bsc#1257820)

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-base patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-desktop-common patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap
- Remove mentions to libdnf-plugin-txnupd from base-packagekit. This is now obsolete with the switch to DNF5. (boo#1257508)

==== policycoreutils ====
Version update (3.9 -> 3.10)
Subpackages: policycoreutils-python-utils python313-policycoreutils
- Update to version 3.10
  https://github.com/SELinuxProject/selinux/releases/tag/3.10
  * setfiles: Add -A option to disable SELINUX_RESTORECON_ADD_ASSOC
  * semanage: Reset active value when deleting boolean customizations
  * python/sepolicy: Add support for DNF5
  * Man page improvements
- keyring: Add key of Jason Zaman
  * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08]
- Move /var/lib/sepolgen/perm_map to /usr/share/sepolgen and create a symlink instead (boo#1233024)

==== python-SQLAlchemy ====
Version update (2.0.44 -> 2.0.46)
- Update to version 2.0.46
  * Add BuildRequires for
    - python-pytest-cov
  * Reinstate tests
    - test_parseconnect
    - CreateEngineTest
    - test_bad_args
    These tests are passing with version 2.0.46
  * Change version numbers according to specification
  * Changelog: https://docs.sqlalchemy.org/en/21/changelog/changelog_20.html#change-2.0.46
- Changes in version 2.0.45
  * Changelog:
    https://docs.sqlalchemy.org/en/21/changelog/changelog_20.html#change-2.0.45

==== python-maturin ====
Version update (1.11.2 -> 1.11.5)
- Update to 1.11.5
  * Allow combining --compatibility pypi with other --compatibility values
- Update to 1.11.4
  * Support armv6l and armv7l in pypi compatibility
  * Improve the reliability of maturin's own CI
- Add CVE-2026-25727.patch to bump time crate to 0.3.47 to fix CVE-2026-25727 (bsc#1257918)

==== python-semanage ====
Version update (3.9 -> 3.10)
- Update to version 3.10
  https://github.com/SELinuxProject/selinux/releases/tag/3.10
  * libsemanage: get_home_dirs: cleanup parsing of values from conf files
  * libsemanage: semanage_store: recursively create SEMANAGE_ROOT
- keyring: Add key of Jason Zaman
  * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08]

==== python313-packaging ====
- Add pythons_for_pypi macro. This macro will help to build the python minimal stack for different python versions.

==== rust-keylime ====
Version update (0.2.8+96 -> 0.2.8+116)
- Update vendored crates (bsc#1257908, CVE-2026-25727)
  * time 0.3.47
- Update to version 0.2.8+116:
  * build(deps): bump bytes from 1.7.2 to 1.11.1
  * api: Modify /version endpoint output in version 2.5
  * Add API v2.5 with backward-compatible /v2.5/quotes/integrity
  * tests: add unit test for resolve_agent_id (#1182)
  * (pull-model): enable retry logic for registration
  * rpm: Update specfiles to apply on master
  * workflows: Add test to detect unused crates
  * lib: Drop unused crates
  * push-model: Drop unused crates
  * keylime-agent: Drop unused crates
  * build(deps): bump uuid from 1.18.1 to 1.19.0
  * Update reqwest-retry to 0.8, retry-policies to 0.5
  * rpm: Fix cargo_build macro usage on CentOS Stream
  * fix(push-model): resolve hash_ek uuid to actual EK hash
  * build(deps): bump thiserror from 2.0.16 to 2.0.17
  * workflows: Separate upstream test suite from e2e coverage
  * Send UEFI measured boot logs as raw bytes (#1173)
  * auth: Add unit tests for SecretToken
    implementation
  * packit: Enable push-attestation tests
  * resilient_client: Prevent authentication token leakage in logs

==== sdbootutil ====
Version update (1+git20260206.54f4a16 -> 1+git20260210.81c4815)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit
- Update to version 1+git20260210.81c4815:
  * Recover old predictions if service fails
- Update to version 1+git20260210.1bc4b9e (bsc#1257612):
  * Limit kernel measures because combinatorial explosion

==== sof-firmware ====
Version update (2025.12 -> 2025.12.2)
- update to 2025.12.2:
  * 2 totally new DSP topologies (Intel Panther Lake and newer).
  * 22 totally new DSP topologies for Intel PTL, WCL, LNL and MTL based products

==== sqlite3 ====
Version update (3.51.1 -> 3.51.2)
- Update to version 3.51.2:
  * Fix an obscure deadlock in the new broken-posix-lock detection logic.
  * Fix multiple problems in the EXISTS-to-JOIN optimization.
  * Other minor bug fixes.

==== systemd-presets-branding-Aeon ====
- Re-number role/sub-distro preset to 87 (SUSE default is 95, openSUSE sub is 90, display managers will be 85 - systemd counts down regardless of directory)

==== upower ====
Subpackages: libupower-glib3
- Mark /var/lib/upower as ghost (jsc#PED-14851)
  This is created at runtime via systemd upower.service nowadays
- Add NEWS and HACKING.md to %docs
- Fix rpmlint warning by correcting changelog:
  [ 47s] upower.spec:252: W: non-break-space line 252, char 70

==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-noX vlc-qt
- Replace the content of vlc-gstreamer-1.28-build-fix.patch with the upstream proposed variant from https://code.videolan.org/videolan/vlc/-/merge_requests/8479
- Fix build with gstreamer 1.28: vlc-gstreamer-1.28-build-fix.patch
- Disable faad support on Leap 15.x, unless in BUILD_ORIG case (3rd party repos): faad2 does not exist in Leap 15.x.

==== xorg-x11-fonts ====
- font-alias 1.0.6
  * Add a meson build system
  * gitlab CI: drop the ci-fairy check-mr job