Packages changed:
  ca-certificates (2+git20251006.0b604c2 -> 2+git20260203.5937e9f)
  dnsmasq (2.91 -> 2.92)
  gcc15 (15.2.1+git10392 -> 15.2.1+git10776)
  gdk-pixbuf (2.44.5 -> 2.44.4)
  libzio
  oath-toolkit (2.6.11.12 -> 2.6.14)
  openSUSE-release (20260204 -> 20260205)
  python-packaging (25.0 -> 26.0)
  python-setuptools
  python313-setuptools
  sdl12_compat (1.2.72 -> 1.2.74)
  sdl2-compat (2.32.62 -> 2.32.64)
  systemd (257.9 -> 258.3)
  unbound

=== Details ===

==== ca-certificates ====
Version update (2+git20251006.0b604c2 -> 2+git20260203.5937e9f)

- Update to version 2+git20260203.5937e9f:
  * Remove files in /etc and /var from spec file [jsc#PED-14792]

==== dnsmasq ====
Version update (2.91 -> 2.92)

- update to 2.92
  * Redesign the interaction between DNSSEC validation and per-domain servers, specified as --server=//. This should just work in all cases now. If the normal chain-of-trust exists into the delegated domain then whether the domain is signed or not, DNSSEC validation will function normally. In the case the delegated domain is an "overlay" on top of the global DNS and no NS and/or DS records exist connecting it to the global dns, then if the domain is unsigned the situation will be handled by synthesising a proof-of-non-existence-of-DS for the domain and queries will be answered unvalidated; this action will be logged. A signed domain without chain-of-trust can be validated if a suitable trust-anchor is provided using --trust-anchor. This change should be backwards compatible for all existing working configurations; it extends the space of possible configurations which are functional.
  * Fix a couple of problems with DNSSEC validation and DNAME. One could cause validation failure on correct domains, and the other would fail to spot an invalid domain. Thanks to Graham Clinch for spotting the problem.
  * Add --log-queries=auth option to only log replies from the auth DNS facility.
  * Fix some edge-cases with domains and --address and --server.
    There have been some regressions with this in previous releases. This change fixes the priority order from lower to highest as:
    - --address with an IPv4 or IPv6 address (as long as the query matches the type)
    - --address with # for all-zeros (as long as the query is A or AAAA)
    - --address with no address, which returns NXDOMAIN or NOERROR for all types.
    - --server with address set to # to use the unqualified servers.
    - --server with matching domain.
    - --server without domain or from /etc/resolv.conf.
  * Fix problems with ipset or nftset and TCP DNS transport. Previously this was racy, and insertion of addresses could fail on a busy server when DNS-over-TCP transport was involved.
  * DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends. The large public DNS services seem not to return proof-of-nonexistence for DS records at the start of RFC-1918 in-addr.arpa domains and their IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc. Since dnsmasq already has an option which instructs it not to bother upstream servers with pointless queries about these address ranges, namely --bogus-priv, we extend that to enable behaviour which allows dnsmasq to assume that insecure NXDOMAIN replies for these domains are expected and to assume that the domains are legitimately unsigned. This behaviour only matters when some address range is directed to another upstream server using --rev-server. In that case it allows replies from that server to pass DNSSEC validation. Without such a server configured, queries are never sent upstream so they are never validated and the new behaviour is moot.
  * Add support for leasequery to the dnsmasq DHCPv4 server. This has to be specifically enabled with the --leasequery option. Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring this enhancement to dnsmasq.
  * Fix failure to cache PTR RRs when a reply contains more than one answer. Thanks to Dmitry for spotting this.
  * Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
  * Change the behaviour of the DHCPv6 server when a REBIND message is received but no lease exists. Under these circumstances a new lease is created _only_ when the --dhcp-authoritative option is set. This matches the behavior of the DHCPv4 server.
  * Add --dhcp-split-relay option. This makes a DHCPv4 relay which is functional when client and server networks aren't mutually route-able.
  * Fix failure to add client MAC address to queries in TCP mode. The options which cause dnsmasq to decorate a DNS query with the MAC address on the originating client can fail when the query is sent using TCP. Thanks to Bruno Ravara for spotting and characterising this bug.

==== gcc15 ====
Version update (15.2.1+git10392 -> 15.2.1+git10776)
Subpackages: cpp15 gcc15-locale libasan8 libatomic1 libgcc_s1 libgcc_s1-32bit libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libquadmath0 libstdc++6 libstdc++6-32bit libstdc++6-locale libstdc++6-pp libstdc++6-pp-32bit libtsan2 libubsan1

- Update to GCC 15 branch head, 15.2.1+git10776
  * includes fix for bogus expression simplification [bsc#1257463]
- Add gcc15-bsc1253043.patch to enable the use of _dl_find_object even when not available at build time. [bsc#1253043]

==== gdk-pixbuf ====
Version update (2.44.5 -> 2.44.4)
Subpackages: gdk-pixbuf-lang gdk-pixbuf-query-loaders libgdk_pixbuf-2_0-0 typelib-1_0-GdkPixbuf-2_0

==== libzio ====

- Move from sourceforge to gitlab

==== oath-toolkit ====
Version update (2.6.11.12 -> 2.6.14)

- Update to version 2.6.14
  * pam_oath: Support null_usersfile_okay parameter. The argument no_usersfile_okay forces the module to act as if the user is not present in the config, if the config file does not exist. This has security implications; only use if you know what you are doing. E.g. if the file is in a mount like home and that fails to be mounted, then this will succeed even if the OTP is configured for that user.
    Patch by Luna, Jan Zerebecki, and Miika Alikirri; see https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94.
  * pam_oath README: Suggest KbdInteractiveAuthentication instead of deprecated ChallengeResponseAuthentication, see https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112.
  * Various build fixes including updated gnulib files. Fixes building with glibc 2.43.
- Update to version 2.6.13
  * liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow configuration.
  * liboath: Fix --with-openssl builds
  * Git hosting moved from gitlab.com to codeberg.org. The new URL is https://codeberg.org/oath-toolkit/oath-toolkit although the old GitLab project will continue to be used for pipelines. https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines
  * Various build fixes including updated gnulib files. Gnulib files are no longer stored in git version control. As a consequence, gnulib is a required build dependency when building from git, see CONTRIBUTING.md.
- Update to version 2.6.12
  * Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. See https://codeberg.org/oath-toolkit/oath-toolkit/issues/43. Security bug triggered by new feature in pam_oath v2.6.7 released on 2021-05-01 with the USER/HOME placeholder strings, https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12. Quoting a writeup in an alternate patch by Matthias Gerstner (SUSE):
      With the addition of the possibility to place a usersfile also into a the usersfile= path specification, security issues sneaked in. The PAM process usually runs with root privileges. The file operations in an unprivileged user’s home directory follow symlinks both when reading and creating files, allowing for a potential local root exploit, because of the fchown() performed on the newly created usersfile.
  * We drop privileges to the user that is being logged into, assuming it has the necessary permissions for the usersfile belonging in their home directory.
    This restricts the ability for non-root users to affect files beyond their control via liboath.
  * liboath: Don’t follow symbolic links for usersfile updates. Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. See https://codeberg.org/oath-toolkit/oath-toolkit/issues/43. Security bug triggered by new feature in pam_oath v2.6.7 released on 2021-05-01 with the USER/HOME placeholder strings, see https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12. The fix is to open files for writing in exclusive mode (i.e., fail if the file exists including if it is a symbolic link).
  * oathtool: Fix test suite on 32-bit big-endian platforms.
  * libpskc: Don’t call deprecated xmlMemoryDump.
  * Various build fixes including updated gnulib files.
- Drop no longer needed patches (fixed upstream):
  * 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch
  * 42-null_usersfile_okay.patch
- Use %ldconfig_scriptlets macro.

==== openSUSE-release ====
Version update (20260204 -> 20260205)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== python-packaging ====
Version update (25.0 -> 26.0)

- update to 26.0:
  * Features:
    - PEP 751: support pylock (PR #900)
    - PEP 794: import name metadata (PR #948)
    - Support for writing metadata to a file (PR #846)
    - Support __replace__ on Version (PR #1003)
    - Support positional pattern matching for Version and SpecifierSet (PR #1004)
  * Behavior adaptations:
    - PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter (PR #897)
    - Handle PEP 440 edge case in SpecifierSet.filter (PR #942)
    - Adjust arbitrary equality intersection preservation in SpecifierSet (PR #951)
    - Return False instead of raising for .contains with invalid version (PR #932)
    - Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet’s filter and contains method. (PR #954)
    - Only try to parse as Version on certain marker keys, return False on unequal ordered comparisons (PR #939)
  * Fixes:
    - Update _hash when unpickling Tag() (PR #860)
    - Correct comment and simplify implicit prerelease handling in Specifier.prereleases (PR #896)
    - Use explicit _GLibCVersion NamedTuple in _manylinux (PR #868)
    - Detect invalid license expressions containing () (PR #879)
    - Correct regex for metadata 'name' format (PR #925)
    - Improve the message around expecting a semicolon (PR #833)
    - Support nested parens in license expressions (PR #931)
    - Add space before at symbol in Requirements string (PR #953)
    - A root logger use found, use a packaging logger instead (PR #965)
    - Better support for subclassing Marker and Requirement (PR #1022)
    - Normalize all extras, not just if it comes first (PR #1024)
    - Don’t produce a broken repr if Marker fails to construct (PR #1033)
  * Performance:
    - Avoid recompiling regexes in the tokenizer for a 3x speedup (PR #1019)
    - Improve performance in _manylinux.py (PR #869)
    - Minor cleanups to Version (PR #913)
    - Skip redundant creation of Version’s in specifier comparison (PR #986)
    - Cache the Specifier’s Version (PR #985)
    - Make Version a little faster (PR #987)
    - Minor Version regex cleanup (PR #990)
    - Faster regex on Python 3.11.5+ for Version (PR #988, PR #1055)
    - Lazily calculate _key in Version (PR #989, PR #1048)
    - Faster canonicalize_version (PR #993)
    - Use re.fullmatch in a couple more places (PR #992, PR #1029)
    - Use map instead of generator (PR #996)
    - Deprecate ._version (_Version, a NamedTuple) (PR #995, PR #1062)
    - Avoid duplicate Version creation in canonicalize_version (PR #994)
    - Add __slots__ to core classes (PR #1001, PR #1002, PR #1032)
    - Use Version.__replace__ in specifier comparison (PR #999)
    - Use _get_spec_version in more places in Specifier (PR #1005)
    - Pull set construction out of function (PR #1012)
    - Letter normalization dict for prereleases and the like (PR #1014)
    - Use str.partition in _parse_project_urls (PR #1013)
    - Avoid normalizing extras again when comparing (PR #1028)
    - Speed up Version.__str__ by about 10% (PR #997)
    - Much faster canonicalize_name by avoiding a regex (PR #1030, PR #1047, PR #1064)
    - Faster zero stripping (PR #1058)
  * Type annotations:
    - Fix a type annotation (PR #907)
    - Fix type hint of function used with contextlib.contextmanager (PR #1046)
    - Fix tags return type in parse_wheel_filename docs (PR #973)
    - Add type hint for _version in .version.Version (PR #927)
    - Changed static type annotations in prereleases setter method in specifier.py (PR #930)
    - Statically type our test suite (PR #982)
  * Internal:
    - Test and declare support for Python 3.14 (PR #901)
    - Change our license metadata to use an SPDX license expression (PR #881, PR #924)
    - Expand the Ruff checks run on our codebase (PR #835, PR #957, PR #959, PR #963, PR #956, PR #961, PR #964, PR #958, PR #960, PR #968, PR #967, PR #966, PR #969, PR #980, PR #979, PR #962, PR #984, PR #972)
    - Add spell checking (PR #904, PR #910, PR #1015)
    - Improve links back to source in the documentation (PR #991)
    - Add case insensitivity tests for arbitrary equality (PR #975)
    - Fix incorrectly implicitly concatenated string in specifiers test (PR #946)
    - Simpler else instead of assert in a check (PR #1027, PR #1031)
    - Synchronize documentation and code for markers (PR #1008)
    - Use the GitHub Actions slim runner for the all pass check (PR #1021)
    - Use actionlint to check CI workflows (PR #1052)
    - Use Trusted Publishing (PR #893, PR #1043, PR #1045, PR #1051)
    - Use zizmor to check CI (PR #1035)
    - Test on first public release of CPython 3.11 and newer (PR #1056)
  Since the final release candidate: Faster canonicalize_name, especially on Python 3.12 and 3.13, where performance regressed previously (PR #1064), and reintroduce (deprecated) support for Version._.version (PR #1062).
- Move %sle15_python_module_pythons macro just above the Name, outside of all the if-else logic

==== python-setuptools ====

- Fix suse_version check to make sure that primary builds for SLE-16 series
- Add pythons_for_pypi macro. This macro will help to build the python minimal stack for different python versions.

==== python313-setuptools ====

- Fix suse_version check to make sure that primary builds for SLE-16 series
- Add pythons_for_pypi macro. This macro will help to build the python minimal stack for different python versions.

==== sdl12_compat ====
Version update (1.2.72 -> 1.2.74)

- Update to release 1.2.74
  * Fixed transition from intro video to main menu in Sid Meier's Alpha Centauri

==== sdl2-compat ====
Version update (2.32.62 -> 2.32.64)

- Update to release 2.32.64
  * Fixed surface memory leak in some circumstances
  * Fixed mouse grab not persisting past window recreation
  * Fixed picking the correct fullscreen resolution

==== systemd ====
Version update (257.9 -> 258.3)
Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-lang udev

- Import commit 2ffdb7879d1913b91d75fb7638023689ad49d6ff
  2ffdb7879d pam_systemd: fix regression introduced in v258 by preserving the FIFO fd (bsc#1255658)
  ab7770cb7e repart: support "nodatacow" in btrfs subvolumes
  245645f444 basic: Use xopenat_full() in mkdir_p_root_full()
  d197900c28 ssh-generator: suppress error message for vsock EADDRNOTAVAIL (bsc#1255656)
  7dcca22a3a ssh-generator: split out one more helper function
  1fb6114132 ssh-generator: split out common helper function
  2f836405c4 core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
  9480762ccd core/transaction: when isolating, keep triggered units only if their triggers are actually active
- Drop 0003-pam_systemd-fix-regression-introduced-in-v258-by-pre.patch and 5003-core-when-isolating-keep-triggered-units-only-if-the.patch as they have been merged by upstream and are part of the last batch of backported commits (see above).
- Add 0003-pam_systemd-fix-regression-introduced-in-v258-by-pre.patch (bsc#1255658)
  This patch will be removed once either logind supports restarts or a sufficient amount of time has passed to ensure that systems have transitioned to a version of logind greater than 257.
- Drop most of the workarounds contained in the fixlets
  These workarounds were held to address old issues that no longer exist in recent versions of systemd. For systems upgrading to this version, we assume these issues have already been fixed by the fixlet scripts in the previous distribution. Only the logic warning users about the deprecated usage of the main configuration files (favoring drop-in files) is preserved.
- systemd-update-helper: clean up the flags immediately after they have been consumed (no functional changes).
- systemd.spec: don't reexecute PID1 on transactional updates.
- Drop %filetriggers build flag.
  It was introduced to ease backport of Base:System to SLE distros where file-triggers were unreliable but that is no longer the case on the latest SLE distros.
- Import commit 25181d4e4c8307a3621d115f99279c4d3c28a9fa (merge of v258.3)
  For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e103ce013ed270c0a43318743ab822cac9325f00...25181d4e4c8307a3621d115f99279c4d3c28a9fa
- Add 5003-core-when-isolating-keep-triggered-units-only-if-the.patch until https://github.com/systemd/systemd/pull/39925 is merged.
- Import commit e103ce013ed270c0a43318743ab822cac9325f00
  e103ce013e pam_systemd: fix OSC write failure message appearing in error logs
  c81c546411 pam-util: fix pam_syslog_errno() ignoring the level parameter
- Drop 1001-Temporarily-remove-mountfsd-nsresourced-new-Polkit-a.patch
  The relevant polkit actions have been reviewed by the security team.
- Import commit 71c9223a1df429ae23bf113dc9eeb49154d8b734 (merge of v258.2)
  For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/1898fac58dd5170dbe85f4c3d01e564889dba0de...71c9223a1df429ae23bf113dc9eeb49154d8b734
- Drop 1002-core-unit-fail-earlier-before-spawning-executor-when.patch as it's part of v258.2.
- Import commit 1898fac58dd5170dbe85f4c3d01e564889dba0de
  1898fac58d main: switch explicitly to tty1 on soft-reboot (bsc#1231986)
  5fdd32dbe1 units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
- Temporarily add 1002-core-unit-fail-earlier-before-spawning-executor-when.patch until v258.2 is released.
- pam.systemd-user: skip common-account to avoid issues with pam_sss and other network user directories (bsc#1250691)
- systemd.spec: drop the %{release} number from the SBAT version (1251948)
- Add 0001-Drop-or-soften-some-upstream-warnings.patch (bsc#1228728) (bsc#1251981)
  For now it just drops the 'unmerged-bin' taint flag.
- Upgrade to v258.1 (commit 67a1069b7269cc23c3d04a2fb0cf110abe7abf31)
  See https://github.com/openSUSE/systemd/blob/SUSE/v258/NEWS for details.
  This upgrade includes the following fix:
  c058ff41cb timer: don't run service immediately after restart of a timer (bsc#1254563)
  3e14d02500 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
- Drop 0001-Drop-support-for-efivar-SystemdOptions.patch, upstream removed support for SystemdOptions efi var, see 14871a652925d08926c2d2d7cf2a95cd.
- Drop 0009-pid1-handle-console-specificities-weirdness-for-s390.patch, upstream gained a new auto-detection logic to setup $TERM on various systems including s390x (bsc#1238117)
- Support for System V style system state control has been removed: drop initctl, runlevel, runlevel*.target, etc.. from the sysvcompat sub-package
- Add 1001-Temporarily-remove-mountfsd-nsresourced-new-Polkit-a.patch.
  This temporary patch disables the new polkit actions introduced by mountfsd and nsresourced until these actions are validated by the Security team.
- Our testsuite sub-package is functional again and has been updated to work with the meson + mkosi infra.

==== unbound ====
Subpackages: libunbound8 unbound-anchor

- Create /var/lib/unbound with systemd-tmpfiles, move root.key to /usr/share/unbound and copy it to /var/lib/unbound/root.key to improve immutable os compatibility.
- Add BuildRequires for pkgconfig(systemd) to avoid tmpfiles not found error in install section.
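
Added example, not part of the changelog and not oath-toolkit code: the oath-toolkit 2.6.12 entry above describes the CVE-2024-47191 fix as opening files for writing in exclusive mode. The C sketch below shows why that matters when a symlink already sits at the expected path; the function names, the file names users.oath and elsewhere, and the temporary directory are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix pattern: O_CREAT alone resolves a symlink at `path` and
 * creates or opens whatever the link points to. */
static int create_following(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Post-fix pattern: with O_EXCL, open() fails with EEXIST if anything,
 * including a dangling symlink, already exists at `path`. */
static int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private temp dir: place a dangling symlink
 * where the file is expected, create the file through it, and report
 * whether the link's target came into existence.
 * Returns 1 if the target was created, 0 if not, -1 on setup failure. */
static int symlink_target_created(int exclusive, int *open_errno)
{
    char dir[] = "/tmp/usersfile-demo-XXXXXX";
    char link_path[128], target[128];
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(link_path, sizeof link_path, "%s/users.oath", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, link_path) != 0) {
        rmdir(dir);
        return -1;
    }
    errno = 0;
    int fd = exclusive ? create_exclusive(link_path)
                       : create_following(link_path);
    *open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    int created = (lstat(target, &st) == 0);
    unlink(target);            /* clean up whatever the run left behind */
    unlink(link_path);
    rmdir(dir);
    return created;
}

int main(void)
{
    int e = 0;
    int followed = symlink_target_created(0, &e);
    printf("O_CREAT only:   target created = %d\n", followed);
    int refused = symlink_target_created(1, &e);
    printf("O_CREAT|O_EXCL: target created = %d (%s)\n", refused, strerror(e));
    return 0;
}
```

A privileged process that then calls fchown() on the descriptor returned by the first variant hands ownership of the link's target to the user, which is the escalation path the changelog entry describes.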