Packages changed: MozillaFirefox (149.0.2 -> 150.0) apache2-mod_php8 at-spi2-core (2.60.0 -> 2.60.1) bubblewrap (0.11.0 -> 0.11.1) cups (2.4.17 -> 2.4.18) emacs ethtool (6.15 -> 6.19) gcc16 (16.0.1+git8711 -> 16.0.1+git8812) gdb gdm geoclue2 gnome-bluetooth (47.1 -> 47.2) gnome-maps (50.0 -> 50.1) gnome-settings-daemon (50.0 -> 50.1) gnome-shell (50.0 -> 50.1) gsettings-desktop-schemas (50.0 -> 50.1) gtk4 (4.22.2 -> 4.22.3) gvfs harfbuzz (14.1.0 -> 14.2.0) libshumate (1.6.0 -> 1.6.1) libsigc++3 localsearch (3.11.0 -> 3.11.1) md4c (0.5.2 -> 0.5.3) mutter (50.0 -> 50.1) ngtcp2 (1.22.0 -> 1.22.1) openSUSE-release (20260425 -> 20260426) openexr openssh (10.2p1 -> 10.3p1) openssh-askpass-gnome (10.2p1 -> 10.3p1) orca (50.0.9 -> 50.1) php8 simple-scan (49.1 -> 50.0) systemd (259.5 -> 260.1) tinysparql (3.11.0 -> 3.11.1) webkitgtk3 (2.52.2 -> 2.52.3) webkitgtk4 (2.52.2 -> 2.52.3) xdg-dbus-proxy (0.1.6 -> 0.1.7) === Details === ==== MozillaFirefox ==== Version update (149.0.2 -> 150.0) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 150.0 * https://www.firefox.com/en-US/firefox/150.0/releasenotes MFSA 2026-30 (bsc#1262230) * CVE-2026-6746 (bmo#2014596) Use-after-free in the DOM: Core & HTML component * CVE-2026-6747 (bmo#2021769) Use-after-free in the WebRTC component * CVE-2026-6748 (bmo#2022604) Uninitialized memory in the Audio/Video: Web Codecs component * CVE-2026-6749 (bmo#2022610) Information disclosure due to uninitialized memory in the Graphics: Canvas2D component * CVE-2026-6750 (bmo#2023407) Privilege escalation in the Graphics: WebRender component * CVE-2026-6751 (bmo#2025883) Uninitialized memory in the Audio/Video: Web Codecs component * CVE-2026-6752 (bmo#2027499) Incorrect boundary conditions in the WebRTC component * CVE-2026-6753 (bmo#2027501) Incorrect boundary conditions in the WebRTC component * CVE-2026-6754 (bmo#2027541) Use-after-free in the JavaScript Engine component * CVE-2026-6755 (bmo#1880429) Mitigation bypass in the DOM: postMessage component * CVE-2026-6756 (bmo#1992585) Mitigation bypass in Firefox for Android * CVE-2026-6757 (bmo#2013588) Invalid pointer in the JavaScript: WebAssembly component * CVE-2026-6758 (bmo#2013619) Use-after-free in the JavaScript: WebAssembly component * CVE-2026-6759 (bmo#2016164) Use-after-free in the Widget: Cocoa component * CVE-2026-6760 (bmo#2016923) Mitigation bypass in the Networking: Cookies component * CVE-2026-6761 (bmo#2017857) Privilege escalation in the Networking component * CVE-2026-6762 (bmo#2021080) Spoofing issue in the DOM: Core & HTML component * CVE-2026-6763 (bmo#2021666) Mitigation bypass in the File Handling component * CVE-2026-6764 (bmo#2022162) Incorrect boundary conditions in the DOM: Device Interfaces component * CVE-2026-6765 (bmo#2022419) Information disclosure in the Form Autofill component * CVE-2026-6766 (bmo#2023207) Incorrect boundary conditions in the Libraries component in NSS * CVE-2026-6767 (bmo#2023209) Other issue in the Libraries component in NSS * CVE-2026-6768 (bmo#2023615) Mitigation bypass in the Networking: Cookies component * CVE-2026-6769 (bmo#2023753) Privilege escalation in the Debugger component * CVE-2026-6770 (bmo#2024220) Other issue in the Storage: IndexedDB component * CVE-2026-6771 (bmo#2025067) Mitigation bypass in the DOM: Security component * CVE-2026-6772 (bmo#2026089) Incorrect boundary conditions in the Libraries component in NSS * CVE-2026-6773 (bmo#2015959) Denial-of-service due to integer overflow in the Graphics: WebGPU component * CVE-2026-6774 (bmo#2016915) Mitigation bypass in the DOM: Security component * CVE-2026-6775 (bmo#2021768) Incorrect boundary conditions in the WebRTC component * CVE-2026-6776 (bmo#2021770) Incorrect boundary conditions in the WebRTC: Networking component * CVE-2026-6777 (bmo#2022726) Other issue in the Networking: DNS component * CVE-2026-6778 (bmo#2022746) Invalid pointer in the Audio/Video: Playback component * CVE-2026-6779 (bmo#2023343) Other issue in the JavaScript Engine component * CVE-2026-6780 (bmo#2025179) Denial-of-service in the Audio/Video: Playback component * CVE-2026-6781 (bmo#2025583) Denial-of-service in the Audio/Video: Playback component * CVE-2026-6782 (bmo#2026571) Information disclosure in the IP Protection component * CVE-2026-6783 (bmo#2027564) Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component * CVE-2026-6784 (bmo#1536243, bmo#1745382, bmo#1851073, bmo#1893400, bmo#1963301, bmo#2001319, bmo#2002899, bmo#2012436, bmo#2014435, bmo#2016901, bmo#2019916, bmo#2020486, bmo#2020612, bmo#2020817, bmo#2021788, bmo#2022051, bmo#2022367, bmo#2022431, bmo#2023302, bmo#2023670, bmo#2024225, bmo#2024238, bmo#2024240, bmo#2024265, bmo#2024367, bmo#2024369, bmo#2024424, bmo#2024760, bmo#2025281, bmo#2025361, bmo#2025387, bmo#2025466, bmo#2025954, bmo#2025958, bmo#2026278, bmo#2026292, bmo#2026297, bmo#2026378, bmo#2027148, bmo#2027287, bmo#2027341, bmo#2027384, bmo#2027427, bmo#2027694, bmo#2027993, bmo#2028009, bmo#2028270, bmo#2028416, bmo#2028524, bmo#2029295, bmo#2029301, bmo#2029461, bmo#2029699, bmo#2029800, bmo#2029801) Memory safety bugs fixed in Firefox 150 and Thunderbird 150 * CVE-2026-6785 (bmo#1935995, bmo#1999158, bmo#2015952, bmo#2021909, bmo#2022026, bmo#2022041, bmo#2022088, bmo#2022276, ... changelog too long, skipping 59 lines ... (bmo#2031958) ==== apache2-mod_php8 ==== - php8: provide builtin php-opcache - php8-devel: require libraries from "php-config --libs" ==== at-spi2-core ==== Version update (2.60.0 -> 2.60.1) Subpackages: at-spi2-core-lang libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0 - Update to version 2.60.1: + Detect unresponsive applications, and do not expose them as children of the desktop. + Attempt to fix a crash when opening a group chat in pidgin that contains new messages. ==== bubblewrap ==== Version update (0.11.0 -> 0.11.1) - Really drop the nobwrap.helper script as intended on Sep 29 2025. - update to 0.11.1: * Reset disposition of `SIGCHLD`, restoring normal subprocess management if bwrap was run from a process that was ignoring that signal, such as Erlang or volumeicon * Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if used * Note that using a fd number ≥ 3 for these purposes is still * preferred, to avoid confusion with the stdin, stdout, stderr * that will be inherited by the command inside the container. * Fix grammar in an error message * Fix a broken link in the documentation * Enable user namespaces in Github Actions configuration, fixing a CI regression with newer Ubuntu * Clarify comments - Drop the nobwrap.helper again: glycin could find a solution to detect it running in a CI/BuildEnvironment and it disarms bubblewrap in this case, making this wrapper obsolete ==== cups ==== Version update (2.4.17 -> 2.4.18) Subpackages: cups-client cups-config libcups2 libcupsimage2 - Version upgrade to 2.4.18: See https://github.com/openprinting/cups/releases The new release 2.4.18 contains hotfix after CVE-2026-27447 fix: * Fixed cupsd crash if user does not exist (Issue #1555) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18 ==== emacs ==== Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags - Modify patch emacs-30.2-tree-sitter-0.26.8.patch * Let find the tree-sitter code find the libraries below %{_libdir}/tree-sitter/ without using LD_LIBRARY_PATH - Add patch emacs-30.2-boo1262611.patch * Fix CVE-2026-6861: Memory corruption vulnerability when processing SVG CSS (boo#1262611) - Let treesit test find its ruby shared library - Modify patch emacs-30.2-tree-sitter-0.26.8.patch * Add commit to reflect new syntax ot tree-sitter like :equal changed to :eq? ==== ethtool ==== Version update (6.15 -> 6.19) - Update to release 6.19 * tsinfo: Add support for PTP hardware source * monitor: Add notification handling for PLCA configuration * rxfh: IPv6 Flow Label hash support * netlink: fec: add errors histogram statistics - Delete 5a6848026277296a151664666ef1c25821787043.patch (merged) - Move bash-completions into main package. - add netlink support for RX CQE Coalescing params (bsc#1261256) 5a6848026277296a151664666ef1c25821787043.patch d35d87fbcda97fe31df79d62277743214641892a.patch bf023af442f63e16f1699128c7ce467eddc6d340.patch ==== gcc16 ==== Version update (16.0.1+git8711 -> 16.0.1+git8812) Subpackages: cpp16 gcc16-locale libasan8 libatomic1 libgcc_s1 libgcc_s1-32bit libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libquadmath0 libstdc++6 libstdc++6-32bit libstdc++6-locale libstdc++6-pp libstdc++6-pp-32bit libtsan2 libubsan1 - Update to 16.0.1+git8812, includes GCC 16.1 release candidate #2. - Update to 16.0.1+git8809, GCC 16.1 release candidate. ==== gdb ==== - Reduce scope of debuginfo query workaround. No longer require "set debuginfod enabled off" in .gdbearlyinit or similar to be able to use "gdb -tui" (osc#1261254). Patches added: * gdb-tui-v3-fix-crash-with-debuginfod-query.patch * gdb-tui-reduce-scope-of-debuginfod-query-crash-worka.patch - Report helpful error on ptrace permission denied due to yama/selinux (jsc#PED-15928). Patches added: * gdb-linux-consider-ptrace_scope-when-building-attach.patch ==== gdm ==== Subpackages: gdm-lang gdm-schema gdm-systemd gdm-xdm-integration libgdm1 typelib-1_0-Gdm-1_0 - Enforce dependency on gsettings-backend-dconf, greeter doesn't work properly without it. ==== geoclue2 ==== Subpackages: system-user-srvGeoClue typelib-1_0-Geoclue-2_0 - Create the home directory for srvGeoClue under /var with tmpfiles.d (jsc#PED-14837). ==== gnome-bluetooth ==== Version update (47.1 -> 47.2) Subpackages: gnome-bluetooth-lang libgnome-bluetooth-3_0-13 libgnome-bluetooth-ui-3_0-13 typelib-1_0-GnomeBluetooth-3_0 - Update to version 47.2: + This version adds mnemonics to some buttons, fixes a couple memory leaks, makes it possible to run the tests with pygobject >= 3.52 + Updated translations. ==== gnome-maps ==== Version update (50.0 -> 50.1) Subpackages: gnome-maps-lang - Update to version 50.1: + Fix showing highway shields when clicking on a symbol in the case when the Overpass query e.g. times-out + Updated translations. ==== gnome-settings-daemon ==== Version update (50.0 -> 50.1) Subpackages: gnome-settings-daemon-lang - Update to version 50.1: + Build improvements for systemd-less systems ==== gnome-shell ==== Version update (50.0 -> 50.1) Subpackages: gnome-extensions gnome-shell-calendar gnome-shell-lang - Update to version 50.1: + Use triangular noise shape for dithering lightbox vignette + Fix glitch in quick settings with wrapped text in menu + Fit on-screen keyboard better on very small screens + Enable network agent on lock screen + Add basic zoom support to captive portal + Plugged leak + Misc. bug fixes and cleanups + Update translations. ==== gsettings-desktop-schemas ==== Version update (50.0 -> 50.1) Subpackages: gsettings-desktop-schemas-lang - Update to version 50.1: + Updated translations. ==== gtk4 ==== Version update (4.22.2 -> 4.22.3) Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.22.3: + Bugs fixed: - Input panel misplaced when typing with an input method in a GTKPopover widget - Snapshot with too small an angle shift freezes - gtk-demo: Make --autoquit work again - cssprovider: Fix gtk-application-prefer-dark-theme setting - gdksettings-wayland: Apply reduced-motion setting - Revert "testutils: Warn if setting up language didn't work" - transform: Better float comparisons - print dialog: Fix GTask lifecycle management + Updated translations. - Update to version 4.22.2+25: * imcontextwayland: Translate cursor rectangle to correct native surface * gdksettings-wayland: Apply reduced-motion setting * gtkpango: Don't land on a single char of a wrapped line twice ==== gvfs ==== Subpackages: gvfs-backend-afc gvfs-backend-goa gvfs-backend-gphoto gvfs-backend-samba gvfs-backends gvfs-fuse gvfs-lang - Split out cdda in own separate sub package (gvfs-backend-cdda). ==== harfbuzz ==== Version update (14.1.0 -> 14.2.0) Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0 - Update to version 14.2.0: + In this release, the experimental raster, vector, and GPU libraries went through several rounds of code review and cleanup to make sure they follow the high standards expected of HarfBuzz code. The API has also been extensively reviewed based on experience gained from using these libraries. We consider the code and API to be ready for stabilization, and we expect to graduate them from experimental in the near future. If you are using or planning to use these libraries and have any concerns about the API, it is time to raise them. Once a library is deemed stable, we will never change the API or ABI in an incompatible way. ==== libshumate ==== Version update (1.6.0 -> 1.6.1) Subpackages: libshumate-1_0-1 libshumate-lang typelib-1_0-Shumate-1_0 - Update to version 1.6.1: + Add missing gettext domains ==== libsigc++3 ==== - Migrate to xz compression and manual service run ==== localsearch ==== Version update (3.11.0 -> 3.11.1) Subpackages: localsearch-lang - Update to version 3.11.1: + Fix possible failures when extracting metadata from EPUB, ODF and OOXML documents + Updated translations. - Drop localsearch-zip-private-library.patch: Fixed upstream. ==== md4c ==== Version update (0.5.2 -> 0.5.3) - Update to 0.5.3 * Avoid repeated prefix language- in code block language specification if the input already explicitly includes the prefix * Permissive autolink extensions (MD_FLAG_PERMISSIVExxxAUTOLINKS) are now tiny bit more permissive, allowing + and - characters to be anywhere in the path portion of the URL. This also improves compatibility with GFM * Make Unicode-specific code compliant to Unicode 18.0 * Fix quadratic time behavior caused by one-by-one walking over block lines instead of calling md_lookup_line() * Fix quadratic time and output size behavior caused by malicious misuse of link reference definitions * The strike-through extension (with flag MD_FLAG_STRIKETHROUGH) now follows same logic as other emphasis spans in respect to punctuation character and word boundaries * Fix handling tab when removing trailing whitespace, especially in connection with ATX headers * We now correctly abort the parser when a callback returns non-zero. (Previously it worked correctly only for negative values, values greater than zero were causing strange and inconsistent behavior) * Fix handling a code span whose closer is on the next line and yet another text follows. In the case we erroneously outputted the closer code span mark as part of the text * Fix md_decode_utf16le_before__(). (Only affected MD4C builds built with -MD4C_USE_UTF16 on Windows) * Do not try to interpret characters in a link URL as Markdown syntax characters * Fix detection of closing code block fence if it has a trailing tabulator * Fix invalid free() in an error path ==== mutter ==== Version update (50.0 -> 50.1) Subpackages: mutter-lang - Update to version 50.1: + Allow setting paint debug flags from environment + Fix applying pango scale attributes to text + Fix moving minimized maximized windows to a different monitor + Configure primary GPU in headless mode if it does't support KMS + Use fewer buffers for screencast streams + Only queue clipped redraws when mapped + Fix XReconfigureWMWindow() resizing window when not requested + Fix DND sometimes failing with reused data sources + Fix performance regression with some nvidia driver versions + Use modifiers for secondary GPU FBOs + Fix freeze with nvidia driver + Fixed crash + Misc. bug fixes and cleanups + Updated translations. ==== ngtcp2 ==== Version update (1.22.0 -> 1.22.1) Subpackages: libngtcp2-16 libngtcp2-16-32bit libngtcp2_crypto_gnutls8 libngtcp2_crypto_gnutls8-32bit libngtcp2_crypto_ossl0 - update to 1.22.1 (bsc#1262273, CVE-2026-40170): * Fixes CVE-2026-40170 ==== openSUSE-release ==== Version update (20260425 -> 20260426) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openexr ==== Subpackages: libIex-3_4-33 libIex-3_4-33-x86-64-v3 libIlmThread-3_4-33 libIlmThread-3_4-33-x86-64-v3 libOpenEXR-3_4-33 libOpenEXR-3_4-33-x86-64-v3 libOpenEXRCore-3_4-33 libOpenEXRCore-3_4-33-x86-64-v3 - Disable testLargeDataWindowOffsets on 32-bit arm ==== openssh ==== Version update (10.2p1 -> 10.3p1) Subpackages: openssh-clients openssh-common openssh-server - Update to openssh 10.3p1: = Potentially-incompatible changes * ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying. * sshd(8): prior to this release, a certificate that had an empty principals section would be treated as matching any principal (i.e. as a wildcard) when used via authorized_keys principals="" option. This was intentional, but created a surprising and potentially risky situation if a CA accidentally issued a certificate with an empty principals section: instead of being useless as one might expect, it could be used to authenticate as any user who trusted the CA via authorized_keys. [Note that this condition did not apply to CAs trusted via the sshd_config(5) TrustedUserCAKeys option.] This release treats an empty principals section as never matching any principal, and also fixes interpretation of wildcard characters in certificate principals. Now they are consistently implemented for host certificates and not supported for user certificates. * ssh(1): the -J and equivalent -oProxyJump="..." options now validate user and host names for ProxyJump/-J options passed via the command-line (no such validation is performed for this option in configuration files). This prevents shell injection in situations where these were directly exposed to adversarial input, which would have been a terrible idea to begin with. Reported by rabbit. = Security * ssh(1): validation of shell metacharacters in user names supplied on the command-line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a "%u" token in a "Match exec" block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands. Reported by Florian Kohnhäuser. We continue to recommend against directly exposing ssh(1) and other tools' command-lines to untrusted input. Mitigations such as this can not be absolute given the variety of shells and user configurations in use. * sshd(8): when matching an authorized_keys principals="" option against a list of principals in a certificate, an incorrect algorithm was used that could allow inappropriate matching in cases where a principal name in the certificate contains a comma character. Exploitation of the condition requires an authorized_keys principals="" option that lists more than one principal *and* a CA that will issue a certificate that encodes more than one of these principal names separated by a comma (typical CAs strongly constrain which principal names they will place in a certificate). This condition only applies to user- trusted CA keys in authorized_keys, the main certificate authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by Vladimir Tokarev. * scp(1): when downloading files as root in legacy (-O) mode and without the -p (preserve modes) flag set, scp did not clear setuid/setgid bits from downloaded files as one might typically expect. This bug dates back to the original Berkeley rcp program. Reported by Christos Papakonstantinou of Cantina and Spearbit. * sshd(8): fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys. Previously if one of these directives contains any ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm would be accepted in its place regardless of whether it was listed or not. Reported by Christos Papakonstantinou of Cantina and Spearbit. * ssh(1): connection multiplexing confirmation (requested using "ControlMaster ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by Michalis Vasileiadis. = New features * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. Support for the pre-standardisation "@openssh.com" extensions for agent forwarding remains supported. * ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent "query" extension. * ssh-add(1): support querying the protocol extensions via the agent "query" extension with a new -Q flag. * ssh(1): support multiple files in a ssh_config RevokedHostKeys directive. * sshd(8): support multiple files in a sshd_config RevokedKeys directive. * ssh(1): add a ~I escape option that shows information about the current SSH connection. * ssh(1): add an "ssh -Oconninfo user@host" multiplexing command that shows connection information, similar to the ~I escapechar. * ssh(1): add an "ssh -O channels user@host" multiplexing command to get a running mux process to show information about what channels are currently open. * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired. * sshd(8): add a GSSAPIDelegateCredentials option for the server, controlling whether it accepts delegated credentials offered by the client. This option mirrors the same option in ssh_config. * ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS ... changelog too long, skipping 134 lines ... * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch ==== openssh-askpass-gnome ==== Version update (10.2p1 -> 10.3p1) - "Update" to openssh 10.3p1: * No changes for askpass, see main package changelog for details. ==== orca ==== Version update (50.0.9 -> 50.1) Subpackages: orca-lang - Update to version 50.1: + Web: - Fix presentation of multiline-text web combo boxes. - Fix presentation of link file size. - Fix double-presentation of "focus mode" when page load completes. - Fix say all looping in content, and eliminate some chattiness. + Preferences: - Fix preferences saving to old profile path after rename. - Fix bug preventing restoration of default voice values. - Fix left-over JSONism that prevented spiel from being saved as the speech server. - Handle TypeError resulting from speech synthesizer crashing during prefs save. + Updated translations. ==== php8 ==== Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter - php8: provide builtin php-opcache - php8-devel: require libraries from "php-config --libs" ==== simple-scan ==== Version update (49.1 -> 50.0) Subpackages: simple-scan-lang - Update to version 50.0: + Update cursor names to be correctly displayed on Wayland. + Fix scanner selection disappearing after failed scan. + Use AdwToggleGroup in preferences dialog. + Bump minimum libadwaita version. + Show in-app notification after export with open folder action. + Fix if multiple pages in book-view the horizontal scroll bar is not shown, except a resize event occurs. + Updated translations. ==== systemd ==== Version update (259.5 -> 260.1) Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-lang udev - Upgrade to v260.1 (commit c0a5a2516d28601fb3afc1a77d7b42fcfe38fced) See https://github.com/openSUSE/systemd/blob/SUSE/v260/NEWS for details. - Drop support for System V service scripts. - Drop 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch - Drop 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch - Required versions of various library dependencies have been raised. - systemd-update-helper: switch to the new command 'enqueue-marked'. - Restore autovt@.service alias (a fallout from upstream commit 072e72424b2e6da1c96489ef6996f49fabd46474) - systemd.spec: introduce %{container} bcond for container subpackage - Enable systemd-boot on loongarch64. ==== tinysparql ==== Version update (3.11.0 -> 3.11.1) Subpackages: libtracker-sparql-3_0-0 tinysparql-lang typelib-1_0-Tracker-3_0 - Update to version 3.11.1: + Fixes to memory leaks and issues spotted by ASAN + Make lifetime of some mutexes explicit ==== webkitgtk3 ==== Version update (2.52.2 -> 2.52.3) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.52.3: + Add support for the "scrollbar-color" CSS property. + Fix some emoji glyphs being rendered as missing glyph boxes. + Fix JavaScriptCore crashes on architectures other than x86_64. + Fix the build on s390x. + Fix several crashes and rendering issues. + Updated translations. ==== webkitgtk4 ==== Version update (2.52.2 -> 2.52.3) Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles - Update to version 2.52.3: + Add support for the "scrollbar-color" CSS property. + Fix some emoji glyphs being rendered as missing glyph boxes. + Fix JavaScriptCore crashes on architectures other than x86_64. + Fix the build on s390x. + Fix several crashes and rendering issues. + Updated translations. ==== xdg-dbus-proxy ==== Version update (0.1.6 -> 0.1.7) - Update to version 0.1.7: + Drop the autotools build system + Prevent a crash on disconnect + Fix building with glibc >= 2.43 + Fix the eavesdrop filtering to prevent message interception + Fix CVE-2026-34080