Packages changed:
  ImageMagick (7.1.2.16 -> 7.1.2.17)
  blog (2.35 -> 2.36)
  elfutils (0.192 -> 0.194)
  elfutils-debuginfod (0.192 -> 0.194)
  gpg2 (2.5.17 -> 2.5.18)
  gspell (1.14.2 -> 1.14.3)
  kdump (2.1.6 -> 2.1.7)
  kernel-source (6.19.7 -> 6.19.8)
  libgsf (1.14.55 -> 1.14.56)
  libspelling
  openSUSE-build-key
  openSUSE-release (20260317 -> 20260318)
  salt
  zlib-ng-compat (2.3.2 -> 2.3.3)

=== Details ===

==== ImageMagick ====
Version update (7.1.2.16 -> 7.1.2.17)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.2.17
  * Add cast to unsigned char helper method to check for out of band data
  * eliminate compiler warning
  * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rwgm-46rq-f86h
  * ImageMagick/ImageMagick#8609
  * ImageMagick/ImageMagick#8608
  * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-354p-2qx7-jg9g
  * Corrected out of bounds write of a single zero byte (GHSA-gc62-2v5p-qpmp)
  * https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-354p-2qx7-jg9g
  * ImageMagick/ImageMagick#8603
  * ImageMagick/ImageMagick#5807
  * Apply correct patch for GHSA-cqw9-w2m7-r2m2.
- modified patches
  * ImageMagick-library-installable-in-parallel.patch (refreshed)
- fixes CVE-2026-32259 [bsc#1259612]

==== blog ====
Version update (2.35 -> 2.36)
Subpackages: libblogger2

- Update to version 2.36
  * If SYS_pidfd_open is not defined use a fallback
    Include to get __NR_pidfd_open for the definition of
    SYS_pidfd_open.
  * Changes to let systemd find plymouth replacements
    which means to add the appropriate Alias in
    systemd-ask-password-blog.path and also in
    systemd-ask-password-blog.service with new Install
    sections. Also change description in
    systemd-ask-password-blog.path to hint for blogd as
    replacement.
  * Rework password asking method to be asynchronous

==== elfutils ====
Version update (0.192 -> 0.194)
Subpackages: elfutils-lang libasm1 libdw1 libelf1

- Add elfutils-fix-const-correctness.patch to fix build with new glibc
- update to 0.194
  elfclassify: New options --has-debug-sections and --any-ar-member.
  elflint: Presence of vendor- and application-specific ELF note
    types no longer triggers compliance errors.
  libdwfl_stacktrace: New function dwflst_sample_getframes.
    The libdwfl_stacktrace library interface is experimental and
    may be subject to API/ABI changes.
    Experimental new library interface for unwinding stack samples
    into call chains, and tracking and caching Elf data for
    multiple processes, building on libdwfl. Initially supports
    perf_events stack sample data.
  libelf: Manual pages have been added for many libelf library
    functions. Additional manual pages are planned for future
    releases.
    elf_scnshndx has been rewritten to be more robust,
    particularly for ELF files with more than 64K sections.
  readelf: Up to 13% faster when using the -N option.
    Improved handling of corrupt ELF data.
    --section-headers output now includes a "Key to Flags"
    explaining section flag meanings.
  libdw: Add dwarf_language and dwarf_language_lower_bound functions.
    Improved support for DWARF6 language metadata as well as DWARF
    language constants for Nim, Dylan, Algol68, V and Mojo.
    dwarf_srclang is now forward-compatible with DWARF6 language
    constants.
- Drop no longer necessary fix-static-linking.patch

==== elfutils-debuginfod ====
Version update (0.192 -> 0.194)
Subpackages: debuginfod-client debuginfod-profile libdebuginfod1

- Add elfutils-fix-const-correctness.patch to fix build with new glibc
- update to 0.194
  debuginfod: Add CORS (webapp access) support to webapi and --cors
    option.
    Add --listen-address option for binding the HTTP listen socket
    to a specific IPv4 or IPv6 address.
    debuginfod client now caches x-debuginfod-* HTTP headers
    alongside downloaded files.
  debuginfod-find: Fixed caching bug preventing user-cancelled
    downloads from being re-downloaded at a later time.

==== gpg2 ====
Version update (2.5.17 -> 2.5.18)
Subpackages: dirmngr gpg2-lang

- Update to 2.5.18:
  * gpg: Support deleting a composite secret key in gpg-agent
  * gpg: Fix armor parsing when no CRC is found
  * gpgsm: New option --assert-validsig
  * agent: Fix the recent regression in pkdecrypt with TPM RSA
  * scdaemon: Add support for D-Trust Card 6.1/6.4
  * dirmngr: Let KS_SEARCH print all uid records for a key
    Fixes regression since 2015
  * gpg-authcode-sign.sh: Keep the log file even on success
  * Remove patch upstream:
    - gnupg-gpgscm-New-operator-long-time-t-to-detect-proper-tim.patch

==== gspell ====
Version update (1.14.2 -> 1.14.3)
Subpackages: gspell-lang libgspell-1-3

- Update to version 1.14.3:
  + Updated translations.

==== kdump ====
Version update (2.1.6 -> 2.1.7)

- upgrade to version 2.1.7
  * fix VLAN interface naming (bsc#1255300)
  * fix bonding options for VLAN slaves
  * fix return value of kdumptool commandline -d (bsc#1257471)
  * use primary IP address (bsc#1259058)
  * dracut: avoid error message if /etc/sysctl.conf does not exist
  * dracut: update dracut hooks path from /lib/dracut to /var/lib/dracut

==== kernel-source ====
Version update (6.19.7 -> 6.19.8)

- Linux 6.19.8 (bsc#1012628).
- apparmor: fix race between freeing data and fs accessing it
  (bsc#1012628).
- apparmor: fix race on rawdata dereference (bsc#1012628).
- apparmor: fix differential encoding verification (bsc#1012628).
- apparmor: fix unprivileged local user can do privileged policy
  management (bsc#1012628).
- apparmor: Fix double free of ns_name in aa_replace_profiles()
  (bsc#1012628).
- apparmor: fix missing bounds check on DEFAULT table in
  verify_dfa() (bsc#1012628).
- apparmor: fix side-effect bug in match_char() macro usage
  (bsc#1012628).
- apparmor: fix: limit the number of levels of policy namespaces
  (bsc#1012628).
- apparmor: replace recursive profile removal with iterative
  approach (bsc#1012628).
- apparmor: fix memory leak in verify_header (bsc#1012628).
- apparmor: validate DFA start states are in bounds in unpack_pdb
  (bsc#1012628).
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and
  shared blocks (bsc#1012628).
- net/sched: act_gate: snapshot parameters with RCU on replace
  (bsc#1012628).
- commit 5a5a4f4

- Update
  patches.kernel.org/6.19.1-003-smb-client-split-cached_fid-bitfields-to-avoid.patch
  (bsc#1012628 CVE-2026-23230 bsc#1258430).
- Update
  patches.kernel.org/6.19.1-004-ksmbd-fix-infinite-loop-caused-by-next_smb2_rc.patch
  (bsc#1012628 CVE-2026-23220 bsc#1258432).
- Update
  patches.kernel.org/6.19.1-005-ksmbd-add-chann_lock-to-protect-ksmbd_chann_li.patch
  (bsc#1012628 CVE-2026-23226 bsc#1258820).
- Update
  patches.kernel.org/6.19.1-006-smb-server-fix-leak-of-active_num_conn-in-ksmb.patch
  (bsc#1012628 CVE-2026-23228 bsc#1258431).
- Update
  patches.kernel.org/6.19.1-030-crypto-iaa-Fix-out-of-bounds-index-in-find_emp.patch
  (bsc#1012628 CVE-2025-71231 bsc#1258424).
- Update
  patches.kernel.org/6.19.1-032-crypto-omap-Allocate-OMAP_CRYPTO_FORCE_COPY-sc.patch
  (bsc#1012628 CVE-2026-23222 bsc#1258484).
- Update
  patches.kernel.org/6.19.1-033-crypto-virtio-Add-spinlock-protection-with-vir.patch
  (bsc#1012628 CVE-2026-23229 bsc#1258429).
- Update
  patches.kernel.org/6.19.1-035-nilfs2-Fix-potential-block-overflow-that-cause.patch
  (bsc#1012628 CVE-2025-71237 bsc#1258467).
- Update
  patches.kernel.org/6.19.1-036-hfs-ensure-sb-s_fs_info-is-always-cleaned-up.patch
  (bsc#1012628 CVE-2025-71230 bsc#1258413).
- Update
  patches.kernel.org/6.19.1-037-wifi-rtw88-Fix-alignment-fault-in-rtw_core_ena.patch
  (bsc#1012628 CVE-2025-71229 bsc#1258415).
- Update
  patches.kernel.org/6.19.1-038-scsi-qla2xxx-Validate-sp-before-freeing-associ.patch
  (bsc#1012628 CVE-2025-71236 bsc#1258442).
- Update
  patches.kernel.org/6.19.1-040-scsi-qla2xxx-Delay-module-unload-while-fabric-.patch
  (bsc#1012628 CVE-2025-71235 bsc#1258469).
- Update
  patches.kernel.org/6.19.1-041-scsi-qla2xxx-Free-sp-in-error-path-to-fix-syst.patch
  (bsc#1012628 CVE-2025-71232 bsc#1258422).
- Update
  patches.kernel.org/6.19.1-043-sched-mmcid-Don-t-assume-CID-is-CPU-owned-on-m.patch
  (bsc#1012628 CVE-2026-23225 bsc#1258474).
- Update
  patches.kernel.org/6.19.1-044-bus-fsl-mc-fix-use-after-free-in-driver_overri.patch
  (bsc#1012628 CVE-2026-23221 bsc#1258660).
- Update
  patches.kernel.org/6.19.1-045-erofs-fix-UAF-issue-for-file-backed-mounts-w-d.patch
  (bsc#1012628 CVE-2026-23224 bsc#1258461).
- Update
  patches.kernel.org/6.19.1-046-xfs-fix-UAF-in-xchk_btree_check_block_owner.patch
  (bsc#1012628 CVE-2026-23223 bsc#1258483).
- Update
  patches.kernel.org/6.19.1-047-drm-exynos-vidi-use-ctx-lock-to-protect-struct.patch
  (bsc#1012628 CVE-2026-23227 bsc#1258472).
- Update
  patches.kernel.org/6.19.1-048-PCI-endpoint-Avoid-creating-sub-groups-asynchr.patch
  (bsc#1012628 CVE-2025-71233 bsc#1258421).
- Update
  patches.kernel.org/6.19.1-049-wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xx.patch
  (bsc#1012628 CVE-2025-71234 bsc#1258419).
- Update
  patches.kernel.org/6.19.3-001-scsi-qla2xxx-Fix-bsg_done-causing-double-free.patch
  (bsc#1012628 CVE-2025-71238 bsc#1259186).
- Update
  patches.kernel.org/6.19.3-005-fbdev-smscufx-properly-copy-ioctl-memory-to-ke.patch
  (bsc#1012628 CVE-2026-23236 bsc#1259199).
- Update
  patches.kernel.org/6.19.3-009-f2fs-fix-out-of-bounds-access-in-sysfs-attribu.patch
  (bsc#1012628 CVE-2026-23235 bsc#1259195).
- Update
  patches.kernel.org/6.19.3-010-f2fs-fix-to-avoid-UAF-in-f2fs_write_end_io.patch
  (bsc#1012628 CVE-2026-23234 bsc#1259194).
- Update
  patches.kernel.org/6.19.3-012-f2fs-fix-to-avoid-mapping-wrong-physical-block.patch
... changelog too long, skipping 14 lines ...
- commit b7e70c1

==== libgsf ====
Version update (1.14.55 -> 1.14.56)
Subpackages: gsf-office-thumbnailer libgsf-1-114 libgsf-lang

- Update to version 1.14.56:
  + Fix problems with ole files using codepage 1200 (unicode).
  + Restore check for ole cycles accidentally removed.

==== libspelling ====
Subpackages: libspelling-lang libspelling1-2

- Update URL to current home.

==== openSUSE-build-key ====

- move the pqkeys out of gnupg, it's not gpg style.

==== openSUSE-release ====
Version update (20260317 -> 20260318)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== salt ====
Subpackages: python311-salt salt-master salt-minion

- Backport security patch for Salt vendored tornado (bsc#1259554):
  * CVE-2026-31958: Add limits on multipart form data parsing
- Added:
  * backport-of-the-cve-2026-31958-fix-bsc-1259554.patch

- Add x86_64_v2 as a possible rpm package architecture
- Make users with backslash working for salt-ssh (bsc#1254629)
- Fix ansible.playbooks extra-vars quoting (bsc#1257831)
- Fix virtualenv call in test helper to use proper python version
- Added:
  * add-x86_64_v2-as-a-possible-rpm-package-architecture.patch
  * make-users-with-backslash-working-for-salt-ssh-bsc-1.patch
  * fix-ansible.playbooks-extra-vars-quoting-bsc-1257831.patch
  * fix-virtualenv-call-in-test-helper-to-use-proper-pyt.patch

==== zlib-ng-compat ====
Version update (2.3.2 -> 2.3.3)

- update to 2.3.3:
  * Make deflate output deterministic if stream is reused after
    deflateReset #2102
  * minigzip: Fix integer overflow in gz_compress_mmap #2110
  * Use GCC's may_alias attribute for access to buffers in
    crc32_chorba #2078
  * Fix false-positive infinite loop warning detected by GCC-14
    static analyzer #2101
  * Fix warning for potentially uninitialized local variable ft
    used. #2043