Packages changed:
  acpica
  binutils
  discount
  dnsmasq
  gnome-calculator (50.0 -> 50.0+16)
  libXpm
  libgcrypt (1.12.1 -> 1.12.2)
  libgme (0.6.4 -> 0.6.5)
  libstorage-ng (4.5.313 -> 4.5.314)
  mozilla-nss (3.121 -> 3.122.1)
  mpc (1.3.1 -> 1.4.1)
  openSUSE-release (20260422 -> 20260423)
  openssh
  patterns-base
  pipewire (1.6.2 -> 1.6.4)
  poppler
  poppler-qt6
  postfix
  ruby4.0 (4.0.2 -> 4.0.3)
  sdbootutil (1+git20260409.83d5678 -> 1+git20260421.88e40c4)
  sso-mib (0.8.0 -> 0.8.1)
  time (1.9 -> 1.10)

=== Details ===

==== acpica ====

- Use scm/git service for wmidump
- Update to version 20260323 (bsc#1262171):
  * Modernize repo: C17, tests, CI, license, and bug fixes
  * Print object_id or notify_id based on ACPI_WMI_EVENT flag
  * add support for '//' comments
  * Remove old README
  * README.md: sync with previous changes
  * README.md: convert to markdown
  * wmidump: remove unused code and fix build.
- Patches not needed anymore due to mainline changes:
  D wmidump_add_she_bang.patch

==== binutils ====
Subpackages: libctf-nobfd0 libctf0

- Migrate from update-alternatives to libalternatives (jsc#PED-15667).
- Update %suse_version > 1600 checks (jsc#PED-15792).
- Split new libsframe2 package from binutils (shared lib policy).
- Make (currently inactive) gold subpackage not require binutils
  in a specific version.
- Add binutils-workaround-premature-libsframe-uninst.diff for this
  to temporarily avoid 99-check-remove-rpms getting in the way.
- Add binutils-fix-c23.diff to fix a compile error with new glibc.

==== discount ====

- Explicitly BuildRequire update-alternatives and mark it as being
  used in post/postun: this was nicely masked by the fact that
  binutils, installed on every system, already dragged u-a in,
  which is no longer the case.

==== dnsmasq ====

- bsc#1262487, CVE-2026-6507, dnsmasq-CVE-2026-6507.patch:
  out-of-bounds write in DHCP BOOTREPLY processing can lead to
  denial of service.
- Fix FTBFS with libnettle 4.0: (boo#1257934)
  * dnsmasq: missed hash->digest calls in 4070a74 (1eab169)
  * Add dnsmasq-Fix-FTBFS-nettle-4.0.patch and merge 4070a748.patch

==== gnome-calculator ====
Version update (50.0 -> 50.0+16)
Subpackages: gnome-calculator-lang gnome-shell-search-provider-gnome-calculator

- Update to version 50.0+16:
  + Set imaginary component to +0*i when inverting a real number
  + Updated translations.

==== libXpm ====

- updated 0001-Fix-CVE-2026-4367-Out-of-bounds-read-in-xpmNextWord.patch
  to the final version, which has been submitted to gitlab
  (CVE-2026-4367, bsc#1260928, comment#22)
- 0001-Fix-CVE-2026-4367-Out-of-bounds-read-in-xpmNextWord.patch
  * fix Out of bounds read (CVE-2026-4367, bsc#1260928)

==== libgcrypt ====
Version update (1.12.1 -> 1.12.2)
Subpackages: libgcrypt20 libgcrypt20-32bit libgcrypt20-x86-64-v3

- Update to 1.12.2
  * Various fixes on gcry_kem_* apis

==== libgme ====
Version update (0.6.4 -> 0.6.5)

- Update to version 0.6.5
  * Removed CPP demo as it uses private API.
  * Reworked demos so they no longer use private API.
  * Implemented some undocumented OPcodes for NES CPU.
  * Fixed several compile warnings.
  * The fade length is now passed to the track info for SPC files.
  * The C++ runtime library is now properly exported.
  * Fixed several crashes and security vulnerabilities reported by people.
  * The YM2413 chip emulator has been updated to the version v1.5.9
  * Added ADPCM support for the HES emulator, backported from Kode54's fork.

==== libstorage-ng ====
Version update (4.5.313 -> 4.5.314)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1069
- add support for XBOOTLDR partition type (jsc#PED-16142)
- 4.5.314

==== mozilla-nss ====
Version update (3.121 -> 3.122.1)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-tools

- update to NSS 3.122.1
  * bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
  * bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey.
  * bmo#2029462 - store email on subject cache_entry in NSS trust domain.
  * bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
  * bmo#2029323 - Improve size calculations in CMS content buffering.
  * bmo#2028001 - avoid integer overflow while escaping RFC822 Names.
  * bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder.
  * bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile.
  * bmo#2027345 - Improve input validation in DSAU signature decoding.
  * bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS.
  * bmo#2026156 - Add a maximum cert uncompressed len and tests.
  * bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes.
  * bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie.
- update to NSS 3.122
  * bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
  * bmo#2023664 - run mach doc-lint from generate_release_doc.py.
  * bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
  * bmo#2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable.
  * bmo#2021911 - fix cipher spec count intermittent CI failures.
  * bmo#2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures.
  * bmo#2023437 - lint the legacy documentation.
  * bmo#2023437 - lint the NSS 3.112.3 release notes.
  * bmo#2023437 - add a doc-lint CI job.
  * bmo#2020224 - Add more useful coverage reports to CI and fail if new commit isn't tested.
  * bmo#1472747 - wrong alert for malformed TLS 1.3 Finished.
  * bmo#1916429 - Swap order of asserts and state check.
  * bmo#2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare.
  * bmo#2017929 - GCM needs to check for various limits in FIPS mode.
  * bmo#2017938 - Get Key Length not working from ED and Montgomery keys.
  * bmo#2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren't.
  * bmo#2020721 - fix intermittent ssl.sh test failures on windows runners.
  * bmo#2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage.
  * bmo#2017920 - Generate keys not getting indicators.
  * bmo#2020612 - improve error handling in smime_init_once.
  * bmo#1987288 - Detect CPU features on OpenBSD using elf_aux_info.
  * bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
  * bmo#2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects.
  * bmo#2019194 - fix missing .S file error in Solaris Makefile builds.
  * bmo#2020486 - fix memory leak in NSC_GenerateKey error path.
  * bmo#2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions.
  * bmo#2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths.
  * bmo#2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path.
  * bmo#2020188 - avoid null deref in mp_div_d sign normalization.
  * bmo#2017945 - Temp private key lifecycle is broken.
  * bmo#1851073 - protect rwSessionCount with slotLock.
  * bmo#2019224 - Remove invalid PORT_Free().
  * bmo#1828713 - Fix intermittent ClientGreaseKeyShare test failure.
  * bmo#2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate.
  * bmo#2019760 - patch upstream acvp-rust during checkout to avoid build failures.
  * bmo#2019760 - update acvp Dockerfile.
  * bmo#2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken.
  * bmo#2018000 - CKA_SEED missing from isPrivate in the database.
  * bmo#2019717 - update abicheck expectation for __nss_InitLock.
  * bmo#2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds.
  * bmo#2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path.
  * bmo#2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT.
  * bmo#2019327 - tests: add native_path helper for cross-platform path conversion.
  * bmo#2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows.
  * bmo#2019090 - avoid platform GCM for x64 iOS emulator builds.
  * bmo#2012002 - remove lock instrumentation feature.
  * bmo#2017923 - Move FIPS indicator structures out of fips_algorithms.h.
  * bmo#2018064 - all.sh is failing in FIPS SSL test in main tree.
  * bmo#1975973 - fix memory leaks in crmf tests.
  * bmo#2012547 - fix unsatisfiable condition in lg_getTrust.
  * bmo#2006218 - allow selfserv makefile build to use system zlib.
  * bmo#2002247 - Add allocation limit to pkcs12 decoding.
  * bmo#2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests.
- Rebase patches nss-fips-aes-gcm-restrict.patch and
  nss-fips-approved-crypto-non-ec.patch due to upstreamed FIPS patches

==== mpc ====
Version update (1.3.1 -> 1.4.1)

- update to 1.4.1:
  * mpc_fr_div: Fix memory leak introduced in release 1.4.0
- Fixup pkg-config install location
- Update to 1.4.0:
  * New functions: mpc_exp10, mpc_exp2, mpc_log2
  * mpc_tan and mpc_tanh: Fix wrong values and slowness for large
    imaginary part.
  * mpc_pow: Agree on and implement the sign of the imaginary part
    when both inputs are real.
  * mpc_fr_div and mpc_ui_div: Treat the imaginary part of the
    dividend as an exact zero and not as +0, following the C2Y draft
    of the C standard. This changes the signs of zeroes in some results.
  * Generate the pkg-config file mpc.pc

==== openSUSE-release ====
Version update (20260422 -> 20260423)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Update openssh-8.1p1-audit.patch (bsc#1252890). This prevents
  the connection from dropping due to message mismatches in the
  monitor protocol when concurrency is high.
- Add missing patch tags.

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced

- immutable_base: Pull in systemd-presets-branding-SLE_immutable
  rather than systemd-presets-branding-SLE_transactional (package
  has been renamed)

==== pipewire ====
Version update (1.6.2 -> 1.6.4)
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-lang pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools

- Update to version 1.6.4:
  * This is a bugfix release that is API and ABI compatible with
    the previous 1.6.x releases.
  * Highlights
    - Small improvements and segfault fixes.
    - Try to not emit ports that JACK doesn't understand. Fixes
      glitches in ardour and other JACK apps.
  * PipeWire
    - Refuse to load plugins and crash when pw_init() was not
      called. (!2784 (closed))
  * SPA
    - Fix LADSPA plugin loading, support LADSPA_PATH ending with /
    - Fix segfault in alsa-seq when removing devices in some
      cases. (#5221 (closed))
    - Allow negative gain in mixer. (#5228 (closed))
    - Improve alsa-seq port names, add : between client and
      port. (#5229 (closed))
    - ACP: don’t override user-selected port on availability changes.
  * Bluetooth
    - Backport some important fixes and minor improvements.
  * JACK
    - Ignore non DSP ports to avoid emitting extra callbacks.
  * GStreamer
    - Fix crop metadata.
  * Tools
    - Fix WAVEX saving in pw-cat. (#5233 (closed))
- Update to version 1.6.3:
  * Highlights
    - Fix some RAOP compatibility regressions.
    - Fix segfault in the mixer in some cases.
    - Most nodes now produce and consume MIDI1 again and avoid
      conversions to and from UMP.
    - Various small fixes and improvements.
  * PipeWire
    - Fix regression with sample rate changes. (#5207 (closed))
    - Fix a potential integer overflow in the memory mapping.
  * Modules
    - Align RTP timestamps to make RAOP work on more devices.
      (#5167 (closed))
    - Avoid crashes in RTP streams because of concurrent event
      emission.
    - Avoid invalid fd usage in native-protocol with special
      crafted messages.
    - Fix properties and params enumeration in filter-chain
      (#5202 (closed)).
  * SPA
    - Fix compilation with -Werror=discarded-qualifiers
    - Avoid OOB read in mix matrix. (#5176 (closed))
    - Avoid loading plugins from absolute paths that are not in
      the search path.
    - Avoid MIDI conversions to and from UMP. (#5183 (closed))
  * Bluetooth
    - Backport some fixes and avoid some crashes.
  * JACK
    - Make sure timebase callback is never called with 0 frames.
    - Increase the notify queue to avoid losing notifications.
- Drop patch which is already included upstream:
  * pipewire-const-correctness-1.patch
- Modify the service to use a tar.xz file for the sources instead
  of obscpio.

==== poppler ====
Subpackages: libpoppler-cpp3 libpoppler-glib8 libpoppler157 poppler-tools

- %suse_version value will be bumped for each service pack
  (e. g. 1610 for 16sp1), thus using >= 1600 for SLE16
- SLE16 does not have extra-cmake-modules

==== poppler-qt6 ====

- %suse_version value will be bumped for each service pack
  (e. g. 1610 for 16sp1), thus using >= 1600 for SLE16
- SLE16 does not have extra-cmake-modules

==== postfix ====

- Yet another AVC denial from procmail ... (bsc#1261933)
  Set FD_CLOEXEC on the file descriptor of the db file
  o avoid-inherited-file-descriptor.patch

==== ruby4.0 ====
Version update (4.0.2 -> 4.0.3)
Subpackages: libruby4_0-4_0

- Update to 4.0.3 (boo#1262441)
  This release only contains ERB 6.0.1.1, which fixes CVE-2026-41316.
  If your application calls Marshal.load on untrusted data AND has
  both erb and activesupport loaded, please update your ERB to
  4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. You may use this
  Ruby 4.0.3 release to do so.
  https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316/
  https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released/

==== sdbootutil ====
Version update (1+git20260409.83d5678 -> 1+git20260421.88e40c4)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20260421.88e40c4:
  * Allow multiple lines and comment lines in cmdline files

==== sso-mib ====
Version update (0.8.0 -> 0.8.1)

- Import version 0.8.1
  This bugfix release hardens the codebase against various kinds
  of errors

==== time ====
Version update (1.9 -> 1.10)

- update to 1.10
  * now opens the file specified by --output with its
    close-on-exec flag set. Previously the file descriptor would
    be leaked into the child process.
  * no longer appends the program name to the output when the
    format string contains a trailing backslash
  * now uses the more portable waitpid and getrusage system calls
    instead of wait3.
  * help output correctness
- drop disable-time-max-rss-test.patch
- drop time-gcc15.patch