Packages changed: 7zip alsa (1.2.14 -> 1.2.15) alsa-ucm-conf (1.2.14 -> 1.2.15) alsa-utils (1.2.14 -> 1.2.15) apache2 (2.4.65 -> 2.4.66) apache2-manual (2.4.65 -> 2.4.66) apache2-prefork (2.4.65 -> 2.4.66) apache2-utils (2.4.65 -> 2.4.66) blueman (2.4.2 -> 2.4.6) container-selinux (2.243.0 -> 2.244.0) gcc glib2 (2.86.2 -> 2.86.3) gnome-remote-desktop (49.1 -> 49.2) gstreamer (1.26.8 -> 1.26.9) gstreamer-plugins-bad (1.26.8 -> 1.26.9) gstreamer-plugins-base (1.26.8 -> 1.26.9) gstreamer-plugins-good (1.26.8 -> 1.26.9) gstreamer-plugins-libav (1.26.8 -> 1.26.9) gstreamer-plugins-rs (1.26.8 -> 1.26.9) gstreamer-plugins-ugly (1.26.8 -> 1.26.9) ibus (1.5.32 -> 1.5.33) ibus_gtk4 (1.5.32 -> 1.5.33) iproute2 (6.17 -> 6.18) kernel-firmware-amdgpu (20251201 -> 20251203) kernel-firmware-ath10k (20250206 -> 20251205) kernel-firmware-ath11k (20250829 -> 20251202) kernel-firmware-bluetooth (20251125 -> 20251202) kernel-firmware-qcom (20251125 -> 20251202) kernel-firmware-sound (20251121 -> 20251205) kernel-source krb5 (1.21.3 -> 1.22.1) leancrypto libcap libdrm (2.4.129 -> 2.4.130) libeconf (0.8.1 -> 0.8.2) libinput (1.30.0 -> 1.30.1) libnl3 (3.11.0 -> 3.12.0) libpng16 (1.6.51 -> 1.6.52) linux-glibc-devel (6.17 -> 6.18) mdadm (4.4+30.g9a59bf51 -> 4.4+31.g541b40d3) ncurses (6.5.20251123 -> 6.5.20251206) nftables (1.1.5 -> 1.1.6) openSUSE-release (20251205 -> 20251210) patterns-media poppler poppler-qt6 python-anyio (4.11.0 -> 4.12.0) python-argon2-cffi (23.1.0 -> 25.1.0) python-cryptography python-greenlet (3.2.4 -> 3.3.0) python-psutil python-typing_extensions python-tzdata rng-tools selinux-policy (20251128 -> 20251208) sensors snapshot (49.0 -> 49.1) strace (6.17 -> 6.18) systemd-presets-common-SUSE usbmuxd (1.1.1+git69.523f700 -> 1.1.1+git72.3ded00c) webkit2gtk3 (2.50.2 -> 2.50.3) webkit2gtk4 (2.50.2 -> 2.50.3) yast2-trans (84.87.20251125.b9a54cb9bd -> 84.87.20251202.6c2698bf7a) === Details === ==== 7zip ==== - Do not use asm code on aarch64 until PAC/BTI/GCS fixed upstream ==== alsa ==== Version update (1.2.14 -> 1.2.15) Subpackages: libasound2 libatopology2 - Backport upstream fixes, mainly for regressions (bsc#1254652): 0001-ucm-use-closefrom-instead-of-close_range.patch 0002-ucm-exec-fix-maxfd-used-warning.patch 0003-conf-merge-card-specific-contents-per-file-whole-aft.patch 0004-conf-fix-possible-memory-leak-in-config_file_open-er.patch 0005-Revert-conf-fix-load_for_all_cards-do-not-merge-the-.patch 0006-conf-USB-Audio-define-pcm-configuration-block-only-o.patch 0007-conf-HDA-Intel-define-pcm-configuration-block-only-o.patch - Update to alsa-lib 1.2.15: * documentation, coding style and configure fixes * error: add priority and interface strings to the log messages * snd_tlv_convert_to_dB: Fix mute handling for MINMAX_MUTE type * mixer: bag - fix bag_del_all implementation (missing free) * pcm: plugin - avoid 32-bit to 64-bit return value conversions * pcm route: suppress false positive warning for gcc 8+ * pcm: add a loop to snd_pcm_avail_delay() to avoid bogus delay values * rawmidi: Fix inactive stream definition and handling * seq: drain API fix, notiffy for pversion ioctl failure * topology: fix nibble warning in tplg_save_quoted() * lots of UCM and conf fixes and improvements For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.14_v1.2.15#alsa-lib ==== alsa-ucm-conf ==== Version update (1.2.14 -> 1.2.15) - Update to alsa-ucm-conf 1.2.15: * USB-Audio: support for Steinberg UR22C, GoXLR, HP Thunderbolt Dock G2, Audient iD14 MK2, DualSense PS5 controller, Steinberg UR22mkII, Teufel CAGE PRO, MSI MAG B850M Mortar Wifi, Beacn Mic and Studio, Solid State Labs SSL 2, Behringer Flow8, Solid State Labs SSL 2+, Steinberg UR44, Behringer UCM204HD/404HD, RME Fireface UCX, Presonus Revelator IO44 * Fixes for configurations * Lots of Qualcomm updates * Intel SOF updates/fixes * Mediatek, Realtek, Tegra, AMD ACP updates For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.14_v1.2.15#alsa-ucm-conf ==== alsa-utils ==== Version update (1.2.14 -> 1.2.15) - Update to alsa-utils 1.2.15: * alsactl lots of fixes, new -Y option to extract via key=value pairs * amidi: Ignore inactive MIDI ports as default at listing * add support for new log handler for aconnect, alsamixer, alsactl * aplay: reorganize format handling in begin_wave() * Revert "aplay: fix S24_LE wav header" * bat: Fix buffer time configuration For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.14_v1.2.15#alsa-utils ==== apache2 ==== Version update (2.4.65 -> 2.4.66) - version update to 2.4.66 * ) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (cve.mitre.org) mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. * ) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable override (cve.mitre.org) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. * ) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF (cve.mitre.org) Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content * ) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (cve.mitre.org) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. * ) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals (cve.mitre.org) An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. * ) mod_http2: Fix handling of 304 responses from mod_cache. * ) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of integers, used in push diaries and proxy window size calculations. * ) mod_md: update to version 2.6.5 - New directive `MDInitialDelay`, controlling how longer to wait after a server restart before checking certificates for renewal. [Michael Kaufmann] - Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions, the parsing of ASN.1 time strings did not do a length check. - Hardening: when reading back OCSP responses stored in the local JSON store, missing 'valid' key led to uninitialized values, resulting in wrong refresh behaviour. * ) mod_md: update to version 2.6.6 - Fix a small memory leak when using OpenSSL's BIGNUMs. - Fix reuse of curl easy handles by resetting them. * ) mod_http2: update to version 2.0.35 New directive `H2MaxStreamErrors` to control how much bad behaviour by clients is tolerated before the connection is closed. * ) mod_proxy_http2: add support for ProxyErrorOverride directive. * ) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify the value set for the TCP_DEFER_ACCEPT socket option on listen sockets. * ) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host compatibility policy. * ) mod_md: update to version 2.6.2 - Fix error retry delay calculation to not already doubling the wait on the first error. * ) mod_md: update to version 2.6.1 - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty traffic on errored renewals for the ACME CA. This leads to error retries of 30s, 1 minute, 2, 4, etc. up to daily attempts. - Checking that configuring `MDRetryDelay` will result in a positive duration. A delay of 0 is not accepted. - Fix a bug in checking Content-Type of responses from the ACME server. - Added ACME ARI support (rfc9773) to the module. Enabled by default. New directive "MDRenewViaARI on|off" for controlling this. - Removing tailscale support. It has not been working for a long time as the company decided to change their APIs. Away with the dead code, documentation and tests. - Fixed a compilation issue with pre-industrial versions of libcurl. - httpd testsuite of svn revision 1929573 ==== apache2-manual ==== Version update (2.4.65 -> 2.4.66) - version update to 2.4.66 * ) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (cve.mitre.org) mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. * ) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable override (cve.mitre.org) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. * ) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF (cve.mitre.org) Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content * ) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (cve.mitre.org) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. * ) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals (cve.mitre.org) An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. * ) mod_http2: Fix handling of 304 responses from mod_cache. * ) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of integers, used in push diaries and proxy window size calculations. * ) mod_md: update to version 2.6.5 - New directive `MDInitialDelay`, controlling how longer to wait after a server restart before checking certificates for renewal. [Michael Kaufmann] - Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions, the parsing of ASN.1 time strings did not do a length check. - Hardening: when reading back OCSP responses stored in the local JSON store, missing 'valid' key led to uninitialized values, resulting in wrong refresh behaviour. * ) mod_md: update to version 2.6.6 - Fix a small memory leak when using OpenSSL's BIGNUMs. - Fix reuse of curl easy handles by resetting them. * ) mod_http2: update to version 2.0.35 New directive `H2MaxStreamErrors` to control how much bad behaviour by clients is tolerated before the connection is closed. * ) mod_proxy_http2: add support for ProxyErrorOverride directive. * ) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify the value set for the TCP_DEFER_ACCEPT socket option on listen sockets. * ) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host compatibility policy. * ) mod_md: update to version 2.6.2 - Fix error retry delay calculation to not already doubling the wait on the first error. * ) mod_md: update to version 2.6.1 - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty traffic on errored renewals for the ACME CA. This leads to error retries of 30s, 1 minute, 2, 4, etc. up to daily attempts. - Checking that configuring `MDRetryDelay` will result in a positive duration. A delay of 0 is not accepted. - Fix a bug in checking Content-Type of responses from the ACME server. - Added ACME ARI support (rfc9773) to the module. Enabled by default. New directive "MDRenewViaARI on|off" for controlling this. - Removing tailscale support. It has not been working for a long time as the company decided to change their APIs. Away with the dead code, documentation and tests. - Fixed a compilation issue with pre-industrial versions of libcurl. - httpd testsuite of svn revision 1929573 ==== apache2-prefork ==== Version update (2.4.65 -> 2.4.66) - version update to 2.4.66 * ) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (cve.mitre.org) mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. * ) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable override (cve.mitre.org) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. * ) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF (cve.mitre.org) Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content * ) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (cve.mitre.org) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. * ) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals (cve.mitre.org) An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. * ) mod_http2: Fix handling of 304 responses from mod_cache. * ) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of integers, used in push diaries and proxy window size calculations. * ) mod_md: update to version 2.6.5 - New directive `MDInitialDelay`, controlling how longer to wait after a server restart before checking certificates for renewal. [Michael Kaufmann] - Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions, the parsing of ASN.1 time strings did not do a length check. - Hardening: when reading back OCSP responses stored in the local JSON store, missing 'valid' key led to uninitialized values, resulting in wrong refresh behaviour. * ) mod_md: update to version 2.6.6 - Fix a small memory leak when using OpenSSL's BIGNUMs. - Fix reuse of curl easy handles by resetting them. * ) mod_http2: update to version 2.0.35 New directive `H2MaxStreamErrors` to control how much bad behaviour by clients is tolerated before the connection is closed. * ) mod_proxy_http2: add support for ProxyErrorOverride directive. * ) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify the value set for the TCP_DEFER_ACCEPT socket option on listen sockets. * ) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host compatibility policy. * ) mod_md: update to version 2.6.2 - Fix error retry delay calculation to not already doubling the wait on the first error. * ) mod_md: update to version 2.6.1 - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty traffic on errored renewals for the ACME CA. This leads to error retries of 30s, 1 minute, 2, 4, etc. up to daily attempts. - Checking that configuring `MDRetryDelay` will result in a positive duration. A delay of 0 is not accepted. - Fix a bug in checking Content-Type of responses from the ACME server. - Added ACME ARI support (rfc9773) to the module. Enabled by default. New directive "MDRenewViaARI on|off" for controlling this. - Removing tailscale support. It has not been working for a long time as the company decided to change their APIs. Away with the dead code, documentation and tests. - Fixed a compilation issue with pre-industrial versions of libcurl. - httpd testsuite of svn revision 1929573 ==== apache2-utils ==== Version update (2.4.65 -> 2.4.66) - version update to 2.4.66 * ) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (cve.mitre.org) mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. * ) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable override (cve.mitre.org) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. * ) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF (cve.mitre.org) Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content * ) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (cve.mitre.org) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. * ) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals (cve.mitre.org) An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. * ) mod_http2: Fix handling of 304 responses from mod_cache. * ) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of integers, used in push diaries and proxy window size calculations. * ) mod_md: update to version 2.6.5 - New directive `MDInitialDelay`, controlling how longer to wait after a server restart before checking certificates for renewal. [Michael Kaufmann] - Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions, the parsing of ASN.1 time strings did not do a length check. - Hardening: when reading back OCSP responses stored in the local JSON store, missing 'valid' key led to uninitialized values, resulting in wrong refresh behaviour. * ) mod_md: update to version 2.6.6 - Fix a small memory leak when using OpenSSL's BIGNUMs. - Fix reuse of curl easy handles by resetting them. * ) mod_http2: update to version 2.0.35 New directive `H2MaxStreamErrors` to control how much bad behaviour by clients is tolerated before the connection is closed. * ) mod_proxy_http2: add support for ProxyErrorOverride directive. * ) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify the value set for the TCP_DEFER_ACCEPT socket option on listen sockets. * ) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host compatibility policy. * ) mod_md: update to version 2.6.2 - Fix error retry delay calculation to not already doubling the wait on the first error. * ) mod_md: update to version 2.6.1 - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty traffic on errored renewals for the ACME CA. This leads to error retries of 30s, 1 minute, 2, 4, etc. up to daily attempts. - Checking that configuring `MDRetryDelay` will result in a positive duration. A delay of 0 is not accepted. - Fix a bug in checking Content-Type of responses from the ACME server. - Added ACME ARI support (rfc9773) to the module. Enabled by default. New directive "MDRenewViaARI on|off" for controlling this. - Removing tailscale support. It has not been working for a long time as the company decided to change their APIs. Away with the dead code, documentation and tests. - Fixed a compilation issue with pre-industrial versions of libcurl. - httpd testsuite of svn revision 1929573 ==== blueman ==== Version update (2.4.2 -> 2.4.6) Subpackages: blueman-lang thunar-sendto-blueman - Update to version 2.4.6: * Handling for new StatusNotifierWatcher - Update to version 2.4.5: * Make connection notifications transient * StatusNotifierItem: announce children-display * Manager: Hide bt status switch when PowerManager is not available - Update to version 2.4.4: * Fix Rfcom plugin dbus signature * Set an initial selected device in blueman-sendto * AutoConnect: Store bluetooth address instead of object path * Applet: Handle UnknownObject DBus error (@tommie) * Make search button available after device list becomes empty (@astcri) * Fix Fatal LoadException * Terminate applet on manager termination if it was started by manager * AutoConnect: Automatically convert path to address * Add toggle to force symbolic statusicon - Update to version 2.4.3: * Fix issues with specific device names * Fix deadlock between applet and manager when double-clicking the tray icon ==== container-selinux ==== Version update (2.243.0 -> 2.244.0) - Update to version 2.244.0: * New release: v2.244.0 * TMT: ELN rootless user has changed * Introduce container_write_proc_files interface (bsc#1253469) ==== gcc ==== - Remove go/gofmt alternatives. [bsc#1245878] ==== glib2 ==== Version update (2.86.2 -> 2.86.3) Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0 - Update to version 2.86.3: + Fix several security vulnerabilities of varying severity (see below for details): + Bugs fixed: - (CVE-2025-13601) (#YWH-PGM9867-134) Incorrect calculation of buffer size in g_escape_uri_string() - (#YWH-PGM9867-145) Buffer underflow on Glib through glib/gvariant via bytestring_parse() or string_parse() leads to OOB Write - GIO: Integer overflow in file attribute escaping - G_FILE_MONITOR_WATCH_HARD_LINK does not monitor files on Windows - gconvert: Error out if g_escape_uri_string() would overflow - gvariant-parser: Fix potential integer overflow parsing (byte)strings - gfileattribute: Fix integer overflow calculating escaping for byte strings ==== gnome-remote-desktop ==== Version update (49.1 -> 49.2) Subpackages: gnome-remote-desktop-lang - Update to version 49.2: + Misc bug fixes + Fix crash ==== gstreamer ==== Version update (1.26.8 -> 1.26.9) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.26.9: + Highlighted bugfixes in 1.26.9: - playback: playbin3 and decodebin3 stability fixes - Ancillary metadata handling fixes for AJA playout and Blackmagic Decklink capture cards - HLS and DASH adaptive streaming clients stability improvements - gst-play-1.0 will now print details of any missing plugins again - gtk4paintablesink: Add property to fine-tune reconfiguration behaviour on window-resize - NDI source: fix audio corruption for non-interleaved audio with stride padding - Add SMPTE ST291-1 ancillary metadata RTP payloader and depayloader - Add ST-2038 metadata combiner and extractor - webrtcsink: support hardware-accelerated encoders from the va VA-API plugin - spotifysrc: fix the Spotify integration by using Spotify's extended metadata endpoint - Python bindings cross compilation fixes - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - info: Force comparison to same types - queue: Use GST_PTR_FORMAT everywhere - streamcollection: Fix race condition between disconnecting notify proxy and notifications - value: Fix GstAllocationParams string serialisation on 32-bit architectures ==== gstreamer-plugins-bad ==== Version update (1.26.8 -> 1.26.9) Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.26.9: + Add missing G_DECLS symbols to gstvkqueue and gstvkcommandqueue + ajasink, decklinkvideosrc: Fix some GstAncillaryMeta handling bugs + analyticsmeta: Initialize span to avoid undefined behavior + GstPlay: Fixed wrong initial position update interval configuration + id3tag: Fix resource leak + mpegtsmux: Avoid infinite recursion writing PCR packets + mxfdemux: Fix typo on mxf_ffv1_create_caps + mxfmux: Fix memset usage + mpegtsmux: segfaults when bitrate is configured lower than bitrate that's coming in + scte-section: fix missing cleanup on splice component parse failure + tsdemux: expose audio GstStream for DTS + va, unixfdsrc: keep dmabufs mapped + vkh265dec: Fix a typo + vkvideo-private: Replace GstBuffer with GstMemory array for video sessions + vtdec: Fix race condition in decoder draining. Fluster runs were unstable ==== gstreamer-plugins-base ==== Version update (1.26.8 -> 1.26.9) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.26.9: + allocators: drmdumb: Keep dmabuf mapped + alsadeviceprovider: Fix device name leak + audiovisualizer: Use break instead of goto for escape logic + decodebin3: - Clear previous collection on input - Consider certain meta caps in decodebin3 as raw format to avoid warnings + decodebin3: Protect again NULL dereference if input slot can't be mapped + glbasesrc: Add unlock handling for non-negotiated cases + glcolorconvert: Fix memory leak in _create_shader + gldownload: Keep dmabuf mapped + glfiltershader: Add missing unlock + glstereosplit: Add missing unlock for exceptional case + pbutils: Fix bit shifting when generate hevc mime codec string + rtpbaseaudiopay: Consider RESYNC flag as discontinuity too + rtpbasedepayload: Add missing unlock in error code path + uridecodebin3: - Add null check of play items in purge - Add missing unlock + urisourcebin: Fix initial values of min_byte_level and min_time_level variables + videoencoder: Fix warning of uninitialized buffer + gst-play-1.0: - Fix printing of missing plugin details - Add missing unlock for invalid track type ==== gstreamer-plugins-good ==== Version update (1.26.8 -> 1.26.9) Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang - Update to version 1.26.9: + adaptivedemux2: Fix a crash on rapid state changes, and startup busy waiting + hlsdemux2: - Keep streams with different names - Error out instead of asserting on negative stream time - Not all subtitles are present in track/collection. Usage of FORCE EXT-X-MEDIA field + v4l2allocator: Add KEEP_MAPPED flag to the allocated buffers + v4l2videoenc: Fix codec frame leak on error ==== gstreamer-plugins-libav ==== Version update (1.26.8 -> 1.26.9) - Update to version 1.26.9: + No changes, stable bump only ==== gstreamer-plugins-rs ==== Version update (1.26.8 -> 1.26.9) - Update to version 1.26.9: + analytics splitter/combiner: Remove the separate fields to events and buffer + audiornnoise: copy input metadatas to ouput buffer + closedcaption: - cctost2038anc: Support alignment - st2038ancdemux: Support alignment - st2038ancmux: Support frame alignment - st2038: Forward frame rate in caps where available - Add ST-2038 combiner and extractor element - st2038extractor: Some fixes - st2038combiner: Some fixes + gif: Update to gif 0.14 + gtk4: - Add property to control reconfigure on window-resize behavior - Fix compile warning + fmp4, mp4: Implement GstChildProxy for MP4Mux and FMP4Mux + fmp4: Update to dash-mpd 0.19 + ndisrcdemux: fix audio corruption with non-interleaved stride padding + net/quinn: Update web-transport-quinn and fix flaky QUIC test + rtp: Add SMPTE ST291-1 (ANC) RTP payloader and depayloader + spotify: bump librespot 0.8.0 + webrtcsink: Don't let recalculate_latency block tokio worker thread + webrtcsink: support va encoders + Update dependencies + meson: fix build when GTK is not present ==== gstreamer-plugins-ugly ==== Version update (1.26.8 -> 1.26.9) Subpackages: gstreamer-plugins-ugly-lang - Update to version 1.26.9: + mdemux: Remove unnecessary condition ==== ibus ==== Version update (1.5.32 -> 1.5.33) Subpackages: ibus-dict-emoji ibus-gtk ibus-gtk3 ibus-lang libibus-1_0-5 typelib-1_0-IBus-1_0 - Upstream update to 1.5.33 * Fix reset signal w/ GTK_IM_MODULE=ibus in Wayland * Provide preedit semantic APIs * Do not load en-US compose table by default * IBus 1.5.33 will insert "include %L" in your compose file automatically generated by old IBus versions * Implement IBusMessage * Improve BEPO compose sequence visuals * Update simple.xml with xkeyboard-config 2.45 * Update ibusunicodegen.h with Unicode 17.0.0 * Bug fixes for Wayland input-method * Fix PageUp/PageDown buttons with hiding candidate popup * Drop fix-candidate-does-not-hide-automatically.patch * Fix leaks and buffer overflows - Drop patches for unmaintained distributions * ibus-fix-Signal-does-not-exist.patch * ibus-socket-name-compatibility.patch ==== ibus_gtk4 ==== Version update (1.5.32 -> 1.5.33) - Upstream update to 1.5.33 * Fix reset signal w/ GTK_IM_MODULE=ibus in Wayland * Provide preedit semantic APIs * Do not load en-US compose table by default * IBus 1.5.33 will insert "include %L" in your compose file automatically generated by old IBus versions * Implement IBusMessage * Improve BEPO compose sequence visuals * Update simple.xml with xkeyboard-config 2.45 * Update ibusunicodegen.h with Unicode 17.0.0 * Bug fixes for Wayland input-method * Fix PageUp/PageDown buttons with hiding candidate popup * Drop fix-candidate-does-not-hide-automatically.patch * Fix leaks and buffer overflows - Drop patches for unmaintained distributions * ibus-fix-Signal-does-not-exist.patch * ibus-socket-name-compatibility.patch ==== iproute2 ==== Version update (6.17 -> 6.18) Subpackages: iproute2-bash-completion - Update to release 6.18 * tc: add dualpi2 scheduler module * iplink: bond_slave: add support for actor_port_prio * ip: iplink_bridge: Support fdb_local_vlan_0 * ip/bond: add broadcast_neighbor support * netshaper: Add netshaper command ==== kernel-firmware-amdgpu ==== Version update (20251201 -> 20251203) - Update to version 20251203 (git commit a0f0e52138e5): * Revert "amdgpu: update GC 11.5.0 firmware" ==== kernel-firmware-ath10k ==== Version update (20250206 -> 20251205) - Update to version 20251205 (git commit 536cc58d9db1): * ath10k: WCN3990 hw1.0: update board-2.bin * ath10k: QCA9888 hw2.0: update board-2.bin * ath10k: QCA4019 hw1.0: update board-2.bin ==== kernel-firmware-ath11k ==== Version update (20250829 -> 20251202) - Update to version 20251202 (git commit 685171356137): * ath11k: QCA6698AQ hw2.1: update to WLAN.HSP.1.1-04866-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 * ath11k: QCA2066 hw2.1: update board-2.bin ==== kernel-firmware-bluetooth ==== Version update (20251125 -> 20251202) - Update to version 20251202 (git commit 685171356137): * linux-firmware: Update firmware file for Intel Scorpius core * linux-firmware: Update firmware file for Intel BlazarIGfP core * linux-firmware: Update firmware file for Intel BlazarI core * linux-firmware: Update firmware file for Intel BlazarU-HrPGfP core * linux-firmware: Update firmware file for Intel BlazarU core ==== kernel-firmware-qcom ==== Version update (20251125 -> 20251202) - Update to version 20251202 (git commit 38c82f07a964): * qcom: update ADSP firmware for x1e80100 platform, change the license * qcom: reorder ADSP, CDSP firmware entries for qcs8300 in WHENCE ==== kernel-firmware-sound ==== Version update (20251121 -> 20251205) - Update to version 20251205 (git commit 536cc58d9db1): * cirrus: cs35l41: Add support for new HP laptops ==== kernel-source ==== - Reapply "rpm/config.sh: Use suse-kabi-tools" This reverts commit 6ce3f150389ee2831c4c0047296d6b64fc9054da. 1) 6.18 on its own is in factory. 2) suse-kabi-tools are in ring 1 already. - commit 371bdaf ==== krb5 ==== Version update (1.21.3 -> 1.22.1) Subpackages: krb5-32bit krb5-client - Fix memory leak; (bsc#1252989); Update patch 0009-UsrEtc-support.patch - Update to 1.22.1 * Fix a vulnerability in GSS MIC verification [CVE-2025-57736] - Changes in 1.22.0 User experience * The libdefaults configuration variable "request_timeout" can be set to limit the total timeout for KDC requests. When making a KDC request, the client will now wait indefinitely (or until the request timeout has elapsed) on a KDC which accepts a TCP connection, without contacting any additional KDCs. Clients will make fewer DNS queries in some configurations. * The realm configuration variable "sitename" can be set to cause the client to query site-specific DNS records when making KDC requests. Administrator experience * Principal aliases are supported in the DB2 and LMDB KDB modules and in the kadmin protocol. (The LDAP KDB module has supported aliases since release 1.7.) * UNIX domain sockets are supported for the Kerberos and kpasswd protocols. * systemd socket activation is supported for krb5kdc and kadmind. Developer experience * KDB modules can be be implemented in terms of other modules using the new krb5_db_load_module() function. * The profile library supports the modification of empty profiles and the copying of modified profiles, making it possible to construct an in-memory profile and pass it to krb5_init_context_profile(). * GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to gss_init_sec_context() to request strict enforcement of channel bindings by the acceptor. Protocol evolution * The PKINIT preauth module supports elliptic curve client certificates, ECDH key exchange, and the Microsoft paChecksum2 field. * The IAKERB implementation has been changed to comply with the most recent draft standard and to support realm discovery. * Message-Authenticator is supported in the RADIUS implementation used by the OTP kdcpreauth module. Code quality * Removed old-style function declarations, to accomodate compilers which have removed support for them. * Added OSS-Fuzz to the project's continuous integration infrastructure. * Rewrote the GSS per-message token parsing code for improved safety. - Updated patches: * 0001-ksu-pam-integration.patch * 0002-krb5-1.9-manpaths.patch * 0003-Adjust-build-configuration.patch * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch * 0005-krb5-1.6.3-ktutil-manpage.patch * 0006-krb5-1.12-api.patch * 0007-SELinux-integration.patch * 0008-krb5-1.9-debuginfo.patch - Renamed patches: * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch - Deleted patches: * 0009-Fix-three-memory-leaks.patch * 0010-CVE-2025-24528.patch ==== leancrypto ==== Subpackages: libleancrypto1 libleancrypto1-32bit - Fix bsc#1254370, bsc#1253654 - AVX detection is wrong on older intel CPUs * Add leancrypto_avx_detect1.patch * Add leancrypto_avx_detect2.patch ==== libcap ==== Subpackages: libcap2 libcap2-32bit - Move utils to bindir and then provide symlinks under sbindir as needed by Steam (bsc#1252129) ==== libdrm ==== Version update (2.4.129 -> 2.4.130) Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1 - Update to 2.4.130 * omap: fix omap_bo_size for tiled buffers * amdgpu: add env support for amdgpu.ids path * Support multiple paths in AMDGPU_ASIC_ID_TABLE_PATH envar * amdgpu: Fix envar name in documentation * Sync headers with drm-next * headers: drm: Sync virtgpu_drm.h with Linux v6.16 ==== libeconf ==== Version update (0.8.1 -> 0.8.2) Subpackages: libeconf0 libeconf0-32bit - Update to version 0.8.2: * Cleanup man pages * Using ECONF_ARGUMENT_IS_NULL_VALUE instead of general error ==== libinput ==== Version update (1.30.0 -> 1.30.1) Subpackages: libinput-udev libinput10 - Update to release 1.30.1 * Fixed a regression in the tablet handling code for some tablets that send input events while being logically out of proximity. * Support for the INPUT_PROP_PRESSUREPAD property available in Linux kernel 6.18. ==== libnl3 ==== Version update (3.11.0 -> 3.12.0) Subpackages: libnl-config libnl3-200 - Update to release 3.12 * xfrm: Add support for xfrm interface ID * Change vlan module to set QOS mapping flag * ip6_tnl: Add API to mark tunnels to "collect metadata" * encap: Add support for an IPv6/IPv4/ILA nexthop encapsulation ==== libpng16 ==== Version update (1.6.51 -> 1.6.52) Subpackages: libpng16-16 libpng16-16-x86-64-v3 - version update to 1.6.52 * Fixed CVE-2025-66293 (high severity): Out-of-bounds read in `png_image_read_composite`. (Reported by flyfish101 .) * Fixed the Paeth filter handling in the RISC-V RVV implementation. (Reported by Filip Wasil; fixed by Liang Junzhao.) * Improved the performance of the RISC-V RVV implementation. (Contributed by Liang Junzhao.) * Added allocation failure fuzzing to oss-fuzz. (Contributed by Philippe Antoine.) ==== linux-glibc-devel ==== Version update (6.17 -> 6.18) - Update to kernel headers 6.18 ==== mdadm ==== Version update (4.4+30.g9a59bf51 -> 4.4+31.g541b40d3) - Update to version 4.4+31.g541b40d3: * fix crash with homehost=none (bsc#1254541) ==== ncurses ==== Version update (6.5.20251123 -> 6.5.20251206) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20251206 + in-progress work to merge MinGW/Windows port. - Add missing dependency for libncurses_c++6 in ncurses-devel to avoid dangling symbolic links - Add ncurses patch 20251129 + in-progress work to merge MinGW/Windows port. ==== nftables ==== Version update (1.1.5 -> 1.1.6) Subpackages: libnftables1 python313-nftables - Update to release 1.1.6 * Complete lightweight tunnel template support, including vxlan, geneve and erspan. * Support for wildcards in netdev hooks. * Support to pass up bridge frame to the bridge device for local processing. ==== openSUSE-release ==== Version update (20251205 -> 20251210) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== patterns-media ==== Subpackages: patterns-media-rest_cd_core patterns-media-rest_dvd - Add grub2-riscv64-efi-bls ==== poppler ==== Subpackages: libpoppler-cpp2 libpoppler-glib8 libpoppler153 poppler-tools - security update - added patches CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap * poppler-CVE-2025-11896.patch ==== poppler-qt6 ==== - security update - added patches CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap * poppler-CVE-2025-11896.patch ==== python-anyio ==== Version update (4.11.0 -> 4.12.0) - Update to 4.12.0: * Added support for asyncio's task call graphs on Python 3.14 and later when using AnyIO's task groups * Added an asynchronous implementation of the functools module * Added support for uvloop=True on Windows via the winloop implementation * Added support for use as a context manager to anyio.lowlevel.RunVar * Added __all__ declarations to public submodules (anyio.lowlevel etc.) * Added the ability to set the token count of a CapacityLimiter to zero * Added parameters case_sensitive and recurse_symlinks along with support for path-like objects to anyio.Path.glob() and anyio.Path.rglob() * Dropped sniffio as a direct dependency and added the get_available_backends() function * Fixed Process.stdin.send() not raising ClosedResourceError and BrokenResourceError on asyncio * Fixed Process.stdin.send() not checkpointing before writing data on asyncio * Fixed a race condition where cancelling a Future from BlockingPortal.start_task_soon() would sometimes not cancel the async function * Fixed the presence of the pytest plugin causing breakage with older versions of pytest (<= 6.1.2) * Fixed a rarely occurring RuntimeError: Set changed size during iteration while shutting down the process pool when using the asyncio backend ==== python-argon2-cffi ==== Version update (23.1.0 -> 25.1.0) - Update to 25.1.0 Added * Official support for Python 3.13 and 3.14. No code changes were necessary. Removed * Python 3.7 is not supported anymore. #186 Changed * argon2.PasswordHasher.check_needs_rehash() now also accepts bytes like the rest of the API. #174 * Improved parameter compatibility handling for Pyodide / WebAssembly environments. #190 - Remove Python 3.14 fro classifiers since the current version of setuptools doesn't recognize it. ==== python-cryptography ==== Subpackages: python311-cryptography python313-cryptography - Only require pytest-subtests with pytest < 9. ==== python-greenlet ==== Version update (3.2.4 -> 3.3.0) - Update to 3.3.0 * Drop support for Python 3.9. * Switch to distributing manylinux_2_28 wheels instead of manylinux2014 wheels. Likewise, switch from musllinux_1_1 to 1_2. * Add initial support for free-threaded builds of CPython 3.14. Due to limitations, we do not distribute binary wheels for free-threaded CPython on Windows. (Free-threaded CPython 3.13 may work, but is untested and unsupported.) ==== python-psutil ==== Subpackages: python311-psutil python313-psutil - Only require pytest-subtests with pytest < 9. ==== python-typing_extensions ==== - add py314-fix-tests.patch to fix tests with python 3.14 ==== python-tzdata ==== - Only require pytest-subtests with pytest < 9. ==== rng-tools ==== - Drop rcrng-tools symlink [jsc#PED-266] ==== selinux-policy ==== Version update (20251128 -> 20251208) Subpackages: selinux-policy-targeted - Update to version 20251208: * Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459) * Allow virtqemud_t to read/write device_t (bsc#1251789) * Introduce sap_service_transition_to_unconfined_user boolean * allow init to read sap symlinks * Allow SAP domain to relocation text in all files - Update embedded container-selinux version to commit: - 9017e1f8074db9b7ae026670b0e0216cf53f18d9 (version 2.244.0) ==== sensors ==== Subpackages: libsensors4 - Don't use valgrind in qemu emulation - Drop rcFOO symlinks [jsc#PED-266] ==== snapshot ==== Version update (49.0 -> 49.1) Subpackages: snapshot-lang - Update to version 49.1: + Fix camera portal usage for non-sandboxed app + Use static.gnome.org for screenshots in app metainfo + Updated translations. ==== strace ==== Version update (6.17 -> 6.18) - Update to strace 6.18 * Added -e kvm=vcpu+ option for kvm_run struct decoding. * Implemented decoding of FS_IOC_GETFSUUID, FS_IOC_GETFSSYSFSPATH, and FS_IOC_GETLBMD_CAP ioctl commands. * Implemented decoding of BPF_PROG_STREAM_READ_BY_FD bpf command. * Updated decoding of BPF_BTF_LOAD, BPF_MAP_CREATE, BPF_PROG_ATTACH, BPF_PROG_DETACH, BPF_PROG_LOAD, BPF_PROG_QUERY, and BPF_*_GET_*_ID bpf commands. * Updated decoding of bpf_map_info and bpf_prog_info structures. * Updated lists of AUDIT_*, BR_*, FF_*, IFLA_*, INPUT_PROP_*, IORING_*, KEXEC_FILE_*, KEY_*, KVM_CAP_*, NL80211_CMD_*, RWF_*, and TEE_* constants. ==== systemd-presets-common-SUSE ==== - Enable cleanoldsepoldir.service to allow to run after boot it is part of root path move from /var/lib/selinux to /etc/selinux (bsc#1221342) ==== usbmuxd ==== Version update (1.1.1+git69.523f700 -> 1.1.1+git72.3ded00c) - Update to version 1.1.1+git72.3ded00c: - Allow specifying configuration directory to use - conf: Make sure to sanitize input for SavePairRecord command (bsc#1254302) - Refresh harden_usbmuxd.service.patch. ==== webkit2gtk3 ==== Version update (2.50.2 -> 2.50.3) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.50.3 (bsc#1254473 bsc#1254498 bsc#1254509): + Fix seeking and looping of media elements that set the "loop" property. + Fix several crashes and rendering issues. + Security fixes: CVE-2025-13947, CVE-2025-43421, CVE-2025-43458, CVE-2025-66287. - Drop webkit2gtk3-undefined-symbol.patch: fixed upstream. - Use %limit_build. Also define %dwz_low_mem_die_limit and %dwz_max_die_limit, similar to what we have in wpewebkit. This should simplify the logic for limiting jobs and will hopefully help with intermittent build failures. ==== webkit2gtk4 ==== Version update (2.50.2 -> 2.50.3) Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles - Update to version 2.50.3 (bsc#1254473 bsc#1254498 bsc#1254509): + Fix seeking and looping of media elements that set the "loop" property. + Fix several crashes and rendering issues. + Security fixes: CVE-2025-13947, CVE-2025-43421, CVE-2025-43458, CVE-2025-66287. - Drop webkit2gtk3-undefined-symbol.patch: fixed upstream. - Use %limit_build. Also define %dwz_low_mem_die_limit and %dwz_max_die_limit, similar to what we have in wpewebkit. This should simplify the logic for limiting jobs and will hopefully help with intermittent build failures. ==== yast2-trans ==== Version update (84.87.20251125.b9a54cb9bd -> 84.87.20251202.6c2698bf7a) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20251202.6c2698bf7a: * Update translation files * New POT for text domain 'rmt'.