Packages changed:
  MicroOS-release (20251205 -> 20251210)
  alsa (1.2.14 -> 1.2.15)
  cockpit
  container-selinux (2.243.0 -> 2.244.0)
  gcc
  glib2 (2.86.2 -> 2.86.3)
  gstreamer (1.26.8 -> 1.26.9)
  gstreamer-plugins-bad (1.26.8 -> 1.26.9)
  gstreamer-plugins-base (1.26.8 -> 1.26.9)
  iproute2 (6.17 -> 6.18)
  kernel-firmware-amdgpu (20251201 -> 20251203)
  kernel-firmware-ath10k (20250206 -> 20251205)
  kernel-firmware-ath11k (20250829 -> 20251202)
  kernel-firmware-bluetooth (20251125 -> 20251202)
  kernel-firmware-qcom (20251125 -> 20251202)
  kernel-firmware-sound (20251121 -> 20251205)
  kernel-source
  keylime (7.12.1 -> 7.13.0+40)
  krb5 (1.21.3 -> 1.22.1)
  leancrypto
  libcap
  libdrm (2.4.129 -> 2.4.130)
  libeconf (0.8.1 -> 0.8.2)
  libinput (1.30.0 -> 1.30.1)
  libnl3 (3.11.0 -> 3.12.0)
  libpng16 (1.6.51 -> 1.6.52)
  mdadm (4.4+30.g9a59bf51 -> 4.4+31.g541b40d3)
  ncurses (6.5.20251123 -> 6.5.20251206)
  nftables (1.1.5 -> 1.1.6)
  poppler
  poppler-qt6
  python-cryptography
  python-greenlet (3.2.4 -> 3.3.0)
  python-psutil
  python-referencing
  python-typing_extensions
  selinux-policy (20251128 -> 20251208)
  sensors
  steam-devices (20240522+git.e2971e4 -> 20251018+git.4d7e6c1)
  systemd-presets-common-SUSE
  ucode-amd (20251113 -> 20251203)

=== Details ===

==== MicroOS-release ====
Version update (20251205 -> 20251210)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== alsa ====
Version update (1.2.14 -> 1.2.15)

- Backport upstream fixes, mainly for regressions (bsc#1254652):
  0001-ucm-use-closefrom-instead-of-close_range.patch
  0002-ucm-exec-fix-maxfd-used-warning.patch
  0003-conf-merge-card-specific-contents-per-file-whole-aft.patch
  0004-conf-fix-possible-memory-leak-in-config_file_open-er.patch
  0005-Revert-conf-fix-load_for_all_cards-do-not-merge-the-.patch
  0006-conf-USB-Audio-define-pcm-configuration-block-only-o.patch
  0007-conf-HDA-Intel-define-pcm-configuration-block-only-o.patch
- Update to alsa-lib 1.2.15:
  * documentation, coding style and
    configure fixes
  * error: add priority and interface strings to the log messages
  * snd_tlv_convert_to_dB: Fix mute handling for MINMAX_MUTE type
  * mixer: bag - fix bag_del_all implementation (missing free)
  * pcm: plugin - avoid 32-bit to 64-bit return value conversions
  * pcm route: suppress false positive warning for gcc 8+
  * pcm: add a loop to snd_pcm_avail_delay() to avoid bogus delay values
  * rawmidi: Fix inactive stream definition and handling
  * seq: drain API fix, notify for pversion ioctl failure
  * topology: fix nibble warning in tplg_save_quoted()
  * lots of UCM and conf fixes and improvements
  For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.14_v1.2.15#alsa-lib

==== cockpit ====
Subpackages: cockpit-bridge cockpit-networkmanager cockpit-packagekit cockpit-system cockpit-ws cockpit-ws-selinux

- Update SELinux module dir as macro to allow root path move from /var/lib/selinux to /etc/selinux (bsc#1221342)

==== container-selinux ====
Version update (2.243.0 -> 2.244.0)

- Update to version 2.244.0:
  * New release: v2.244.0
  * TMT: ELN rootless user has changed
  * Introduce container_write_proc_files interface (bsc#1253469)

==== gcc ====

- Remove go/gofmt alternatives.
  [bsc#1245878]

==== glib2 ====
Version update (2.86.2 -> 2.86.3)
Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 typelib-1_0-GLib-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Update to version 2.86.3:
  + Fix several security vulnerabilities of varying severity (see below for details):
  + Bugs fixed:
    - (CVE-2025-13601) (#YWH-PGM9867-134) Incorrect calculation of buffer size in g_escape_uri_string()
    - (#YWH-PGM9867-145) Buffer underflow on Glib through glib/gvariant via bytestring_parse() or string_parse() leads to OOB Write
    - GIO: Integer overflow in file attribute escaping
    - G_FILE_MONITOR_WATCH_HARD_LINK does not monitor files on Windows
    - gconvert: Error out if g_escape_uri_string() would overflow
    - gvariant-parser: Fix potential integer overflow parsing (byte)strings
    - gfileattribute: Fix integer overflow calculating escaping for byte strings

==== gstreamer ====
Version update (1.26.8 -> 1.26.9)
Subpackages: libgstreamer-1_0-0

- Update to version 1.26.9:
  + Highlighted bugfixes in 1.26.9:
    - playback: playbin3 and decodebin3 stability fixes
    - Ancillary metadata handling fixes for AJA playout and Blackmagic Decklink capture cards
    - HLS and DASH adaptive streaming clients stability improvements
    - gst-play-1.0 will now print details of any missing plugins again
    - gtk4paintablesink: Add property to fine-tune reconfiguration behaviour on window-resize
    - NDI source: fix audio corruption for non-interleaved audio with stride padding
    - Add SMPTE ST291-1 ancillary metadata RTP payloader and depayloader
    - Add ST-2038 metadata combiner and extractor
    - webrtcsink: support hardware-accelerated encoders from the va VA-API plugin
    - spotifysrc: fix the Spotify integration by using Spotify's extended metadata endpoint
    - Python bindings cross compilation fixes
    - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements
  + gstreamer:
    - info: Force comparison
      to same types
    - queue: Use GST_PTR_FORMAT everywhere
    - streamcollection: Fix race condition between disconnecting notify proxy and notifications
    - value: Fix GstAllocationParams string serialisation on 32-bit architectures

==== gstreamer-plugins-bad ====
Version update (1.26.8 -> 1.26.9)
Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0

- Update to version 1.26.9:
  + Add missing G_DECLS symbols to gstvkqueue and gstvkcommandqueue
  + ajasink, decklinkvideosrc: Fix some GstAncillaryMeta handling bugs
  + analyticsmeta: Initialize span to avoid undefined behavior
  + GstPlay: Fixed wrong initial position update interval configuration
  + id3tag: Fix resource leak
  + mpegtsmux: Avoid infinite recursion writing PCR packets
  + mxfdemux: Fix typo on mxf_ffv1_create_caps
  + mxfmux: Fix memset usage
  + mpegtsmux: segfaults when bitrate is configured lower than bitrate that's coming in
  + scte-section: fix missing cleanup on splice component parse failure
  + tsdemux: expose audio GstStream for DTS
  + va, unixfdsrc: keep dmabufs mapped
  + vkh265dec: Fix a typo
  + vkvideo-private: Replace GstBuffer with GstMemory array for video sessions
  + vtdec: Fix race condition in decoder draining.
    Fluster runs were unstable

==== gstreamer-plugins-base ====
Version update (1.26.8 -> 1.26.9)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0

- Update to version 1.26.9:
  + allocators: drmdumb: Keep dmabuf mapped
  + alsadeviceprovider: Fix device name leak
  + audiovisualizer: Use break instead of goto for escape logic
  + decodebin3:
    - Clear previous collection on input
    - Consider certain meta caps in decodebin3 as raw format to avoid warnings
  + decodebin3: Protect against NULL dereference if input slot can't be mapped
  + glbasesrc: Add unlock handling for non-negotiated cases
  + glcolorconvert: Fix memory leak in _create_shader
  + gldownload: Keep dmabuf mapped
  + glfiltershader: Add missing unlock
  + glstereosplit: Add missing unlock for exceptional case
  + pbutils: Fix bit shifting when generate hevc mime codec string
  + rtpbaseaudiopay: Consider RESYNC flag as discontinuity too
  + rtpbasedepayload: Add missing unlock in error code path
  + uridecodebin3:
    - Add null check of play items in purge
    - Add missing unlock
  + urisourcebin: Fix initial values of min_byte_level and min_time_level variables
  + videoencoder: Fix warning of uninitialized buffer
  + gst-play-1.0:
    - Fix printing of missing plugin details
    - Add missing unlock for invalid track type

==== iproute2 ====
Version update (6.17 -> 6.18)

- Update to release 6.18
  * tc: add dualpi2 scheduler module
  * iplink: bond_slave: add support for actor_port_prio
  * ip: iplink_bridge: Support fdb_local_vlan_0
  * ip/bond: add broadcast_neighbor support
  * netshaper: Add netshaper command

==== kernel-firmware-amdgpu ====
Version update (20251201 -> 20251203)

- Update to version 20251203 (git commit a0f0e52138e5):
  * Revert "amdgpu: update GC 11.5.0 firmware"

==== kernel-firmware-ath10k ====
Version update (20250206 -> 20251205)

- Update to version 20251205 (git commit 536cc58d9db1):
  * ath10k: WCN3990 hw1.0: update board-2.bin
  * ath10k:
    QCA9888 hw2.0: update board-2.bin
  * ath10k: QCA4019 hw1.0: update board-2.bin

==== kernel-firmware-ath11k ====
Version update (20250829 -> 20251202)

- Update to version 20251202 (git commit 685171356137):
  * ath11k: QCA6698AQ hw2.1: update to WLAN.HSP.1.1-04866-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
  * ath11k: QCA2066 hw2.1: update board-2.bin

==== kernel-firmware-bluetooth ====
Version update (20251125 -> 20251202)

- Update to version 20251202 (git commit 685171356137):
  * linux-firmware: Update firmware file for Intel Scorpius core
  * linux-firmware: Update firmware file for Intel BlazarIGfP core
  * linux-firmware: Update firmware file for Intel BlazarI core
  * linux-firmware: Update firmware file for Intel BlazarU-HrPGfP core
  * linux-firmware: Update firmware file for Intel BlazarU core

==== kernel-firmware-qcom ====
Version update (20251125 -> 20251202)

- Update to version 20251202 (git commit 38c82f07a964):
  * qcom: update ADSP firmware for x1e80100 platform, change the license
  * qcom: reorder ADSP, CDSP firmware entries for qcs8300 in WHENCE

==== kernel-firmware-sound ====
Version update (20251121 -> 20251205)

- Update to version 20251205 (git commit 536cc58d9db1):
  * cirrus: cs35l41: Add support for new HP laptops

==== kernel-source ====

- Reapply "rpm/config.sh: Use suse-kabi-tools"
  This reverts commit 6ce3f150389ee2831c4c0047296d6b64fc9054da.
  1) 6.18 on its own is in factory.
  2) suse-kabi-tools are in ring 1 already.
- commit 371bdaf

==== keylime ====
Version update (7.12.1 -> 7.13.0+40)
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python313-keylime

- Update to version 7.13.0+40 (CVE-2025-13609, bsc#1254199):
  * Fix registrar duplicate UUID vulnerability (#1825)
  * [Automatic] Update Keylime base image 2025-12-01
  * Include new attestation information fields (#1818)
  * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
  * ci: add push model tests to the packit plan
  * push-model: require HTTPS for authentication and attestation endpoints
  * Fix operational_state tracking in push mode attestations
  * templates: add push model authentication config options to 2.5 templates
  * Improve test coverage for authentication components
  * Security: Hash authentication tokens in logs
  * Fix stale IMA policy cache in verification
  * Fix authentication behavior on failed attestations for push mode
  * Add shared memory infrastructure for multiprocess communication
  * Add agent authentication (challenge/response) protocol for push mode
  * Convert CRLF to LF line endings in attestation_controller.py
  * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
  * [Automatic] Update Keylime base image (2025-11-01) (#1816)
  * docs: Fix man page RST formatting for rst2man compatibility (#1813)
  * tests: Enable more tests in CI
  * Apply limit on keylime-policy workers
  * tpm: fix ECC signature parsing to support variable-length coordinates
  * tpm: fix ECC P-521 credential activation with consistent marshaling
  * tpm: fix ECC P-521 coordinate validation
  * tests: Test keylime-policy both for filelist-ext.xml match and mismatch (#1806)
  * [Automatic] Update Keylime base image 2025-10-01
  * Remove deprecated disabled_signing_algorithms configuration option (#1804)
  * algorithms: add support for specific RSA algorithms
  * algorithms: add support for specific ECC curve algorithms
  * Update manages
    based on review feedback
  * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
  * Manpage for keylime agent
  * Manpage for keylime verifier
  * Manpage for keylime registrar
  * Use constants for timeout and max retries defaults
  * tests: Add unit tests for the timeout configuration
  * verifier: Use timeout from `request_timeout` config option
  * revocation_notifier: Use timeout setting from config file
  * tenant: Set timeout when getting version from agent
  * verify/evidence: SEV-SNP evidence type/verifier
  * verify/evidence: Add evidence type to request JSON
- Update to version v7.13.0:
  * Bump version to 7.13.0
  * Avoid re-encoding certificate stored in DB
  * Revert "models: Do not re-encode certificate stored in DB"
  * Revert "registrar_agent: Use pyasn1 to parse PEM"
  * CI: Enable test add-agent-with-malformed-ek-cert
  * [Automatic] Update Keylime base image 2025-09-01
  * policy/sign: use print() when writing to /dev/stdout
  * registrar_agent: Use pyasn1 to parse PEM
  * models: Do not re-encode certificate stored in DB
  * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
  * Fix minor typo (exponantial->exponential)
  * mb: support vendor_db as logged by newer shim versions
  * mb: support EV_EFI_HANDOFF_TABLES events on PCR1
  * Remove unnecessary configuration values
  * cloud_verifier_tornado: handle exception in notify_error()
  * requests_client: close the session at the end of the resource manager
  * Manpage for keylime_tenant (#1786)
  * Add 2.5 templates including Push Model changes
  * [Automatic] Update Keylime base image 2025-08-01
  * Initial version of verify evidence API
  * packit: Enable connection leak test in CI
  * db: Do not read pool size and max overflow for sqlite
  * Use context managers to close DB sessions
  * revocations: Try to send notifications on shutdown
  * verifier: Gracefully shutdown on signal
  * [Automatic] Update Keylime base image 2025-07-01
  * Use `fork` as `multiprocessing` start method
  * Fix inaccuracy in threat model
    and add reference to SBAT
  * Explain TPM properties and expand vTPM discussion
  * Misc formatting fixes
  * Add diagrams and tweak formatting
  * Fix formatting issues
  * Fix invalid RST and update TOC
  * Expand threat model page to include adversarial model
  * CI: Enable CONTAINER_ENGINE to allow other engines
  * Add --push-model option to avoid requests to agents
  * [Automatic] Update Keylime base image 2025-06-04
  * docker: Remove tpm2-tools compilation from base image
  * tests: fix rpm repo tests from create-runtime-policy
  * tests: skip measured-boot related tests for s390x and ppc64le
  * templates: duplicate str_to_version() in the adjust script
  * policy: fix mypy issues with rpm_repo
  * revocation_notifier: fix mypy issue by replacing deprecated call
  * Fix create_runtime_policy in python < 3.12
  * [Automatic] Update Keylime base image 2025-06-02
  * Fix after review
  * fixed CONSTANT names C0103 errors
  * [Automatic] Update Keylime base image 2025-05-02
  * [Automatic] Update Keylime base image 2025-04-04
  * [Automatic] Update Keylime base image 2025-04-01
  * Extend meta_data field in verifierdb
  * docs: update issue templates
  * docs: add GitHub PR template with documentation reminders
  * [Automatic] Update Keylime base image 2025-03-10
  * tpm_util: fix quote signature extraction for ECDSA
  * packit: Add compatibility/api_version_compatibility test
  * registrar: Log API versions during startup
  * lint: Fix mypy warnings
  * Remove excessive logging on exception
  * tests: change test_mba_parsing to not need keylime installed
  * scripts: Fix coverage information downloading script

==== krb5 ====
Version update (1.21.3 -> 1.22.1)

- Fix memory leak; (bsc#1252989);
  Update patch 0009-UsrEtc-support.patch
- Update to 1.22.1
  * Fix a vulnerability in GSS MIC verification [CVE-2025-57736]
- Changes in 1.22.0
  User experience
  * The libdefaults configuration variable "request_timeout" can be set to limit the total timeout for KDC requests.
    When making a KDC request, the client will now wait indefinitely (or until the request timeout has elapsed) on a KDC which accepts a TCP connection, without contacting any additional KDCs. Clients will make fewer DNS queries in some configurations.
  * The realm configuration variable "sitename" can be set to cause the client to query site-specific DNS records when making KDC requests.
  Administrator experience
  * Principal aliases are supported in the DB2 and LMDB KDB modules and in the kadmin protocol. (The LDAP KDB module has supported aliases since release 1.7.)
  * UNIX domain sockets are supported for the Kerberos and kpasswd protocols.
  * systemd socket activation is supported for krb5kdc and kadmind.
  Developer experience
  * KDB modules can be implemented in terms of other modules using the new krb5_db_load_module() function.
  * The profile library supports the modification of empty profiles and the copying of modified profiles, making it possible to construct an in-memory profile and pass it to krb5_init_context_profile().
  * GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to gss_init_sec_context() to request strict enforcement of channel bindings by the acceptor.
  Protocol evolution
  * The PKINIT preauth module supports elliptic curve client certificates, ECDH key exchange, and the Microsoft paChecksum2 field.
  * The IAKERB implementation has been changed to comply with the most recent draft standard and to support realm discovery.
  * Message-Authenticator is supported in the RADIUS implementation used by the OTP kdcpreauth module.
  Code quality
  * Removed old-style function declarations, to accommodate compilers which have removed support for them.
  * Added OSS-Fuzz to the project's continuous integration infrastructure.
  * Rewrote the GSS per-message token parsing code for improved safety.
- Updated patches:
  * 0001-ksu-pam-integration.patch
  * 0002-krb5-1.9-manpaths.patch
  * 0003-Adjust-build-configuration.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
  * 0007-SELinux-integration.patch
  * 0008-krb5-1.9-debuginfo.patch
- Renamed patches:
  * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch
- Deleted patches:
  * 0009-Fix-three-memory-leaks.patch
  * 0010-CVE-2025-24528.patch

==== leancrypto ====

- Fix bsc#1254370, bsc#1253654 - AVX detection is wrong on older intel CPUs
  * Add leancrypto_avx_detect1.patch
  * Add leancrypto_avx_detect2.patch

==== libcap ====

- Move utils to bindir and then provide symlinks under sbindir as needed by Steam (bsc#1252129)

==== libdrm ====
Version update (2.4.129 -> 2.4.130)
Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1

- Update to 2.4.130
  * omap: fix omap_bo_size for tiled buffers
  * amdgpu: add env support for amdgpu.ids path
  * Support multiple paths in AMDGPU_ASIC_ID_TABLE_PATH envar
  * amdgpu: Fix envar name in documentation
  * Sync headers with drm-next
  * headers: drm: Sync virtgpu_drm.h with Linux v6.16

==== libeconf ====
Version update (0.8.1 -> 0.8.2)

- Update to version 0.8.2:
  * Cleanup man pages
  * Using ECONF_ARGUMENT_IS_NULL_VALUE instead of general error

==== libinput ====
Version update (1.30.0 -> 1.30.1)

- Update to release 1.30.1
  * Fixed a regression in the tablet handling code for some tablets that send input events while being logically out of proximity.
  * Support for the INPUT_PROP_PRESSUREPAD property available in Linux kernel 6.18.

==== libnl3 ====
Version update (3.11.0 -> 3.12.0)
Subpackages: libnl-config libnl3-200

- Update to release 3.12
  * xfrm: Add support for xfrm interface ID
  * Change vlan module to set QOS mapping flag
  * ip6_tnl: Add API to mark tunnels to "collect metadata"
  * encap: Add support for an IPv6/IPv4/ILA nexthop encapsulation

==== libpng16 ====
Version update (1.6.51 -> 1.6.52)

- version update to 1.6.52
  * Fixed CVE-2025-66293 (high severity): Out-of-bounds read in `png_image_read_composite`. (Reported by flyfish101.)
  * Fixed the Paeth filter handling in the RISC-V RVV implementation. (Reported by Filip Wasil; fixed by Liang Junzhao.)
  * Improved the performance of the RISC-V RVV implementation. (Contributed by Liang Junzhao.)
  * Added allocation failure fuzzing to oss-fuzz. (Contributed by Philippe Antoine.)

==== mdadm ====
Version update (4.4+30.g9a59bf51 -> 4.4+31.g541b40d3)

- Update to version 4.4+31.g541b40d3:
  * fix crash with homehost=none (bsc#1254541)

==== ncurses ====
Version update (6.5.20251123 -> 6.5.20251206)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Add ncurses patch 20251206
  + in-progress work to merge MinGW/Windows port.
- Add missing dependency for libncurses_c++6 in ncurses-devel to avoid dangling symbolic links
- Add ncurses patch 20251129
  + in-progress work to merge MinGW/Windows port.

==== nftables ====
Version update (1.1.5 -> 1.1.6)
Subpackages: libnftables1 python313-nftables

- Update to release 1.1.6
  * Complete lightweight tunnel template support, including vxlan, geneve and erspan.
  * Support for wildcards in netdev hooks.
  * Support to pass up bridge frame to the bridge device for local processing.

==== poppler ====
Subpackages: libpoppler-cpp2 libpoppler153

- security update
- added patches
  CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap
  * poppler-CVE-2025-11896.patch

==== poppler-qt6 ====

- security update
- added patches
  CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap
  * poppler-CVE-2025-11896.patch

==== python-cryptography ====

- Only require pytest-subtests with pytest < 9.

==== python-greenlet ====
Version update (3.2.4 -> 3.3.0)

- Update to 3.3.0
  * Drop support for Python 3.9.
  * Switch to distributing manylinux_2_28 wheels instead of manylinux2014 wheels. Likewise, switch from musllinux_1_1 to 1_2.
  * Add initial support for free-threaded builds of CPython 3.14. Due to limitations, we do not distribute binary wheels for free-threaded CPython on Windows. (Free-threaded CPython 3.13 may work, but is untested and unsupported.)

==== python-psutil ====

- Only require pytest-subtests with pytest < 9.

==== python-referencing ====

- Only require pytest-subtests with pytest < 9.

==== python-typing_extensions ====

- add py314-fix-tests.patch to fix tests with python 3.14

==== selinux-policy ====
Version update (20251128 -> 20251208)
Subpackages: selinux-policy-targeted

- Update to version 20251208:
  * Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459)
  * Allow virtqemud_t to read/write device_t (bsc#1251789)
  * Introduce sap_service_transition_to_unconfined_user boolean
  * allow init to read sap symlinks
  * Allow SAP domain to relocation text in all files
- Update embedded container-selinux version to commit:
  - 9017e1f8074db9b7ae026670b0e0216cf53f18d9 (version 2.244.0)

==== sensors ====

- Don't use valgrind in qemu emulation
- Drop rcFOO symlinks [jsc#PED-266]

==== steam-devices ====
Version update (20240522+git.e2971e4 -> 20251018+git.4d7e6c1)

- Update to version 20251018+git.4d7e6c1:
  * Add Nintendo Switch Joy-Cons
  * Add Hori HORIPAD STEAM
  * Add Xbox One Elite 2 Controller
  * Add EdgeTX / OpenTX controllers in gamepad mode
  * Add PowerA Fusion Fightpad for Nintendo Switch
  * Add Razer Wolverine V2 Pro
  * Add Hori Alpha for PS5

==== systemd-presets-common-SUSE ====

- Enable cleanoldsepoldir.service to allow to run after boot it is part of root path move from /var/lib/selinux to /etc/selinux (bsc#1221342)

==== ucode-amd ====
Version update (20251113 -> 20251203)

- Update to version 20251203 (git commit a0f0e52138e5):
  * linux-firmware: Update amd-ucode copyright information
  * linux-firmware: Update AMD cpu microcode