Packages changed:
  cnf
  dhcp
  glib2-branding-openSUSE
  kernel-firmware-amdgpu
  kernel-firmware-ath10k
  kernel-firmware-ath11k (20250227 -> 20250424)
  kernel-firmware-ath12k (20250206 -> 20250424)
  kernel-firmware-atheros
  kernel-firmware-bluetooth
  kernel-firmware-bnx2
  kernel-firmware-brcm
  kernel-firmware-chelsio
  kernel-firmware-dpaa2
  kernel-firmware-i915
  kernel-firmware-intel
  kernel-firmware-iwlwifi (20250312 -> 20250423)
  kernel-firmware-liquidio
  kernel-firmware-marvell
  kernel-firmware-media (20250422 -> 20250424)
  kernel-firmware-mediatek
  kernel-firmware-mellanox
  kernel-firmware-mwifiex
  kernel-firmware-network
  kernel-firmware-nfp
  kernel-firmware-nvidia
  kernel-firmware-platform
  kernel-firmware-prestera
  kernel-firmware-qcom
  kernel-firmware-qlogic
  kernel-firmware-radeon
  kernel-firmware-realtek
  kernel-firmware-serial
  kernel-firmware-sound
  kernel-firmware-ti
  kernel-firmware-ueagle
  kernel-firmware-usb-network
  libssh
  libzip
  lilv
  lua54
  mariadb-connector-c
  open-vm-tools
  openssh (9.9p2 -> 10.0p2)
  openssh-askpass-gnome (9.9p2 -> 10.0p2)
  orca
  publicsuffix (20250407 -> 20250424)
  python-M2Crypto (0.44.0 -> 0.45.1)
  python-gevent (24.10.3 -> 25.4.2)
  python-h11 (0.14.0 -> 0.16.0)
  python-httpcore (1.0.8 -> 1.0.9)
  python313 (3.13.2 -> 3.13.3)
  python313-core (3.13.2 -> 3.13.3)
  sane-backends
  sdbootutil (1+git20250423.61ca94f -> 1+git20250425.25d659b)
  unbound (1.22.0 -> 1.23.0)

=== Details ===

==== cnf ====
Subpackages: cnf-bash cnf-locale

- Fix Obsolete of a scout-command-not-found to <= 0.2.9

==== dhcp ====
Subpackages: dhcp-client dhcp-relay dhcp-server

- Add compile option '-std=gnu17' to fix build with gcc15. [bsc#1241472]

==== glib2-branding-openSUSE ====
- Update defaults to match current situation:
  + Remove banshee preference: banshee has not been shipped since 2016.
  + Add Loupe to the preferred applications for images
  + Do not use Eog by default. As it's alphabetically before Loupe, Eog would always win the way it was listed (when installed).
  + Explicitly set image/tiff to org.gnome.Loupe as Eog is no longer part of the default installations.

==== kernel-firmware-amdgpu ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-ath10k ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-ath11k ====
Version update (20250227 -> 20250424)

- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
  * ath11k: WCN6855 hw2.0: update board-2.bin
  * ath11k: IPQ5018 hw1.0: update to WLAN.HK.2.6.0.1-01300-QCAHKSWPL_SILICONZ-1

==== kernel-firmware-ath12k ====
Version update (20250206 -> 20250424)

- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
  * ath12k: WCN7850 hw2.0: update to WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
  * ath12k: QCN9274 hw2.0: update board-2.bin

==== kernel-firmware-atheros ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-bluetooth ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-bnx2 ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-brcm ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-chelsio ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-dpaa2 ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-i915 ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-intel ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-iwlwifi ====
Version update (20250312 -> 20250423)

- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250423 (git commit c67433231cbd):
  * iwlwifi: add Bz/gl FW for core95-82 release
  * iwlwifi: update ty/So/Ma firmwares for core95-82 release
  * iwlwifi: update cc/Qu/QuZ firmwares for core95-82 release
- Update to version 20250422 (git commit 32f3227b67c0):
  * iwlwifi: add Bz-hr FW for core93-123 release

==== kernel-firmware-liquidio ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-marvell ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-media ====
Version update (20250422 -> 20250424)

- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
  * qcom: vpu: update video firmware binary for SA8775p

==== kernel-firmware-mediatek ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-mellanox ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-mwifiex ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-network ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-nfp ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-nvidia ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-platform ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-prestera ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-qcom ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-qlogic ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-radeon ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-realtek ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-serial ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-sound ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-ti ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-ueagle ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== kernel-firmware-usb-network ====
- Change conflicts filesystem < 84 to conflicts filesystem without may-perform-usrmerge.
  Version 84 is specific to Tumbleweed; CODE 16 uses Version 16; yet we need to ensure we get an up-to-date version of filesystem.
  Relying on the recently introduced provides instructing zypp about the usrmerge is perfect for this use case.

==== libssh ====
Subpackages: libssh-config libssh4

- Fix build and tests with OpenSSH >= 10.0
  * Use %make_build instead of naked make
  * Add patches:
    - libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
    - libssh-misc-Fix-OpenSSH-banner-parsing.patch

==== libzip ====
- Fix libzip-devel dependencies. libzip-targets*.cmake create CMake targets for zipcmp, zipmerge and ziptool.

==== lilv ====
- Rework the way the preferred python flavor is used as prefix so it also works with Slowroll
- Add BuildRequires for pkgconfig(zix) which was pulled in indirectly but is actually required since 0.24.22.
- Generate the python subpackage with the python flavored prefix it's being used instead of always using python3

==== lua54 ====
- Fix license: it is MIT, not GPL-3.0-or-later.

==== mariadb-connector-c ====
- add patches from upstream to fix gcc-15 compile time errors:
  * mariadb-connector-c-3.4.5-gcc15.patch
  * mariadb-connector-c-3.4.5-gcc15-part2.patch

==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop

- (bsc#1237147): Newer versions of containerd do not have the directory /usr/share/go/1.x/contrib/src/github.com/containerd/containerd/api.
  Update detect-suse-location.patch to point to the directory /usr/share/go/1.x/contrib/src/github.com/containerd/containerd/vendor/github.com/containerd/containerd/api to find the needed files and update the tasks.proto file to import from github.com/containerd/containerd/vendor/github.com/containerd/containerd/api

==== openssh ====
Version update (9.9p2 -> 10.0p2)
Subpackages: openssh-clients openssh-common openssh-server

- Add openssh-send-extra-term-env.patch, which appends a few environment variables useful for terminal identification to the default send and accept lists.
- "Update" to openssh 10.0p2:
  - There was an issue during the packaging of 10.0p1 which made it identify itself as 10.0p2 so 10.0p1 is now considered identical to 10.0p2 and upstream won't release a separate 10.0p2 package.
- Update to openssh 10.0p1:
  = Potentially-incompatible changes
  * This release removes support for the weak DSA signature algorithm, completing the deprecation process that began in 2015 (when DSA was disabled by default) and repeatedly warned over the last 12 months.
  * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by scp & sftp.
    This disables implicit session creation by these tools when ControlMaster was set to yes/auto by configuration, which some users found surprising.
    This change will not prevent scp/sftp from using an existing multiplexing session if one had already been created. GHPR557
  * This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0".
    Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.
  * sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.
    Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection.
    It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes.
    This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session".
    Downstream distributors of OpenSSH will need to package the sshd-auth binary.
  * sshd(8): this release disables finite field (a.k.a modp) Diffie-Hellman key exchange in sshd by default.
    Specifically, this removes the "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" methods from the default KEXAlgorithms list.
    The client is unchanged and continues to support these methods by default.
    Finite field Diffie Hellman is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages.
    ECDH has been specified for the SSH protocol for 15 years and some form of ECDH has been the default key exchange in OpenSSH for the last 14 years.
  * sshd(8): this release removes the implicit fallback to compiled-in groups for Diffie-Hellman Group Exchange KEX when the moduli file exists but does not contain moduli within the client-requested range.
    The fallback behaviour remains for the case where the moduli file does not exist at all.
    This allows administrators more explicit control over which DH groups will be selected, but can lead to connection failures if the moduli file is edited incorrectly. bz#2793
  = Security
  * sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented.
    X11 forwarding is disabled by default in the server and agent forwarding is off by default in the client.
  = New features
  * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.
    This algorithm is considered to be safe against attack by quantum computers, is guaranteed to be no less strong than the popular curve25519-sha256 algorithm, has been standardised by NIST and is considerably faster than the previous default.
  * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher for the connection.
    The default cipher preference list is now Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR (128/192/256).
  * ssh(1): add %-token and environment variable expansion to the ssh_config SetEnv directive.
  * ssh(1): allow %-token and environment variable expansion in the ssh_config User directive, with the exception of %r and %C which would be self-referential. bz#3477
  * ssh(1), sshd(8): add "Match version" support to ssh_config and sshd_config.
    Allows matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*".
  * ssh(1): add support for "Match sessiontype" to ssh_config.
    Allows matching on the type of session initially requested, either "shell" for interactive sessions, "exec" for command execution sessions, "subsystem" for subsystem requests, such as sftp, or "none" for transport/forwarding-only sessions.
  * ssh(1): add support for "Match command ..." support to ssh_config, allowing matching on the remote command as specified on the command-line.
  * ssh(1): allow 'Match tagged ""' and 'Match command ""' to match empty tag and command values respectively.
  * sshd(8): allow glob(3) patterns to be used in sshd_config AuthorizedKeysFile and AuthorizedPrincipalsFile directives. bz2755
  * sshd(1): support the VersionAddendum in the client, mirroring the option of the same name in the server; bz2745
  * ssh-agent(1): the agent will now delete all loaded keys when signaled with SIGUSR1.
    This allows deletion of keys without having access to $SSH_AUTH_SOCK.
  * Portable OpenSSH, ssh-agent(1): support systemd-style socket activation in ssh-agent using the LISTEN_PID/LISTEN_FDS mechanism.
    Activated when these environment variables are set,
  ... changelog too long, skipping 116 lines ...
  * fix-nopie-flag.patch

==== openssh-askpass-gnome ====
Version update (9.9p2 -> 10.0p2)

- "Update" to openssh 10.0p2:
  * No changes for askpass, see main package changelog for details.
- Update to openssh 10.0p1:
  * No changes for askpass, see main package changelog for details.

==== orca ====
Subpackages: orca-lang

- Downgrade Wnck to Recommends. It is an optional dependency and is not used under Wayland (bsc#1241516).
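
The OpenSSH 10.0 note about software that matches versions with patterns like "OpenSSH_1*" (the libssh entry in this snapshot carries banner-parsing patches for OpenSSH >= 10.0) can be illustrated with the following added example, which is not code from OpenSSH, libssh or openSUSE. It parses the identification string numerically and contrasts that with a glob and a string comparison; the function names are hypothetical and every banner except "SSH-2.0-OpenSSH_10.0" is a constructed sample.

```python
import fnmatch
import re

# Identification string layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments
_OPENSSH_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_banner(banner):
    """Return (major, minor, portable) as ints, or None for non-OpenSSH peers."""
    m = _OPENSSH_RE.match(banner.strip())
    if m is None:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def numeric_at_least(banner, major, minor):
    """Robust check: compare integer tuples, so 10.0 sorts after 9.9."""
    version = parse_openssh_banner(banner)
    return version is not None and version[:2] >= (major, minor)


def glob_says_1x(banner):
    """Fragile check named in the release note: a glob on 'OpenSSH_1*'."""
    parts = banner.strip().split("-", 2)
    if len(parts) < 3:
        return False
    return fnmatch.fnmatchcase(parts[2], "OpenSSH_1*")


def string_at_least(banner, minimum):
    """Fragile check: compare the version text character by character."""
    m = re.search(r"OpenSSH_([0-9.]+)", banner)
    return m is not None and m.group(1) >= minimum


def misjudged(banners, major, minor):
    """Return the OpenSSH banners that either fragile check gets wrong."""
    wrong = []
    for banner in banners:
        version = parse_openssh_banner(banner)
        if version is None:
            continue  # not OpenSSH, nothing to compare
        truth = numeric_at_least(banner, major, minor)
        really_1x = version[0] == 1
        if (string_at_least(banner, f"{major}.{minor}") != truth
                or glob_says_1x(banner) != really_1x):
            wrong.append(banner)
    return wrong


SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_10.0",            # string quoted in the release note
    "SSH-2.0-OpenSSH_9.9p2",           # constructed
    "SSH-2.0-OpenSSH_8.4p1 vendor-1",  # constructed, with a trailing comment
    "SSH-1.99-OpenSSH_1.2.3",          # constructed, a 1.x release
    "SSH-2.0-dropbear_2022.83",        # constructed, not OpenSSH
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, parse_openssh_banner(b), "glob-1.x:", glob_says_1x(b))
    print("misjudged against a 9.9 minimum:", misjudged(SAMPLE_BANNERS, 9, 9))
```

Only the 10.0 banner is misjudged: the glob classes it as a 1.x release and the string comparison ranks it below 9.9.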

==== publicsuffix ====
Version update (20250407 -> 20250424)

- Update to version 20250424:
  * Add lp.dev to public_suffix_list.dat (#2391)
  * fix: autopin dependencies (#2430)
  * Run go mod tidy
  * Bump golang.org/x/net from 0.33.0 to 0.38.0 in /tools (#2438)
  * Add mmv.kr / vki.kr (#2442)
  * dev.project-study.com (#2444)
  * add `preview.site` (#2445)
  * Add `luyani.app` (#2440)
  * Add objectstorage.ch (#2439)
  * Add val.run (#2432)
  * Update public_suffix_list.dat (#2437)
  * Add seg.ar to public_suffix_list.dat (#2433)
  * Add convex.app and convex.site (#2436)
  * Add e2b.app (#2431)
  * Add *.devinapps.com (#2435)
  * Add rules for Amazon Cognito (#2366)
  * add `figma.site` (#2429)

==== python-M2Crypto ====
Version update (0.44.0 -> 0.45.1)

- Update to 0.45.1:
  - ci: switch from using sha1 to sha256.
  - ci(keys): regenerate rsa*.pem keys as well
  - fix: make the package compatible with OpenSSL >= 3.4 (don’t rely on LEGACY crypto-policies)
  - chore: package also system_shadowing directory to make builds more reliable
- Update to 0.45.0:
  - chore: preparing 0.45.0 release
  - fix(lib,ssl): rewrite ssl_accept, ssl_{read,write}_nbio for better error handling
  - fix: replace m2_PyBuffer_Release with native PyBuffer_Release
  - chore: build Windows builds with Python 3.13 as well
  - fix: remove support for Engine
  - chore: use actual license of the project
  - ci(Debian): make M2Crypto buildable on Debian (bsc#1240965)
  - swig: Workaround for reading sys/select.h ending with wrong types.
  - ci: bump required setuptools version because of change in naming strategy
  - fix: add fix for build with older GCC
  - fix: remove AnyStr and Any types

==== python-gevent ====
Version update (24.10.3 -> 25.4.2)

- Update to 25.4.2: [bsc#1241067, bsc#1241037]
  * Make gevent's queue classes subscriptable to match the standard library. See issue #2102.
  * Make the c-ares resolver build on Windows.
  * The gevent testsuite runs a copy of the test_ssl from cpython but the following change has not been ported yet:
    - gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError in ConnectionHandler [gh#python/cpython/pull/126503]
- Rebase gevent-openssl35-test-fix.patch
  - Upstream PR: [gh#gevent/gevent/pull/2103]
- Update to 25.4.1
  * Remove some legacy code that supported Python 2 for compatibility with the upcoming releases of Cython 3.1.
  * Add a new environment variable and configuration setting to control whether blocking reports are printed by the monitor thread.
  * Add initial support for Python 3.14a7.
  * Fix using gevent’s BackdoorServer with Unix sockets.
  * Do not use pywsgi in a security-conscious environment. Fix one security issue related to HTTP 100 Continue handling. See issue #2075.

==== python-h11 ====
Version update (0.14.0 -> 0.16.0)

- Update to 0.16.0:
  * Security fix (CVE-2025-43859, bsc#1241872)
    Reject certain malformed Transfer-Encoding: chunked bodies that were previously accepted.
    These could have enabled request-smuggling attacks when an h11-based HTTP server was placed behind a load balancer with a matching bug in its chunked handling.
    Advisory with more details: https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
- 0.15.0:
  * Reject Content-Lengths >= 1 zettabyte (1 billion terabytes) early, without attempting to parse the integer (#181)

==== python-httpcore ====
Version update (1.0.8 -> 1.0.9)

- Update to 1.0.9
  * Resolve https://github.com/advisories/GHSA-vqfr-h8mv-ghfj with h11 dependency update. (#1008)

==== python313 ====
Version update (3.13.2 -> 3.13.3)
Subpackages: python313-curses python313-dbm python313-tk python313-x86-64-v3

- Update to 3.13.3:
  - Tools/Demos
    - gh-131852: msgfmt no longer adds the POT-Creation-Date to generated .mo files for consistency with GNU msgfmt.
    - gh-85012: Correctly reset msgctxt when compiling messages in msgfmt.
    - gh-130025: The iOS testbed now correctly handles symlinks used as Python framework references.
  - Tests
    - gh-131050: test_ssl.test_dh_params is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman.
    - gh-129200: Multiple iOS testbed runners can now be started at the same time without introducing an ambiguity over simulator ownership.
    - gh-130292: The iOS testbed will now run successfully on a machine that has not previously run Xcode tests (such as CI configurations).
    - gh-130293: The tests of terminal colorization are no longer sensitive to the value of the TERM variable in the testing environment.
    - gh-126332: Add unit tests for pyrepl.
  - Security
    - gh-131809: Update bundled libexpat to 2.7.1
    - gh-131261: Upgrade to libexpat 2.7.0
    - gh-127371: Avoid unbounded buffering for tempfile.SpooledTemporaryFile.writelines().
      Previously, disk spillover was only checked after the lines iterator had been exhausted. This is now done after each line is written.
    - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy.
      Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded.
      But commas and other special characters in the original text could be left unencoded and unquoted.
      This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed.
  - Library
    - gh-132174: Fix function name in error message of _interpreters.run_string.
    - gh-132171: Fix crash of _interpreters.run_string on string subclasses.
    - gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN environment variable knob in subprocess to control the use of os.posix_spawn().
    - gh-132159: Do not shadow user arguments in generated __new__() by decorator warnings.deprecated. Patch by Xuehai Pan.
    - gh-132075: Fix possible use of socket address structures with uninitialized members. Now all structure members are initialized with zeroes by default.
    - gh-132002: Fix crash when deallocating contextvars.ContextVar with weird unhashable string names.
    - gh-131668: socket: Fix code parsing AF_BLUETOOTH socket addresses.
    - gh-131492: Fix a resource leak when constructing a gzip.GzipFile with a filename fails, for example when passing an invalid compresslevel.
    - gh-131325: Fix sendfile fallback implementation to drain data after writing to transport in asyncio.
    - gh-129843: Fix incorrect argument passing in warnings.warn_explicit().
    - gh-131204: Use monospace font from System Font Stack for cross-platform support in difflib.HtmlDiff.
    - gh-130940: The PyConfig.use_system_logger attribute, introduced in Python 3.13.2, has been removed.
      The introduction of this attribute inadvertently introduced an ABI breakage on macOS and iOS.
      The use of the system logger is now enabled by default on iOS, and disabled by default on macOS.
    - gh-131045: Fix issue with __contains__, values, and pseudo-members for enum.Flag.
    - gh-130959: Fix pure-Python implementation of datetime.time.fromisoformat() to reject times with spaces in fractional part (for example, 12:34:56.400 +02:00), matching the C implementation. Patch by Michał Gorny.
    - gh-130637: Add validation for numeric response data in poplib.POP3.stat() method
    - gh-130461: Remove .. index:: directives from the uuid module documentation.
      These directives previously created entries in the general index for getnode() as well as the uuid1(), uuid3(), uuid4(), and uuid5() constructor functions.
    - gh-130379: The zipapp module now calculates the list of files to be added to the archive before creating the archive.
      This avoids accidentally including the target when it is being created in the source directory.
    - gh-130285: Fix corner case for random.sample() allowing the counts parameter to specify an empty population.
      So now, sample([], 0, counts=[]) and sample('abc', k=0, counts=[0, 0, 0]) both give the same result as sample([], 0).
    - gh-130250: Fix regression in traceback.print_last().
    - gh-130230: Fix crash in pow() with only Decimal third argument.
    - gh-118761: Reverts a change in the previous release attempting to make some stdlib imports used within the subprocess module lazy as this was causing errors during
  ... changelog too long, skipping 175 lines ...
  (gh#python/cpython#132535).

==== python313-core ====
Version update (3.13.2 -> 3.13.3)
Subpackages: libpython3_13-1_0 libpython3_13-1_0-x86-64-v3 python313-base python313-base-x86-64-v3

- Update to 3.13.3:
  - Tools/Demos
    - gh-131852: msgfmt no longer adds the POT-Creation-Date to generated .mo files for consistency with GNU msgfmt.
    - gh-85012: Correctly reset msgctxt when compiling messages in msgfmt.
    - gh-130025: The iOS testbed now correctly handles symlinks used as Python framework references.
  - Tests
    - gh-131050: test_ssl.test_dh_params is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman.
    - gh-129200: Multiple iOS testbed runners can now be started at the same time without introducing an ambiguity over simulator ownership.
    - gh-130292: The iOS testbed will now run successfully on a machine that has not previously run Xcode tests (such as CI configurations).
    - gh-130293: The tests of terminal colorization are no longer sensitive to the value of the TERM variable in the testing environment.
    - gh-126332: Add unit tests for pyrepl.
  - Security
    - gh-131809: Update bundled libexpat to 2.7.1
    - gh-131261: Upgrade to libexpat 2.7.0
    - gh-127371: Avoid unbounded buffering for tempfile.SpooledTemporaryFile.writelines().
      Previously, disk spillover was only checked after the lines iterator had been exhausted. This is now done after each line is written.
    - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy.
      Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed.
  - Library
    - gh-132174: Fix function name in error message of _interpreters.run_string.
    - gh-132171: Fix crash of _interpreters.run_string on string subclasses.
    - gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN environment variable knob in subprocess to control the use of os.posix_spawn().
    - gh-132159: Do not shadow user arguments in generated __new__() by decorator warnings.deprecated. Patch by Xuehai Pan.
    - gh-132075: Fix possible use of socket address structures with uninitialized members. Now all structure members are initialized with zeroes by default.
    - gh-132002: Fix crash when deallocating contextvars.ContextVar with weird unhashable string names.
    - gh-131668: socket: Fix code parsing AF_BLUETOOTH socket addresses.
    - gh-131492: Fix a resource leak when constructing a gzip.GzipFile with a filename fails, for example when passing an invalid compresslevel.
    - gh-131325: Fix sendfile fallback implementation to drain data after writing to transport in asyncio.
    - gh-129843: Fix incorrect argument passing in warnings.warn_explicit().
    - gh-131204: Use monospace font from System Font Stack for cross-platform support in difflib.HtmlDiff.
    - gh-130940: The PyConfig.use_system_logger attribute, introduced in Python 3.13.2, has been removed. The introduction of this attribute inadvertently introduced an ABI breakage on macOS and iOS. The use of the system logger is now enabled by default on iOS, and disabled by default on macOS.
    - gh-131045: Fix issue with __contains__, values, and pseudo-members for enum.Flag.
    - gh-130959: Fix pure-Python implementation of datetime.time.fromisoformat() to reject times with spaces in fractional part (for example, 12:34:56.400 +02:00), matching the C implementation. Patch by Michał Gorny.
    - gh-130637: Add validation for numeric response data in poplib.POP3.stat() method.
    - gh-130461: Remove .. index:: directives from the uuid module documentation. These directives previously created entries in the general index for getnode() as well as the uuid1(), uuid3(), uuid4(), and uuid5() constructor functions.
    - gh-130379: The zipapp module now calculates the list of files to be added to the archive before creating the archive. This avoids accidentally including the target when it is being created in the source directory.
    - gh-130285: Fix corner case for random.sample() allowing the counts parameter to specify an empty population. So now, sample([], 0, counts=[]) and sample('abc', k=0, counts=[0, 0, 0]) both give the same result as sample([], 0).
    - gh-130250: Fix regression in traceback.print_last().
    - gh-130230: Fix crash in pow() with only Decimal third argument.
    - gh-118761: Reverts a change in the previous release attempting to make some stdlib imports used within the subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
  (gh#python/cpython#132535).

==== sane-backends ====
Subpackages: libsane1 sane-backends-autoconfig

- add c23-keywords.patch from upstream to fix gcc15 compile error

==== sdbootutil ====
Version update (1+git20250423.61ca94f -> 1+git20250425.25d659b)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20250425.25d659b:
  * get-timeout for sd-boot return unsigned value
  * jeos-firstboot-enroll: drop unused variable
  * jeos-firstboot-enroll: continue if no enrollment (bsc#1236583)
  * jeos-firstboot-enroll: hide keyctl output
  * jeos-firstboot-enroll: add title and description

==== unbound ====
Version update (1.22.0 -> 1.23.0)
Subpackages: libunbound8 unbound-anchor

- Update to 1.23.0:
  Features:
  * Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds.
  * Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.
  * For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.
  * For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
  * Add resolver.arpa and service.arpa to the default locally served zones.
  * Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second.
  * Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend.
  * Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'.
  Bug Fixes:
  * Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0.
  * Fix #1163: Typos in unbound.conf documentation.
  * Merge #1159: Stats for discard-timeout and wait-limit.
  * Add test case for #1159.
  * Some clean up for stat_values.test.
  * Merge #1170 from Melroy van den Berg, Fix chroot manpage description.
  * Merge #1157 from Liang Zhu, Fix heap corruption when calling ub_ctx_delete in Windows.
  * Fix redis so that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features.
  * Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule.
  * Fix SETEX check during Redis (re)initialization.
  * Fix for the serve expired DNSSEC information fix, it would not allow current delegation information to be updated in cache. The fix allows current delegation and validation recursion information to be updated, but as a consequence no longer has certain expired information around for later dnssec valid expired responses.
  * Fix to log redis timeout error string on failure.
  * More descriptive text for 'harden-algo-downgrade'.
  * Complete fix for max-global-quota to 200.
  * Fix #1183: the data being used is released in method nsec3_hash_test_entry.
  * Fix for #1183: release nsec3 hashes per test file.
  * Merge #1169 from Sergey Kacheev, fix: lock-free counters for auth_zone up/down queries.
  * Fix comparison to help static analyzer.
  * For #1175, update serve-expired tests.
  * Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255.
  * Merge #1197: dname_str() fixes.
  * Merge #1198: Fix log-servfail with serve expired and no useful cache contents.
  * Safeguard alias loop while looking in the cache for expired answers.
  * Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop.
  * Fix typo in log_servfail.tdir test.
  * Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion.
  * Merge #1174: Serve expired cache update fixes.
    Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic.
  * Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
  * Fix #1213: Misleading error message on default access control causing refuse.
  * Merge #1221: Consider auth zones when checking for forwarders.
  * Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN.
  * Create the quic SSL listening context only when needed.
  * Fix compile of interface check code when dnscrypt or quic is disabled.
  * Fix encoding of RR type ATMA.
  * Fix to check length in ATMA string to wire.
  * Merge #1229: check before use daemon->shm_info.
  * Use the same interface listening port discovery code for all needed protocols.
  * Port to string only when needed before getaddrinfo().
  * Do not open unencrypted channels next to encrypted ones on the same port.
  * Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set.
  * Merge #1220 from Petr Menšík, Add unbound members group access to control key.
  * Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past.
  * Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct. Consider reconfigurations when calculating the still_useful_timeout
... changelog too long, skipping 62 lines ...
  * Merge #1265: Fix WSAPoll.