Packages changed:
  GraphicsMagick
  ImageMagick (7.1.2.22 -> 7.1.2.23)
  dnsmasq (2.92 -> 2.92rel2)
  gdm
  kernel-firmware-amdgpu (20260505 -> 20260514)
  kernel-firmware-i915 (20260416 -> 20260514)
  kernel-firmware-platform (20260505 -> 20260514)
  kernel-firmware-qcom (20260505 -> 20260514)
  kernel-source (7.0.7 -> 7.0.9)
  libXi (1.8.2 -> 1.8.3)
  libopenmpt (0.8.6 -> 0.8.7)
  libpaper (2.2.7 -> 2.2.8)
  libreoffice (26.2.2.2 -> 26.2.3.2)
  libusb-1_0 (1.0.29 -> 1.0.30)
  libzypp (17.38.8 -> 17.38.9)
  memtest86+ (8.00 -> 8.10)
  ncurses (6.6.20260509 -> 6.6.20260516)
  openSUSE-release (20260519 -> 20260520)
  perl-IO-Tty (1.270.0 -> 1.290.0)
  perl-JSON (4.10 -> 4.110.0)
  perl-Net-Ident (1.25 -> 1.310.0)
  perl-XML-Parser (2.570.0 -> 2.580.0)
  postgresql18 (18.3 -> 18.4)
  python-decorator (5.2.1 -> 5.3.0)
  python-idna (3.13 -> 3.15)
  ruby-common

=== Details ===

==== GraphicsMagick ====
Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config

- added patches
  CVE-2026-42050: Stack buffer overflow in XTileImage [bsc#1265048]
  * GraphicsMagick-CVE-2026-42050.patch

==== ImageMagick ====
Version update (7.1.2.22 -> 7.1.2.23)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.2.23
  * no upstream changelog
- fixes following GH security advisories:
  * GHSA-36wm-hprc-mcf5
  * GHSA-3rvp-mpr5-qjm9
  * GHSA-4g75-9r48-jf92
  * GHSA-533m-3wf6-c33v
  * GHSA-5r4x-w6p5-222q
  * GHSA-6gxq-f64p-5w6f
  * GHSA-7gg8-qqx7-92g5
  * GHSA-88wq-x9gc-45h8
  * GHSA-jcqp-6r6f-3mfx
  * GHSA-p93h-f2jc-477j
  * GHSA-rcr6-g7jc-f57g
  * GHSA-xf64-q5rg-85g5
- modified patches
  * ImageMagick-configuration-SUSE.patch (refreshed)
  * ImageMagick_policy_etc.patch (refreshed)

==== dnsmasq ====
Version update (2.92 -> 2.92rel2)

- Update to security release 2.92rel2:
  * CVE-2026-2291, bsc#1258251: dnsmasq can be abused to record false
    cached data enabling DoS or attacker redirect.
  * CVE-2026-4890, bsc#1265001: DoS vulnerability in the DNSSEC validation.
  * CVE-2026-4891, bsc#1265002: heap-based out-of-bounds read
    vulnerability in the DNSSEC validation.
  * CVE-2026-4892, bsc#1265003: heap-based out-of-bounds write
    vulnerability in the DHCPv6 implementation.
  * CVE-2026-4893, bsc#1265004: information disclosure vulnerability in
    dnsmasq allows remote attackers to bypass source checks.
  * CVE-2026-5172, bsc#1265006: buffer overflow in dnsmasq’s
    extract_addresses() function.

==== gdm ====
Subpackages: gdm-lang gdm-schema gdm-systemd gdm-xdm-integration libgdm1 typelib-1_0-Gdm-1_0

- Drop pam_gnome_keyring from gdm-fingerprint.pamd, fix regression
  from boo#1258070.

==== kernel-firmware-amdgpu ====
Version update (20260505 -> 20260514)

- Update to version 20260514 (git commit 5b2bc2e7d14c):
  * amdgpu: rembrandt DMCUB v4.0.74.0
  * amdgpu: update SMU 14.0.3 kicker firmware
  * amdgpu: update navy flounder firmware
  * amdgpu: update SDMA 6.1.3 firmware
  * amdgpu: update PSP 14.0.5 firmware
  * amdgpu: update GC 11.5.3 firmware
  * amdgpu: update yellow carp firmware
  * amdgpu: update VCN 5.0.0 firmware
  * amdgpu: update PSP 14.0.3 firmware
  * amdgpu: update GC 12.0.1 firmware
  * amdgpu: update VPE 6.1.3 firmware
  * amdgpu: update SDMA 6.1.2 firmware
  * amdgpu: update PSP 14.0.4 firmware
  * amdgpu: update GC 11.5.2 firmware
  * amdgpu: update PSP 14.0.2 firmware
  * amdgpu: update GC 12.0.0 firmware
  * amdgpu: update sienna cichlid firmware
  * amdgpu: update VCN 3.1.2 firmware
  * amdgpu: update PSP 13.0.5 firmware
  * amdgpu: update GC 10.3.6 firmware
  * amdgpu: update VCN 4.0.4 firmware
  * amdgpu: update SDMA 6.0.2 firmware
  * amdgpu: update PSP 13.0.7 firmware
  * amdgpu: update GC 11.0.2 firmware
  * amdgpu: update navi14 firmware
  * amdgpu: update SDMA 6.0.3 firmware
  * amdgpu: update PSP 13.0.10 firmware
  * amdgpu: update GC 11.0.3 firmware
  * amdgpu: update navi12 firmware
  * amdgpu: update vangogh firmware
  * amdgpu: update navi10 firmware
  * amdgpu: update green sardine firmware
  * amdgpu: update PSP 13.0.0 kicker firmware
  * amdgpu: update VCN 4.0.0 firmware
  * amdgpu: update SDMA 6.0.0 firmware
  * amdgpu: update PSP 13.0.0 firmware
  * amdgpu: update GC 11.0.0 firmware
  * amdgpu: update SDMA 4.4.4 firmware
  * amdgpu: update VCN 5.0.1 firmware
  * amdgpu: update PSP 13.0.12 firmware
  * amdgpu: update GC 9.5.0 firmware
  * amdgpu: update SDMA 4.4.5 firmware
  * amdgpu: update PSP 13.0.14 firmware
  * amdgpu: update VPE 6.1.1 firmware
  * amdgpu: update VCN 4.0.6 firmware
  * amdgpu: update SDMA 6.1.1 firmware
  * amdgpu: update PSP 14.0.1 firmware
  * amdgpu: update GC 11.5.1 firmware
  * amdgpu: update PSP 13.0.11 firmware
  * amdgpu: update GC 11.0.4 firmware
  * amdgpu: update beige goby firmware
  * amdgpu: update VCN 4.0.3 firmware
  * amdgpu: update SDMA 4.4.2 firmware
  * amdgpu: update PSP 13.0.6 firmware
  * amdgpu: update GC 9.4.3 firmware
  * amdgpu: update VPE 6.1.0 firmware
  * amdgpu: update VCN 4.0.5 firmware
  * amdgpu: update SDMA 6.1.0 firmware
  * amdgpu: update PSP 14.0.0 firmware
  * amdgpu: update GC 11.5.0 firmware
  * amdgpu: update VCN 4.0.2 firmware
  * amdgpu: update SDMA 6.0.1 firmware
  * amdgpu: update PSP 13.0.4 firmware
  * amdgpu: update GC 11.0.1 firmware
  * amdgpu: update dimgrey cavefish firmware
  * amdgpu: update renoir firmware
  * amdgpu: update aldebaran firmware

==== kernel-firmware-i915 ====
Version update (20260416 -> 20260514)

- Update to version 20260514 (git commit 5b2bc2e7d14c):
  * xe: Update GUC to v70.65.0 for LNL, BMG, PTL

==== kernel-firmware-platform ====
Version update (20260505 -> 20260514)

- Update to version 20260514 (git commit 5b2bc2e7d14c):
  * lt*_fw.bin: move to Lontium subdir
  * linux-firmware: Add firmware for Lontium LT9611C

==== kernel-firmware-qcom ====
Version update (20260505 -> 20260514)

- Update to version 20260514 (git commit 5b2bc2e7d14c):
  * qcom: update ADSP firmware for x1e80100 platform
  * qcom: Add cdsp1r.jsn for sa8775p platform

==== kernel-source ====
Version update (7.0.7 -> 7.0.9)

- drm: Replace old pointer to new idr (git-fixes).
- commit 9b5964b
- Linux 7.0.9 (bsc#1012628).
- HID: playstation: Clamp num_touch_reports (bsc#1012628).
- HID: appletb-kbd: fix UAF in inactivity-timer cleanup path (bsc#1012628).
- HID: appletb-kbd: run inactivity autodim from workqueues (bsc#1012628).
- HID: pidff: Fix integer overflow in pidff_rescale (bsc#1012628).
- media: uvcvideo: Enable VB2_DMABUF for metadata stream (bsc#1012628).
- drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames (bsc#1012628).
- media: rzv2h-ivc: Avoid double job scheduling (bsc#1012628).
- media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 (bsc#1012628).
- media: rzv2h-ivc: Write AXIRX_PIXFMT once (bsc#1012628).
- media: rzv2h-ivc: Fix FM_STOP register write (bsc#1012628).
- media: rzv2h-ivc: Fix concurrent buffer list access (bsc#1012628).
- media: mali-c55: Initialize the ISP in enable_streams() (bsc#1012628).
- media: mali-c55: Fix Iridix bypass macros (bsc#1012628).
- media: renesas: vsp1: Fix NULL pointer deref on module unload (bsc#1012628).
- media: renesas: vin: Fix RAW8 (again) (bsc#1012628).
- media: i2c: ov8856: free control handler on error in ov8856_init_controls() (bsc#1012628).
- media: dt-bindings: rockchip,vdec: Add alternative reg-names order for RK35{76,88} (bsc#1012628).
- media: dt-bindings: rockchip,vdec: Mark reg-names required for RK35{76,88} (bsc#1012628).
- media: chips-media: wave5: fix a potential memory leak in wave5_vdi_init() (bsc#1012628).
- media: chips-media: wave5: add missing spinlock protection for send_eos_event() (bsc#1012628).
- media: chips-media: wave5: add missing spinlock protection for handle_dynamic_resolution_change() (bsc#1012628).
- arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label position (bsc#1012628).
- drm/gpusvm: Allow device pages to be mapped in mixed mappings after system pages (bsc#1012628).
- drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages (bsc#1012628).
- spi: bcm63xx: fix controller deregistration (bsc#1012628).
- spi: atmel: fix controller deregistration (bsc#1012628).
- arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux (bsc#1012628).
- staging: media: atomisp: Disallow all private IOCTLs (bsc#1012628).
- regulator: mt6357: fix OF node reference imbalance (bsc#1012628).
- spi: st-ssc4: fix controller deregistration (bsc#1012628).
- regulator: max77650: fix OF node reference imbalance (bsc#1012628).
- media: ti: vpe: Add missing v4l2_device_unregister in vip_remove() (bsc#1012628).
- media: rc: xbox_remote: heed DMA restrictions (bsc#1012628).
- media: rc: streamzap: Error handling in probe (bsc#1012628).
- media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl (bsc#1012628).
- media: i2c: imx283: Enter full standby when stopping streaming (bsc#1012628).
- regulator: bq257xx: fix OF node reference imbalance (bsc#1012628).
- regulator: rk808: fix OF node reference imbalance (bsc#1012628).
- media: videobuf2: Set vma_flags in vb2_dma_sg_mmap (bsc#1012628).
- media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads (bsc#1012628).
- media: mali-c55: Fully reset the ISP configuration (bsc#1012628).
- media: intel/ipu6: fix error pointer dereference (bsc#1012628).
- media: i2c: imx283: Fix hang when going from large to small resolution (bsc#1012628).
- regulator: act8945a: fix OF node reference imbalance (bsc#1012628).
- regulator: s2dos05: fix OF node reference imbalance (bsc#1012628).
- regulator: bd9571mwv: fix OF node reference imbalance (bsc#1012628).
- spi: lantiq-ssc: fix controller deregistration (bsc#1012628).
- spi: meson-spicc: fix controller deregistration (bsc#1012628).
- spi: qup: fix controller deregistration (bsc#1012628).
- arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO (bsc#1012628).
- spi: at91-usart: fix controller deregistration (bsc#1012628).
- media: saa7164: add ioremap return checks and cleanups (bsc#1012628).
- spi: amlogic-spisg: fix controller deregistration (bsc#1012628).
- spi: aspeed-smc: fix controller deregistration (bsc#1012628).
- drm/colorop: Preserve bypass value in duplicate_state() (bsc#1012628).
- drm/atomic: Add affected colorops with affected planes (bsc#1012628).
- platform/x86: hp-wmi: Ignore backlight and FnLock events (bsc#1012628).
- vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy (bsc#1012628).
... changelog too long, skipping 240 lines ...
- commit ce3b8c5

==== libXi ====
Version update (1.8.2 -> 1.8.3)

- Update to version 1.8.3
  * This release fixes an issue with potentially uninitialized memory
    if auxiliary events (DeviceValuatorNotify, KeyStateNotify,
    ButtonStateNotify) are received when the event they are supposed
    to follow got lost.

==== libopenmpt ====
Version update (0.8.6 -> 0.8.7)

- Update to version 0.8.7:
  * ULT: Sustain loops were stopped after a portamento.

==== libpaper ====
Version update (2.2.7 -> 2.2.8)
Subpackages: libpaper-tools libpaper2

- Update 2.2.8:
  * This release fixes a typo in the C4 envelope size, which has been
    present for a long time (since +libpaper 1). Thanks to @yegord for
    the bug report and fix.

==== libreoffice ====
Version update (26.2.2.2 -> 26.2.3.2)
Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-qt6 libreoffice-writer libreofficekit

- Update to 26.2.3.2:
  * Release notes:
    https://wiki.documentfoundation.org/Releases/26.2.3/RC1
    https://wiki.documentfoundation.org/Releases/26.2.3/RC2

==== libusb-1_0 ====
Version update (1.0.29 -> 1.0.30)

- Update to version 1.0.30
  * Add new API libusb_get_device_string() to access device strings
    without opening the device.
  * Add new API libusb_get_session_data() which returns the
    OS-specific handle.
  * Fix device removal races on non-hotplug builds.
  * Improve descriptor parsing memory safety.
  * Fix various compiler warnings, improved tests and examples.

==== libzypp ====
Version update (17.38.8 -> 17.38.9)

- Prevent configured scripts from escaping the sigcheck directory
  (bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the view
  end (fixes #735)
- version 17.38.9 (35)

==== memtest86+ ====
Version update (8.00 -> 8.10)

- Update to 8.10
  - Add support for x2APIC
  - Better support for Intel Lunar/Panther Lake
  - Better Bandwidth measurement for caches and RAM
  - Enable SIMD (SSE2) on x86_64 build
  - Fix timings on LPDDR5
  - Fix AMI BIOS boot issues due to unannounced W^X policy change
  - Fix older GRUB boot issues
  - Fix SecureBoot code & binary structure for future shim review
  - LA64-specific improvements
  - Bug fixes

==== ncurses ====
Version update (6.6.20260509 -> 6.6.20260516)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20260516
  + defer initialization of magic-cookies, which disables some
    capabilities, until the first screen update using a video
    attribute which might introduce a magic cookie (report by Frank
    Palazzolo).
  + correct buffer limit in recur_wgetnstr() (report by Daniel
    Anderson).
  + correct logic in safe_name() function of infocmp, used in -E/-e
    options (report/patch by Daniel Anderson).

==== openSUSE-release ====
Version update (20260519 -> 20260520)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== perl-IO-Tty ====
Version update (1.270.0 -> 1.290.0)

- updated to 1.290.0 (1.29)
   see /usr/share/doc/packages/perl-IO-Tty/ChangeLog
  1.29 2026-04-23 Todd Rinaldo
    Bug Fixes:
    * GH #87, PR #88 - Fix configure-time function detection probes
      being broken by compiler optimization. The probes stored function
      pointers in local variables which -O2/-Os (added to probe flags
      in PR #81) eliminated as dead stores, so the linker never saw the
      function reference.
      On systems where openpty() lives in -lutil (older glibc, BSDs),
      the probe falsely succeeded without -lutil, producing "undefined
      symbol: openpty" at runtime. Fixed by storing the function
      pointer in a file-scope global variable which the optimizer
      cannot eliminate.
    Maintenance:
    * PR #89 - Add Ubuntu LTS version matrix (20.04, 22.04, 24.04) to
      the GitHub Actions test suite. Exercises the system perl on each
      current Ubuntu LTS release via Docker containers, running after
      the main ubuntu job.
  1.28 2026-04-23 Todd Rinaldo
    Bug Fixes:
    * PR #69 - Fix make_slave_controlling_terminal() on Solaris/HP-UX
      to use _open_tty() instead of IO::Tty->open(), ensuring STREAMS
      modules (ptem, ldterm, ttcompat) are pushed via I_PUSH when the
      slave is opened for controlling terminal setup. Parallel fix to
      the slave() method fix in 1.24.
    * PR #74 - Fix Perl 5.40+ "Possible memory corruption: ioctl
      overflowed 3rd argument" warning in clone_winsize_from() and
      get_winsize(). Use pack_winsize(0,0,0,0) to pre-allocate the
      ioctl buffer with SvCUR matching sizeof(struct winsize) instead
      of an empty string.
    * PR #76, PR #79 - Fix diagnostic warnings being silently
      suppressed when callers use lexical "use warnings" (the modern
      standard since Perl 5.6). $^W and PL_dowarn only fire under
      perl -w; replaced with warnings::enabled() in IO::Tty and IO::Pty
      (PR #76) and ckWARN(WARN_IO) in Tty.xs (PR #79).
    * PR #77 - Fix file descriptor leak in IO::Pty when new_from_fd()
      fails after pty_allocate() or _open_tty() returns raw C-level
      fds. Added POSIX::close() calls on the raw fds before croaking at
      three sites in new() and slave().
    * PR #78 - Fix openpty() detection on Alpine Linux and other
      musl-based systems where openpty() has moved from libutil into
      libc (glibc 2.34+). Probe libc first before falling back to
      -lutil.
    * PR #80 - Fix -Wsign-compare compiler warnings: change namebuflen
      parameter type from int to size_t in open_slave() and
      allocate_pty() to match the return type of strlcpy() and the size
      argument of snprintf().
    * PR #81 - Fix spurious "_FORTIFY_SOURCE requires compiling with
      optimization" warnings during configure probes when
      $Config{optimize} (e.g. -Os) is separate from $Config{ccflags}.
      Include optimize flags in all configure probe compilations.
    * PR #84 - Fix header probes in Makefile.PL missing platform
      extension defines (_GNU_SOURCE, _BSD_VISIBLE, etc.) that function
      probes already included. Bare #includes could cause HAVE_PTY_H
      and similar to be unset on strict POSIX systems even when the
      header exists.
    Improvements:
    * PR #86 - Use L<> instead of C<> for cross-module POD references
      in Tty.pm and Pty.pm so MetaCPAN renders IO::Pty, IO::Handle, and
      IO::Stty as clickable links.
    Maintenance:
    * PR #70 - Modernize POD in Tty.pm and Pty.pm: remove stale
      platform version references (FreeBSD 4.4, OpenBSD 2.8, HPUX
      10.20, Solaris 2.6), replace defunct SourceForge/mailing list
      URLs with GitHub issue tracker.
    * PR #73 - Modernize the try example script: add strict/warnings,
      my declarations, 3-arg open, and lexical filehandles. The script
      is shipped to CPAN and referenced in POD as the canonical usage
      example.
    * PR #75 - Strengthen test coverage for set_raw() and winsize:
      verify all termios flags set by cfmakeraw (iflag, oflag, PARENB,
      CSIZE, CS8, VMIN, VTIME) and add a test for the unpack_winsize()
      length-validation croak.
    * PR #85 - Update GitHub Actions to Node.js 24 versions:
      actions/checkout v6, cross-platform-actions/action v1,
      perl-actions/install-with-cpm v2. Required before GitHub forces
      Node.js 24 in June 2026.

==== perl-JSON ====
Version update (4.10 -> 4.110.0)

- updated to 4.110.0 (4.11)
   see /usr/share/doc/packages/perl-JSON/Changes
  4.11 2026-03-22
    - updated backportPP with JSON::PP 4.18

==== perl-Net-Ident ====
Version update (1.25 -> 1.310.0)

- updated to 1.310.0 (1.31)
   see /usr/share/doc/packages/perl-Net-Ident/Changes
  1.31 2026-04-02
    [Improvements]
    - PR #43 - Add functional tests for lookupFromInAddr() and lookup()
      covering scalar/list context, error propagation, unreachable
      remotes, bad filehandles, and the ident_lookup alias
    - PR #44 - Add timeout behavior tests for query() and ready()
      covering expired timeouts, select() timeout, partial data
      accumulation, timeout propagation through username(), and
      non-blocking ready()
    [Maintenance]
    - PR #38 - Add missing patterns to MANIFEST.SKIP (blib/,
      pm_to_blib, Makefile.old, dist directories, .tar.gz files)
    - PR #39 - Add AI policy (AI_POLICY.md) and link from README
    - PR #40 - Remove dead Apache/mod_perl infrastructure from
      Makefile.PL, reducing it from 660 lines to 44
    - PR #41 - Clean up POD warnings and remove dead compat-mode
      markers
    - PR #42 - Remove stale INSTALL file and fix MANIFEST inconsistency
  1.29 2026-03-24
    [Improvements]
    - PR #36 - Add constructor tests for new() and _passfh resolution
      covering glob ref, string, qualified name, FileHandle,
      error-state objects, newFromInAddr, and connected socket without
      identd
    [Maintenance]
    - PR #35 - Regenerate README.md from current POD to pick up badge,
      example code, and typo fixes
    - PR #37 - Fix .gitignore to match all dist directories, not just
      0.x
  1.28 2026-03-22
    [Bug Fixes]
    - GH #26, PR #33 - Handle ECONNRESET from sysread on Windows where
      socketpair emulation sends TCP RST instead of FIN on close
    - GH #28, PR #31 - Handle ESPIPE from sysread on Solaris
      socketpairs where remote close returns "Illegal seek" instead of
      EOF
    - GH #29, PR #30 - Add use 5.010 to remaining test files for Perl
      5.8.x defense in depth
    [Maintenance]
    - PR #25 - Add use 5.010 to Makefile.PL for
      clean failure on old perls
    - PR #34 - Sync cpanfile and PREREQ_PM with actual dependencies:
      remove unused Fcntl and Config, add missing Errno
  1.27 2026-03-20
    [Bug Fixes]
    - GH #19, PR #23 - Remove select() exception mask checks that fail
      on Solaris
    - GH #20, PR #24 - Remove select() exception mask that fails on
      Solaris socketpair
    - GH #18, PR #22 - Add use 5.010 for clean failure on Perl < 5.10
    - GH #17, PR #21 - Make t/query.t portable to Windows
    [Improvements]
    - PR #15 - Add comprehensive tests for export hook mechanism
    [Maintenance]
    - PR #16 - Improve CPAN metadata in Makefile.PL (LICENSE,
      MIN_PERL_VERSION, TEST_REQUIRES, META spec v2)
  1.26 2026-03-18
    [Bug Fixes]
    - GH #2 - Fix compat mode
    - GH #12 - Fix sysread EOF in ready() to prevent infinite loop
    - GH #9 - Fix unreachable elsif in ready() that broke repeated
      calls
    - GH #10 - Fix SUPER::export_fail to use method call so class is
      passed correctly
    - GH #11 - Fix newFromInAddr state inconsistency
    [Improvements]
    - GH #14 - Replace string eval with blocking(0) for non-blocking
      sockets
    - GH #8 - Add unit tests for RFC1413 response parsing
    - GH #13 - Add comprehensive async interface tests
    - GH #10 - Modernize tests from hand-rolled TAP to Test::More
    [Maintenance]
    - GH #3 - Fix Makefile.PL bugs, fix pod typos
    - GH #11 - Fix POD example and typos
    - GH #7 - Modernize CI: consolidate workflows, fix deprecated
      Docker images
    - GH #4 - Update repository URLs to reflect new cpan-authors
      location

==== perl-XML-Parser ====
Version update (2.570.0 -> 2.580.0)

- updated to 2.580.0 (2.58)
   see /usr/share/doc/packages/perl-XML-Parser/Changes
  2.58 2026-04-23 (by Todd Rinaldo)
    Fixes:
    - PR #260 Prevent element-name SV leak when Start or End handlers
      die: wrap the call_sv in ENTER/SAVEFREESV/LEAVE so an exception
      thrown from a handler no longer leaks one SV per call.
      Audited all 19 XS callbacks — startElement and endElement were
      the only ones with non-mortal SVs across a call_sv boundary
    - PR #259 Add NULL check for GvIOp in XML_Do_External_Parse to
      prevent a segfault when an ExternEnt handler returns an unopened
      filehandle. GvIOp returns NULL for a glob that has never been
      opened; both call sites previously passed the NULL straight to
      newRV_inc
    - PR #258 Release the parser when an Init or Final handler dies.
      The release() call used to be skipped on exception, leaving a
      circular reference through self_sv so DESTROY never ran and the
      parser leaked permanently
    - PR #257 Free doctype_sysid during normal parser teardown and NULL
      self_sv after release. Every parse of a document with a
      declaration previously leaked the system-id string on the
      non-error path (free_cbv already freed it on the error path)
    - PR #255 Use bare return instead of "return undef" in
      ContentModel::children() and expand_ns_prefix(). "return undef"
      in list context produces (undef) — a one-element list — which
      silently broke callers checking @result for emptiness
    - PR #246 Use three-argument open in file_ext_ent_handler so that
      pipe characters and IO-mode prefixes in external-entity SYSTEM
      identifiers can never be interpreted by Perl's two-argument open.
      The existing regex check is now defense-in-depth rather than the
      sole protection
    - PR #242 Add NULL-after-allocation checks with cascading cleanup
      to the three New() calls in LoadEncoding, consistent with the
      pattern established for XML_ParserCreate_MM in PR #204
    Improvements:
    - PR #267 Address CPANTS Kwalitee issues: add =head1 LICENSE to
      Parser.pm, add use warnings to Expat.pm, add provides to
      META_MERGE (using MM->parse_version() to avoid hardcoding), and
      add SECURITY.md and CONTRIBUTING.md
    - PR #265 Fix Doctype handler Internal parameter documentation in
      Parser.pm — the XS code pushes PL_sv_yes/PL_sv_no (a boolean
      indicating whether an internal subset exists), not the subset
      string the POD claimed.
      Also correct the DoctypeFin parameter label from (Parser) to
      (Expat) and a minor Expat.pm POD typo
    - PR #264 Add use strict and use warnings to Makefile.PL and
      Expat/Makefile.PL, and convert $expat_libpath / $expat_incpath
      from bare globals to lexicals
    - PR #262 Modernize META resources to CPAN Meta spec v2 —
      structured bugtracker and repository entries so MetaCPAN and CPAN
      tooling can extract richer information (separate git URL, web
      URL, and tracker type)
    - PR #256 Add use warnings to Parser.pm and all five Style modules.
      Expat.pm is intentionally excluded and already documents why (it
      uses int() on strings in namespace methods)
    - PR #254 Improve const-correctness in Expat.xs: propagate
      const char * through newUTF8SVpv, newUTF8SVpvn, and append_error,
      and drop 30+ now-unnecessary (char *) casts. No functional
      change — identical generated code
    - PR #251 Add a Codecov coverage badge to README.md alongside the
      existing CI badge
    - PR #250 Document the Codecov coverage integration in CLAUDE.md,
      including the two flags (perl via Devel::Cover, xs via gcov/lcov)
      and a link to the dashboard
    - PR #247 Add a Devel::Cover code-coverage CI job that measures
      both Perl and XS/C coverage (via gcc --coverage + lcov) and
      uploads to Codecov with separate perl/xs flags
    - PR #241 Add a SECURITY section to Parser.pm POD documenting the
      BillionLaughsAttackProtection*, AllocTracker*, and
      ReparseDeferralEnabled options, with cross-references from the
      new() option list
    Maintenance:
    - PR #266 Add 22 tests in t/expat_guards.t covering Expat.pm input
      validation (setHandlers type/arity checks), parse-state guards,
      and reference-exception preservation
    - PR #263 Upgrade cross-platform-actions from v0.32 to v1 in the
      BSD (FreeBSD, OpenBSD, NetBSD) CI jobs
    - PR #261 Add 4 missing test files to MANIFEST via make manifest
      and extend MANIFEST.SKIP with standard exclusions for build
      artifacts (blib/, *.o, *.so, *.bs, *.c, cover_db/, .DS_Store,
      Makefile.old) so future regenerations stay clean
    - PR #253 Add missing use strict and use warnings to 9 test files
      so the whole suite is consistent, and fix an undeclared $parser
      in t/file.t surfaced by the new strictures
    - PR #252 Upgrade actions/checkout from v4 to v6 in the release
      workflow (the testsuite workflow was already upgraded)
    - PR #249 Add t/expat_xs_coverage.t with 26 tests targeting
      previously-uncovered paths in Expat.xs (93% → 95% line coverage),
      focused on skip_until suspend/resume, namespace cleanup in
      finish(), and external-entity edge cases
    - PR #248 Add t/coverage_gaps.t with 31 tests for previously
      uncovered Perl code paths identified via Devel::Cover — Debug and
      Stream style Proc/PI handlers, Expat direct parse methods,
      ContentModel MIXED asString, and security-API argument
      validation. Subroutine coverage reaches 100% across all modules
    - PR #245 Add 16 targeted Stream_Delimiter boundary tests that
      exercise the XS parse_stream delimiter detection logic directly
      with small controlled documents (t/stream.t only exercised it
      against one large sample file)
    - PR #244 Add t/parser_api.t covering the XML::Parser API surface:
      setHandlers return and croak semantics, parsefile Base
      save/restore (including on error), parser reuse, parse return
      values in scalar and list context, Init handler invocation, and
      Pkg defaulting

==== postgresql18 ====
Version update (18.3 -> 18.4)
Subpackages: libpq5 postgresql18-contrib postgresql18-llvmjit postgresql18-server

- Update to version 18.4:
  * bsc#1265172, CVE-2026-6472: ensure the user has CREATE privilege
    on the schema specified
  * bsc#1265173, CVE-2026-6473: integer overflows in memory-allocation
    calculations
  * bsc#1265174, CVE-2026-6474: Guard against malicious time zone names
  * bsc#1265175, CVE-2026-6475: Prevent path traversal in
    pg_basebackup and pg_rewind
  * bsc#1265176, CVE-2026-6476: Properly quote subscription names in
    pg_createsubscriber
  * bsc#1265177, CVE-2026-6477: Mark PQfn() as unsafe, and avoid using
    it within libpq
  * bsc#1265178, CVE-2026-6478: Use
    timing-safe string comparisons in authentication code
  * bsc#1265179, CVE-2026-6479: Prevent unbounded recursion while
    processing startup packets
  * bsc#1265180, CVE-2026-6575: Detect faulty input when restoring
    attribute MCV statistics
  * bsc#1265181, CVE-2026-6637: Prevent SQL injection and buffer
    overruns in contrib/spi
  * bsc#1265182, CVE-2026-6638: Properly quote object names in logical
    replication origin checks
  * https://www.postgresql.org/docs/release/18.4/

==== python-decorator ====
Version update (5.2.1 -> 5.3.0)

- update to 5.3.0:
  * Added official support for Python 3.14
  * Fixed a bug with "return await"
  * Moved decorator.py to a package structure
  * added a stub file (decorator/__init__.pyi)

==== python-idna ====
Version update (3.13 -> 3.15)
Subpackages: python311-idna python313-idna

- update to 3.15 (bsc#1265413, CVE-2026-45409):
  * Enforce DNS-length cap on individual labels early in
    `check_label`, short-circuiting contextual-rule processing for
    oversized input while staying compatible with UTS 46 usage.
  * Tidy core helpers: hoist bidi category sets to module-level
    frozensets (avoiding per-codepoint list construction), simplify
    length checks, and reuse the shared `_unicode_dots_re` from
    `idna.core` in the codec module.
  * Use `raise ... from err` for proper exception chaining and switch
    internal string formatting to f-strings.
  * Allow `flit_core` 4.x in the build backend.
  * Expand the ruff lint set (flake8-bugbear, flake8-simplify,
    pyupgrade, perflint) and apply the surfaced fixes; pin lint to
    Python 3.14.
  * Reference CVE-2026-45409 for the 3.14 advisory in place of the
    initial GHSA identifier.
  * Removed opportunity to process long inputs into quadratic
    time by rejecting oversize inputs up-front. Closes a bypass
    of the CVE-2024-3651 mitigation. [CVE-2026-45409]

==== ruby-common ====

- Fix shebang line patching (yeah quoting through 3 layers!)
- Have diff output so we can easily see patching worked.