Packages changed: ImageMagick Mesa (26.1.2 -> 26.1.3) Mesa-drivers (26.1.2 -> 26.1.3) MozillaFirefox (152.0 -> 152.0.1) amarok (3.3.2 -> 3.3.3) ffmpeg-8 (8.1.1 -> 8.1.2) freerdp (3.26.0 -> 3.27.1) gpsd iproute2 (7.0 -> 7.1) libportal (0.9.1 -> 0.10.0) libupnp (1.18.5 -> 2.0.2) liburing openSUSE-release (20260618 -> 20260619) pipewire (1.6.6 -> 1.6.7) python311 python311-core python313 python313-core selinux-policy (20260605 -> 20260618) xdg-desktop-portal (1.22.0 -> 1.22.1) === Details === ==== ImageMagick ==== Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - disable dpc support [bsc#1268117] [bsc#1268113] ==== Mesa ==== Version update (26.1.2 -> 26.1.3) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.3 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.3 ==== Mesa-drivers ==== Version update (26.1.2 -> 26.1.3) Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.3 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.3 ==== MozillaFirefox ==== Version update (152.0 -> 152.0.1) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 152.0.1 https://www.firefox.com/en-US/firefox/152.0.1/releasenotes/ * Fix frequent crashes affecting users with Intel Raptor Lake processors (bmo#2039575) ==== amarok ==== Version update (3.3.2 -> 3.3.3) - Update to 3.3.3 https://blogs.kde.org/2026/06/17/amarok-3.3.3-released/ * Restore functionality for inhibiting system suspend when music is playing * Fix restoring main window layout after restart (kde#514963) * Fix context applet height saving sometimes not working (kde#514190) * Adapt parsing in Wikipedia applet to handle some page syntax changes * Don't multiply tracks when dragging from file browser to PUD (kde#521425) - Drop gcc16.patch ==== ffmpeg-8 ==== Version update (8.1.1 -> 8.1.2) Subpackages: libavcodec62 libavfilter11 libavformat62 libavutil60 libswresample6 libswscale9 - Update to release 8.1.2 * Fix some buffer overflows, integer overflows, negative indices, off-by-one erros and double frees in various codecs, muxers and filters. ==== freerdp ==== Version update (3.26.0 -> 3.27.1) Subpackages: libfreerdp3-3 librdtk0-0 libwinpr3-3 - Update to version 3.27.1: + Bugfix/regression fix and android feature release * Fixed a regression with gateway connections * Android client RDPECAM support * Android client RAILS support + CVE fixes: * CVE-2026-55827 + Changes: * [core,utils] fix guid2str (#12898) * [client,android] Add RAIL/RemoteApp window support (#12887) * Bitmap decode (#12899) * [client,rdpecam,android] Add camera redirection support (#12894) * [tools] make the generator create more clang-format friendly code (#12900) - Update to version 3.27.0: + A major feature / bugfix / cleanup release * Password hash now uses a custom SSPI attribute on non windows systems * TLS seclevel now defaults to 2 and a minimum of TLS 1.2 is required. Client side the /tls:seclevel: and /tls:enforce: allow to override these. Server implementations can manually set these with rdpSettings::FreeRDP_TLSMinVersion and rdpSettings::FreeRDP_TlsSecLevel (See https://docs.openssl.org/3.0/man3/SSL_CTX_set_security_level/ for more details) * The RDP proxy got a fix which removed (unstable) structs from public headers. There are no known users of that (internal) API, but if you happen to be one please ping us. * Android client got some huge updates again (thank @svncibrahim) * Enhancements with Azure/Entra support: some (known but not officially documented) extensions have been added to make these connections more stable. * keyboard mapping * Allow RDPDR channel to pass additional arguments to the channel. Does not break existing behaviour but allows a channel supporting this to query the additional arguments for further use. * Fix some WinPR deprecation handling, add WITHOUT_WINPR_3x_DEPRECATED that allows building without any symbol deprecated during the stable 3 series * Some client side statistics logging API was added. By default prints a (trace) log at the end of a session, but it can be queried at any time for some connection details. + CVE fixes: * CVE-2026-55194 * CVE-2026-55193 * CVE-2026-55192 * CVE-2026-55191 * CVE-2026-55648 + Changes: * Call winpr_InitializeSSL in TestWinPRUtils/TestNTLM (#12746) * [core,codec] Fix invalid overlap check (#12753) * Improve clipboard massive files copying performance (#12743) * [crypto,certificate] Honor BIO_should_retry (#12755) * Unify PEM read routines (#12758) * Build updates (#12772) * Fix sdl3 clipboard for files (#12759) * url: replace http://www.freerdp.com (#12781) * Fuzz/analyzer fixes (#12791) * [winpr,sspi] replace password-length heuristic with explicit hash (#12782) * Claude suggestions (#12792) * Disp check fix (#12795) * [core,settings] Raise default security level (#12752) * [clang,tidy] use workflow from ZedThree (#12806) * Improve FIPS mode support (#12811) * Lots of android specific improvements (#12773, #12777, #12783, #12784, #12785, [#12786], #12787, #12788, #12807, #12812, #12815, #12818, #12819, #12820, #12822, [#12748], #12750) * [channels,audin] fix opensles error handling (#12751) * [channels,audin] fix iOS and mac backends (#12864) * [channels,cliprdr] refactor server channel (#12810) * [channels,cliprdr] reset stream after use (#12855) * [channels,drdynvc] add new PubSub events (#12760) * [channels,rail] fix client handshake response (#12780) * [channels,rdpdr] various enhancements (#12800, #12797, #12803) * [channels,rdpgfx] fix server frame command returning success on write failure (#12828) * [channels,rdpsnd] reject client audio formats with zero nChannels/nBlockAlign (server-side DoS) (#12829) * [channels,rdpsnd] skip unusable playback backend during selection (#12830) * Refactor printer queue (#12817) * [ci,freebsd] update ci (#12823, #12824, #12825) * [cmake,simd] guard CMAKE_OSX_ARCHITECTURES (#12802) * [cmake] replace find_package(GLOBAL) (#12837) * [cmake] fix use of pkg_check_module (#12838) * [winpr,input] complete japanese keyboard mapping (#12836) * winpr/input: Fix numpad mapping for japanese keyboards (#12845) * [core,gateway] validate auth blob length in rdg_process_extauth_sspi (#12856) * Restore fullscreen when maximizing a toggled fullscreen window (#12849) * Fix(wfreerdp): Refresh Windows frame after fullscreen restore (#12848) * Fix copying multiple items of the same type between xfreerdp sessions (#12834) * [core,event] add StateChanged event (#12858) * [core,nego] bound cookie tag check to remaining length (#12862) * codec stats (#12860) * Various warning fixes (#12749, #12813, #12866, #12831) * [core,client] add PubSub events (#12757) * [core,client] use correct interface pointer (#12766) * [client,rdpewa] filter UserNotify events (#12767) * [client,windows] honor /from-stdin in wfreerdp (#12821) * [client,x11] release normal keys before modifiers (#12868) * fix(client/SDL): do not treat an unrecognized mouse button as fatal (#12847) * Proxy client context (#12865) * [core,update] filter out unused/unknown (#12870) * Azure/Entra undocumented stuff and request compaction (#12872, #12871, #12770) * Various bounds checks (#12873, #12857) * Sspi separate ansi unicode (#12874) * Ci update qa (#12875) * [channels,gfx] extract remaining header length (#12876) * [cache,glyph] bound offset read to buffer length (#12881) * Expose the correlationId in settings (#12879) * [winpr,wtypes] fix WINPR_C23_ENUM_TYPE (#12882) * [server,proxy] pass ntlm hostname (#12877) ==== gpsd ==== - Rewrite the SPEC file to build, remove Python 2 building, and clean up. - Needs more work to support building via wheels. - Add update-desktop-files.patch and remove `%suse_update_desktop_file` and dependency on `update-desktop-files` package (https://en.opensuse.org/openSUSE:Update-desktop-files_deprecation). ==== iproute2 ==== Version update (7.0 -> 7.1) Subpackages: iproute2-bash-completion - Update to release 7.1 * mptcp: monitor: add JSON support * iplink: bond_slave: print actor and partner churn state * dpll: add client-side filtering for device show, pin show * dpll: add pin filtering by parent-device and parent-pin * tc: Add JSON output support to HFSC/QFQ/multiq * ss: add support for showing TCP delack timers * Remove support for hamradio protocols ==== libportal ==== Version update (0.9.1 -> 0.10.0) Subpackages: libportal-gtk3-1 libportal-gtk4-1 libportal1 typelib-1_0-Xdp-1_0 - Update to version 0.10.0: + Features: - Support directory selection in xdp_portal_open_file() - Add clipboard API and support InputCapture session persistence + Bug fixes: - Replace deprecated Gio.UnixInputStream with GioUnix.InputStream in tests - Fix a memory leak in the background API - Specify --doc-format=gi-docgen when building introspection - Use canonical property names and G_PARAM_STATIC_STRINGS for all GObject properties in inputcapture - Fix invalid free of call-related data in inputcapture - Expose libportal/settings.h header in libportal/portal.h - Fix build with Qt 6.9+ - Don't install glib-backports.h as part of public headers - Drop libportal-qt69.patch: Fixed upstream. ==== libupnp ==== Version update (1.18.5 -> 2.0.2) - Update to release 2.0.2 * Fixed Transfer-Encoding: chunked bodies bypassing the g_maxContentLength limit. * Fixed a NULL dereference in ixmlNode_compare. * Fixed a integer truncation in raw_to_int(). - Update to release 2.0.1 * miniserver: Nagle algorithm on accepted TCP sockets is now disabled. * Use poll() to support fds higher than 1024. * chore: Normalized HTTP response header names to title-case. * Added UpnpGetSsdpReqPort4/6() to query SSDP M-SEARCH source port. * Explicitly-named non-multicast interfaces in UpnpGetIfInfo are now allowed. * Now rejects oversized HTTP POST body before buffering. * Now accepts RFC 1918 cross-subnet delivery URLs in GENA subscriptions. * Removed UpnpPrintf from public API. ==== liburing ==== - disable failing tests via catch-all in SLE15, force bash ==== openSUSE-release ==== Version update (20260618 -> 20260619) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== pipewire ==== Version update (1.6.6 -> 1.6.7) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-lang pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.6.7: * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases. * Highlights - Fix a race issue where some ports would stay silent after a rate change. - Fix sync regressions between ALSA cards in some cases. - Small fixes and improvements. * PipeWire - Fix a scheduler regression where some driver nodes would not run correctly and cause sync issues. (#5210 (closed)) - Fix a race issue with suspend on samplerate changes. It can cause ports to be silent. (#3547 (closed)) * Modules - There are some locking issues in the RT portal, for now reduce the DBus timeout to something more sane. Also disable portal RT for pipewire and the pulse server. These are not usually run in a sandbox and can go directly to RTKit. - Fix potential incorrect delay in combine-stream. * SPA - Fix a regression in ALSA period_size calculations. For non-power-of-2 periods, it would in some cases round down a a power-of-2, causing a mismatch between requested and configured period_size. (#5302 (closed)) - Fix a potential segfault when removing a card because of bad ALSA api usage. (#5255 (closed)) - Emit a route param update when card properties change. Otherwise, jack port updates are not always reflected correctly. * Misc - Make sure we don't deal with uninitialized spa_dict. ==== python311 ==== Subpackages: python311-curses python311-dbm python311-x86-64-v3 - Keep unversioned Python 3 development entry points in python3-devel: python313-devel no longer provides python3-devel and no longer owns libpython3.so, python3-config, python3.pc, or python3-embed.pc. Do not package versioned GIL pkg-config files in nogil-devel. Also, fix regular expressions in rpmlintrc. - Remove macros.python3. - CVE-2026-6019: protect against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, gh#python/cpython#90309) CVE-2026-6019-Morsel-js_output.patch - CVE-2026-1502: reject CR/LF in HTTP tunnel request headers (bsc#1261969, gh#python/cpython#146211) CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch - CVE-2026-4786: fix webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, gh#python/cpython#148169) CVE-2026-4786-webbrowser-open-action.patch - CVE-2026-6100: prevent dangling pointer, which can end in the use-after-free error (bsc#1262098, gh#python/cpython#148395) CVE-2026-6100-use-after-free-decompression.patch - Add CVE-2026-3446-base64-padding.patch preventing ignoring excess Base64 data after the first padded quad (bsc#1261970, CVE-2026-3446, gh#python/cpython#145264). - Rewrite structure of Python interpreter packages. `python3*` symbols should be now provided by real python3 packages and its subpackages instead of the virtual provides (bsc#1258364). ==== python311-core ==== Subpackages: libpython3_11-1_0 libpython3_11-1_0-x86-64-v3 python311-base python311-base-x86-64-v3 - Keep unversioned Python 3 development entry points in python3-devel: python313-devel no longer provides python3-devel and no longer owns libpython3.so, python3-config, python3.pc, or python3-embed.pc. Do not package versioned GIL pkg-config files in nogil-devel. Also, fix regular expressions in rpmlintrc. - Remove macros.python3. - CVE-2026-6019: protect against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, gh#python/cpython#90309) CVE-2026-6019-Morsel-js_output.patch - CVE-2026-1502: reject CR/LF in HTTP tunnel request headers (bsc#1261969, gh#python/cpython#146211) CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch - CVE-2026-4786: fix webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, gh#python/cpython#148169) CVE-2026-4786-webbrowser-open-action.patch - CVE-2026-6100: prevent dangling pointer, which can end in the use-after-free error (bsc#1262098, gh#python/cpython#148395) CVE-2026-6100-use-after-free-decompression.patch - Add CVE-2026-3446-base64-padding.patch preventing ignoring excess Base64 data after the first padded quad (bsc#1261970, CVE-2026-3446, gh#python/cpython#145264). - Rewrite structure of Python interpreter packages. `python3*` symbols should be now provided by real python3 packages and its subpackages instead of the virtual provides (bsc#1258364). ==== python313 ==== Subpackages: python313-curses python313-dbm python313-tk python313-x86-64-v3 - Add test_UDPLITE_support.patch (bsc#1263787, gh#python/cpython!149081) improving testing for the support of IPPROTO_UDPLITE, which could be not present although header files are. - Add missing BR `crypto-policies-scripts` (need for the fix of bsc#1211301). ==== python313-core ==== Subpackages: libpython3_13-1_0 libpython3_13-1_0-x86-64-v3 python313-base python313-base-x86-64-v3 python313-devel - Add test_UDPLITE_support.patch (bsc#1263787, gh#python/cpython!149081) improving testing for the support of IPPROTO_UDPLITE, which could be not present although header files are. - Add missing BR `crypto-policies-scripts` (need for the fix of bsc#1211301). ==== selinux-policy ==== Version update (20260605 -> 20260618) Subpackages: selinux-policy-targeted - Update to version 20260618: * Allow wireguard to setup DNS using dns_hatchet (bsc#1243148) * Add sysnet_mount_file() interface ==== xdg-desktop-portal ==== Version update (1.22.0 -> 1.22.1) Subpackages: xdg-desktop-portal-lang - Update to version 1.22.1: + Security fixes: - Fix a security issue which allows a malicious sandboxed applications to redirect drag-and-drop and copy-paste data to itself via a predictable key in FileTransfer.RetrieveFiles (GHSA-c5cf-79w8-pvfh) - Fix a security issue which allows a malicious sandboxed applications to gain arbitrary write access to nonexistent files outside of the sandbox via the "files" option in FileChooser.SaveFiles (GHSA-cm83-2936-gxjm) - Validate all App IDs in the Document Portal to prevent malicious applications from providing a well-crafted App ID which causes the parsing of arbitrary files on the host as Glib.KeyFiles + Enhancements: Disable PipeWire's realtime module to prevent deadlocks