Packages changed: GraphicsMagick bash blog (2.45 -> 2.46) cryptsetup gstreamer-plugins-rs (1.28.4 -> 1.28.5) kernel-firmware-amdgpu (20260614 -> 20260629) kernel-firmware-bluetooth (20260618 -> 20260629) kernel-firmware-i915 (20260610 -> 20260706) kernel-firmware-iwlwifi kernel-firmware-media (20260610 -> 20260706) kernel-firmware-mediatek (20260619 -> 20260629) kernel-firmware-nvidia kernel-firmware-platform (20260610 -> 20260629) kernel-firmware-qcom (20260619 -> 20260629) kernel-firmware-realtek (20260614 -> 20260629) kernel-firmware-sound (20260618 -> 20260706) permissions (1699_20260512 -> 1699_20260707) postfix (3.11.4 -> 3.11.5) python-kiwi (10.3.3 -> 10.3.9) qemu (10.2.2 -> 11.0.2) wget wpa_supplicant === Details === ==== GraphicsMagick ==== Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config - added patches CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file [bsc#1269891] * GraphicsMagick-CVE-2026-13606.patch ==== bash ==== Subpackages: bash-lang bash-loadables bash-sh - Add workaround for msginit which ignores SOURCE_DATE_EPOCH (boo#1268542) ==== blog ==== Version update (2.45 -> 2.46) Subpackages: libblogger2 - Update to version 2.46 Implement Plymouth-compatible display-message and hide-message commands This commit adds support for the display-message and hide-message Plymouth commands, allowing external tools to print status updates directly to the boot console via blogctl. Key changes: Add MAGIC_SHOW_MSG and MAGIC_HIDE_MSG protocols to blogctl and parse the --text= argument using getopt_long_only(). Broadcast display-message payloads to all active hardware consoles via c->out() to ensure immediate visual feedback, while simultaneously logging it to /var/log/boot.log via copylog(). Add \r\n line endings to printed messages to prevent the staircase effect on serial terminals operating in raw mode. Handle hide-message as a visual no-op (replying with an ACK only) to deliberately avoid ANSI clear-screen sequences that would corrupt the output on line-based, half-duplex consoles like the s390x 3215. Update the blogctl.8 manual page to document the new commands and their specific behavior regarding screen clearing. Implement Plymouth-compatible ask-for-password and ask-question commands This commit extends blogctl to act as a lightweight, fully functional replacement for Plymouth's interactive prompt commands, allowing scripts to securely ask for passwords or questions on the system console. Key changes: Add support for ask-for-password and ask-question in blogctl. Use getopt_long_only() to robustly parse GNU-style long options (--prompt, --command, --number-of-tries, --dont-pause-progress). Offload the retry-loop and command execution (popen) entirely to the blogctl client, keeping the blogd daemon simple and secure. Fix an epoll EEXIST crash in console.c by separating the daemon's process state (asking) from the requested prompt type (ask_mode), resolving a race condition during socket handler registration. Comply strictly with the Plymouth protocol: enforce 1-byte prompt length limits, handle little-endian length headers (le32toh), and ensure null-terminated payloads via asprintf. Update the blogctl.8 manual page to document the new commands. Back to use constructor for initial seed for the process lifetime and inherited across fork() Make tty wait logic real and fix SIGHUP/inotify cleanup Better in-memory reversible obfuscation for cached passwords This is not cryptographic protection against a memory-reading attacker. It is only meant to avoid trivial/plaintext exposure in memory. Fix resource leaks and harden IPC validations This commit addresses several issues found by static code analysis, focusing on memory hygiene, file descriptor management, and robust error handling. Key changes: Fix memory and file descriptor leaks in error paths (proc.c, shm.c, tty.c) and ensure all pending coldstart requests are freed on shutdown. Harden the systemd ask-password interface by adding boundary checks for UNIX socket paths, verifying sendto payloads, and gracefully handling missing directories during early boot without fatal errors. Improve IPC protocol safety by strictly validating the MAGIC_CHROOT argument (must be an absolute path) and sending an explicit NACK on failure. Prevent stale terminal states on s390x by clearing the VMCP cache prior to parsing a new QUERY TERMINAL reply. User the --wait option of the blogctl quit command Add an --wait option specially for quit of blogctl Fix gh##7 setting blog.silent=true causes it to be non-silent Make shared library a executable Refactor daemon to use synchronous signalfd and epoll event loop This commit migrates the core architecture from traditional, asynchronous signal handling to a modern, synchronous event loop using signalfd. By integrating signal handling directly into the epoll multiplexer, we eliminate race conditions, unexpected EINTR interruptions during I/O operations, and complex reentrancy issues. Key changes: Add setup_signalfd() to block essential signals (SIGINT, SIGQUIT, SIGTERM, SIGSYS, SIGIO, SIGCHLD) globally and route them through a dedicated file descriptor monitored by epoll. Shield epoll_pwait() using a fully populated signal mask (omask) to guarantee uninterrupted I/O processing. Prevent socket handlers (MAGIC_SYS_INIT, MAGIC_CLOSE) from accidentally unblocking signals and resetting dispositions when signalfd is active. Sanitize the inherited signal mask in forked child processes (e.g., systemd password prompts on tty) by resetting it to an empty mask via sigprocmask(), ensuring agents run without restrictions. Replace the ALIGNED_SIZEOF macro with a cleaner align_up(type, boundary) macro and fix memset() sizes to correctly zero out trailing padding bytes. Update the Makefile to compile a stripped-down fallback object (signals_stripped.o compiled with -DNO_SIGNALFD) to ensure the passive libblogger.so library remains unaffected by the signalfd architecture. Some minor changes in quit and umount unit services The HVC consoles are like sclp console and can do colours as well - Silent some rpmlint warnings ==== cryptsetup ==== Subpackages: cryptsetup-doc cryptsetup-lang libcryptsetup12 - Fix for (bsc#1270254) to avoid undesired pinning of all volume keys (via the thread keyring) through the caller's credentials when the kernel opens a file. This is due to the refactoring in kernel commit a28d893eb327 ("md: port block device access to file") that accidentally causes the caller's thread keyring to be kept alive long beyond the caller's lifetime, the kernel part is tracked in (bsc#1270252). * Add keyring key type. [b6fb6fc0] * Load volume keys in intermediary keyring linked in thread keyring. [413a3dd0] * Use unique intermediary keyring name per device. [04ef07a7] * Add regression tests. [bfcb0c38, bb5e8e9f, e6573494, aa214c09] * Add upstream patches: - cryptsetup-Add-keyring-key-type.patch - cryptsetup-Load-volume-keys-in-intermediary-keyring-linked-in-t.patch - cryptsetup-Use-unique-intermediary-keyring-name-per-device.patch - cryptsetup-tests-revoke-keys-instead-unlinking-from-thread-keyr.patch - cryptsetup-tests-verify-VK-and-internal-keyring-cleanup-after-p.patch - cryptsetup-tests-refactor-keyring-helpers.patch - cryptsetup-tests-verify-intermediary-keyring-cleanup-after-cryp.patch ==== gstreamer-plugins-rs ==== Version update (1.28.4 -> 1.28.5) - Update to version 1.28.5: + fmp4mux: Various fixes for splitting at fragment boundaries + gopbuffer: add support for H.266/VVC + onvifmeta2relatiometa: fix inversion between width and height + rtprecv: fix buffer list split handling + rtspsrc2: digest authentication fixes + rtspsrc2: Allow disabling SRTP/SRTCP encryption and SRTP authentication + textaccumulate: output joined single buffer, add list as meta + threadshare: add ts-clocksync + webrtcsink: add support for h264 profile constrained-high + webrtcsink: allow change of interlace-mode in the input caps + webrtcsink: allow renegotiation if caps is missing interlace-mode + webrtcsink: fix negotiation for nvh264enc in the GLMemory case + webrtcsink: read rav1enc bitrate as i32 + webrtcsrc, webrtcsink: Fix SDP renegotiation bugs + Update dependencies ==== kernel-firmware-amdgpu ==== Version update (20260614 -> 20260629) - Update to version 20260629 (git commit 3ee099cd4a20): * amdgpu: DMCUB updates for various ASICs * amdgpu: DMCUB updates for various ASICs ==== kernel-firmware-bluetooth ==== Version update (20260618 -> 20260629) - Update to version 20260629 (git commit 3ee099cd4a20): * QCA: Update Bluetooth QCA6698 firmware to 2.1.2-00072 ==== kernel-firmware-i915 ==== Version update (20260610 -> 20260706) - Update to version 20260706 (git commit 2c35b1ed46f6): * xe: Release GuC firmware for NVL-S - Update aliases from 7.1 / 7.2-rc1 ==== kernel-firmware-iwlwifi ==== - Update aliases from 7.1 / 7.2-rc1 ==== kernel-firmware-media ==== Version update (20260610 -> 20260706) - Update to version 20260706 (git commit 2c35b1ed46f6): * qcom: vpu: add Gen2 firmware binary for Purwa ==== kernel-firmware-mediatek ==== Version update (20260619 -> 20260629) - Update to version 20260629 (git commit 3ee099cd4a20): * mediatek MT7922: update bluetooth firmware to 20260605203811 * mediatek MT7925: update bluetooth firmware to 20260605184935 * linux-firmware: update firmware for MT7925 WiFi device * linux-firmware: update firmware for MT7922 WiFi device - Update aliases ==== kernel-firmware-nvidia ==== - Update aliases from 7.1 / 7.2-rc1 ==== kernel-firmware-platform ==== Version update (20260610 -> 20260629) - Update to version 20260629 (git commit 3ee099cd4a20): * linux-firmware: Update AMD SEV firmware * nxp: add firmware for IW61x WiFi device - Update aliases ==== kernel-firmware-qcom ==== Version update (20260619 -> 20260629) - Update to version 20260629 (git commit 3ee099cd4a20): * qcom: add LPAICP firmware for shikra platform - Update aliases ==== kernel-firmware-realtek ==== Version update (20260614 -> 20260629) - Update to version 20260629 (git commit 3ee099cd4a20): * rtw89: 8852a: add TX power track R34 - Update aliases ==== kernel-firmware-sound ==== Version update (20260618 -> 20260706) - Update to version 20260706 (git commit 2c35b1ed46f6): * cirrus: cs35l56: Update firmware for the ASUS UX5406SA - Update to version 20260703 (git commit c95059a3774b): * cirrus: cs42l45: Update CS42L45 SDCA codec firmware for Dell laptops * cirrus: cs35l56: Add firmware for Cirrus Amps for a few Dell laptops - Update to version 20260629 (git commit 3ee099cd4a20): * linux-firmware: qcom: sync audioreach firmwares from v1.0.4 build * linux-firmware: Add firmware for new projects - Update aliases ==== permissions ==== Version update (1699_20260512 -> 1699_20260707) Subpackages: permctl permissions-config - Update to version 1699_20260707: * profiles: add cap_perfmon for ksystemstats6 (bsc#1262779) ==== postfix ==== Version update (3.11.4 -> 3.11.5) - update to 3.11.5 This release addresses medium-impact problems that need to be fixed as some enable remote DOS, or local memory corruption. * Bug (defect introduced: Postfix 2.7, date: 20090617): out-of-memory condition with remote input in the postscreen dummy SMTP engine. This dummy engine is used after PREGREET or DNSBL checks fail, or when "after 220" protocol checks are enabled. * Bug (defect introduced: Postfix 2.0, date: 20030619): file system DOS: with smtpd_proxy_filter enabled, the before-filter SMTP server did not enforce the message size limit for mailbox From_ lines at the beginning of a message. With smtpd_proxy_filter disabled, the file size limit was still enforced by the cleanup daemon. * Bug (defect introduced: Postfix 2.3, date: 20060611): double ldap_msgfree(resloop) call during error handling when special_result_attribute is configured. An attacker who controls the LDAP server or can play attacker-in-the-middle could corrupt heap memory. * Bug (defect introduced: Postfix 3.4, date: 20190121): missing null termination in a postlogd process that was started with an EMPTY maillog_file setting, while receiving a message from a postlog command that was started with a NON-EMPTY maillog_file setting. Under these contradicting conditions, an unprivileged attacker could cause postlogd to write null bytes to stack memory as it tokenized text outside the receive buffer, and possibly gain 'postfix' privilege. * Bug (defect introduced: Postfix 2.3, date: 20060711): one-byte heap over-write in the Milter client with soft_bounce=yes while processing a malformed SMFIR_REPLYCODE Milter response. An attacker who controls the Milter or who can play attacker-in-the-middle could corrupt heap memory. * Bug (defect introduced: Postfix 2.1, date: 20030619): SMTP server panic() in smtpd_proxy_filter when handling long mailbox From_ lines at the beginning of a message. * Bug (defect introduced: Postfix 3.1, date: 20151129): a missing return statement in the SHOWQ_CLEANUP_AND_RETURN() macro. A local user could submit a crafted message that triggered a read-after-free and panic() in the unprivileged showq daemon (which scans the mail queue for the 'postqueue -p' and 'mailq' commands). This could happen only before a message had been picked up by the pickup(8) daemon. * Bug: (defect introduced: Postfix 3.10, date: 20240925): NULL pointer read in the TLSRPT client, caused by missing STR_OR_NULL() wrappers. * Bug (defect introduced: Postfix < alpha, date: 1997): missing recursion guard while processing :include: files that directly include other :include: files in local(8) aliases or .forward files. This could result in exhausting stack space (segfault) or file handles (fatal error). This is not a global DOS; it affected at most two parallel delivery processes for the local recipient who created the condition. * Bug (defect introduced: postfix-3.11.0-RC1, date: 20251222): heap memory over-read in the cleanup daemon as it handled a milter "shutdown" reply. The over-read memory was logged after masking unprintable content. * Bug (defect introduced: Postfix 2.3, date: 20050526): limited (<= 11 byte) heap over-read in the cleanup daemon. This could be triggered by local user with a crafted queue file, but the over-read content was not disclosed and there was no other impact. * Bug (defect introduced: Postfix < alpha, date: 19971221): a signal handler in the postdrop command could call unlink() with a pathname that was already wiped and free()d, but not yet reused. * Bug (defect introduced: Postfix 3.11, date: 20260219): In the non-BerkeleyDB re-indexing server, vstream_fopen_as() ignored the uid and gid arguments and opened a database source file read-only as the 'postfix' user instead of the file owner. * Bug (defect introduced: Postfix 2.2. date: 20040829): after a RAND_bytes() call failure, do not rely on stack-based pseudo-randomness for tlsmgr seed generation, and for timing jitter of tlsmgr seed refresh intervals. * Bug (defect introduced: Postfix 2.3, date: 20060711): In the Milter client, null-terminate the SMFIR_REPLYCODE response data to exclude stale data when processing the result as a C string. * Hardening: make sure that optimizers will not delete a memset() call in myfree() that wipes memory. * Allow zero-length memory allocation requests. Many people have experience with systems that allow this, therefore it should not trigger a panic in Postfix. * Safety: added a global recursion guard in the local delivery agent. ==== python-kiwi ==== Version update (10.3.3 -> 10.3.9) - Bump version: 10.3.8 → 10.3.9 - fixed return value for get video_mode The method get_build_type_bootloader_video_mode() is expected to return "auto" if no video mode is available. However a bug in that method caused it to return a None value which should not happen. This commit fixes the condition checking. This Fixes #3023 and Fixes bsc#1271164 - Fix derived container integration test This integration test installed kiwi as part of the test. Actually using a simpler application with less dependencies increases the build time of the test and does not violate the purpose of the test. This commit just sets the joe editor as test package to install on top of the derived container. - Bump version: 10.3.7 → 10.3.8 - Add blocksize sanity check in oem dump Dumping an image file to a target requires that the I/O blocksize of the image file at creation time matches with the I/O blocksize of the target device. If this is not the case the dumped image will not be able to work on this target. Such issues are very hard to debug and therefore this commit adds a blocksize sanity check prior dumping the image to target. This Fixes bsc#1271057 - Refactor credentials handling from the cmdline When passing a repo definition on the cmdline it is possible to provide the credentials information as file name reference. Doing so deleted that file after reading which is unexpected and should not be done. This Fixes #2992 - Allow to build kis image without archiving By default the files (kernel, initrd, system) plus the metadata information (shasum, append) are all placed into a tar archive and served as one entity. In some cases this archived bundle is unwanted and users want to just handle the files individually. To allow this a new type attribute named: archive="true|false" is introduced which is evaluated for the kis type only at the moment. If set to false no tar archive is produced and the kiwi bundler handles all result files individually. In addition the documentation around the topic has been improved/corrected. This Fixes #3016 - Update documentation Fix style and layout errors - Bump version: 10.3.6 → 10.3.7 - Fix test_reading_custom_config_file unit test The test intentionally reads all available config files. As such the assertion must be specific to the file we expect among others. - Bump version: 10.3.5 → 10.3.6 - Followup fix for sha512sum support Yet another use of get_checksum_handler in the KIS builder with only a filename and not file path reference - Followup fix for sha512sum support The use of get_checksum_handler in the KIS builder was broken because the provided file did not exist at call time of the method - Fix reading of runtime config files Make sure the reading of the runtime config files in the different locations is not an exclusive procedure. According to the systemd/uapi spec both vendor(/usr) and admin(/etc) places needs to be taken into account and not only one. In addition the drop-ins directories should also be taken into account if their main file is not present. This Fixes #3014 - Add shasum_size set to 512 for fedora test builds - Fix system resize When resizing the partition table via sfdisk --relocate, the resize failed when the device was locked beforehand. In addition the resize of the actual filesystem failed the prior filesystem check if the btrfs filesystem is used. btrfs reports the free space cache to be outdated/corrupt after kiwi has resized the partition table. This is an expected condition prior resize of the filesystem and should not prevent the following resize. As such the filesystem check is not applied for btrfs prior resize. - Update settings "onlyRequired" pattern should just be mandatory, while the "plusRecommended" pattern would have default,mandatory,conditional. Also updated one integration test to apply a pattern type for a reality check on the option settings. Not sure though if it has an impact on the package selection. A small group name with some optional packages in it for testing would be nice - Add support for sha512sum Allow to select between the default shasum size 256 and 512 via a new runtime config section named: shasum This Fixes #3004 - Fix dnf5 handling for patternType attribute The patternType attribute is used to control the mandatory vs. optional installation for the concept of patterns,groups aka collections for the respective package manager. In dnf5 this is also controlled by the group_package_types option which is used now in combination with install_weak_deps. This Fixes #3008 - Fix Matrix room alias link The index page of the documentation has a broken link to the matrix room. This commit fixes it - Fix qemu-xxx requirement Do not require qemu variant packages for 32bit architectures. This Fixes bsc#1263564 Co-authored-by: Ana Guerrero - Update Rawhide test-image-live-disk Add a build variant without shim for testing the vendor directory lookup from the distro provided grub binary ... changelog too long, skipping 130 lines ... move Ubuntu integration tests to Ubuntu 26(resolut) ==== qemu ==== Version update (10.2.2 -> 11.0.2) Subpackages: qemu-audio-spice qemu-block-curl qemu-block-nfs qemu-block-rbd qemu-chardev-spice qemu-guest-agent qemu-hw-display-qxl qemu-hw-display-virtio-gpu qemu-hw-display-virtio-gpu-pci qemu-hw-display-virtio-vga qemu-hw-usb-host qemu-hw-usb-redirect qemu-hw-usb-smartcard qemu-img qemu-ksm qemu-lang qemu-microvm qemu-pr-helper qemu-seabios qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-opengl qemu-ui-spice-app qemu-ui-spice-core qemu-vgabios qemu-vmsr-helper qemu-x86 - Update to latest stable release (11.0.2) Full backport list here: https://lore.kernel.org/qemu-devel/20260627082913.181C717AB6B@think4mjt.localdomain/ Bugs and CVEs fixed: - bsc#1268794 (CVE-2026-48914) A selection of them is reported here below: linux-user: Fix AT_PHDR when program headers are relocated into their own segment hw/pci: Replace assert with bounds check and return ppc/pnv_phb3: Error out on invalid config access linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn linux-user/xtensa: save/restore FP registers across signal delivery target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays ui/sdl2: Set GL ES profile before creating initial GL context ui/sdl2: Explicitly specify EGL platform hw/9pfs: reject . and .. in Twstat rename hw/9pfs: fix abort due to illegal name with Twstat rename gdbstub: Update x86 control register bits target/i386: apply mod to immediate count of an RCL/RCR operation hw/uefi: fix parse_hexstr target/riscv: mask vxrm csrw write to the low 2 bits disas/riscv.c: fix inst_length() target/riscv/tcg: disable svnapot if satp_mode < sv39 target/riscv/cpu_helper.c: add PMA access fault target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers disas/riscv.c: add 'cbo' insns to disassembler target/riscv/csr.c: fix mstatus.UXL reserved value target/riscv/csr.c: do not allow mstatus MPV/GVA writes target/riscv/tcg: disable svpbmt if satp_mode < sv39 target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault virtio: Allow to fill a whole virtqueue in order amd_iommu: Reject non-decreasing NextLevel in fetch_pte() amd_iommu: Follow root pointer before page walk and use 1-based levels libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() tests/qtest: Add amd-iommu command buffer head wrap test amd_iommu: Update command buffer head ptr in MMIO region after wraparound amd_iommu: restrict command buffer head/tail ranges to ring size linux-user: add preadv2/preadv2 system/rtc: Fix a possible year-2038 integer overflow problem linux-user/strace: add fsmount series of syscalls linux-user: implement fsmount(2) series of syscalls fpu: Handle all rounding modes in partsN_uncanon_normal hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet qed: Don't try to flush during incoming migration iotests: test shared mmap for fuse export block/export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag to fix regression block/export/fuse: use struct fuse_init_in qcow2: Fix data loss on zero write with detect-zeroes=unmap iotests/046: Test that discard/write_zeroes wait for dependencies qcow2: Fix corruption on discard during write with COW qemu-io: Add 'aio_discard' command virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check (CVE-2026-48914) block/io: fallback to bounce buffer if BLKZEROOUT is not supported because of alignment hw/i3c: fix CMD/data FIFO depth reset values to match real silicon s390x/pci: Fix interrupt forwarding disable for interpreted devices target/s390x: Make container ids in SysIB_15x 1-based lcitool: remove Cirrus CI support gitlab: remove x64-freebsd-14-build Cirrus job gitlab: add initial MacOS 15 on gitlab runner ci: drop cirrus MacOS build tests/unit: add test-envlist covering setenv/unsetenv name matching util/envlist: fix prefix-match in envlist_unsetenv() name lookup ... - Fix bsc#1268279, bsc#1268245, bsc#1263098: * [openSUSE][RPM] spec: fix post-build-checks failure for qemu-tools (bsc#1263098) * [openSUSE][RPM] spec: fix missing unversioned ppc64 cross-compiler binaries (bsc#1268245) * ppc/spapr: Skip system reset for quiesced CPUs (bsc#1268279) - Update to latest stable release (11.0.1) Full backport list here: https://lore.kernel.org/qemu-devel/20260528061820.CEE521691A9@think4mjt.localdomain/ A selection of them is reported here below: block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock() commit: Drain nodes across all of bdrv_commit() block: Add more defaults to DEFAULT_BLOCK_CONF block: Create DEFAULT_BLOCK_CONF macro ide-test: Test reset during TRIM ide-test: Factor out wait_dma_completion() ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code ide: Minimal fix for deadlock between TRIM and drain block: Add flags parameter to blk_*_pdiscard() block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE blkdebug: Add 'delay-ns' option linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern linux-user/sh4: Fix target_ucontext tuc_link field type linux-user: Fix AT_EXECFN in AUXV for symlinked programs hw/nvme: fix admin cq msix setup target/arm/hvf: Fix WFI halting to stop idle vCPU spinning tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32 meson.build: Add -fzero-init-padding-bits=all tests/qtest/iommu-smmuv3-test: Skip if no TCG GICv3 device present ati-vga: fix ati_set_dirty address calculation hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[] aspeed/hace: Prevent total_req_len overflow aspeed/hace: Fix out-of-bounds read in has_padding() hw/misc/aspeed_sbc: Add bounds checking for OTP write operations hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies ... changelog too long, skipping 68 lines ... * [openSUSE][RPM] spec: enable passt support ==== wget ==== Subpackages: wget-lang - Fix buffer underflow in clean_metalink_link [bsc#1271033, CVE-2026-58469] * CVE-2026-58469.patch - Fix integer overflow in parse_content_range [bsc#1271034, CVE-2026-58470] * CVE-2026-58470.patch - Fix buffer size handling in filename conversion [bsc#1271035, CVE-2026-58471] * CVE-2026-58471.patch - Fix integer+buffer overflow in html_quote_string [bsc#1271036, CVE-2026-58472] * CVE-2026-58472.patch ==== wpa_supplicant ==== - Add Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch https://w1.fi/security/2026-2/ - Add SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch https://w1.fi/security/2026-3/ - Add CVE-2026-58374.patch: Missing multi-link parsing validation in wpa_supplicant and hostapd (bsc#1269892) - Add wpa_supplicant_support_pem_encoded_chain.patch: OpenSSL: Support PEM encoded chain from ca_cert blob (bsc#1258365).