Packages changed: Mesa (26.1.3 -> 26.1.4) Mesa-drivers (26.1.3 -> 26.1.4) MicroOS-release (20260703 -> 20260707) blog (2.42 -> 2.45) cloud-init dhcp (4.4.2.P1 -> 4.4.3.P1) glycin-loaders (2.1.1 -> 2.1.5) hwdata (0.408 -> 0.409) json-c (0.18 -> 0.19) kquickimageeditor6 (0.6.2 -> 0.6.2.1) libglycin (2.1.1 -> 2.1.5) libpsl (0.21.5 -> 0.22.0) libwacom (2.18.0 -> 2.19.0) lilv (0.26.4 -> 0.28.0) live-langset-data pam pam-full-src pinentry (1.3.2 -> 1.3.3) pinentry-gui (1.3.2 -> 1.3.3) python-greenlet rpm taglib (2.2.1 -> 2.3) upower (1.91.2 -> 1.91.3) vim (9.2.0725 -> 9.2.0780) === Details === ==== Mesa ==== Version update (26.1.3 -> 26.1.4) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.4 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.4 ==== Mesa-drivers ==== Version update (26.1.3 -> 26.1.4) Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.4 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.4 ==== MicroOS-release ==== Version update (20260703 -> 20260707) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== blog ==== Version update (2.42 -> 2.45) Subpackages: libblogger2 - Update to version 2.45 Fix early boot LUKS prompt on s390x and resolve memory corruptions This update addresses several critical issues in the early boot phase, especially on s390x architectures, and hardens the daemon's architecture: - Initrd/Dracut: Properly include `systemd-ask-password-blog.path` in sysinit.target.wants during the initrd phase to ensure LUKS password prompts are captured early in the zipl phase. - Systemd Units: Drop restrictive `ConditionKernelCommandLine=!plymouth.enable=0` to prevent the agent from being disabled by standard mainframe boot parameters. - Memory Corruption: Fix a critical heap corruption by renaming the conflicting `alignof()` macro to `ALIGNED_SIZEOF()` and zeroing allocated memory for `struct request` (memset) to prevent reading uninitialized pointers #5. - Kernel Command Line: Improve `parse_cmdline()` to support boolean parameters without an explicit value (e.g., `blog.silent` defaults to `blog.silent=1`). - New Features: Introduce `blog.silent` to suppress console I/O and `blog.coldboot` to explicitly trigger the early coldstart password query. - Lifecycle: Switch `KillMode=none` to `KillMode=mixed` to comply with modern systemd process lifecycle management. Fixes: gh#bitstreamout/showconsole#5 Fixes: gh#bitstreamout/showconsole#6 Fixes: bsc#1264176 - Update to version 2.44 Harden blog and use shims units to handle plymouth Disable coldstart requests via epoll Avoid handling fd twice in epoll loop - Correct latest changes of 2.43 - Update to version 2.43 Make sure that if blog is running it is identified as plymouth Latest also add conflicts to systemd-ask-password-console units in the systemd-ask-password-blog units. This should avoid conflicting password agents asking the same question in s390x. ==== cloud-init ==== - Re-add cloud-init-write-routes.patch (bsc#1267422) incorrectly dropped ==== dhcp ==== Version update (4.4.2.P1 -> 4.4.3.P1) Subpackages: dhcp-client - Update dhcrelay script and service. Due to some leftover calls to sysvinit tools the script no longer worked. Now the script is a lot leaner and only implements the sysconfig arg parsing and makes it more of a native systemd service. [bsc#1269228] - Update to version 4.4.3-P1: * Corrected reference count leak in leasequery packets (CVE-2022-2928). * Corrected memory leak in FQDN option unpacking (CVE-2022-2929). * Added OMAPI timed function calls. * Updated BIND libraries to version 9.11.36. * Added support for DHCPv4 option v6-only-preferred (RFC 8925). - Drop obsolete patches already included in version 4.4.3-P1: * dhcp-CVE-2022-2928.patch * dhcp-CVE-2022-2929.patch - Refresh patches: * 0009-dhcp-4.2.6-close-on-exec.patch * 0015-Expose-next-server-DHCPv4-option-to-dhclient-script.patch * 0016-infiniband-support.patch ==== glycin-loaders ==== Version update (2.1.1 -> 2.1.5) - Update to version 2.1.5: + Fixed: image-rs/jpeg: Support RGB for editing. There are actually images that don't use ycbcr. ==== hwdata ==== Version update (0.408 -> 0.409) - Update to version 0.409: * Update pci, usb and vendor ids ==== json-c ==== Version update (0.18 -> 0.19) - Add no-xxd.patch and bring back the full testsuite. - Name the -devel and -doc subpackages based on the SRPM and nothing else. - Drop xxd BuildRequires to break an OBS build cycle; exclude the test_json_parse_cli test (its only consumer) from %check. - Update to 0.19: New features - ----------- * Add support for Commodore Amiga and MorphOS * Allow builds with CMake 4 - sync minimum version across all CMakeLists.txt files * Update openssl command to work for newer versions of openssl. * Add support for building json-c with meson * Support MSVC in packages that use GNU Autoconf. * Add VERSIONINFO to libjson-c.dll * Make json_tokener_free(NULL) a no-op, to simplify cleanup paths. * Explicitly handle NaN values when converting to int * Set errno=RANGE in json_object_get_int/int64/uint64() when the source value can't be represented in the target type. * Make json_parse a bit more useful by adding -u (validate UTF8) and -P (specify arbitrary tokener parse flags), and read from stdin if no filename is provided. * Fix the apps/json_parse "-s" (strict) option so it actually does something, and default to non-strict. Significant changes and bug fixes - -------------------------------- * Issue #867 - also disallow control characters in keys in JSON_TOKENER_STRICT mode * Issue #875: cast to unsigned char so bytes above 0x7f aren't interpreted as negative, which was causing the strict-mode control characters check to incorrectly trigger. * Issue #881: don't allow json_tokener_new_ex() with a depth < 1 * Fix linkhash breaking -std=c89 * Fixing Cmake build when using clang-cl, avoids errors about redefining existing symbols * Fix AIX build failure - Add CMake detection for getopt.h * Fix bug involving supplemental code points that look like high surrogates * Fix runtime issue with test_util_file.c in Windows (add O_BINARY) * Fix macro WIN32_LEAN_AND_MEAN redefined * Issue #914: Fix Memory usage regression due to newlocale() on macOS * Issue #916: Fix OOM via large array index in json_pointer_set * Issue #923: Avoid stack recursion in json_object_put() * Issue #927: CVE-2026-9146 - update json_object_iterator documentation * Issue #929: CVE-2026-11322 - fix information disclosure bug in apps/json_parse (not installed by default) * Issue #930: fix locale-dependent strtod in json_object_get_double * Issue #931: deep copy values in json_patch copy op to avoid aliasing and cycles ==== kquickimageeditor6 ==== Version update (0.6.2 -> 0.6.2.1) Subpackages: kquickimageeditor6-imports libKQuickImageEditor1 - Udpate to 0.6.2.1 * Fix a crash caused by lack of ARGB32 support when built with OpenCV ==== libglycin ==== Version update (2.1.1 -> 2.1.5) - Update to version 2.1.5: + Fixed: image-rs/jpeg: Support RGB for editing. There are actually images that don't use ycbcr. ==== libpsl ==== Version update (0.21.5 -> 0.22.0) - Update to version 0.22.0: * Can now be built from the release tarball without Python * Drop an external dependency by implementing the IPv4/IPv6 address checks internally * Avoid using alloca() and improve general portability * Add support for native ICU on Windows and libcucore on Apple systems * Improve the meson and autotools builds and the installed libpsl.pc pkg-config file * Documentation improvements * No soname change (still libpsl.so.5) ==== libwacom ==== Version update (2.18.0 -> 2.19.0) Subpackages: libwacom-data libwacom9 - update to 2.19.0: * libwacom_list_styli_from_database() provides a WacomStylus list of all known styli * libwacom_database_ref() and libwacom_database_unref() to simplify callers having * libwacom_get_width_mm() and libwacom_get_height_mm() for the tablet dimensions in mm. The .tablet files switched to mm too. * New generic 3 button + eraser tool, assigned to some Huion devices by default * New devices: - Gaomon M5 V2 - HP Envy x360 15-fh0xxx - Huion Inspiroy Frego S (L310), Kamvas Pro 27 (GT2701), H610 Pro V2 - Lenovo ThinkBook 14s Yoga ITL - Wacom HID 53FD - Xencelabs Pen Display 16 ==== lilv ==== Version update (0.26.4 -> 0.28.0) - update to 0.28.0: * Add early assertions for non-null parameters in public API * Add lilv_state_get_bundle_path() * Always create state files with O_CLOEXEC on glibc >= 2.7 * Clarify relative symbolic link creation when saving state * Fix build with dynmanifest support * Fix crash when loading plugin classes on Windows * Fix potential file loss when saving state with no link directory * Fix potential iterator leaks and resulting log message flood * Fix replacing links when saving over state * Fix test build when no C++ compiler is available * Improve error handling when writing and deleting state ==== live-langset-data ==== - Add missing BR of python3-base. ==== pam ==== - Fix password comparison timing leak from pam_userdb [CVE-2026-54411], [bsc#1268290] * pam_userdb-fix-password-comparison-timing-leak.patch ==== pam-full-src ==== - Fix password comparison timing leak from pam_userdb [CVE-2026-54411], [bsc#1268290] * pam_userdb-fix-password-comparison-timing-leak.patch ==== pinentry ==== Version update (1.3.2 -> 1.3.3) - Update to 1.3.3: * gtk,curses: Add --focus=ok option to CONFIRM command. [T8315] * tty: Discard input on timeout. [rP4c72137885] * Various build fixes. ==== pinentry-gui ==== Version update (1.3.2 -> 1.3.3) - Update to 1.3.3: * gtk,curses: Add --focus=ok option to CONFIRM command. [T8315] * tty: Discard input on timeout. [rP4c72137885] * Various build fixes. ==== python-greenlet ==== ==== rpm ==== - Add Requires: (rpm-plugin-selinux if selinux-policy) - harden ndb code [bsc#1269584] [CVE-2026-44605] * new patch: ndbharden.diff - split all plugins into subpackages * this allows for an easy way to get rid of a plugin, it's also what other distributions do - make the imaevmsign plugin build in a multibuild flavor * updated patch: imaevmsignplugin.diff - rpm2archive: use size 0 for hardlinked files as bnew versions of gnu tar reject non-zero sizes [bsc#1269150] * updated patch: rpm2archive.diff - backport fix for add_sysuser macro [bsc#1269571] * updated patch: macrosin.diff - backport rpmuncompress security fix [bsc#1268747] [CVE-2026-44604] * new patch: rpmuncompress.diff - switch from rpmpgp_legacy to libpgpr * multiple bug fixes, support for v5 and v6 signatures * updated patch: pgpreleasemtime.diff - turn on imaevm file signature support and move the imaevm code that needs the libimaevm library into a plugin. Put this plugin into a new "rpm-imaevmsign" subpackage. [jsc#PED-7246] * new patch: imaevmsignplugin.diff ==== taglib ==== Version update (2.2.1 -> 2.3) - update to 2.3: * MP4: Support for chapters (Nero and QuickTime). * WAV: Support for BEXT and iXML chunks. * FLAC: Support for BEXT and iXML application blocks. * Opus: New audio property `outputGain()`. * Speed up Matroska reading by using seek head for element lookup. * Speed up Matroska writing by offering multiple write style modes. * More tolerant handling of files with oversized RIFF chunks, zero size ID3v2 * frames and Matroska chapters without edition. * Avoid wrong content-based detection as MPEG files. * Fix bitrate calculations for MPEG ADTS and MP4 ESDS. * Fix data race with multi-threaded use of `MP4::ItemFactory`. * Fix unbounded recursion in EBML/Matroska `MasterElement` and MP4 atoms. * Limit number of MP4 atoms at top level. * Fix writing too many offsets when updating MP4 stco/co64 atoms. * Fix k bounds in Shorten Rice-Golomb coding. ==== upower ==== Version update (1.91.2 -> 1.91.3) Subpackages: libupower-glib3 - Update to version 1.91.3: + Feature: up-device-battery: Prefer "Standard" over "Fast" charging + Fix: Resolve potential leaks + Fix: Potential out-of-bound access + Fix: Improve access control + Fix: Remove unused codes + Fix: Fix for Asus Battery Charge Threshold Detection - Drop 25303ba52771ee514b70fb1a5318a8313889ac31.patch: Added upstream. ==== vim ==== Version update (9.2.0725 -> 9.2.0780) Subpackages: vim-data-common vim-small - update to 9.2.0780 patch 9.2.0780: Memory leak in evalvars.c on alloc failure patch 9.2.0779: Memory leak in type_name_func() on alloc failure patch 9.2.0778: Memory Leak in compile_dict() on alloc failure patch 9.2.0777: Memory leak in add_defer() on alloc failure patch 9.2.0776: Memory leak in sign_getlist() on alloc failure patch 9.2.0775: Memory Leak in highlight_get_info() on alloc failure patch 9.2.0774: Memory leak in f_getscriptinfo() on alloc failure patch 9.2.0773: Memory leak in evalfunc.c on alloc failure patch 9.2.0772: Vim9: Null dereference inside alloc_type() patch 9.2.0771: dict_add_list() has inconsistent ownership on failure patch 9.2.0770: dict_add_dict() has inconsistent ownership on failure translation(zh_CN): Add Chinese man pages patch 9.2.0769: conversion to utf-16be using iconv is inconsistent patch 9.2.0768: legacy/vim9cmd modifiers are not exclusive patch 9.2.0767: legacy/vim9cmd modifiers do not set script version for options values patch 9.2.0766: quick_tab entries for empty letters point to the wrong index patch 9.2.0765: popup: opacity popup over a terminal is not cleared when moved patch 9.2.0764: Compiler warning about unused function translation(sr): Update Serbian translation patch 9.2.0763: tests: style issue in test_plugin_netrw runtime(xml): Update xml syntax file runtime(doc): regenerate help tags patch 9.2.0762: duplicated sub-option name check in :set completion runtime(screen): Bring the syntax up to version 5 runtime(typst): Improve ftplugin, and syntax file patch 9.2.0761: runtime(netrw): Unix: unable to open '\' file patch 9.2.0760: Compiler warning for using potentially uninitialized var patch 9.2.0759: Some code for 'autocompletedelay' is no longer needed runtime(autoload/dist): gx may use xdg-open on macOS patch 9.2.0758: pum: No opacity when background not set for Popup menu group patch 9.2.0757: tests: test_popupwin fails with zsh because of the prompt patch 9.2.0756: Session with multiple tabpages sets 'winminheight' to 0 patch 9.2.0755: 'autocomplete' behaves inconsistently when recording patch 9.2.0754: repeated completion length lookup in search_for_exact_line patch 9.2.0753: GTK GUI deferred redraw skipped on 'lazyredraw' runtime: add missing fnameescape()/shellescape() in a few runtime files patch 9.2.0752: GTK4: drag-and-drop does not support HTML patch 9.2.0751: GTK3 GUI is slow under Wayland translation(ru): Updated message files patch 9.2.0750: completion: 'autocompletedelay' deferral leaks state patch 9.2.0749: 'autocompletedelay' interferes with i_CTRL-K patch 9.2.0748: 'autocompletedelay' interferes with CTRL-G U runtime(netrw): Use consistent forward slashes patch 9.2.0747: cscope: connection leak when growing the array fails patch 9.2.0746: NULL pointer dereference in gui_photon patch 9.2.0745: Crash with truncated spellfile patch 9.2.0744: popup_atcursor() closes immediately on white space runtime(odin): Update indent script, add indent tests patch 9.2.0743: string macros silently accept a size of the wrong type runtime(vim): Fix heredoc triggering misidentifcation of Vim9 script patch 9.2.0742: filetype: SSH keys and related filetypes not recognized runtime(css): add more missing CSS properties patch 9.2.0741: complete_check() does not return TRUE for mapped input patch 9.2.0740: GTK4: scrollbar wrongly displayed patch 9.2.0739: completion: 'autocompletedelay' blocks the main loop and drops autocommands runtime: guard recommended style settings consistently patch 9.2.0738: ml_recover() may write beyond block buffer CI: Bump actions/checkout in the github-actions group across 1 directory patch 9.2.0737: tests: comment test can be improved patch 9.2.0736: potential command execution in PHP omni-completion patch 9.2.0735: [security]: arbitrary Ex command execution during C omni-completion runtime(doc): Tweak documentation style and typo patch 9.2.0734: function pointer passed to STRNCMP() instead of a length runtime(cabal): Update compiler, ftplugin, syntax, add indent script patch 9.2.0733: GTK3: GUI slow on X11 since dropping the alpha channel patch 9.2.0732: session: terminal restored using absolute columns/rows patch 9.2.0731: GTK4 GUI scrollbar size not updated when restoring a session patch 9.2.0730: GTK4 GUI tabline is not updated patch 9.2.0729: % skips parens on continued quoted lines runtime(doc): Add installer updates to version9.txt patch 9.2.0728: filetype: supertux info pattern is relative to current dir patch 9.2.0727: popup images not rendered correctly when unfocused patch 9.2.0726: filetype detect missing from completion