Packages changed: MicroOS-release (20260710 -> 20260712) busybox (1.37.0 -> 1.38.0) busybox-links (1.37.0 -> 1.38.0) chrony ethtool (7.0 -> 7.1) freetype2 (2.14.2 -> 2.14.3) grub2 gstreamer (1.28.4 -> 1.28.5) gstreamer-plugins-bad (1.28.4+24 -> 1.28.5) gstreamer-plugins-base (1.28.4 -> 1.28.5) libxml2 timezone (2026b -> 2026c) xen xrdb (1.2.2 -> 1.2.3) xset (1.2.5 -> 1.2.6) === Details === ==== MicroOS-release ==== Version update (20260710 -> 20260712) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== busybox ==== Version update (1.37.0 -> 1.38.0) - Update to version 1.38.0: * New applets: sha384sum, vmstat, ssl_server, lsblk, uuidgen * Security: Disallow path traversals in archival (CVE-2023-39810) * archival: Sanitize filenames on output to prevent control sequence attacks * ash/hush: Implement <<< here_string syntax and improve bash compatibility * libbb: Add yescrypt password hashing support * tls: Implement server-side code and support ECDHE_RSA * httpd: Add connection limits (-M), POSTDATA read timeouts, and CGI logging * telnet/telnetd: Rewrite to use generic fd polling and I/O loop * cut: Major fixes for empty delimiters, ranges, and output-delimiter support * cp: Fix 'cp -aT' overwriting symlink to directories * fdisk: Fix GPT disk size overflow and add 4K sector size support * top: Reduce flicker and show RSS instead of VIRT by default * udhcpc6: Fix potential buffer overflow * many other small fixes and optimizations - Remove patches included in the new version: * busybox-1.37.0-fix-conditional-for-sha1_process_block64_shaNI.patch * busybox-1.37.0-fix-regression-n2.patch * busybox-1.37.0-hexdump-add-tests-for-x-handle-little-big-endian-pro.patch * busybox-1.37.0-hexdump-fix-regression-for-uint16-on-big-endian-syst.patch * busybox-1.37.0-od-make-B-test-little-endian-only-add-variant-for-bi.patch * 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch * 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch * 0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch * 0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch * 0001-udhcpc6-fix-buffer-overflow.patch * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch ==== busybox-links ==== Version update (1.37.0 -> 1.38.0) Subpackages: busybox-coreutils busybox-grep busybox-gzip busybox-hostname busybox-sed busybox-xz - Adapt to busybox 1.38, new applets: sha384sum, ssl_server, vmstat, lsblk, uuidgen - Keep passwd in shadow package (it was split in shadow-pw-mgmt in the full featured version) ==== chrony ==== Subpackages: chrony-pool-openSUSE - boo#1257934: support libnettle 4.0 (chrony-libnettle4.patch). ==== ethtool ==== Version update (7.0 -> 7.1) - Update to release 7.1 * Added netlink support for RX CQE Coalescing params * netlink: module-eeprom: Add 'hex on pages on' option for page-organized hex dump * netlink: fec: Add missing newlines in FEC statistics output * ethtool: Add man page and bash completion for 'pages on|off' * ethtool: Update pause stats struct * ethtool: Add --disable-netlink to help output * qsfp: add support for newer SFF-8636 compliance codes * sfpid: add support for newer SFF-8472 compliance codes * sfpid: fix 10G Base-ER module detection - Delete bf023af442f63e16f1699128c7ce467eddc6d340.patch, d35d87fbcda97fe31df79d62277743214641892a.patch (merged) ==== freetype2 ==== Version update (2.14.2 -> 2.14.3) - update to 2.14.3 - Important bug fixes * A bunch of potential security problems have been found. All users should update. - Miscellaneous * If configuration option `TT_CONFIG_OPTION_GPOS_KERNING` is active, GPOS-based kerning could miss some value pairs (bug introduced in version 2.14.0). - Added patch: * freetype-CVE-2026-50811.patch + upstream fix for issue #1436, bsc#1271045, CVE-2026-50811: out-of-bounds read vulnerabilityin src/truetype/ttgxvar.c in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates ==== grub2 ==== Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls - Fix broken bash completion on arm64 images when the bash-completion package is not installed (bsc#1259132) * 0001-bash-completion-add-_init_completion-marker.patch ==== gstreamer ==== Version update (1.28.4 -> 1.28.5) Subpackages: libgstreamer-1_0-0 - Update to version 1.28.5: + Highlighted bugfixes: - Various security fixes and playback fixes - Fix subtitles cause green flickering with VA decoders on AMD GPUs - core: Fix sticky event raciness when pads are linked mid-push - appsrc: Uniformly handle EOS events being pushed - audio-resampler-neon fails to build for targets with neon but without thumb - avtp: Correct ptime generation from avtp timestamp - fmp4mux: Various fixes for splitting at fragment boundaries - gldownload: fix wrong DRM format negotiation causing R/B channel swap - gdkpixbufdec: Drop rank to NONE and handle resolution/format changes - gopbuffer: add support for H.266/VVC - h265decoder: Fix HEVC with alpha decoding - mp4mux: fix AC-3 template caps so muxer can accept input from ac3parse - mpegtsmux: Always assign PTS to output buffers in CBR mode - mpegtsmux: Output buffers with PCR-only bitrate-padding packets have wrong PTS - rtcpbuffer: Fix parsing of SR+SDES compound packets (regression from security fix) - rtspsrc2: Allow disabling SRTP/SRTCP encryption and SRTP authentication - tsdemux: Improve PTS rollover handling in ignore-pcr mode, fixing intermittent corruption with YouTube HLS streams - textaccumulate: output joined single buffer, add list as meta - threadshare: add ts-clocksync - webrtcsink: negotiation fixes and improvements - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - caps: fix field name leak in gst_caps_structure_simplify - info: Use a more optimized version of GST_TIME_ARGS - pads: Fix sticky event raciness when linked mid-push - typefindhelper: Drop unnecessary check for factories without a function - Use named pipes when spawning gst-ptp-helper on Windows ==== gstreamer-plugins-bad ==== Version update (1.28.4+24 -> 1.28.5) Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0 - Update to version 1.28.5: + amcviddec: Fix double-free happening when codec gets reconfigured + avtp: Correct ptime generation from avtp timestamp + ccconverter: Use truncated length when converting CEA608 raw to CEA708 CDP + curlsmtpsink: Use the correct content-type if known + d3d12: Fix command list leak + dtlsconnection: Allocate large enough buffer for the peer certificate subject DN + h264parse: Check for enough slice header data being available + h2654parse: Unset GValue in every code path + h265decoder: Fix HEVC with alpha decoding + h266parser: Avoid out-of-bounds read if too many exp slices are signalled + h266parser: Check bounds before writing to CTU entrypoint array + h266parser: Check aspect ratio index against lookup table length + h266parser: Heap-allocate parameter sets before parse to avoid stack overflow + h266parser: Use long bit skipping function for potentially large values + mpeg4videoparse: Ensure enough config data is available before extracting profile/level + mpegpsdemux: Release stream lock when seeking fails + mpegtsmux: Always assign PTS to output buffers in CBR mode + mpegtsmux: Output buffers with PCR-only bitrate-padding packets have wrong PTS + mxfdemux: fix essence track offsets array population + netsim: Fix racy test failures + pcapparse: Add missing bounds checks to ensure packets are large enough + pnmdec: Avoid overflows when calculating frame sizes + qroverlay: Fix use after free bug + rfbsrc: Use correct bpp for copying hextile data + rfbsrc: Validate framebuffer update rectangles against the framebuffer size + rtmp2: Don't retry on G_IO_ERROR_TIMED_OUT + rtmp2: Remove socket timeout after handshake completes + rtpsink: fix mutex not unlocked on invalid URI in set_property + tsdemux: YouTube HLS streams have intermittent corruption + tsdemux: Improve PTS rollover handling in ignore-pcr mode + v4l2decoder: Fix media_fd leak when video_fd open fails + va: surfacecopy: get surface's image in gst_va_surface_copy + va: VOBSUB: compositing error with VA decoder in NV12 + va: radeonsi: subtitles cause green flickering + va: radeonsi: Subtitles cause green flickering with VA decoders + videoparsers: Always clear LCEVC enhancement data when resetting frame + videoparsers: Leak of LCEVC user data + vnmdec: Avoid integer overflows when rectangle positions and sizes + vp9parser: Check that enough data is available for parsing superframe info + webrtcbin: validate remote dtls certificates + webrtcsdp: Fix inverted fingerprint existence logic ==== gstreamer-plugins-base ==== Version update (1.28.4 -> 1.28.5) Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 - Update to version 1.28.5: + appsink: Clear local sample storage when flushing + appsrc: Uniformly handle EOS events being pushed + audio-resampler-neon fails to build for targets with neon but without thumb + encoding-target: Validate that encoding profile name is UTF-8 before using it + gldownload: fix wrong DRM format negotiation causing R/B channel swap + opusdec: Don't use any channel positions for >64 channels + rtcpbuffer: Fix parsing of SR+SDES compound packets (regression from security fix) + subparse: Don't allow very small framerates for microdvd subtitles + typefind: assorted fixes for the image-rs plugin typefinding + typefindhelper: Drop unnecessary check for factories without a function + WBMP typefinding rejects a valid 1280x800 file + typefinding: detect animation on PNG (and WebP, GIF, AVIF) + typefindfunctions: remove Sun and Andrew raster format typefinders + uridecodebin3: deactivate input_item in erroneous ready->paused transition + vorbistag: Check for enough base64 data before trying to decode + xmptag: Don't allocate -1 bytes of memory if there's only a single tag + xmptag: Handle fractions with 0 denominator as invalid ==== libxml2 ==== Subpackages: libxml2-16 libxml2-tools - CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility when running in `--shell` mode (bsc#1269790) * Add patch libxml2-CVE-2026-11979.patch ==== timezone ==== Version update (2026b -> 2026c) - Update to 2026c: * Alberta moved to permanent -06 on 2026-06-18 * Morocco moves to permanent +00 on 2026-09-20 * More integer overflow bugs have been fixed in zic ==== xen ==== - Add BuildRequires for python3-base ==== xrdb ==== Version update (1.2.2 -> 1.2.3) - Update to bugfix release 1.2.3 - switch to Meson build system ==== xset ==== Version update (1.2.5 -> 1.2.6) - Update to version 1.2.6: * Switch to Meson build system. * Add GPG validation for source archives. * The new release includes bugfixes.