Packages changed: gnome-software (49.2 -> 49.3) kernel-source (6.18.4 -> 6.18.5) libsolv (0.7.34 -> 0.7.35) libsoup libsoup2 libstorage-ng (4.5.283 -> 4.5.284) openSUSE-release (20260112 -> 20260113) polkit-default-privs (1550+20251212.3e30f11 -> 1550+20260108.4fc3a54) qemu (10.1.3 -> 10.2.0) uriparser (0.9.8 -> 1.0.0) wireplumber (0.5.12 -> 0.5.13) === Details === ==== gnome-software ==== Version update (49.2 -> 49.3) Subpackages: gnome-software-lang gnome-software-plugin-packagekit - Update to version 49.3: + Improve display of long repository names + Clarify warning about removing data when uninstalling an app + Fix minor UI issues when scrolling using gestures on a touchpad + Don’t show firmware warning on Installed Updates page + Several fixes to update history on rpm-ostree systems + Updated translations. ==== kernel-source ==== Version update (6.18.4 -> 6.18.5) - Update patches.kernel.org/6.18.1-002-jbd2-avoid-bug_on-in-jbd2_journal_get_create_a.patch (bsc#1012628 CVE-2025-68337 bsc#1255482). - Update patches.kernel.org/6.18.1-005-locking-spinlock-debug-Fix-data-race-in-do_raw.patch (bsc#1012628 CVE-2025-68336 bsc#1255481). - Update patches.kernel.org/6.18.1-009-comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_.patch (bsc#1012628 CVE-2025-68335 bsc#1255480). - Update patches.kernel.org/6.18.1-024-comedi-c6xdigio-Fix-invalid-PNP-driver-unregis.patch (bsc#1012628 CVE-2025-68332 bsc#1255483). - Update patches.kernel.org/6.18.1-028-staging-rtl8723bs-fix-stack-buffer-overflow-in.patch (bsc#1012628 CVE-2025-68255 bsc#1255395). - Update patches.kernel.org/6.18.2-006-smack-fix-bug-unprivileged-task-can-create-lab.patch (bsc#1012628 CVE-2025-68733 bsc#1255615). - Update patches.kernel.org/6.18.2-008-gpu-host1x-Fix-race-in-syncpt-alloc-free.patch (bsc#1012628 CVE-2025-68732 bsc#1255688). - Update patches.kernel.org/6.18.2-009-accel-amdxdna-Fix-an-integer-overflow-in-aie2_.patch (bsc#1012628 CVE-2025-68731 bsc#1255696). - Update patches.kernel.org/6.18.2-015-accel-ivpu-Fix-page-fault-in-ivpu_bo_unbind_al.patch (bsc#1012628 CVE-2025-68730 bsc#1255602). - Update patches.kernel.org/6.18.2-017-drm-vgem-fence-Fix-potential-deadlock-on-relea.patch (bsc#1012628 CVE-2025-68757 bsc#1255943). - Update patches.kernel.org/6.18.2-041-wifi-ath12k-Fix-MSDU-buffer-types-handling-in-.patch (bsc#1012628 CVE-2025-68729 bsc#1255692). - Update patches.kernel.org/6.18.2-057-ntfs3-fix-uninit-memory-after-failed-mi_read-i.patch (bsc#1012628 CVE-2025-68728 bsc#1255539). - Update patches.kernel.org/6.18.2-058-ntfs3-Fix-uninit-buffer-allocated-by-__getname.patch (bsc#1012628 CVE-2025-68727 bsc#1255568). - Update patches.kernel.org/6.18.2-063-crypto-aead-Fix-reqsize-handling.patch (bsc#1012628 CVE-2025-68726 bsc#1255598). - Update patches.kernel.org/6.18.2-067-bpf-Do-not-let-BPF-test-infra-emit-invalid-GSO.patch (bsc#1012628 CVE-2025-68725 bsc#1255569). - Update patches.kernel.org/6.18.2-087-crypto-asymmetric_keys-prevent-overflow-in-asy.patch (bsc#1012628 CVE-2025-68724 bsc#1255550). - Update patches.kernel.org/6.18.2-090-wifi-ath11k-fix-peer-HE-MCS-assignment.patch (bsc#1012628 CVE-2025-68380 bsc#1255580). - Update patches.kernel.org/6.18.2-129-RDMA-rxe-Fix-null-deref-on-srq-rq.queue-after-.patch (bsc#1012628 CVE-2025-68379 bsc#1255695). - Update patches.kernel.org/6.18.2-139-bpf-Fix-stackmap-overflow-check-in-__bpf_get_s.patch (bsc#1012628 CVE-2025-68378 bsc#1255614). - Update patches.kernel.org/6.18.2-151-accel-ivpu-Fix-race-condition-when-unbinding-B.patch (bsc#1012628 CVE-2025-68749 bsc#1255724). - Update patches.kernel.org/6.18.2-190-drm-panthor-Fix-UAF-race-between-device-unplug.patch (bsc#1012628 CVE-2025-68748 bsc#1255813). - Update patches.kernel.org/6.18.2-192-drm-panthor-Fix-UAF-on-kernel-BO-VA-nodes.patch (bsc#1012628 CVE-2025-68747 bsc#1255723). - Update patches.kernel.org/6.18.2-195-ns-initialize-ns_list_node-for-initial-namespa.patch (bsc#1012628 CVE-2025-68377 bsc#1255592). - Update patches.kernel.org/6.18.2-196-iommu-amd-Fix-potential-out-of-bounds-read-in-.patch (bsc#1012628 CVE-2025-68760 bsc#1255935). - Update patches.kernel.org/6.18.2-198-spi-tegra210-quad-Fix-timeout-handling.patch (bsc#1012628 CVE-2025-68746 bsc#1255722). - Update patches.kernel.org/6.18.2-206-coresight-ETR-Fix-ETR-buffer-use-after-free-is.patch (bsc#1012628 CVE-2025-68376 bsc#1255529). - Update patches.kernel.org/6.18.2-216-hfs-fix-potential-use-after-free-in-hfs_correc.patch (bsc#1012628 CVE-2025-68761 bsc#1255936). - Update patches.kernel.org/6.18.2-219-perf-x86-Fix-NULL-event-access-and-potential-P.patch (bsc#1012628 CVE-2025-68375 bsc#1255575). - Update patches.kernel.org/6.18.2-223-md-fix-rcu-protection-in-md_wakeup_thread.patch (bsc#1012628 CVE-2025-68374 bsc#1255530). - Update patches.kernel.org/6.18.2-224-md-avoid-repeated-calls-to-del_gendisk.patch (bsc#1012628 CVE-2025-68373 bsc#1255610). - Update patches.kernel.org/6.18.2-225-nbd-defer-config-put-in-recv_work.patch (bsc#1012628 CVE-2025-68372 bsc#1255537). - Update patches.kernel.org/6.18.2-227-scsi-smartpqi-Fix-device-resources-accessed-af.patch (bsc#1012628 CVE-2025-68371 bsc#1255572). - Update patches.kernel.org/6.18.2-228-staging-most-remove-broken-i2c-driver.patch (bsc#1012628 CVE-2025-68755 bsc#1255940). ... changelog too long, skipping 170 lines ... - commit 95bea31 ==== libsolv ==== Version update (0.7.34 -> 0.7.35) Subpackages: libsolv-tools-base libsolv1 ruby-solv - fixed rare crash in the handling of allowuninstall in combination with forcebest updates - new pool_satisfieddep_map feature to test if a set of packages satisfies a dependency - bump version to 0.7.35 ==== libsoup ==== Subpackages: libsoup-3_0-0 libsoup-lang typelib-1_0-Soup-3_0 - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ==== libsoup2 ==== Subpackages: libsoup-2_4-1 libsoup2-lang - Add libsoup2-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ==== libstorage-ng ==== Version update (4.5.283 -> 4.5.284) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#1047 - added support for squashfs and erofs - 4.5.284 ==== openSUSE-release ==== Version update (20260112 -> 20260113) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== polkit-default-privs ==== Version update (1550+20251212.3e30f11 -> 1550+20260108.4fc3a54) - Update to version 1550+20260108.4fc3a54: * profiles: whitelist Foomuuri actions (bsc#1254385) ==== qemu ==== Version update (10.1.3 -> 10.2.0) Subpackages: qemu-audio-spice qemu-block-curl qemu-block-nfs qemu-block-rbd qemu-chardev-spice qemu-guest-agent qemu-hw-display-qxl qemu-hw-display-virtio-gpu qemu-hw-display-virtio-gpu-pci qemu-hw-display-virtio-vga qemu-hw-usb-host qemu-hw-usb-redirect qemu-hw-usb-smartcard qemu-img qemu-ipxe qemu-ksm qemu-lang qemu-microvm qemu-pr-helper qemu-seabios qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-opengl qemu-ui-spice-app qemu-ui-spice-core qemu-vgabios qemu-vmsr-helper qemu-x86 - Build ui-sdl and audio-sdl modules as some applications (like quickemu) requires them. * [openSUSE][RPM]: add enable-sdl and enable-sdl-image flags - Update to version 10.2.0 (jsc#PED-14599) The full list of changes are available at: https://wiki.qemu.org/ChangeLog/10.2 Highlights include: * Arm - New CPU architectural features emulated: FEAT_SCTLR2, FEAT_TCR2, FEAT_CSSC, ... - The deprecated pxa CPU family has now been removed - The gdbstub now exposes the SME and SME2 registers to debuggers - virt: You can now create multiple SMMUv3 devices on the command line, to give separate PCIe roots their own IOMMU * PowerPC - Support for PowerNV11 and PPE42 CPU/Machines. - FADUMP Support for pSeries - Decodetree movement for some floating-point instructions - Firmware updates for SLOF, sam460ex u-boot * x86 - The HPET device does not take the big QEMU lock anymore. - The isapc machine can only use 3.5G memory and will warn when used with 64-bit CPUs. Also, when -cpu max is used with isapc it will pick a Pentium III CPU. - Support for a new accelerator, MSHV, which lets you create VMs from a Hyper-V guest without using nested virtualization. * VFIO - Removal of the deprecated vfio-platform, vfio-calxeda-xgmac and vfio-amd-xgbe devices * TCG Plugins - new uftrace plugin - new hooks for discontinuity events (irqs, host calls and exceptions) * Migration - Supported new cpr-exec migration mode - Supported mapped-ram on snapshot save/load - Fixed a false positive TLS warning when postcopy preempt migration is completing - Fixed source QEMU hang when a postcopy migration failed at switchover phase - Fixed a possible interrupt performance regression after migration when with VFIO-PCI devices - Fixed snapshot crash when migration capabilities were wrongly specified - Fixed COLO regression (since QEMU 10.0) * Block device backends and tools - It is now possible to open both the server and client endpoints of an NBD connection from the same process. Previously, attempting to connect QEMU as an NBD client to a socket being served by the same process would deadlock. - The block limits detected for a block backend (such as required request alignment, maximum request size etc.) are now exposed in QMP as part of the data returned by the 'query-block' and 'query-named-block-nodes' commands. The same information is displayed in 'qemu-img info' if the new option '--limits' is given. - 'stats-intervals' can now be configured in '-device' for block devices. Previously, this was only available in '-drive' (and therefore inaccessible when using '-blockdev'). * Miscellaneous - On host systems that support io_uring, QEMU's main loop is now based on io_uring, which can improve performance in some cases and will enable new features and potentially further performance improvements in the future. - The '-run-with' argument gains a new 'exit-with-parent=on' parameter which, on Linux, FreeBSD and macOS platforms, will ensure QEMU is terminated when the parent process exists. - Fixed possible memory leak on CPU hot plug / unplug - Fixed TDX regression on using hugetlbfs - Fixed guest-memfd use case on shmem - Fixed possible poweroff hang on virtio devices with iommu_platform=on * User-mode emulation - various bugfixes and added features - implement fchmodat2 syscall - support MADV_DONTDUMP and MADV_DODUMP - fix FIBMAP and FIGETBSZ ioctls - permit sendto() with NULL buf and 0 len * Guest agent - Fix truncated output handling in guest-exec status reporting - Fix 'retry_path' logic for Windows service (Windows only) - VSS: Write the hex value of the error in the log (Windows only) ==== uriparser ==== Version update (0.9.8 -> 1.0.0) - Update to 1.0.0 (bsc#1255000, CVE-2025-67899) * Fixed: [CVE-2025-67899] Protect from stack overflow during parsing by dissolving all 13 cases of recursion, both direct and indirect. The attack vector was long (or crafted) URI input. The known impact is denial of service or more. Thanks for the report to Sergey Svistunov! Thanks for in-depth review to Tim Düsterhus! (sponsored by Tideways GmbH) Thanks for C callgraph tool "egypt" (https://www.gson.org/egypt/) to Andreas Gustafsson and for "dot_find_cycles.py" to Jason Antman! * Changed: Start requiring a C99 compiler (GitHub #264, GitHub #273) * Changed: Require CMake >=3.15.0 (GitHub #270) * Fixed: Normalization of URIs with leading dot segments produced ambiguous results in the sense that a reparse after normalization would have misinterpreted path parts as a host (GitHub #262, GitHub #263, GitHub #265) Examples of affected URIs: - "scheme:/.//path1/path2" - "/.//path1/path2" - ".//path1/path2" The fix is to not remove that dot segment. Thanks to Ignace Nyamagana Butera and to Tim Düsterhus for the report! * Fixed: Insufficient pointer alignment from allocation wrappers used in the implementation of function uriCompleteMemoryManager. (GitHub #261) Thanks to Matthew Fernandez and Rolf Eike Beer for the report and review! * Fixed: Do not set `absolutePath` for empty paths when removing host Thanks for the report and pull request to Tim Düsterhus! (GitHub #275, GitHub #276) * Fixed: Documentation of functions uriCompleteMemoryManager, uriEmulateCalloc, uriEmulateReallocarray and uriTestMemoryManager (GitHub #261) * Fixed: CMake: Remake approach to static CRT with MSVC compilers Old: -DURIPARSER_MSVC_RUNTIME=/MT New: -DURIPARSER_MSVC_STATIC_CRT=ON (GitHub #270) * Fixed: Documentation: Get CMake variables list back in sync and sorted in the readme (GitHub #270) * Fixed: Various typos found by Codespell (https://github.com/codespell-project/codespell) (GitHub #259) * Added: Add a new (and recommended to use) version of uriTestMemoryManager that can challenge pointer alignment (GitHub #261) New functions: uriTestMemoryManagerEx * Improved: Increase test coverage by mutation testing Thanks for the pull request to Tim Düsterhus! (GitHub #266) * Improved: Address compiler warning -Wunused-but-set-variable (GitHub #268) * Improved: Deduplicate internal char set macros (GitHub #280) * Infrastructure: Enable stack traces from UndefinedBehaviorSanitizer in CI via environment variable UBSAN_OPTIONS (GitHub #261) * Infrastructure: Bump GoogleTest to 1.12.0 in AppVeyor CI to fix the build with CMake >=3.5 (GitHub #261) * Infrastructure: Migrate Windows CI from AppVeyor to GitHub Actions (GitHub #270) * Infrastructure: Make GitHub Actions detect and reject known typos using Codespell (https://github.com/codespell-project/codespell) (GitHub #259) * Infrastructure: Update Clang from 20 to 21 (GitHub #267) * Infrastructure: Start specifying CXX and CXXFLAGS for fuzzing CI (GitHub #268) * Infrastructure: Make CI report on test coverage using LLVM, and offer these reports for download (GitHub #32, GitHub #269) * Infrastructure: Make CI enforce clang-format clean code (GitHub #272) * Soname: 3:0:2 — see https://verbump.de/ for what these numbers do (liburiparser.so.1.2.0) Changes in 0.9.9: * Fixed: Dissolve undefined behavior in parsing of URIs (GitHub #252) Thanks to Tim Düsterhus for the report! * Fixed: Normalized percent-encoded octets should have uppercase letters in the host (GitHub #221, GitHub #222) Thanks to Máté Kocsis for the pull request! * Fixed: Fix documentation of uriEscape (GitHub #206, GitHub #207) * Fixed: Docstring typo in ParseIpFourAddress (GitHub #254) * Fixed: Documentation: Make Mainpage.txt bypass the C preprocessor (GitHub #226, GitHub #227) * Fixed: Documentation: Migrate Doxygen from ${CPP} to ${CC} -E (GitHub #192) * Fixed: Fix macros URI_VER_SUFFIX_UNICODE and URI_VER_UNICODE (GitHub #258) Thanks to Tim Düsterhus for the report and patch! * Added: Support for copying Uri structures (GitHub #200, GitHub #230, GitHub #237, GitHub #240, GitHub #250, GitHub #251) Thanks to Máté Kocsis and to Tim Düsterhus! New functions: uriCopyUri[AW] uriCopyUriMm[AW] * Added: Add port normalization to NormalizeSyntax function (GitHub #231) * Added: Add function HasHost to the public API (GitHub #234) Thanks to Máté Kocsis for the pull request! New functions: uriHasHost[AW] * Added: Support obtaining base runtime version (GitHub #219, GitHub #258) New functions: uriBaseRuntimeVersion[AW] * Added: CMake: Add alias "uriparser::uriparser" (GitHub #197) * Added: Integrate fuzzers from google/oss-fuzz repository and improve those fuzzers on top (GitHub #209, GitHub #211, GitHub #212, GitHub #214) Thanks to @tyler92 for two of the related pull requests! * Added: Support setting individual components of a UriUri[AW] structure (GitHub #196, GitHub #249) Part of this work was commissioned by the PHP Foundation. Thanks to Máté Kocsis and Tim Düsterhus for the detailed review! ... changelog too long, skipping 64 lines ... (liburiparser.so.1.1.0) ==== wireplumber ==== Version update (0.5.12 -> 0.5.13) Subpackages: libwireplumber-0_5-0 wireplumber-lang - Update to version 0.5.13: * Additions & Enhancements: - Added internal filter graph support for audio nodes, allowing users to create audio preprocessing and postprocessing chains without exposing filters to applications, useful for software DSP (!743 (merged)) - Added new Lua Properties API that significantly improves performance by avoiding constant serialization between WpProperties and Lua tables, resulting in approximately 40% faster node linking (!757 (merged)) - Added WpIterator Lua API for more efficient parameter enumeration (!746 (merged)) - Added bash completions for wpctl command (!762 (merged)) - Added script to find suitable volume control when using role-based policy, allowing volume sliders to automatically adjust the volume of the currently active role (e.g., ringing, call, media) (!711 (merged)) - Added experimental HDMI channel detection setting to use HDMI ELD information for channel configuration (!749 (merged)) - Enhanced role-based policy to allow setting preferred target sinks for media role loopbacks via policy.role-based.preferred-target (!754 (merged)) - Enhanced Bluetooth profile autoswitch logic to be more robust and handle saved profiles correctly, including support for loopback sink nodes (!739 (merged)) - Enhanced ALSA monitor to include alsa.* device properties on nodes for rule matching (!761 (merged)) - Optimized stream node linking for common cases to reduce latency when new audio/video streams are added (!760) - Improved event dispatcher performance by using hash table registration for event hooks, eliminating performance degradation as more hooks are registered (!765 (merged)) - Increased audio headroom for VMware and VirtualBox virtual machines (!756 (merged)) - Added setting to prevent restoring "Off" profiles via session.dont-restore-off-profile property (!753 (merged)) - Added support for 128 audio channels when compiled with a recent version of PipeWire (pipewire#4995 (closed)) * Fixes: - Fixed memory leaks and issues in the modem manager module (!770 (merged), !764 (merged)) - Fixed MPRIS module incorrectly treating GHashTable as GObject (!759 (merged)) - Fixed warning messages when process files in /proc//* don't exist, particularly when processes are removed quickly (#816 (closed), !717 (merged)) - Fixed MONO audio configuration to only apply to device sink nodes, allowing multi-channel mixing in the graph (!769) - Fixed event dispatcher hook registration and removal to avoid spurious errors (!747 (merged)) - Improved logging for standard-link activation failures (!744) - Simplified event-hook interest matching for better performance (!758 (merged)) - Remove patch already included by upstream: * 0001-automute-alsa-routes.lua-Dont-register_remove-hooks-if.patch