Packages changed:
  MozillaFirefox (150.0.2 -> 151.0.1)
  file
  kernel-source (7.0.9 -> 7.0.10)
  libstorage-ng (4.5.326 -> 4.5.328)
  openSUSE-release (20260525 -> 20260527)
  pam (1.7.2 -> 1.7.2+git12)
  pam-full-src (1.7.2 -> 1.7.2+git12)
  patterns-base
  shim-leap
  which (2.23 -> 2.25)

=== Details ===

==== MozillaFirefox ====
Version update (150.0.2 -> 151.0.1)
Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common

- Mozilla Firefox 151.0.1
  * Fixed a crash experienced by users with Intel Raptor Lake CPUs. (bmo#1950764)
  * Fixed an issue on Windows where some websites using WebSerial to flash device firmware could fail unexpectedly. (bmo#2040754)
- Mozilla Firefox 151.0
  * https://www.firefox.com/en-US/firefox/151.0/releasenotes/
  MFSA 2026-46 (bsc#1265212)
  * CVE-2026-8945 (bmo#2003171) Sandbox escape in Firefox and Firefox Focus for Android
  * CVE-2026-8946 (bmo#2029070) Incorrect boundary conditions in the Audio/Video: Web Codecs component
  * CVE-2026-8947 (bmo#2038439) Use-after-free in the DOM: Bindings (WebIDL) component
  * CVE-2026-8948 (bmo#2038803) Same-origin policy bypass in the DOM: Networking component
  * CVE-2026-8949 (bmo#1355639) Integer overflow in the Widget: Win32 component
  * CVE-2026-8950 (bmo#1965430) Same-origin policy bypass in the Networking: HTTP component
  * CVE-2026-8951 (bmo#2018513) Spoofing issue in the Toolbar component in Firefox for Android
  * CVE-2026-8952 (bmo#2021727) Privilege escalation in the Application Update component
  * CVE-2026-8953 (bmo#2029511) Sandbox escape due to use-after-free in the Disability Access APIs component
  * CVE-2026-8954 (bmo#2030747) Incorrect boundary conditions, integer overflow in the Audio/Video component
  * CVE-2026-8955 (bmo#2031064) Privilege escalation in the DOM: Workers component
  * CVE-2026-8956 (bmo#2032427) Integer overflow in the Networking: JAR component
  * CVE-2026-8957 (bmo#2033850) Privilege escalation in the Enterprise Policies component
  * CVE-2026-8958 (bmo#2034713) Information disclosure, sandbox escape in the Security: Process Sandboxing component
  * CVE-2026-8959 (bmo#2034754) Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component
  * CVE-2026-8960 (bmo#1940116) Spoofing issue in WebExtensions
  * CVE-2026-8961 (bmo#1962625) Spoofing issue in the Form Autofill component
  * CVE-2026-8962 (bmo#2004804) Mitigation bypass in the DOM: Security component
  * CVE-2026-8963 (bmo#2021222) Spoofing issue in the Web Speech component
  * CVE-2026-8964 (bmo#2025170) Spoofing issue in the Popup Blocker component
  * CVE-2026-8965 (bmo#2025740) Information disclosure in the DOM: Security component
  * CVE-2026-8966 (bmo#2025849) Information disclosure in the IP Protection component
  * CVE-2026-8967 (bmo#2027173) Information disclosure in the Graphics: WebGPU component
  * CVE-2026-8968 (bmo#2030467) Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component
  * CVE-2026-8969 (bmo#2031123) Mitigation bypass in the DOM: Security component
  * CVE-2026-8970 (bmo#2032174) Privilege escalation in the Security component
  * CVE-2026-8971 (bmo#2032604) Same-origin policy bypass in the Networking: JAR component
  * CVE-2026-8972 (bmo#2033275) Privilege escalation in the WebRTC: Audio/Video component
  * CVE-2026-8973 (bmo#1362365, bmo#1860538, bmo#1929005, bmo#1983353, bmo#1998526, bmo#2023271, bmo#2023943, bmo#2024244, bmo#2024260, bmo#2024443, bmo#2024665, bmo#2024774, bmo#2024916, bmo#2025346, bmo#2025357, bmo#2025406, bmo#2025434, bmo#2025488, bmo#2025496, bmo#2025942, bmo#2025947, bmo#2025968, bmo#2026279, bmo#2027159, bmo#2027239, bmo#2027276, bmo#2027308, bmo#2027310, bmo#2027324, bmo#2027329, bmo#2027363, bmo#2027381, bmo#2027382, bmo#2027383, bmo#2028274, bmo#2028884, bmo#2029060, bmo#2029065, bmo#2029068, bmo#2029281, bmo#2029293, bmo#2029297, bmo#2029303, bmo#2029439, bmo#2029448, bmo#2029703, bmo#2029720, bmo#2029721, bmo#2029723, bmo#2029770, bmo#2029771, bmo#2029782, bmo#2029818, bmo#2029885, bmo#2030100, bmo#2030379, bmo#2030385, bmo#2030979, bmo#2031119, bmo#2031122, bmo#2034119, bmo#2034791, bmo#2035209, bmo#2036666, bmo#2037986) Memory safety bugs fixed in Firefox 151
  * CVE-2026-8974 (bmo#1784128, bmo#1883230, bmo#1983677, bmo#2022390, bmo#2023116, bmo#2023657, bmo#2024255, bmo#2024418, bmo#2024441, bmo#2024447, bmo#2024966, bmo#2025412, bmo#2025467, bmo#2025940, bmo#2025950, bmo#2025956, bmo#2026284, bmo#2027247, bmo#2027255, bmo#2027288, bmo#2027306, bmo#2027322, bmo#2027332, bmo#2027333, bmo#2028266, bmo#2028292, bmo#2028319, bmo#2028526, bmo#2028870, bmo#2028876, bmo#2028882, bmo#2029062, bmo#2029309, bmo#2029414, bmo#2029422, bmo#2029428, bmo#2029447, bmo#2029732, bmo#2029785, bmo#2029793, bmo#2029813, bmo#2029899, bmo#2031028, bmo#2031457, bmo#2032039, bmo#2033610, bmo#2033854, bmo#2034498, bmo#2034628, bmo#2034978, bmo#2035966, bmo#2036668, bmo#2036905, bmo#2036930) Memory safety bugs fixed in Firefox ESR 140.11 and Firefox 151
  * CVE-2026-8975 (bmo#1860195, bmo#2029325, bmo#2029429, bmo#2029910, bmo#2035915, bmo#2038669, bmo#2038678)
  ... changelog too long, skipping 5 lines ...
- removed obsolete mozilla-bmo531915.patch

==== file ====
Subpackages: file-magic libmagic1

- Add patch file-5.47-s390x.patch from upstream commit Work around an endianess problem on s390x

==== kernel-source ====
Version update (7.0.9 -> 7.0.10)

- tracing: Avoid NULL return from hist_field_name() on truncation (git-fixes).
- firmware: arm_ffa: Align RxTx buffer size before mapping (git-fixes).
- commit bb95589
- Linux 7.0.10 (bsc#1012628).
- blk-cgroup: wait for blkcg cleanup before initializing new disk (bsc#1012628).
- md: suppress spurious superblock update error message for dm-raid (bsc#1012628).
- fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START (bsc#1012628).
- fs/mbcache: cancel shrink work before destroying the cache (bsc#1012628).
- md/raid1: fix the comparing region of interval tree (bsc#1012628).
- fs: fix archiecture-specific compat_ftruncate64 (bsc#1012628).
- drbd: Balance RCU calls in drbd_adm_dump_devices() (bsc#1012628).
- loop: fix partition scan race between udev and loop_reread_partitions() (bsc#1012628).
- block: fix zones_cond memory leak on zone revalidation error paths (bsc#1012628).
- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() (bsc#1012628).
- blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() (bsc#1012628).
- pstore/ram: fix resource leak when ioremap() fails (bsc#1012628).
- erofs: include the trailing NUL in FS_IOC_GETFSLABEL (bsc#1012628).
- md: fix array_state=clear sysfs deadlock (bsc#1012628).
- ublk: reset per-IO canceled flag on each fetch (bsc#1012628).
- blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default() (bsc#1012628).
- erofs: handle 48-bit blocks/uniaddr for extra devices (bsc#1012628).
- md: remove unused static md_wq workqueue (bsc#1012628).
- md: wake raid456 reshape waiters before suspend (bsc#1012628).
- dcache: permit dynamic_dname()s up to NAME_MAX (bsc#1012628).
- btrfs: fix the inline compressed extent check in inode_need_compress() (bsc#1012628).
- btrfs: fix deadlock between reflink and transaction commit when using flushoncommit (bsc#1012628).
- btrfs: do not reject a valid running dev-replace (bsc#1012628).
- OPP: debugfs: Use performance level if available to distinguish between rates (bsc#1012628).
- OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp() (bsc#1012628).
- ACPI: x86: cmos_rtc: Clean up address space handler driver (bsc#1012628).
- ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver (bsc#1012628).
- devres: fix missing node debug info in devm_krealloc() (bsc#1012628).
- thermal/drivers/spear: Fix error condition for reading st,thermal-flags (bsc#1012628).
- debugfs: check for NULL pointer in debugfs_create_str() (bsc#1012628).
- debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() (bsc#1012628).
- soundwire: debugfs: initialize firmware_file to empty string (bsc#1012628).
- amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() (bsc#1012628).
- amd-pstate: Update cppc_req_cached in fast_switch case (bsc#1012628).
- cpufreq: Pass the policy to cpufreq_driver->adjust_perf() (bsc#1012628).
- PCI: use generic driver_override infrastructure (bsc#1012628).
- platform/wmi: use generic driver_override infrastructure (bsc#1012628).
- vdpa: use generic driver_override infrastructure (bsc#1012628).
- s390/cio: use generic driver_override infrastructure (bsc#1012628).
- s390/ap: use generic driver_override infrastructure (bsc#1012628).
- bus: fsl-mc: use generic driver_override infrastructure (bsc#1012628).
- locking/mutex: Rename mutex_init_lockep() (bsc#1012628).
- locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC (bsc#1012628).
- irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter (bsc#1012628).
- hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() (bsc#1012628).
- hrtimer: Reduce trace noise in hrtimer_start() (bsc#1012628).
- locking: Fix rwlock and spinlock lock context annotations (bsc#1012628).
- signal: Fix the lock_task_sighand() annotation (bsc#1012628).
- ww-mutex: Fix the ww_acquire_ctx function annotations (bsc#1012628).
- perf/amd/ibs: Account interrupt for discarded samples (bsc#1012628).
- perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR (bsc#1012628).
- perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler (bsc#1012628).
- x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE (bsc#1012628).
... changelog too long, skipping 2041 lines ...
- commit 17ac7c8

==== libstorage-ng ====
Version update (4.5.326 -> 4.5.328)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1078
- update github actions
- install git
- 4.5.328
- merge gh#openSUSE/libstorage-ng#1077
- improve memory usage
- 4.5.327

==== openSUSE-release ====
Version update (20260525 -> 20260527)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== pam ====
Version update (1.7.2 -> 1.7.2+git12)
Subpackages: pam-32bit

- Update to version 1.7.2+git12:
  * pam_env: fix check for buffer size (#975)
  * pam.8: Drop self reference
  * pam_unix: always call unix_update if SELinux is enabled (obsoletes pam_unix-selinux.patch)
  * ci: use one-line syntax for the matrix strategy
  * ci: add logind jobs for all compilers to the build matrix
  * ci: add clang-19 jobs to the build matrix
  * po: update translations using Weblate (Greek)
  * ci: replace vendordir jobs with novendordir
  * ci/build.sh: add support for empty VENDORDIR
  * ci: apply Zizmor recommendations to workflow
  * ci: use matrix strategy to avoid code duplication
  * meson: do not undefine _FILE_OFFSET_BITS for 64-bit platforms

==== pam-full-src ====
Version update (1.7.2 -> 1.7.2+git12)
Subpackages: pam-extra pam-manpages

- Update to version 1.7.2+git12:
  * pam_env: fix check for buffer size (#975)
  * pam.8: Drop self reference
  * pam_unix: always call unix_update if SELinux is enabled (obsoletes pam_unix-selinux.patch)
  * ci: use one-line syntax for the matrix strategy
  * ci: add logind jobs for all compilers to the build matrix
  * ci: add clang-19 jobs to the build matrix
  * po: update translations using Weblate (Greek)
  * ci: replace vendordir jobs with novendordir
  * ci/build.sh: add support for empty VENDORDIR
  * ci: apply Zizmor recommendations to workflow
  * ci: use matrix strategy to avoid code duplication
  * meson: do not undefine _FILE_OFFSET_BITS for 64-bit platforms

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced

- make kernel_livepatching pattern visible (bsc#1263084)
- enable kernel livepatching for aarch64 in SLE16.1 and newer (jsc#PED-7906, bsc#1266306).

==== shim-leap ====

- Modified the pretrans Lua script to work around the broken DB issue caused by buggy firmware when Secure Boot is disabled. It is impossible for the db to be empty while Secure Boot is enabled. If the db is empty, the installation behavior will be treated the same as when Secure Boot is disabled. We allow the shim installation process to continue and display a message reminding the user to add the appropriate certificate. (bsc#1259096)

==== which ====
Version update (2.23 -> 2.25)

- Update to 2.25:
  * Fix an out of bounds stack read