Packages changed:
  bash (5.3.9 -> 5.3.15)
  blog (2.40 -> 2.42)
  dracut (110+suse.32.g36b00ba7 -> 110+suse.35.g9834432)
  file-roller (44.6 -> 44.7)
  gstreamer-plugins-bad (1.28.4 -> 1.28.4+24)
  libbacktrace (1.0+git20250210 -> 1.0+git20260601)
  libstorage-ng (4.5.331 -> 4.5.334)
  lrzip (0.651 -> 0.660)
  openSUSE-release (20260619 -> 20260622)
  patterns-base
  patterns-fonts
  transmission
  wireplumber (0.5.14 -> 0.5.15)
  xscreensaver

=== Details ===

==== bash ====
Version update (5.3.9 -> 5.3.15)
Subpackages: bash-lang bash-loadables bash-sh

- Add upstream patches
  * Bash-5.3 Official patch 10 -- bash53-010
    Under some circumstances, a subshell or asynchronous job with an active
    EXIT trap that contains a call to `wait' can loop trying to wait for
    processes that are not its children. It usually inherits these jobs from
    its parent in the jobs list.
  * Bash-5.3 Official patch 11 -- bash53-011
    If a `mapfile' callback unsets the array variable `mapfile' is using to
    save the lines it reads, `mapfile' can try to reference freed memory,
    which can cause corruption or shell crashes.
  * Bash-5.3 Official patch 12 -- bash53-012
    If a subshell with an inherited EXIT trap receives a fatal signal before
    it clears the exit trap, and before it restores its original signal
    handlers, it's possible for it to inappropriately run the inherited EXIT
    trap.
  * Bash-5.3 Official patch 13 -- bash53-013
    Comparing the value of a pointer returned from realloc/xrealloc to the
    original pointer passed is technically undefined behavior, which matters
    under some circumstances.
  * Bash-5.3 Official patch 14 -- bash53-014
    Bash-5.3 patch 11 included an inadvertent extra line, which this patch
    removes. This also takes the opportunity to improve that patch, by
    looking up the variable each time through the line-reading loop only if
    there is a callback and it is invoked.
  * Bash-5.3 Official patch 15 -- bash53-015
    There are circumstances under which index -1 is used to reference into
    the input buffer used by the `read' builtin.

==== blog ====
Version update (2.40 -> 2.42)
Subpackages: libblogger2

- Update to version 2.42
  Fix possible memory leaks, eliminate type punning, and resolve I/O blocking
  This update implements a series of systemic improvements to stability,
  security, and performance:
  1. Memory Safety & Leak Resolution:
     - Implemented lcons_shutdown destructor to automatically purge the
       console list and close FDs on exit.
     - Fixed password buffer leak by using in closeIO, correctly matching the
       mmap allocation in shm_malloc.
     - Added cleanup for pwprompt in closeIO.
  2. Elimination of Dangerous Type Punning:
     - Replaced the unreliable &cons->node pattern with a type-safe list_t
       lcons sentinel across the codebase.
     - Added __attribute__((may_alias)) to list_t in listing.h to prevent
       compiler strict aliasing optimizations from corrupting list
       traversals.
  3. I/O Responsiveness & Stability:
     - Removed tcdrain() from the high-frequency epoll_console_in path to
       eliminate daemon freezes during heavy output.
     - Updated consinitIO to ensure CON_SERIAL devices remain in O_NONBLOCK
       mode, preventing freezes on slow serial lines.
     - Extended the tcdrain skip-list in closeIO to include CON_SERIAL,
       ensuring a hang-free shutdown.
  4. Architectural Improvements:
     - Redesigned shm_malloc to use a tiered mapping strategy: prefers
       file-backed shared memory in /dev/shm with a graceful fallback to
       MAP_ANONYMOUS.
     - Optimized listing.h with always_inline attributes, __builtin_prefetch
       for cache efficiency, and list poisoning for safer debugging.
- Update to version 2.41
  * The __attribute__((noreturn)) for error() in libconsole.h added
  * The variable err with 0 initialized in thread_poll()
  * The variable cp.parity with {0} initialized in readpw()
  * feat(blogd): handle pending systemd password requests on coldstart
  * Initialize console pointer list as well
  * Check peer credentials before reading command
  * Make isinteger() string check usable for all architectures
  * Add some comments about warnings and translation for S390

==== dracut ====
Version update (110+suse.32.g36b00ba7 -> 110+suse.35.g9834432)

- Update to version 110+suse.35.g9834432:
  * fix(fips): handle zipl (bsc#1262515)
  * fix(network-legacy): sanitize DHCP values in dhclient-script.sh
    (bsc#1268322, CVE-2026-6893)
  * fix(network-legacy): add input validation to RFC 3442 route parser

==== file-roller ====
Version update (44.6 -> 44.7)
Subpackages: file-roller-lang

- Update to version 44.7:
  + Bugfixes:
    - New Archive Dialog: allow input of an absolute path directly.
    - Check line length when parsing command output.
    - Java Utils: make sure the package name respects the max size.
    - Metainfo: Add screenshot caption.
    - Flatpak Improvements: remove zstd module; improve cleanup command;
      replace p7zip with 7zip; reduce libportal features; modernize
      manifest.
  + Updated translations.

==== gstreamer-plugins-bad ====
Version update (1.28.4 -> 1.28.4+24)
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0
  libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0
  libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0
  libgsthip-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0
  libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0
  libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0
  libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.28.4+24 (boo#1268406, boo#1268408, boo#1268410,
  CVE-2026-52720, CVE-2026-52721, CVE-2026-52722):
  + mxfdemux: fix remaining offsets index entry insertion call site
  + mxfdemux: fix essence track offsets array population
  + mxdemux: index entry: use intialized
  + rtmp2: Remove socket timeout after handshake completes
  + rtmp2: Don't retry on G_IO_ERROR_TIMED_OUT
  + vnmdec: Avoid integer overflows when rectangle positions and sizes
  + pcapparse: Add missing bounds checks to ensure packets are large enough
  + mpegpsdemux: Release stream lock when seeking fails
  + librfb: Validate framebuffer update rectangles against the framebuffer
    size

==== libbacktrace ====
Version update (1.0+git20250210 -> 1.0+git20260601)

- Update to version 1.0+git20260601:
  * libbacktrace: support compressed block with no sequences
  * libbacktrace: Fix typos in various files
  * libbacktrace: support multiple zstd frames
  * libbacktrace: don't use ZSTD_CLEVEL_DEFAULT
  * Update copyright years.
  * Update copyright years.
  * libbacktrace: use correct names in #undef of ELF macros
  * libbacktrace: recognize PE bigobj objects at configure time
  * libbacktrace: Add hpux fileline support
  * bootstrap/119680 - fix cross-compiler build with --enable-host-shared
  * libbacktrace: Use correct type in backtrace_atomic_store_int

==== libstorage-ng ====
Version update (4.5.331 -> 4.5.334)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1082
- updated swig template definitions
- 4.5.334
- merge gh#openSUSE/libstorage-ng#1081
- fixed build on SLE 15
- 4.5.333
- merge gh#openSUSE/libstorage-ng#1080
- improved usleep function
- improved memory handling
- improved error reporting
- use RAII for pid of child
- 4.5.332

==== lrzip ====
Version update (0.651 -> 0.660)

- Update to version 0.660:
  * Do not clean up thread structures in decompression failure conditions,
    fixing a use-after-free in lzma_decompress_buf() and a NULL pointer
    dereference in ucompthread() on corrupt/malicious archives
    (CVE-2025-15570, boo#1258016; CVE-2025-15571, boo#1258023)
  * Handle -L given without a parameter, fixing a NULL pointer dereference
    (CVE-2025-9396, boo#1248598)
  * Add write bounds checking in libzpaq and sanity checks for maliciously
    encoded headers and oversized allocations
  * Various STDIO, portability and build fixes (OpenBSD support, non-x86
    zpaq, autoconf warnings); drop Doxygen doc build
- Switch Source to the upstream GitHub release tarball (0.660 is not
  published on ck.kolivas.org) and run autoreconf at build time
- Drop fixasmstack.patch (merged upstream)

==== openSUSE-release ====
Version update (20260619 -> 20260622)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base
  patterns-base-basesystem patterns-base-basic_desktop patterns-base-console
  patterns-base-enhanced_base patterns-base-minimal_base
  patterns-base-selinux patterns-base-sw_management patterns-base-x11
  patterns-base-x11_enhanced

- Disambiguate 32bit patterns and x11 patterns summaries (bsc#1267854)

==== patterns-fonts ====
Subpackages: patterns-fonts-fonts patterns-fonts-fonts_opt

- Disambiguate fonts and fonts_opt pattern summaries (bsc#1267854)

==== transmission ====
Subpackages: transmission-common transmission-gtk transmission-gtk-lang

- Add arm to ExcludeArch, 32bit arm does not build either.

==== wireplumber ====
Version update (0.5.14 -> 0.5.15)
Subpackages: libwireplumber-0_5-0 wireplumber-bash-completion
  wireplumber-lang

- Update to version 0.5.15:
  * Additions & Enhancements:
    - Added new WpPermissionManager API that centralizes access control for
      clients, with support for attaching permission managers to clients
      from Lua scripts; the client access scripts have been completely
      refactored to use the new API with a select-access event and a
      priority fallback mechanism: configuration, flatpak, snap, portal, and
      default (!797 (merged), !822 (merged), !825 (merged))
    - Added new WpStateMetadata class that mirrors the persistent state into
      a PipeWire metadata object, allowing users to clear or change saved
      device profiles at runtime using pw-metadata (!818 (merged))
    - Added set_param(), enum_params_sync() and params-changed signal to
      WpSpaDevice, and an event signal for SPA device events, allowing
      monitors to directly interact with SPA devices and react to profile
      changes without going through the global WpDevice object
      (!835 (merged), !842 (merged))
    - Added list subcommand to wpctl for displaying PipeWire objects in a
      script-friendly format, with bash completions (!805 (merged),
      !823 (merged))
    - Added reset command to wpctl to reset the state of WirePlumber and
      PipeWire to installation defaults (!848 (merged), !849 (merged))
    - Enhanced wpctl to connect to the manager socket when available, giving
      the tool unrestricted access to the PipeWire graph (!814 (merged))
    - Added new bluetooth.profile-preference setting to
      find-preferred-profile for selecting quality or latency A2DP profiles
      (!819 (merged))
    - Added a cache for camera permission checks in the portal access module
      to avoid frequent D-Bus calls; also added a 3-second timeout and fixed
      the Set create parameter in portal-permissionstore (!820 (merged),
      !821 (merged))
  * Fixes:
    - Fixed wpctl set-volume by PID to apply the same volume level to all
      matching nodes (#944 (closed); !829 (merged))
    - Fixed portal clients to be un-gated immediately after permission
      setup, preventing them from remaining blocked (#941 (closed);
      !826 (merged))
    - Fixed ALSA monitor to set the device profile to Off and restore it
      when a node enters an error state, forcing a close/reopen of the
      device to recover from broken ALSA device states (!837 (merged))
    - Fixed voice call profile selection to not skip profiles with unknown
      availability (!834 (merged))
    - Fixed memory leak in Lua scripting by only holding a strong reference
      of the Lua state when a script is activated, preventing leaked proxy
      warning messages on core disconnect (!844 (merged))
    - Fixed state-stream to only use the media.role key when its value is
      Notification when forming the stream state lookup key (!845 (merged))
    - Fixed pw-obj-mixin to apply the active filter when enumerating cached
      params and to deduplicate subscribed param IDs (!839 (merged),
      !840 (merged))
    - Fixed m-lua-scripting to validate Bool values in Pod.Choice.Enum
      (!841 (merged))
    - Fixed shutdown sequence to properly deactivate all objects and plugins
      before teardown (#881; !833 (merged))
    - Fixed Bluetooth to not set bluez5.autoswitch-routes on BT devices
      (!811 (merged))
    - Fixed null pointer dereference in permission-manager (!812 (merged))
    - Fixed module destructor ordering to call the parent destructor before
      finalizing internal state (!813 (merged))
    - Fixed nil value when logging in state-profile (!815 (merged))
    - Fixed gobject-introspection issue on spa-pod to correctly generate
      Python bindings (!828 (merged))
    - Updated translations: Chinese, Serbian, Serbian Latin

==== xscreensaver ====
Subpackages: xscreensaver-data xscreensaver-lang

- Add xscreensaver-screenfade.patch: don't abort in
  openGL_context_for_window. Callers (e.g. the screen fade) treat a NULL
  return as "GL is unavailable" and fall back gracefully