Packages changed: ImageMagick (7.1.2.23 -> 7.1.2.24) Mesa (26.1.0 -> 26.1.1) Mesa-drivers (26.1.0 -> 26.1.1) apparmor bind (9.20.22 -> 9.20.23) docbook_4 fwupd gsasl (2.2.2 -> 2.2.3) iso_ent kernel-firmware-amdgpu (20260514 -> 20260519) kernel-firmware-intel (20260505 -> 20260519) kernel-firmware-mediatek (20260423 -> 20260519) kernel-firmware-qcom (20260514 -> 20260519) kernel-firmware-sound (20260421 -> 20260519) less (692 -> 702) libapparmor libcaca libheif (1.21.2 -> 1.22.2) libphonenumber (9.0.29 -> 9.0.31) libsolv (0.7.37 -> 0.7.38) libunwind libwebp libxfce4windowing (4.20.5 -> 4.20.6) libzio (1.12 -> 1.14) libzypp (17.38.9 -> 17.38.10) live555 (2026.03.23 -> 2026.04.22) man mariadb (11.8.6 -> 11.8.7) nvidia-open-driver-G06-signed nvidia-open-driver-G07-signed (595.71.05_k7.0.10_2 -> 595.80_k7.0.10_2) nvidia-open-driver-G07-signed-cuda (595.71.05_k7.0.10_2 -> 610.43.02_k7.0.10_2) openSUSE-build-key openSUSE-release (20260527 -> 20260529) pipewire (1.6.5 -> 1.6.6) polkit-default-privs (1550+20260513.3b99372 -> 1550+20260528.62493d2) powerdevil6 python-ldap (3.4.5 -> 3.4.7) python-markdown-it-py (4.0.0 -> 4.2.0) python-pip (26.1 -> 26.1.1) qt6-base (6.11.0 -> 6.11.1) qt6-declarative (6.11.0 -> 6.11.1) qt6-imageformats (6.11.0 -> 6.11.1) qt6-location (6.11.0 -> 6.11.1) qt6-multimedia (6.11.0 -> 6.11.1) qt6-networkauth (6.11.0 -> 6.11.1) qt6-positioning (6.11.0 -> 6.11.1) qt6-qt5compat (6.11.0 -> 6.11.1) qt6-quick3d (6.11.0 -> 6.11.1) qt6-quicktimeline (6.11.0 -> 6.11.1) qt6-sensors (6.11.0 -> 6.11.1) qt6-shadertools (6.11.0 -> 6.11.1) qt6-speech (6.11.0 -> 6.11.1) qt6-svg (6.11.0 -> 6.11.1) qt6-tools (6.11.0 -> 6.11.1) qt6-translations (6.11.0 -> 6.11.1) qt6-virtualkeyboard (6.11.0 -> 6.11.1) qt6-wayland (6.11.0 -> 6.11.1) qt6-webchannel (6.11.0 -> 6.11.1) qt6-webengine (6.11.0 -> 6.11.1) qt6-webview (6.11.0 -> 6.11.1) quadrapassel (50.1 -> 50.2) rdma-core (61.0 -> 62.0) samba (4.23.7+git.473.9487af01c24 -> 4.23.8+git.477.f78166bceed) selinux-policy (20260522 -> 20260526) sgml-skel talloc (2.4.3 -> 2.4.4) tdb (1.4.14 -> 1.4.15) unbound (1.25.0 -> 1.25.1) vorbis-tools === Details === ==== ImageMagick ==== Version update (7.1.2.23 -> 7.1.2.24) Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - in default security policy, allow reading from symbolic links [bsc#1265373] - modified patches * ImageMagick-configuration-SUSE.patch - version update to 7.1.2.24 * reject mtv files with zero columns or rows #8758 * reject tga files with zero columns or rows #8756 * reject cineon files with zero columns or rows #8754 * build(deps): bump ubuntu from 22.04 to 26.04 in /.devcontainer #8751 * reject farbfeld files with zero columns or rows #8750 * build(deps): bump caphyon/advinst-github-action from 2.0.2 to 2.0.3 #8742 * build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 #8749 * Add profile_fuzzer for raw EXIF/XMP/IPTC/ICC parsing #8736 - fixes following GH security advisories: * GHSA-4v89-6mgq-6rgc * GHSA-8pj9-6897-74xc * GHSA-xcjm-wqff-m669 * GHSA-gm48-c7f2-v67p * GHSA-h36c-3666-h489 * GHSA-5v62-8fq6-cp9m * GHSA-9hqg-xf93-ghfw * GHSA-2hhq-c99x-492r * GHSA-6mwj-rp89-6j5j * GHSA-vgh5-r42g-4j44 ==== Mesa ==== Version update (26.1.0 -> 26.1.1) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.1 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.1 - refreshed n_drirc-disable-rgb10-for-chromium-on-amd.patch ==== Mesa-drivers ==== Version update (26.1.0 -> 26.1.1) Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.1 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.1 - refreshed n_drirc-disable-rgb10-for-chromium-on-amd.patch ==== apparmor ==== Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-parser-lang apparmor-profiles apparmor-utils apparmor-utils-lang python3-apparmor - add revert-plasmashell.diff - the profile changes caused strange problems (see SR 1355200). Revert for now to get the other fixes out. - add changes-since-v5.0.0.diff with all changes since the 5.0.0 release: - small fixes in parser and utils - lots of profile updates: - abstractions/nameservice (part of boo#1265394) - alsamixer (boo#1265452) - avahi-daemon (boo#1266041) - dig (boo#1265459) - fusermount3 (boo#1265951) - lsof - php-fpm (boo#1265864) - plasmashell - proftpd (boo#1265862) - Samba profiles (boo#1265865) - transmission-daemon (boo#1265863) - various dovecot profiles - add wg-quick.diff to fix wg-quick (boo#1265394) - add curl.diff to fix curl for usage with rpmdevtools (boo#1266273) - add who.diff to fix who (boo#1265860) - remove upstreamed patches (included in changes-since-v5.0.0.diff): - allow-read-slash.diff - lsusb.diff - postfix-profiles-slash.diff - syslog-ng-slashes.diff - wpa_supplicant.diff ==== bind ==== Version update (9.20.22 -> 9.20.23) Subpackages: bind-doc bind-utils - Upgrade to release 9.20.23 https://downloads.isc.org/isc/bind9/9.20.23/doc/arm/html/notes.html Security-Fixes: * Amplification vulnerabilities via self-pointed glue records. (CVE-2026-3592) [bsc#1265592] * server memory exhaustion during GSS-API TKEY negotiation. (CVE-2026-3039) [bsc#1265591] * Unbounded resend loop in BIND 9 resolver (CVE-2026-5950) [bsc#1265596] * SIG(0) validation during query flood may lead to undefined behavior. (CVE-2026-5947) [bsc#1265595] * Invalid handling of CLASS != IN. (CVE-2026-5946) [bsc#1265594] ==== docbook_4 ==== - jsc#PED-14844, bsc#1265199: Look for CATALOG.iso_ent in /usr/share/sgml instead of /var/lib/sgml. - Remove obsolete SGML_CONFIG_DIR aka /var/lib/sgml from Makefile. - Trim whitespace in .changes file. ==== fwupd ==== Subpackages: fwupd-bash-completion fwupd-lang libfwupd3 typelib-1_0-Fwupd-2_0 - Add fwupd-bsc1217138-fallback-shim-path.patch to set the fallback shim path for SUSE/openSUSE (bsc#1217138) ==== gsasl ==== Version update (2.2.2 -> 2.2.3) - Update to release 2.2.3 * DIGEST-MD5: Fix NULL pointer dereference in parser; (CVE-2026-48829); (bsc#1266371) * Support Dovecot 2.3 and 2.4 in tests/gsasl-dovecot-gssapi.sh * Update gnulib files and various minor fixes - Drop patch gsasl-const-correctness.patch (merged) ==== iso_ent ==== - jsc#PED-14844: Remove unnecessary systemd-tmpfile. - Specfile cleanup * Change Source0 URL to the redirect of the previous URL. * Convert ISOgrk5.gz to .zip (content unchanged) in order to clean up the %prep section. * Change URL to something more informative. * Drop unneeded sgml-skel BuildRequires. - Trim whitespace in .changes file. - Fix jsc#PED-14844 for immutable mode * No changes in tarball * Use %autosetup * Some code cleanup * Add systemd-tmpfile ==== kernel-firmware-amdgpu ==== Version update (20260514 -> 20260519) - Update to version 20260519 (git commit d962a6a309b7): * amdgpu: DMCUB updates for various ASICs ==== kernel-firmware-intel ==== Version update (20260505 -> 20260519) - Update to version 20260519 (git commit d962a6a309b7): * Add HP ISH firmware for Intel Panther Lake systems ==== kernel-firmware-mediatek ==== Version update (20260423 -> 20260519) - Update to version 20260519 (git commit d962a6a309b7): * linux-firmware: add firmware for MT7927 WiFi device ==== kernel-firmware-qcom ==== Version update (20260514 -> 20260519) - Update to version 20260519 (git commit d962a6a309b7): * qcom: add CDSP firmware for shikra platform ==== kernel-firmware-sound ==== Version update (20260421 -> 20260519) - Update to version 20260519 (git commit d962a6a309b7): * ASoC: tas2783: Add Firmware files for tas2783A projects * ti: Add PCM6240 firmware with multiple audio profiles support ==== less ==== Version update (692 -> 702) - Update to 702: * Add --hilite-target option and -DJ to color target line * Add --past-eof option * Add --end-prompt option * Add --emouse and --rmouse options, and horizontal mouse scrolling and dragging * Add -DT option to format tilde lines * Change OSC 8 link handling: replace LESS_OSC8_xxx with LESS_OSC8_OPEN_xxx. Remove %O from prompt expansion as no longer needed. Any use of environment variables LESS_OSC8_xxx need to be manually changed to use LESS_OSC8_OPEN_xxx * Add ?o to prompt strings, to detect whether an OSC 8 link is selected * When scrolling past end-of-file or before beginning-of-file, stop when exactly one line is left on screen. * Make -w/-W highlight lines when moving backward as well as forward * Display pattern in "Pattern not found" message * Allow m and M commands to take a numeric argument to specify the line to be marked * Allow ' command to take a numeric argument to specify the screen position on which to place the marked line. * Allow lesskey to map keypad ENTER with \kpe * Add "noaction" as a possible action in #line-edit section in a lesskey file * Support POSIX character classes with the built-in V8 regex library * Change | command to pipe just one line if the marked line is at the top of the screen * If OSC8 handler command begins with "-", suppress command echo, and if it begins with ctrl-P, suppress "done" message * Don't ask for confirmation when input is a binary file and stdout is redirected. Fixes infinite loop in that situation * Make early error messages go to stderr if stdout is redirected * Don't retry read after read error; fixes hang when attempting to read a directory or other unreadable file * Fix incorrect restoration of saved mark if not at top of screen * With --save-marks, don't save a mark that was cleared with ESC-m. * Fix buffer overflow when using malformed lesskey file * Fix unexpected scrolling past end of file * Fix bug when env var in LESSKEY_CONTENT partially matches env var defined in lesskey file * Fix bug when env var in lesskey file matches tail of env var used by less * Fix command parsing bug when one command is a substring of another. Also fixes --no-paste option * Fix incorrect display using --color to set character attributes without color, such as -DS-u * Fix crash when tags file contains invalid line number 0 * Fix build when tparm() doesn't use varargs * Fix prompt overflow when filtering with long prompt * Fix incorrect highlighting when change -i while filtering * Fix erroneous error mesage using --show-preproc-error with some shells * Fix erroneous highlighting when using a search pattern containing more than 5 pairs of parentheses with PCRE2 * When ^X interrupts F mode, discard pending keys as is done when ^C interrupts it * Fix bug in Windows where pressing any key during "waiting for data" would prevent a subsequent ^X from working. * Fix erroneous display in some situations when using LESS_LINES * Fix erroneous display after certain messages are displayed in a very narrow terminal * Don't init terminal if stdout is not a tty * Fix bug clicking OSC 8 link that crosses a screen line boundary - add upstream signing key and validate source signature ==== libapparmor ==== - add revert-plasmashell.diff - the profile changes caused strange problems (see SR 1355200). Revert for now to get the other fixes out. - add changes-since-v5.0.0.diff with all changes since the 5.0.0 release: - small fixes in parser and utils - lots of profile updates: - abstractions/nameservice (part of boo#1265394) - alsamixer (boo#1265452) - avahi-daemon (boo#1266041) - dig (boo#1265459) - fusermount3 (boo#1265951) - lsof - php-fpm (boo#1265864) - plasmashell - proftpd (boo#1265862) - Samba profiles (boo#1265865) - transmission-daemon (boo#1265863) - various dovecot profiles - add wg-quick.diff to fix wg-quick (boo#1265394) - add curl.diff to fix curl for usage with rpmdevtools (boo#1266273) - add who.diff to fix who (boo#1265860) - remove upstreamed patches (included in changes-since-v5.0.0.diff): - allow-read-slash.diff - lsusb.diff - postfix-profiles-slash.diff - syslog-ng-slashes.diff - wpa_supplicant.diff ==== libcaca ==== - Improve the fix of CVE-2026-42046 for 32bit system. [Fix-32-bit-overflow-in-CVE-2026-42046-patch.patch, bsc#1264984, CVE-2026-42046] ==== libheif ==== Version update (1.21.2 -> 1.22.2) Subpackages: gdk-pixbuf-loader-libheif libheif-aom libheif-dav1d libheif-ffmpeg libheif-jpeg libheif-openh264 libheif-openjpeg libheif-rav1e libheif-svtenc libheif1 - version update to 1.22.2: * build issues with OpenJPEG plugin (#1813) * non-plain C in header (#1812) * CVE TBD (GHSA-r7qj-cg5r-r6vf) - Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder * CVE TBD (GHSA-5hqq-636x-r3cr) - Out-of-bounds write in inline mask region API when source mask exceeds declared region - deleted patches * libheif-fix-tests-no-HEVC.patch (upstreamed) - fixes [bsc#1266281] [bsc#1266282] - added patches https://github.com/strukturag/libheif/commit/5780da88104270ef316c764c2c2945e0c43af624 * libheif-fix-tests-no-HEVC.patch - update to 1.22.0: * This is a large release with substantial new functionality, mainly focusing on generalized image formats (e.g., multi- spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image codec). * HDR up to 64 bpp * Multi-component images with arbitrary component layouts (multi-spectral images, arbitrary non-visual data) * Filter-array (Bayer / mosaic) images, with debayering in color transformation pipeline * Metadata: chroma-sample location (cloc), sample non- uniformity (snuc), sensor bad-pixel map (sbpm), polarization pattern (splz) * heif-dec can now convert to WebP (thanks to @torusrxxx). * heif-enc can now accept input from WebP, HEIF, pure raw files (including floating point pixel data), and CMYK JPEG (converted to RGB). * TIFF input can now read many TIFF formats used in geospatial imaging, like: 16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview images, CMYK JPEG, YCbCr-as-JPEG. TIFFs with image tiling and multi-resolution layers are now reproduced as HEIFs when converted. * PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697). * heif-dec: auto-correct option to fix known input errors (e.g. mismatched NCLX/VUI). * Image, Track, Sequence samples, image component GIMI content IDs * Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content IDs from Turtle * AOM encoder plugin now auto-selects IQ tune mode * mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh for the initial implementation) * unif brand (globally-unique-ID) support * OMAF (omnidirectional images): indicate ISO/IEC 23000-22 spherical/omnidirectional image projection * alpha bit-depth tracked through the color-conversion pipeline * CVE-2026-32738 (GHSA-7f2h-cmpf-v9ww) : Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874) * CVE-2026-32739 (GHSA-j9g7-q9hv-gq8c) : Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875) * CVE-2026-32740 (GHSA-frfr-f3vg-2g6j) : Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876) * CVE-2026-32741 (GHSA-j3w5-7whq-p37q) : heap buffer overflow in decode_mask_image() (bsc#1265877) * CVE-2026-32814 (GHSA-4m8r-34pg-rvwc) : Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878) * CVE-2026-32882 (GHSA-hg7q-rjr2-8x46) : Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879) * CVE-2026-41069 (GHSA-p82x-fpmv-576r) : Out-of-bounds vector access leading to invalid dereference (bsc#1265979) * CVE-2026-41071 (GHSA-xj92-xjff-h8w3) : Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980) * CVE-2026-47178 (GHSA-5x55-x5pf-9c6g) : Heap Out Of Bounds Write in unci subsystem (bsc#1265981) * CVE-2026-47247 (GHSA-2vh6-whr3-cmq3) : Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982) * CVE-2026-47251 (GHSA-p6q9-fhf2-vj9v) : Incomplete fix for (bsc#1265983) CVE-2026-3949: integer overflow bypass in vvdec_push_data2 * CVE-2026-47254 (GHSA-wqjg-4x9g-6cvg) : Heap Buffer Overflow in `Track::get_next_sample_raw_data()` -- OOB Chunk Vector Access (bsc#1265987) * CVE-2026-47709 (GHSA-4h72-vqgp-9376) : NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988) * CVE-2026-47714 (GHSA-h4wm-6wwf-qvhx) : Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989) * CVE-2026-48029 (GHSA-6x5f-qchq-cxqv) : heap OOB read in ImageItem_Grid::decode_grid_tile via irot-induced tile- coordinate underflow (bsc#1265990) * (GHSA-95jx-g5vf-cpp8) : Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992) * (GHSA-p4r6-6972-g26m) : Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995) * (GHSA-jh2w-m72q-q595) : Out-of-bounds read and assertion- based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996) * (GHSA-9h96-c44j-jpq9) : Heap buffer overflow via uint32_t stride overflow in image plane allocation (bsc#1265997) ... changelog too long, skipping 9 lines ... * libheif-CVE-2026-3950.patch ==== libphonenumber ==== Version update (9.0.29 -> 9.0.31) - update to 9.0.31: * Update alternate formatting data for country calling code(s): 84 * Update phone metadata for region code(s): AI, BO, DZ, ET, GE, GM, IN, TR, UG, VN * Update short number metadata for region code(s): IT * Update geocoding data for country calling code(s): 213 (en) * Update carrier data for country calling code(s): 34 (en), 43 (en), 84 (en), 90 (en), 220 (en), 251 (en), 256 (en), 354 (en), 591 (en), 1264 (en) - includes changes from 9.0.30: * Update alternate formatting data for country calling code(s): 91 * Update phone metadata for region code(s): CL, CZ, DE, IN, SG * Update geocoding data for country calling code(s): 91 (en) * Update carrier data for country calling code(s): 56 (en), 65 (en), 91 (en), 594 (en), 596 (en), 855 (en) ==== libsolv ==== Version update (0.7.37 -> 0.7.38) Subpackages: libsolv-tools-base libsolv1 ruby-solv - made repo_add_solv more robust against corrupt files [bsc#1265935] [CVE-2026-9149] - fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039] [CVE-2026-48863] - added limit checks in multiple places to catch overflows - reduce the size of the language id cache - fixed Debian canon selection - fixed dbpath detection in repo_rpmdb_librpm - reduced stack usage in repo page compression (needed for musl) ==== libunwind ==== - Add fix-s390x-tests.diff (part of #1002) to fix endless loop on s390x in Gtest-trace and Ltest-trace ==== libwebp ==== Subpackages: libsharpyuv0 libwebp-tools libwebp7 libwebpdemux2 libwebpmux3 - Drop build dependency on giflib and glut, those are only used for example programs anyway. - Add libwebp-s390x-0e5f4ee.diff to fix python-Pillow on s390x (https://github.com/python-pillow/Pillow/issues/8831) - Fix build on code 15 by forcing gcc 14 ==== libxfce4windowing ==== Version update (4.20.5 -> 4.20.6) Subpackages: libxfce4windowing-0-0 libxfce4windowing-lang libxfce4windowingui-0-0 - Revert change regarding the -lang package. - Update to version 4.20.6 * Add xfw_screen_get_monitor_for_gdk_monitor() * Add missing "New in 4.20.6" docs section * Add missing chain up to parent class * I18n: Update po/LINGUAS list * XfwMonitor: Fix (xdg_)output_done event handling * XfwMonitor: Fix typo and initialize class member * Ignore workarea/workspace count mismatches * Fix incorrect max to clamp workspace number to * Implement workspace geometry for wayland * Add XfwWorkspace:geometry property * Fix missing workspace signal connections in test program * Add test program to enumerate workspaces * Fix X11 workspace geometry and layout getting out of date * Fix incorrect col & row ordering for Wayland workspace coordinates * Fix width -> height typo for XfwWorkspaceX11 geometry * Add fallback monitor on X11 if XRandR doesn't report anything * Don't depend on wayland-scanner and wayland-protocols * XfwWindowWayland: Connect to XfwScreen::monitor-added * XfwWindowWayland: Connect to XfwScreen::monitor-removed * Translation Updates ==== libzio ==== Version update (1.12 -> 1.14) - Update to version 1.14 * Fix signed octal magic character for lzma - Update to version 1.13 * Avoid signed/unsigned comparison in magic() ==== libzypp ==== Version update (17.38.9 -> 17.38.10) - Repo metadata: discard entries referring to a location outside the repo (bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a location outside the repo's local cache directory. Those data entries are reported and discarded. - zypp.conf: Allow [env] section to add environment variables. This feature is designed to enable environment-specific settings or debugging options over an extended period. See zypp.conf(5). - version 17.38.10 (35) ==== live555 ==== Version update (2026.03.23 -> 2026.04.22) Subpackages: libBasicUsageEnvironment2 libUsageEnvironment3 libgroupsock33 - Update to version 2026.04.22 (CVE-2026-41470, boo#1265856): + Added extra checking to the handling of the RTSP server's "PLAY", "PAUSE", "TEARDOWN", and "SET_PARAMETER" commands, to ensure that, if the session is authenticated, then a proper authentication check is done before these commands are handled. This protects against the use of a 'stolen' RTSP session id to send these commands. (Note, however, that if the session is not authenticated (i.e., no username,password is needed), then no such protection is possible.) - Changes from version 2026-04-01: + Updated the way that the RTSP server generates successive RTSP 'session ids' to make it less likely that an attacker could guess a session id. + Updated the RTSP server implementation to make it possible for a client to request both interleaved (i.e., RTP/RTCP-over-TCP) and non-interleaved (i.e., RTP/RTCP-over-UDP) delivery within the same session. ==== man ==== - Change patch man-db-2.7.1-zio.dif to avoid Heisenbug (boo#1262477) ==== mariadb ==== Version update (11.8.6 -> 11.8.7) Subpackages: libmariadbd19 mariadb-client mariadb-errormessages - Update to 11.8.7: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7 https://mariadb.com/docs/release-notes/community-server/changelogs/11.8/11.8.7 * fixes for the following security vulnerabilities: 11.8.7: CVE-2026-44173 CVE-2026-44172 CVE-2026-44171 CVE-2026-44170 CVE-2026-44169 CVE-2026-44168 - Update spec for removal of README-wsrep file - Add test pam modules in mariadb-test package - Add new mariadb-migrate-config-file utility in mariadb-tools package - Refresh 0001-MDEV-38874-Make-tests-pass-after-2030.patch - Drop MDEV-38811.patch * Included in upstream release ==== nvidia-open-driver-G06-signed ==== - linux-7.0.patch * adjust driver to changes of screen_info with Kernel 7.0, which broke the driver completely (boo#1263825); see also https://forums.developer.nvidia.com/t/linux-driver-595-71-05-still-tries-to-use-screen-info-struct-which-was-refactored-in-7-0-kernel/370825 ==== nvidia-open-driver-G07-signed ==== Version update (595.71.05_k7.0.10_2 -> 595.80_k7.0.10_2) - linux-7.0.patch * adjust driver to changes of screen_info with Kernel 7.0, which broke the driver completely (boo#1263825); see also https://forums.developer.nvidia.com/t/linux-driver-595-71-05-still-tries-to-use-screen-info-struct-which-was-refactored-in-7-0-kernel/370825 - update non-CUDA variant to 595.80 (boo#1266660) - update CUDA variant to 610.43.02 - kernel-5.14.patch not needed; removed therefore ==== nvidia-open-driver-G07-signed-cuda ==== Version update (595.71.05_k7.0.10_2 -> 610.43.02_k7.0.10_2) - linux-7.0.patch * adjust driver to changes of screen_info with Kernel 7.0, which broke the driver completely (boo#1263825); see also https://forums.developer.nvidia.com/t/linux-driver-595-71-05-still-tries-to-use-screen-info-struct-which-was-refactored-in-7-0-kernel/370825 - update non-CUDA variant to 595.80 (boo#1266660) - update CUDA variant to 610.43.02 - kernel-5.14.patch not needed; removed therefore ==== openSUSE-build-key ==== - extended to openSUSE 4096bit RSA key for 4 more years. gpg-pubkey-29b700a4-6a17fa38.asc ==== openSUSE-release ==== Version update (20260527 -> 20260529) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== pipewire ==== Version update (1.6.5 -> 1.6.6) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-lang pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.6.6 * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases. * Highlights - Fix a bug in the server code that could leave snap clients without sound. (#5270 (closed)) - Relax LADSPA path loading again, absolute paths are only blocked in unsafe cases. - Fix a volume restore issue in filter-graph when using custom volume controls. - Small fixes and improvements. * PipeWire - Fix the meta permission check on metadata. - Make sure we don't accept too many fds. - Fix potential race with buffer allocation and Suspend. (#3547) * SPA - Relax LADSPA path loading. Absolute paths are allowed when loading modules from a config file. They are now only blocked when loading the pulse ladspa modules and filter-chains in nodes because those can load ladspa plugins in other processes. (#5222 (closed)) - Fix a regression in the dither noise that was silent when no input was available. (#5260 (closed)) - Fix volume initialization in filter-graph. (#5192 (closed)) * Pulse-server - Fix a bug in the server code that could leave snap clients without sound. (#5270 (closed)) - Be more careful with the stream suspend messages and only send them when the stream is monitoring. (#5273 (closed)) - Fix monitor mode in pavucontrol. * Tools - Fix midifile SysEx writing in pw-cat and ensure the header is written correctly on close. - Make sure pw-cat does not try to convert Midi to UMP. ==== polkit-default-privs ==== Version update (1550+20260513.3b99372 -> 1550+20260528.62493d2) - Update to version 1550+20260528.62493d2: * profiles: add qsnapper (bsc#1261537) ==== powerdevil6 ==== Subpackages: powerdevil6-lang - Pass '-DQT_QML_NO_CACHEGEN:BOOL=TRUE' to CMake to make builds reproducible (related: boo#1248369) ==== python-ldap ==== Version update (3.4.5 -> 3.4.7) - update to 3.4.7: * No code changes, correcting for the fact that the previous release artifacts uploaded to PyPI contained unintended files. * ``attrlist`` parameter is now properly checked before use, avoiding memory errors due to type mismatches * Fixed errors with requestName/requestValue in ``extop.dds`` * ``ldif`` and ``ldap.schema`` modules now actively close sockets as they're finished with them ==== python-markdown-it-py ==== Version update (4.0.0 -> 4.2.0) - Update to 4.2.0: * Add make_fence_rule() factory for configurable fence markers * Add --stdin option to CLI * Add typing to Scanner * Fix quadratic complexity in fragments_join / text_join * Allow plugins to register inline terminator characters * Add gfm-like2 preset with task lists, alerts, and single-tilde strikethrough ==== python-pip ==== Version update (26.1 -> 26.1.1) Subpackages: python311-pip python313-pip - Update to 26.1.1: - Fix issue where uninstallation left behind empty directories. Revert the removal of the adjacent __pycache__ directory when a .py file is removed. (#13973) ==== qt6-base ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Concurrent6 libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6OpenGLWidgets6 libQt6PrintSupport6 libQt6Sql6 libQt6Test6 libQt6WaylandClient6 libQt6Widgets6 libQt6WlShellIntegration6 libQt6Xml6 qt6-network-tls qt6-networkinformation-connman qt6-networkinformation-glib qt6-networkinformation-nm qt6-platformtheme-gtk3 qt6-printsupport-cups qt6-sql-mysql qt6-sql-sqlite qt6-wayland - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released - Drop patches, merged upstream: * 0001-Do-not-persist-unicode-error-state-across-dirents.patch * 0001-Ensure-custom-types-are-normalized.patch * 0001-freetype-Handle-failing-glyph-rendering.patch ==== qt6-declarative ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6LabsAnimation6 libQt6LabsFolderListModel6 libQt6LabsPlatform6 libQt6LabsQmlModels6 libQt6LabsSettings6 libQt6LabsSharedImage6 libQt6LabsStyleKit6 libQt6LabsSynchronizer6 libQt6LabsWavefrontMesh6 libQt6Qml6 libQt6QmlCore6 libQt6QmlLocalStorage6 libQt6QmlMeta6 libQt6QmlModels6 libQt6QmlNetwork6 libQt6QmlWorkerScript6 libQt6QmlXmlListModel6 libQt6Quick6 libQt6QuickControls2-6 libQt6QuickControls2Impl6 libQt6QuickDialogs2-6 libQt6QuickDialogs2QuickImpl6 libQt6QuickDialogs2Utils6 libQt6QuickEffects6 libQt6QuickLayouts6 libQt6QuickParticles6 libQt6QuickShapes6 libQt6QuickTemplates2-6 libQt6QuickTest6 libQt6QuickVectorImage6 libQt6QuickWidgets6 qt6-declarative-imports - Add upstream fix (kde#520252) * 0001-QQmlTableInstanceModel-refactor-QModelIndex-calculat.patch - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-imageformats ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-location ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Location6 - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-multimedia ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Multimedia6 libQt6MultimediaQuick6 libQt6MultimediaWidgets6 libQt6Quick3DSpatialAudio6 libQt6SpatialAudio6 qt6-multimedia-imports - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-networkauth ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-positioning ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Positioning6 libQt6PositioningQuick6 qt6-positioning-imports - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-qt5compat ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Core5Compat6 qt6-qt5compat-imports - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-quick3d ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Quick3D6 libQt6Quick3DAssetImport6 libQt6Quick3DAssetUtils6 libQt6Quick3DEffects6 libQt6Quick3DHelpers6 libQt6Quick3DHelpersImpl6 libQt6Quick3DParticleEffects6 libQt6Quick3DParticles6 libQt6Quick3DRuntimeRender6 libQt6Quick3DUtils6 libQt6Quick3DXr6 qt6-quick3d-imports - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-quicktimeline ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-sensors ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Sensors6 - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-shadertools ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-speech ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6TextToSpeech6 qt6-texttospeech - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-svg ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Svg6 libQt6SvgWidgets6 - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released - Drop patch, merged upstream: * 0001-Test-types-of-nodes-before-downcasting-them.patch ==== qt6-tools ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6Designer6 libQt6UiTools6 qt6-tools-qdbus - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released - Drop patch: * 0003-QDoc-Swap-forever-for-while-true.patch * 0004-QDoc-Disable-Qt-keyword-macros.patch ==== qt6-translations ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-virtualkeyboard ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6HunspellInputMethod6 libQt6VirtualKeyboard6 libQt6VirtualKeyboardQml6 qt6-virtualkeyboard-imports - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-wayland ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-webchannel ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6WebChannel6 libQt6WebChannelQuick6 qt6-webchannel-imports - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== qt6-webengine ==== Version update (6.11.0 -> 6.11.1) Subpackages: libQt6WebEngineCore6 libQt6WebEngineQuick6 libQt6WebEngineWidgets6 qt6-webengine-imports - Add upstream fix (QTBUG-145344) * 0001-Fix-AMD-VA-API-flickering-on-Wayland-by-allowing-mul.patch - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released Based on Chromium version: 140.0.7339.264 Patched with security patches up to Chromium version: 148.0.7778.96 - Update build dependencies ==== qt6-webview ==== Version update (6.11.0 -> 6.11.1) - Update to 6.11.1 https://www.qt.io/blog/qt-6.11.1-released ==== quadrapassel ==== Version update (50.1 -> 50.2) Subpackages: quadrapassel-lang - Update to version 50.2: + Fixed the game not getting saved when the window was closed + Updated libgnome-games-support + Updated translations. ==== rdma-core ==== Version update (61.0 -> 62.0) Subpackages: libefa1 libhns1 libibverbs libibverbs1 libionic1 libmana1 libmlx4-1 libmlx5-1 librdmacm1 rdma-ndd - use ldconfig_scriptlets - remove dependency on main package from libibverbs to avoid systemd being pulled in by valkey - Update to rdma-core v62.0 - https://github.com/linux-rdma/rdma-core/releases/tag/v62.0 - Fix bad link in v61.0 changelog entry ==== samba ==== Version update (4.23.7+git.473.9487af01c24 -> 4.23.8+git.477.f78166bceed) Subpackages: libldb2 libldb2-32bit python3-ldb samba-ad-dc-libs samba-ad-dc-libs-32bit samba-client samba-client-32bit samba-client-lang samba-client-libs samba-client-libs-32bit samba-dcerpc samba-gpupdate samba-ldb-ldap samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs samba-winbind-libs-32bit samba-winbind-libs-lang - Update to 4.23.8 * CVE-2026-4480: Fix Unauthenticated Remote Code Execution; (bso#16033); (bsc#1261161). * CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034); (bsc#1261163). * CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC nbt server; (bso#16012); (bsc#1261160). * CVE-2026-3012: Fix CVE-2026-3012 group policy certificate enrollment using http:// without validation;(bso#16003); (bsc#1261159). * CVE-2026-1933: Fix missing access check on reparse point operations; (bso#15992); (bsc#1261188). * CVE-2026-2340: vfs_worm does not block directory modification; (bso#15997); (bsc#1261158). * CVE-2026-40170: thirdparty ngtcp2 needs to be updated; (bso#16059). * Winbind can change Ownership Of / To A User Who has Homedir / In passwd; (bso#16073). ==== selinux-policy ==== Version update (20260522 -> 20260526) Subpackages: selinux-policy-targeted - Update to version 20260526: * Dontaudit apcupsd dac_override (bsc#1261232) * Allow virtqemud_t to call and transition into udev ==== sgml-skel ==== - jsc#PED-14847: Remove unneeded dir /var/lib/sgml - Specfile cleanup * Use %autosetup instead of %setup. * List files in _bindir explicitly instead of globbing. - Trim whitespace in .changes file. ==== talloc ==== Version update (2.4.3 -> 2.4.4) Subpackages: libtalloc2 libtalloc2-32bit libtalloc2-x86-64-v3 python3-talloc python3-talloc-x86-64-v3 - Update to 2.4.4 * lib: Add talloc_realloc_zero() * lib: docs: talloc: fix a wrong cd command * lib:talloc: Remove obsolete web page ==== tdb ==== Version update (1.4.14 -> 1.4.15) Subpackages: libtdb1 libtdb1-32bit python3-tdb - Update to 1.4.15 * Fix parse_hex during `tdbtool storehex` * Remove obsolete web page * tdbtorture: Fix CID 1034816: proper calloc usage ==== unbound ==== Version update (1.25.0 -> 1.25.1) Subpackages: libunbound8 unbound-anchor - Update to 1.25.1: * CVE-2026-33278, bsc#1265587: Possible remote code execution during DNSSEC validation * CVE-2026-42944, bsc#1265578: Heap overflow and crash with multiple nsid, cookie, padding EDNS options * CVE-2026-42959, bsc#1265586: Crash during DNSSEC validation of malicious content * CVE-2026-32792, bsc#1265583: Packet of death with DNSCrypt * CVE-2026-40622, bsc#1265581: "Ghost domain name" variant * CVE-2026-41292, bsc#1265580: Parsing a long list of incoming EDNS options degrades performance * CVE-2026-42534, bsc#1265585: Jostle logic bypass degrades resolution performance * CVE-2026-42923, bsc#1265589: Degradation of service with unbounded NSEC3 hash calculations * CVE-2026-42960, bsc#1265588: Possible cache poisoning attack while following delegation * CVE-2026-44390, bsc#1265584: Unbounded name compression in certain cases causes degradation of service * CVE-2026-44608, bsc#1265582: Use after free and crash in RPZ code. - Disable quic support for non tumbleweed distros ==== vorbis-tools ==== Subpackages: vorbis-tools-lang - Fix buffer underflow in the `ogg123` utility in function `remotethread` of `remote.c` (CVE-2026-34253, bsc#1265361): 0001-Do-not-assume-fgets-result-is-non-empty.patch 0002-ogg123-Handle-EOF-error-in-remote-interface.patch