Packages changed:
  MicroOS-release (20251217 -> 20251220)
  busybox
  dracut (059+suse.769.g693ea004 -> 059+suse.785.g17d177bb)
  flatpak (1.16.1 -> 1.16.2)
  fuse3 (3.17.4 -> 3.18.0)
  fwupd (2.0.18 -> 2.0.19)
  kernel-firmware-i915 (20251125 -> 20251217)
  kernel-firmware-intel
  kernel-firmware-iwlwifi (20251123 -> 20251217)
  kernel-firmware-platform
  kernel-firmware-qcom (20251202 -> 20251217)
  kernel-firmware-realtek (20251118 -> 20251217)
  kernel-firmware-sound (20251205 -> 20251217)
  kernel-source (6.18.1 -> 6.18.2)
  libopenmpt (0.8.3 -> 0.8.4)
  multipath-tools (0.13.0+127+suse.37f9a4c9 -> 0.13.0+229+suse.dbac936f)
  opus (1.5.2 -> 1.6)
  python-tornado6 (6.5 -> 6.5.4)
  qt6-webengine
  rsync
  sdbootutil (1+git20251211.b3d0304 -> 1+git20251218.1cd7294)
  selinux-policy (20251211 -> 20251219)

=== Details ===

==== MicroOS-release ====
Version update (20251217 -> 20251220)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== busybox ====

- Fix tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661)
  * 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch
- Fix HTTP request header injection in wget (CVE-2025-60876, bsc#1253245)
  * wget-don-t-allow-control-characters-in-url.patch
- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid conflict (bsc#1236670)
- Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237)
  * 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch

==== dracut ====
Version update (059+suse.769.g693ea004 -> 059+suse.785.g17d177bb)
Subpackages: dracut-ima

- Update to version 059+suse.785.g17d177bb:
  Fix and update testsuite (bsc#1254873):
  * test(FULL-SYSTEMD): ignore errors in systemd-vconsole-setup.service
  * test: move /failed to /run/failed as rootfs might be read-only
  * test(FULL-SYSTEMD): use poweroff to shut down test
  * test(FULL SYSTEMD): no need to include dbus to the target rootfs
  * test: make the size of all test drives 512 MB
  * fix(systemd): move installation of libkmod to udev-rules module
  * test: switch to virtio for the QEMU drive
  * test: switch to virtio for the QEMU drive
  * test: increase test VM memory from 512M to 1024M to avoid OOM killer
  * test: move more common test code to test-functions
  * test: upgrade to ext4
  Other:
  * fix(systemd-networkd): install and enable systemd-networkd-resolve-hook.socket
  * fix(nfs): do not execute logic in nfs hooks if netroot is not nfs (bsc#1253960)

==== flatpak ====
Version update (1.16.1 -> 1.16.2)
Subpackages: flatpak-selinux libflatpak0 system-user-flatpak

- Update to version 1.16.2:
  + Enhancements:
    - Documentation improvements
    - Support the reinstall option on bundle installations
    - Enable the VA-API extension for Intel Xe GPUs
    - Documentation improvements
    - Add cancellation support for curl downloads
  + Bug fixes:
    - Provide an empty /run/host/font-dirs.xml during flatpak build
    - Fix various issues with flatpak mask and flatpak pin by reloading the repo configuration after changes done via the system helper
    - Fix an issue where the home directory would accidentally be accessible when a bad version of glib is in use, the app has access to a standard XDG directory, and that directory is not available on the system
    - flatpak-kill will no longer send SIGKILL to all processes in the current process group
    - Various bug fixes for the OCI support
    - Fix various memory leaks
    - Fix various crashes
  + Updated translations.
- Drop cd80e843435df5ce70d9a2b6710098135ceb9085.patch: Fixed upstream.

==== fuse3 ====
Version update (3.17.4 -> 3.18.0)
Subpackages: libfuse3-4

- Update to release 3.18.0
  * FUSE-over-uring communication
  * statx support
  * FUSE_NOTIFY_INC_EPOCH: New notification mechanism for epoch counters
  * Fixed double unmount on FUSE_DESTROY
  * Fixed junk readdirplus results when filesystem does not fill stat info

==== fwupd ====
Version update (2.0.18 -> 2.0.19)
Subpackages: libfwupd3 typelib-1_0-Fwupd-2_0

- Update to version 2.0.19:
  + This release adds the following features:
    - Add two commands to fwupdtool to calculate and find CRCs
    - Allow systems to use the udev event source without using systemd
  + This release fixes the following bugs:
    - Always show the correct new firmware version in 'fwupdmgr get-history'
    - Fix an integer underflow when parsing a malicious PE file
    - Fix a regression when enumerating the dell-dock status component
    - Fix the fuzzer timeout when parsing a synaptics-rmi SBL container
    - Fix updating the Intel GPU FWDATA section
    - Respect 'fwupdmgr --force' when installing firmware
  + This release adds support for the following hardware:
    - Lenovo Sapphire Folio Keyboard

==== kernel-firmware-i915 ====
Version update (20251125 -> 20251217)

- Update aliases for 6.19-rc1
- Update to version 20251217 (git commit c695356f6ea1):
  * xe: Update GUC to v70.55.3 for BMG, PTL

==== kernel-firmware-intel ====

- Update aliases for 6.19-rc1

==== kernel-firmware-iwlwifi ====
Version update (20251123 -> 20251217)

- Update to version 20251217 (git commit c695356f6ea1):
  * iwlwifi: add Bz/Sc FW for core101-82 release
  * iwlwifi: Add Sc/Gf firmware for core101-82 release
  * iwlwifi: update ty/So/Ma firmwares for core101-82 release
  * iwlwifi: update cc/Qu/QuZ firmwares for core101-82 release

==== kernel-firmware-platform ====

- Update aliases for 6.19-rc1

==== kernel-firmware-qcom ====
Version update (20251202 -> 20251217)

- Update to version 20251217 (git commit c695356f6ea1):
  * qcom: drop compatibility a640_zap.mdt symlink
- Update to version 20251211 (git commit 6953ec7e9fea):
  * qcom: Add firmwares for sm8150 GPU
  * qcom: Add firmwares for sm8450 GPU
  * qcom: Add firmwares for sm8550 GPU
  * qcom: Add firmwares for sm8650 GPU
  * qcom: Add firmwares for sm8750 GPU

==== kernel-firmware-realtek ====
Version update (20251118 -> 20251217)

- Update aliases for 6.19-rc1
- Update to version 20251217 (git commit c695356f6ea1):
  * rtw89: 8852b: update fw to v0.29.29.15

==== kernel-firmware-sound ====
Version update (20251205 -> 20251217)

- Update to version 20251217 (git commit c695356f6ea1):
  * cirrus: cs35l41: Update firmware and tuning for various HP laptops
  * cirrus: cs35l41: Add support for new HP Clipper laptop

==== kernel-source ====
Version update (6.18.1 -> 6.18.2)

- Update patches.kernel.org/6.18.1-003-ext4-refresh-inline-data-size-before-write-ope.patch (bsc#1012628 CVE-2025-68264 bsc#1255380).
- Update patches.kernel.org/6.18.1-004-ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_r.patch (bsc#1012628 CVE-2025-68263 bsc#1255384).
- Update patches.kernel.org/6.18.1-006-crypto-zstd-fix-double-free-in-per-CPU-stream-.patch (bsc#1012628 CVE-2025-68262 bsc#1255158).
- Update patches.kernel.org/6.18.1-007-ext4-add-i_data_sem-protection-in-ext4_destroy.patch (bsc#1012628 CVE-2025-68261 bsc#1255164).
- Update patches.kernel.org/6.18.1-008-rust_binder-fix-race-condition-on-death_list.patch (bsc#1012628 CVE-2025-68260 bsc#1255177).
- Update patches.kernel.org/6.18.1-010-KVM-SVM-Don-t-skip-unrelated-instruction-if-IN.patch (bsc#1012628 CVE-2025-68259 bsc#1255199).
- Update patches.kernel.org/6.18.1-025-comedi-multiq3-sanitize-config-options-in-mult.patch (bsc#1012628 CVE-2025-68258 bsc#1255182).
- Update patches.kernel.org/6.18.1-026-comedi-check-device-s-attached-status-in-compa.patch (bsc#1012628 CVE-2025-68257 bsc#1255167).
- Update patches.kernel.org/6.18.1-027-staging-rtl8723bs-fix-out-of-bounds-read-in-rt.patch (bsc#1012628 CVE-2025-68256 bsc#1255138).
- Update patches.kernel.org/6.18.1-028-staging-rtl8723bs-fix-stack-buffer-overflow-in.patch (bsc#1012628 CVE-2025-68255).
- Update patches.kernel.org/6.18.1-029-staging-rtl8723bs-fix-out-of-bounds-read-in-On.patch (bsc#1012628 CVE-2025-68254 bsc#1255140).
- Update patches.kernel.org/6.18.2-517-net-sched-sch_cake-Fix-incorrect-qlen-reductio.patch (bsc#1012628 CVE-2025-68325).
- Update patches.kernel.org/6.18.2-589-scsi-imm-Fix-use-after-free-bug-caused-by-unfi.patch (bsc#1012628 CVE-2025-68324).
- Update patches.kernel.org/6.18.2-602-usb-typec-ucsi-fix-use-after-free-caused-by-ue.patch (bsc#1012628 CVE-2025-68323).
  suse-add-cves
- commit 9447271
- netfilter: nf_conncount: fix leaked ct in error paths (git-fixes).
- commit 05e3e3d
- Update config files.
- commit 1b7058f
- Linux 6.18.2 (bsc#1012628).
- smack: fix bug: SMACK64TRANSMUTE set on non-directory (bsc#1012628).
- smack: deduplicate "does access rule request transmutation" (bsc#1012628).
- smack: deduplicate xattr setting in smack_inode_init_security() (bsc#1012628).
- smack: always "instantiate" inode in smack_inode_init_security() (bsc#1012628).
- smack: fix bug: invalid label of unix socket file (bsc#1012628).
- smack: fix bug: unprivileged task can create labels (bsc#1012628).
- smack: fix bug: setting task label silently ignores input garbage (bsc#1012628).
- gpu: host1x: Fix race in syncpt alloc/free (bsc#1012628).
- accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() (bsc#1012628).
- accel/amdxdna: Call dma_buf_vmap_unlocked() for imported object (bsc#1012628).
- accel/ivpu: Ensure rpm_runtime_put in case of engine reset/resume fail (bsc#1012628).
- drm/panel: visionox-rm69299: Fix clock frequency for SHIFT6mq (bsc#1012628).
- drm/panel: visionox-rm69299: Don't clear all mode flags (bsc#1012628).
- accel/ivpu: Rework bind/unbind of imported buffers (bsc#1012628).
- accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() (bsc#1012628).
- accel/ivpu: Fix DCT active percent format (bsc#1012628).
- drm/vgem-fence: Fix potential deadlock on release (bsc#1012628).
- bpf: Cleanup unused func args in rqspinlock implementation (bsc#1012628).
- bpf: Fix sleepable context for async callbacks (bsc#1012628).
- bpf: Fix handling maps with no BTF and non-constant offsets for the bpf_wq (bsc#1012628).
- tools/nolibc: handle NULL wstatus argument to waitpid() (bsc#1012628).
- USB: Fix descriptor count when handling invalid MBIM extended descriptor (bsc#1012628).
- perf bpf_counter: Fix opening of "any"(-1) CPU events (bsc#1012628).
- pinctrl: qcom: glymur: Drop unnecessary platform data from match table (bsc#1012628).
- pinctrl: qcom: glymur: Fix the gpio and egpio pin functions (bsc#1012628).
- ima: Attach CREDS_CHECK IMA hook to bprm_creds_from_file LSM hook (bsc#1012628).
- pinctrl: renesas: rzg2l: Fix PMC restore (bsc#1012628).
- clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle
... changelog too long, skipping 1022 lines ...
- commit 114a3e8

==== libopenmpt ====
Version update (0.8.3 -> 0.8.4)

- Update to 0.8.4:
  * openmpt123: libsndfile float32 output was broken since 0.8.1.
  * [Bug] build/download_externals.txt was missing from makefile and msvc source archives.
  * PT36: Some MODs with samples larger than 64k inside PT36 containers were not read correctly.
  * IT: Files are no longer interpreted as ModPlug-made (thus disabling all compatibility settings) just because instrument extensions are found (no such files are currently known to exist in the wild).

==== multipath-tools ====
Version update (0.13.0+127+suse.37f9a4c9 -> 0.13.0+229+suse.dbac936f)
Subpackages: kpartx libmpath0

- Update to version 0.13.0+229+suse.dbac936f:
  * multipath-tools tests: adaptations for cmocka 2.0 (bsc#1255045, gh#opensvc/multipath-tools#129)
  * libmpathutil: use union for bitfield (bsc#1255285)
  * libmultipath: don't access path members in free_pgvec() (gh#opensvc/multipath-tools#128)
- Include reviewed upstream fixes post 0.13.0:
  * more mpathpersist fixes
  * hwtable updates
- Update to version 0.13.0+201+suse.821510bc:
  * CI: more GitHub workflow updates. No code changes.
- Update to version 0.13.0+186+suse.9a8e81de:
  * CI: GitHub workflow updates. No code changes.

==== opus ====
Version update (1.5.2 -> 1.6)

- Update to version 1.6
  * A new wideband-to-fullband bandwidth extension (BWE) module.
  * Support for 96 kHz audio with Opus HD.
  * Significant improvement to Deep Redundancy (DRED).
  * A new 24-bit encoder/decoder API.
  * Fixed-point improvements.

==== python-tornado6 ====
Version update (6.5 -> 6.5.4)

- Update to 6.5.4
  * The in operator for HTTPHeaders was incorrectly case-sensitive, causing lookups to fail for headers with different casing than the original header name. This was a regression in version 6.5.3 and has been fixed to restore the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
  * Fixed a denial-of-service vulnerability involving quadratic computation when parsing multipart/form-data request bodies. CVE-2025-67726 Thanks to Finder16 for reporting this issue.
  * Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP headers. CVE-2025-67725. Thanks to Finder16 for reporting this issue.
  * Fixed a header injection and XSS vulnerability involving the reason argument to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724. Thanks to Finder16 and Cheshire1225 for reporting this issue.
  * Several demo applications bundled with the Tornado repo (blog, chat, facebook) had an open redirect vulnerability which has been fixed. This is not covered by a CVE or security advisory since the demo applications are not included as a part of the Tornado package when installed, but developers who have copied code from these demos may wish to review their own applications for open redirects. Thanks to J1vvoo for reporting this issue.
  * The s3server demo application contained some path traversal vulnerabilities. Since this demo application was not demonstrating any interesting aspects of Tornado, it has been deleted rather than being fixed. Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
  * Fixed a bug that resulted in WebSocket pings not being sent at the configured interval.
  * Improved logging for invalid Host headers. This was previously logged as an uncaught exception with a stack trace, now it is simply a 400 response (logged as a warning in the access log).
  * Restored the host argument to .HTTPServerRequest. This argument is deprecated and will be removed in the future, but its removal with no warning in 6.5.0 was a mistake.
  * Removed a debugging print statement that was left in the code.
  * Improved type hints for gen.multi.
- Update to 6.5.1
  * Fixed a bug in multipart/form-data parsing that could incorrectly reject filenames containing characters above U+00FF (i.e. most characters outside the Latin alphabet).

==== qt6-webengine ====
Subpackages: libQt6WebEngineCore6 libQt6WebEngineQuick6 libQt6WebEngineWidgets6 qt6-webengine-imports

- boo#1251922 - Re-enable LTO and pass -mno-outline-atomics to 3rdparty/chromium for aarch64 as a workaround until fixed upstream

==== rsync ====

- Security update (CVE-2025-10158, bsc#1254441): rsync: Out of bounds array access via negative index
- Add rsync-CVE-2025-10158.patch

==== sdbootutil ====
Version update (1+git20251211.b3d0304 -> 1+git20251218.1cd7294)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit

- Update to version 1+git20251218.1cd7294:
  * Improve partition detection for multipath (boo#1254317)

==== selinux-policy ====
Version update (20251211 -> 20251219)
Subpackages: selinux-policy-targeted

- Update to version 20251219:
  * Allow 'mysql-systemd-helper upgrade' to work correctly (bsc#1255024)
- Save previous file contexts in /run and ensure deletion (bsc#1245303)
- Update to version 20251218:
  * Allow systemd_udev_trigger_generator_t use CAP_SYS_RESOURCE (bsc#1255079)
- Update to version 20251217:
  * Allow snapper_tu_etc_plugin_t to connect to machined varlink socket (bsc#1254889)
  * Label amavis spool directory correctly (bsc#1254438)