Packages changed: Mesa (25.3.1 -> 25.3.3) Mesa-drivers (25.3.1 -> 25.3.3) MicroOS-release (20260106 -> 20260108) curl (8.17.0 -> 8.18.0) kernel-firmware-bluetooth (20251228 -> 20260106) kernel-firmware-network (20250912 -> 20260106) kernel-firmware-platform kernel-firmware-qcom (20251228 -> 20260106) kernel-firmware-realtek libdecor (0.2.2 -> 0.2.5) libdrm (2.4.130 -> 2.4.131) libevdev (1.13.5 -> 1.13.6) libgcrypt libheif (1.20.2 -> 1.21.1) libva (2.22.0 -> 2.23.0) ncurses (6.5.20251213 -> 6.6.20260103) python-maturin (1.10.2 -> 1.11.2) rust-keylime (0.2.8+12 -> 0.2.8+96) systemd-presets-branding-MicroOS tslib (1.22 -> 1.24) yast2 (5.0.17 -> 5.0.18) === Details === ==== Mesa ==== Version update (25.3.1 -> 25.3.3) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to Mesa 25.3.3 - -> https://docs.mesa3d.org/relnotes/25.3.3 - Update to Mesa 25.3.2 - -> https://docs.mesa3d.org/relnotes/25.3.2 ==== Mesa-drivers ==== Version update (25.3.1 -> 25.3.3) Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Update to Mesa 25.3.3 - -> https://docs.mesa3d.org/relnotes/25.3.3 - Update to Mesa 25.3.2 - -> https://docs.mesa3d.org/relnotes/25.3.2 ==== MicroOS-release ==== Version update (20260106 -> 20260108) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== curl ==== Version update (8.17.0 -> 8.18.0) Subpackages: libcurl4 - Update to 8.18.0: * Security fixes: - [bsc#1256105, CVE-2025-14017] ldap: call ldap_init() before setting the options - [bsc#1255731, CVE-2025-14524] curl_sasl: if redirected, require permission to use bearer - [bsc#1255734, CVE-2025-15224] libssh: require private key or user-agent for public key auth - [bsc#1255732, CVE-2025-14819] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache - [bsc#1255733, CVE-2025-15079] libssh: set both knownhosts options to the same file * Changes: - openssl: bump minimum OpenSSL version to 3.0.0 * Bugfixes: - alt-svc: more flexibility on same destination - altsvc: accept ma/persist per alternative entry - altsvc: make it one malloc instead of three per entry - asyn-ares: handle Curl_dnscache_mk_entry() OOM error - asyn-ares: remove hostname free on OOM - asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo - asyn-thrdd: release rrname if ares_init_options fails - auth: always treat Curl_auth_ntlm_get() returning NULL as OOM - autotools: add nettle library detection via pkg-config (for GnuTLS) - autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr) - autotools: fix LargeFile feature display on Windows (after prev patch) - autotools: tidy-up 'if' expressions - build: add build-level 'CURL_DISABLE_TYPECHECK' options - build: exclude clang prereleases from compiler warning options - build: replace '-pedantic' with '-Wpedantic' when supported - build: set '-Wno-format-signedness' - build: tidy-up MSVC CRT warning suppression macros - ccsidcurl: make curl_mime_data_ccsid() use the converted size - cf-h1-proxy: support folded headers in CONNECT responses - cf-https-connect: allocate ctx at first in cf_hc_create() - cf-socket: drop feature check for 'IPV6_V6ONLY' on Windows - cf-socket: enable Win10 'TCP_KEEP*' options with old SDKs - cf-socket: limit use of 'TCP_KEEP*' to Windows 10.0.16299+ at runtime - cf-socket: return OOM error if socket() fails due to OOM - cf-socket: trace ignored errors - cfilters: make conn_forget_socket a private libssh function - checksrc.pl: detect assign followed by more than one space - cmake: adjust defaults for target platforms not supporting shared libs - cmake: define dependencies as 'IMPORTED' interface targets - cmake: delete unused file 'CMake/CMakeConfigurableFile.in' - cmake: disable 'CURL_CA_PATH' auto-detection if 'USE_APPLE_SECTRUST=ON' - cmake: fix 'ws2_32' reference in 'curl-config.cmake' - cmake: honor 'CURL_DISABLE_INSTALL' and 'CURL_ENABLE_EXPORT_TARGET' - cmake: replace deprecated 'OPENSSL_FOUND' with 'OpenSSL_FOUND' - cmake: replace deprecated 'PERL_FOUND' with 'Perl_FOUND' - cmake: save and restore 'CMAKE_MODULE_PATH' in 'curl-config.cmake' - cmake: set found status to OFF when not found (for compression deps) - code: minor indent fixes before closing braces - config-win32.h: delete obsolete, non-Windows comments - config-win32.h: drop unused/obsolete 'CURL_HAS_OPENLDAP_LDAPSDK' - config2setopts: add space in cookie header with multiple -b - config2setopts: bail out if curl_url_get() returns OOM - config2setopts: exit if curl_url_set() fails on OOM - configure: delete unused variable - conncache: silence '-Wnull-dereference' on gcc 14 RISC-V 64 - conncontrol: reuse handling - connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' - connection: attached transfer count - content_encoding: avoid strcpy - cookie. return proper error on OOM - cookie: allocate the main struct once cookie is fine - cookie: flush better - cookie: only keep and use the canonical cleaned up path - cookie: propagate errors better, cleanup the internal API - cookie: return error on OOM - cookie: when parsing a cookie header, delay all allocations until okay - cshutdn: acknowledge FD_SETSIZE for shutdown descriptors - curl: fix progress meter in parallel mode - curl_fopen: do not pass invalid mode flags to 'open()' on Windows - curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer - curl_ntlm_core: fix DES_* symbols for some wolfSSL builds - curl_quiche: refuse headers with CR, LF or null bytes - curl_sasl: make Curl_sasl_decode_mech compare case insensitively - curl_setup.h: document more funcs flagged by '_CRT_SECURE_NO_WARNINGS' - curl_setup.h: drop stray '#undef stat' (Windows) - curl_setup.h: drop superfluous parenthesis from 'Curl_safefree' macro - curl_threads: don't do another malloc if the first fails - curl_trc: delete unused DoH remains - CURLINFO: remove 'get' and 'get the' from each short desc - CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer" - CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text - CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use - CURLOPT_ACCEPT_ENCODING.md: warn about the expansion - CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/ - CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use - CURLOPT_READFUNCTION.md: clarify the size of the buffer - CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example - curlx/fopen: replace open CRT functions their with '_s' counterparts (Windows) - curlx/multibyte: stop setting macros for non-Windows - curlx/strerr: use 'strerror_s()' on Windows - curlx: add 'curlx_rename()', fix to support long filenames on Windows - curlx: curlx_strcopy() instead of strcpy() - curlx: limit use of system allocators to the minimum possible - curlx: replace 'mbstowcs'/'wcstombs' with '_s' counterparts (Windows) - curlx: replace 'sprintf' with 'snprintf' - curlx: use curl alloc in 'curlx_win32_stat()' (Windows) - curlx: use curlx allocators in non-memdebug builds (Windows) - DEPRECATE: add CMake <3.18 deprecation for April 2026 - digest: fix OWS and escaped quote handling ... changelog too long, skipping 207 lines ... * Remove patch curl-vtls-fix-CURLOPT_CAPATH-use.patch ==== kernel-firmware-bluetooth ==== Version update (20251228 -> 20260106) - Update to version 20260106 (git commit e272e0d1edce): * qca: Update Bluetooth WCN6750 1.1.3-00100 firmware to 1.1.3-00105 ==== kernel-firmware-network ==== Version update (20250912 -> 20260106) - Update to version 20260106 (git commit e272e0d1edce): * linux-firmware: add firmware for an8811hb 2.5G ethernet phy ==== kernel-firmware-platform ==== - Update aliases ==== kernel-firmware-qcom ==== Version update (20251228 -> 20260106) - Update to version 20260106 (git commit e272e0d1edce): * qcom: Update aic100 firmware files * firmware: Revert kernel_boot.elf due to license compliance issue ==== kernel-firmware-realtek ==== - Update aliases for more Realtek WiFi devices (bsc#1255777) ==== libdecor ==== Version update (0.2.2 -> 0.2.5) Subpackages: libdecor-0-0 - update to 0.2.5: * libdecor: Fix set_visibility for SSD compositors * Don't commit frame when with no content set * Always apply limits no matter the window state * Only query border size when decorated ==== libdrm ==== Version update (2.4.130 -> 2.4.131) Subpackages: libdrm2 libdrm_amdgpu1 libdrm_intel1 - update to 2.4.131 * support steam machine * avoid insecure getenv use ==== libevdev ==== Version update (1.13.5 -> 1.13.6) - update to 1.13.6: * include: sync event codes with kernel 6.18 ==== libgcrypt ==== - enable the Kyber PQ KEM (boo#1256108) ==== libheif ==== Version update (1.20.2 -> 1.21.1) - update to 1.21.1: * This patch release only fixes a build error with some GCC versions because of a missing #include. - update to 1.21.0: * This release adds full support for reading and writing HEIF image sequences. libheif will now encode HEIF image sequences with all included codecs. * Since HEIF image sequences are very similar to MP4 videos, this new version is also capable of decoding most MP4 videos (without audio, of course). * heif-enc documentation for sequence encoding * API documentation for reading and writing sequences * Support for image sequences with alpha channels. For most codecs, the alpha channel will be stored in a separate, auxiliary, monochrome track. For ISO/IEC 23001-17 (uncompressed) streams, the alpha channel is stored in the main video track. * Support for sequence track edit lists to define the number of sequence repetitions (without actually repeating the video data). * New encoder plugin using x264 to write H.264-compressed video streams and images. * The FFmpeg decoder plugin will now decode both H.265 and H.264. * Support for HEIF text items and language properties. * CVEs fixed: CVE-2025-68431 ==== libva ==== Version update (2.22.0 -> 2.23.0) Subpackages: libva-drm2 libva-wayland2 libva-x11-2 libva2 - update to 2.23.0: * va: add VAProfileH264High422 * va: add av1 profile2 * va: correct the description of segment id map buffer for vp9e * va: encode segmentation map refine * va: add defintions for segment id block size * trace: support more format surface dump * trace:add vpp output surface dump support * trace: add Y410 support in dump surface * trace: add trace for vaDeriveImage * trace: add missing trace fields for VAProcPipelineParameterBuffer * doc: add backward compatibility declarison declaration * android: Remove unnecessary Android code * android: Include directories and generated header files in Android.bp * android: Update Android.bp to generate va_version.h and build only for x86_64 * android: Add Android.bp to replace mk files ==== ncurses ==== Version update (6.5.20251213 -> 6.6.20260103) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20251231 + amend fix for Windows-style pathnames to eliminate "./" in comment generated by infocmp where not needed (report by Sven Joachim). + fix a few gcc 15.2 warnings for C23 + actually generate doc/html/announce.html (report by Branden Robinson) - Add ncurses patch 20260103 + cancel ncv in putty (patch by Jakub Horky) + add NQ to list of user-definable capabilities in user_caps(5) (patch by Jakub Horky) + update ncurses/wcwidth.c, for MinGW ports, from xterm. - Update to ncurses 6.6 (patch 20251230) + update announcement + corrected an ifdef needed for mouse support in MinGW/Windows + eliminate remaining duplicate code between MinGW/Windows drivers - Update to tack-1.11-20251210 * package/debian/changelog, package/tack.spec, tack.h: bump * edit.c: gcc warning 0 vs NULL * tackcfg.h: build-fix: term.h no longer exports termios.h definitions (Debian #1122485) * tack.h: use noreturn, if possible * tackgen.c, tack.c, pad.c, sync.c, output.c, modes.c, crum.c, edit.c, fun.c, init.c, menu.c, ansi.c, charset.c, color.c, control.c, tack.h: fixes for gcc15 -Wzero-as-null-pointer-constant - Port and rename patch ncurses-6.4.dif which is now ncurses-6.6.dif - Port patches * ncurses-5.9-ibm327x.dif * ncurses-6.5-ghostty.dif - Add ncurses patch 20251227 + make win32_curses.h obsolete in favor of nc_win32.h + modify MinGW32 configuration to account for its use of Windows-style pathnames in filesystem checks. + replace --enable-exp-win32 option with --enable-named-pipes - Add ncurses patch 20251220 > in-progress work to merge MinGW/Windows port. + eliminate EXP_WIN32_DRIVER with USE_NAMED_PIPES + change MS_TERMINAL to DEFAULT_TERM_VAR ==== python-maturin ==== Version update (1.10.2 -> 1.11.2) - Update to version 1.11.2 (version bump only) - Changes in 1.11.1: * Fix compiled artifacts being excluded by source path matching gh#PyO3/maturin#2910 * Better error reporting for missing interpreters gh#PyO3/maturin#2918 * Ignore unreadable excluded directories gh#PyO3/maturin#2916 - Changes in 1.11.0: * Correct tagging for x86_64 iOS simulator wheels. gh#PyO3/maturin#2851 * Bump MSRV to 1.85.0 and use Rust 2024 edition gh#PyO3/maturin#2850 * Upgrade goblin to 0.10 gh#PyO3/maturin#2853 * Set entry type when adding to the tar file gh#PyO3/maturin#2859 * Split up module_writer.rs code for code organization gh#PyO3/maturin#2857 * Update environment variables for Android cross-compilation support gh#PyO3/maturin#2825 * Upgrade some Rust dependencies gh#PyO3/maturin#2860 * Swap outer and inner loops in write_python_part() gh#PyO3/maturin#2861 * Split out convenience methods from ModuleWriter trait gh#PyO3/maturin#2842 * Update cargo_metadata to 0.20.0 gh#PyO3/maturin#2864 * Calculate file options for WheelWriter once and cache the result gh#PyO3/maturin#2865 * fix link to pyo3 config file documentation gh#PyO3/maturin#2869 * Clean up internal fields of WheelWriter gh#PyO3/maturin#2870 * chore: bump action versions in the generated ci file gh#PyO3/maturin#2873 * Deprecate 'upload' and 'publish' CLI commands gh#PyO3/maturin#2875 * Create a binding generator trait gh#PyO3/maturin#2872 * Migrate cffi bindings to new BindingGenerator trait gh#PyO3/maturin#2876 * Always emit deprecation warning for 'upload' and 'publish' gh#PyO3/maturin#2879 * Migrate uniffi bindings to new BindingGenerator trait gh#PyO3/maturin#2878 * Emit a warning if a file is excluded from the archive by matching the target gh#PyO3/maturin#2874 * Migrate bin bindings to new BindingGenerator trait gh#PyO3/maturin#2880 * Clean up BindingGenerator interface gh#PyO3/maturin#2881 * Update ModuleWriter logic to use ArchiveSource enum gh#PyO3/maturin#2882 * Auto-enable required features for uniffi-bindgen gh#PyO3/maturin#2886 * Add VirtualWriter to track and order archive entries gh#PyO3/maturin#2887 * Remove maturin publish from docs gh#PyO3/maturin#2904 * Stop hardcode platform tag when using zig gh#PyO3/maturin#2905 * Make PEP 517 profile tests more resilient to cargo profiles gh#PyO3/maturin#2902 * Update pyodide version to fix emscripten CI gh#PyO3/maturin#2906 * Implement Android platform tag support gh#PyO3/maturin#2900 ==== rust-keylime ==== Version update (0.2.8+12 -> 0.2.8+96) - Use tmpfiles.d for /var directories (PED-14736) - Update to version 0.2.8+96: * build(deps): bump wiremock from 0.6.4 to 0.6.5 * build(deps): bump actions/checkout from 5 to 6 * build(deps): bump chrono from 0.4.41 to 0.4.42 * packit: Get coverage from Fedora 43 runs * Fix issues pointed out by clippy * Replace mutex unwraps with proper error handling in TPM library * Remove unused session request methods from StructureFiller * Fix config panic on missing ek_handle in push model agent * build(deps): bump tempfile from 3.21.0 to 3.23.0 * build(deps): bump actions/upload-artifact from 4 to 6 (#1163) * Fix clippy warnings project-wide * Add KEYLIME_DIR support for verifier TLS certificates in push model agent * Thread privileged resources and use MeasurementList for IMA reading * Add privileged resource initialization and privilege dropping to push model agent * Fix privilege dropping order in run_as() * add documentation on FQDN hostnames * Remove confusing logs for push mode agent * Set correct default Verifier port (8891->8881) (#1159) * Add verifier_url to reference configuration file (#1158) * Add TLS support for Registrar communication (#1139) * Fix agent handling of 403 registration responses (#1154) * Add minor README.md rephrasing (#1151) * build(deps): bump actions/checkout from 5 to 6 (#1153) * ci: update spec files for packit COPR build * docs: improve challenge encoding and async TPM documentation * refactor: improve middleware and error handling * feat: add authentication client with middleware integration * docker: Include keylime_push_model_agent binary * Include attestation_interval configuration (#1146) * Persist payload keys to avoid attestation failure on restart * crypto: Implement the load or generate pattern for keys * Use simple algorithm specifiers in certification_keys object (#1140) * tests: Enable more tests in CI * Fix RSA2048 algorithm reporting in keylime agent * Remove disabled_signing_algorithms configuration * rpm: Fix metadata patches to apply to current code * workflows/rpm.yml: Use more strict patching * build(deps): bump uuid from 1.17.0 to 1.18.1 * Fix ECC algorithm selection and reporting for keylime agent * Improve logging consistency and coherency * Implement minimal RFC compliance for Location header and URI parsing (#1125) * Use separate keys for payload mechanism and mTLS * docker: update rust to 1.81 for distroless Dockerfile * Ensure UEFI log capabilities are set to false * build(deps): bump http from 1.1.0 to 1.3.1 * build(deps): bump log from 0.4.27 to 0.4.28 * build(deps): bump cfg-if from 1.0.1 to 1.0.3 * build(deps): bump actix-rt from 2.10.0 to 2.11.0 * build(deps): bump async-trait from 0.1.88 to 0.1.89 * build(deps): bump trybuild from 1.0.105 to 1.0.110 * Accept evidence handling structures null entries * workflows: Add test to check if RPM patches still apply * CI: Enable test add-agent-with-malformed-ek-cert * config: Fix singleton tests * FSM: Remove needless lifetime annotations (#1105) * rpm: Do not remove wiremock which is now available in Fedora * Use latest Fedora httpdate version (1.0.3) * Enhance coverage with parse_retry_after test * Fix issues reported by CI regarding unwrap() calls * Reuse max retries indicated to the ResilientClient * Include limit of retries to 5 for Retry-After * Add policy to handle Retry-After response headers * build(deps): bump wiremock from 0.6.3 to 0.6.4 * build(deps): bump serde_json from 1.0.140 to 1.0.143 * build(deps): bump pest_derive from 2.8.0 to 2.8.1 * build(deps): bump syn from 2.0.90 to 2.0.106 * build(deps): bump tempfile from 3.20.0 to 3.21.0 * build(deps): bump thiserror from 2.0.12 to 2.0.16 * rpm: Fix patches to apply to current master code * build(deps): bump anyhow from 1.0.98 to 1.0.99 * state_machine: Automatically clean config override during tests * config: Implement singleton and factory pattern * testing: Support overriding configuration during tests * feat: implement standalone challenge-response authentication module * structures: rename session structs for clarity and fix typos * tpm: refactor certify_credential_with_iak() into a more generic function * Add Push Model Agent Mermaid FSM chart (#1095) * Add state to avoid exiting on wrong attestation (#1093) * Add 6 alphanumeric lowercase X-Request-ID header * Enhance Evidence Handling response parsing * build(deps): bump quote from 1.0.35 to 1.0.40 * build(deps): bump libc from 0.2.172 to 0.2.175 * build(deps): bump glob from 0.3.2 to 0.3.3 * build(deps): bump actix-web from 4.10.2 to 4.11.0 ==== systemd-presets-branding-MicroOS ==== - Modernize specfile - Update Supplements to new RPM format - Use RPM macros provided by systemd-presets-common-SUSE-devel ==== tslib ==== Version update (1.22 -> 1.24) - update to 1.24: * improved release procedure * debug fixes for 32bit systems * CMake and autoconf updates for newer versions * fixes for minor cppcheck errors * ts_conf test program fixes * new filter module: `module crop` * some build and security fixes * improved release procedure - updated keyring ==== yast2 ==== Version update (5.0.17 -> 5.0.18) - save_y2logs: Do not use the legacy /var/lib/rpm database path (bsc#1254914) - 5.0.18