Packages changed: MicroOS-release (20250623 -> 20250624) cpio docker fwupd glibc gpg2 (2.5.7 -> 2.5.8) kernel-firmware-amdgpu (20250620 -> 20250623) kernel-firmware-brcm (20250603 -> 20250623) kernel-firmware-iwlwifi kernel-firmware-mediatek kernel-firmware-network kernel-firmware-platform kernel-firmware-realtek kernel-firmware-sound kernel-source (6.15.2 -> 6.15.3) kf6-kirigami librepo (1.19.0 -> 1.20.0) libusb-1_0 (1.0.28 -> 1.0.29) libwacom (2.15.0 -> 2.16.1) ncurses (6.5.20250614 -> 6.5.20250621) python-maturin (1.8.7 -> 1.9.0) python-urllib3 (2.4.0 -> 2.5.0) python313 (3.13.3 -> 3.13.5) python313-core (3.13.3 -> 3.13.5) sddm sddm-qt6 snappy xdg-user-dirs === Details === ==== MicroOS-release ==== Version update (20250623 -> 20250624) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== cpio ==== - Downgrade cpio-mt and rmt recommends to suggests (boo#1244434) ==== docker ==== Subpackages: docker-buildx docker-rootless-extras [ This update is a no-op, only needed to work around unfortunate automated packaging script behaviour on SLES. ] - The following patches were removed in openSUSE in the Docker 28.1.1-ce update, but the patch names were later renamed in a SLES-only update before Docker 28.1.1-ce was submitted to SLES. This causes the SLES build scripts to refuse the update because the patches are not referenced in the changelog. There is no obvious place to put the patch removals (the 28.1.1-ce update removing the patches chronologically predates their renaming in SLES), so they are included here a dummy changelog entry to work around the issue. - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - Update to docker-buildx v0.25.0. Upstream changelog: ==== fwupd ==== Subpackages: libfwupd3 typelib-1_0-Fwupd-2_0 - Fix %{_modulesloaddir}/fwupd-i2c.conf packaging ==== glibc ==== Subpackages: glibc-locale glibc-locale-base - ppc64le-revert-power10-strcmp.patch: Revert optimized POWER10 strcmp, strncmp implementations (CVE-2025-5745, CVE-2025-5702, bsc#1244184, bsc#1244182, BZ #33060, BZ #33056) - ppc64le-revert-power10-memcmp.patch: Revert optimized POWER10 memcmp implementation (BZ #33059) - Filter GLIBC_PRIVATE symbols again - Drop ngpt provides - Refine libc_nonshared.a workaround - Enable Userspace Livepatching on ppc64le (jsc#PED-7395) ==== gpg2 ==== Version update (2.5.7 -> 2.5.8) - Update to 2.5.8: * gpg: Show revocation reason with a standard -k listing. [T7083] * gpg: Emit a revocation reason as comment in a "pub" record. [T7083] * agent: Fix regression in 2.5.7 decrypting with a card based cv25519 key. [T7676] * scd:openpgp: Fix a regression in exporting card based ed25519 ssh keys. [T7589] * dirmngr: Do not require a keyserver for "gpg --fetch-key". [T7693] - Remove patch: * gnupg-agent-fix-for-prefix-0x40-in-the-point-representation.patch ==== kernel-firmware-amdgpu ==== Version update (20250620 -> 20250623) - Update to version 20250623 (git commit dbfe16e9e8ac): * amdgpu: update dmcub fw for dcn401 ==== kernel-firmware-brcm ==== Version update (20250603 -> 20250623) - Update to version 20250623 (git commit dbfe16e9e8ac): * brcm: Fix symlinks for Khadas VIM SDIO wifi config ==== kernel-firmware-iwlwifi ==== - Update aliases ==== kernel-firmware-mediatek ==== - Update aliases ==== kernel-firmware-network ==== - Update aliases ==== kernel-firmware-platform ==== - Update aliases ==== kernel-firmware-realtek ==== - Update aliases ==== kernel-firmware-sound ==== - Update aliases ==== kernel-source ==== Version update (6.15.2 -> 6.15.3) - PCI: pciehp: Ignore belated Presence Detect Changed caused by DPC (git-fixes). - io_uring/sqpoll: don't put task_struct on tctx setup failure (git-fixes). - wifi: remove zero-length arrays (git-fixes). - ptp: fix breakage after ptp_vclock_in_use() rework (git-fixes). - commit 959cb8f - Linux 6.15.3 (bsc#1012628). - tools/x86/kcpuid: Fix error handling (bsc#1012628). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (bsc#1012628). - crypto: iaa - Do not clobber req->base.data (bsc#1012628). - crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run() (bsc#1012628). - sched: Fix trace_sched_switch(.prev_state) (bsc#1012628). - crypto: ecdsa - Fix enc/dec size reported by KEYCTL_PKEY_QUERY (bsc#1012628). - crypto: ecdsa - Fix NIST P521 key size reported by KEYCTL_PKEY_QUERY (bsc#1012628). - crypto: zynqmp-sha - Add locking (bsc#1012628). - kunit: qemu_configs: sparc: Explicitly enable CONFIG_SPARC32=y (bsc#1012628). - kunit: qemu_configs: Disable faulting tests on 32-bit SPARC (bsc#1012628). - perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member (bsc#1012628). - perf/x86/amd/uncore: Prevent UMC counters from saturating (bsc#1012628). - gfs2: replace sd_aspace with sd_inode (bsc#1012628). - gfs2: gfs2_create_inode error handling fix (bsc#1012628). - gfs2: Move gfs2_dinode_dealloc (bsc#1012628). - gfs2: Move GIF_ALLOC_FAILED check out of gfs2_ea_dealloc (bsc#1012628). - gfs2: deallocate inodes in gfs2_create_inode (bsc#1012628). - perf/core: Fix broken throttling when max_samples_per_tick=1 (bsc#1012628). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (bsc#1012628). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (bsc#1012628). - powerpc: do not build ppc_save_regs.o always (bsc#1012628). - powerpc/crash: Fix non-smp kexec preparation (bsc#1012628). - sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed tasks (bsc#1012628). - x86/microcode/AMD: Do not return error when microcode update is not necessary (bsc#1012628). - selftests: coredump: Properly initialize pointer (bsc#1012628). - selftests: coredump: Fix test failure for slow machines (bsc#1012628). - selftests: coredump: Raise timeout to 2 minutes (bsc#1012628). - crypto: sun8i-ce - undo runtime PM changes during driver removal (bsc#1012628). - blk-throttle: Fix wrong tg->[bytes/io]_disp update in __tg_update_carryover() (bsc#1012628). - x86/cpu: Sanitize CPUID(0x80000000) output (bsc#1012628). - x86/insn: Fix opcode map (!REX2) superscript tags (bsc#1012628). - brd: fix aligned_sector from brd_do_discard() (bsc#1012628). - brd: fix discard end sector (bsc#1012628). - kselftest: cpufreq: Get rid of double suspend in rtcwake case (bsc#1012628). - crypto: marvell/cesa - Handle zero-length skcipher requests (bsc#1012628). - crypto: marvell/cesa - Avoid empty transfer descriptor (bsc#1012628). - erofs: fix file handle encoding for 64-bit NIDs (bsc#1012628). - erofs: avoid using multiple devices with different type (bsc#1012628). - powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view (bsc#1012628). - btrfs: scrub: update device stats when an error is detected (bsc#1012628). - btrfs: scrub: fix a wrong error type when metadata bytenr mismatches (bsc#1012628). - btrfs: fix invalid data space release when truncating block in NOCOW mode (bsc#1012628). - btrfs: fix wrong start offset for delalloc space release during mmap write (bsc#1012628). - rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture (bsc#1012628). - crypto: lrw - Only add ecb if it is not already there (bsc#1012628). - crypto: xts - Only add ecb if it is not already there (bsc#1012628). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (bsc#1012628). - sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE (bsc#1012628). - kunit: Fix wrong parameter to kunit_deactivate_static_stub() (bsc#1012628). - gfs2: Move gfs2_trans_add_databufs (bsc#1012628). - gfs2: Don't start unnecessary transactions during log flush (bsc#1012628). - crypto: api - Redo lookup on EEXIST (bsc#1012628). - ACPICA: exserial: don't forget to handle FFixedHW opregions for reading (bsc#1012628). - ASoC: tas2764: Reinit cache on part reset (bsc#1012628). - ASoC: tas2764: Enable main IRQs (bsc#1012628). - ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() ... changelog too long, skipping 1314 lines ... - commit 5a8b80b ==== kf6-kirigami ==== Subpackages: kf6-kirigami-imports libKirigamiPlatform6 - Add upstream fix: * 0001-Revert-Properly-Align-menubar-when-there-is-a-sideba.patch ==== librepo ==== Version update (1.19.0 -> 1.20.0) - Update to 1.20.0: * Fix and update lr_download_metadata API to enable parallel downloading of repos ==== libusb-1_0 ==== Version update (1.0.28 -> 1.0.29) - Update to version 1.0.29 * LIBUSB_API_VERSION bump for the new functions in 1.0.28 * Fix xusb regression displaying wrong error on claim failure. ==== libwacom ==== Version update (2.15.0 -> 2.16.1) Subpackages: libwacom-data libwacom9 - update to 2.16.1 * New devices: - Add six new tablet definitions - Add Framework 12 touchscreen - Add Dell Active Pen PN7320A stylus * Bug fixes: - Fix segfault after running list-local-devices ==== ncurses ==== Version update (6.5.20250614 -> 6.5.20250621) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20250621 + revise loop in wins_nwstr, to ensure that non-spacing characters are combined with the base spacing character (report by Karl Knechtel). + fixes for port using clang-cl or cl MSVC (report by Kirill Makurin). + improve test-packages: + convert debian*/copyright to DEP-5 format. + modify ".spec" test-files to work around timestamp-clamping in recent Fedora releases. ==== python-maturin ==== Version update (1.8.7 -> 1.9.0) - Update to 1.9.0 * Update pyproject-toml to 0.13.5 gh#PyO3/maturin#2645 * Fix clippy lints gh#PyO3/maturin#2648 * ZipWriter requires a compression level of None for the stored method gh#PyO3/maturin#2644 * Implement PEP 639 Support gh#PyO3/maturin#2647 * Don't go through Display for platform tag to policy gh#PyO3/maturin#2652 * Add --compatibility pypi to avoid building for unsupported architectures gh#PyO3/maturin#2650 * Fix self bootstrap without Rust installed gh#PyO3/maturin#2653 ==== python-urllib3 ==== Version update (2.4.0 -> 2.5.0) - Update to 2.5.0: * Security issues Pool managers now properly control redirects when retries is passed (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925) Redirects are now controlled by urllib3 in the Node.js runtime (CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924) * Features Added support for the compression.zstd module that is new in Python 3.14. Added support for version 0.5 of hatch-vcs * Bugfixes Raised exception for HTTPResponse.shutdown on a connection already released to the pool. Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. ==== python313 ==== Version update (3.13.3 -> 3.13.5) - adjusted sofilename for "nogil" build correctly. - Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. - Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. - Update to 3.13.4: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio create_task() family of methods and how it calls a custom task factory in a backwards incompatible way. Since some 3rd party libraries have already made changes to work around the issue that might break if ... changelog too long, skipping 194 lines ... - gh-132535-rsrc-warn-test_timeout.patch ==== python313-core ==== Version update (3.13.3 -> 3.13.5) Subpackages: libpython3_13-1_0 python313-base - adjusted sofilename for "nogil" build correctly. - Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. - Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. - Update to 3.13.4: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio create_task() family of methods and how it calls a custom task factory in a backwards incompatible way. Since some 3rd party libraries have already made changes to work around the issue that might break if ... changelog too long, skipping 194 lines ... - gh-132535-rsrc-warn-test_timeout.patch ==== sddm ==== - Change patch to start plymouth-quit.service explicitly (boo#1245076): * sddm-service-handle-plymouth.patch ==== sddm-qt6 ==== Subpackages: sddm-greeter-qt6 - Change patch to start plymouth-quit.service explicitly (boo#1245076): * sddm-service-handle-plymouth.patch ==== snappy ==== - Fix build with googletest 1.17.0 by using C++17, boo#1244989 ==== xdg-user-dirs ==== - Drop obsolete update-desktop-files BuildRequires and macro.