Packages changed: busybox (1.37.0 -> 1.38.0) busybox-links (1.37.0 -> 1.38.0) chrony erofs-utils (1.8.10 -> 1.9.2) ethtool (7.0 -> 7.1) freetype2 (2.14.2 -> 2.14.3) grub2 gstreamer (1.28.4 -> 1.28.5) gstreamer-plugins-bad (1.28.4+24 -> 1.28.5) gstreamer-plugins-base (1.28.4 -> 1.28.5) gstreamer-plugins-good (1.28.4 -> 1.28.5) gstreamer-plugins-ugly (1.28.4 -> 1.28.5) libxml2 openSUSE-release (20260710 -> 20260712) openblas_openmp openblas_pthreads python-Pillow (12.2.0 -> 12.3.0) spice-gtk timezone (2026b -> 2026c) xen xrdb (1.2.2 -> 1.2.3) xset (1.2.5 -> 1.2.6) === Details === ==== busybox ==== Version update (1.37.0 -> 1.38.0) Subpackages: busybox-static - Update to version 1.38.0: * New applets: sha384sum, vmstat, ssl_server, lsblk, uuidgen * Security: Disallow path traversals in archival (CVE-2023-39810) * archival: Sanitize filenames on output to prevent control sequence attacks * ash/hush: Implement <<< here_string syntax and improve bash compatibility * libbb: Add yescrypt password hashing support * tls: Implement server-side code and support ECDHE_RSA * httpd: Add connection limits (-M), POSTDATA read timeouts, and CGI logging * telnet/telnetd: Rewrite to use generic fd polling and I/O loop * cut: Major fixes for empty delimiters, ranges, and output-delimiter support * cp: Fix 'cp -aT' overwriting symlink to directories * fdisk: Fix GPT disk size overflow and add 4K sector size support * top: Reduce flicker and show RSS instead of VIRT by default * udhcpc6: Fix potential buffer overflow * many other small fixes and optimizations - Remove patches included in the new version: * busybox-1.37.0-fix-conditional-for-sha1_process_block64_shaNI.patch * busybox-1.37.0-fix-regression-n2.patch * busybox-1.37.0-hexdump-add-tests-for-x-handle-little-big-endian-pro.patch * busybox-1.37.0-hexdump-fix-regression-for-uint16-on-big-endian-syst.patch * busybox-1.37.0-od-make-B-test-little-endian-only-add-variant-for-bi.patch * 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch * 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch * 0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch * 0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch * 0001-udhcpc6-fix-buffer-overflow.patch * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch ==== busybox-links ==== Version update (1.37.0 -> 1.38.0) Subpackages: busybox-coreutils busybox-diffutils busybox-ed busybox-gawk busybox-grep busybox-gzip busybox-man busybox-psmisc busybox-sed busybox-which busybox-xz - Adapt to busybox 1.38, new applets: sha384sum, ssl_server, vmstat, lsblk, uuidgen - Keep passwd in shadow package (it was split in shadow-pw-mgmt in the full featured version) ==== chrony ==== Subpackages: chrony-pool-openSUSE - boo#1257934: support libnettle 4.0 (chrony-libnettle4.patch). ==== erofs-utils ==== Version update (1.8.10 -> 1.9.2) - Update to release 1.9.2 * Add 48-bit layout support for larger filesystems * Add metadata compression support * mkfs: Enable image creation from S3 storage and OCI registries * Implement an external mount helper for mounting remote EROFS filesystems * mount: Add support for mounting EROFS-native layers in OCI regs * mkfs: Support directory compression via the `--zD` option * mkfs: Enable isolated metadata zones to concentrate inodes and directories using the `--MZ` option * mkfs: Support customized lc,lp,pb properties for LZMA * mkfs: Add the `--xattr-inode-digest` option to enable page cache sharing by generating per-inode fingerprints * erofsfuse: Synchronize kernel patches to fix encoded extents and shared xattrs in the metabox * mkfs: Do not set LZ4_0PADDING for plain filesystems * fsck: Support extracting subtrees * mount: Fix a flag-clearing bug that can cause mount failures * mkfs: Fix a CPU spin that occurred when using `--tar=f` in conjunction with a closed stdin * mkfs: Fix crashes in the rebuild mode when the source images contains xattrs * mount: Add support for mounting EROFS images stored as S3 objects * mkfs: Add FULLDATA rebuild support for combining multiple layered EROFS filesystems * mount: Add support for Fanotify and UBLK backends * mkfs, tarerofs: Support inode digest generation when using `--sort=none` ==== ethtool ==== Version update (7.0 -> 7.1) - Update to release 7.1 * Added netlink support for RX CQE Coalescing params * netlink: module-eeprom: Add 'hex on pages on' option for page-organized hex dump * netlink: fec: Add missing newlines in FEC statistics output * ethtool: Add man page and bash completion for 'pages on|off' * ethtool: Update pause stats struct * ethtool: Add --disable-netlink to help output * qsfp: add support for newer SFF-8636 compliance codes * sfpid: add support for newer SFF-8472 compliance codes * sfpid: fix 10G Base-ER module detection - Delete bf023af442f63e16f1699128c7ce467eddc6d340.patch, d35d87fbcda97fe31df79d62277743214641892a.patch (merged) ==== freetype2 ==== Version update (2.14.2 -> 2.14.3) - update to 2.14.3 - Important bug fixes * A bunch of potential security problems have been found. All users should update. - Miscellaneous * If configuration option `TT_CONFIG_OPTION_GPOS_KERNING` is active, GPOS-based kerning could miss some value pairs (bug introduced in version 2.14.0). - Added patch: * freetype-CVE-2026-50811.patch + upstream fix for issue #1436, bsc#1271045, CVE-2026-50811: out-of-bounds read vulnerabilityin src/truetype/ttgxvar.c in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates ==== grub2 ==== Subpackages: grub2-common grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-efi-bls - Fix broken bash completion on arm64 images when the bash-completion package is not installed (bsc#1259132) * 0001-bash-completion-add-_init_completion-marker.patch ==== gstreamer ==== Version update (1.28.4 -> 1.28.5) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.28.5: + Highlighted bugfixes: - Various security fixes and playback fixes - Fix subtitles cause green flickering with VA decoders on AMD GPUs - core: Fix sticky event raciness when pads are linked mid-push - appsrc: Uniformly handle EOS events being pushed - audio-resampler-neon fails to build for targets with neon but without thumb - avtp: Correct ptime generation from avtp timestamp - fmp4mux: Various fixes for splitting at fragment boundaries - gldownload: fix wrong DRM format negotiation causing R/B channel swap - gdkpixbufdec: Drop rank to NONE and handle resolution/format changes - gopbuffer: add support for H.266/VVC - h265decoder: Fix HEVC with alpha decoding - mp4mux: fix AC-3 template caps so muxer can accept input from ac3parse - mpegtsmux: Always assign PTS to output buffers in CBR mode - mpegtsmux: Output buffers with PCR-only bitrate-padding packets have wrong PTS - rtcpbuffer: Fix parsing of SR+SDES compound packets (regression from security fix) - rtspsrc2: Allow disabling SRTP/SRTCP encryption and SRTP authentication - tsdemux: Improve PTS rollover handling in ignore-pcr mode, fixing intermittent corruption with YouTube HLS streams - textaccumulate: output joined single buffer, add list as meta - threadshare: add ts-clocksync - webrtcsink: negotiation fixes and improvements - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - caps: fix field name leak in gst_caps_structure_simplify - info: Use a more optimized version of GST_TIME_ARGS - pads: Fix sticky event raciness when linked mid-push - typefindhelper: Drop unnecessary check for factories without a function - Use named pipes when spawning gst-ptp-helper on Windows ==== gstreamer-plugins-bad ==== Version update (1.28.4+24 -> 1.28.5) Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgsthip-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.28.5: + amcviddec: Fix double-free happening when codec gets reconfigured + avtp: Correct ptime generation from avtp timestamp + ccconverter: Use truncated length when converting CEA608 raw to CEA708 CDP + curlsmtpsink: Use the correct content-type if known + d3d12: Fix command list leak + dtlsconnection: Allocate large enough buffer for the peer certificate subject DN + h264parse: Check for enough slice header data being available + h2654parse: Unset GValue in every code path + h265decoder: Fix HEVC with alpha decoding + h266parser: Avoid out-of-bounds read if too many exp slices are signalled + h266parser: Check bounds before writing to CTU entrypoint array + h266parser: Check aspect ratio index against lookup table length + h266parser: Heap-allocate parameter sets before parse to avoid stack overflow + h266parser: Use long bit skipping function for potentially large values + mpeg4videoparse: Ensure enough config data is available before extracting profile/level + mpegpsdemux: Release stream lock when seeking fails + mpegtsmux: Always assign PTS to output buffers in CBR mode + mpegtsmux: Output buffers with PCR-only bitrate-padding packets have wrong PTS + mxfdemux: fix essence track offsets array population + netsim: Fix racy test failures + pcapparse: Add missing bounds checks to ensure packets are large enough + pnmdec: Avoid overflows when calculating frame sizes + qroverlay: Fix use after free bug + rfbsrc: Use correct bpp for copying hextile data + rfbsrc: Validate framebuffer update rectangles against the framebuffer size + rtmp2: Don't retry on G_IO_ERROR_TIMED_OUT + rtmp2: Remove socket timeout after handshake completes + rtpsink: fix mutex not unlocked on invalid URI in set_property + tsdemux: YouTube HLS streams have intermittent corruption + tsdemux: Improve PTS rollover handling in ignore-pcr mode + v4l2decoder: Fix media_fd leak when video_fd open fails + va: surfacecopy: get surface's image in gst_va_surface_copy + va: VOBSUB: compositing error with VA decoder in NV12 + va: radeonsi: subtitles cause green flickering + va: radeonsi: Subtitles cause green flickering with VA decoders + videoparsers: Always clear LCEVC enhancement data when resetting frame + videoparsers: Leak of LCEVC user data + vnmdec: Avoid integer overflows when rectangle positions and sizes + vp9parser: Check that enough data is available for parsing superframe info + webrtcbin: validate remote dtls certificates + webrtcsdp: Fix inverted fingerprint existence logic ==== gstreamer-plugins-base ==== Version update (1.28.4 -> 1.28.5) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.28.5: + appsink: Clear local sample storage when flushing + appsrc: Uniformly handle EOS events being pushed + audio-resampler-neon fails to build for targets with neon but without thumb + encoding-target: Validate that encoding profile name is UTF-8 before using it + gldownload: fix wrong DRM format negotiation causing R/B channel swap + opusdec: Don't use any channel positions for >64 channels + rtcpbuffer: Fix parsing of SR+SDES compound packets (regression from security fix) + subparse: Don't allow very small framerates for microdvd subtitles + typefind: assorted fixes for the image-rs plugin typefinding + typefindhelper: Drop unnecessary check for factories without a function + WBMP typefinding rejects a valid 1280x800 file + typefinding: detect animation on PNG (and WebP, GIF, AVIF) + typefindfunctions: remove Sun and Andrew raster format typefinders + uridecodebin3: deactivate input_item in erroneous ready->paused transition + vorbistag: Check for enough base64 data before trying to decode + xmptag: Don't allocate -1 bytes of memory if there's only a single tag + xmptag: Handle fractions with 0 denominator as invalid ==== gstreamer-plugins-good ==== Version update (1.28.4 -> 1.28.5) Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang - Update to version 1.28.5: + flacenc: Fix g_object_notify on loose-mid-side-stereo property + gdkpixbufdec: Drop rank to NONE and handle resolution/format changes + gdkpixbufdec: stop advertising Sun and Andrew raster formats + gdkpixbufdec announces unsupported raster mediatypes + matroskademux: Don't pass non-GstElement pointers to GST_ELEMENT_ERROR + matroska: Update lzo decompression implementation from latest ffmpeg + mp4mux: fix AC-3 template caps so muxer can accept input from ac3parse + pngdec: fix wrong macro being used for ICC support test + qtmoovrecover: Validate box sizes + rtpceltdepay: error out if anyone tries to use this element + rtpjpegdepay: Ensure that quantization table is big enough + rtpsbcdepay: Check for available data in the adapter before getting data + shapewipe: Fix missing mutex unlock in shutdown path + wavparse: Avoid NULL pointer dereference when parsing adtl in push mode ==== gstreamer-plugins-ugly ==== Version update (1.28.4 -> 1.28.5) Subpackages: gstreamer-plugins-ugly-lang - Update to version 1.28.5: + asfdemux: Ensure that enough data is available for reading all replicated extensions ==== libxml2 ==== Subpackages: libxml2-16 libxml2-tools - CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility when running in `--shell` mode (bsc#1269790) * Add patch libxml2-CVE-2026-11979.patch ==== openSUSE-release ==== Version update (20260710 -> 20260712) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openblas_openmp ==== Subpackages: compatlibopenblas_openmp0 libopenblas_openmp0 - fixed wrong ownership of /usr/include for SLE16.1 builds and moved tests to non conflicting locations ==== openblas_pthreads ==== Subpackages: compatlibopenblas_pthreads0 libopenblas_pthreads0 - fixed wrong ownership of /usr/include for SLE16.1 builds and moved tests to non conflicting locations ==== python-Pillow ==== Version update (12.2.0 -> 12.3.0) - Update to 12.3.0 (fixes CVE-2026-42311 (bsc#1270404), CVE-2026-54059 (bsc#1270409), CVE-2026-54060 (bsc#1270410), CVE-2026-55379 (bsc#1270411), CVE-2026-55380 (bsc#1270412)) * Remove non-image ImageCms modes * Speed up ImageChops operations * Speed up Image.filter() * Speed up Image.getchannel(), Image.merge(), Image.putalpha() and Image.split() * Speed up Image.fill(), Image.linear_gradient() and Image.radial_gradient(). * Speed up Image.resample() * Speed up alpha_composite, matrix, negative, quantize * Remove PyErr_Clear() of "weird" exceptions * Check realloc return value * Add max_length to PdfStream decode() * Return early when there is no fill region * Allow error to be raised if PyDict_SetItemString fails * Speed up Image.blend() * Raise OverflowError if number of vertices is too large for Path * Remove unused HSV and LAB matrix conversion from C * Prevent reusing ImagingDecoderObject.setimage * Raise ValueError if FPX tile size is not 64px by 64px * Only clear error if it is BufferError * Apply XOR mask to 1 and L mode CUR images * Do not raise error from unknown channel ID when parsing PSD layers * Raise ValueError if P;2L or P;4L data is truncated in frombytes() * Embed SBOM into wheels * Do not set eval() globals in ImageMath.unsafe_eval() * Add Tcl/Tk license to wheels * Ensure map stride is at least one full row of pixels * Raise OverflowError if text width exceeds INT_MAX * Raise error if image modes do not match ImageCms transform modes * Use int64_t for text height * Return if error occurs in Py_mod_exec slot * Add decompression bomb checks to FontFile classes * If C error is raised, return NULL * Prevent saving 1 mode images as TGA with run-length encoding * Raise ValueError if EPS BeginBinary bytecount is negative * Do not DECREF tuple until tuple items are no longer used * Do not update NumPy automatically * Simplified code * If realloc fails, do not reduce block size * DECREF PyDict_GetItemRef result * Use int64_t to calculate paste box dimensions * Calculate JPEG2000 total_component_width for each tile in isolation * Raise ValueError if value is not bytes for TIFF_BYTE or TIFF_ASCII tag * Release Py_Buffer on error * Use os.startfile() in WindowsViewer show_file() * Validate large filter sizes when initializing RankFilter * Add decompression bomb check to GdImageFile * Free image bands when an error occurs while splitting an image * Check PyList_Append return value * Check WebPMuxNew return value * Check PyCapsule_New return value * Do not return negative width for text length * Add args argument to METH_NOARGS methods * Check ImagingNewDirty return value * Use int64_t for text width * Move PyDateTime_IMPORT inside Py_mod_exec slot * Validate size and rank when initializing RankFilter * Raise ValueError if insufficient data is read from DDS RGB file * Correct IFDRational.__float__() return value * Correct length when accessing ImagePath.Path subscript * Release reference on non-flattened sequence error * Do not release Py_buffer until buf is no longer in use * Do not resize macOS retina screenshots by default * Add abstract BaseImageFont class * Cast before multiplying * Limit radius to half width or height of rounded rectangle * linesize is always xsize multiplied by pixelsize * Check annotate_hash_table return value * Catch KeyError when checking mode from PNG IHDR chunk * Only pass one argument to C expand * Raise error if declared JPEG2000 marker length is too small * In _dump(), use Python PPM save, instead of C * Raise error consistently from inside ImagingNewArrow * Simplify RankFilter.c check * Support opening and saving L mode AVIF images with libavif >= 1.3.0 * [pre-commit.ci] pre-commit autoupdate * Apply libtiff patch to fix CVE-2026-4775 * Remove duplicate code * Switch iOS back to macos-26-intel * Don't use list as default in PdfParser read_prev_trailer * Add support for Python 3.15 * Do not draw line or arc if width is zero * Use _accept check in WebP _open * Compare dist sizes vs latest PyPI release * Do not generate SBOM in scheduled run on fork * Use plugin method directly when saving PDFs * [pre-commit.ci] pre-commit autoupdate * Set Renovate prCreation to not-pending * Raise error if PNG transparency has incorrect type or length when saving * If PdfParser buffer is memoryview, release it when closing * Correct integer overflow in 16-bit resampling * SBOM: Use real versions from dependencies.json * Restrict SBOM upload to only Pillow JSON * Generate CycloneDX SBOM at release time via CI * Raise ValueError if ImageOps border has unsupported format * Unsafe pointer dereference from unchecked Python integer in Tk initialization ... changelog too long, skipping 11 lines ... https://pillow.readthedocs.io/en/stable/releasenotes/12.3.0.html ==== spice-gtk ==== Subpackages: libspice-client-glib-2_0-8 libspice-client-glib-helper libspice-client-gtk-3_0-5 - Add BuildRequires for python3-base ==== timezone ==== Version update (2026b -> 2026c) Subpackages: tzselect - Update to 2026c: * Alberta moved to permanent -06 on 2026-06-18 * Morocco moves to permanent +00 on 2026-09-20 * More integer overflow bugs have been fixed in zic ==== xen ==== - Add BuildRequires for python3-base ==== xrdb ==== Version update (1.2.2 -> 1.2.3) - Update to bugfix release 1.2.3 - switch to Meson build system ==== xset ==== Version update (1.2.5 -> 1.2.6) - Update to version 1.2.6: * Switch to Meson build system. * Add GPG validation for source archives. * The new release includes bugfixes.