Packages changed: evolution (3.60.0 -> 3.60.1) evolution-data-server (3.60.0 -> 3.60.1) evolution-ews (3.60.0 -> 3.60.1) freerdp gnome-control-center (50.0 -> 50.1) gnome-online-accounts (3.58.0 -> 3.58.1) gnome-session gnome-software (50.0 -> 50.1) gnome-tour (49.0.openSUSE+git20251020.478f3eb -> 50.0.openSUSE+git20260413.334ffbd) gspell gstreamer (1.28.1 -> 1.28.2) gstreamer-devtools (1.28.1 -> 1.28.2) gstreamer-plugins-bad (1.28.1 -> 1.28.2) gstreamer-plugins-base (1.28.1 -> 1.28.2) gstreamer-plugins-good (1.28.1 -> 1.28.2) gstreamer-plugins-libav (1.28.1 -> 1.28.2) gstreamer-plugins-rs (1.28.1 -> 1.28.2) gstreamer-plugins-ugly (1.28.1 -> 1.28.2) harfbuzz (12.3.2 -> 14.1.0) jemalloc (5.3.0 -> 5.3.1) kernel-source (6.19.11 -> 6.19.12) lcms2 (2.17 -> 2.18) libburn (1.5.6 -> 1.5.8) libostree (2025.7 -> 2026.1) localsearch nautilus (50.0 -> 50.1) openSUSE-release (20260414 -> 20260415) patterns-gnome perl-IO-Tty (1.200.0 -> 1.270.0) polkit-default-privs (1550+20260409.85cbda6 -> 1550+20260414.1647bf2) python311 python311-core python313 (3.13.12 -> 3.13.13) python313-core (3.13.12 -> 3.13.13) systemd-presets-common-SUSE totem-pl-parser (3.26.6+30 -> 3.26.7) virtualbox virtualbox-kmp (7.2.6_k6.19.11_1 -> 7.2.6_k6.19.12_1) webkitgtk3 (2.52.1 -> 2.52.2) webkitgtk4 (2.52.1 -> 2.52.2) xdg-desktop-portal (1.20.3 -> 1.20.4) xorg-x11-server xwayland === Details === ==== evolution ==== Version update (3.60.0 -> 3.60.1) Subpackages: evolution-lang evolution-plugin-spamassassin - Update to version 3.60.1: + Bug Fixes: - itip-formatter: Layout has excessive empty space, long content - Composer: Inherit theme color not honoured on send - prefer-plain: Remote content load reverts shown part - Blank email body for some S/MIME Encrypted mails - Incorrect month name declination in some locales - Paste into 'add/edit note' window not working after open + Updated translations. ==== evolution-data-server ==== Version update (3.60.0 -> 3.60.1) Subpackages: evolution-data-server-lang libcamel-1_2-67 libebackend-1_2-11 libebook-1_2-21 libebook-contacts-1_2-5 libecal-2_0-3 libedata-book-1_2-27 libedata-cal-2_0-2 libedataserver-1_2-27 libedataserverui-1_2-4 - Update to version 3.60.1: + Bug Fixes: nntp: Fix GSocket ref leak in stream timeout helpers + Miscellaneous: - nntp: Rename nntp_get_stream_socket() to nntp_ref_stream_socket() - ESoupSession: Correct e_soup_session_get_authentication_requires_credentials() ==== evolution-ews ==== Version update (3.60.0 -> 3.60.1) Subpackages: evolution-ews-lang - Update to version 3.60.1: + Bug Fixes: Calendar: Crash when cancelling meeting with empty notice + Updated translations. ==== freerdp ==== Subpackages: libfreerdp3-3 librdtk0-0 libwinpr3-3 - Build with SDL3 instead of SDL2 on Tumbleweed ==== gnome-control-center ==== Version update (50.0 -> 50.1) Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-lang gnome-control-center-user-faces gnome-control-center-users - Update to version 50.1: + Accessibility: Fix keyboard navigation between cursor sizes + Display: Correct the type of num_scales counter + Privacy: - Fix memory leak in camera page - Fix memory leak in location page + Users: Chain up dispose in crop area widget + Updated translations. - Update libgxdp sub-module. ==== gnome-online-accounts ==== Version update (3.58.0 -> 3.58.1) Subpackages: gnome-online-accounts-lang libgoa-1_0-0 libgoa-backend-1_0-2 - Update to version 3.58.1: + Bugs fixed: google: Use #ifdef for GOA_GOOGLE_FILES_ENABLED + Updated translations. ==== gnome-session ==== Subpackages: gnome-session-lang - Add gnome-session-fix-double-free-GError.patch: Fix a double-free on GError. (bsc#1261932, glgo#GNOME/gnome-session!176) ==== gnome-software ==== Version update (50.0 -> 50.1) Subpackages: gnome-software-lang gnome-software-plugin-packagekit - Update to version 50.1: + Updated translations. ==== gnome-tour ==== Version update (49.0.openSUSE+git20251020.478f3eb -> 50.0.openSUSE+git20260413.334ffbd) Subpackages: gnome-tour-data gnome-tour-lang opensuse-welcome opensuse-welcome-lang - Update to 50.0: * Updated translations. ==== gspell ==== Subpackages: gspell-lang libgspell-1-3 - Add explicit pkgconfig(icu-uc) BuildRequires: checked for by meson. ==== gstreamer ==== Version update (1.28.1 -> 1.28.2) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.28.2: + Highlighted bugfixes in 1.28.2 - Various security fixes and playback fixes - audioencoder: allow change of channel configuration with avenc_aac - audioinvert: fix float format handling - h264parse, h265parse, baseparse: Preserve upstream buffer duration if possible - compositor: fix segfault with force-live=true and no sink pads (regression) - fallbacksrc: send select-streams event to collection source element directly - hlsdemux2: fix seekable range for live HLS streams - glupload: Fix linking glupload with restrictive caps filter - nvcodec: Add capability caching to speed up plugin initialization - RTP and RTCP packet handling fixes - RTSP server fixes for clean-up of timed out play requests - video-converter: fix I420/A420 BGRA/ARGB output on big-endian - qtdemux: fix invalid WebVTT timestamps, and other fixes - qmlgl6sink: Qt6GLVideoItem caps update handling fixes - threadshare udp sink and source fixes - transcriberbin and speechmatics text-to-speech fixes and improvements - videorate: Fix wrong caps in case of PTS going backward - vtdec: more Apple VideoToolbox decoder fixes - wavparse: Fix parsing of RF64 wave files - wasapi2sink: Ignore transient device errors from default device - waylandsink: various fixes and improvements - WebRTC DTLS robustness/stability improvements - Cerbero: Various inno Windows installer fixes and improvements; new 'gstreamer_bundle' wheels meta-package - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - bin: iterator is not nullable - registry: Skip .dSYM bundles when loading plugins, try 3 - baseparse: . Preserve upstream buffer duration if possible . Fix out_buffer leak in frame_free and missing ref in frame_copy - filesink: Fix wrong open() in overwrite mode - queue: Fix potential use-after-free in log function - GThreadFunc return type fixes - Strange File-sink-file-mode property value in filesink plugin ==== gstreamer-devtools ==== Version update (1.28.1 -> 1.28.2) - Update to version 1.28.2: + No changes, stable versionbump only. - Update vendored dependencies tarball. ==== gstreamer-plugins-bad ==== Version update (1.28.1 -> 1.28.2) Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgsthip-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Fix suse_version check to enable faad codec only in TW since SLE 16 SP1 will use a suse_version value of 1610 - Update to version 1.28.2: + analytics: Set default pixel-aspect-ratio for inference elements + av1dec: Enable VIDEO_META and VIDEO_ALIGNMENT for pool + av1parse, vp9parse: Remove segment clipping to let downstream handle frame boundaries + av1parse: - Avoid signed 32 bit integer overflow and OOB reads when parsing LEB128 values - Split the alignment and stream type logic - Misc fixes 2 typo - Invalid assertion in gst_av1_parse_detect_stream_format() + dashsink: test: use playbin3 for DASH playback verification + decklinkvideosink: fix element leak in decklink callback + dtls: unregister signal handlers from connection + gdppay: Fix null pointer dereference on duplicated caps event + h264parse, h265parse: Preserve upstream buffer duration if possible + h264parser: - Fix memory leak in gst_h264_parser_parse_nal() - Avoid NULL pointer dereferences when freeing partially parsed SPS/MVC data + h264: Memory Leak in gst_h264_parser_parse_nal() + h266parser: Avoid integer overflow when parsing profile / tier / level + jp2kdecimator: Avoid integer overflows and divisions by zero on invalid tile configurations + mxfdemux: hardening + nice: Fix leak of webrtc libnice thread + nvcodec: Add capability caching to speed up plugin initialization + tsmux: Fix integer overflow in SCTE35 NULL interval + sctp: Set number of outgoing & incoming streams to the same value + shm: fix shmsink exit code 1 on clean shutdown + soundtouch: Only allow up to 192kHz and 16 channels + srtpenc: preserve ROC when master key is updated for an ongoing session + svtav1: fix "Level of parallelism" property type discrepencies + vkswapper/vksink: Don't advertise unsupported formats + vmncdec: Set cursormask to NULL to prevent double free + vtdec: - vp9 support is only enabled in first vtdec element - Do not hold the stream lock when pushing out frames - Prefer outputting VulkanImage instead of sysmem, fix some leaks, ensure vulkansink provides a window - Store supplemental codec support in a global variable - Supplemental VideoToolbox decoders now registered via vtutil helper - Handle decoder error status for iOS, vtenc: restart if VTCompressionSessionCompleteFrames fails + vulkan: Clear mutex when GstVulkanImageMemory is freed + vulkanvp9dec: Fix case in device-specific factory name + wasapi2: Log target device information + wasapi2sink: Ignore device errors from default device + wayland: display: Add protection when replacing wl_output + waylandsink: - Fix waylandsink crash when call window flush - Properly reset the tag orientation + wlwindow: fix viewport source outside buffer when play resolution change stream + Fix a couple of const correctness bugs around strchr() usage + GThreadFunc return type fixes + meson: Fix downloading MoltenVK SDK, make it work when meson-installed - Split out gstreamer-plugins-bad-extra sub-package, move mpeg2 encoder/plexer in its own sub-package. Gstreamer-plugins-libav provides the prefered software plugin. ==== gstreamer-plugins-base ==== Version update (1.28.1 -> 1.28.2) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.28.2: + GstAudio/VideoDecoder: Fix different seqnum for eos event error + gst-validate reports event::eos-has-wrong-seqnum in GstAudio/VideoDecoder + audioencoder: Remove fixed caps from srcpad + audio-resampler-neon: read array operand by hand to fix build errors with some armv7hf toolchains + audio-resampler: build error with some armv7hf toolchains: 'asm' operand has impossible constraints + compositor: move gst_compositor_init_blend() to element class_init + exiftag: - Add missing bounds check and integer overflow protections in various places - Ignore invalid fractions with numerator/denominator G_MININT - Unmap buffer if parsing a rational number gives a zero denominator + gl: upload: Fix linking glupload with restrictive caps filter + glupload: can't handle caps video/x-raw(memory:GLMemory) + glcolorconvert: Fix NULL pointer dereference on buffers without video meta + libs_gstglcolorconvert test failure in 1.28.1 + opusenc: - Use correct memcpy() size when copying Vorbis channel positions - Using invalid size for memcpy? + playback: Make sure to check for empty/any caps before getting the first structure + rtcp: Fix buffer overread in SDES packet parsing + rtpbuffer: Add validation for CSRC list length + rtsp: - gstrtspurl: Parse URL having user without password - Does not parse URL with user but no password as valid + subparse: - Avoid NULL-pointer dereferences in mdvdsub parsing code - Fix integer overflow when calculating qttext timestamp - Replace regex string matching / replacing with plain C string parsing + typefindfunctions: Avoid signed 32 bit integer overflow and OOB reads when parsing LEB128 values + video-converter: fix I420/A420 BGRA/ARGB output on big-endian + video: fix too small default stride for UYVP with odd widths + videorate: Fix unrestored caps on backward PTS + GThreadFunc return type fixes - Split put new gstreamer-plugins-base-extra sub-package. ==== gstreamer-plugins-good ==== Version update (1.28.1 -> 1.28.2) Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang - Update to version 1.28.2: + audioinvert: fix float truncation in transform_float + audioinvert float path broken + compositor: segfault with force-live=true and no sink pads (regression in 1.28) + flvdemux: Avoid assertions on corrupted streams + flvmux: fix race condition on caps get and check + hlsdemux2: fix seekable range for live HLS streams + matroskademux: Fix calculation of bz2 buffer sizes + qtqml: Avoid parsing caps on every buffer (same fix for both qt5 and qt6) + qtdemux: - Add various integer overflow and bounds checks to uncompressed video handling - Fix invalid WebVTT timestamps - Fix handling of in-between fragments without tfdt - Don't immediately push segment after moov in push mode for fmp4 - Preserve Metas and Flags when doing row alignment - Avoid a couple of integer overflows - Various fixes related to audio channel counts + Qt6GLVideoItem: caps update fixed + GstGLQt6VideoItem crashes after source pipeline change + rgvolume: don't apply dBSPL reference level compensation for LUFS values + rtspsrc: - Discard early data in ONVIF mode - Fix const-correctness issue around strchr() usage + rtph264depay: fix invalid memory access in gst_rtp_h264_finish_fragmentation_unit + rtptwcc: fix feedback packet count wrapping at 255 + vmncdec: Set cursormask to NULL to prevent double free + wavenc: Skip writing empty LIST INFO chunk + wavparse: - Avoid overflow in length when setting ignore-length=true - Fix integer overflow when checking available buffer size for reading cues - Fix parsing of RF64 wave files + GThreadFunc return type fixes ==== gstreamer-plugins-libav ==== Version update (1.28.1 -> 1.28.2) - Update to version 1.28.2: + avviddec: Refcount codec frame associated with video frame ==== gstreamer-plugins-rs ==== Version update (1.28.1 -> 1.28.2) - Update to version 1.28.2: + burn: yoloxinference: Restrict widths/heights to a multiple of 32 + fallbacksrc: Send select-streams event to collection source element + gtk4paintablesink: Error out in NULL->READY if there is no default GDK display + png: implement image repacking when buffer is padded + rtpbin2: - Don't panic in Drop impl - Improve logs - Jtterbuffer: fix deadline for re-ordered packets - More log improvements + rtprecv: JitterBufferStream: avoid polling JitterBuffer when possible + speechmatics: - Fix first_buffer_pts race condition in dispatch_message - textaccumulate: fix flushing issues + threadshare: - Fix socket leak in ts-udpsink - udpsink/src: don't error out failing to send packet to a client / receiving an ICMP error + tracers: Mark enum types as plugin API + transcriberbin: ignore flow errors from transcription branch + webrtc: - Silence new clippy warning - tests: run signalling server with unique port number + whisper: - Fix compiling on ARM - Update to latest release 0.16 + Don't transform push_event() false returns into flow errors + Switch from std::os::raw to std::ffi for C types + Update dependencies - meson: only add example features when dependencies are found - build: update rustfmt edition to 2024 ==== gstreamer-plugins-ugly ==== Version update (1.28.1 -> 1.28.2) Subpackages: gstreamer-plugins-ugly-lang - Update to version 1.28.2: + No changes, stable version bump only. ==== harfbuzz ==== Version update (12.3.2 -> 14.1.0) Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0 - Disable the new libharfbuzz-gpu demo-tool behind a bcond (with gpu). Building this leads to a build-cycle unfortunately. - Update to version 14.1.0: + GPU library improvements: - Add anti-aliased rendering for small sizes. - Store font scale in blob header. - Port scale/ppem support to MSL, WGSL, and HLSL shaders. - Fix contour breaks and bounds quantization in encode. - Fix garbled rendering after font change in web demo. + Various robustness fixes. + Various fuzzing fixes for harfbuzz-raster, harfbuzz-gpu and harfbuzz-vector libraries. + Move HB_NO_CFF from HB_LEAN to HB_NO_DRAW closure, and fix HB_TINY build. - Changes from version 14.0.0: + New libharfbuzz-gpu library: GPU text rasterization based on the Slug algorithm by Eric Lengyel. Encodes glyph outlines on the CPU into compact blobs that the GPU decodes and rasterizes directly in the fragment shader, with no intermediate bitmap atlas. + Shader sources provided in GLSL, WGSL, MSL, and HLSL. + New hb-gpu installed utility for interactive GPU text rendering. + Live web demo: https://harfbuzz.github.io/hb-gpu-demo/ + New harfbuzz-world.cc amalgamated source for building a subset of all HarfBuzz libraries into one compilation unit, driven by a custom hb-features.h. + Updated README with libraries overview and project description. + Various bug fixes. - Add pkgconfig(glew) and pkgconfig(glfw3) BuildRequires: New dependencies. - Add new sub-package libharfbuzz-gpu0 following upstream changes. - Update to version 13.2.1: + Fix regression in tracing messages from previous release. - Changes from version 13.2.0: + Fix hb-view glyph positioning with --glyphs input from hb-shape - -ned. + Various fuzzing fixes for harfbuzz-subset, harfbuzz-raster and harfbuzz-vector libraries. + Various improvements to tracing messages. + Various documentation improvements. - Migrate to xz compression and manual service run - Update to version 13.1.1: + Support gzip-compressed SVG glyphs in harfbuzz-raster and harfbuzz-vector libraries. This new functionality requires zlib, and will not be available if HarfBuzz is built without zlib. + Improve handling of SVG glyphs in harfbuzz-raster and harfbuzz-vector libraries. + Further harden application of stch feature against malicious fonts. + Various fuzzing fixes. + Various build fixes: - Add missing chafa dependency to hb-raster utility, and remove accidental cairo dependency. - Don’t build raster and vector fuzzers if the library is disabled. - Add meson options for enabling / disabling libpng and zlib. - Support building harfbuzz-raster and harfbuzz-vector libraries with CMake. - Add new optional pkgconfig(zlib) BuildRequires. - Update to version 13.1.0: + The harfbuzz-raster library can now render bitmap color glyph formats (CBDT and sbix). It now also has an API to serialize / deserialize images to and from PNGs. This new functionality requires libpng, and will not be available if HarfBuzz is built without libpng. + Install hb-raster command line utility. + Fix overflow when applying stch feature with malicious fonts. + Fix memory leaks in harfbuzz-raster and harfbuzz-vector in error conditions, as well as more robust handling of allocation failures. + Various documentation improvements and build fixes. - Build the new optional libpng support, add pkgconfig(libpng) BuildRequires. - Update to version 13.0.1: + Bug fixes in rendering COLR v1 fonts. + Various build fixes. - Update to version 13.0.0: + New experimental drawing and rendering libraries: - New public hb-vector API for vector output of glyph outlines. The only supported output format currently is SVG. - The new API is available in a separate harfbuzz-vector library. - New public hb-raster API for rasterizing glyphs to A8 / BGRA32 images. - The new API is available in a separate harfbuzz-raster library. - Both APIs are still experimental and subject to change. - Both libraries support monochrome as well as vector color glyph formats (COLR v0, v1, and SVG). - Additionally, hb-vector supports also bitmap color glyph formats (CBDT and sbix). - New command line utilities to accompany the new APIs: hb-vector and hb-raster. They share many of the same options as hb-view. + New subset flag HB_SUBSET_FLAGS_DOWNGRADE_CFF2 to convert instantiated CFF2 table to CFF . This options will desubroutinize CFF2 table and convert it to CID-keyed CFF table. This is useful for compatibility with older renderers ... changelog too long, skipping 18 lines ... following upstream changes. ==== jemalloc ==== Version update (5.3.0 -> 5.3.1) - Update to release 5.3.1 * Implement the `pvalloc` C function. * Add runtime option `prof_bt_max` to control the max stack depth for profiling. * Add runtime option `tcache_ncached_max` to control the number of items in each size bin in the thread cache. * Add runtime option `calloc_madvise_threshold` to determine if kernel or memset is used to zero the allocations for calloc. * Add runtime option `disable_large_size_classes` to guard the new usable size calculation, which minimizes the memory overhead for large allocations, i.e., >= 4 * PAGE. * Enable process_madvise usage, add runtime option `process_madvise_max_batch` to control the max # of regions in each madvise batch. ==== kernel-source ==== Version update (6.19.11 -> 6.19.12) - usb: typec: ucsi: skip connector validation before init (git-fixes). - commit c7234f7 - Linux 6.19.12 (bsc#1012628). - drm/amd/pm: disable OD_FAN_CURVE if temp or pwm range invalid for smu v13 (bsc#1012628). - net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback (bsc#1012628). - net: mana: fix use-after-free in add_adev() error path (bsc#1012628). - scsi: target: file: Use kzalloc_flex for aio_cmd (bsc#1012628). - scsi: target: tcm_loop: Drain commands in target_reset handler (bsc#1012628). - xfs: only assert new size for datafork during truncate extents (bsc#1012628). - xfs: factor out xfs_attr3_node_entry_remove (bsc#1012628). - xfs: factor out xfs_attr3_leaf_init (bsc#1012628). - xfs: close crash window in attr dabtree inactivation (bsc#1012628). - arm64/scs: Fix handling of advance_loc4 (bsc#1012628). - HID: logitech-hidpp: Enable MX Master 4 over bluetooth (bsc#1012628). - wifi: mac80211: check tdls flag in ieee80211_tdls_oper (bsc#1012628). - HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (bsc#1012628). - atm: lec: fix use-after-free in sock_def_readable() (bsc#1012628). - btrfs: don't take device_list_mutex when querying zone info (bsc#1012628). - tg3: replace placeholder MAC address with device property (bsc#1012628). - objtool: Fix Clang jump table detection (bsc#1012628). - HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure (bsc#1012628). - HID: core: Mitigate potential OOB by removing bogus memset() (bsc#1012628). - objtool/klp: fix mkstemp() failure with long paths (bsc#1012628). - HID: multitouch: Check to ensure report responses match the request (bsc#1012628). - btrfs: reserve enough transaction items for qgroup ioctls (bsc#1012628). - i2c: tegra: Don't mark devices with pins as IRQ safe (bsc#1012628). - btrfs: reject root items with drop_progress and zero drop_level (bsc#1012628). - drm/amd/display: Fix gamma 2.2 colorop TFs (bsc#1012628). - smb: client: fix generic/694 due to wrong ->i_blocks (bsc#1012628). - spi: geni-qcom: Check DMA interrupts early in ISR (bsc#1012628). - mshv: Fix error handling in mshv_region_pin (bsc#1012628). - dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning (bsc#1012628). - wifi: iwlwifi: mld: Fix MLO scan timing (bsc#1012628). - wifi: iwlwifi: mvm: don't send a 6E related command when not supported (bsc#1012628). - wifi: iwlwifi: mld: correctly set wifi generation data (bsc#1012628). - wifi: ath11k: Pass the correct value of each TID during a stop AMPDU session (bsc#1012628). - cgroup: Wait for dying tasks to leave on rmdir (bsc#1012628). - selftests/cgroup: Don't require synchronous populated update on task exit (bsc#1012628). - cgroup: Fix cgroup_drain_dying() testing the wrong condition (bsc#1012628). - crypto: caam - fix DMA corruption on long hmac keys (bsc#1012628). - crypto: caam - fix overflow on long hmac keys (bsc#1012628). - crypto: deflate - fix spurious -ENOSPC (bsc#1012628). - crypto: af-alg - fix NULL pointer dereference in scatterwalk (bsc#1012628). - mpls: add seqcount to protect the platform_label{,s} pair (bsc#1012628). - net: mana: Fix RX skb truesize accounting (bsc#1012628). - netdevsim: fix build if SKB_EXTENSIONS=n (bsc#1012628). - net: fec: fix the PTP periodic output sysfs interface (bsc#1012628). - net: enetc: reset PIR and CIR if they are not equal when initializing TX ring (bsc#1012628). - net: enetc: add graceful stop to safely reinitialize the TX Ring (bsc#1012628). - net: enetc: do not access non-existent registers on pseudo MAC (bsc#1012628). - net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak (bsc#1012628). - net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak (bsc#1012628). - iommupt/amdv1: mark amdv1pt_install_leaf_entry as __always_inline (bsc#1012628). - net/ipv6: ioam6: prevent schema length wraparound in trace fill (bsc#1012628). - tg3: Fix race for querying speed/duplex (bsc#1012628). - net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch (bsc#1012628). - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() (bsc#1012628). - ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (bsc#1012628). ... changelog too long, skipping 476 lines ... - commit 1b7d8a2 ==== lcms2 ==== Version update (2.17 -> 2.18) - Update to version 2.18 * Fix a signed integer overflow which could trigger a FPE_INTOVF. * Added documentation for PCS illuminants and chromatic adaptation. * Check for a possible out-of-bounds in softproofing transforms when using cmsCreateExtendedTransform * Fix for a out-of-bound read, issue #522. * Add an extra check for out-of-bounds read when misusing a support function. * avoid divide by zero, special case from spec. notes on CAM02. * Fix CGATS parser bug when number has a "+" sign. * Fix a typo when handling a special case for BPC. * Fixed a loss of precision when Lab16 is used as input color space on integer transforms. * Fixes hypotetical corrupted pointer in non-happy path. Cannot happen in real world. * Fix a theoretical memory leak. * Mark some tables as const. * Make the param of cmsCreateLab4Profile() to refer to the media white instead of the illuminant. * fix a warning in unit tests. * Remove redundant check. Fixes #497. * Update autotools. * fix plugins soname + add oklab to transicc (experimental). * meson: ability to disable .so.version libraries. * Fix black point detection when using darker colorant.. * testcms2.c: Fix incorrect string comparisons. * Fix CICp tag size.. * Fix broken linkicc. * Add a guard against a wrong use of flags. * Fix for #469 heap buffer overflow on convert_utf16_to_utf32(). - Use %ldconfig_scriptlets macro ==== libburn ==== Version update (1.5.6 -> 1.5.8) - Update to version 1.5.8 * Bug fix: burn_offst_source_new() parameter "size" rolled over at 2 exp 31. * Bug fix: ATA and SATA drives under sg did not register their SCSI address tuple. * Bug fix: WAVE files with unsuitable audio format were read as raw audio file. * New API calls use and return off_t sizes instead of int or uint32_t. * Augmented struct burn_toc_entry by new off_t block addresses and counters. * New struct burn_progress_v2 and API call burn_drive_get_status_v2(). * New API call burn_disc_track_lba_nwa_v2(). * New API calls burn_disc_get_sectors_v2(), burn_session_get_sectors_v2(), burn_track_get_sectors_v2(). * New API call burn_get_read_capacity_v2(). * New API call burn_drive_release_v2(). * New API call burn_write_opts_set_perform_opc_v2. * New cdrskin option --audio_not_raw. * New cdrskin options --perform_opc and --perform_opc_growisofs. - Drop patch: * libburn-1.5.6-c23.patch (not longer needed) - Use %ldconfig_scriptlets macro ==== libostree ==== Version update (2025.7 -> 2026.1) Subpackages: libostree-1-1 - Update to 2026.1: * fix soft-reboot handling for var, sysroot, and boot mounts, * preserve extension BLS keys across staged deployments. * libarchive integration now correctly handles UTF-8 filenames without locale dependency * ostree admin status --json now includes the deployment origin refspec. ==== localsearch ==== Subpackages: localsearch-lang - Add localsearch-zip-private-library.patch: fix a crash when handling zip files. ==== nautilus ==== Version update (50.0 -> 50.1) Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension4 nautilus-lang - Update to version 50.1: + Bugfixes: - Fix a crash on empty MIME type - Fix read-only/not accessible emblems - Assure view item deduplication on slow machines - Fix error icon size - Restore default focus for permanent delete dialog - Autocomplete folders with trailing slash again - Fix opening folder with many custom icons - Fix showing properties for encrypted partition - Fix image rounding + Cleanups: - Don't allow editing custom icons for trash or trashed files - Use GIcon for launch context + Updated translations. ==== openSUSE-release ==== Version update (20260414 -> 20260415) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== patterns-gnome ==== Subpackages: patterns-gnome-gnome patterns-gnome-gnome_basic patterns-gnome-gnome_basis patterns-gnome-gnome_games patterns-gnome-gnome_imaging patterns-gnome-gnome_internet patterns-gnome-gnome_multimedia patterns-gnome-gnome_office patterns-gnome-gnome_utilities patterns-gnome-gnome_yast patterns-gnome-sw_management_gnome - Update suse_version macro for 1610 (jsc#PED-15831) ==== perl-IO-Tty ==== Version update (1.200.0 -> 1.270.0) - updated to 1.270.0 (1.27) see /usr/share/doc/packages/perl-IO-Tty/ChangeLog 1.27 2026-04-03 Todd Rinaldo Bug Fixes: * GH #68, PR #68 - Fix build on OpenBSD by including termios.h to detect openpty reliably and setting _BSD_SOURCE to find strlcpy in includes. (Alexander Bluhm) 1.26 2026-04-02 Todd Rinaldo Bug Fixes: * PR #67 - Fix strlcpy detection on DragonFly BSD to avoid static/non-static declaration conflict. Added __DragonFly__ guard to the function test (paralleling __FreeBSD__) and added a belt-and-suspenders check for perl's own HAS_STRLCPY in Tty.xs. Maintenance: * PR #66 - Add 5-minute timeout to all CI test steps to prevent hung tests from consuming CI resources indefinitely. 1.25 2026-04-01 Todd Rinaldo Bug Fixes: * GH #62, PR #64 - Fix IO::Pty DESTROY force-closing the slave pty. The DESTROY method (added in 1.21) explicitly closed the cached slave handle, breaking consumers like IPC::Run that hold a reference to the slave via $pty->slave() and expect it to survive master destruction. Now just deletes the internal reference and lets Perl's refcounting handle fd closure correctly. Maintenance: * PR #61 - Simplify version variables to a single source of truth. Extract version from Tty.pm in Makefile.PL using MM->parse_version() instead of hardcoding it, use VERSION_FROM in WriteMakefile, and remove $XS_VERSION from Tty.pm. 1.24 2026-03-27 Todd Rinaldo Bug Fixes: * GH #54, PR #55 - Fix slave pty reopening on Solaris/illumos. After close_slave(), reopening with plain Perl open() skipped pushing STREAMS modules (ptem, ldterm, ttcompat), causing isatty() to return false. Added _open_tty() XS function that opens the device and pushes STREAMS modules on platforms that support I_PUSH. * GH #56, PR #58 - Fix undef warnings on Perl 5.8.8 by removing the undef operator on localized $SIG{__DIE__}, and fix XS ttyname() on older Perls by avoiding the InOutStream typemap which can return NULL for filehandles created via new_from_fd. * GH #57, PR #59 - Add __BSD_VISIBLE for FreeBSD in function probes. The _XOPEN_SOURCE definition hid BSD extensions like strlcpy, causing probe failures and subsequent compile errors from conflicting static/non-static declarations. Maintenance: * PR #60 - Modernize Makefile.PL: replace BUILD_REQUIRES with TEST_REQUIRES (EUMM 6.64+), add CONFIGURE_REQUIRES, upgrade META_MERGE to meta-spec v2, modernize generated Constant.pm to use 'our' instead of 'use vars', and remove dead PPD postamble. 1.23 2026-03-24 Todd Rinaldo Bug Fixes: * PR #52 - Replace deprecated indirect object syntax (e.g. `new IO::Pty`) with direct method calls (`IO::Pty->new`). Perl 5.36+ disables indirect object calls, so this fixes forward compatibility. Improvements: * PR #53 - Add clone_winsize_from() test coverage (7 new tests) covering basic clone between slave ttys, non-tty master fast path, croak on non-tty source, and pixel dimension preservation. Maintenance: * PR #52 - Regenerate README from POD to fix stale version. * PR #53 - Modernize `use vars` to `our` declarations in Tty.pm and Pty.pm. Add missing `use warnings` to Pty.pm. * Add AI_POLICY.md for transparency on AI-assisted contributions. * Convert README to Markdown and update MANIFEST. 1.22 2026-03-24 Todd Rinaldo Bug Fixes: * GH #47, PR #48 - Fix function detection on Solaris by adding __EXTENSIONS__ to expose BSD extensions (like strlcpy) that are hidden when _XOPEN_SOURCE is defined. * PR #49 - Fix file descriptor leaks in open_slave() error paths. The master pty fd was not closed on several early-return error paths, causing fd leaks when falling through multiple pty allocation methods. Improvements: * PR #50 - Add unit tests for ttyname(), slave()/close_slave() lifecycle, set_winsize()/get_winsize() round-trips, pack_winsize/unpack_winsize, and constant importing (28 new tests). * PR #51 - Replace DynaLoader with XSLoader and bump minimum perl version to 5.8.8. XSLoader is simpler and has been in core since perl 5.6. Maintenance: * PR #44 - Fix stale POD versions, add Perl 5.38/5.40 to CI, and update repository URLs from toddr/IO-Tty to cpan-authors/IO-Tty. * PR #45 - Remove dead Perl 5.003 compatibility code, modernize XS (Nullch to NULL, perl_get_sv to get_sv, sprintf to snprintf). * PR #46 - Modernize CI with dynamic perl version discovery via perl-actions/perl-versions and add a disttest job. 1.21 2026-03-22 Todd Rinaldo Bug Fixes: * GH #14, PR #39 - Fix slave fd leak on IO::Pty destruction. The slave pty file descriptor was not closed when the IO::Pty object was destroyed, leaking file descriptors until process exit. * GH #12, PR #40 - Fix set_raw() to modify cflag for proper raw mode on BSD/macOS. set_raw() was not clearing CSIZE|PARENB or setting CS8 in cflag, causing incomplete raw mode on macOS, OpenBSD, and NetBSD. * GH #38, PR #41 - Modernize function detection to use proper system headers instead of fragile K&R-style forward declarations. The old approach conflicted with real prototypes on modern compilers (especially FreeBSD/Clang), causing all function checks to fail. Improvements: * PR #42 - Add BSD CI testing for FreeBSD, OpenBSD, and NetBSD via cross-platform-actions. Also bumps actions/checkout from v2 to v4. ==== polkit-default-privs ==== Version update (1550+20260409.85cbda6 -> 1550+20260414.1647bf2) - Update to version 1550+20260414.1647bf2: * profiles: systemd v260 follow-up (bsc#1259318) ==== python311 ==== Subpackages: python311-curses python311-dbm python311-x86-64-v3 - Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has the same security model as open(). The documented limitations ensure compatibility with non-filesystem loaders; Python doesn't check that. (bsc#1259989, CVE-2026-3479, gh#python/cpython#146121). ==== python311-core ==== Subpackages: libpython3_11-1_0 libpython3_11-1_0-x86-64-v3 python311-base python311-base-x86-64-v3 - Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has the same security model as open(). The documented limitations ensure compatibility with non-filesystem loaders; Python doesn't check that. (bsc#1259989, CVE-2026-3479, gh#python/cpython#146121). ==== python313 ==== Version update (3.13.12 -> 3.13.13) Subpackages: python313-curses python313-dbm python313-tk python313-x86-64-v3 - Update to 3.13.13 - Security - gh-145986: xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224 (bsc#1259735, CVE-2026-4224). - gh-145599: Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644 (bsc#1259734, CVE-2026-3644). - gh-145506: Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files (bsc#1259240, CVE-2026-2297). - gh-144370: Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes. - gh-143930: Reject leading dashes in URLs passed to webbrowser.open() (bsc#1260026, CVE-2026-4519). - Library - gh-144503: Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit. - gh-146613: itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated. - gh-146080: ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected. Patch by Bénédikt Tran. - gh-146090: sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY. Patch by Bénédikt Tran. - gh-146090: sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated. Patch by Bénédikt Tran. - gh-145633: Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError. Patch by Sergey B Kirpichev and Victor Stinner. - gh-146310: The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory. - gh-146083: Update bundled libexpat to version 2.7.5. - gh-146076: zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass. - gh-146054: Limit the size of encodings.search_function() cache. Found by OSS Fuzz in #493449985. - gh-145883: zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues #492245058 and #492230068. - gh-145750: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. Found by OSS Fuzz in #488466741. - gh-145492: Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in gh-145492. - gh-145623: Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__(). - gh-145616: Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kernel - gh-145376: Fix null pointer dereference in unusual error scenario in hashlib. - gh-145551: Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Daan De Meyer. - gh-145417: venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather than the destination project directory. - gh-145301: hashlib: fix a crash when the initialization of the underlying C extension module fails. - gh-145264: Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data. - gh-145158: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. - gh-144984: Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s reference count. - gh-88091: Fix unicodedata.decomposition() for Hangul characters. - gh-144835: Added missing explanations for some parameters in glob.glob() and glob.iglob(). - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144259: Fix inconsistent display of long multiline pasted content in the REPL. - gh-144156: Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between ... changelog too long, skipping 179 lines ... gh#python/cpython#146121). ==== python313-core ==== Version update (3.13.12 -> 3.13.13) Subpackages: libpython3_13-1_0 libpython3_13-1_0-x86-64-v3 python313-base python313-base-x86-64-v3 python313-devel - Update to 3.13.13 - Security - gh-145986: xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224 (bsc#1259735, CVE-2026-4224). - gh-145599: Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644 (bsc#1259734, CVE-2026-3644). - gh-145506: Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files (bsc#1259240, CVE-2026-2297). - gh-144370: Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes. - gh-143930: Reject leading dashes in URLs passed to webbrowser.open() (bsc#1260026, CVE-2026-4519). - Library - gh-144503: Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit. - gh-146613: itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated. - gh-146080: ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected. Patch by Bénédikt Tran. - gh-146090: sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY. Patch by Bénédikt Tran. - gh-146090: sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated. Patch by Bénédikt Tran. - gh-145633: Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError. Patch by Sergey B Kirpichev and Victor Stinner. - gh-146310: The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory. - gh-146083: Update bundled libexpat to version 2.7.5. - gh-146076: zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass. - gh-146054: Limit the size of encodings.search_function() cache. Found by OSS Fuzz in #493449985. - gh-145883: zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues #492245058 and #492230068. - gh-145750: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. Found by OSS Fuzz in #488466741. - gh-145492: Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in gh-145492. - gh-145623: Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__(). - gh-145616: Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kernel - gh-145376: Fix null pointer dereference in unusual error scenario in hashlib. - gh-145551: Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Daan De Meyer. - gh-145417: venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather than the destination project directory. - gh-145301: hashlib: fix a crash when the initialization of the underlying C extension module fails. - gh-145264: Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data. - gh-145158: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. - gh-144984: Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s reference count. - gh-88091: Fix unicodedata.decomposition() for Hangul characters. - gh-144835: Added missing explanations for some parameters in glob.glob() and glob.iglob(). - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed. - gh-144259: Fix inconsistent display of long multiline pasted content in the REPL. - gh-144156: Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between ... changelog too long, skipping 179 lines ... gh#python/cpython#146121). ==== systemd-presets-common-SUSE ==== - Enable the new update-desktop-database service that updates the desktop files database on boot for immutable systems (jsc#PED-14839). ==== totem-pl-parser ==== Version update (3.26.6+30 -> 3.26.7) Subpackages: libtotem-plparser-mini18 libtotem-plparser18 totem-pl-parser-lang typelib-1_0-TotemPlParser-1_0 - Update to version 3.26.7: + Fix uninitialized variable error in plparser + Add itunes genre support for podcast RSS feeds + Split podcast tests + Fix deprecation warnings + Fix return value from cancelled plparser calls + Fix TotemPlParserMetadata in plparser bindings + Use gitlab.gnome.org for bug-database in doap + Use apps.gnome.org for homepage in doap + Update podcast test for server changes + Fix guard return type in plparser + Updated translations. ==== virtualbox ==== - Refresh the Leap 16.1 build fix patch for covering the missing file: leap16.1-kmp-fixes.patch ==== virtualbox-kmp ==== Version update (7.2.6_k6.19.11_1 -> 7.2.6_k6.19.12_1) - Refresh the Leap 16.1 build fix patch for covering the missing file: leap16.1-kmp-fixes.patch ==== webkitgtk3 ==== Version update (2.52.1 -> 2.52.2) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.52.2: + Improve handling of real-time threads. + Fix scrollbar rendering glitches visible in some GPU configurations. + Fix V4L2 hardware accelerated media codecs now working due to overly restrictive sandbox device access rules. + Fix leak of bitmap images in webkit_favicon_database_get_favicon_finish(). + Fix the build with USE_GTK4=OFF. + Fix several crashes and rendering issues. - Drop webkitgtk-gtk3-build-fix.patch: fixed upstream. ==== webkitgtk4 ==== Version update (2.52.1 -> 2.52.2) Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles - Update to version 2.52.2: + Improve handling of real-time threads. + Fix scrollbar rendering glitches visible in some GPU configurations. + Fix V4L2 hardware accelerated media codecs now working due to overly restrictive sandbox device access rules. + Fix leak of bitmap images in webkit_favicon_database_get_favicon_finish(). + Fix the build with USE_GTK4=OFF. + Fix several crashes and rendering issues. - Drop webkitgtk-gtk3-build-fix.patch: fixed upstream. ==== xdg-desktop-portal ==== Version update (1.20.3 -> 1.20.4) Subpackages: xdg-desktop-portal-lang - Update to version 1.20.4: + Prevent trashing of arbitrary host files (GHSA-rqr9-jwwf-wxgj) - Update suse_version macro for 1610 (jsc#PED-15832) ==== xorg-x11-server ==== Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra - updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) - bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999) - bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000) - bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001) - bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) - bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003) ==== xwayland ==== - updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) - bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999) - bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000) - bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001) - bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) - bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003)