Packages changed: Mesa (26.1.4 -> 26.1.5) Mesa-drivers (26.1.4 -> 26.1.5) blog (2.46 -> 2.47) ca-certificates (2+git20260420.2a8e251 -> 2+git20260717.2e3a23b) firewalld (2.1.2 -> 2.3.2) glslang (16.3.0 -> 16.4.0) gtk4 (4.22.4+11 -> 4.22.4+29) libyui (4.7.6 -> 4.7.7) libyui-ncurses (4.7.6 -> 4.7.7) libyui-ncurses-pkg (4.7.6 -> 4.7.7) libyui-qt (4.7.6 -> 4.7.7) libyui-qt-graph (4.7.6 -> 4.7.7) libyui-qt-pkg (4.7.6 -> 4.7.7) polkit rsyslog ruby4.0 (4.0.5 -> 4.0.6) salt virtiofsd (1.13.2 -> 1.14.0) wayland (1.25.0 -> 1.26.0) webkitgtk3 (2.52.4 -> 2.52.5) webkitgtk4 (2.52.4 -> 2.52.5) wget xorg-x11-server (21.1.21 -> 21.1.24) === Details === ==== Mesa ==== Version update (26.1.4 -> 26.1.5) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.5 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.5 ==== Mesa-drivers ==== Version update (26.1.4 -> 26.1.5) Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.5 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.5 ==== blog ==== Version update (2.46 -> 2.47) Subpackages: libblogger2 - Update to version 2.47 This addresses several race conditions, file descriptor leaks, and architectural issues regarding virtual terminal (VT) handling in blogd. * VT Encapsulation: Extracted all kernel-specific terminal ioctls and macros (e.g., KD_GRAPHICS, KD_TEXT) into a dedicated vt.c module. Added clean abstractions like vt_is_graphics(), vt_is_text(), and vt_set_text_mode() to decouple blogd.c and console.c from kernel headers. * List Management & FD Leaks: Fixed dynamic VT allocation in console.c. By resetting the console pointer to NULL before consalloc() and explicitly searching the doubly linked list for the target device ID afterward, we ensure the exact newly allocated terminal node is referenced. This fixes incorrect node assignments and prevents file descriptor leaks. * Smart VT Switching: Optimized the password prompt logic. If the currently active VT is a text console, the prompt is displayed there directly without unnecessary context switches. If the active VT is running a GUI (X11/Wayland), it safely switches to a newly allocated text VT and returns afterward. * EBUSY Race Condition: The child process now explicitly closes the temporary VT file descriptor before initiating the vt_switch back to the original console. This allows the parent process to safely perform vt_disallocate without encountering EBUSY kernel errors. * Timeout Handling: Replaced the infinite wait loop in request_tty() (tty.c) with a safe 2000ms timeout via can_read(). This prevents the daemon from hanging indefinitely on locked terminals and allowed the removal of error-prone alarm() signal hacks. * Lifecycle Management: Ensured newly allocated dynamic VTs are properly initialized via consinitIO() and reliably deallocated upon daemon exit (lcons_shutdown). Fix epoll EEXIST crash and prevent infinite waits on busy terminals This also addresses two critical edge cases that could cause the blogd daemon to either crash or hang during concurrent or blocked prompt requests. Key changes: * epoll.c: Prevent an `EEXIST` crash in `epoll_addition()`. If a file descriptor is already registered in the watch list, the daemon now gracefully updates it using `EPOLL_CTL_MOD` instead of blindly calling `EPOLL_CTL_ADD`. This makes the socket handling robust against rapid, overlapping client requests. * console.c: Add a 2-second deadline (`alarm(2)`) around the `request_tty()` call inside the password-prompt child process. Previously, if a terminal was exclusively locked (e.g. by an X11 server returning EPERM), the child would fall into an infinite inotify wait-loop. With the timeout, the child now dies cleanly, allowing the parent's reaping logic to properly cancel the prompt and send an ANSWER_ENQ (abort) to the waiting client. ==== ca-certificates ==== Version update (2+git20260420.2a8e251 -> 2+git20260717.2e3a23b) - Update to version 2+git20260717.2e3a23b: * Fix for 458d37d, logic got wrong - Update to version 2+git20260708.2380cdb: * Remove duplicate I from help text * Blacken test_update_ca_certificates * Replace backticks in shell scripts * Unify quoting in shell scripts * Refactor to POSIX sh * Reduce slashes in shell paths * Unify indentation style in shell scripts * CI: remove black format check and update actions * CI: create /etc/ca-certificates in the container ==== firewalld ==== Version update (2.1.2 -> 2.3.2) Subpackages: firewalld-bash-completion firewalld-lang python313-firewall * Fix CVE-2026-4948: local unprivileged users can modify firewall state due to D-Bus setter mis-authorizations (bsc#1260903) [+ 0003-CVE-2026-4948-fix-dbus-setter-authorization.patch] - Update to New Version 2.3.2 * doc(policy): add examples to man page * doc(policies): correct word is asymmetric * fix(doc): dbus: remove links to nonexistent IDs * fix(policy): allow forward ports with ingress zone and egress HOST * fix(server): load firewall rules before claiming dbus * fix(nftables): ipset: add entries from GLib loop when idle * fix(systemd): Requires dbus * fix(nftables): use current pkttype keywords * fix(systemd): use ProtectHome=tmpfs * fix(policy): allow-host-ipv6: allow MLD packets * fix(icmpv6): validate router codes * fix(icmpv6): validate neighbor codes * fix(icmpv6): validate redirect codes * docs(zone): update default zone target description to mention that ICMP is accepted * docs(zone): grammar fixes * docs(zone): mention that the ACCEPT target allows forwarding out of the zone * docs(zone): remove references to specific zone names in description of target attribute * docs: use US spelling of behavior - Update to New Version 2.3.0 -Update to New Version 2.3.0 It also includes all bug fixes since v2.3.0. * feat(policy): add disable flag * feat(client): policy: add disable flag * feat(cli): policy: add disable flag * feat(policy): increase maximum name length to 128 * feat(cli): policy: support setting disable on sets * feat(policy): set: add gateway ==== glslang ==== Version update (16.3.0 -> 16.4.0) - Update to release 16.4.0 * Implement `GLSL_EXT_structured_descriptor_heap` with SPIR-V layout generation, heap offset access, buffer references, matrix layout decorations, and correct `readonly`/`writeonly` qualifier propagation for buffer and image descriptors * Fix descriptor heap-bound buffer access to use typed pointers * Omit `NonUniform` decoration when using descriptor heaps, as the SPIR-V spec does not require it * Add `--relax-set-binding-limits` option to allow large `layout(set)` and `layout(binding)` values for descriptor heap-style workflows with sparse set spaces * Reject combined image samplers with `descriptor_heap` * Fix `GL_KHR_compute_shader_derivatives` regressions on shaders using the `GL_NV` variant * Update compute shader derivative rules to allow texture operations with implicit derivatives without extensions, falling back to LoD 0 * New extensions: `GL_EXT_ocp_microscaling_types`, `GL_NV_cooperative_matrix_decode_vector`, `GL_EXT_opacity_micromap_ray_query_mode` and basic support for `GL_NV_desktop_lowp_mediump` ==== gtk4 ==== Version update (4.22.4+11 -> 4.22.4+29) Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Update to version 4.22.4+29: + gl: Actually report partial damage + gtkapplication-wayland: Add a missing NULL check when forgetting a window + Fix the build with pango main + Revert "filechooserutils: Stop using pixbufs" + gskvulkanimage: fix building on 32-bit + Updated translations. ==== libyui ==== Version update (4.7.6 -> 4.7.7) - Fix build against GCC 16 (boo#1243674#c5, boo#1256972): + ncurses: Fix wchar_t stream insertion + Qt: Fix deprecated enum conversion in YQWizard + ncurses-pkg: remove unused-but-set variable 'idx' + ncurses-pkg: Replace deprecated SolvAttr provides and requires + qt-pkg: remove unused-but-set variables - 4.7.7 - Remove the -std=gnu++17 workaround in favor of the upcoming clean fix (boo#1256972) ==== libyui-ncurses ==== Version update (4.7.6 -> 4.7.7) - Fix build against GCC 16 (boo#1243674#c5, boo#1256972): + ncurses: Fix wchar_t stream insertion + Qt: Fix deprecated enum conversion in YQWizard + ncurses-pkg: remove unused-but-set variable 'idx' + ncurses-pkg: Replace deprecated SolvAttr provides and requires + qt-pkg: remove unused-but-set variables - 4.7.7 - Remove the -std=gnu++17 workaround in favor of the upcoming clean fix (boo#1256972) ==== libyui-ncurses-pkg ==== Version update (4.7.6 -> 4.7.7) - Fix build against GCC 16 (boo#1243674#c5, boo#1256972): + ncurses: Fix wchar_t stream insertion + Qt: Fix deprecated enum conversion in YQWizard + ncurses-pkg: remove unused-but-set variable 'idx' + ncurses-pkg: Replace deprecated SolvAttr provides and requires + qt-pkg: remove unused-but-set variables - 4.7.7 - Remove the -std=gnu++17 workaround in favor of the upcoming clean fix (boo#1256972) ==== libyui-qt ==== Version update (4.7.6 -> 4.7.7) - Fix build against GCC 16 (boo#1243674#c5, boo#1256972): + ncurses: Fix wchar_t stream insertion + Qt: Fix deprecated enum conversion in YQWizard + ncurses-pkg: remove unused-but-set variable 'idx' + ncurses-pkg: Replace deprecated SolvAttr provides and requires + qt-pkg: remove unused-but-set variables - 4.7.7 - Remove the -std=gnu++17 workaround in favor of the upcoming clean fix (boo#1256972) ==== libyui-qt-graph ==== Version update (4.7.6 -> 4.7.7) - Fix build against GCC 16 (boo#1243674#c5, boo#1256972): + ncurses: Fix wchar_t stream insertion + Qt: Fix deprecated enum conversion in YQWizard + ncurses-pkg: remove unused-but-set variable 'idx' + ncurses-pkg: Replace deprecated SolvAttr provides and requires + qt-pkg: remove unused-but-set variables - 4.7.7 - Remove the -std=gnu++17 workaround in favor of the upcoming clean fix (boo#1256972) ==== libyui-qt-pkg ==== Version update (4.7.6 -> 4.7.7) - Fix build against GCC 16 (boo#1243674#c5, boo#1256972): + ncurses: Fix wchar_t stream insertion + Qt: Fix deprecated enum conversion in YQWizard + ncurses-pkg: remove unused-but-set variable 'idx' + ncurses-pkg: Replace deprecated SolvAttr provides and requires + qt-pkg: remove unused-but-set variables - 4.7.7 - Remove the -std=gnu++17 workaround in favor of the upcoming clean fix (boo#1256972) ==== polkit ==== Subpackages: libpolkit-agent-1-0 libpolkit-gobject-1-0 pkexec typelib-1_0-Polkit-1_0 - pkexec: add provides pkexec-rpm to be able to give the solver a hint that this is the real pkexec.rpm [bsc#1267899] ==== rsyslog ==== - added a devel subpackage, with requires (jsc#PED-16301) ==== ruby4.0 ==== Version update (4.0.5 -> 4.0.6) Subpackages: libruby4_0-4_0 - Update to 4.0.6 - Bug #22070: Thread.each_caller_location(1, 1) segfaults when called from a cfunc - Bug #22075: heap-use-after-free in rb_vm_ci_lookup under parallel Ractors - Bug #22076: defined? returns nil for protected methods defined in a module even when callable - Bug #22072: [BUG] should have cvar cache entry - Bug #22074: YJIT misaligns locals when there are > 256 local variables - Bug #22064: GC compaction breaks compare-by-identity sets - Bug #22084: invokesuper from define_method in Ractor can call wrong super method or crash - Bug #22092: Array#sum takes slow path, does not perform compensated summation of Float elements when init argument is a Float - Bug #14635: Float#round(n) returns a wrong result when n is big - Bug #22079: Float#ceil gives incorrect result - Bug #22096: Freeing a mutex locked by a fiber inside fiber scheduler can crash - Bug #21996: Crash when modifying instance variables during inspect or Marshal dump - Bug #22101: ASAN heap-use-after-free in rb_data_free after TypedData dfree frees dynamic rb_data_type_t - Bug #22103: Constant-folded /o regexp crashes with dupstring of a Regexp - Bug #21991: $! stays as the first exception in Ruby Box - Feature #21881: Split the root box into the (newer) root box and the master of copied user boxes - Bug #22120: Segfault caused by ar_find_entry_hint() not checking for conversion to st_table - Bug #22129: error_highlight raises NotImplementedError for ArgumentErrors that get wrapped - Bug #21864: Inconsistencies in type coercion error messages for integers - Bug #21882: IO::Buffer#locked leaves the buffer locked when the block raises - Bug #22127: parse.y regexp crash on invalid encoding - Bug #22126: Stack underflow for partial DCE and loops - Bug #22124: void value missed in parse.y - Bug #22104: Segfault in PRISM while Bootsnap compiles aws-sdk client_api.rb - Bug #21685: Unnecessary context-switching, especially bad on multi-core machines. - Bug #22099: Keyword-only method silently accepts a positional argument - Bug #22183: parse.y interpolation inside lambda literal - Bug #22181: SEGV in branch peephole optimization due to label/insn struct aliasing - Bug #22133: Ruby's default SIGINT handling ignores Thread.handle_interrupt masking. - Bug #22189: Enumerator::Lazy#to_enum does not accept method names as strings - Bug #22191: Signal.trap(:EXIT) exception only shown if at_exit also raises ==== salt ==== Subpackages: python313-salt salt-master salt-minion - Stabilize testsuite tests and fix AllEventsHandler - Switch apache2ctl to apachectl for SUSE OSes (bsc#1252286) - Support attrlist in ldap.managed (bsc#1257151) - Added: * stabilize-testsuite-tests-and-fix-alleventshandler-7.patch * switch-apache2ctl-to-apachectl-for-suse-oses-bsc-125.patch * support-attrlist-in-ldap.managed-746.patch ==== virtiofsd ==== Version update (1.13.2 -> 1.14.0) - Update to version 1.14.0: * Bump version to v1.14.0 * passthrough: only clear capabilities on regular files * Track the file type on HandleData * read_dir: add tests for u64 cookie fallback path * read_dir: handle u64 directory cookies that exceed i64::MAX * passthrough: add negotiation modes to --security-label * passthrough: add negotiation modes to --posix-acl * vhost_user: exit gracefully on queue processing errors * vhost_user: extract process_message() from queue processing loops * deps: bump vhost 0.15->0.16, vhost-user-backend 0.21->0.22 * passthrough: remove redundant inode lookups in open_inode() * server: do not reject oversized readdir requests * server: reject malformed extension lengths with a minimal local check * passthrough: avoid panic in setxattr on non-UTF-8 names * Support multiple supplementary groups * Update rust-vmm dependencies * seccomp: Don't allow newfstatat syscall on sparc64 * README: --announce-submounts is enabled by default * sandbox: only canonicalize shared_dir for chroot * sandbox: fix pivot_root to relative paths - Add explicit handling of (and checking that is has actually been handled) bsc#1257912 (CVE-2026-25727). Patch added: * update-time-0.3.47.patch - Service file cleanup and refactoring - Update to version 1.13.3: * Bump version to v1.13.3 * Allow readv() seccomp * Allow pwritev() seccomp * Extend traits methods to support ReadvFlag * Replace preadv64() with preadv2() * Update pwritev2() flags * Add Intellij IDEA configuration to .gitignore ==== wayland ==== Version update (1.25.0 -> 1.26.0) Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Update to release 1.26 * A new wl_pointer.warp event, to notify a new pointer position without an end-user-initiated motion event. * A new wl_fixes.ack_global_remove request, to address races related to global remove events. * A new wl_display_remove_socket_fd() function to remove sockets previously added via wl_display_add_socket_fd(). * WAYLAND_DEBUG timestamps now use the "HH:MM:ss.xxxxxx" format, making them easier to read and compare with other logs. - Drop pre-Leap-16.x build logic ==== webkitgtk3 ==== Version update (2.52.4 -> 2.52.5) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.52.5: + Fire scrollend event for instant programmatic scrolls. + Increase network idle connection timeout to 115 seconds. + Add User-Agent quirk for HBO Max. + Fix the build with system malloc. + Fix several crashes and rendering issues. - Drop webkitgtk-ppc64le-build-fix.patch: Applied upstream. ==== webkitgtk4 ==== Version update (2.52.4 -> 2.52.5) Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles - Update to version 2.52.5: + Fire scrollend event for instant programmatic scrolls. + Increase network idle connection timeout to 115 seconds. + Add User-Agent quirk for HBO Max. + Fix the build with system malloc. + Fix several crashes and rendering issues. - Drop webkitgtk-ppc64le-build-fix.patch: Applied upstream. ==== wget ==== Subpackages: wget-lang - ftp validate PASV/LPSV response address against control connection peer [bsc#1271320, CVE-2026-15146] * CVE-2026-15146.patch ==== xorg-x11-server ==== Version update (21.1.21 -> 21.1.24) Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra - Update to version 21.1.24 - Replaced xorg-server-21.1.21.tar.xz with xorg-server-21.1.24.tar.xz - Dropped patches now included upstream: * bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch (bsc#1260922, CVE-2026-33999) * bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch (bsc#1260923, CVE-2026-34000) * bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch (bsc#1260924, CVE-2026-34001) * bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch (bsc#1260925, CVE-2026-34002) * bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch (bsc#1260925, CVE-2026-34002) * bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch (bsc#1260926, CVE-2026-34003) * bsc1266294_CVE-2026-XXXX1_0007-dix-increase-XLFDMAXFONTNAMELEN-to-match-libXfont2-s.patch (bsc#1266294, CVE-2026-XXXX1) * bsc1266295_CVE-2026-XXXX2_0001-sync-fix-deletion-of-counters-and-fences.patch (bsc#1266295, CVE-2026-XXXX2) * bsc1266296_CVE-2026-XXXX3_0003-xkb-reject-key-types-with-num_levels-exceeding-XkbMa.patch (bsc#1266296, CVE-2026-XXXX3) * bsc1266297_CVE-2026-XXXX4_0004-xkb-clamp-nMaps-to-mapWidths-buffer-size-in-CheckKey.patch (bsc#1266297, CVE-2026-XXXX4) * bsc1266299_CVE-2026-XXXX6_0002-sync-restart-trigger-list-iteration-in-SyncChangeCou.patch (bsc#1266299, CVE-2026-XXXX6) * bsc1266300_CVE-2026-XXXX7_0005-glx-fix-reversed-length-check-in-ChangeDrawableAttri.patch (bsc#1266300, CVE-2026-XXXX7) * bsc1266301_CVE-2026-XXXX8_0006-saver-re-fetch-screen-private-after-CheckScreenPriva.patch (bsc#1266301, CVE-2026-XXXX8) * bsc1266302_CVE-2026-XXXX9_0001-dri2-Use-booleans-for-fake-front-buffer-tracking-in-.patch (bsc#1266302, CVE-2026-XXXX9) * bsc1266302_CVE-2026-XXXX9_0002-dri2-Deduplicate-attachments-in-do_get_buffer.patch (bsc#1266302, CVE-2026-XXXX9) * bsc1268893_CVE-2026-55999_0002-fb-mi-glamor-reject-glyphs-with-negative-dimensions.patch (bsc#1268893, CVE-2026-55999) * bsc1268893_CVE-2026-55999_0003-glamor-reject-fonts-with-per-glyph-metrics-exceeding.patch (bsc#1268893, CVE-2026-55999) * U_GLX-Free-the-tag-of-the-old-context-later.patch (bsc#1268894, CVE-2026-56000) * bsc1268894_CVE-2026-56000_0001-glx-free-old-context-tag-before-allocating-new-one-i.patch (bsc#1268894, CVE-2026-56000)