Packages changed: Mesa (26.1.4 -> 26.1.5) Mesa-drivers (26.1.4 -> 26.1.5) blog (2.46 -> 2.47) ca-certificates (2+git20260420.2a8e251 -> 2+git20260717.2e3a23b) firewalld (2.1.2 -> 2.3.2) glslang (16.3.0 -> 16.4.0) polkit run0-wrappers (0.4+git20260203.bbbfcf8 -> 0.5.0+git20260717.efd7268) runc (1.4.2 -> 1.4.3) wayland (1.25.0 -> 1.26.0) wget xorg-x11-server (21.1.21 -> 21.1.24) === Details === ==== Mesa ==== Version update (26.1.4 -> 26.1.5) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to 26.1.5 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.5 ==== Mesa-drivers ==== Version update (26.1.4 -> 26.1.5) Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Update to 26.1.5 bugfix release - -> https://docs.mesa3d.org/relnotes/26.1.5 ==== blog ==== Version update (2.46 -> 2.47) Subpackages: libblogger2 - Update to version 2.47 This addresses several race conditions, file descriptor leaks, and architectural issues regarding virtual terminal (VT) handling in blogd. * VT Encapsulation: Extracted all kernel-specific terminal ioctls and macros (e.g., KD_GRAPHICS, KD_TEXT) into a dedicated vt.c module. Added clean abstractions like vt_is_graphics(), vt_is_text(), and vt_set_text_mode() to decouple blogd.c and console.c from kernel headers. * List Management & FD Leaks: Fixed dynamic VT allocation in console.c. By resetting the console pointer to NULL before consalloc() and explicitly searching the doubly linked list for the target device ID afterward, we ensure the exact newly allocated terminal node is referenced. This fixes incorrect node assignments and prevents file descriptor leaks. * Smart VT Switching: Optimized the password prompt logic. If the currently active VT is a text console, the prompt is displayed there directly without unnecessary context switches. If the active VT is running a GUI (X11/Wayland), it safely switches to a newly allocated text VT and returns afterward. * EBUSY Race Condition: The child process now explicitly closes the temporary VT file descriptor before initiating the vt_switch back to the original console. This allows the parent process to safely perform vt_disallocate without encountering EBUSY kernel errors. * Timeout Handling: Replaced the infinite wait loop in request_tty() (tty.c) with a safe 2000ms timeout via can_read(). This prevents the daemon from hanging indefinitely on locked terminals and allowed the removal of error-prone alarm() signal hacks. * Lifecycle Management: Ensured newly allocated dynamic VTs are properly initialized via consinitIO() and reliably deallocated upon daemon exit (lcons_shutdown). Fix epoll EEXIST crash and prevent infinite waits on busy terminals This also addresses two critical edge cases that could cause the blogd daemon to either crash or hang during concurrent or blocked prompt requests. Key changes: * epoll.c: Prevent an `EEXIST` crash in `epoll_addition()`. If a file descriptor is already registered in the watch list, the daemon now gracefully updates it using `EPOLL_CTL_MOD` instead of blindly calling `EPOLL_CTL_ADD`. This makes the socket handling robust against rapid, overlapping client requests. * console.c: Add a 2-second deadline (`alarm(2)`) around the `request_tty()` call inside the password-prompt child process. Previously, if a terminal was exclusively locked (e.g. by an X11 server returning EPERM), the child would fall into an infinite inotify wait-loop. With the timeout, the child now dies cleanly, allowing the parent's reaping logic to properly cancel the prompt and send an ANSWER_ENQ (abort) to the waiting client. ==== ca-certificates ==== Version update (2+git20260420.2a8e251 -> 2+git20260717.2e3a23b) - Update to version 2+git20260717.2e3a23b: * Fix for 458d37d, logic got wrong - Update to version 2+git20260708.2380cdb: * Remove duplicate I from help text * Blacken test_update_ca_certificates * Replace backticks in shell scripts * Unify quoting in shell scripts * Refactor to POSIX sh * Reduce slashes in shell paths * Unify indentation style in shell scripts * CI: remove black format check and update actions * CI: create /etc/ca-certificates in the container ==== firewalld ==== Version update (2.1.2 -> 2.3.2) Subpackages: python313-firewall * Fix CVE-2026-4948: local unprivileged users can modify firewall state due to D-Bus setter mis-authorizations (bsc#1260903) [+ 0003-CVE-2026-4948-fix-dbus-setter-authorization.patch] - Update to New Version 2.3.2 * doc(policy): add examples to man page * doc(policies): correct word is asymmetric * fix(doc): dbus: remove links to nonexistent IDs * fix(policy): allow forward ports with ingress zone and egress HOST * fix(server): load firewall rules before claiming dbus * fix(nftables): ipset: add entries from GLib loop when idle * fix(systemd): Requires dbus * fix(nftables): use current pkttype keywords * fix(systemd): use ProtectHome=tmpfs * fix(policy): allow-host-ipv6: allow MLD packets * fix(icmpv6): validate router codes * fix(icmpv6): validate neighbor codes * fix(icmpv6): validate redirect codes * docs(zone): update default zone target description to mention that ICMP is accepted * docs(zone): grammar fixes * docs(zone): mention that the ACCEPT target allows forwarding out of the zone * docs(zone): remove references to specific zone names in description of target attribute * docs: use US spelling of behavior - Update to New Version 2.3.0 -Update to New Version 2.3.0 It also includes all bug fixes since v2.3.0. * feat(policy): add disable flag * feat(client): policy: add disable flag * feat(cli): policy: add disable flag * feat(policy): increase maximum name length to 128 * feat(cli): policy: support setting disable on sets * feat(policy): set: add gateway ==== glslang ==== Version update (16.3.0 -> 16.4.0) - Update to release 16.4.0 * Implement `GLSL_EXT_structured_descriptor_heap` with SPIR-V layout generation, heap offset access, buffer references, matrix layout decorations, and correct `readonly`/`writeonly` qualifier propagation for buffer and image descriptors * Fix descriptor heap-bound buffer access to use typed pointers * Omit `NonUniform` decoration when using descriptor heaps, as the SPIR-V spec does not require it * Add `--relax-set-binding-limits` option to allow large `layout(set)` and `layout(binding)` values for descriptor heap-style workflows with sparse set spaces * Reject combined image samplers with `descriptor_heap` * Fix `GL_KHR_compute_shader_derivatives` regressions on shaders using the `GL_NV` variant * Update compute shader derivative rules to allow texture operations with implicit derivatives without extensions, falling back to LoD 0 * New extensions: `GL_EXT_ocp_microscaling_types`, `GL_NV_cooperative_matrix_decode_vector`, `GL_EXT_opacity_micromap_ray_query_mode` and basic support for `GL_NV_desktop_lowp_mediump` ==== polkit ==== Subpackages: libpolkit-agent-1-0 libpolkit-gobject-1-0 typelib-1_0-Polkit-1_0 - pkexec: add provides pkexec-rpm to be able to give the solver a hint that this is the real pkexec.rpm [bsc#1267899] ==== run0-wrappers ==== Version update (0.4+git20260203.bbbfcf8 -> 0.5.0+git20260717.efd7268) - Update to version 0.5.0+git20260717.efd7268: * Release version 0.5.0 * run0-sudo: support environment variables in commandline (#5) * run0-sudo: add test for -k/-K option handling * sudo/su: Fix handling of environment variables with newlines * run0-sudo: improved version of -k/-K options (#6) ==== runc ==== Version update (1.4.2 -> 1.4.3) - update to 1.4.3 (bsc#1268275, CVE-2026-41579): * [CVE-2026-41579][] allowed a malicious image with a `/dev` symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in [CVE-2025-31133][], [CVE-2025-52565][], [CVE-2025-31133][] and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases. * Various integration test improvements. (#5222, #5237, #5226, [#5229], #5239, #5249, #5269, #5287, #5295, #5304) * When masking directories with `maskPaths`, runc will now re- use a single `tmpfs` instance (which is not writeable) to reduce the number `tmpfs` superblocks that need to be reaped when containers die (in particular, Kubernetes applies masks to per-CPU sysfs directories which get expensive quickly). - add vendor.tar.gz to bump x/net ==== wayland ==== Version update (1.25.0 -> 1.26.0) Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - Update to release 1.26 * A new wl_pointer.warp event, to notify a new pointer position without an end-user-initiated motion event. * A new wl_fixes.ack_global_remove request, to address races related to global remove events. * A new wl_display_remove_socket_fd() function to remove sockets previously added via wl_display_add_socket_fd(). * WAYLAND_DEBUG timestamps now use the "HH:MM:ss.xxxxxx" format, making them easier to read and compare with other logs. - Drop pre-Leap-16.x build logic ==== wget ==== - ftp validate PASV/LPSV response address against control connection peer [bsc#1271320, CVE-2026-15146] * CVE-2026-15146.patch ==== xorg-x11-server ==== Version update (21.1.21 -> 21.1.24) Subpackages: xorg-x11-server-Xvfb - Update to version 21.1.24 - Replaced xorg-server-21.1.21.tar.xz with xorg-server-21.1.24.tar.xz - Dropped patches now included upstream: * bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch (bsc#1260922, CVE-2026-33999) * bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch (bsc#1260923, CVE-2026-34000) * bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch (bsc#1260924, CVE-2026-34001) * bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch (bsc#1260925, CVE-2026-34002) * bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch (bsc#1260925, CVE-2026-34002) * bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch (bsc#1260926, CVE-2026-34003) * bsc1266294_CVE-2026-XXXX1_0007-dix-increase-XLFDMAXFONTNAMELEN-to-match-libXfont2-s.patch (bsc#1266294, CVE-2026-XXXX1) * bsc1266295_CVE-2026-XXXX2_0001-sync-fix-deletion-of-counters-and-fences.patch (bsc#1266295, CVE-2026-XXXX2) * bsc1266296_CVE-2026-XXXX3_0003-xkb-reject-key-types-with-num_levels-exceeding-XkbMa.patch (bsc#1266296, CVE-2026-XXXX3) * bsc1266297_CVE-2026-XXXX4_0004-xkb-clamp-nMaps-to-mapWidths-buffer-size-in-CheckKey.patch (bsc#1266297, CVE-2026-XXXX4) * bsc1266299_CVE-2026-XXXX6_0002-sync-restart-trigger-list-iteration-in-SyncChangeCou.patch (bsc#1266299, CVE-2026-XXXX6) * bsc1266300_CVE-2026-XXXX7_0005-glx-fix-reversed-length-check-in-ChangeDrawableAttri.patch (bsc#1266300, CVE-2026-XXXX7) * bsc1266301_CVE-2026-XXXX8_0006-saver-re-fetch-screen-private-after-CheckScreenPriva.patch (bsc#1266301, CVE-2026-XXXX8) * bsc1266302_CVE-2026-XXXX9_0001-dri2-Use-booleans-for-fake-front-buffer-tracking-in-.patch (bsc#1266302, CVE-2026-XXXX9) * bsc1266302_CVE-2026-XXXX9_0002-dri2-Deduplicate-attachments-in-do_get_buffer.patch (bsc#1266302, CVE-2026-XXXX9) * bsc1268893_CVE-2026-55999_0002-fb-mi-glamor-reject-glyphs-with-negative-dimensions.patch (bsc#1268893, CVE-2026-55999) * bsc1268893_CVE-2026-55999_0003-glamor-reject-fonts-with-per-glyph-metrics-exceeding.patch (bsc#1268893, CVE-2026-55999) * U_GLX-Free-the-tag-of-the-old-context-later.patch (bsc#1268894, CVE-2026-56000) * bsc1268894_CVE-2026-56000_0001-glx-free-old-context-tag-before-allocating-new-one-i.patch (bsc#1268894, CVE-2026-56000)