Packages changed:
  NetworkManager-openvpn (1.12.0 -> 1.12.2)
  apache2-mod_php8 (8.4.10 -> 8.4.11)
  aws-lc (1.57.1 -> 1.58.0)
  bash (5.2.37 -> 5.3.3)
  gstreamer (1.26.4 -> 1.26.5)
  gstreamer-plugins-bad (1.26.4 -> 1.26.5)
  gstreamer-plugins-base (1.26.4 -> 1.26.5)
  gstreamer-plugins-good (1.26.4 -> 1.26.5)
  lhasa (0.4.0 -> 0.5.0)
  libgcrypt (1.11.1 -> 1.11.2)
  libplacebo
  libplacebo5
  net-tools
  openSUSE-release (20250812 -> 20250813)
  ovmf
  php8 (8.4.10 -> 8.4.11)
  python-Twisted
  python-anyio (4.9.0 -> 4.10.0)
  python-kiwi (10.2.30 -> 10.2.32)
  qemu (10.0.2 -> 10.0.3)
  readline (8.2.13 -> 8.3.1)
  sdbootutil (1+git20250804.8dccab3 -> 1+git20250812.13f4562)
  selinux-policy (20250730 -> 20250812)
  strace (6.15 -> 6.16)
  util-linux
  util-linux-systemd
  yast2-bootloader (5.0.23 -> 5.0.24)

=== Details ===

==== NetworkManager-openvpn ====
Version update (1.12.0 -> 1.12.2)
Subpackages: NetworkManager-applet-openvpn NetworkManager-openvpn-lang

- Update to version 1.12.2:
  + Fix bug that caused that challenge was incorrectly reused if invalid or expired.
  + Add support for "data-ciphers-fallback" option.
  + Add GUI support for "data-ciphers" option.
  + Fix export for password connection type that was not exporting some fields.
  + Fix mnemonics in editor's Identity - Advanced view
  + Auth-dialog ported to GTK4
  + Import certificates into the XDG_DATA_HOME directory.
  + Updated translations.
- Drop nm-openvpn-fix-crash.patch: Fixed upstream (in a slightly different way).
- Rebase fix-for-missing-whirlpool-hmac-authentication.patch with quilt.

==== apache2-mod_php8 ====
Version update (8.4.10 -> 8.4.11)

- version update to 8.4.11
  Calendar:
    Fixed jewishtojd overflow on year argument.
  Core:
    Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order).
    Fixed bug GH-18907 (Leak when creating cycle in hook).
    Fix OSS-Fuzz #427814456.
    Fix OSS-Fuzz #428983568 and #428760800.
    Fixed bug GH-17204 (-Wuseless-escape warnings emitted by re2c).
    Fixed bug GH-19064 (Undefined symbol 'execute_ex' on Windows ARM64).
  Curl:
    Fix memory leaks when returning refcounted value from curl callback.
    Remove incorrect string release.
  DOM:
    Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined behavior with null byte).
  LDAP:
    Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID.
  MbString:
    Fixed bug GH-18901 (integer overflow mb_split).
  Opcache:
    Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
    Fixed bug GH-18899 (JIT function crash when emitting undefined variable warning and opline is not set yet).
    Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
    Fixed bug GH-18898 (SEGV zend_jit_op_array_hot with property hooks and preloading).
  OpenSSL:
    Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).
  PCNTL:
    Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).
  Phar:
    Fix stream double free in phar.
    Fix phar crash and file corruption with SplFileObject.
  SOAP:
    Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
    Fix memory leak when URL parsing fails in redirect.
  SPL:
    Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
  Standard:
    Fix misleading errors in printf().
    Fix RCN violations in array functions.
    Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
  Streams:
    Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
  Zip:
    Fix leak when path is too long in ZipArchive::extractTo().

==== aws-lc ====
Version update (1.57.1 -> 1.58.0)
Subpackages: libcrypto-awslc0 libssl-awslc0

- update to version 1.58.0:
  * Add EVP_PKEY_check and EVP_PKEY_public_check
  * Rewrite 4-fold batched SHAKE to be amenable to batched Keccak-F1600 assembly
  * Fix Win64 unwind info alignment
  * Migrate MSVC tests to CodeBuild
  * Add optimized + verified hybrid AArch64 assembly for batched SHA3/SHAKE
  * target.h: more clearly check for ppc64 endianness
  * Impl SSL_client_hello_get1_extensions_present and friends
  * Implement SSL_set_verify_result
  * ML-DSA constant-time hardening for caddq, poly_chknorm, decompose

==== bash ====
Version update (5.2.37 -> 5.3.3)
Subpackages: bash-lang bash-sh

- Take refreshed source tar ball with up-to-date (g)po files
- Refresh (g)po files as well due to our patches
- Add upstream patches
  * bash53-001
    In posix mode, `wait -n' with pid arguments does not restrict the set of processes it considers to those arguments.
  * bash53-002
    There are too many differences in the various implementations of shm_open(2) to rely on it for bash's use.
  * bash53-003
    Bash leaves internal quoting in place when expanding array subscripts that appear inside array subscripts in an arithmetic context, causing expansion failures.
- The package bash-loadables supplements a specific bash version
- Update to bash 5.3
  a. When checking whether a script file argument is a binary file, check the first two lines of a script if the first line begins with `#!'.
  b. Bash does a better job of preserving user-supplied quotes around a word completion, instead of requoting it.
  c. Bash reports the starting line number in an error message about an unterminated compound command like `if' without a `fi'.
  d. Implement the POSIX requirement that running the `jobs' builtin removes jobs from the jobs list.
  f. Call bash signal handlers while executing programmable completion commands, instead of readline's.
  g. Print an error message if a regular expression used with [[ fails to compile.
  h. The `umask' builtin now has additional features for full POSIX conformance.
  i. `type -a -P' reports both hashed pathnames and the result of a $PATH search.
  j. `trap' has a new -P option that prints the trap action associated with each signal argument.
  k. The `command' builtin preceding a declaration builtin (e.g., `declare') preserves the special assignment statement parsing for the declaration builtin. This is a new POSIX requirement.
  l. `printf' uses the `alternate form' for %q and %Q to force single quoting.
  m. `printf' now interprets %ls (%S) and %lc (%C) as referring to wide strings and characters, respectively, when in a multibyte locale.
  n. The shell can be compiled with a different default value for the patsub_replacement option.
  o. Check for window size changes during trap commands, `bind -x' commands, and programmable completion.
  p. Treat a NULL value for $PATH as equivalent to ".".
  p. New loadable builtins: kv, strptime
  q. GLOBSORT: new variable to specify how to sort the results of pathname expansion (name, size, blocks, mtime, atime, ctime, numeric, none) in ascending or descending order.
  r. `compgen' has a new option: -V varname. If supplied, it stores the generated completions into VARNAME instead of printing them on stdout.
  s. New form of command substitution: ${ command; } or ${|command;} to capture the output of COMMAND without forking a child process and using pipes.
  t. array_expand_once: new shopt option, replaces assoc_expand_once
  u. complete/compopt new option: fullquote; sets rl_full_quoting_desired so all possible completions are quoted as if they were filenames.
  v. Command timing now allows precisions up to 6 digits instead of 3 in $TIMEFORMAT.
  w. BASH_MONOSECONDS: new dynamic variable that returns the value of the system's monotonic clock, if one is available.
  x. BASH_TRAPSIG: new variable, set to the numeric signal number of the trap being executed while it's running.
  y. The checkwinsize option can be used in subshell commands started from interactive shells.
  z. In posix mode, the test command < and > binary primaries compare strings using the current locale.
  aa. bind -x allows new key binding syntax: separate the key sequence and the command string with whitespace, but require the command string to be double-quoted if this is used. This allows different quoting options for the command string.
  bb. Print commands bound to key sequences using `bind -x' with the new key binding syntax it allows.
  cc. `read' has a new `-E' option to use readline but with the default bash completion (including programmable completion).
  dd. New bindable readline command name: `bash-vi-complete'.
  ee. New test builtin behavior when parsing a parenthesized subexpression and test was given more than 4 arguments: scan forward for a closing paren and call posixtest() if there are 4 or fewer arguments between the parentheses. Added for compatibility with coreutils test, dependent on the shell compatibility level. Such expressions remain ambiguous.
  ff. MULTIPLE_COPROCS is now enabled by default.
  gg. The `bind' builtin interprets additional non-option arguments after -p or -P as bindable command names and restricts output to the bindings for those names.
  hh. Bash now uses the login shell for $BASH if the shell is named `su' or `-su'.
  ii. Bash now prints job notifications if an interactive shell is running a trap, even though the shell is not interactive at that moment.
  jj. Programmable completion allows a new compspec loaded after a completion function returns 124 to be used in more cases.
  kk. ./source has a new -p PATH option, which makes it use the PATH argument instead of $PATH to look for the file.
  ll. Documentation has been significantly updated.
  mm. `wait -n' can now return terminated process substitutions, jobs about which the user has already been notified (like `wait' without options),
  nn. `wait -n' removes jobs from the jobs table or list of terminated children when in posix mode.
  oo. Changed the `wait' builtin behavior regarding process substitutions to match the documentation.
  pp. There is a new `bash_source_fullpath' shopt option, which makes bash put full pathnames into BASH_SOURCE, and a way to set a default value for it at configure time.
  qq. Posix mode now forces job notifications to occur when the new edition of POSIX specifies (since it now specifies them).
  ... changelog too long, skipping 27 lines ...
  * bash-5.2-gcc14.patch

==== gstreamer ====
Version update (1.26.4 -> 1.26.5)
Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.26.5:
  + Highlighted bugfixes:
    - audioconvert: Fix caps negotiation regression when using a mix matrix
    - cea608overlay, cea708overlay: Accept GPU memory buffers if downstream supports the overlay composition meta
    - d3d12screencapture source element and device provider fixes
    - decodebin3: Don't error on an incoming ONVIF metadata stream
    - uridecodebin3: Fix potential crash when adding URIs to messages, e.g. if no decoder is available
    - v4l2: Fix memory leak for dynamic resolution change
    - VA encoder fixes
    - videorate, imagefreeze: Add support for JPEG XS
    - Vulkan integration fixes
    - wasapi2 audio device monitor improvements
    - threadshare: Many improvements and fixes to the generic threadshare and RTP threadshare elements
    - rtpbin2 improvements and fixes
    - gst-device-monitor-1.0 command line tool improvements
    - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements
  + gstreamer:
    - aggregator: add sub_latency_min to pad queue size
    - build: Disable C5287 warning on MSVC

==== gstreamer-plugins-bad ====
Version update (1.26.4 -> 1.26.5)
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.26.5:
  + av1parse: Don't error out on "currently" undefined seq-level indices
  + av1parse: fails to parse AV1 bitstreams generated by FFmpeg using the av1_nvenc hardware encoder
  + d3d12screencapturedevice: Avoid false device removal on monitor reconfiguration
  + d3d12screencapturesrc: Fix OS handle leaks/random crash in WGC mode
  + meson: d3d12: Add support for MinGW DirectXMath package
  + va: Re-negotiate after FLUSH
  + vaXXXenc: calculate latency with corrected framerate
  + vaXXXenc: fix potential race condition
  + vkphysicaldevice: enable sampler ycbcr conversion, synchronization2 and timeline semaphore features
  + vulkan: ycbcr conversion extension got promoted in 1.1.0
  + wasapi2: Port to IMMDevice based device selection

==== gstreamer-plugins-base ====
Version update (1.26.4 -> 1.26.5)
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Update to version 1.26.5:
  + audioconvert: mix-matrix causes caps negotiation failure
  + decodebin3: Don't error on an incoming ONVIF metadata stream
  + gloverlay: Recompute geometry when caps change, and load texture after stopping and starting again
  + uridecodebin3: Add missing locking and NULL checks when adding URIs to messages
  + uridecodebin3: segfault in update_message_with_uri() if no decoder available
  + videorate, imagefreeze: add support for JPEG XS
  + gst-device-monitor-1.0: Add shell quoting for launch lines
  + gst-device-monitor-1.0: Fix criticals, and also accept utf8 in launch lines
  + gst-device-monitor-1.0: Use gst_print instead of g_print

==== gstreamer-plugins-good ====
Version update (1.26.4 -> 1.26.5)
Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang

- Update to version 1.26.5:
  + v4l2: fix memory leak for dynamic resolution change
  + videorate, imagefreeze: add support for JPEG XS

==== lhasa ====
Version update (0.4.0 -> 0.5.0)
Subpackages: liblhasa0

- Update to release 0.5.0
  * The output from the list subcommands has been tweaked to be more consistent.
  * A workaround was added for a bug with the Amiga port of lha that causes some versions to generate malformed archives where directories are stored using the -lh0- compression type.
  * Support was added for the 64-bit file sizes header, allowing huge files (>=4GiB) generated by the MorphOS port of lha to be extracted correctly.
  * The compression ratio shown in list output now always rounds up to the next 0.1%.
  * The manual page now includes more detailed information about the different list subcommands.
  * The liblhasa headers are now installed into a directory with a name that accurately reflects the project's version number.
  * The liblhasa .so version numbers now have meaningful numbers.
  * Some error messages were changed to print filenames safely.
  * Extraction of DECLHA self-extracting archives was fixed.
  * Undefined behavior in the BitStreamReader code was fixed.

==== libgcrypt ====
Version update (1.11.1 -> 1.11.2)
Subpackages: libgcrypt20 libgcrypt20-32bit libgcrypt20-x86-64-v3

- Update to 1.11.2:
  * portability fixes
  * Support secp256k1 by KEM API. GnuPG has recently switched to use the KEM interface and a few folks are using this curve
  * Fix a missing initialization in RSA's generate_fips.
  * Use '.rodata' section for read-only data of poly1305-p10le

==== libplacebo ====

- Add 12509c0f.patch: Fix build on python 3.13.6.

==== libplacebo5 ====

- Add 12509c0f.patch: Fix build on python 3.13.6.

==== net-tools ====
Subpackages: net-tools-lang

- Provide more readable error for interface name size checking introduced by net-tools-CVE-2025-46836.patch (bsc#1243581, net-tools-CVE-2025-46836-error-reporting.patch).

==== openSUSE-release ====
Version update (20250812 -> 20250813)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== ovmf ====
Subpackages: qemu-ovmf-x86_64

- Update firmware descriptors for SEV-SNP and TDX (bsc#1247847)
  - Add 50-ovmf-x86_64-sev-snp.json to support the 'amd-sev-snp' feature.
  - Remove the sev-snp feature from 50-ovmf-x86_64-sev.json.
  - Update the device in 60-ovmf-x86_64-tdx.json from 'pflash' to 'memory'.

==== php8 ====
Version update (8.4.10 -> 8.4.11)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.4.11
  Calendar:
    Fixed jewishtojd overflow on year argument.
  Core:
    Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order).
    Fixed bug GH-18907 (Leak when creating cycle in hook).
    Fix OSS-Fuzz #427814456.
    Fix OSS-Fuzz #428983568 and #428760800.
    Fixed bug GH-17204 (-Wuseless-escape warnings emitted by re2c).
    Fixed bug GH-19064 (Undefined symbol 'execute_ex' on Windows ARM64).
  Curl:
    Fix memory leaks when returning refcounted value from curl callback.
    Remove incorrect string release.
  DOM:
    Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined behavior with null byte).
  LDAP:
    Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID.
  MbString:
    Fixed bug GH-18901 (integer overflow mb_split).
  Opcache:
    Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
    Fixed bug GH-18899 (JIT function crash when emitting undefined variable warning and opline is not set yet).
    Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
    Fixed bug GH-18898 (SEGV zend_jit_op_array_hot with property hooks and preloading).
  OpenSSL:
    Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).
  PCNTL:
    Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).
  Phar:
    Fix stream double free in phar.
    Fix phar crash and file corruption with SplFileObject.
  SOAP:
    Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
    Fix memory leak when URL parsing fails in redirect.
  SPL:
    Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
  Standard:
    Fix misleading errors in printf().
    Fix RCN violations in array functions.
    Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
  Streams:
    Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
  Zip:
    Fix leak when path is too long in ZipArchive::extractTo().

==== python-Twisted ====
Subpackages: python311-Twisted python311-Twisted-tls

- Make the libalternatives transition conditional

==== python-anyio ====
Version update (4.9.0 -> 4.10.0)

- Skip flaky test_keyboardinterrupt_during_test, the timeout increase doesn't always help.
- Fix build for Leap
- Update to 4.10.0:
  + Added the feed_data() method to the BufferedByteReceiveStream class, allowing users to inject data directly into the buffer
  + Added various class methods to wrap existing sockets as listeners or socket streams
  + Added a hierarchy of connectable stream classes for transparently connecting to various remote or local endpoints for exchanging bytes or objects
  + Added context manager mix-in classes (anyio.ContextManagerMixin and anyio.AsyncContextManagerMixin) to help write classes that embed other context managers, particularly cancel scopes or task groups
  + Added the ability to specify the thread name in start_blocking_portal()
  + Added anyio.notify_closing to allow waking anyio.wait_readable and anyio.wait_writable before closing a socket. Among other things, this prevents an OSError on the ProactorEventLoop.
  + Incorporated several documentation improvements from the EuroPython 2025 sprint
  + Added a documentation page explaining why one might want to use AnyIO's APIs instead of asyncio's
  + Updated the to_interpreters module to use the public concurrent.interpreters API on Python 3.14 or later
  + Fixed anyio.Path.copy() and anyio.Path.copy_into() failing on Python 3.14.0a7
  + Fixed return annotation of __aexit__ on async context managers.
  + Fixed rollover boundary check in SpooledTemporaryFile so that rollover only occurs when the buffer size exceeds max_size
  + Migrated testing and documentation dependencies from extras to dependency groups
  + Fixed compatibility of anyio.to_interpreter with Python 3.14.0
  + Fixed SyntaxWarning on Python 3.14 about return in finally
  + Fixed RunVar name conflicts.
    RunVar instances with the same name should not share storage
  + Renamed the BrokenWorkerIntepreter exception to BrokenWorkerInterpreter. The old name is available as a deprecated alias.
  + Fixed an edge case in CapacityLimiter on asyncio where a task, waiting to acquire a limiter gets cancelled and is subsequently granted a token from the limiter, but before the cancellation is delivered, and then fails to notify the next waiting task

==== python-kiwi ====
Version update (10.2.30 -> 10.2.32)

- Bump version: 10.2.31 → 10.2.32
- fix: resize for raid device, ensure vars like kiwi_RaidDev are loaded before setting disk variable
- Do not clobber initialize method
  There was a method named initialize defined and implemented differently in the dracut modules kiwi-lib and kiwi-repart. kiwi-lib is expected to be shared code across all kiwi dracut modules. However if one module redefines a method of the same name which is used in another module and expected to work differently there, this is evil. This commit cleans up the name conflict and names the kiwi library init function as lib_initialize. All dracut code that is expected to make use of this method has been adopted too.
- Skip kiwi-repart module in install ISOs
  In case the kiwi-repart module is explicitly requested in a dracut.conf file and the image is also configured to build an install ISO image this leads the install ISO to contain the kiwi-repart module as well which is unwanted. This commit explicitly omits the kiwi-repart when creating the initrd for the install image
- Skip repart when booting install/live iso
- Update leap test-image-disk integration test
  Add test for alternative volume ID in install ISO
- Bump version: 10.2.30 → 10.2.31
- Consolidate device lock into its own method
  Add set_device_lock method which uses udevadm lock preferable but also supports an flock fallback in case there is no lock command provided via systemd/udev
- Fix bug in shell condition
  The shell code test ... || warn A; warn B will always print the warning for B despite the test result. This led to the warning message "Settings from the kiwi description will be ignored" to be printed always. This commit fixes it with a clean if/then condition
- Fix documentation rendering
  There was an indentation bug which caused the docs to render wrong. This commit fixes it
- solver/repository: Handle zstd-compressed metadata files
  `_create_solvables` assumes metadata files are gzip-compressed, but modern Fedora ones are not, they are zstd-compressed.
  Signed-off-by: Adam Williamson

==== qemu ====
Version update (10.0.2 -> 10.0.3)
Subpackages: qemu-audio-spice qemu-block-curl qemu-block-nfs qemu-block-rbd qemu-chardev-spice qemu-guest-agent qemu-hw-display-qxl qemu-hw-display-virtio-gpu qemu-hw-display-virtio-gpu-pci qemu-hw-display-virtio-vga qemu-hw-usb-host qemu-hw-usb-redirect qemu-hw-usb-smartcard qemu-img qemu-ipxe qemu-ksm qemu-lang qemu-microvm qemu-pr-helper qemu-seabios qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-opengl qemu-ui-spice-app qemu-ui-spice-core qemu-vgabios qemu-vmsr-helper qemu-x86

- Bug and CVE fixes:
  * tests: Avoid dependency on padding on signal messages (boo#1246830)
  * pcie_sriov: Fix configuration and state synchronization (bsc#1246992 CVE-2025-54566 CVE-2025-54567)
  * [openSUSE][RPM] linux-user: restart systemd-binfmt upon changes (bsc#1247443)
- Update to stable release 10.0.3:
  Full list of backports here:
  https://lore.kernel.org/qemu-devel/1748499690.323471.13081.nullmailer@localhost/
  A selection of them is reported here too:
    hvf: arm: Emulate ICC_RPR_EL1 accesses properly
    target/arm: Correct encoding of Debug Communications Channel registers
    ui: fix setting client_endian field defaults
    hw/net/npcm_gmac.c: Send the right data for second packet in a row
    target/i386: do not expose ARCH_CAPABILITIES on AMD CPU
    i386/cpu: Honor maximum value for CPUID.8000001DH.EAX[25:14]
    i386/cpu: Fix overflow of cache topology fields in CPUID.04H
    i386/cpu: Fix cpu number overflow in CPUID.01H.EBX[23:16]
    ui/vnc: Do not copy z_stream
    vhost: Fix used memslot tracking when destroying a vhost device
    roms: re-remove execute bit from hppa-firmware*
    file-posix: Fix aio=threads performance regression after enabling FUA
    amd_iommu: Fix truncation of oldval in amdvi_writeq
    amd_iommu: Remove duplicated definitions
    amd_iommu: Fix the calculation for Device Table size
    amd_iommu: Fix mask to retrieve Interrupt Table Root Pointer from DTE
    amd_iommu: Fix masks for various IOMMU MMIO Registers
    amd_iommu: Update bitmasks representing DTE reserved fields
    amd_iommu: Fix Device ID decoding for INVALIDATE_IOTLB_PAGES command
    amd_iommu: Fix Miscellaneous Information Register 0 encoding
    virtio-net: Add queues for RSS during migration
    net: fix buffer overflow in af_xdp_umem_create()
    accel/kvm: Adjust the note about the minimum required kernel version
    ...

==== readline ====
Version update (8.2.13 -> 8.3.1)

- Update to final readline-8.3
  a. Output a newline if there is no prompt and readline reads an empty line.
  b. The history library falls back to stdio when writing the history list if mmap fails.
  c. New bindable variable `search-ignore-case', causes readline to perform case-insensitive incremental and non-incremental history searches.
  d. rl_full_quoting_desired: new application-settable variable, causes all completions to be quoted as if they were filenames.
  e. rl_macro_display_hook: new application-settable function pointer, used if the application wants to print macro values itself instead of letting readline do it
  f. rl_reparse_colors: new application-callable function, reparses $LS_COLORS (presumably after the user changes it)
  g. rl_completion_rewrite_hook: new application-settable function pointer, called to modify the word being completed before comparing it against pathnames from the file system.
  h. execute-named-command: a new bindable command that reads the name of a readline command from the standard input and executes it.
     Bound to M-x in emacs mode by default.
  i. Incremental and non-incremental searches now allow ^V/^Q (or, in the former case, anything bound to quoted-insert) to quote characters in the search string.
  j. Documentation has been significantly updated.
  k. New `force-meta-prefix' bindable variable, which forces the use of ESC as the meta prefix when using "\M-" in key bindings instead of overloading convert-meta.
  l. The default value for `readline-colored-completion-prefix' no longer has a leading `.'; the original report was based on a misunderstanding.
  m. There is a new bindable command, `export-completions', which writes the possible completions for a word to the standard output in a defined format.
  n. Readline can reset its idea of the screen dimensions when executing after a SIGCONT.
- Remove upstream patches of former readline-8.2
  * readline82-001
  * readline82-002
  * readline82-003
  * readline82-004
  * readline82-005
  * readline82-006
  * readline82-007
  * readline82-008
  * readline82-009
  * readline82-010
  * readline82-011
  * readline82-012
  * readline82-013
- Add upstream patch
  * readline83-001
    If an application uses readline's event hook, it is called while waiting for input. There is a bug in the function that waits for available input that causes it not to read that input under certain circumstances, resulting in a loop where the event hook continues to be called, but there is no input to stop it.
- Port readline-8.2.dif and rename it to readline-8.3.dif

==== sdbootutil ====
Version update (1+git20250804.8dccab3 -> 1+git20250812.13f4562)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20250812.13f4562:
  * Ignore UPDATE_NVRAM (bsc#1247952)
- Update to version 1+git20250811.2048838:
  * Add easy advanced debugging
- Update to version 1+git20250811.5fc14ca:
  * Enable sdbootutil-update-predictions.service on enroll
  * Fix device not marked as portable
  * Fix handling of configuration UPDATE_NVRAM
- Update to version 1+git20250811.2fd41f0:
  * Clarify when the boot entries are created
  * Measure all bootloader combinations
  * Remove hard coded EFI boot entry name
- Update to version 1+git20250805.67fa6cb:
  * PCR#15 workaround for LVM devices
  * Use installkernel() only to install kernel modules

==== selinux-policy ====
Version update (20250730 -> 20250812)
Subpackages: selinux-policy-targeted

- Update to version 20250812 (bsc#1247772):
  * Fix selinux-autorelabel-generator label after upstream changes
  * Revert "Remove the mysql module sources"
  * Revert "Allow rasdaemon write access to sysfs (bsc#1229587)"
  * Reset postfix.fc to upstream, add alias instead
  * Allow systemd-networkd to create leases directory
  * Apply generator template to selinux-autorelabel generator
  * Support virtqemud handle hotplug hostdev devices
  * Allow virtstoraged create qemu /var/run files
  * Allow unconfined_domain_type cap2_userns capabilities
  * Label /usr/libexec/postfix/tlsproxy with postfix_smtp_exec_t
  * Remove the mysql module sources
  * dist/targeted/modules.conf: Enable kmscon module (bsc#1238137)
  * Update kmscon policy module to kmscon version 9 (bsc#1238137)
  * Allow login to getattr pidfs
  * Allow systemd to map files under /sys
  * systemd: drop duplicate init_nnp_daemon_domain lines
  * Fix typo
  * Allow logwatch stream connect to opensmtpd
  * Allow geoclue read NetworkManager pid files
  * Allow unconfined user a file transition for creating sudo log directory
  * Allow virtqemud read/write inherited dri devices
  * Allow xdm_t create user namespaces
  * Update policy for login_userdomain
  * Add ppd_base_profile to file transition to get tuned_rw_etc_t type
  * Update policy for bootupd
  * Allow logwatch work with opensmtpd
  * Update dovecot policy for dovecot 2.4.1
  * Allow ras-mc-ctl write to sysfs files
- Update embedded container-selinux version to commit:
  * 10cc7ecacd631368e23691a77dbfe63ac6ca855f (version 2.240.0)
    The 2.239.0 was tagged incorrectly by upstream, syncing again with new tag
- Update to version 20250804:
  * Allow anaconda-generator get attributes of all filesystems
  * Add the rhcd_rw_fifo_files() interface
  * Allow systemd-coredump the sys_chroot capability
  * Allow hostapd write to socket files in /tmp
  * Recognize /var/home as an alternate path for /home
  * Label /var/lib/lastlog with lastlog_t
  * Allow virtqemud write to sysfs files
  * Allow irqbalance search sssd lib directories
  * Allow samba-dcerpcd send sigkills to passwd
  * Allow systemd-oomd watch dbus pid sock files
  * Allow some confined users read and map generic log files
  * Allow login_userdomain watch the /run/log/journal directory
  * Allow login_userdomain dbus chat with tuned-ppd
  * Allow login_userdomain dbus chat with switcheroo-control
  * Allow userdomain to connect to systemd-oomd over a unix socket
  * Add insights_client_delete_lib_dirs() interface
  * Allow virtqemud_t use its private tmpfs files (bsc#1242998)
  * Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
  * Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
  * Extend virtqemud_t tcp_socket permissions (bsc#1242998)
  * Allow virtqemud_t to read and write generic pty (bsc#1242998)
  * Allow systemd-importd create and unlink init pid socket
  * Allow virtqemud handle virt_content_t chr files
  * Allow svirt read virtqemud fifo files
  * Allow sblim-sfcbd the dac_read_search capability
  * Allow sblim domain read systemd session files
  * Allow sblim-sfcbd execute dnsdomainname
  * Confine nfs-server generator
  * Allow systemd-timedated start/stop timemaster services
  * Allow "hostapd_cli ping" run as a systemd service
  * Allow power-profiles-daemon get attributes of filesystems with extended attributes
  * Allow 'oomctl dump' to interact with systemd-oomd
  * Basic functionality for systemd-oomd
  * Basic enablement for systemd-oomd
  * Allow samba-bgqd send to smbd over a unix datagram socket
  * Update kernel_secretmem_use()
  * Add the file/watch_mountns permission
  * Update systemd-generators policy
  * Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
  * Allow insights-client file transition for files in /var/tmp
  * Allow tuned-ppd manage tuned log files
  * Allow systemd-coredump mount on tmpfs filesystems
  * Update sssd_dontaudit_read_public_files()
  * Allow zram-generator raw read fixed disk device
  * Add fs_write_cgroup_dirs() and fs_setattr_cgroup_dirs() interfaces
- Syncing with upstream rawhide selinux-policy up to:
  * 1de2b642cba24f493578d4c944ea8db5535e8956
- Update embedded container-selinux version to commit:
  * 9693071320e1f931ff825ea376926f816380873d (version 2.239.0)

==== strace ====
Version update (6.15 -> 6.16)

- Update to strace 6.16
  * Added -N/--arg-names option for printing syscall argument names.
  * Implemented setting of system call information using PTRACE_SET_SYSCALL_INFO ptrace API introduced in Linux 6.16.
  * Implemented decoding of SO_RCVPRIORITY and SO_PASSRIGHTS socket options.
  * Implemented decoding of RTA_NH_ID and RTA_FLOWLABEL netlink attributes.
  * Updated decoding of statx syscall.
  * Updated lists of BR_*, CRYPTOCFGA_*, FUTEX2_*, IORING_*, IPSET_*, KVM_*, MDB_*, NETDEV_*, PR_*, RXRPC_*, SW_*, THERMAL_*, and V4L2_* constants.
  * Updated lists of ioctl commands from Linux 6.16.

==== util-linux ====
Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 util-linux-lang

- For bash 5.3 add (SIG)INT tests/expected/kill/decode as ignored signal for asynchronous coprocesses (boo#1246830)

==== util-linux-systemd ====
Subpackages: lastlog2 liblastlog2-2

- For bash 5.3 add (SIG)INT tests/expected/kill/decode as ignored signal for asynchronous coprocesses (boo#1246830)

==== yast2-bootloader ====
Version update (5.0.23 -> 5.0.24)

- Do not register random recovery pin during FDE installation. (bsc#1247941)
- 5.0.23