Packages changed: MicroOS-release (20250627 -> 20250702) crypto-policies cryptsetup (2.7.5 -> 2.8.0) curl ffmpeg-7 gcc15 (15.1.1+git9739 -> 15.1.1+git9866) glslang (15.3.0 -> 15.4.0) gpg2 grub2 gstreamer-plugins-bad kdump (2.0.18 -> 2.1.0) kernel-firmware-amdgpu (20250623 -> 20250627) kernel-firmware-bnx2 (20250206 -> 20250627) kernel-firmware-chelsio (20250206 -> 20250627) kernel-firmware-media (20250424 -> 20250627) kernel-firmware-network (20250603 -> 20250627) kernel-firmware-platform (20250520 -> 20250627) kernel-firmware-radeon (20250206 -> 20250627) kernel-firmware-serial (20250206 -> 20250627) kernel-firmware-sound (20250613 -> 20250627) kernel-source (6.15.3 -> 6.15.4) libnettle (3.10.1 -> 3.10.2) llvm20 (20.1.6 -> 20.1.7) ncurses (6.5.20250621 -> 6.5.20250628) numactl (2.0.19.13.g63e0223 -> 2.0.19.14.g690a72c) openldap2 (2.6.8 -> 2.6.10) patterns-base pipewire (1.4.5 -> 1.4.6) plasma-branding-Kalpa (20250618 -> 20250624) setools shaderc (2025.1 -> 2025.3) sqlite3 (3.50.1 -> 3.50.2) sudo (1.9.16p2 -> 1.9.17p1) toolbox (2.4+git20250429.b335d1b -> 2.4+git20250630.5e08e45) udisks2 === Details === ==== MicroOS-release ==== Version update (20250627 -> 20250702) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== crypto-policies ==== - Allow openssl to load when using the DEFAULT policy, and also other policies, in FIPS mode. [bsc#1243830, bsc#1242233] * Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch ==== cryptsetup ==== Version update (2.7.5 -> 2.8.0) Subpackages: libcryptsetup12 - Update to 2.8.0: * Full release notes in: - https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes * Introduce support for inline mode (use HW sectors with additional hardware metadata space). * Finalize use of keyslot context API. * Make all keyslot context types fully self-contained. * Add --key-description and --new-key-description cryptsetup options. * Support more precise keyslot selection in reencryption initialization. * Allow reencryption to resume using token and volume keys. * Cryptsetup repair command now tries to check LUKS keyslot areas for corruption. * Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters. * Opal2: Avoid the Erase method and use Secure Erase for locking range. * Opal2: Fix some error description (in debug only). * Opal2: Do not allow deferred deactivation. * Allow --reduce-device-size and --device-size combination for reencryption (encrypt) action. * Fix the userspace storage backend to support kernel "capi:" cipher specification format. * Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher specification is used. * Explicitly disallow kernel "capi:" cipher specification format for LUKS2 keyslot encryption. * Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present. * cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification. * Remove keyslot warning about possible failure due to low memory. * Do not limit Argon2 KDF memory cost on systems with more than 4GB of available memory. * Properly report out of memory error for cryptographic backends implementing Argon2. * Avoid KDF2 memory cost overflow on 32-bit platforms. * Do not use page size as a fallback for device block size. * veritysetup: Check hash device size in advance. * Print a better error message for unsupported LUKS2 AEAD device resize. * Optimize LUKS2 metadata writes. * veritysetup: support --error-as-corruption option. * Report all sizes in status and dump command output in the correct units. * Add --integrity-key-size option to cryptsetup. * Support trusted & encrypted keyrings for plain devices. * Support plain format resize with a keyring key. * TCRYPT: Clear mapping of system-encrypted partitions. * TCRYPT: Print all information from the decrypted metadata header in the tcryptDump command. * Always lock the volume key structure in memory. * Do not run direct-io read check on block devices. * Fix a possible segfault in deferred deactivation. * Exclude cipher allocation time from the cryptsetup benchmark. * Add Mbed-TLS optional crypto backend. * Fix the wrong preprocessor use of #ifdef for config.h processed by Meson. * Reorganize license files. The license text files are now in docs/licenses. The COPYING file in the root directory is the default license. * Remove cc-by-sa-4.0.txt as already shipped now in docs/licenses and named as COPYING.CC-BY-SA-4.0. * Libcryptsetup API extensions. The libcryptsetup API is backward compatible with all existing symbols. Due to the self-contained memory allocation, these symbols have the new version: - crypt_keyslot_context_init_by_passphrase; - crypt_keyslot_context_init_by_keyfile; - crypt_keyslot_context_init_by_token; - crypt_keyslot_context_init_by_volume_key; - crypt_keyslot_context_init_by_signed_key; - crypt_keyslot_context_init_by_keyring; - crypt_keyslot_context_init_by_vk_in_keyring; * New symbols: - crypt_format_inline - crypt_get_old_volume_key_size - crypt_reencrypt_init_by_keyslot_context - crypt_safe_memcpy * New defines: - CRYPT_ACTIVATE_HIGH_PRIORITY - CRYPT_ACTIVATE_ERROR_AS_CORRUPTION - CRYPT_ACTIVATE_INLINE_MODE - CRYPT_REENCRYPT_CREATE_NEW_DIGEST * New requirement flag: - CRYPT_REQUIREMENT_INLINE_HW_TAGS ==== curl ==== Subpackages: libcurl4 - Disable insecure NTLM authentication support [bsc#1245491, jsc#PED-12960] - split wcurl into a subpackage so that upgrade works (wcurl used to be a separate package) ==== ffmpeg-7 ==== Subpackages: libavcodec61 libavfilter10 libavformat61 libavutil59 libpostproc58 libswresample5 libswscale8 - Built with noopenh264, drop ffmpeg-dlopen-openh264.patch (jsc#PED-12607) ==== gcc15 ==== Version update (15.1.1+git9739 -> 15.1.1+git9866) Subpackages: cpp15 libgcc_s1 libgfortran5 libgomp1 libstdc++6 - Update to GCC 15 branch head, 15.1.1+git9866 - Fix PR120827, ICE due to splitter emitting constant loads directly ==== glslang ==== Version update (15.3.0 -> 15.4.0) - Update to release 15.4 * Implement GL_NV_gpu_shader5 and enable GL_ARB_gpu_shader5 completely * Add the GLSL_QCOM_tile_shading support * Implement GL_EXT_float8_e5m2_e4m3 (bits for exponent/mantissa) * Add variadic function support for builtin functions * Add argument default values support for builtin functions * Add GL_ARM_tensors ==== gpg2 ==== - fix build of qgpgme >= 2.0.0 [T7083] boo#1244605 add gnupg-2.5.8-re-add-revocation-reason.patch ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-common grub2-snapper-plugin - Fix bls_bumpcounter breaking FDE (bsc#1243842) * grub2-blsbumpcounter-menu.patch ==== gstreamer-plugins-bad ==== Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0 - Move faad plugin to main package. ==== kdump ==== Version update (2.0.18 -> 2.1.0) - upgrade to version 2.1.0 * fix calibrate (no run-time changes) * man: update kdump(7) * add kdump-commandline.service (jsc#PED-12454) * kdumptool: introduce the commandline subcommand (jsc#PED-12454) * kdumptool calibrate: add per-cpu userspace requirements * Use FADUMP_COMMANDLINE_APPEND to detect explicit ip= configuration (bsc#1242134) - update calibrate values for SLFO (alp1600) ==== kernel-firmware-amdgpu ==== Version update (20250623 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * amdgpu: DMCUB updates for DCN401 ==== kernel-firmware-bnx2 ==== Version update (20250206 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ==== kernel-firmware-chelsio ==== Version update (20250206 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ==== kernel-firmware-media ==== Version update (20250424 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts * qcom: update firmware binary for SM8550 - Update to version 20250624 (git commit b05fabcd6f2a): * qcom: venus-5.4: add the firmware binary for qcs615 ==== kernel-firmware-network ==== Version update (20250603 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ==== kernel-firmware-platform ==== Version update (20250520 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: expand the advansys license statement * WHENCE: some older AMD drivers are MIT licensed ==== kernel-firmware-radeon ==== Version update (20250206 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: some older AMD drivers are MIT licensed ==== kernel-firmware-serial ==== Version update (20250206 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ==== kernel-firmware-sound ==== Version update (20250613 -> 20250627) - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ==== kernel-source ==== Version update (6.15.3 -> 6.15.4) Subpackages: kernel-64kb kernel-default - io_uring: gate REQ_F_ISREG on !S_ANON_INODE as well (io_uring-regression). - commit 55e70a8 - Linux 6.15.4 (bsc#1012628). - alloc_tag: handle module codetag load errors as module load failures (bsc#1012628). - configfs: Do not override creating attribute file failure in populate_attrs() (bsc#1012628). - crypto: marvell/cesa - Do not chain submitted requests (bsc#1012628). - gfs2: move msleep to sleepable context (bsc#1012628). - sched/rt: Fix race in push_rt_task (bsc#1012628). - sched/fair: Adhere to place_entity() constraints (bsc#1012628). - crypto: qat - add shutdown handler to qat_c3xxx (bsc#1012628). - crypto: qat - add shutdown handler to qat_420xx (bsc#1012628). - crypto: qat - add shutdown handler to qat_4xxx (bsc#1012628). - crypto: qat - add shutdown handler to qat_c62x (bsc#1012628). - crypto: qat - add shutdown handler to qat_dh895xcc (bsc#1012628). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (bsc#1012628). - firmware: cs_dsp: Fix OOB memory read access in KUnit test (bsc#1012628). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (bsc#1012628). - ASoC: amd: amd_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() (bsc#1012628). - ASoC: amd: sof_amd_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() (bsc#1012628). - io_uring: account drain memory to cgroup (bsc#1012628). - io_uring/kbuf: account ring io_buffer_list memory (bsc#1012628). - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1012628). - powerpc64/ftrace: fix clobbered r15 during livepatching (bsc#1012628). - powerpc/bpf: fix JIT code size calculation of bpf trampoline (bsc#1012628). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (bsc#1012628). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1012628). - s390/pci: Prevent self deletion in disable_slot() (bsc#1012628). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1012628). - s390/pci: Serialize device addition and removal (bsc#1012628). - regulator: max20086: Fix MAX200086 chip id (bsc#1012628). - regulator: max20086: Change enable gpio to optional (bsc#1012628). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (bsc#1012628). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (bsc#1012628). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (bsc#1012628). - wifi: mt76: mt7925: fix host interrupt register initialization (bsc#1012628). - anon_inode: use a proper mode internally (bsc#1012628). - anon_inode: explicitly block ->setattr() (bsc#1012628). - anon_inode: raise SB_I_NODEV and SB_I_NOEXEC (bsc#1012628). - fs: add S_ANON_INODE (bsc#1012628). - wifi: ath11k: fix rx completion meta data corruption (bsc#1012628). - wifi: rtw88: usb: Upload the firmware in bigger chunks (bsc#1012628). - wifi: ath11k: fix ring-buffer corruption (bsc#1012628). - NFSD: unregister filesystem in case genl_register_family() fails (bsc#1012628). - NFSD: fix race between nfsd registration and exports_proc (bsc#1012628). - NFSD: Implement FATTR4_CLONE_BLKSIZE attribute (bsc#1012628). - nfsd: fix access checking for NLM under XPRTSEC policies (bsc#1012628). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (bsc#1012628). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (bsc#1012628). - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (bsc#1012628). - NFS: always probe for LOCALIO support asynchronously (bsc#1012628). - NFSv4: Don't check for OPEN feature support in v4.1 (bsc#1012628). - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (bsc#1012628). - wifi: ath12k: fix ring-buffer corruption (bsc#1012628). - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1012628). - svcrdma: Unregister the device if svc_rdma_accept() fails (bsc#1012628). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (bsc#1012628). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (bsc#1012628). - jfs: validate AG parameters in dbMount() to prevent crashes (bsc#1012628). - media: ov8856: suppress probe deferral errors (bsc#1012628). - media: ov5675: suppress probe deferral errors (bsc#1012628). - media: i2c: change lt6911uxe irq_gpio name to "hpd" (bsc#1012628). ... changelog too long, skipping 917 lines ... - commit 0952b8c ==== libnettle ==== Version update (3.10.1 -> 3.10.2) Subpackages: libhogweed6 libnettle8 - update to 3.10.2: * Fix missing prototypes in getopt.h and getopt.c * For powerpc64, avoid using v9 (ISA v3.0) instructions lxvb16x, lxv and stxv in powerpc64/p8/ files. * For powerpc64, add configure check for __VSX__, and disable use of assembly if not defined. Nettle's powerpc64 assembly requires at least v7 (ISA v2.06) - drop libnettle-powerpc64-skip-AES-GCM-test.patch ==== llvm20 ==== Version update (20.1.6 -> 20.1.7) - Update to version 20.1.7. * This release contains bug-fixes for the LLVM 20.1.0 release. This release is API and ABI compatible with 20.1.0. - Rebase llvm-do-not-install-static-libraries.patch. ==== ncurses ==== Version update (6.5.20250621 -> 6.5.20250628) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20250628 + fix a few compiler-warnings. + simplify include for wchar.h in Windows port by removing the platform ifdef's (report by Karl Knechtel). + regen Ada95/configure (report by Sven Joachim). ==== numactl ==== Version update (2.0.19.13.g63e0223 -> 2.0.19.14.g690a72c) - Update to version 2.0.19.14.g690a72c: * numastat command fails on LPAR which is not having node0 Patch is now upstream: https://github.com/numactl/numactl/pull/246 D 4abeee1aac20a7a2552870e0359b8df013ae9037.patch Patches are wrong or not needed anymore: https://github.com/numactl/numactl/pull/246 D 0001-Fixed-segfault-when-no-node-could-be-found-in-sysfs-.patch D numactl-clearcache-pie.patch ==== openldap2 ==== Version update (2.6.8 -> 2.6.10) - Update to release 2.6.10 * ldap.conf:TIMEOUT and NETWORK_TIMEOUT config directives now have the desired effect for TLS connections (previously ignored) * Reject attempts to modify cn=schema,cn=config objects * Fixed a slapo-nestgroup leak in nestgroup_memberFilter * Fixed a slapo-translucent regression with subordinate databases / and when requesting attributes * Adjusted slappw-argon2 defaults to be more secure * Added slapd microsecond timestamp format for local logging * Fixed libldap ldap_result behavior with LDAP_MSG_RECEIVED ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - Add myrlyn to x11_enhanced Myrlyn replaces YaST software management code-o-o#leap/features#173 - Refine topics and descriptions of patterns (bsc#1243961). - Drop requirement on NetworkManager-wifi, it was merged back in NetworkManager in 2022. ==== pipewire ==== Version update (1.4.5 -> 1.4.6) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.4.6: * Highlights - Fix a crasher bug in filter-chain and one in the ALSA plugin. - Improve latency reporting in module-combine-stream. - Some smaller fixes and cleanups. * modules - Improve latency handling in module-combine-stream. (#4731) - Improve save activation/deactivation of the filter-graph in module-filter-chain to avoid crashes. (#4700, #4750) - Add an option to disable RAOP with a context.property. * SPA - Handle NULL io in alsa wakeup code. This can happen when there is negotiation happening. (#4734) - Enable interrupts after an ALSA error to keep the dataflow going. - Reset some stats better after an ALSA error. - Support the alsa.use-ucm property for the ALSA udev plugin. * pulse-server - Mark empty buffers. This improves some code paths in the mixer. * GStreamer - Fix a refcount issue in the device provider. ==== plasma-branding-Kalpa ==== Version update (20250618 -> 20250624) - Bump version to 20250624 - Removed kalpa-discover-update service and timer, plasma-discover-update was dropped in Plasma 6.4 ==== setools ==== - Drop legacy %python_build and %python_install macros and switch to pyproject macros instead as requested by packaging team ==== shaderc ==== Version update (2025.1 -> 2025.3) - Update to release 2025.3 * Added a way to disable the glsc CLI executable. ==== sqlite3 ==== Version update (3.50.1 -> 3.50.2) - Update to 3.50.2: * Fix the concat_ws() SQL function so that it includes empty strings in the concatenation. * Avoid writing frames with no checksums into the wal file if a savepoint is rolled back after dirty pages have already been spilled into the wal file. * Fix the Bitvec object to avoid stack overflow when the database is within 60 pages of its maximum size. * Fix a problem with UPDATEs on fts5 tables that contain BLOB values. * Fix an issue with transitive IS constraints on a RIGHT JOIN. * Raise an error early if the number of aggregate terms in a query exceeds the maximum number of columns, to avoid downstream assertion faults. * Ensure that sqlite3_setlk_timeout() holds the database mutex. ==== sudo ==== Version update (1.9.16p2 -> 1.9.17p1) - Update to 1.9.17p1 * Fix a possible local privilege escalation via the --host option [bsc#1245274, CVE-2025-32462] * Fix a possible local privilege Escalation via chroot option [bsc#1245275, CVE-2025-32463] - Update to 1.9.17 * Sudo now uses the NODEV macro consistently. Bug #1074. Fixed a bug where the ALL command in a sudoers rule would override a previous NOSETENV tag. Command tags are inherited from previous Cmnds in a Cmnd_Spec_List. There is a special case for the SETENV tag with the ALL command, where SETENV is implied if no explicit SETENV or NOSETENV tag is specified. This special case did not take into account that a NOSETENV tag that was inherited should override this behavior. * If sudo is run via ssh without a terminal and a password is required, it now suggest using ssh’s -t option. * Fixed the display of timeout values in the sudo -V output on systems without a C99-compliant snprintf() function. * Quieted a number of minor Coverity warnings. * Fixed a problem running sudo from a serial console on Linux when the command is run in a pseudo-terminal (the default). * Fixed a crash in sudo which could occur if there was a fatal error after the user was validated but before the command was actually run. * Fixed a number of man page style warnings. The “lint” make target in the docs directory will now run groff with warnings enabled if it is available. Bug #1075. * The ignore_dot sudoers setting is now on by default. There is now a - -disable-ignore-dot configure option to disable it. The - -with-ignore-dot configure option has been deprecated. * Fixed a problem with the pwfeedback option where an initial backspace would reduce the maximum length allowed for the password. GitHub issue #439. * Fixed minor grammar and spelling problems in the man pages. * Fixed a bug where a user could avoid entering a password for sudo -l command if they specified their own user or group name via the -u or - g options. * Avoid potential password guessing based on timing attacks on the strcmp() function on systems without PAM or a crypt() function where plaintext passwords are stored in the shadow password file. * Fixed a potential information leak where sudo -l command could be used to determine whether an executable exists in a directory that they do not have search access to. * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. A long time ago sudo changed from using TCSAFLUSH to TCSADRAIN due to some systems having bugs related to TCSAFLUSH. That should no longer be a concern. Using TCSAFLUSH ensures that password input that has been received by the kernel, but not yet read by sudo, will be discarded and not echoed. * Added the SUDO_TTY environment variable if the user has a terminal. This can be used to find the user’s original tty device when sudo runs the command in its own pseudo-terminal. GitHub issue #447. * New Cantonese translation for sudo. ==== toolbox ==== Version update (2.4+git20250429.b335d1b -> 2.4+git20250630.5e08e45) - Update to version 2.4+git20250630.5e08e45: * Forbid --user if running as root ==== udisks2 ==== Subpackages: libudisks2-0 - Moved /etc/udisks2/modules.conf.d/udisks2_lsm.conf and /etc/udisks2/udisks2.conf do /usr/etc. (patch usr_etc.patch)