Packages changed:
  Mesa
  Mesa-drivers
  aws-lc (1.66.1 -> 1.66.2)
  gnome-settings-daemon
  kernel-source (6.18.3 -> 6.18.4)
  libsodium (1.0.20 -> 1.0.21)
  libsoup
  libsoup2
  lightdm
  mc
  nautilus (49.2 -> 49.3)
  openSUSE-release (20260108 -> 20260109)
  python-urllib3 (2.5.0 -> 2.6.2)
  ruby-common
  sdbootutil (1+git20251218.1cd7294 -> 1+git20260108.be38224)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1

- get rid of Mesa 24.1.7 used for s390x (boo#1233167), which
  supersedes the following patches:
  * python36-buildfix1-s390x.patch
  * u_dep_xcb-s390x.patch
  * u_mesa-CVE-2023-45913-s390x.patch

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp

- get rid of Mesa 24.1.7 used for s390x (boo#1233167), which
  supersedes the following patches:
  * python36-buildfix1-s390x.patch
  * u_dep_xcb-s390x.patch
  * u_mesa-CVE-2023-45913-s390x.patch

==== aws-lc ====
Version update (1.66.1 -> 1.66.2)
Subpackages: libcrypto-awslc0 libssl-awslc0

- Update to version 1.66.2:
  * Fix incorrect assembler directive in AArch64 code
  * Fix the libwebsockets integration test script
  * Remove pkcs8 expected in test
  * Add randomized unit testing for EVP_CIPHERs
  * fix(target): fix mipseb 64bit compile
  * Consolidate FORMAT_DER/PEM in tool-openssl
  * Replace password string with proper class
  * Fix ppc64le; Improve platform detection

==== gnome-settings-daemon ====
Subpackages: gnome-settings-daemon-lang

- Drop /usr/bin/pkexec Requires: this has not been needed anymore
  since GNOME 3.37.

==== kernel-source ====
Version update (6.18.3 -> 6.18.4)

- Linux 6.18.4 (bsc#1012628).
- drm: nova: depend on CONFIG_64BIT (bsc#1012628).
- x86/microcode/AMD: Select which microcode patch to load (bsc#1012628).
- sched/core: Add comment explaining force-idle vruntime snapshots (bsc#1012628).
- sched/eevdf: Fix min_vruntime vs avg_vruntime (bsc#1012628).
- sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks (bsc#1012628).
- mm/huge_memory: merge uniform_split_supported() and non_uniform_split_supported() (bsc#1012628).
- KVM: s390: Fix gmap_helper_zap_one_page() again (bsc#1012628).
- drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident (bsc#1012628).
- drm/displayid: add quirk to ignore DisplayID checksum errors (bsc#1012628).
- drm/amdgpu: don't attach the tlb fence for SI (bsc#1012628).
- wifi: rtw88: limit indirect IO under powered off for RTL8822CS (bsc#1012628).
- wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() (bsc#1012628).
- wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() (bsc#1012628).
- wifi: mac80211: do not use old MBSSID elements (bsc#1012628).
- sched_ext: fix uninitialized ret on alloc_percpu() failure (bsc#1012628).
- i40e: fix scheduling in set_rx_mode (bsc#1012628).
- i40e: validate ring_len parameter against hardware-specific values (bsc#1012628).
- iavf: fix off-by-one issues in iavf_config_rss_reg() (bsc#1012628).
- idpf: fix LAN memory regions command on some NVMs (bsc#1012628).
- idpf: reduce mbx_task schedule delay to 300us (bsc#1012628).
- cpuset: fix warning when disabling remote partition (bsc#1012628).
- crypto: seqiv - Do not use req->iv after crypto_aead_encrypt (bsc#1012628).
- Bluetooth: MGMT: report BIS capability flags in supported settings (bsc#1012628).
- Bluetooth: btusb: revert use of devm_kzalloc in btusb (bsc#1012628).
- net: mdio: aspeed: add dummy read to avoid read-after-write issue (bsc#1012628).
- net: openvswitch: Avoid needlessly taking the RTNL on vport destroy (bsc#1012628).
- ip6_gre: make ip6gre_header() robust (bsc#1012628).
- powerpc/tools: drop `-o pipefail` in gcc check scripts (bsc#1012628).
- platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names (bsc#1012628).
- platform/x86: msi-laptop: add missing sysfs_remove_group() (bsc#1012628).
- platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic (bsc#1012628).
- team: fix check for port enabled in team_queue_override_port_prio_changed() (bsc#1012628).
- net: airoha: Move net_devs registration in a dedicated routine (bsc#1012628).
- net: dsa: properly keep track of conduit reference (bsc#1012628).
- net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() (bsc#1012628).
- amd-xgbe: reset retries and mode on RX adapt failures (bsc#1012628).
- selftests: drv-net: psp: fix templated test names in psp_ip_ver_test_builder() (bsc#1012628).
- selftests: drv-net: psp: fix test names in ipver_test_builder() (bsc#1012628).
- net: usb: rtl8150: fix memory leak on usb_submit_urb() failure (bsc#1012628).
- selftests: net: fix "buffer overflow detected" for tap.c (bsc#1012628).
- net: wangxun: move PHYLINK dependency (bsc#1012628).
- platform/x86/intel/pmt: Fix kobject memory leak on init failure (bsc#1012628).
- smc91x: fix broken irq-context in PREEMPT_RT (bsc#1012628).
- genalloc.h: fix htmldocs warning (bsc#1012628).
- firewire: nosy: Fix dma_free_coherent() size (bsc#1012628).
- bng_en: update module description (bsc#1012628).
- net: dsa: b53: skip multicast entries for fdb_dump() (bsc#1012628).
- kbuild: fix compilation of dtb specified on command-line without make rule (bsc#1012628).
- mcb: Add missing modpost build support (bsc#1012628).
- net: mdio: rtl9300: use scoped for loops (bsc#1012628).
- net: usb: asix: validate PHY address before use (bsc#1012628).
- net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct (bsc#1012628).
- tools/sched_ext: fix scx_show_state.py for scx_root change (bsc#1012628).
- vfio/pds: Fix memory leak in pds_vfio_dirty_enable() (bsc#1012628).
- platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing (bsc#1012628).
- platform/x86/intel/pmt/discovery: use valid device pointer in dev_err_probe (bsc#1012628).
- octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" (bsc#1012628).
- net: stmmac: fix the crash issue for zero copy XDP_TX action
  ...
  changelog too long, skipping 448 lines
  ...
- commit 0ccf2fe

==== libsodium ====
Version update (1.0.20 -> 1.0.21)

- Update to 1.0.21:
  * The new crypto_ipcrypt_* functions implement mechanisms for
    securely encrypting and anonymizing IP addresses.
  * The sodium_bin2ip and sodium_ip2bin helper functions have been
    added to complement the crypto_ipcrypt_* functions and easily
    convert addresses between bytes and strings.
  * XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions
    are standard extendable output functions. From input of any
    length, they can derive output of any length with the same
    properties as hash functions. These primitives are required by
    many post-quantum mechanisms, but can also be used for a wide
    range of applications, including key derivation, session
    encryption and more.
  * Performance of AES256-GCM and AEGIS on ARM has been improved
    with some compilers
  * Security: optblockers have been introduced in critical code
    paths to prevent compilers from introducing unwanted side
    channels via conditional jumps. This was observed on RISC-V
    targets with specific compilers and options.
  * Security: crypto_core_ed25519_is_valid_point() now properly
    rejects small-order points that are not in the main subgroup
    [bsc#1256070, CVE-2025-15444]
  * ((nonnull)) attributes have been relaxed on some crypto_stream*
    functions to allow NULL output buffers when the output length
    is zero
  * A cross-compilation issue with old clang versions has been fixed
  * crypto_aead_aes256gcm_is_available is exported to JavaScript
  * Security: memory fences have been added after MAC verification
    in AEAD to prevent speculative access to plaintext before
    authentication is complete
  * Assembly files now include .gnu.property notes for proper IBT
    and Shadow Stack support when building with CET instrumentation.
- Add patch libsodium-Fix-compilation-with-GCC-on-aarch64.patch

==== libsoup ====
Subpackages: libsoup-3_0-0 libsoup-lang typelib-1_0-Soup-3_0

- Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in
  headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491).

==== libsoup2 ====
Subpackages: libsoup-2_4-1 libsoup2-lang

- Add libsoup2-CVE-2025-14523.patch: Reject duplicated Host in
  headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491).

==== lightdm ====
Subpackages: liblightdm-gobject-1-0 lightdm-bash-completion lightdm-lang

- Move all created /run, /var/lib, /var/cache and /var/log
  directories to systemd-tmpfiles

==== mc ====
Subpackages: mc-lang

- run obs/service/source_validators/helpers/fix_changelog

==== nautilus ====
Version update (49.2 -> 49.3)
Subpackages: gnome-shell-search-provider-nautilus libnautilus-extension4 nautilus-lang

- Update to version 49.3:
  + Bugfixes:
    - Don't waste resources on images with extreme dimensions
    - Consider thumbnailing finished at correct time
    - Redraw view when screen scale factor changes
    - Fix potential outdated view item usage
    - Correctly close mime type program chooser dialog
  + Updated translations.

==== openSUSE-release ====
Version update (20260108 -> 20260109)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== python-urllib3 ====
Version update (2.5.0 -> 2.6.2)
Subpackages: python311-urllib3 python313-urllib3

- Update to 2.6.2
  * Fixed HTTPResponse.read_chunked() to properly handle leftover
    data in the decoder's buffer when reading compressed chunked
    responses.
- Update to 2.6.1
  * Restore previously removed HTTPResponse.getheaders() and
    HTTPResponse.getheader() methods.
- Update to 2.6.0
  * Security:
    - Fixed a security issue where streaming API could improperly
      handle highly compressed HTTP content ("decompression bombs")
      leading to excessive resource consumption even when a small
      amount of data was requested.
      Reading small chunks of compressed data is safer and much
      more efficient now.
      (CVE-2025-66471, GHSA-2xpw-w6gg-jr37, bsc#1254867)
    - Fixed a security issue where an attacker could compose an
      HTTP response with virtually unlimited links in the
      Content-Encoding header, potentially leading to a denial of
      service (DoS) attack by exhausting system resources during
      decoding. The number of allowed chained encodings is now
      limited to 5.
      (CVE-2025-66418, GHSA-gm62-xv2j-4w53, bsc#1254866)
  * Features:
    - Enabled retrieval, deletion, and membership testing in
      HTTPHeaderDict using bytes keys.
    - Added host and port information to string representations of
      HTTPConnection.
    - Added support for Python 3.14 free-threading builds
      explicitly.
  * Removals:
    - Removed the HTTPResponse.getheaders() method in favor of
      HTTPResponse.headers. Removed the
      HTTPResponse.getheader(name, default) method in favor of
      HTTPResponse.headers.get(name, default).
  * Bugfixes:
    - Fixed redirect handling in urllib3.PoolManager when an
      integer is passed for the retries parameter.
    - Fixed HTTPConnectionPool when used in Emscripten with no
      explicit port.
    - Fixed handling of SSLKEYLOGFILE with expandable variables.
  * Misc:
    - Changed the zstd extra to install backports.zstd instead of
      zstandard on Python 3.13 and before.
    - Improved the performance of content decoding by optimizing
      BytesQueueBuffer class.
    - Allowed building the urllib3 package with newer
      setuptools-scm v9.x.
    - Ensured successful urllib3 builds by setting Hatchling
      requirement to ≥ 1.27.0.

==== ruby-common ====

- Some gems (especially rust based ones) start failing if
  /usr/bin/ruby is not available. But they can take the desired
  ruby binary from the RUBY environment variable. Since we can not
  really set that properly via pre_install, set it within the loop
  to the current ruby binary before calling the ruby part of
  gem_install.sh.

==== sdbootutil ====
Version update (1+git20251218.1cd7294 -> 1+git20260108.be38224)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20260108.be38224:
  * Use tmpfiles.d for /var directories (PED-14900)
- Update to version 1+git20260107.2807c87:
  * Enable armv7 builds (boo#1254865)