Packages changed: Mesa Mesa-drivers MicroOS-release (20251127 -> 20251204) SDL3 (3.2.26 -> 3.2.28) bash (5.3.3 -> 5.3.8) cyrus-sasl distrobox (1.8.2.1 -> 1.8.2.2) docker fwupd (2.0.17 -> 2.0.18) glslang (16.0.0 -> 16.1.0) graphene kernel-firmware-amdgpu (20251119 -> 20251201) kernel-firmware-bluetooth (20251111 -> 20251125) kernel-firmware-i915 (20251106 -> 20251125) kernel-firmware-intel (20251024 -> 20251129) kernel-firmware-iwlwifi (20251024 -> 20251123) kernel-firmware-media (20251018 -> 20251123) kernel-firmware-mediatek (20251119 -> 20251129) kernel-firmware-qcom (20251119 -> 20251125) kernel-firmware-sound (20251118 -> 20251121) kernel-source (6.17.9 -> 6.18.0) libX11 libarchive (3.8.1 -> 3.8.3) libdisplay-info libpng16 (1.6.50 -> 1.6.51) mozilla-nss (3.117 -> 3.118.1) nghttp2 (1.66.0 -> 1.68.0) pam-config (2.13+git.20251105 -> 2.13+git.20251203) pipewire (1.5.83 -> 1.5.84) python-certifi (2025.10.5 -> 2025.11.12) python-lark (1.2.2 -> 1.3.1) python-psutil runc (1.3.3 -> 1.4.0) selinux-policy (20251111 -> 20251128) shaderc (2025.4 -> 2025.5) shadow sqlite3 (3.50.4 -> 3.51.1) suse-module-tools (16.1.0 -> 16.1.1) systemd-presets-branding-MicroOS wtmpdb (0.75.0+git20251009.a6f185a -> 0.75.0+git20251130.0d8fe7a) zlib-ng-compat (2.2.5 -> 2.3.1) === Details === ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Build with VK_AMD_anti_lag vulkan extension support to allow AMD Anti-Lag to be used on AMD GPUs - Create new subpackage Mesa-vulkan-anti-lag for this new vulkan extension - Build with -Ddisplay-info=enabled to allow VK_EXT_hdr_metadata support for VK_KHR_display ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Build with VK_AMD_anti_lag vulkan extension support to allow AMD Anti-Lag to be used on AMD GPUs - Create new subpackage Mesa-vulkan-anti-lag for this new vulkan extension - Build with -Ddisplay-info=enabled to allow VK_EXT_hdr_metadata support for VK_KHR_display ==== MicroOS-release ==== Version update (20251127 -> 20251204) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== SDL3 ==== Version update (3.2.26 -> 3.2.28) - Update to release 3.2.28 * Fixed a divide by zero with a zero sized blit in some cases * Fixed blitting bitmaps with a non-zero x offset * Fixed a crash in the Vulkan renderer when the window is minimized * Fixed the initial X11 window position in some environments * Fixed the channel mapping for surround sound on PulseAudio * Fixed the sensor axis ordering with the Linux Nintendo driver * Fixed Xbox 360 controller mappings on newer Linux kernels * Made Nintendo Switch controller initialization more robust * Fixed the paddle mapping for Steam Controllers ==== bash ==== Version update (5.3.3 -> 5.3.8) Subpackages: bash-sh - Add upstream patches * Bash-5.3 Official patch 4 -- bash53-004 The Linux kernel reports incorrect sizes for files in /sys/block/*/uevent, leading bash to report a read error when the byte count does not agree with the file size from fstat(2). * Bash-5.3 Official patch 5 -- bash53-005 Restoring the default disposition in a subshell for a signal bash treats specially can cause a crash. * Bash-5.3 Official patch 6 -- bash53-006 When `globasciiranges' is enabled, glob patterns with ranges in bracket expressions can produce incorrect matches for character ranges whose start and end are non-ascii characters. * Bash-5.3 Official patch 7 -- bash53-007 No-fork command substitutions can perform redirections that act on the enclosing command as well. * Bash-5.3 Official patch 8 -- bash53-008 Bash tries to consume entire multibyte characters when looking for backslash escapes in $'...' strings, and treats too many characters as potentially beginning a multibyte character in UTF-8 locales. Being more selective about when to call mbrtowc() can lead to optimized string processing and script speedups. This patch also handles the unlikely situation of a locale encoding null wide characters with non-null bytes. - Remove patch boo1254087.patch now upstream with bash53-004 ==== cyrus-sasl ==== Subpackages: cyrus-sasl-gssapi libsasl2-3 - Python3 error log upon importing pycurl (bsc#1233529) Remove senceless log message. * add remove-senceless-log.patch ==== distrobox ==== Version update (1.8.2.1 -> 1.8.2.2) Subpackages: distrobox-bash-completion - Update to 1.8.2.2: * docs: update command for GNOME installation by @amnexya in https://github.com/89luca89/distrobox/pull/1873 * Fix typo in nested Podman instructions by @atimeofday in https://github.com/89luca89/distrobox/pull/1879 * docs: note that Podman and Distrobox are now pre-installed on SteamOS 3.5+ by @kavishgr in https://github.com/89luca89/distrobox/pull/1881 * docs: clarify distrobox-host-exec behavior by @jaluoma in https://github.com/89luca89/distrobox/pull/1882 * docs: fix reference to #28 in README.md by @dottorblaster in https://github.com/89luca89/distrobox/pull/1891 * init: fix stat syntax error in rootful detection by @john-holt4 in https://github.com/89luca89/distrobox/pull/1907 * docs: fix mdlint issues in compatibility matrix by @dottorblaster in https://github.com/89luca89/distrobox/pull/1908 * create: fix failing to create containers from images that print to stdout with no input by @bsutherland333 in https://github.com/89luca89/distrobox/pull/1912 * docs: systemd unit example to mount root as a shared mount by @yehorb in https://github.com/89luca89/distrobox/pull/1911 * assemble: /dev/null stdin for distrobox enter execs by @dottorblaster and @balanza in https://github.com/89luca89/distrobox/pull/1915 * feat: set compopt filenames for --file in bash completion by @yedayak in https://github.com/89luca89/distrobox/pull/1916 * enter: preserve SHELL with unshared groups by @Kamorst in https://github.com/89luca89/distrobox/pull/1917 * fix: don't use --pty with buggy su implementations by @Kamorst in https://github.com/89luca89/distrobox/pull/1919 * init: restrict find pattern to libcuda so it doesn't pick up non-NVIDIA libs by @miaulightouch in https://github.com/89luca89/distrobox/pull/1918 * create: direct stderr to /dev/null to prevent incorrect eval by @dottorblaster and @inc0 in https://github.com/89luca89/distrobox/pull/1920 * chore(version): bump to 1.8.2.2 by @dottorblaster in https://github.com/89luca89/distrobox/pull/1921 ==== docker ==== Subpackages: docker-buildx docker-rootless-extras - Add Requires containers-selinux on systems with selinux-policy installed. bsc#1252672 ==== fwupd ==== Version update (2.0.17 -> 2.0.18) Subpackages: libfwupd3 typelib-1_0-Fwupd-2_0 - Update to version 2.0.18: + This release adds the following features: - Add a MOTD message for devices needing reboot after staged updates - Create the reboot-required file when a firmware update requires reboot - Record the system state for each composite emulation - Update USI docking station firmware without requiring a manual replug + This release fixes the following bugs: - Add a MTD device problem if the Intel SPI BIOS lock is set - Allow changing the child name when using PARENT_NAME_PREFIX - Allow UpdateCapsule to work on systems that do not support SecureBoot - Correctly parse the EFI_CAPSULE_RESULT_VARIABLE_HEADER - Fall back to the SMBIOS version for BIOS MTD devices - Fix a crash when trying to record an i2c emulation - Fixed Huddly upgrade problems with major version changes - Fix man page compatibility with apropos and whatis - Fix parsing USB BOS descriptors - Fix up the x86_64-specific capsule flags when deploying UEFI firmware - Improve firmware stream searching speed by a huge amount - Only convert the release uint32_t to device version format for UEFI devices - Only handle SIGINT in fwupdtool when required - Refactor the hypervisor and container detection to be usable from plugins - Set PlatformArchitecture as the CPU architecture for RISC-V machines - Use a sensible timeout when doing qc-s5gen2 HID requests + This release adds support for the following hardware: - HP Portable USB-C 4K HDMI Hub - Lenovo Legion Go 2 (as a HID device) - Synaptics HapticsPad - Rebase fwupd-bsc1130056-change-shim-path.patch ==== glslang ==== Version update (16.0.0 -> 16.1.0) - Update to release 16.1.0 * Avoid emitting OpCapability RuntimeDescriptorArray when unnecessary * Improve compilation speed when debug infomation is enabled * Support GL_EXT_shader_invocation_reorder * Add checks to coopMatMulAdd * Implement stringify operator * Add ES support for depth layout qualifier * Add debug info for hitObjectNV * Emit a DebugGlobalVariable instead of DebugLocalVariable for rayQueryEXT * Add debug info for constant variable * Improve debug line to point declaration * Fix bugs in buffer reference alignment * Reject string operands in binary and select ops * Support GL_EXT_shader_64bit_indexing * Support GLSL_EXT_uniform_buffer_unsized_array * Add semantic check for cooperative vector loads/stores * Improve the debug info name of opaque (sampler) types * Support IO mapping of combined samplers and acceleration structures * Fix bug in debug info for bool types inside SSBO/UBO * Fix bug in debug info for struct member names * Add methods for entry point and invert-y to C interface ==== graphene ==== - add no_fast-math_for_tests.patch * %check may fail for some architerture if the test use -ffast-math ==== kernel-firmware-amdgpu ==== Version update (20251119 -> 20251201) - Update to version 20251201 (git commit 934bfe7e1e27): * Reapply "amdgpu: update SMU 14.0.3 firmware" * Revert "amdgpu: update SMU 14.0.3 firmware" * Revert "amdgpu: update GC 10.3.6 firmware" * Revert "amdgpu: update GC 11.5.1 firmware" - Update to version 20251125 (git commit 23568a4b9420): * Revert "amdgpu: update GC 11.0.1 firmware" - Update to version 20251121 (git commit ff6418d18552): * amdgpu: DMCUB updates for various ASICs ==== kernel-firmware-bluetooth ==== Version update (20251111 -> 20251125) - Update to version 20251125 (git commit 23568a4b9420): * QCA: Add Bluetooth firmware for WCN685x uart interface - Update to version 20251121 (git commit ff6418d18552): * rtl_bt: Update RTL8852B BT USB FW to 0x42D3_4E04 ==== kernel-firmware-i915 ==== Version update (20251106 -> 20251125) - Update to version 20251125 (git commit 23568a4b9420): * xe: Update GUC to v70.54.0 for BMG, PTL ==== kernel-firmware-intel ==== Version update (20251024 -> 20251129) - Update to version 20251129 (git commit 01006f5dea2d): * intel_vpu: Update NPU firmware ==== kernel-firmware-iwlwifi ==== Version update (20251024 -> 20251123) - Update to version 20251123 (git commit 9dba680579f4): * iwlwifi: add Sc/Wh FW for core98-181 release ==== kernel-firmware-media ==== Version update (20251018 -> 20251123) - Update to version 20251123 (git commit 9dba680579f4): * qcom: venus-5.4: update firmware binary for v5.4 * qcom: venus-5.4: remove unused firmware file ==== kernel-firmware-mediatek ==== Version update (20251119 -> 20251129) - Update to version 20251129 (git commit 01006f5dea2d): * linux-firmware: update firmware for MT7925 WiFi device * mediatek MT7925: update bluetooth firmware to 20251124093155 ==== kernel-firmware-qcom ==== Version update (20251119 -> 20251125) - Update to version 20251125 (git commit 23568a4b9420): * qcom: Add ADSP firmware for qcs6490-thundercomm-rubikpi3 ==== kernel-firmware-sound ==== Version update (20251118 -> 20251121) - Update to version 20251121 (git commit ff6418d18552): * ASoC: tas2781: Add more symbol links on SPI devices ==== kernel-source ==== Version update (6.17.9 -> 6.18.0) - Revert "rpm/config.sh: Use suse-kabi-tools" This reverts commit e17118487b4d4fbabdbd7af5f3a53d7baaa11825. Temporarily revert this as: * There is a high risk to break something in factory and I want to separate it from the 6.18 update. * ring0 does not have suse-kabi-tools (yet), so we see "nothing provides suse-kabi-tools". - commit 6ce3f15 - Refresh patches.suse/wifi-iwlwifi-Add-missing-firmware-info-for-bz-b0-mod.patch. Fix backport for 6.17. Upstream's IWL_BZ_UCODE_CORE_MAX has to be changed to 6.17's IWL_BZ_UCODE_API_MAX. Otherwise we get the fw strings like: "firmware" "=" "iwlwifi-bz-b0-fm-c0" "-" "IWL_BZ_UCODE_CORE_MAX" ".ucode"; instead of upstream's: "firmware" "=" "iwlwifi-bz-b0-fm-c0" "-c" "99" ".ucode"; - commit 24dd031 - update to 6.18 final - drop obsoleted patch - patches.rpmify/power-supply-use-ktime_divns-to-avoid-64-bit-divisio.patch (ad8cccc24887) - refresh configs (headers only) - commit 3b67758 - config: update and reenable armv6hl configs - options mirrored from armv7hl - commit 5d0d415 - config: update and reenable armv7hl configs - options mirrored from arm64 except - TI_PRUETH=m - RESET_ASPEED=m - commit 60f8c94 - config/riscv64: enable generic ASoC drivers CONFIG_SND_SIMPLE_CARD_UTILS=m CONFIG_SND_SIMPLE_CARD=m CONFIG_SND_AUDIO_GRAPH_CARD=m CONFIG_SND_AUDIO_GRAPH_CARD2=m CONFIG_SND_AUDIO_GRAPH_CARD2_CUSTOM_SAMPLE=m - commit 4722423 - Add dtb-spacemit SpacemiT boards include MilkV-Jupiter, Banana Pi F3 and Orange Pi RV2. - commit f2f396d - smb: client: fix incomplete backport in cfids_invalidation_worker() (bsc#1254096). - commit a337d5c - rpm/kernel-obs-build.spec.in: Add xt_addrtype module for docker Needed by docker meanwhile. - commit 1cd2f7d ==== libX11 ==== Subpackages: libX11-6 libX11-data libX11-xcb1 - Add libX11-ignore-incompatible-XkbMapNotify.patch: Fix mutter-x11-frames crash caused by keyboard layout change triggered by orca screen reader. (bsc#1253076) ==== libarchive ==== Version update (3.8.1 -> 3.8.3) - Update to 3.8.3: * lib: Create temporary files in the target directory (boo#1254340) * lha: Fix for an out-of-bounds buffer overrun when using p[H_LEVEL_OFFSET] (boo#1254341) * 7-zip: Fix a buffer overrun when reading truncated 7zip headers (boo#1254342) * lz4 and zstd: Support both lz4 and zstd data with leading skippable frames - update upstream signing key - update to 3.8.2: Security fixes: * 7zip: Fix out of boundary access * tar reader: fix checking the result of the strftime (CVE-2025-25724) Notable bugfixes: * bsdtar: Allow filename to have CRLF endings * lib: archive_read_data: handle sparse holes at end of file correctly * lib: improve filter process handling * lib: fix error checking in writing files * lib: handle possible errors from system calls * lib: avoid leaking file descriptors into subprocesses * lib: parse_date: handle dates in 2038 and beyond if time_t is big enough * RAR5 reader: fix multiple issues in extra field parsing function * RAR5 reader: early fail when file declares data for a dir entry * tar writer: fix replacing a regular file with a dir for ARCHIVE_EXTRACT_SAFE_WRITES * tar reader (Windows): check WCS pathname in header_gnutar before overwriting * tar reader: fix an infinite loop when parsing V headers * zip writer: fix a memory leak if write callback error early * zip writer: fix writing with ZSTD compression * zstd write filter: enable Zstandard's checksum feature ==== libdisplay-info ==== - added -32bit package needed by Mesa's libvulkan driver packages ==== libpng16 ==== Version update (1.6.50 -> 1.6.51) - version update to 1.6.51 * Fixed CVE-2025-64505 (moderate severity): Heap buffer overflow in `png_do_quantize` via malformed palette index. (Reported by Samsung; analyzed by Fabio Gritti.) * Fixed CVE-2025-64506 (moderate severity): Heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled. (Reported by Samsung and ; analyzed by Fabio Gritti.) * Fixed CVE-2025-64720 (high severity): Buffer overflow in `png_image_read_composite` via incorrect palette premultiplication. (Reported by Samsung; analyzed by John Bowler.) * Fixed CVE-2025-65018 (high severity): Heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`. (Reported by .) * Fixed a memory leak in `png_set_quantize`. (Reported by Samsung; analyzed by Fabio Gritti.) * Removed the experimental and incomplete ERROR_NUMBERS code. (Contributed by Tobias Stoeckmann.) * Improved the RISC-V vector extension support; required RVV 1.0 or newer. (Contributed by Filip Wasil.) * Added GitHub Actions workflows for automated testing. * Performed various refactorings and cleanups. - fixes [bsc#1254157] [bsc#1254158] [bsc#1254159] [bsc#1254160] ==== mozilla-nss ==== Version update (3.117 -> 3.118.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.118.1 * bmo#1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM* - update to NSS 3.118 * bmo#1994866 - Remove four Commscope root certificates from NSS * bmo#1996036 - fix try pushes with --nspr-patch to actually apply the patch * bmo#1995512 - Support for NIST Curves compressed points * bmo#1985058 - Destroy certificate on error paths * bmo#1990242 - Move NSS DB password hash away from SHA-1 * bmo#1983313 - support secp384r1mlkem1024 * bmo#1991549 - vendor latest ML-KEM code from libcrux * bmo#1991549 - add mlk-kem-1024 tests * bmo#1996717 - use the correct directory for FStar_UInt_8_16_32_64.h in source consistency test * bmo#1766767 - Move scripts to python3 * bmo#1983313 - add mlkem1024 support in freebl * bmo#1983313 - support secp256r1mlkem768 * bmo#1983313 - Make mlkem768x25519 the default * bmo#1983320 - ML-DSA SGN and VFY interfaces * bmo#1988625 - Align FIPS interfaces count with array * bmo#1989477 - Ensure CKK_ML_KEM has derive CK_FALSE * bmo#1992128 - Add script for tagging an NSS release * bmo#1992128 - Remove the globals from nss-release-helper.py * bmo#1992128 - Add release helper command for generating the release index * bmo#1992128 - Add release helper command for generating a release note * bmo#1992128 - Add release helper command for freezing a branch ==== nghttp2 ==== Version update (1.66.0 -> 1.68.0) - Update to 1.68.0: * Increase glitch counter for unexpected builtin extension frames * Remove session_update_glitch_ratelim called from deep inside the chain * nghttpd: Make the supported groups configurable * Use SSL_CTX_set1_groups_list * nghttpx: Add groups option * nghttpx: Prefer ML-DSA certificate over ECDSA * nghttpx: Select ECDSA cert based on EVP_PKEY_base_id * nghttpx: Select certificate with BoringSSL * nghttpx: Select certificate with wolfSSL * nghttpx: Add the fast path when selecting a certificate * nghttpx: Select a certificate in a single pass * nghttpx: Support ML-DSA certificate selection with wolfSSL * nghttpx: Make servername_callback behavior consistent * nghttpx: Drop TLSv1.0 and TLSv1.1 support * nghttpx: Define NGHTTP2_CERT_TYPE as constexpr * src: Move sgi _daemonize to util::daemonize * examples: Consistent conditional macro comments * Bump ngtcp2 and its dependencies * src: Adopt nghttp3_conn_read_stream2 * src: Use std::ranges::begin and std::ranges::end consistently * h2load: Set QUIC window-bits to 24 by default * Fix typos in documentation: "or3xx" → "or 3xx" and missing space after period * nghttpx: Increase number of UDP packets to read * Optimize quic io * nghttpx: Remove unused ticket_keys from WorkerEvent * Bump ngtcp2 and its dependencies - Update to 1.67.1: * Remove session_update_glitch_ratelim called from deep inside the chain - Update to 1.67.0: * Port ngtcp2 map changes * src: Adopt IP_PMTUDISC_PROBE * Map seed * Use allocator-aware free in failure path * lib: Use nghttp2_mem_free * src: Rewrite util::is_hex_string * GHA: Run android workflow on branches event * Make error handling robust * Update doc * Add "glitch" counter * Make glitch counter configurable * tests: Swap the positions of expected and actual values * Bump ngtcp2 and its dependencies * Adopt ngtcp2 nghttp3 features * Adopt libngtcp2_crypto_libressl changes * src: Adopt designated initializers for ngtcp2_callbacks * src: Adopt designated initializers * src: constexpr fixup * src: Adopt NGTCP2_WRITE_STREAM_FLAG_PADDING * Test lib before building applications * Bump libbpf to v1.6.2 * Added nghttp3's pattern targets * Bump ngtcp2 to v1.15.1 ==== pam-config ==== Version update (2.13+git.20251105 -> 2.13+git.20251203) - Update to version 2.13+git.20251203: * Make pam_unix_ng work together with pam_sss * pam_sss has no debug option ==== pipewire ==== Version update (1.5.83 -> 1.5.84) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Add patch from upstream to fix linking in older clients: * remove-mappable.patch - Update to version 1.5.84 (1.6 RC4): * This is the fourth 1.6 release candidate that is API and ABI compatible with previous 1.4.x, 1.2.x and 1.0.x releases. * Highlights - Capabilities were added to improve negotiation over links. - The audio resampler now has a configurable window function to better tune the resampler quality. A kaiser and blackman window was added and the default parameters were tuned. - Various small fixes and improvements. * PipeWire - Capabilities and PeerCapabilities were added to exchange key/value pairs between consumer and producer right after a link is made. This can be used to detect how the negotiation of formats and buffers should be done. * Modules - Avoid segfaults in RTP source. (#4970 (closed)) - The AVB module has seen some improvements. * Pulse-server - @NONE@ can now be used to clear the default sink/source. * SPA - Support longer convolver filenames and also support inline IRs. - The audio resampler window function is now selectable and configurable. A kaiser window and blackman window was added and the default qualities were tweaked to improve quality. - The filter-graph convolver latency is now set by default to something more sensible. (0 by default and N/2 for hilbert). (#4980 (closed)) * Bluetooth - Better xrun and error handling for iso streams. - The +CNUM reply was fixed. - The CIEC call status was fixed. (#1744 (closed)) - Add BAP context metadata to improve compatibility. - Improve compatibility with Creative Zen Hybrid Pro by releasing transports simultaneously. ==== python-certifi ==== Version update (2025.10.5 -> 2025.11.12) - Update to 2025.11.12 * Bump actions/download-artifact from 5.0.0 to 6.0.0 (#373) * Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#374) ==== python-lark ==== Version update (1.2.2 -> 1.3.1) - Update to 1.3.1 * Bugfix: Restore support for custom input, alongside text and TextSlice by @erezsh in (#1562) * Keep sdist in sync with git (include all files in source build, including docs, tests and examples) by @chanicpanic in (#1561) - from version 1.3.0 * Lark can now parse in sections of strings, using TextSlice, as a faster alternative to creating a "copy-slice" with s[i:j]. * Added support to match on Tree instances * When serializing a Lark instance, added the option to include the grammar object (before compilation). * Added convenience method Tree.find_token() * Bugfix of an edge case in Earley related to representation of ambiguity. * Bugfixes in the standalone parser related to imports * Bugfix in indenter - now dedents always contain line information * Various small bugfixes (see PR list below) - from version 1.2.2 * Bugfix: Earley now respects ambiguity='resolve' again. (#1444) - Drop py314-functools-partial.patch, merged upstream ==== python-psutil ==== - Add upstream pytest9.patch to fix tests ==== runc ==== Version update (1.3.3 -> 1.4.0) - Add libpathrs build option to allow builds to switch to libpathrs. In future we will switch to enabling this by default for Tumbleweed and Leap >= 16. - Update to runc v1.4.0. Upstream changelog is available from . ==== selinux-policy ==== Version update (20251111 -> 20251128) Subpackages: selinux-policy-targeted - Update to version 20251128: * update support for polkit agent helper (bsc#1251931) * Allow system_mail_t read apache system content conditionally * Allow login_userdomain read lastlog * Allow sshd-net read and write to sshd vsock socket * Update ktls policy * Add comprehensive SELinux policy module for bwrap thumbnail generation * Revert "Allow thumb_t create permission in the user namespace" * Allow systemd-machined read svirt process state * Allow sshd_auth_t getopt/setopt on tcp_socket (bsc#1252992) * Allow sysadm access to TPM * Allow tlp get the attributes of the pidfs filesystem * Allow kmscon to read netlink_kobject_uevent_socket * Allow systemd-ssh-issue read kernel sysctls * fix: bz2279215 Allow speech-dispatcher access to user home/cache files * Allow create kerberos files in postgresql db home * Fix files_delete_boot_symlinks() to contain delete_lnk_files_pattern * Allow shell comamnds in locate systemd service (bsc#1246559) * Introduce initrc_nnp_daemon_domain interface * Label /var/lib/cosmic-greeter with xdm_var_lib_t * Allow setroubleshoot-fixit get attributes of xattr fs * Allow insights-client manage /etc symlinks * Allow insights-client get attributes of the rpm executable * Allow nfsidmapd search virt lib directories * Allow iotop stream connect to systemd-userdbd * Allow gnome-remote-desktop read sssd public files * Allow thumb_t stream connect to systemd-userdbd * Add auth_nnp_domtrans_chkpwd() * Allow bluez dbus API passing unix domain sockets * Allow bluez dbus api pass sockets over dbus * Dontaudit systemd-generator connect to sssd over a unix stream socket * Allow init watch/watch_reads systemd-machined user ptys - Syncing with upstream rawhide selinux-policy up to: * 874e36c884fc9e31ae12428338a38b14db65f554 - Update embedded container-selinux version to commit: * efdee4df4e98b5f5fe826b83db5ff4a9239e54bb (version 2.243.0) ==== shaderc ==== Version update (2025.4 -> 2025.5) - Update to release 2025.5 * No user-visible changes; just a new archive with changes to upstream's deployment scripts. ==== shadow ==== Subpackages: libsubid5 login_defs - Move chage, chfn, chsh, passwd and new?idmap into own pw-mgmt sub-package ==== sqlite3 ==== Version update (3.50.4 -> 3.51.1) - Update to version 3.51.1: * Fix incorrect results from nested EXISTS queries caused by the optimization in item 6b in the 3.51.0 release. * Fix a latent bug in fts5vocab virtual table, exposed by new optimizations in the 3.51.0 release - Changes in version 3.51.0: * New macros in sqlite3.h: - SQLITE_SCM_BRANCH → the name of the branch from which the source code is taken. - SQLITE_SCM_TAGS → space-separated list of tags on the source code check-in. - SQLITE_SCM_DATETIME → ISO-8601 date and time of the source code check-in. * Two new JSON functions, jsonb_each() and jsonb_tree() work the same as the existing json_each() and json_tree() functions except that they return JSONB for the "value" column when the "type" is 'array' or 'object'. * The carray and percentile extensions are now built into the amalgamation, though they are disabled by default and must be activated at compile-time using the -DSQLITE_ENABLE_CARRAY and/or -DSQLITE_ENABLE_PERCENTILE options, respectively. * Enhancements to TCL Interface: - Add the -asdict flag to the eval command to have it set the row data as a dict instead of an array. - User-defined functions may now break to return an SQL NULL. * CLI enhancements: - Increase the precision of ".timer" to microseconds. - Enhance the "box" and "column" formatting modes to deal with double-wide characters. - The ".imposter" command provides read-only imposter tables that work with VACUUM and do not require the --unsafe-testing option. - Add the --ifexists option to the CLI command-line option and to the .open command. - Limit columns widths set by the ".width" command to 30,000 or less, as there is not good reason to have wider columns, but supporting wider columns provides opportunity to malefactors. * Performance enhancements: - Use fewer CPU cycles to commit a read transaction. - Early detection of joins that return no rows due to one or more of the tables containing no rows. - Avoid evaluation of scalar subqueries if the result of the subquery does not change the result of the overall expression. - Faster window function queries when using "BETWEEN :x FOLLOWING AND :y FOLLOWING" with a large :y. * Add the PRAGMA wal_checkpoint=NOOP; command and the SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2(). * Add the sqlite3_set_errmsg() API for use by extensions. * Add the sqlite3_db_status64() API, which works just like the existing sqlite3_db_status() API except that it returns 64-bit results. * Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the sqlite3_db_status() and sqlite3_db_status64() interfaces. * In the session extension add the sqlite3changeset_apply_v3() interface. * For the built-in printf() and the format() SQL function, omit the leading '-' from negative floating point numbers if the '+' flag is omitted and the "#" flag is present and all displayed digits are '0'. Use '%#f' or similar to avoid outputs like '-0.00' and instead show just '0.00'. * Improved error messages generated by FTS5. * Enforce STRICT typing on computed columns. * Improved support for VxWorks * JavaScript/WASM now supports 64-bit WASM. The canonical builds continue to be 32-bit but creating one's own 64-bit build is now as simple as running "make". * Improved resistance to database corruption caused by an application breaking Posix advisory locks using close(). ==== suse-module-tools ==== Version update (16.1.0 -> 16.1.1) Subpackages: suse-module-tools-scriptlets - Update to version 16.1.1: * 80-hotplug-cpu-mem.rules: remount tmpfs on "online" uevents (bsc#1254264) ==== systemd-presets-branding-MicroOS ==== - enable firewalld.service by default (bsc#1237923) since the Agama installer does not do that (contrary to what the YaST installer used to do). ==== wtmpdb ==== Version update (0.75.0+git20251009.a6f185a -> 0.75.0+git20251130.0d8fe7a) Subpackages: libwtmpdb0 - Update to version 0.75.0+git20251130.0d8fe7a: * wtmpdbd: add method Rotate to interface definition * wtmpdb last: fix --present option * last -x: apply --since and --until to split entries * last -x: show shutdown entries before reboot ones * Fix varlink definition for type WtmpdbEntry ==== zlib-ng-compat ==== Version update (2.2.5 -> 2.3.1) - Remove WITH_RVV=OFF - Update to 2.3.1: * Changelog at https://github.com/zlib-ng/zlib-ng/releases/tag/2.3.1