Packages changed:
MicroOS-release (20250224 -> 20250225)
apparmor
bash-completion
cockpit
ffmpeg-4
ffmpeg-7
gnutls (3.8.8 -> 3.8.9)
grub2
kernel-firmware-realtek (20250206 -> 20250224)
kmod (33 -> 34)
libaccounts-glib (1.26 -> 1.27)
libapparmor
libwacom (2.12.2 -> 2.14.0)
libx86emu (3.5 -> 3.7)
libxmlb (0.3.19 -> 0.3.21)
libzip (1.11.2 -> 1.11.3)
passt (20250121.4f2c8e7 -> 20250217.a1e48a0)
patterns-base
polkit-default-privs (1550+20250217.25d4aef -> 1550+20250225.49f846d)
pulseaudio-qt6 (1.6.1 -> 1.7.0)
qt6-tools
sdbootutil (1+git20250221.19f7d1a -> 1+git20250225.b78f812)
selinux-policy (20250221 -> 20250224)
speech-dispatcher (0.12.0~rc4 -> 0.12.0)
tiff
=== Details ===
==== MicroOS-release ====
Version update (20250224 -> 20250225)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen
==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor
- add py313-aa-notify.patch to adapt the last bits to python 3.13
==== bash-completion ====
- Drop completions for kmod; kmod>=34 provides its own now.
==== cockpit ====
Subpackages: cockpit-bridge cockpit-networkmanager cockpit-packagekit cockpit-system cockpit-ws
- fix build with latest local-npm-registry
==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9
- Add ffmpeg-7-CVE-2025-22921.patch:
Backporting 7f9c7f98 from upstream, clear array length when
freeing it.
(CVE-2025-22921, bsc#1237382)
- Add ffmpeg-7-CVE-2025-25473.patch:
Backporting c08d3004 from upstream, clear FFFormatContext packet.
When packet_buffer is used in mux.c, and if a muxing process fails
at a point where packets remained in said queue.
(CVE-2025-25473, bsc#1237351)
- Add ffmpeg-7-CVE-2025-0518.patch:
Backporting b5b6391d from upstream, fixes memory data leak when
use sscanf().
(CVE-2025-0518, bsc#1236007)
- Add ffmpeg-7-CVE-2025-22919.patch:
Backporting 1446e37d from upstream, check for valid sample rate
As the sample rate <= 0 is invalid.
(CVE-2025-22919, bsc#1237371)
- Add ffmpeg-4-CVE-2024-12361.patch:
Backporting 4065ff69 from upstream, add check for av_packet_new_side_data()
to avoid null pointer dereference if allocation fails.
(CVE-2024-12361, bsc#1237358)
==== ffmpeg-7 ====
Subpackages: libavcodec61 libavfilter10 libavformat61 libavutil59 libpostproc58 libswresample5 libswscale8
- Add ffmpeg-7-CVE-2025-22921.patch:
Backporting 7f9c7f98 from upstream, clear array length when
freeing it.
(CVE-2025-22921, bsc#1237382)
- Add ffmpeg-7-CVE-2025-25473.patch:
Backporting c08d3004 from upstream, clear FFFormatContext packet.
When packet_buffer is used in mux.c, and if a muxing process fails
at a point where packets remained in said queue.
(CVE-2025-25473, bsc#1237351)
- Add ffmpeg-7-CVE-2025-0518.patch:
Backporting b5b6391d from upstream, fixes memory data leak when
use sscanf().
(CVE-2025-0518, bsc#1236007)
- Add ffmpeg-7-CVE-2025-22919.patch:
Backporting 1446e37d from upstream, check for valid sample rate
As the sample rate <= 0 is invalid.
(CVE-2025-22919, bsc#1237371)
==== gnutls ====
Version update (3.8.8 -> 3.8.9)
- Update to 3.8.9
- libgnutls: leancrypto was added as an interim option for PQC
The library can now be built with leancrypto instead of liboqs for
post-quantum cryptography (PQC), when configured with
- -with-leancrypto option instead of --with-liboqs.
- libgnutls: Experimental support for ML-DSA signature algorithm
The library and certtool now support ML-DSA signature algorithm as
defined in FIPS 204 and based on
draft-ietf-lamps-dilithium-certificates-04. This feature is
currently marked as experimental and can only be enabled when
compiled with --with-leancrypto or --with-liboqs.
Contributed by David Dudas.
- libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
The support for ML-KEM post-quantum key encapsulation mechanisms
has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
draft-kwiatkowski-tls-ecdhe-mlkem-03.
- libgnutls: Fix potential DoS in handling certificates with numerous name
constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
bundled copy of libtasn1 has also been updated to the latest 4.20.0
release to complete the fix. Reported by Bing Shi (#1553).
[GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243
- Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2
* Rebased gnutls-FIPS-140-3-references.patch
* Rebased gnutls-FIPS-TLS_KDF_selftest.patch
* Rebased gnutls-FIPS-jitterentropy.patch
* Rebased gnutls-disable-flaky-test-dtls-resume.patch
* Rebased gnutls-srp-test-SIGPIPE.patch
* Rebased gnutls-3.5.11-skip-trust-store-tests.patch
* Add gnutls-set-cligen-python-interp.patch
* Add gnutls-skip-pqx-test.patch
==== grub2 ====
Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls
- Make SLFO/SLE-16 and openSUSE have identical package structures
- Provide grub2-<CPUARCH>-efi-bls for SLFO/SLE-16
==== kernel-firmware-realtek ====
Version update (20250206 -> 20250224)
- Update to version 20250224 (git commit 1a1470d90de2):
* rtw89: 8852bt: update fw to v0.29.122.0 and BB parameter to 07
==== kmod ====
Version update (33 -> 34)
Subpackages: libkmod2
- Update to release 34
* modinfo now dlopens compression libraries, and only if needed.
(insmod/modprobe exercises the kernel's built-in decompression
anyway, so is unaffected).
* depmod: add -m option for overriding the module directory at
runtime.
* depmod: deleted deprecated options --unresolved-error, --quiet,
- root and --map.
* rmmod: deleted deprecated option -w.
* insmod: deleted deprecated options -p, -s.
- Delete 0001-testsuite-fix-path-for-test-user.patch (obsolete)
==== libaccounts-glib ====
Version update (1.26 -> 1.27)
- Update to 1.27
* Do not install python gobject introspection files by default.
If they are needed, build with `-Dinstall-py-overrides=true`.
* Lib: do not attempt to terminate the GTask twice
* Fix memory leak on provider tags
* Do not emit misleading enabled signals on account services
* Fix incorrect cleanup in ag_account_finalize
- Drop patches, merged upstream:
* 0001-ag-account-fix-incorrect-cleanup-in-ag_account_final.patch
* 0002-Build-Don-t-install-Python-overrides-by-default.patch
* 0003-Lib-do-not-attempt-to-terminate-the-GTask-twice.patch
* 0004-ag-provider-fix-memory-leak-on-provider-tags.patch
* 0006-ag-account-do-not-emit-misleading-enabled-signals-on.patch
==== libapparmor ====
- add py313-aa-notify.patch to adapt the last bits to python 3.13
==== libwacom ====
Version update (2.12.2 -> 2.14.0)
Subpackages: libwacom-data libwacom9
- update to 2.14.0
* Extended Lenovo Yoga X1 Gen5 support, improved the Huion mini
keydial (KD100)
* Fixed missing Strip in the Huion Kamvas Pro 16
* Corrected entry for Elan 5515
* Fixed outdated properties for Lenovo Yoga 9 14IAP7
* Add support for Dial status LEDs
* .tablet files shadow any ones with the same name
* New XP Pen devices supported: Artist 22R Pro, 24 Pro, Deco Fun
L, ACK05 Remote, Pro Pen 3E
* New Lenovo device ssupported: Yoga 9 14IAP7, Active Pen 3
(2023), Digital Pen 2, X1 Fold 16 Gen1, Precision Pen 2 (2023)
stylus
* New ELAN devices supported: ELAN-2514 variant 04f3:2f9d, ELAN
9008 and 9009 (Asus Zenbook Duo UX8406MA 1200p), ELAN 2F2A and
41A1 (ZenBook Pro Duo UX8402VV)
* New Wacom devices supported: HID 5214 (IdeaPad Flex 5 14ARE05
rev.81X2), HID 52C6 Pen.
* New HP devices supported: Spectre x360, Elite Chromebook C1030
* Other devices supported: StarLite Mk V; HP Spectre x360
13-aw0020ng; Huion RTP-700, Huion KeyDial K20
* Database: support $XDG_CONFIG_HOME/libwacom as additional path
* tools/clean_svg: allow passing in a .tablet file
* tools/list-local-devices: print the vid/pid if available
* tools/debug-device: print the device class too
==== libx86emu ====
Version update (3.5 -> 3.7)
- merge gh#wfeldt/libx86emu#47
- fix building on non-x86 architectures
- 3.7
- merge gh#wfeldt/libx86emu#46
- fix a buffer overflow in x86emu_log (bsc#1237557)
- 3.6
- merge gh#wfeldt/libx86emu#44
- prim_ops: fix some indentation
- merge gh#wfeldt/libx86emu#42
- Fix a bug in R/M 01 decoding
- merge gh#wfeldt/libx86emu#41
- fix NEG remark typos
==== libxmlb ====
Version update (0.3.19 -> 0.3.21)
- Update to 0.3.21
* Check for corrupt XbSiloNode values in a smarter way
Changes in 0.3.20:
* Do not always strip literal text
* Do not assume .txt files are application/xml
* Fix a crash when loading a corrupt XMLb store
==== libzip ====
Version update (1.11.2 -> 1.11.3)
- update to 1.11.3:
* Report read error for corrupted encrypted file data
* Avoid unnecessary seeks when writing archive
* Don't hardcode _Nullable support in zip.h to allow it to be
used with different compilers
==== passt ====
Version update (20250121.4f2c8e7 -> 20250217.a1e48a0)
Subpackages: passt-selinux
- Update to version 20250217.a1e48a0:
* test: Add migration tests
* migrate: Migrate TCP flows
* repair, passt-repair: Build and warning fixes for musl
* tcp_splice: A typo three years ago and SO_RCVLOWAT is gone
* tcp_splice: Don't wake up on input data if we can't write it anywhere
* vhost_user: Clear ring address on GET_VRING_BASE
* tcp, tcp_splice: Don't set SO_SNDBUF and SO_RCVBUF to maximum values
* tcp: Keep updating window and checking for socket data after FIN from guest
* contrib/selinux: Enable mapping guest memory for libvirt guests
* selinux: Add rules needed to run tests
* rampstream: Add utility to test for corruption of data streams
* tcp: Get bound address for connected inbound sockets too
* vhost_user: Make source quit after reporting migration state
* Add interfaces and configuration bits for passt-repair
* migrate: Migrate guest observed addresses
* migrate: Skeleton of live migration logic
* passt-repair: Fix off-by-one in check for number of file descriptors
* tcp_vu: Fix off-by one in header count array adjustment
* tcp: Implement conservative zero-window probe on ACK timeout
* tcp: Don't discard window information on keep-alive segments
* dhcp, dhcpv6: Add hostname and client fqdn ops
* conf: Don't map DNS traffic to host, if host gateway is a resolver
* passt-repair: Send one confirmation *per command*, not *per socket*
* dhcp: Don't re-use request message for reply
* passt-repair: Dodge "structurally unreachable code" warning from Coverity
* passt-repair: Fix calculation of payload length from cmsg_len
* passt-repair: Don't use perror(), accept ECONNRESET as termination
* conf, passt.1: Un-deprecate --host-lo-to-ns-lo
* debug: Add tcpdump to mbuto.img
* apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user
* passt-repair.1: Fix indication of TCP_REPAIR constants
* passt-repair: Build fixes for musl
* passt-repair: use _exit() over return
* treewide: use _exit() over exit()
* tcp: Simplify handling of getsockname()
* migrate: Fix several errors with passt-repair
* doc: Add mock of migration source and target
* tcp: Get socket port and address using getsockname() when connecting from guest
* Introduce passt-repair
* vhost_user: Turn some vhost-user message reports to trace()
* util: Add read_remainder() and read_all_buf()
* tcp_splice, udp_flow: fcntl64() support on PPC64 depends on glibc version
* vhost_user: On 32-bit ARM, mmap() is not available, mmap2() is used instead
* tcp: Don't reset outbound connection on SYN retries
* pasta.te: fix demo.sh and remove one duplicate rule
* tcp: Add HOSTSIDE(x), HOSTFLOW(x) macros
* util: Rename and make global vu_remove_watch()
* tcp: Always pass NULL event with EPOLL_CTL_DEL
* vhost-user: Implement an empty VHOST_USER_SEND_RARP command
* netlink: Skip loopback interface while looking for a template
==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11
- Only requires busybox on openSUSE MicroOS, not SL Micro.
- Don't build apparmor pattern for SLFO.
- Disable 32bit pattern on aarch64 and ppc64le.
- Build selinux pattern everywhere and requires targeted policy
on SLE.
==== polkit-default-privs ====
Version update (1550+20250217.25d4aef -> 1550+20250225.49f846d)
- Update to version 1550+20250225.49f846d:
* profiles: whitelist kio-admin (bsc#1229913)
- Update to version 1550+20250224.8d1bf49:
* profiles: whitelist apparmor-utils (bsc#1237329)
==== pulseaudio-qt6 ====
Version update (1.6.1 -> 1.7.0)
- Update to 1.7.0
* Remove Qt 5 support
* bump compiler setting to 6.0
* bump c++ to 20
* change all dptrs to unique_ptr
* debug: correctly mark updates
* card: don't mutate the container we iterate on
* context: add support for loading and unloading modules
* server: consider pipewire/wireplumber the default
* Add missing license text
- Drop the Qt 5 flavor (but keep the _multibuild setup)
==== qt6-tools ====
Subpackages: libQt6UiTools6 qt6-tools-qdbus
- Use clang 19 on Leap 15.6.
The 15.6 update repo got a new llvm version which causes issues
if both llvm 17 and 19 are present
==== sdbootutil ====
Version update (1+git20250221.19f7d1a -> 1+git20250225.b78f812)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit
- Update to version 1+git20250225.b78f812:
* Use also cryptenroll key to recover the volume key
- Update to version 1+git20250225.292283f:
* Support UUID references in crypttab
- Update to version 1+git20250224.c9be3b6:
* Do not use && when copying signature (bsc#1237505)
==== selinux-policy ====
Version update (20250221 -> 20250224)
Subpackages: selinux-policy-targeted
- Update to version 20250224:
* Label /run/systemd/pcrlock.json systemd_pcrlock_var_lib_t
* systemd_pcrlock_t needs to filetrans when recreating /var/lib/pcrlock.d
* Allow snapper access to keys
* Add rules for pcrlock (bsc#1233358)
* allow snapper to call pcrlock and manage its files
* allow unconfined_t to execute pcrlock
* label rules for default systemd_pcrlock_var_lib_t locations
* new interfaces: systemd_domtrans_pcrlock and systemd_pcrlock_exec
* introduce systemd_pcrlock_var_lib_t and systemd_manage_pcrlock_files
* Introduce interfaces snapper_manage_tmp_files and snapper_manage_tmp_dirs
==== speech-dispatcher ====
Version update (0.12.0~rc4 -> 0.12.0)
- Update to version 0.12.0:
* Add libspeechd-module library for making it simpler to create
external spd modules.
* Update CLDR to version 45, symbols from orca 45.2, and symbols
from NVDA.
* Also support loading symbols from home directory.
==== tiff ====
- Use python3-Sphinx instead of %{primary_python}-Sphinx
based on recommendation from python maintainers.
* Fixes build issue of man flavor on 15.6