------------------------------------------------------------------
--- Changelog.all ----------- Wed Mar 25 10:46:44 UTC 2026 ------
------------------------------------------------------------------
------------------------------------------------------------------
------------------ 2026-3-19 - Mar 19 2026 -------------------
------------------------------------------------------------------

++++ systemd:

- Import commit a943e3ce2f655b8509038e31f03f5ded18f24683
  a943e3ce2f machined: reject invalid class types when registering machines (bsc#1259650 CVE-2026-4105)
  71593f77db udev: fix review mixup
  73a89810b4 udev-builtin-net-id: print cescaped bad attributes
  0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
  40905232e2 udev: ensure tag parsing stays within bounds
  7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
  d018ac1ea3 udev: check for invalid chars in various fields received from the kernel (bsc#1259697)

++++ python-PyJWT:

- Add CVE-2026-32597_crit-header.patch to validate the crit (Critical)
  Header Parameter defined in RFC 7515 (bsc#1259616, CVE-2026-32597).
------------------------------------------------------------------
------------------ 2026-3-18 - Mar 18 2026 -------------------
------------------------------------------------------------------

++++ libzypp:

- Fix preloader not caching packages from arch specific subrepos (bsc#1253740)
- Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
- version 17.38.5 (35)

------------------------------------------------------------------
------------------ 2026-3-17 - Mar 17 2026 -------------------
------------------------------------------------------------------

++++ pcr-oracle:

- Add fix-bsc1258119-fix-stop-event-crash.patch to fix the potential
  crash when processing the stop event (bsc#1258119)

++++ python-tornado6:

- CVE-2026-31958: parsing large multipart bodies with many parts can
  cause a denial of service (bsc#1259553)
  * added CVE-2026-31958.patch
- VUL-0: incomplete validation of cookie attributes allows for injection
  of user-controlled values in other cookie attributes (bsc#1259630)
  * added VUL-0-cookie-attribute-validation.patch

------------------------------------------------------------------
------------------ 2026-3-13 - Mar 13 2026 -------------------
------------------------------------------------------------------

++++ sqlite3:

- Update to version 3.51.3:
  * Fix the WAL-reset database corruption bug:
    https://sqlite.org/wal.html#walresetbug
  * Other minor bug fixes.
------------------------------------------------------------------
------------------ 2026-3-12 - Mar 12 2026 -------------------
------------------------------------------------------------------

++++ libsolv:

- respect the "default" attribute in environment optionlist in the comps parser
- support suse namespace deps in boolean dependencies [bsc#1258193]
- support for the Elbrus2000 (e2k) architecture
- support language() suse namespace rewriting
- bump version to 0.7.36

------------------------------------------------------------------
------------------ 2026-3-11 - Mar 11 2026 -------------------
------------------------------------------------------------------

++++ vim:

* Update Vim to version 9.2.0110 (from 9.2.0045).
* Specifically, this fixes bsc#1259051 / CVE-2026-28417.

------------------------------------------------------------------
------------------ 2026-3-10 - Mar 10 2026 -------------------
------------------------------------------------------------------

++++ cockpit-machines:

- add drop-virtinterfaced-usage.patch (bsc#1228187)

++++ libzypp:

- Fix Product::referencePackage lookup (bsc#1259311)
  Use a provided autoproduct() as hint to the package name of the
  release package. It might be that not just multiple versions of the
  same release package provide the same product version, but also
  different release packages.
- version 17.38.4 (35)

------------------------------------------------------------------
------------------ 2026-3-9 - Mar 9 2026 -------------------
------------------------------------------------------------------

++++ curl:

- Security fixes:
  * CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362)
  * CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363)
  * CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364)
  * CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365)
  * Add patches:
    - curl-CVE-2026-1965.patch
    - curl-CVE-2026-3783.patch
    - curl-CVE-2026-3784.patch
    - curl-CVE-2026-3805.patch

------------------------------------------------------------------
------------------ 2026-3-6 - Mar 6 2026 -------------------
------------------------------------------------------------------

++++ busybox:

- Additional fix for use-after-realloc in awk (CVE-2021-42380, bsc#1192869)
  * 0001-awk-fix-use-after-realloc-CVE-2021-42380-closes-1560.patch
- Fix use-after-free in the awk.c copyvar (CVE-2023-42365, bsc#1217585)
  * 0002-awk-fix-precedence-of-relative-to.patch
- Fix use-after-free vulnerability in xasprintf (CVE-2023-42363, bsc#1217580)
  * 0003-awk-fix-use-after-free-CVE-2023-42363.patch
- Fix use-after-free in the awk.c (CVE-2023-42364, bsc#1217584)
  * 0004-awk-restore-assignment-precedence-to-be-lower-than-t.patch
- Fix hidden files in tar listing using escape chars (CVE-2025-46394, bsc#1241661)
  * 0005-archival-libarchive-sanitize-filenames-on-output-pre.patch
- Fix file overwrite, modification, privilege escalation, potential code
  execution in tar (CVE-2026-26157, bsc#1258163) (CVE-2026-26158, bsc#1258167)
  * 0006-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch
  * 0007-tar-only-strip-unsafe-components-from-hardlinks-not-.patch
- Fix wget request header injection (CVE-2025-60876, bsc#1253245)
  * wget-don-t-allow-control-characters-in-url.patch

++++ python311-core:

- Update to 3.11.15:
  - Security
    - gh-144125: BytesGenerator will now refuse to serialize (write)
      headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when flattening
      an email message using a modern email policy. Comments consisting
      of a very long sequence of non-foldable characters could trigger
      a forced line wrap that omitted the required leading space on the
      continuation line, causing the remainder of the comment to be
      interpreted as a new header field. This enabled header injection
      with carefully crafted inputs (bsc#1257029 CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media types
      (bsc#1257046, CVE-2025-15282).
    - gh-143919: Reject control characters in http.cookies.Morsel fields
      and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters
      (bsc#1257042, CVE-2026-0865).
    - gh-142145: Remove quadratic behavior in xml.minidom node ID cache
      clearing. In order to do this without breaking existing users, we
      also add the ownerDocument attribute to xml.dom.minidom elements
      and attributes created by directly instantiating the Element or
      Attr class. Note that this way of creating nodes is not supported;
      creator functions like xml.dom.Document.documentElement() should
      be used instead (bsc#1254997, CVE-2025-12084).
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally
      RAWTEXT element “noscript” in html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for legacy HTTP
      parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in os.path.expandvars()
      (bsc#1252974, CVE-2025-6075).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server, it
      could cause an arbitrary amount of memory to be allocated. This
      could have led to symptoms including a MemoryError, swapping, out
      of memory (OOM) killed processes or containers, or even system
      crashes (CVE-2025-13836, bsc#1254400).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to the CGI
      server on Windows, it could cause an arbitrary amount of memory to
      be allocated. This could have led to symptoms including a
      MemoryError, swapping, out of memory (OOM) killed processes or
      containers, or even system crashes.
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from untrusted
      source, it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including a
      MemoryError, swapping, out of memory (OOM) killed processes or
      containers, or even system crashes (bsc#1254401, CVE-2025-13837).
  - Library
    - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns
      NULL in newPySSLSocket(). The error was reported via a dangling
      pointer after the object had already been freed.
    - gh-144363: Update bundled libexpat to 2.7.4
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects to
      prevent use of disproportional amounts of dynamic memory from
      within an Expat parser. Patch by Bénédikt Tran.
  - Core and Builtins
    - gh-120384: Fix an array out of bounds crash in list_ass_subscript,
      which could be invoked via some specifically tailored input:
      including concurrent modification of a list object, where one
      thread assigns a slice and another clears it.
    - gh-120298: Fix use-after-free in list_richcompare_impl which can
      be invoked via some specifically tailored evil input.
- Remove upstreamed patches:
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2025-12084-minidom-quad-search.patch
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-13837-plistlib-mailicious-length.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - CVE-2026-0865-wsgiref-ctrl-chars.patch
  - CVE-2025-15282-urllib-ctrl-chars.patch

++++ libzypp:

- specfile: on fedora use %{_prefix}/share as zyppconfdir if
  %{_distconfdir} is undefined (fixes #693)
  This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
- Fall back to a writable location when precaching packages without
  root (bsc#1247948)
- version 17.38.3 (35)

++++ python311:

- Update to 3.11.15:
  - Security
    - gh-144125: BytesGenerator will now refuse to serialize (write)
      headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when flattening
      an email message using a modern email policy. Comments consisting
      of a very long sequence of non-foldable characters could trigger
      a forced line wrap that omitted the required leading space on the
      continuation line, causing the remainder of the comment to be
      interpreted as a new header field. This enabled header injection
      with carefully crafted inputs (bsc#1257029 CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media types
      (bsc#1257046, CVE-2025-15282).
    - gh-143919: Reject control characters in http.cookies.Morsel fields
      and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters
      (bsc#1257042, CVE-2026-0865).
    - gh-142145: Remove quadratic behavior in xml.minidom node ID cache
      clearing. In order to do this without breaking existing users, we
      also add the ownerDocument attribute to xml.dom.minidom elements
      and attributes created by directly instantiating the Element or
      Attr class. Note that this way of creating nodes is not supported;
      creator functions like xml.dom.Document.documentElement() should
      be used instead (bsc#1254997, CVE-2025-12084).
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally
      RAWTEXT element “noscript” in html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for legacy HTTP
      parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in os.path.expandvars()
      (bsc#1252974, CVE-2025-6075).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server, it
      could cause an arbitrary amount of memory to be allocated. This
      could have led to symptoms including a MemoryError, swapping, out
      of memory (OOM) killed processes or containers, or even system
      crashes (CVE-2025-13836, bsc#1254400).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to the CGI
      server on Windows, it could cause an arbitrary amount of memory to
      be allocated. This could have led to symptoms including a
      MemoryError, swapping, out of memory (OOM) killed processes or
      containers, or even system crashes.
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from untrusted
      source, it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including a
      MemoryError, swapping, out of memory (OOM) killed processes or
      containers, or even system crashes (bsc#1254401, CVE-2025-13837).
  - Library
    - gh-144833: Fixed a use-after-free in ssl when SSL_new() returns
      NULL in newPySSLSocket(). The error was reported via a dangling
      pointer after the object had already been freed.
    - gh-144363: Update bundled libexpat to 2.7.4
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects to
      prevent use of disproportional amounts of dynamic memory from
      within an Expat parser. Patch by Bénédikt Tran.
  - Core and Builtins
    - gh-120384: Fix an array out of bounds crash in list_ass_subscript,
      which could be invoked via some specifically tailored input:
      including concurrent modification of a list object, where one
      thread assigns a slice and another clears it.
    - gh-120298: Fix use-after-free in list_richcompare_impl which can
      be invoked via some specifically tailored evil input.
- Remove upstreamed patches:
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2025-12084-minidom-quad-search.patch
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-13837-plistlib-mailicious-length.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - CVE-2026-0865-wsgiref-ctrl-chars.patch
  - CVE-2025-15282-urllib-ctrl-chars.patch

++++ zypper:

- Report download progress for command line rpms (fixes #613)
- Hint to '-vv ref' to see the mirrors used to download the metadata
  (bsc#1257882)
- Service: Allow "zypper ls SERVICE ..." to test whether a service with
  this alias is defined (bsc#1252744)
  The command prints an abstract of all services passed on the command
  line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does
  not name an existing service.
- Keep repo data when updating the service settings (bsc#1252744)
- info: Enhance pattern content table (bsc#1158038)
  Alternatives (multiple packages providing the same requirement) are
  now listed as a single entry in the content table. The entry shows
  either the installed package which satisfies the requirement or the
  requirement itself as type 'Provides'. Listing all potential
  alternatives was misleading, especially if the alternatives were
  mutually exclusive. It looked like an installed pattern had
  not-installed requirements and it was not possible to install all
  requirements at the same time.
- version 1.14.95

------------------------------------------------------------------
------------------ 2026-3-4 - Mar 4 2026 -------------------
------------------------------------------------------------------

++++ salt:

- Make syntax in httputil_test compatible with Python 3.6
- Fix KeyError in postgres module with PostgreSQL 17 (bsc#1254325)
- Use internal deb classes instead of external aptsource lib
- Speed up wheel key.finger call (bsc#1240532)
- Backport security patches for Salt vendored tornado:
  * CVE-2025-67724: missing validation of supplied reason phrase (bsc#1254903)
  * CVE-2025-67725: fix DoS via malicious HTTP request (bsc#1254905)
  * CVE-2025-67726: fix HTTP header parameter parsing algorithm (bsc#1254904)
- Simplify and speed up utils.find_json function (bsc#1246130)
- Extend warn_until period to 2027
- Added:
  * fix-tornado-s-httputil_test-syntax-for-python-3.6.patch
  * backport-add-maintain-m-privilege-to-postgres-module.patch
  * use-internal-salt.utils.pkg.deb-classes-instead-of-a.patch
  * speedup-wheel-key.finger-call-bsc-1240532-713.patch
  * fixes-for-security-issues-cve-2025-13836-cve-2025-67.patch
  * simplify-utils.json.find_json-function.patch
  * extend-fails-to-warnings-until-2027-742.patch

++++ suseconnect-ng:

- Regressions found during QA test runs:
  - Ignore product in announce call (bsc#1257490)
  - Registration to SMT server with failed (bsc#1257625)

++++ tar:

- Add tar-fix-deletion-from-archive.patch
  * Fixes tar creating invalid tarballs when used with --delete (bsc#1246607)
  * Add makeinfo build requirement, needed after the addition of the patch

++++ vim:

* Update Vim to version 9.2.0045 (from 9.1.1629).
* Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed upstream).
* Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed upstream).
* Drop obsolete or upstreamed patches:
  - vim-7.3-filetype_spec.patch
  - vim-7.4-filetype_apparmor.patch
  - vim-8.2.2411-globalvimrc.patch
* Refresh the following patches:
  - vim-7.3-filetype_changes.patch
  - vim-7.3-filetype_ftl.patch
  - vim-7.3-sh_is_bash.patch
  - vim-9.1.1134-revert-putty-terminal-colors.patch
* Remove autoconf from BuildRequires and drop the autoconf call in %build.
* Package new Swedish (sv) man pages and clean up duplicate encodings
  (sv.ISO8859-1 and sv.UTF-8) during %install.

------------------------------------------------------------------
------------------ 2026-3-3 - Mar 3 2026 -------------------
------------------------------------------------------------------

++++ freetype2:

- update to 2.14.2
  - Important changes
    * Several changes related to LCD filtering are implemented to
      achieve better performance and encourage sound practices.
      + Instead of blanket LCD filtering over the entire bitmap, it is
        now applied only to non-zero spans using direct rendering. This
        speeds up the ClearType-like rendering by more than 40% at
        sizes above 32 ppem.
      + Setting the filter weights with FT_Face_Properties is no longer
        supported. The default and light filters are optimized to work
        with any face.
      + The legacy libXft LCD filter algorithm is no longer provided.
  - Important bug fixes
    * A bunch of potential security problems have been found
      (bsc#1259118, CVE-2026-23865). All users should update.
    * The italic angle in `PS_FontInfo` is now stored as a fixed-point
      value in degrees for all Type 1 fonts and their derivatives,
      consistent with CFF fonts and common practices. The broken
      underline position and thickness values are fixed for CFF fonts.
  - Miscellaneous
    * The `x` field in the `FT_Span` structure is now unsigned.
    * Demo program `ftgrid` got an option `-m` to select a start
      character to display.
    * Similarly, demo program `ftmulti` got an option `-m` to select a
      text string for rendering.
    * Option `-d` in the demo program `ttdebug` is now called `-a`,
      expecting a comma-separated list of axis values. The user
      interface is also slightly improved.
    * The `ftinspect` demo program can now be compiled with Qt6, too.

------------------------------------------------------------------
------------------ 2026-3-2 - Mar 2 2026 -------------------
------------------------------------------------------------------

++++ virtiofsd:

- Add CVE-2026-25727.patch: Avoid denial of service when parsing Rfc2822
  (bsc#1257912 CVE-2026-25727).

------------------------------------------------------------------
------------------ 2026-3-1 - Mar 1 2026 -------------------
------------------------------------------------------------------

++++ util-linux:

- Use full hostname for PAM to ensure correct access control for
  "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch).

++++ util-linux-systemd:

- Use full hostname for PAM to ensure correct access control for
  "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch).
------------------------------------------------------------------
------------------ 2026-2-27 - Feb 27 2026 -------------------
------------------------------------------------------------------

++++ systemd:

- Import commit aef6e11921f8c46a2b7ee8cfab024c9c641d74d8
  aef6e11921 core/cgroup: avoid one unnecessary strjoina()
  cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
  26a748f727 core: validate input cgroup path more prudently (bsc#1259418 CVE-2026-29111)
  99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs

------------------------------------------------------------------
------------------ 2026-2-25 - Feb 25 2026 -------------------
------------------------------------------------------------------

++++ libsoup:

- Add libsoup-CVE-2026-1760.patch: server: close the connection after
  responding to a request containing... (bsc#1257597, CVE-2026-1760,
  glgo#GNOME/libsoup#475).
- Add libsoup-CVE-2026-1467.patch: uri-utils: do host validation when
  checking if a GUri is valid (bsc#1257398, CVE-2026-1467,
  glgo#GNOME/libsoup#488).
- Add libsoup-CVE-2026-1539.patch: Also remove Proxy-Authorization
  header on cross origin redirect (bsc#1257441, CVE-2026-1539,
  glgo#GNOME/libsoup#489).

++++ qemu:

- Bug and CVE fixes:
  * cryptodev-builtin: Limit the maximum size (bsc#1255400, CVE-2025-14876)
  * hw/virtio/virtio-crypto: verify asym request size (bsc#1255400, CVE-2025-14876)
  * hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() (bsc#1256484, CVE-2026-0665)

------------------------------------------------------------------
------------------ 2026-2-24 - Feb 24 2026 -------------------
------------------------------------------------------------------

++++ gnutls:

- Add the functionality to allow specifying the hash algorithm for the
  PSK. This fixes a bug in the current implementation where the binder
  is always calculated with SHA256.
  * (bsc#1258083, jsc#PED-15752, jsc#PED-15753)
  * lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
  * tests/psk-file: Add testing for _credentials2 functions
  * lib/psk: add null check for binder algo
  * pre_shared_key: fix memleak when retrying with different binder algo
  * pre_shared_key: add null check on pskcred
  * Add patches:
    - gnutls-PSK-hash.patch
    - gnutls-PSK-hash-tests.patch
    - gnutls-PSK-hash-NULL-check.patch
    - gnutls-PSK-hash-NULL-check-pskcred.patch
    - gnutls-PSK-hash-fix-memleak.patch

------------------------------------------------------------------
------------------ 2026-2-20 - Feb 20 2026 -------------------
------------------------------------------------------------------

++++ libsoup:

- Add more CVE fixes:
  + libsoup-CVE-2025-12105.patch (bsc#1252555 CVE-2025-12105 glgo#GNOME/libsoup!481)
  + libsoup-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 glgo#GNOME/libsoup#390)
  + libsoup-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 glgo#GNOME/libsoup#487)
  + libsoup-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 glgo#GNOME/libsoup!508)
  + libsoup-CVE-2026-2708.patch (bsc#1258508 CVE-2026-2708 glgo#GNOME/libsoup#500)

------------------------------------------------------------------
------------------ 2026-2-18 - Feb 18 2026 -------------------
------------------------------------------------------------------

++++ zlib:

- Fix CVE-2026-27171, infinite loop via the crc32_combine64 and
  crc32_combine_gen64 functions due to missing checks for negative
  lengths (bsc#1258392)
  * CVE-2026-27171.patch
------------------------------------------------------------------
------------------ 2026-2-17 - Feb 17 2026 -------------------
------------------------------------------------------------------

++++ python-cryptography:

- CVE-2026-26007: Subgroup Attack Due to Missing Subgroup Validation
  for SECT Curves (bsc#1258074)
  * added CVE-2026-26007.patch

------------------------------------------------------------------
------------------ 2026-2-13 - Feb 13 2026 -------------------
------------------------------------------------------------------

++++ libxml2:

- CVE-2026-0990: call stack overflow leading to application crash due
  to infinite recursion in `xmlCatalogXMLResolveURI` (bsc#1256807,
  bsc#1256811)
  * Add patch libxml2-CVE-2026-0990.patch
- CVE-2026-0992: excessive resource consumption when processing XML
  catalogs due to exponential behavior when handling `` elements
  (bsc#1256808, bsc#1256809, bsc#1256812)
  * Add patch libxml2-CVE-2026-0992.patch
- CVE-2025-8732: infinite recursion in catalog parsing functions when
  processing malformed SGML catalog files (bsc#1247858, bsc#1247850)
  * Add patch libxml2-CVE-2025-8732.patch

++++ libxml2-python:

- CVE-2026-0990: call stack overflow leading to application crash due
  to infinite recursion in `xmlCatalogXMLResolveURI` (bsc#1256807,
  bsc#1256811)
  * Add patch libxml2-CVE-2026-0990.patch
- CVE-2026-0992: excessive resource consumption when processing XML
  catalogs due to exponential behavior when handling `` elements
  (bsc#1256808, bsc#1256809, bsc#1256812)
  * Add patch libxml2-CVE-2026-0992.patch
- CVE-2025-8732: infinite recursion in catalog parsing functions when
  processing malformed SGML catalog files (bsc#1247858, bsc#1247850)
  * Add patch libxml2-CVE-2025-8732.patch

------------------------------------------------------------------
------------------ 2026-2-12 - Feb 12 2026 -------------------
------------------------------------------------------------------

++++ libpng16:

- added patches
  CVE-2026-25646: Heap buffer overflow vulnerability in
  png_set_dither/png_set_quantize (bsc#1258020)
  * libpng16-CVE-2026-25646.patch

------------------------------------------------------------------
------------------ 2026-2-11 - Feb 11 2026 -------------------
------------------------------------------------------------------

++++ gpg2:

- Fix Y2K38 FTBFS:
  * gpg2 quick-key-manipulation test FTBFS-2038 (bsc#1251214)
  * Upstream issue: dev.gnupg.org/T8096
  * Add gnupg-gpgscm-New-operator-long-time-t-to-detect-proper-tim.patch

++++ python311-core:

- CVE-2025-11468: preserving parens when folding comments in email
  headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting false
  HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for IMAP
  protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for urllib
  library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for poplib
  library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch

++++ libssh:

- Security fixes:
  * CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049)
  * CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files (bsc#1258045)
  * CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054)
  * CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
  * CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
  * Add patches:
    - libssh-CVE-2026-0964-scp-Reject-invalid-paths-received-thro.patch
    - libssh-CVE-2026-0965-config-Do-not-attempt-to-read-non-regu.patch
    - libssh-CVE-2026-0966-misc-Avoid-heap-buffer-underflow-in-ss.patch
    - libssh-CVE-2026-0966-tests-Test-coverage-for-ssh_get_hexa.patch
    - libssh-CVE-2026-0966-doc-Update-guided-tour-to-use-SHA256-f.patch
    - libssh-CVE-2026-0967-match-Avoid-recursive-matching-ReDoS.patch
    - libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch

++++ python311:

- CVE-2025-11468: preserving parens when folding comments in email
  headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting false
  HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for IMAP
  protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for urllib
  library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for poplib
  library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch

------------------------------------------------------------------
------------------ 2026-2-10 - Feb 10 2026 -------------------
------------------------------------------------------------------

++++ avahi:

- Add avahi-CVE-2024-52615.patch: Backport 4e2e1ea from upstream,
  Resolve fixed source ports for wide-area DNS queries cause DNS
  responses to be injected. (CVE-2024-52615, bsc#1233421)
- Add avahi-CVE-2025-68468.patch: Backport f66be13 from upstream,
  fix DoS bug by removing incorrect assertion. (CVE-2025-68468, bsc#1256499)
- Add avahi-CVE-2025-68471.patch: Backport 9c6eb53 from upstream,
  fix DoS bug by changing assert to return. (CVE-2025-68471, bsc#1256500)
- Add avahi-CVE-2025-68276.patch: Backport 0c013e2 from upstream,
  refuse to create wide-area record browsers when wide-area is off.
  (CVE-2025-68276, bsc#1256498)

++++ ca-certificates-mozilla:

- Updated to 2.84 state (bsc#1258002)
  - Removed:
    - Baltimore CyberTrust Root
    - CommScope Public Trust ECC Root-01
    - CommScope Public Trust ECC Root-02
    - CommScope Public Trust RSA Root-01
    - CommScope Public Trust RSA Root-02
    - DigiNotar Root CA
  - Added:
    - e-Szigno TLS Root CA 2023
    - OISTE Client Root ECC G1
    - OISTE Client Root RSA G1
    - OISTE Server Root ECC G1
    - OISTE Server Root RSA G1
    - SwissSign RSA SMIME Root CA 2022 - 1
    - SwissSign RSA TLS Root CA 2022 - 1
    - TrustAsia SMIME ECC Root CA
    - TrustAsia SMIME RSA Root CA
    - TrustAsia TLS ECC Root CA
    - TrustAsia TLS RSA Root CA

++++ gnutls:

- Security fix:
  * CVE-2025-14831: DoS via excessive resource consumption during
    certificate verification (bsc#1257960)
  * Add gnutls-CVE-2025-14831.patch

++++ libpng16:

- added patches
  CVE-2026-22695: Heap buffer over-read in png_image_finish_read (bsc#1256525)
  * libpng16-CVE-2026-22695.patch
  CVE-2026-22801: Integer truncation causing heap buffer over-read in
  png_image_write_* (bsc#1256526)
  * libpng16-CVE-2026-22801.patch

------------------------------------------------------------------
------------------ 2026-2-9 - Feb 9 2026 -------------------
------------------------------------------------------------------

++++ rust-keylime:

- Update vendored crates (bsc#1257908, CVE-2026-25727)
  * time 0.3.47
- Update to version 0.2.8+116:
  * build(deps): bump bytes from 1.7.2 to 1.11.1
  * api: Modify /version endpoint output in version 2.5
  * Add API v2.5 with backward-compatible /v2.5/quotes/integrity
  * tests: add unit test for resolve_agent_id (#1182)
  * (pull-model): enable retry logic for registration
  * rpm: Update specfiles to apply on master
  * workflows: Add test to detect unused crates
  * lib: Drop unused crates
  * push-model: Drop unused crates
  * keylime-agent: Drop unused crates
  * build(deps): bump uuid from 1.18.1 to 1.19.0
  * Update reqwest-retry to 0.8, retry-policies to 0.5
  * rpm: Fix cargo_build macro usage on CentOS Stream
  *
fix(push-model): resolve hash_ek uuid to actual EK hash * build(deps): bump thiserror from 2.0.16 to 2.0.17 * workflows: Separate upstream test suite from e2e coverage * Send UEFI measured boot logs as raw bytes (#1173) * auth: Add unit tests for SecretToken implementation * packit: Enable push-attestation tests * resilient_client: Prevent authentication token leakage in logs ------------------------------------------------------------------ ------------------ 2026-2-5 - Feb 5 2026 ------------------- ------------------------------------------------------------------ ++++ regionServiceClientConfigGCE: - Update to version 5.2.0 + Drop the if condition for gcemetdata requirement ------------------------------------------------------------------ ------------------ 2026-2-4 - Feb 4 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Update dependencies for bsc#1257325/CVE-2025-13465 ++++ cockpit-machines: - Update dependencies for bsc#1257325/CVE-2025-13465 ++++ docker: - Places a hard cap on the amount of mechanisms that can be specified and encoded in the payload. 
(bcs#1253904, CVE-2025-58181) * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch ++++ libxslt: - CVE-2025-10911 will be fixed on libxml2 side instead [bsc#1250553] - deleted patches * libxslt-CVE-2025-10911.patch ++++ libxml2: - CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257593, bsc#1257594, bsc#1257595) * Add patch libxml2-CVE-2026-1757.patch - CVE-2025-10911: use-after-free with key data stored cross-RVT (bsc#1250553) * Add patch libxml2-CVE-2025-10911.patch ++++ libxml2-python: - CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257593, bsc#1257594, bsc#1257595) * Add patch libxml2-CVE-2026-1757.patch - CVE-2025-10911: use-after-free with key data stored cross-RVT (bsc#1250553) * Add patch libxml2-CVE-2025-10911.patch ------------------------------------------------------------------ ------------------ 2026-2-3 - Feb 3 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Update dependencies for bsc#1257324/CVE-2025-13465 ++++ crun: - make sure the opened .krun_config.json is below the rootfs directory and we don't follow any symlink. (CVE-2025-24965, bsc#1237421) * krun-fix-CVE-2025-24965.patch ++++ docker-compose: - Add patch for CVE-2025-47914 (bsc#1254041), CVE-2025-47913 (bsc#1253584): 0001-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch ++++ expat: - security update - added patches CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser * expat-CVE-2026-24515.patch CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow * expat-CVE-2026-25210.patch ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). 
- Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ++++ libsoup: - Add libsoup-CVE-2026-1536.patch: Always validate the headers value when coming from untrusted source (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c). - Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes read soup_filter_input_stream_read_until() (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496). ------------------------------------------------------------------ ------------------ 2026-1-30 - Jan 30 2026 ------------------- ------------------------------------------------------------------ ++++ cockpit-podman: - Update dependencies to fix building on non-x86 arches - Update lodash to 4.17.23 for bsc#1257324 ------------------------------------------------------------------ ------------------ 2026-1-29 - Jan 29 2026 ------------------- ------------------------------------------------------------------ ++++ libzypp: - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. - Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) ++++ libzypp: - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. 
- Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) ++++ podman: - Add symlink to catatonit in /usr/libexec/podman (bsc#1248988) ------------------------------------------------------------------ ------------------ 2026-1-28 - Jan 28 2026 ------------------- ------------------------------------------------------------------ ++++ glib2: - Add CVE fixes: + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484 glgo#GNOME/glib!4979). + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485 glgo#GNOME/glib!4981). + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489 glgo#GNOME/glib!4984). ++++ gpg2: - Security fix [bsc#1257396, CVE-2026-24882] - gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys - Added gnupg-CVE-2026-24882.patch - Security fix [bsc#1256389] (gpg.fail/filename) * Added gnupg-accepts-path-separators-literal-data.patch * GnuPG Accepts Path Separators and Path Traversals in Literal Data ++++ gpg2: - Security fix [bsc#1257396, CVE-2026-24882] * gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys * Added gnupg-CVE-2026-24882.patch - Security fix [bsc#1256389] (gpg.fail/filename) * Added gnupg-accepts-path-separators-literal-data.patch * GnuPG Accepts Path Separators and Path Traversals in Literal Data ++++ libpng16: - security update - added patches CVE-2025-28162 [bsc#1257364], memory leaks when running `pngimage` CVE-2025-28164 [bsc#1257365], memory leaks when running `pngimage` * libpng16-CVE-2025-28162,28164.patch ++++ regionServiceClientConfigGCE: - Update to version 5.1.0 (jsc#PCT-590) + Add licenses info in the metdata - Accomodate build setup ------------------------------------------------------------------ ------------------ 2026-1-26 - Jan 26 2026 ------------------- ------------------------------------------------------------------ ++++ python-urllib3: - Add security patches: * CVE-2025-66471 (bsc#1254867) * CVE-2025-66418 (bsc#1254866) 
------------------------------------------------------------------ ------------------ 2026-1-22 - Jan 22 2026 ------------------- ------------------------------------------------------------------ ++++ sqlite3: - Update to version 3.51.2: * bsc#1259619, CVE-2025-70873: zipfile extension may disclose uninitialized heap memory during inflation. * Fix an obscure deadlock in the new broken-posix-lock detection logic. * Fix multiple problems in the EXISTS-to-JOIN optimization. * Other minor bug fixes. ++++ libxml2: - Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 ++++ libxml2: - CVE-2026-0989: call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives (bsc#1256804, bsc#1256805, bsc#1256810) * Add patch libxml2-CVE-2026-0989.patch * https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 ++++ libxml2-python: - CVE-2026-0989: call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives (bsc#1256804, bsc#1256805, bsc#1256810) * Add patch libxml2-CVE-2026-0989.patch * https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 ++++ suseconnect-ng: - Update version to 1.20: - Update error message for Public Cloud instances with registercloudguest installed. SUSEConnect -d is disabled on PYAG and BYOS when the registercloudguest command is available. (bsc#1230861) - Enhanced SAP detected. Take TREX into account and remove empty values when only /usr/sap but no installation exists (bsc#1241002) - Fixed modules and extension link to point to version less documentation. 
(bsc#1239439) - Fixed SAP instance detection (bsc#1244550) - Remove link to extensions documentation (bsc#1239439) - Migrate to the public library ++++ suseconnect-ng: - Update version to 1.20: - Update error message for Public Cloud instances with registercloudguest installed. SUSEConnect -d is disabled on PYAG and BYOS when the registercloudguest command is available. (bsc#1230861) - Enhanced SAP detected. Take TREX into account and remove empty values when only /usr/sap but no installation exists (bsc#1241002) - Fixed modules and extension link to point to version less documentation. (bsc#1239439) - Fixed SAP instance detection (bsc#1244550) - Remove link to extensions documentation (bsc#1239439) - Migrate to the public library ------------------------------------------------------------------ ------------------ 2026-1-21 - Jan 21 2026 ------------------- ------------------------------------------------------------------ ++++ cups: - Version upgrade to 2.4.16: See https://github.com/openprinting/cups/releases The hotfix release 2.4.16 includes fix for infinite loop in GTK, which was caused by change of internal behavior in libcups on which GTK depended on, and workaround for stopping the scheduler if configuration includes unknown directives. 
Detailed list (from CHANGES.md): * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438) * The web interface did not support domain usernames fully (Issue #1441) * Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 boo#1254353) * Fixed stopping scheduler on unknown directive in configuration (Issue #1443) Issues are those at https://github.com/OpenPrinting/cups/issues - Version upgrade to 2.4.15: See https://github.com/openprinting/cups/releases The release CUPS 2.4.15 brings two CVE fixes: Fix various cupsd issues which cause local DoS (CVE-2025-61915 bsc#1253783) Fix unresponsive cupsd process caused by slow client (CVE-2025-58436 bsc#1244057) and several bug fixes described in CHANGES.md. Detailed list (from CHANGES.md): * Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355) * Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.16 - Fixed entry below dated "Sat Sep 30 08:52:42 UTC 2017" which contained needless UTF-8 Unicode characters that are now replaced by plain ASCII text in "... line - the ..." to fix a rpmlint "non-break-space" warning. - Adapted and enhanced 'tmpfiles.d' related things in cups.spec to "Fix packages for Immutable Mode - cups" (implementation task jsc#PED-14775 from epic jsc#PED-14688) ++++ glib2: - Add glib2-CVE-2026-0988.patch: fix a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988 glgo#GNOME/glib#3851). 
------------------------------------------------------------------ ------------------ 2026-1-19 - Jan 19 2026 ------------------- ------------------------------------------------------------------ ++++ glibc: - memalign-overflow-check.patch: memalign: reinstate alignment overflow check (CVE-2026-0861, bsc#1256766, BZ #33796) - nss-dns-getnetbyaddr.patch: resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915, bsc#1256822, BZ #33802) - wordexp-wrde-reuse.patch: posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281, bsc#1257005, BZ #33814) ++++ openssl-3: - Security fixes: * Missing ASN1_TYPE validation in PKCS#12 parsing - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795] * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796] * Missing ASN1_TYPE validation in TS_RESP_verify_response() function - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420] * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421] * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419] * Heap out-of-bounds write in BIO_f_linebuffer on short writes - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160] * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418] * Stack buffer overflow in CMS AuthEnvelopedData parsing - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467] - openssl-CVE-2025-15467-comments.patch - openssl-CVE-2025-15467-test.patch ------------------------------------------------------------------ ------------------ 2026-1-14 - Jan 14 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, 
glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libsoup: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ++++ libzypp: - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) ++++ libzypp: - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) ------------------------------------------------------------------ ------------------ 2026-1-13 - Jan 13 2026 ------------------- ------------------------------------------------------------------ ++++ systemd: - Name libsystemd-{shared,core} based on the major version of systemd and the package release number (bsc#1228081 bsc#1256427) This way, both the old and new versions of the shared libraries will be present during the update. This should prevent issues during package updates when incompatible changes are introduced in the new versions of the shared libraries. 
- Import commit 8bbac1d508acb8aa4e7262f47c7f4076b8350f72 8bbac1d508 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293) ++++ linuxptp: - Move to DevicePolicy=closed instead of -PrivateDevices=true to allow access to devices (bsc#1256059) ++++ python-urllib3: - Add CVE-2026-21441.patch to fix excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331, CVE-2026-21441) ++++ python-urllib3: - Add CVE-2026-21441.patch to fix excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331, CVE-2026-21441) ------------------------------------------------------------------ ------------------ 2026-1-12 - Jan 12 2026 ------------------- ------------------------------------------------------------------ ++++ kernel-firmware: - Update AMD ucode to 20251203 (bsc#1256483) ++++ net-snmp: - Fix snmptrapd buffer overflow (bsc#1255491, CVE-2025-68615). Add net-snmp-5.9.4-fix-out-of-bounds-trapOid-access.patch ------------------------------------------------------------------ ------------------ 2026-1-11 - Jan 11 2026 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ util-linux: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ libzypp: - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. 
The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ++++ libzypp: - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ++++ util-linux-systemd: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). ++++ util-linux-systemd: - Fix heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666, CVE-2025-14104, util-linux-CVE-2025-14104-1.patch, util-linux-CVE-2025-14104-2.patch). 
------------------------------------------------------------------ ------------------ 2026-1-9 - Jan 9 2026 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libsoup: - Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491). ++++ libtasn1: - Security fix: [bsc#1256341, CVE-2025-13151] * Stack-based buffer overflow. The function asn1_expend_octet_string() fails to validate the size of input data resulting in a buffer overflow. 
* Add libtasn1-CVE-2025-13151.patch ------------------------------------------------------------------ ------------------ 2026-1-8 - Jan 8 2026 ------------------- ------------------------------------------------------------------ ++++ gpg2: - Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy) * gpg: Fix possible memory corruption in the armor parser [T7906] * Add gnupg-CVE-2025-68973.patch - Security fix: [bsc#1256246] (gpg.fail/sha1) * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904] * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch - Security fix: [bsc#1256244] (gpg.fail/detached) * gpg: Error out on unverified output for non-detached signatures [T7903] * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch - Security fix: [bsc#1256243] * gpg2 agent: Fix a memory leak * Add patch gnupg-agent-memleak.patch - Security fix: [bsc#1256390] (gpg.fail/notdash) * gpg2: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG * Add patch gnupg-CVE-2025-68972.patch ++++ gpg2: - Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy) * gpg: Fix possible memory corruption in the armor parser [T7906] * Add gnupg-CVE-2025-68973.patch - Security fix: [bsc#1256246] (gpg.fail/sha1) * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904] * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch - Security fix: [bsc#1256244] (gpg.fail/detached) * gpg: Error out on unverified output for non-detached signatures [T7903] * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch - Security fix: [bsc#1256243] * gpg2 agent: Fix a memory leak * Add patch gnupg-agent-memleak.patch - Security fix: [bsc#1256390] (gpg.fail/notdash) * gpg2: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG * Add patch gnupg-CVE-2025-68972.patch ++++ gpg2: - Security fix: [bsc#1255715, CVE-2025-68973] 
(gpg.fail/memcpy) * gpg: Fix possible memory corruption in the armor parser [T7906] * Add gnupg-CVE-2025-68973.patch - Security fix: [bsc#1256246] (gpg.fail/sha1) * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904] * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch - Security fix: [bsc#1256244] (gpg.fail/detached) * gpg: Error out on unverified output for non-detached signatures [T7903] * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch - Security fix: [bsc#1256243] * gpg2 agent: Fix a memory leak * Add patch gnupg-agent-memleak.patch - Security fix: [bsc#1256390] (gpg.fail/notdash) * gpg2: Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG * Add patch gnupg-CVE-2025-68972.patch ++++ libsodium: - Security fix: [bsc#1256070, CVE-2025-15444] * check Y==Z in addition to X==0 * Add patch libsodium-CVE-2025-15444.patch - Security fix: [bsc#1256070, CVE-2025-15444, bsc#1255764, CVE-2025-69277] * check Y==Z in addition to X==0 * Add patch libsodium-CVE-2025-15444.patch ------------------------------------------------------------------ ------------------ 2026-1-7 - Jan 7 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fix: [bsc#1256105, CVE-2025-14017] * call ldap_init() before setting the options * Add patch curl-CVE-2025-14017.patch ++++ curl: - Security fix: [bsc#1256105, CVE-2025-14017] * call ldap_init() before setting the options * Add patch curl-CVE-2025-14017.patch ++++ ovmf: - Add backported patches for bsc#1218680 (CVE-2022-36765) - ovmf-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch 59f024c76ee5 UefiPayloadPkg/Hob: Integer Overflow in CreateHob() - ovmf-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch aeaee8944f0e EmbeddedPkg/Hob: Integer Overflow in CreateHob() - ovmf-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch 9a75b030cf27 StandaloneMmPkg/Hob: Integer Overflow in 
CreateHob() (bsc#1218680, CVE-2022-36765) ++++ rust-keylime: - Use tmpfiles.d for /var directories (PED-14736) + tmpfiles.keylime renamed to rust-keylime.conf and extended - Update to version 0.2.8+96: * build(deps): bump wiremock from 0.6.4 to 0.6.5 * build(deps): bump actions/checkout from 5 to 6 * build(deps): bump chrono from 0.4.41 to 0.4.42 * packit: Get coverage from Fedora 43 runs * Fix issues pointed out by clippy * Replace mutex unwraps with proper error handling in TPM library * Remove unused session request methods from StructureFiller * Fix config panic on missing ek_handle in push model agent * build(deps): bump tempfile from 3.21.0 to 3.23.0 * build(deps): bump actions/upload-artifact from 4 to 6 (#1163) * Fix clippy warnings project-wide * Add KEYLIME_DIR support for verifier TLS certificates in push model agent * Thread privileged resources and use MeasurementList for IMA reading * Add privileged resource initialization and privilege dropping to push model agent * Fix privilege dropping order in run_as() * add documentation on FQDN hostnames * Remove confusing logs for push mode agent * Set correct default Verifier port (8891->8881) (#1159) * Add verifier_url to reference configuration file (#1158) * Add TLS support for Registrar communication (#1139) * Fix agent handling of 403 registration responses (#1154) * Add minor README.md rephrasing (#1151) * build(deps): bump actions/checkout from 5 to 6 (#1153) * ci: update spec files for packit COPR build * docs: improve challenge encoding and async TPM documentation * refactor: improve middleware and error handling * feat: add authentication client with middleware integration * docker: Include keylime_push_model_agent binary * Include attestation_interval configuration (#1146) * Persist payload keys to avoid attestation failure on restart * crypto: Implement the load or generate pattern for keys * Use simple algorithm specifiers in certification_keys object (#1140) * tests: Enable more tests in CI * 
Fix RSA2048 algorithm reporting in keylime agent * Remove disabled_signing_algorithms configuration * rpm: Fix metadata patches to apply to current code * workflows/rpm.yml: Use more strict patching * build(deps): bump uuid from 1.17.0 to 1.18.1 * Fix ECC algorithm selection and reporting for keylime agent * Improve logging consistency and coherency * Implement minimal RFC compliance for Location header and URI parsing (#1125) * Use separate keys for payload mechanism and mTLS * docker: update rust to 1.81 for distroless Dockerfile * Ensure UEFI log capabilities are set to false * build(deps): bump http from 1.1.0 to 1.3.1 * build(deps): bump log from 0.4.27 to 0.4.28 * build(deps): bump cfg-if from 1.0.1 to 1.0.3 * build(deps): bump actix-rt from 2.10.0 to 2.11.0 * build(deps): bump async-trait from 0.1.88 to 0.1.89 * build(deps): bump trybuild from 1.0.105 to 1.0.110 * Accept evidence handling structures null entries * workflows: Add test to check if RPM patches still apply * CI: Enable test add-agent-with-malformed-ek-cert * config: Fix singleton tests * FSM: Remove needless lifetime annotations (#1105) * rpm: Do not remove wiremock which is now available in Fedora * Use latest Fedora httpdate version (1.0.3) * Enhance coverage with parse_retry_after test * Fix issues reported by CI regarding unwrap() calls * Reuse max retries indicated to the ResilientClient * Include limit of retries to 5 for Retry-After * Add policy to handle Retry-After response headers * build(deps): bump wiremock from 0.6.3 to 0.6.4 * build(deps): bump serde_json from 1.0.140 to 1.0.143 * build(deps): bump pest_derive from 2.8.0 to 2.8.1 * build(deps): bump syn from 2.0.90 to 2.0.106 * build(deps): bump tempfile from 3.20.0 to 3.21.0 * build(deps): bump thiserror from 2.0.12 to 2.0.16 * rpm: Fix patches to apply to current master code * build(deps): bump anyhow from 1.0.98 to 1.0.99 * state_machine: Automatically clean config override during tests * config: Implement singleton and factory 
pattern * testing: Support overriding configuration during tests * feat: implement standalone challenge-response authentication module * structures: rename session structs for clarity and fix typos * tpm: refactor certify_credential_with_iak() into a more generic function * Add Push Model Agent Mermaid FSM chart (#1095) * Add state to avoid exiting on wrong attestation (#1093) * Add 6 alphanumeric lowercase X-Request-ID header * Enhance Evidence Handling response parsing * build(deps): bump quote from 1.0.35 to 1.0.40 * build(deps): bump libc from 0.2.172 to 0.2.175 * build(deps): bump glob from 0.3.2 to 0.3.3 * build(deps): bump actix-web from 4.10.2 to 4.11.0 ++++ selinux-policy: - Update to version 20230523+git34.7b0eea050: * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494, bsc#1255372) ------------------------------------------------------------------ ------------------ 2026-1-6 - Jan 6 2026 ------------------- ------------------------------------------------------------------ ++++ bluez: - Add input.conf-Change-default-of-ClassicBondedOnly.patch to change default of ClassicBondedOnly in input.conf. 
25a471a83e02 input.conf: Change default of ClassicBondedOnly (bsc#1217877, CVE-2023-45866) - Fixed the date in bluez.changes: - Mon Sep2y 09:36:31 CEST 2008 - seife@suse.de +Mon Sep 29 09:36:31 CEST 2008 - seife@suse.de ------------------------------------------------------------------ ------------------ 2026-1-5 - Jan 5 2026 ------------------- ------------------------------------------------------------------ ++++ libpcap: - Security fix: [bsc#1255765, CVE-2025-11961] * Fix out-of-bound-write and out-of-bound-read in pcap_ether_aton() due to missing validation of provided MAC-48 address string * Add libpcap-CVE-2025-11961.patch ------------------------------------------------------------------ ------------------ 2026-1-2 - Jan 2 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for 
public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ------------------------------------------------------------------ ------------------ 2025-12-24 - Dec 24 2025 ------------------- ------------------------------------------------------------------ ++++ ovmf: - Add the following patches from edk2-stable202402 for CVE-2023-45230: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch f31453e8d654 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch - ovmf-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch 8014ac2d7bbb NetworkPkg: : Add Unit tests to CI and create Host Test DSC - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch 5f3658197bf2 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests (bsc#1218880, CVE-2023-45230) - Add the following patches from edk2-stable202402 for CVE-2023-45229: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch 1dbb10cc52dc NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch 07362769ab7a NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests - ovmf-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch 1d0b95f6457d NetworkPkg: : Adds a SecurityFix.yaml file - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch 1c440a5eceed NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch - ovmf-NetworkPkg-Updating-SecurityFixes.yaml.patch 5fd3078a2e08 NetworkPkg: Updating SecurityFixes.yaml (bsc#1218879, CVE-2023-45229) ++++ ovmf: - Add the following patches from edk2-stable202402 for CVE-2023-45230: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch f31453e8d654 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 
Patch - ovmf-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch 8014ac2d7bbb NetworkPkg: : Add Unit tests to CI and create Host Test DSC - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch 5f3658197bf2 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests (bsc#1218880, CVE-2023-45230) - Add the following patches from edk2-stable202402 for CVE-2023-45229: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch 1dbb10cc52dc NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch 07362769ab7a NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests - ovmf-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch 1d0b95f6457d NetworkPkg: : Adds a SecurityFix.yaml file - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch 1c440a5eceed NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch - ovmf-NetworkPkg-Updating-SecurityFixes.yaml.patch 5fd3078a2e08 NetworkPkg: Updating SecurityFixes.yaml (bsc#1218879, CVE-2023-45229) ------------------------------------------------------------------ ------------------ 2025-12-23 - Dec 23 2025 ------------------- ------------------------------------------------------------------ ++++ capstone: - fix bsc#1255309 (CVE-2025-67873) Patch added: * fix-unchecked-lenght-cbef76.patch ------------------------------------------------------------------ ------------------ 2025-12-22 - Dec 22 2025 ------------------- ------------------------------------------------------------------ ++++ qemu: - More spec file cleanup: * [openSUSE][RPM} spec: delete old specfile constructs ++++ qemu: - More spec file cleanup: * [openSUSE][RPM} spec: delete old specfile constructs ------------------------------------------------------------------ ------------------ 2025-12-19 - Dec 19 2025 ------------------- ------------------------------------------------------------------ ++++ capstone: - Fix bsc#1255310 (CVE-2025-68114) Patch added: * 
fix-buffer-overflow-2c7797.patch ++++ podman: - Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542): * 0012-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch ++++ podman: - Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542): * 0012-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch ------------------------------------------------------------------ ------------------ 2025-12-18 - Dec 18 2025 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent 
reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). 
++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ qemu: - We *always* want a display driver in x86 too: * [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too ++++ qemu: - We *always* want a display driver in x86 too: * [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too ------------------------------------------------------------------ ------------------ 2025-12-17 - Dec 17 2025 ------------------- ------------------------------------------------------------------ ++++ selinux-policy: - Fix systemd generator.early and generator.late file contexts (bsc#1255027) ++++ selinux-policy: - Fix systemd generator.early and generator.late file contexts (bsc#1255027) ------------------------------------------------------------------ ------------------ 2025-12-16 - Dec 16 2025 ------------------- ------------------------------------------------------------------ ++++ libvirt: - CVE-2025-13193: qemu: Set umask for 'qemu-img' when creating external inactive snapshots bsc#1253703 - CVE-2025-12748: Check ACLs 
before parsing the whole domain XML bsc#1253278 ++++ qemu: - Bug and CVE fixes: * [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286) * net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002, CVE-2025-12464) ++++ qemu: - Bug and CVE fixes: * [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286) * net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002, CVE-2025-12464) ++++ rsync: - Security update (CVE-2025-10158, bsc#1254441): rsync: Out of bounds array access via negative index - Add rsync-CVE-2025-10158.patch ++++ shim: - shim-install: Add ca_string for SL Micro to update fallback loader The fallback loader, /boot/efi/EFI/BOOT/bootaa64.efi or bootx64.efi, cannot be upgraded by shim-install on SL Micro. The issue case is SL Micro 6.0. It causes that system gets regression bug because it's fallback to a old shim. So this patch adds ca_string to SL Micro. (bsc#1254336) ------------------------------------------------------------------ ------------------ 2025-12-15 - Dec 15 2025 ------------------- ------------------------------------------------------------------ ++++ glib2: - Add CVE fixes: + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827). + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch, glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087 glgo#GNOME/glib#3834). + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512 glgo#GNOME/glib#3845). ++++ glib2: - Add CVE fixes: + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827). + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch, glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087 glgo#GNOME/glib#3834). + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512 glgo#GNOME/glib#3845). 
++++ systemd: - Import commit 9ecd16228492f44212e2771bec11ec78245b4094 9ecd162284 timer: rebase last_trigger timestamp if needed cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563) 05bcfe3295 test: check the next elapse timer timestamp after deserialization fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) b58e72215a units: add dep on systemd-logind.service by user@.service 97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449 - Sync systemd-update-helper with the version shipped in Base:System This includes the following changes: - systemd-update-helper: do not stop or disable services when they are migrated to other packages. This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of "break" in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: backport commit 2d0af8bc354f4a1429ce Since user@.service has `Type=notify-reload` (making the reloading process synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service" now. 
++++ systemd: - Import commit 9ecd16228492f44212e2771bec11ec78245b4094 9ecd162284 timer: rebase last_trigger timestamp if needed cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563) 05bcfe3295 test: check the next elapse timer timestamp after deserialization fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) b58e72215a units: add dep on systemd-logind.service by user@.service 97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449 - Sync systemd-update-helper with the version shipped in Base:System This includes the following changes: - systemd-update-helper: do not stop or disable services when they are migrated to other packages. This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of "break" in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: backport commit 2d0af8bc354f4a1429ce Since user@.service has `Type=notify-reload` (making the reloading process synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service" now. 
++++ python-tornado6: - Add security patches: * CVE-2025-67724.patch (bsc#1254903) * CVE-2025-67725.patch (bsc#1254905) * CVE-2025-67726.patch (bsc#1254904) ++++ python-tornado6: - Add security patches: * CVE-2025-67724.patch (bsc#1254903) * CVE-2025-67725.patch (bsc#1254905) * CVE-2025-67726.patch (bsc#1254904) ++++ shim: - Add DER format certificate files for the pretrans script to verify that the necessary certificate is in the UEFI db - openSUSE Secure Boot CA, 2013-2035 openSUSE_Secure_Boot_CA_2013.crt - SUSE Linux Enterprise Secure Boot CA, 2013-2035 SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt - Microsoft Corporation UEFI CA 2011, 2011-2026 Microsoft_Corporation_UEFI_CA_2011.crt - Microsoft UEFI CA 2023, 2023-2038 Microsoft_UEFI_CA_2023.crt - shim.spec: Add a pretrans script to verify that the necessary certificate is in the UEFI db. - Always put SUSE Linux Enterprise Secure Boot CA to target array. (bsc#1254679) ------------------------------------------------------------------ ------------------ 2025-12-12 - Dec 12 2025 ------------------- ------------------------------------------------------------------ ++++ shim: - Update to 16.1 - RPMs shim-16.1-150300.4.31.1.x86_64.rpm shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm shim-debugsource-16.1-150300.4.31.1.x86_64.rpm shim-16.1-150300.4.31.1.aarch64.rpm shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm shim-debugsource-16.1-150300.4.31.1.aarch64.rpm - submitreq: https://build.suse.de/request/show/395247 - repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update - Patches (git log --oneline --reverse 16.0..16.1) 4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols 39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses 3133d19 test-mock-variables: make our filter list entries safer. d44405e mock-variables: remove unused variable 0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04 d16a5a6 SbatLevel_Variable.txt: minor typo fix. 
32804cf Realloc() needs one more byte for sprintf() 431d370 IPv6: Add more check to avoid multiple double colon and illegal char 5e4d93c Loader Proto: make freeing of bprop.buffer conditional. 33deac2 Prepare to move things from shim.c to verify.c 030e7df Move a bunch of stuff from shim.c to verify.c f3ddda7 handle_image(): make verification conditional 774f226 Cache sections of a loaded image and sub-images from them. eb0d20b loader-protocol: handle sub-section loading for UKIs 2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages 1abc7ca loader-protocol: NULL output variable in load_image on failure fb77b44 Generate Authenticode for the entire PE file b86b909 README: mention new loader protocol and interaction with UKIs 8522612 ci: add mkosi configuration and CI 9ebab84 mkosi workflow: fix the branch name for main. 72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX a2f0dfa This is an organizational patch to move some things around in mok.c 54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint() a5a6922 get_max_var_sz(): add more debugging for apple platforms 77a2922 Add a "VariableInfo" variable to mok-variables. efc71c9 build: Avoid passing *FLAGS to sub-make 7670932 Fixes for 'make TOPDIR=... clean' 13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1 617aed5 Update version to 16.1~rc1 d316ba8 format_variable_info(): fix wrong size test. f5fad0e _do_sha256_sum(): Fix missing error check. 
3a9734d doc: add howto for running mkosi locally ced5f71 mkosi: remove spurious slashes from script 0076155 ci: update mkosi commit 5481105 fix http boot 121cddf loader-protocol: Handle UnloadImage after StartImage properly 6a1d1a9 loader-protocol: Fix memory leaks 27a5d22 gitignore: add more mkosi dirs and vscode dir 346ed15 mkosi: disable repository key check on Fedora afc4955 Update version to 16.1 - 16.1 release note https://github.com/rhboot/shim/releases shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738 Fix uncompressed ipv6 netboot by @hrvach in #742 fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739 Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749 SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751 Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746 IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753 Loader proto v2 by @vathpela in #748 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750 Generate Authenticode for the entire PE file by @esnowberg in #604 README: mention new loader protocol and interaction with UKIs by @bluca in #755 ci: add mkosi configuration and CI by @bluca in #764 shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761 Save var info by @vathpela in #763 build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758 Fixes for 'make TOPDIR=... 
clean' by @bluca in #762 add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766 Coverity fixes 20250804 by @vathpela in #767 ci: fixlets and docs for mkosi workflow by @bluca in #768 fix http boot by @jsetje in #770 Fix double free and leak in the loader protocol by @rosslagerwall in #769 gitignore: add more mkosi dirs and vscode dir by @bluca in #771 - Drop upstreamed patch: The following patches are merged to 16.1 - shim-alloc-one-more-byte-for-sprintf.patch - 32804cf5d9 Realloc() needs one more byte for sprintf() [16.1] - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588) - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1] - Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588) - Building with the latest version of gcc in the codebase: - The gcc13 can workaround dxe_get_mem_attrs() hsi_status problem - We prefer that building shim with the latest version of gcc in codebase. - Set the minimum version is gcc-13. (bsc#1247432) - SLE shim should includes vendor-dbx-sles.esl instead of vendor-dbx-opensuse.esl. Fixed it in shim.spec. 
++++ supportutils: - Changes to version 3.2.12 + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274) + Run in containers without errors (bsc#1245667, PR#272) + Removed pmap PID from memory.txt (bsc#1246011, PR#263) + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264) + Improved database perforce with kGraft patching (bsc#1249657, PR#273) + Using last boot for journalctl for optimization (bsc#1250224, PR#287) + Fixed extraction failures (bsc#1252318, PR#275) + Update supportconfig.conf path in docs (bsc#1254425, PR#281) + drm_sub_info: Catch error when dir doesn't exist (PR#265) + Replace remaining `egrep` with `grep -E` (PR#261, PR#266) + Add process affinity to slert logs (PR#269) + Reintroduce cgroup statistics (and v2) (PR#270) + Minor changes to basic-health-check: improve information level (PR#271) + Collect important machine health counters (PR#276) + powerpc: collect hot-pluggable PCI and PHB slots (PR#278) + podman: collect podman disk usage (PR#279) + Exclude binary files in crondir (PR#282) + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284) + Use short-iso for journalctl (PR#288) ------------------------------------------------------------------ ------------------ 2025-12-5 - Dec 5 2025 ------------------- ------------------------------------------------------------------ ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ------------------------------------------------------------------ ------------------ 2025-11-28 - Nov 28 2025 ------------------- ------------------------------------------------------------------ ++++ libpng16: - security update - added 
patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ libpng16: - security update - added patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ sqlite3: - Update to version 3.51.1: * Fix incorrect results from nested EXISTS queries caused by the optimization in item 6b in the 3.51.0 release. * Fix a latent bug in fts5vocab virtual table, exposed by new optimizations in the 3.51.0 release - Changes in version 3.51.0: * New macros in sqlite3.h: - SQLITE_SCM_BRANCH → the name of the branch from which the source code is taken. - SQLITE_SCM_TAGS → space-separated list of tags on the source code check-in. - SQLITE_SCM_DATETIME → ISO-8601 date and time of the source code check-in. * Two new JSON functions, jsonb_each() and jsonb_tree() work the same as the existing json_each() and json_tree() functions except that they return JSONB for the "value" column when the "type" is 'array' or 'object'. 
* The carray and percentile extensions are now built into the amalgamation, though they are disabled by default and must be activated at compile-time using the -DSQLITE_ENABLE_CARRAY and/or -DSQLITE_ENABLE_PERCENTILE options, respectively. * Enhancements to TCL Interface: - Add the -asdict flag to the eval command to have it set the row data as a dict instead of an array. - User-defined functions may now break to return an SQL NULL. * CLI enhancements: - Increase the precision of ".timer" to microseconds. - Enhance the "box" and "column" formatting modes to deal with double-wide characters. - The ".imposter" command provides read-only imposter tables that work with VACUUM and do not require the --unsafe-testing option. - Add the --ifexists option to the CLI command-line option and to the .open command. - Limit columns widths set by the ".width" command to 30,000 or less, as there is not good reason to have wider columns, but supporting wider columns provides opportunity to malefactors. * Performance enhancements: - Use fewer CPU cycles to commit a read transaction. - Early detection of joins that return no rows due to one or more of the tables containing no rows. - Avoid evaluation of scalar subqueries if the result of the subquery does not change the result of the overall expression. - Faster window function queries when using "BETWEEN :x FOLLOWING AND :y FOLLOWING" with a large :y. * Add the PRAGMA wal_checkpoint=NOOP; command and the SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2(). * Add the sqlite3_set_errmsg() API for use by extensions. * Add the sqlite3_db_status64() API, which works just like the existing sqlite3_db_status() API except that it returns 64-bit results. * Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the sqlite3_db_status() and sqlite3_db_status64() interfaces. * In the session extension add the sqlite3changeset_apply_v3() interface. 
* For the built-in printf() and the format() SQL function, omit the leading '-' from negative floating point numbers if the '+' flag is omitted and the "#" flag is present and all displayed digits are '0'. Use '%#f' or similar to avoid outputs like '-0.00' and instead show just '0.00'. * Improved error messages generated by FTS5. * Enforce STRICT typing on computed columns. * Improved support for VxWorks * JavaScript/WASM now supports 64-bit WASM. The canonical builds continue to be 32-bit but creating one's own 64-bit build is now as simple as running "make". * Improved resistance to database corruption caused by an application breaking Posix advisory locks using close(). ++++ runc: - Update to runc v1.3.4. Upstream changelog is available from . bsc#1254362 ------------------------------------------------------------------ ------------------ 2025-11-26 - Nov 26 2025 ------------------- ------------------------------------------------------------------ ++++ openvswitch: - OpenvSwitch upstream bugfix updates: * https://www.openvswitch.org/releases/NEWS-3.1.7.txt * v3.1.7 - Bug fixes - OVS validated with DPDK 22.11.7. * v3.1.6 - Bug fixes - OVS validated with DPDK 22.11.6. * v3.1.5 - Bug fixes - OVS validated with DPDK 22.11.5. * v3.1.4 - Bug fixes - Fixed vulnerabilities CVE-2023-3966 (bsc#1219465) and CVE-2023-5366 (bsc#1216002). - OVS validated with DPDK 22.11.4. * v3.1.3 - Bug fixes * v3.1.2 - Bug fixes * v3.1.1 - Bug fixes - Fixed vulnerability CVE-2023-1668 (bsc#1210054) - Remove included patches: CVE-2023-1668.patch - OVN upstream bugfix updates: * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS - Fix CVE-2025-0650 (bsc#1236353) ovn: egress ACLs may be bypassed via specially crafted UDP packet (CVE-2025-0650.patch) * v23.03.3 - Bug fixes - Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets. - Security: Fixed vulnerability CVE-2024-2182 (bsc#1255435). 
- Updated patches install-ovsdb-tools.patch * v23.03.2 - Bug fixes * v23.03.1 - Bug fixes - CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default. - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined. - Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network. - ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller. - Add CoPP for the svc_monitor_mac. This addresses CVE-2023-3153 (bsc#1212125). 
- Remove included patches: CVE-2023-3152.patch

------------------------------------------------------------------
------------------ 2025-11-25 - Nov 25 2025 -------------------
------------------------------------------------------------------

++++ salt:
- Add minimum_auth_version to enforce security (CVE-2025-62349)
- Backport security fixes for vendored tornado
  * BDSA-2024-3438
  * BDSA-2024-3439
  * BDSA-2024-9026
- Junos module yaml loader fix (CVE-2025-62348)
- Require Python dependencies only for used Python version
- Fix TLS and x509 modules for OSes with older cryptography module
- Require python-legacy-cgi only for Python > 3.12
- Builds with py >=3.13 require python-legacy-cgi
- Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
  * Use external tornado on Python > 3.11
  * Make tls and x509 use python-cryptography
  * Remove usage of spwd
- Fix payload signature verification on Tumbleweed (bsc#1251776)
- Fix broken symlink on migration to Leap 16.0 (bsc#1250755)
- Use versioned python interpreter for salt-ssh
- Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
- Add python3.11 as preferable for salt-ssh to avoid test failures
- Make test_pillar_timeout test more reliable
- Modify README and other doc files for openSUSE
- Set python-CherryPy as required for python-salt-testsuite (#115)
- Revert require M2Crypto >= 0.44.0 for SUSE Family distros
  - This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d.
- Improve SL Micro 6.2 detection with grains
- Fix functional.states.test_user for SLES 16 and Micro systems
- Fix the tests failing on AlmaLinux 10 and other clones
- Added:
  * backport-3006.17-security-fixes-739.patch
  * fix-tls-and-x509-modules-for-older-cryptography-modu.patch
  * fix-salt-for-python-3.11.patch
  * do-not-break-signature-verification-on-latest-m2cryp.patch
  * use-versioned-python-interpreter-for-salt-ssh.patch
  * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
  * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
  * even-more-reliable-pillar-timeout-test.patch
  * modify-readme-for-opensuse-728.patch
  * improve-sl-micro-6.2-detection-with-grains.patch
  * fix-functional.states.test_user-for-sles-16-and-micr.patch
  * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch

------------------------------------------------------------------
------------------ 2025-11-24 - Nov 24 2025 -------------------
------------------------------------------------------------------

++++ gnutls:
- Security fix bsc#1254132 CVE-2025-9820
  * Fix buffer overflow in gnutls_pkcs11_token_init
  * Added gnutls-CVE-2025-9820.patch

------------------------------------------------------------------
------------------ 2025-11-21 - Nov 21 2025 -------------------
------------------------------------------------------------------

++++ libmicrohttpd:
- Fix for the following bugs:
  * bsc#1253177 CVE-2025-59777
  * bsc#1253178 CVE-2025-62689
- Add patch:
  * CVE-2025-59777.patch
  * this same patch fixes both CVEs
  * git commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b

------------------------------------------------------------------
------------------ 2025-11-19 - Nov 19 2025 -------------------
------------------------------------------------------------------

++++ curl:
- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch

++++ kmod:
- man: modprobe.d: document the config file order handling (bsc#1253741)
  * man-modprobe.d-document-the-config-file-order-handling.patch

------------------------------------------------------------------
------------------ 2025-11-18 - Nov 18 2025 -------------------
------------------------------------------------------------------

++++ sssd:
- Install file in krb5.conf.d to include sssd krb5 config snippets; (bsc#1244325);
- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561); (bsc#1251827);
  Add patch 0006-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch

------------------------------------------------------------------
------------------ 2025-11-17 - Nov 17 2025 -------------------
------------------------------------------------------------------

++++ dpdk:
- Upstream bugfix update:
  - Version 22.11.10
    - net/mlx5: fix out-of-order completions in ordinary Rx burst (CVE-2025-23259, bsc#1254161)
  - Version 22.11.9
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id24
  - Version 22.11.8
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id21
  - Version 22.11.7
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id18
    - Remove included fix dpdk-CVE-2024-11614.patch
  - Version 22.11.6
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id15
  - Version 22.11.5
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id12
  - Version 22.11.4
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id8
  - Version 22.11.3
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id4
    Remove included fixes:
    - 0001-kni-fix-build-with-Linux-6.3.patch
  - Version 22.11.2
    https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id2
- Fix [bsc#1214724], SUSE provided DPDK modules taint the kernel as unsupported
  + Add kernel support flag for rte_kni.ko

++++ glib2:
- Add glib2-CVE-2025-7039.patch: fix computation of temporary file name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716).

++++ freetype2:
- update to 2.14.1:
  * The auto-hinter got new abilities. It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary.
  * Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines.
  * Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph.
  * The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed.
  * Handling of Variation Fonts is now considerably faster.
  * TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed-point multiplication.
  * The BDF driver now loads fonts 75% faster.
------------------------------------------------------------------
------------------ 2025-11-13 - Nov 13 2025 -------------------
------------------------------------------------------------------

++++ python311-core:
- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

++++ unbound:
- Fix CVE-2025-11411 (possible domain hijacking attack). Since this minimal patch interferes with most of the unit tests, the '%check' section has been removed from the spec file.
  [CVE-2025-11411, bsc#1252525, unbound-1.22-CVE-2025-11411.patch]

++++ python311:
- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

++++ qemu:
- Bugfixes:
  * io: fix use after free in websocket handshake code (bsc#1250984, CVE-2025-11234)
  * io: move websock resource release to close method (bsc#1250984, CVE-2025-11234)
  * io: release active GSource in TLS channel finalizer (bsc#1250984, CVE-2025-11234)
  * block/curl: fix curl internal handles handling (bsc#1252768, CVE-2025-11234)

------------------------------------------------------------------
------------------ 2025-11-9 - Nov 9 2025 -------------------
------------------------------------------------------------------

++++ containerd:
- Update to containerd v1.7.29. Upstream release notes:
  * CVE-2024-25621 bsc#1253126
  * CVE-2025-64329 bsc#1253132
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

------------------------------------------------------------------
------------------ 2025-11-7 - Nov 7 2025 -------------------
------------------------------------------------------------------

++++ openssh:
- Add openssh-cve-2025-61984-username-validation.patch (bsc#1251198, CVE-2025-61984).
- Add openssh-cve-2025-61985-nul-url-encode.patch (bsc#1251199, CVE-2025-61985).
------------------------------------------------------------------
------------------ 2025-11-6 - Nov 6 2025 -------------------
------------------------------------------------------------------

++++ podman:
- Add patch for CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (bsc#1252376):
  * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
- Add patch for bsc#1252543:
  * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
  * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch
  * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch

------------------------------------------------------------------
------------------ 2025-11-5 - Nov 5 2025 -------------------
------------------------------------------------------------------

++++ runc:
- Update to runc v1.3.3. Upstream changelog is available from .
  bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
  - 2025-11-05-CVEs.patch

------------------------------------------------------------------
------------------ 2025-11-4 - Nov 4 2025 -------------------
------------------------------------------------------------------

++++ dracut:
- Update to version 059+suse.607.g05002594:
  * fix(kernel-modules-extra): remove stray \ before / (bsc#1253029)

------------------------------------------------------------------
------------------ 2025-10-28 - Oct 28 2025 -------------------
------------------------------------------------------------------

++++ libgcrypt:
- Fix running the test suite in FIPS mode [bsc#1246934]
  * Add libgcrypt-fix-pkcs12-test-in-FIPS-mode.patch
  * Rebase libgcrypt-FIPS-SLI-kdf-leylength.patch

------------------------------------------------------------------
------------------ 2025-10-27 - Oct 27 2025 -------------------
------------------------------------------------------------------

++++ docker:
- Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290

------------------------------------------------------------------
------------------ 2025-10-22 - Oct 22 2025 -------------------
------------------------------------------------------------------

++++ gpgme:
- Treat empty DISPLAY variable as unset. [bsc#1252425, bsc#1231055]
  * To avoid gpgme constructing an invalid gpg command line when the DISPLAY variable is empty, it can be treated as unset.
  * Add gpgme-Treat-empty-DISPLAY-variable-as-unset.patch
  * Reported upstream: dev.gnupg.org/T7919

------------------------------------------------------------------
------------------ 2025-10-21 - Oct 21 2025 -------------------
------------------------------------------------------------------

++++ sqlite3:
- bsc#1252217: Add a %license file.

------------------------------------------------------------------
------------------ 2025-10-19 - Oct 19 2025 -------------------
------------------------------------------------------------------

++++ util-linux:
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

++++ util-linux-systemd:
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682, util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

------------------------------------------------------------------
------------------ 2025-10-17 - Oct 17 2025 -------------------
------------------------------------------------------------------

++++ freetype2:
- package FTL.TXT and GPLv2.TXT [bsc#1252148]

++++ libsoup:
- Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483).
------------------------------------------------------------------
------------------ 2025-10-16 - Oct 16 2025 -------------------
------------------------------------------------------------------

++++ runc:
[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs. All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.
  bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
  + 2025-11-05-CVEs.patch

------------------------------------------------------------------
------------------ 2025-10-15 - Oct 15 2025 -------------------
------------------------------------------------------------------

++++ libxslt:
- security update
- added patches
  CVE-2025-11731 [bsc#1251979], type confusion in the exsltFuncResultComp function leading to denial of service
  * libxslt-CVE-2025-11731.patch

++++ python311-core:
- Update to 3.11.14:
  - Security
    - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file (CVE-2025-8291, bsc#1251305).
    - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
      * Whitespaces no longer accepted between does not end the script section.
      * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
      * Null character (U+0000) no longer ends the tag name.
      * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. .
      * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. .
      * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace.
    - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
    - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored.
    - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
    - gh-86155: html.parser.HTMLParser.close() no longer loses data when the .