Packages changed:
  MicroOS-release (20250224 -> 20250225)
  apparmor
  bash-completion
  cockpit
  ffmpeg-4
  ffmpeg-7
  gnutls (3.8.8 -> 3.8.9)
  grub2
  kernel-firmware-realtek (20250206 -> 20250224)
  kmod (33 -> 34)
  libaccounts-glib (1.26 -> 1.27)
  libapparmor
  libwacom (2.12.2 -> 2.14.0)
  libx86emu (3.5 -> 3.7)
  libxmlb (0.3.19 -> 0.3.21)
  libzip (1.11.2 -> 1.11.3)
  passt (20250121.4f2c8e7 -> 20250217.a1e48a0)
  patterns-base
  polkit-default-privs (1550+20250217.25d4aef -> 1550+20250225.49f846d)
  pulseaudio-qt6 (1.6.1 -> 1.7.0)
  qt6-tools
  sdbootutil (1+git20250221.19f7d1a -> 1+git20250225.b78f812)
  selinux-policy (20250221 -> 20250224)
  speech-dispatcher (0.12.0~rc4 -> 0.12.0)
  tiff

=== Details ===

==== MicroOS-release ====
Version update (20250224 -> 20250225)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- add py313-aa-notify.patch to adapt the last bits to python 3.13

==== bash-completion ====

- Drop completions for kmod; kmod>=34 provides its own now.

==== cockpit ====
Subpackages: cockpit-bridge cockpit-networkmanager cockpit-packagekit cockpit-system cockpit-ws

- fix build with latest local-npm-registry

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Add ffmpeg-7-CVE-2025-22921.patch:
  Backporting 7f9c7f98 from upstream, clear array length when
  freeing it.
  (CVE-2025-22921, bsc#1237382)
- Add ffmpeg-7-CVE-2025-25473.patch:
  Backporting c08d3004 from upstream, clear FFFormatContext packet.
  When packet_buffer is used in mux.c, and if a muxing process fails
  at a point where packets remained in said queue.
  (CVE-2025-25473, bsc#1237351)
- Add ffmpeg-7-CVE-2025-0518.patch:
  Backporting b5b6391d from upstream, fixes memory data leak when
  use sscanf().
  (CVE-2025-0518, bsc#1236007)
- Add ffmpeg-7-CVE-2025-22919.patch:
  Backporting 1446e37d from upstream, check for valid sample rate
  As the sample rate <= 0 is invalid.
  (CVE-2025-22919, bsc#1237371)
- Add ffmpeg-4-CVE-2024-12361.patch:
  Backporting 4065ff69 from upstream, add check for
  av_packet_new_side_data() to avoid null pointer dereference if
  allocation fails.
  (CVE-2024-12361, bsc#1237358)

==== ffmpeg-7 ====
Subpackages: libavcodec61 libavfilter10 libavformat61 libavutil59 libpostproc58 libswresample5 libswscale8

- Add ffmpeg-7-CVE-2025-22921.patch:
  Backporting 7f9c7f98 from upstream, clear array length when
  freeing it.
  (CVE-2025-22921, bsc#1237382)
- Add ffmpeg-7-CVE-2025-25473.patch:
  Backporting c08d3004 from upstream, clear FFFormatContext packet.
  When packet_buffer is used in mux.c, and if a muxing process fails
  at a point where packets remained in said queue.
  (CVE-2025-25473, bsc#1237351)
- Add ffmpeg-7-CVE-2025-0518.patch:
  Backporting b5b6391d from upstream, fixes memory data leak when
  use sscanf().
  (CVE-2025-0518, bsc#1236007)
- Add ffmpeg-7-CVE-2025-22919.patch:
  Backporting 1446e37d from upstream, check for valid sample rate
  As the sample rate <= 0 is invalid.
  (CVE-2025-22919, bsc#1237371)

==== gnutls ====
Version update (3.8.8 -> 3.8.9)

- Update to 3.8.9
- libgnutls: leancrypto was added as an interim option for PQC
  The library can now be built with leancrypto instead of liboqs for
  post-quantum cryptography (PQC), when configured with
  --with-leancrypto option instead of --with-liboqs.
- libgnutls: Experimental support for ML-DSA signature algorithm
  The library and certtool now support ML-DSA signature algorithm as
  defined in FIPS 204 and based on
  draft-ietf-lamps-dilithium-certificates-04. This feature is
  currently marked as experimental and can only be enabled when
  compiled with --with-leancrypto or --with-liboqs.
  Contributed by David Dudas.
- libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
  The support for ML-KEM post-quantum key encapsulation mechanisms
  has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
  MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
  draft-kwiatkowski-tls-ecdhe-mlkem-03.
- libgnutls: Fix potential DoS in handling certificates with numerous
  name constraints, as a follow-up of CVE-2024-12133 in libtasn1.
  The bundled copy of libtasn1 has also been updated to the latest
  4.20.0 release to complete the fix. Reported by Bing Shi (#1553).
  [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243]
- Licensing information moved to README.md, COPYING, COPYING.LESSERv2
  * Rebased gnutls-FIPS-140-3-references.patch
  * Rebased gnutls-FIPS-TLS_KDF_selftest.patch
  * Rebased gnutls-FIPS-jitterentropy.patch
  * Rebased gnutls-disable-flaky-test-dtls-resume.patch
  * Rebased gnutls-srp-test-SIGPIPE.patch
  * Rebased gnutls-3.5.11-skip-trust-store-tests.patch
  * Add gnutls-set-cligen-python-interp.patch
  * Add gnutls-skip-pqx-test.patch

==== grub2 ====
Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls

- Make SLFO/SLE-16 and openSUSE have identical package structures
- Provide grub2--efi-bls for SLFO/SLE-16

==== kernel-firmware-realtek ====
Version update (20250206 -> 20250224)

- Update to version 20250224 (git commit 1a1470d90de2):
  * rtw89: 8852bt: update fw to v0.29.122.0 and BB parameter to 07

==== kmod ====
Version update (33 -> 34)
Subpackages: libkmod2

- Update to release 34
  * modinfo now dlopens compression libraries, and only if needed.
    (insmod/modprobe exercises the kernel's built-in decompression
    anyway, so is unaffected).
  * depmod: add -m option for overriding the module directory at
    runtime.
  * depmod: deleted deprecated options --unresolved-error, --quiet,
    --root and --map.
  * rmmod: deleted deprecated option -w.
  * insmod: deleted deprecated options -p, -s.
- Delete 0001-testsuite-fix-path-for-test-user.patch (obsolete)

==== libaccounts-glib ====
Version update (1.26 -> 1.27)

- Update to 1.27
  * Do not install python gobject introspection files by default.
    If they are needed, build with `-Dinstall-py-overrides=true`.
  * Lib: do not attempt to terminate the GTask twice
  * Fix memory leak on provider tags
  * Do not emit misleading enabled signals on account services
  * Fix incorrect cleanup in ag_account_finalize
- Drop patches, merged upstream:
  * 0001-ag-account-fix-incorrect-cleanup-in-ag_account_final.patch
  * 0002-Build-Don-t-install-Python-overrides-by-default.patch
  * 0003-Lib-do-not-attempt-to-terminate-the-GTask-twice.patch
  * 0004-ag-provider-fix-memory-leak-on-provider-tags.patch
  * 0006-ag-account-do-not-emit-misleading-enabled-signals-on.patch

==== libapparmor ====

- add py313-aa-notify.patch to adapt the last bits to python 3.13

==== libwacom ====
Version update (2.12.2 -> 2.14.0)
Subpackages: libwacom-data libwacom9

- update to 2.14.0
  * Extended Lenovo Yoga X1 Gen5 support, improved the Huion mini
    keydial (KD100)
  * Fixed missing Strip in the Huion Kamvas Pro 16
  * Corrected entry for Elan 5515
  * Fixed outdated properties for Lenovo Yoga 9 14IAP7
  * Add support for Dial status LEDs
  * .tablet files shadow any ones with the same name
  * New XP Pen devices supported: Artist 22R Pro, 24 Pro, Deco Fun L,
    ACK05 Remote, Pro Pen 3E
  * New Lenovo devices supported: Yoga 9 14IAP7, Active Pen 3 (2023),
    Digital Pen 2, X1 Fold 16 Gen1, Precision Pen 2 (2023) stylus
  * New ELAN devices supported: ELAN-2514 variant 04f3:2f9d, ELAN 9008
    and 9009 (Asus Zenbook Duo UX8406MA 1200p), ELAN 2F2A and 41A1
    (ZenBook Pro Duo UX8402VV)
  * New Wacom devices supported: HID 5214 (IdeaPad Flex 5 14ARE05
    rev.81X2), HID 52C6 Pen.
  * New HP devices supported: Spectre x360, Elite Chromebook C1030
  * Other devices supported: StarLite Mk V; HP Spectre x360
    13-aw0020ng; Huion RTP-700, Huion KeyDial K20
  * Database: support $XDG_CONFIG_HOME/libwacom as additional path
  * tools/clean_svg: allow passing in a .tablet file
  * tools/list-local-devices: print the vid/pid if available
  * tools/debug-device: print the device class too

==== libx86emu ====
Version update (3.5 -> 3.7)

- merge gh#wfeldt/libx86emu#47
- fix building on non-x86 architectures
- 3.7
- merge gh#wfeldt/libx86emu#46
- fix a buffer overflow in x86emu_log (bsc#1237557)
- 3.6
- merge gh#wfeldt/libx86emu#44
- prim_ops: fix some indentation
- merge gh#wfeldt/libx86emu#42
- Fix a bug in R/M 01 decoding
- merge gh#wfeldt/libx86emu#41
- fix NEG remark typos

==== libxmlb ====
Version update (0.3.19 -> 0.3.21)

- Update to 0.3.21
  * Check for corrupt XbSiloNode values in a smarter way
  Changes in 0.3.20:
  * Do not always strip literal text
  * Do not assume .txt files are application/xml
  * Fix a crash when loading a corrupt XMLb store

==== libzip ====
Version update (1.11.2 -> 1.11.3)

- update to 1.11.3:
  * Report read error for corrupted encrypted file data
  * Avoid unnecessary seeks when writing archive
  * Don't hardcode _Nullable support in zip.h to allow it to be used
    with different compilers

==== passt ====
Version update (20250121.4f2c8e7 -> 20250217.a1e48a0)
Subpackages: passt-selinux

- Update to version 20250217.a1e48a0:
  * test: Add migration tests
  * migrate: Migrate TCP flows
  * repair, passt-repair: Build and warning fixes for musl
  * tcp_splice: A typo three years ago and SO_RCVLOWAT is gone
  * tcp_splice: Don't wake up on input data if we can't write it anywhere
  * vhost_user: Clear ring address on GET_VRING_BASE
  * tcp, tcp_splice: Don't set SO_SNDBUF and SO_RCVBUF to maximum values
  * tcp: Keep updating window and checking for socket data after FIN from guest
  * contrib/selinux: Enable mapping guest memory for libvirt guests
  * selinux: Add rules needed to run tests
  * rampstream: Add utility to test for corruption of data streams
  * tcp: Get bound address for connected inbound sockets too
  * vhost_user: Make source quit after reporting migration state
  * Add interfaces and configuration bits for passt-repair
  * migrate: Migrate guest observed addresses
  * migrate: Skeleton of live migration logic
  * passt-repair: Fix off-by-one in check for number of file descriptors
  * tcp_vu: Fix off-by one in header count array adjustment
  * tcp: Implement conservative zero-window probe on ACK timeout
  * tcp: Don't discard window information on keep-alive segments
  * dhcp, dhcpv6: Add hostname and client fqdn ops
  * conf: Don't map DNS traffic to host, if host gateway is a resolver
  * passt-repair: Send one confirmation *per command*, not *per socket*
  * dhcp: Don't re-use request message for reply
  * passt-repair: Dodge "structurally unreachable code" warning from Coverity
  * passt-repair: Fix calculation of payload length from cmsg_len
  * passt-repair: Don't use perror(), accept ECONNRESET as termination
  * conf, passt.1: Un-deprecate --host-lo-to-ns-lo
  * debug: Add tcpdump to mbuto.img
  * apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user
  * passt-repair.1: Fix indication of TCP_REPAIR constants
  * passt-repair: Build fixes for musl
  * passt-repair: use _exit() over return
  * treewide: use _exit() over exit()
  * tcp: Simplify handling of getsockname()
  * migrate: Fix several errors with passt-repair
  * doc: Add mock of migration source and target
  * tcp: Get socket port and address using getsockname() when connecting from guest
  * Introduce passt-repair
  * vhost_user: Turn some vhost-user message reports to trace()
  * util: Add read_remainder() and read_all_buf()
  * tcp_splice, udp_flow: fcntl64() support on PPC64 depends on glibc version
  * vhost_user: On 32-bit ARM, mmap() is not available, mmap2() is used instead
  * tcp: Don't reset outbound connection on SYN retries
  * pasta.te: fix demo.sh and remove one duplicate rule
  * tcp: Add HOSTSIDE(x), HOSTFLOW(x) macros
  * util: Rename and make global vu_remove_watch()
  * tcp: Always pass NULL event with EPOLL_CTL_DEL
  * vhost-user: Implement an empty VHOST_USER_SEND_RARP command
  * netlink: Skip loopback interface while looking for a template

==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11

- Only requires busybox on openSUSE MicroOS, not SL Micro.
- Don't build apparmor pattern for SLFO.
- Disable 32bit pattern on aarch64 and ppc64le.
- Build selinux pattern everywhere and requires targeted policy on SLE.

==== polkit-default-privs ====
Version update (1550+20250217.25d4aef -> 1550+20250225.49f846d)

- Update to version 1550+20250225.49f846d:
  * profiles: whitelist kio-admin (bsc#1229913)
- Update to version 1550+20250224.8d1bf49:
  * profiles: whitelist apparmor-utils (bsc#1237329)

==== pulseaudio-qt6 ====
Version update (1.6.1 -> 1.7.0)

- Update to 1.7.0
  * Remove Qt 5 support
  * bump compiler setting to 6.0
  * bump c++ to 20
  * change all dptrs to unique_ptr
  * debug: correctly mark updates
  * card: don't mutate the container we iterate on
  * context: add support for loading and unloading modules
  * server: consider pipewire/wireplumber the default
  * Add missing license text
- Drop the Qt 5 flavor (but keep the _multibuild setup)

==== qt6-tools ====
Subpackages: libQt6UiTools6 qt6-tools-qdbus

- Use clang 19 on Leap 15.6. The 15.6 update repo got a new llvm
  version which causes issues if both llvm 17 and 19 are present

==== sdbootutil ====
Version update (1+git20250221.19f7d1a -> 1+git20250225.b78f812)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit

- Update to version 1+git20250225.b78f812:
  * Use also cryptenroll key to recover the volume key
- Update to version 1+git20250225.292283f:
  * Support UUID references in crypttab
- Update to version 1+git20250224.c9be3b6:
  * Do not use && when copying signature (bsc#1237505)

==== selinux-policy ====
Version update (20250221 -> 20250224)
Subpackages: selinux-policy-targeted

- Update to version 20250224:
  * Label /run/systemd/pcrlock.json systemd_pcrlock_var_lib_t
  * systemd_pcrlock_t needs to filetrans when recreating /var/lib/pcrlock.d
  * Allow snapper access to keys
  * Add rules for pcrlock (bsc#1233358)
  * allow snapper to call pcrlock and manage its files
  * allow unconfined_t to execute pcrlock
  * label rules for default systemd_pcrlock_var_lib_t locations
  * new interfaces: systemd_domtrans_pcrlock and systemd_pcrlock_exec
  * introduce systemd_pcrlock_var_lib_t and systemd_manage_pcrlock_files
  * Introduce interfaces snapper_manage_tmp_files and snapper_manage_tmp_dirs

==== speech-dispatcher ====
Version update (0.12.0~rc4 -> 0.12.0)

- Update to version 0.12.0:
  * Add libspeechd-module library for making it simpler to create
    external spd modules.
  * Update CLDR to version 45, symbols from orca 45.2, and symbols
    from NVDA.
  * Also support loading symbols from home directory.

==== tiff ====

- Use python3-Sphinx instead of %{primary_python}-Sphinx based on
  recommendation from python maintainers.
  * Fixes build issue of man flavor on 15.6