Packages changed:
  ImageMagick (7.1.2.21 -> 7.1.2.22)
  apache2 (2.4.66 -> 2.4.67)
  apache2-manual (2.4.66 -> 2.4.67)
  apache2-prefork (2.4.66 -> 2.4.67)
  apache2-utils (2.4.66 -> 2.4.67)
  apparmor (4.1.7 -> 5.0.0)
  aurorae6 (6.6.4 -> 6.6.5)
  bluedevil6 (6.6.4 -> 6.6.5)
  breeze6 (6.6.4 -> 6.6.5)
  breeze6-gtk (6.6.4 -> 6.6.5)
  container-selinux (2.247.0 -> 2.248.0)
  discover6 (6.6.4 -> 6.6.5)
  dracut (110+suse.29.g16072cee -> 110+suse.31.ga81148a)
  drkonqi6 (6.6.4 -> 6.6.5)
  expat (2.7.5 -> 2.8.1)
  ffmpeg-8
  flatpak-kcm6 (6.6.4 -> 6.6.5)
  fwupd (2.1.1 -> 2.1.3)
  gdm
  glib2-branding-openSUSE
  glibc
  gnome-shell
  gpg2 (2.5.19 -> 2.5.20)
  gstreamer (1.28.2 -> 1.28.3)
  gstreamer-devtools (1.28.2 -> 1.28.3)
  gstreamer-plugins-bad (1.28.2 -> 1.28.3)
  gstreamer-plugins-base (1.28.2 -> 1.28.3)
  gstreamer-plugins-good (1.28.2 -> 1.28.3)
  gstreamer-plugins-rs (1.28.2 -> 1.28.3)
  javapackages-tools (6.4.1 -> 6.5.1)
  kactivitymanagerd6 (6.6.4 -> 6.6.5)
  kde-cli-tools6 (6.6.4 -> 6.6.5)
  kde-gtk-config6 (6.6.4 -> 6.6.5)
  kdecoration6 (6.6.4 -> 6.6.5)
  kdeplasma6-addons (6.6.4 -> 6.6.5)
  kernel-source (7.0.5 -> 7.0.7)
  kgamma6 (6.6.4 -> 6.6.5)
  kglobalacceld6 (6.6.4 -> 6.6.5)
  kinfocenter6 (6.6.4 -> 6.6.5)
  kmenuedit6 (6.6.4 -> 6.6.5)
  knighttime6 (6.6.4 -> 6.6.5)
  kpipewire6 (6.6.4 -> 6.6.5)
  kscreen6 (6.6.4 -> 6.6.5)
  kscreenlocker6 (6.6.4 -> 6.6.5)
  ksshaskpass6 (6.6.4 -> 6.6.5)
  ksystemstats6 (6.6.4 -> 6.6.5)
  kwayland-integration6 (6.6.4 -> 6.6.5)
  kwayland6 (6.6.4 -> 6.6.5)
  kwin6 (6.6.4 -> 6.6.5)
  kwin6-x11 (6.6.4 -> 6.6.5)
  layer-shell-qt6 (6.6.4 -> 6.6.5)
  libapparmor (4.1.7 -> 5.0.0)
  libei (1.5.0 -> 1.6.0)
  libinput (1.31.1 -> 1.31.2)
  libksba (1.7.0 -> 1.8.0)
  libkscreen6 (6.6.4 -> 6.6.5)
  libksysguard6 (6.6.4 -> 6.6.5)
  libmodulemd
  libplasma6 (6.6.4 -> 6.6.5)
  librsvg (2.62.0 -> 2.62.2)
  libselinux
  libselinux-bindings
  libsolv (0.7.36 -> 0.7.37)
  libstorage-ng (4.5.314 -> 4.5.320)
  libzypp (17.38.7 -> 17.38.8)
  milou6 (6.6.4 -> 6.6.5)
  net-snmp
  ntfs-3g_ntfsprogs
  ocean-sound-theme6 (6.6.4 -> 6.6.5)
  open-vm-tools (13.0.10 -> 13.1.0)
  openSUSE-release (20260512 -> 20260517)
  openblas_openmp
  openblas_pthreads
  openexr (3.4.9 -> 3.4.11)
  openssh
  openssl-3
  pam_kwallet6 (6.6.4 -> 6.6.5)
  patterns-base
  perl-CGI (4.710.0 -> 4.720.0)
  perl-CryptX (0.87.0 -> 0.89.0)
  perl-Net-CIDR-Lite (0.220.0 -> 0.240.0)
  perl-libwww-perl (6.820.0 -> 6.830.0)
  permissions (1699_20260217 -> 1699_20260512)
  pipewire (1.6.4 -> 1.6.5)
  plasma5support6 (6.6.4 -> 6.6.5)
  plasma6-activities (6.6.4 -> 6.6.5)
  plasma6-activities-stats (6.6.4 -> 6.6.5)
  plasma6-browser-integration (6.6.4 -> 6.6.5)
  plasma6-desktop (6.6.4 -> 6.6.5)
  plasma6-disks (6.6.4 -> 6.6.5)
  plasma6-integration (6.6.4 -> 6.6.5)
  plasma6-nm (6.6.4 -> 6.6.5)
  plasma6-openSUSE
  plasma6-pa (6.6.4 -> 6.6.5)
  plasma6-print-manager (6.6.4 -> 6.6.5)
  plasma6-systemmonitor (6.6.4 -> 6.6.5)
  plasma6-thunderbolt (6.6.4 -> 6.6.5)
  plasma6-workspace (6.6.4 -> 6.6.5)
  polkit-default-privs (1550+20260428.f2a5d2e -> 1550+20260513.3b99372)
  polkit-kde-agent-6 (6.6.4 -> 6.6.5)
  powerdevil6 (6.6.4 -> 6.6.5)
  python-gobject (3.56.2 -> 3.56.3)
  python-numpy (2.4.3 -> 2.4.4)
  python-packaging (26.0 -> 26.2)
  python-urllib3 (2.6.3 -> 2.7.0)
  qqc2-breeze-style6 (6.6.4 -> 6.6.5)
  rsync
  ruby4.0 (4.0.3 -> 4.0.4)
  rubygem-gem2rpm
  salt
  sddm-kcm6 (6.6.4 -> 6.6.5)
  selinux-policy (20260414 -> 20260508)
  shaderc (2026.1 -> 2026.2)
  spectacle (6.6.4 -> 6.6.5)
  suse-module-tools (16.1.4 -> 16.1.5)
  systemsettings6 (6.6.4 -> 6.6.5)
  tree-sitter
  vulkan-loader (1.4.341 -> 1.4.350)
  vulkan-tools (1.4.341 -> 1.4.350)
  wacomtablet-kcm6 (6.6.4 -> 6.6.5)
  webkitgtk3
  webkitgtk4
  xdg-desktop-portal-kde6 (6.6.4 -> 6.6.5)
  yast2 (5.0.20 -> 5.0.21)
  yast2-storage-ng (5.0.43 -> 5.0.48)
  zypper (1.14.96 -> 1.14.97)

=== Details ===

==== ImageMagick ====
Version update (7.1.2.21 -> 7.1.2.22)
Subpackages: ImageMagick-config-7-SUSE libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.2.22
  * no upstream changelog
- seem to fix following GH security advisories:
  * GHSA-7wff-wpr6-vmhm
  * GHSA-85r7-8qr6-54gh
  * GHSA-cr6r-hmj8-pr7r
  * GHSA-cwpj-h54c-xjpx
  * GHSA-g5mf-wqq5-vwg6
  * GHSA-gj92-pwm7-jcmp
  * GHSA-hg5x-pmmv-4q7g
  * GHSA-j3pv-77gf-fw2g
  * GHSA-jqq5-8px3-9m6m
  * GHSA-pfvh-m9xv-8966
  * GHSA-rw3g-wvj6-3p7w
  * GHSA-v6qj-8rm4-fpgj
  * GHSA-vf33-6r7x-66xx
  * GHSA-vhrh-72hq-w8m7
- deleted patches
  * ImageMagick-fix-overflow-check.patch (upstreamed)

==== apache2 ====
Version update (2.4.66 -> 2.4.67)

- Remove last remnants of update-alternatives.
- version update to 2.4.67
  * ) SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data() [boo#1263950]
      Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string) [boo#1263951]
      Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP getter functions [boo#1263952]
      Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line [boo#1263953]
      HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash [boo#1263954]
      A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
  * ) SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack [boo#1263955]
      A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
  * ) SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock crash [boo#1263956]
      A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.
      mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
  * ) SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP response [boo#1264150]
      Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header() [boo#1264163]
      Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.
      This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr [boo#1263935]
      An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
  * ) SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset [boo#1263957]
      Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
  * ) mod_md: update to version 2.6.10
      - Fix issue #420 by ignoring job.json files that claim to have completely finished a certificate renewal, but have not produced the necessary result files.
  * ) mod_http2: update to version 2.0.39
      Remove streams own memory allocator after reports of memory problems with third party modules.
  * ) mod_http2: update to version 2.0.38
  ... changelog too long, skipping 16 lines ...
  * ) mod_md: Use correct function name when compiling against APR < 1.6.0.

==== apache2-manual ====
Version update (2.4.66 -> 2.4.67)

- Remove last remnants of update-alternatives.
- version update to 2.4.67

==== apache2-prefork ====
Version update (2.4.66 -> 2.4.67)

- Remove last remnants of update-alternatives.
- version update to 2.4.67

==== apache2-utils ====
Version update (2.4.66 -> 2.4.67)

- Remove last remnants of update-alternatives.
- version update to 2.4.67

==== apparmor ====
Version update (4.1.7 -> 5.0.0)
Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- add lsusb.diff: fix lsusb profile
- add wpa_supplicant.diff: fix wpa_supplicant profile (boo#1265377)
- add syslog-ng-slashes.diff: avoid double slashes (and therefore a path mismatch) in syslog-ng profile
- Use %{_tmpfilesdir} macro and package apparmor.conf tmpfiles configuration.
- add allow-read-slash.diff and postfix-profiles-slash.diff to allow reading / in samba, dovecot and postfix profiles (boo#1263051)
- update to AppArmor 5.0
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0 for the full upstream changelog
- update lessopen.sh profile to abi/5.0
- enable all tests in profiles/
- Add and use tmpfiles.d/apparmor.conf for log and cache path creation (jsc#PED-14916) (jsc#PED-14917)
  + drop removal of pre-2.12 cache location
  + retain "apparmor_parser --purge-cache" calls for non-transactional systems
- update to AppArmor 5.0rc5
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc5
- drop upstreamed parser-lib-path.diff
- update to AppArmor 5.0rc4
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc4 for the full upstream changelog
- add BR libzstd-devel
- add parser-lib-path.diff to ensure parser finds libapparmor in make check
- refresh apache-extra-profile-include-if-exists.diff
- add 'make -C init' (apparmor.service and aa-teardown now live in a separate directory)

==== aurorae6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since
6.6.4:
  * Update version for new release 6.6.5

==== bluedevil6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== breeze6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: breeze6-cursors breeze6-decoration breeze6-style

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * kdecoration: Use correct scale when computing border outline thickness

==== breeze6-gtk ====
Version update (6.6.4 -> 6.6.5)
Subpackages: gtk2-metatheme-breeze6 gtk3-metatheme-breeze6 gtk4-metatheme-breeze6 metatheme-breeze6-common

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== container-selinux ====
Version update (2.247.0 -> 2.248.0)

- Update to version 2.248.0:
  * Condition ptrace permission on deny_ptrace boolean

==== discover6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: discover6-backend-flatpak discover6-backend-fwupd discover6-backend-packagekit discover6-notifier

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * ProgressView: Don't conditionally invert text color
  * rpmostree: Connect to this when connecting to a lambda that captures this

==== dracut ====
Version update (110+suse.29.g16072cee -> 110+suse.31.ga81148a)

- Update to version 110+suse.31.ga81148a:
  Support NTP configuration for airgapped scenarios (jsc#PED-16110):
  * feat(chrony): introducing the chrony module
  * feat(network-manager): write info about NTP servers in dhcpopts file

==== drkonqi6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== expat ====
Version update (2.7.5 -> 2.8.1)
Subpackages: libexpat1

- update to 2.8.1 (bsc#1264713, CVE-2026-45186, bsc#1262263, CVE-2026-41080):
  * Fix quadratic runtime from attribute name collision checks that allowed denial of service attacks through moderately sized crafted XML input (CWE-407). Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
  * CVE-2026-41080 -- The existing hash flooding protection only used 4 to 8 bytes of entropy for a salt, when 16 bytes of salt are supported by the implementation of SipHash used by Expat. Now full 16 bytes of entropy are used to improve protection against hash flooding attacks.
  * Existing API function XML_SetHashSalt is now deprecated because of its limitations, and its use should be considered a vulnerability. Please either use the new API function XML_SetHashSalt16Bytes (with known-high-quality entropy input only!) instead, or leave the derivation of a 16-bytes hash salt from high quality entropy to Expat's internal machinery (by *not* calling either of the two XML_SetHashSalt* functions).

==== ffmpeg-8 ====
Subpackages: libavcodec62 libavfilter11 libavformat62 libavutil60 libswresample6 libswscale9

- Enable glslang filters

==== flatpak-kcm6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- No code changes since 6.6.4

==== fwupd ====
Version update (2.1.1 -> 2.1.3)
Subpackages: fwupd-bash-completion libfwupd3 typelib-1_0-Fwupd-2_0

- Update to version 2.1.3:
  + This release adds the following features:
    - Add support for Redfish bearer token authentication
    - Add support for several XMC SPI chips
    - Parse JCat files in libfwupd without using libjcat
  + This release fixes the following bugs:
    - Allow configuring a Redfish URI with a path prefix
    - Avoid firmware matching errors for Cat-6 and Cat-12 modems
    - Calculate and export a floating point percentage progress value
    - Do not print clean remote success message if aborted
    - Do not probe all Nordic devices with USB VID 0x1915
    - Fix force table support in Elan IC types 0x13 and 0x14
    - Fix Raydium information check flow to avoid incorrect validation
    - Fix the Thunderbolt version number by ignoring the reserved bits
    - Load well-known paths in dbxtool to prevent a regression
    - Match a specific Raydium device to prevent resetting older hardware
    - Only copy the HIDRAW USB properties if a DS-20 has been provided
    - Use CA1 for a SK Hynix NVMe drive
  + This release adds support for the following hardware:
    - SHIFT6mq and SHIFTphone 8
- Update to version 2.1.2:
  + This release adds the following features:
    - Add an HSI check for AMD SB-7033 aka EntrySign
    - Add native CBOR parsing and drop libcbor2 as a dep
    - Add server platform detection to suspend HSI checks
    - Allow setting a maximum version number for a device
    - Allow setting context flags from HWID matches
    - Increment the progressbar when waiting for replug
    - Require Windows 8+ for the MSI build artifact
    - Support loading EFI authenticated variables with ContentInfo headers
  + This release fixes the following bugs:
    - Add daemon support for modems that export ttyUSB devices
    - Add decompression ratio limit to prevent parsing emulation ZIP bombs
    - Add device activation flag for Dell servers after firmware upgrade
    - Allow using a custom Telink HidToolVer quirk
    - Check the UEFI capsule payload is less than 4GiB in size
    - Cleanup all the user inhibits when required
    - Do not allow using non-regular files like devnull as metadata
    - Do not use capsule-on-disk on Lenovo ThinkCentre M60e Tiny
    - Fix a buffer overread when parsing a malicious PE file
    - Fix a CRC validation mistake in ZIP firmware parser
    - Fix a maybe-impossible NULL pointer dereference when parsing netlink data
    - Fix a small memory leak when writing Redfish firmware
    - Fix accessing Nordic devices connected through a dongle
    - Fix handling snapd payloads with only a default image
    - Fix potential NULL pointer dereference in QMI firmware write
    - Fix the auto-generated Redfish HBA device name
    - Fix the displayed Thunderbolt version number by ignoring reserved bits
    - Fix UF2 race with UDisks2 volume discovery during replug
    - Fix warning when probing removable USB devices with no medium
    - Guard HSI feature with platforms requirements
    - Hardcode the modification timestamp in generated zip archive
    - Increase the resolution of the progress bar updates
    - Limit the maximum number of files that can be parsed from ZIP archives
    - Prevent users from asking for unlimited system inhibits
    - Properly handle Dell iDRAC when using Redfish
    - Reject DFU sectors with zero size to prevent a possible infinite loop
    - Restore the VID check in Algoltek USBCR probe function
    - Set sensible parsing limits in each FuFirmware subclass
    - Show a suitable version when the Novatek update is interrupted
    - Support CAB image filenames longer than 255 chars
    - Update the Focal touch firmware format to the latest release
    - Use overflow-checked arithmetic for all offset calculations
    - Use prepared queries when querying silos
    - Validate CCGX record data size before flash write
    - Validate Nordic HID peer index before accessing peers cache array
    - Validate Synaptics cxaudio EEPROM size before trusting it
    - Wait for mock snapd API socket to appear when running tests
    - Wait for the new version when updating the Nordic TK059 Keyboard
  + This release adds support for the following hardware:
    - Elan TP IC type 0x19
    - Google Moonstone
    - HP 400 and 405 Mouse
    - Lenovo USB-4 dock
    - LX Semicon SW42101 touch controller
    - Parade USB hubs with GPIO control
    - Pixart PLP239 devices
    - Raydium TP devices
    - Sunplus cameras
- Drop pkgconfig(libcbor) BuildRequires: no longer needed.

==== gdm ====
Subpackages: gdm-schema gdm-systemd gdm-xdm-integration libgdm1 typelib-1_0-Gdm-1_0

- Drop xdm-integration in SLE 16.1 to remove the update-alternatives dependency (bsc#1264389, jsc#PED-15673).
- Drop pam_gdm from gdm-fingerprint.pamd (boo#1258070, glgo#GNOME/gdm#1074)

==== glib2-branding-openSUSE ====

- Update .gschema.override.in: fix key name typo of monospace-font-name (bsc#1263043).

==== glibc ====
Subpackages: glibc-devel glibc-extra glibc-gconv-modules-extra glibc-locale glibc-locale-base

- ungetwc-byte-stream.patch: libio: Fix ungetwc operating on byte stream (CVE-2026-5928, bsc#1262464, BZ #33998)
- scanf-mc-buffer-overflow.patch: stdio-common: Fix buffer overflow in scanf %mc (CVE-2026-5450, bsc#1262465, BZ #34008)

==== gnome-shell ====
Subpackages: gnome-extensions gnome-shell-calendar

- Add fix-ibus-engine-race-condition-on-unlock.patch, Fix IBus input failure after screen unlock

==== gpg2 ====
Version update (2.5.19 -> 2.5.20)
Subpackages: dirmngr

- Update to 2.5.20:
  * gpgsm: Implement GCM encryption. Note that decryption works since version 2
  * gpgsm: New option --attribute and server command SETATTR to include arbitrary signed or unsigned attributes into a signature. Enable only with libksba 1
  * gpgsm: Introduce system attribute _signingCertificateV2.
  * gpg: Fix wrong assertion failure which could very rarely occur during key signature checking
  * gpg: Consider certify-only keys for revocation signature check.
  * gpgsm: Fix possible double free in the CMS parser
  * gpgsm: Fix possible too early removal of ephemeral keys
  * gpgsm: Avoid emitting a final FAILURE status line if --status-fd is not used
  * gpgsm: Fix a regression in 2.5.19 for password encrypted GCM data
  * agent: Fix not using cache for pinentry loopback
  * agent: Fix command PUT_SECRET by saving input line
  * keyboxd: Mark keys searched but not imported via LDAP correctly as ephemeral
  * scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA keys > 2k
  * dirmngr: Fix uninitialized use of the dns_any union in dns_rr_cmp

==== gstreamer ====
Version update (1.28.2 -> 1.28.3)
Subpackages: gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.28.3:
  + Highlighted bugfixes:
    - Various security fixes and playback fixes
    - applemedia: vtdec stability, MoltenVK integration and planar video format handling fixes
    - audioresample: Fix regression on armv7hf
    - bpmdetect: Fixes for stereo and multi-channel modes
    - devicemonitor: wait for start thread to finish when listing devices so all the info is there for e.g.
      v4l2 provider
    - fallbacksrc: Add fallback-source and enable-dummy properties
    - nvidia: fix cudaconvert performance regression and nvdec device creation regression
    - opengl: add GBRA swizzle support, and fix glcolorconvert vertical flip issue on crop
    - rtspsrc: include user-agent property in HTTP tunnel requests and fix mikey regression
    - threadshare: add leaky mode to dataqueue-based elements
    - v4l2: fix negotiation error when trying to force stateful decoders to output dmabufs
    - webrtcsink: Add support imx8mp vpuenc_hevc hardware H.265 encoder
    - cerbero: Extend gst-plugins-rs melding to Darwin platforms for smaller binary sizes and static linking improvements
    - inno Windows installer fixes, including silent install mode via the command line
    - macOS: provide script to allow uninstalling the package; relocate absolute paths to Python.framework in wheels
    - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements
  + gstreamer:
    - pad: fix potential buffer leak in get_range_failed error handler
    - aggregator: Fix documentation
    - allocator: Use g_try_malloc() instead of g_malloc() for sysmem
    - baseparse: Fix memory leak when subclass returns error
    - bitwriter: Allow unsetting set bits when overwriting them
    - devicemonitor: Wait for start thread to finish when listing devices
    - streams: Add METADATA to the valid stream flags for serialization
    - value: On buffer deserialization errors first unmap the buffer and then unref it
    - gst-inspect-1.0: type for string caps fields should be 'string' not 'gchararray'

==== gstreamer-devtools ====
Version update (1.28.2 -> 1.28.3)

- Update to version 1.28.3:
  + Plug memory leaks reported running valgrind on our testsuite

==== gstreamer-plugins-bad ====
Version update (1.28.2 -> 1.28.3)
Subpackages: libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgsthip-1_0-0 libgstinsertbin-1_0-0
  libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.28.3:
  + ajasink: Correctly set reference source
  + analytics: fix meta transform function for copy cases
  + av1parse: Fix null pointer dereference
  + bpmdetect: Fix calculation of number of samples for >1 channels
  + codecparsers: Stack Buffer Overflow in H.265 Buffering Period SEI Parser
  + cudaconvert: fix performance regression caused by double precision floating point constants
  + decklink: Fix various refcount issues and related leaks
  + h263parse:
    - Fix wrong ratio masking
    - Missing handling of reserved invalid EPAR_D value
  + h265parser:
    - Use sub-layer 0 CPB count in buffering_period SEI loops
    - Add missing clearing function for H266 SEI message
    - Avoid out-of-bounds write when parsing PPS tile slices
  + mpegdemux: Add various bounds checks related to PES header parsing
  + interlace: Revert "Drop framerate from query caps of sinkpad"
  + mpegtsdemux: Various fixes
  + mpegtspacketizer: Avoid potential overflow
  + mse: Also disable the library if the meson option is disabled
  + mxf:
    - Fix multiple writing / parsing issues when handling VANC packets
    - Theoretical heap Buffer Overflow in MXF AES3 Audio Descriptor write_tags
  + mxfdemux: Fix reverse temporal offsets array upper bounds check
  + mxfmux: aes-bwf: Use correct size when serializing user data / channel status mode
  + nvcodec: Fix missing adapter-luid when loading decoders
  + nvdec regression in 1.28.2: "Couldn't create new device with adapter luid 0"
  + pngparse: Fix Use-after-free bug
  + qml6d3d11sink: Clear texture on Paused-to-Ready transition
  + qt6d3d11: fix null check in SetForceAspectRatio()
  + tsdemux:
    - Fix parsing of PES ESCR and following PES header fields
    - Fix segfault when trying to handle SCTE-35 with incorrect program specified
  + va: do not post error message
    when push fails
  + vkupload/vkdownload: Fix possible corrupted image due to mismatched stride/padding
  + vtdec:
    - Avoid blocking decoder output callback
    - Avoid locking up during a decoder reset
    - Deadlock when restarting pipeline
    - Fix deadlock when restarting pipeline
  + webrtc: take ownership of src_bin and sink_bin and don't leak error message
  + Require C std gnu11 or c11, remove custom 'restrict' definition, fixing build with Qt 6.11

==== gstreamer-plugins-base ====
Version update (1.28.2 -> 1.28.3)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Update to version 1.28.3:
  + appsink, appsrc: Allow passing NULL callbacks
  + appsrc: Fix dropped counting with bufferlist
  + audioaggregator:
    - Don't drop pending input buffers on sinkpads on srcpad caps changes
    - Don't reset samples_per_buffer unless sample rate / output-buffer-duration has changed
    - Don't try converting buffers on caps changes if impossible
  + audioresample: Fix extra samples produced at speech-to-silence transitions
  + audio-resampler-neon: fix Thumb encoding and use Clang O2 calculation for strides
  + audio sounds strange on release 1.28.2 for armv7hf
  + decodebin2: fix leak of endpads list on shutdown while exposing
  + discoverer: Take the DISCO_LOCK while parsing stream topology
  + exiftag: Use a hashtable instead of a linked list for storing the pending tags
  + gl: add GBRA swizzle support
  + id3v2:
    - Add input validation and refactor id3v2_ununsync_data
    - Check valid frame sizes more
  + opengl: Fix glcolorconvert vertical flip issue on crop
  + glcolorconvert: GBRA input hits unreachable swizzle path
  + subparse / samiparse: Various robustness fixes and minor other fixes
  + subparse:
    - Fix memory leakage for text colour and background colour
    - O(N^2) complexity in SAMI parser causes timeout with crafted large input
  + tag:
    - Prevent ubsan and wrong fraction usage
    - Off-by-one checking for id3v2 unnsync tag parsing
  + video: add precondition check on dma helpers
  + videodmabufpool: Break ref cycle between the pool and its thread

==== gstreamer-plugins-good ====
Version update (1.28.2 -> 1.28.3)
Subpackages: gstreamer-plugins-good-gtk

- Update to version 1.28.3:
  + adaptivedemux/hlsdemux assertions / fixes
  + avidemux:
    - Fix divide by zero if VPRP contains fields==0
    - Divide-by-Zero in vprp parser
  + isomp4:
    - Fix memory leak when file is corrupted
    - qtdemux: Add bounds checks for ESDS descriptors
  + matroska: Fix wrong object type bug
  + qml6glsink: Fix redraw issues on buffer change
  + qtdemux: Check for minimum stride requirements and width/height constraints with uncompressed video
  + rtspsrc:
    - mki is optional upon crypto update
    - mikey without mki failure
    - include user-agent property in HTTP tunnel requests
  + v4l2: object: Fix caps filtering in caps negotiation
  + v4l2transform: release input buffers earlier
  + wavparse:
    - Remove assertion about upstream file size
    - Recover from invalid av_bps instead of failing
    - Assert and execute an integer overflow on invalid duration
  + Require C std gnu11 or c11, remove custom 'restrict' definition, fixing build with Qt 6.11

==== gstreamer-plugins-rs ====
Version update (1.28.2 -> 1.28.3)

- Update to version 1.28.3:
  + fallbacksrc: Add fallback-source and enable-dummy properties
  + isobmff: Change caps updates in test to not be delayed
  + quinn: Disable tests which were flaky
  + quinnwtsrc/sink: Fix session close
  + rtpbin2: examples: fix audio resyncs, stream offsets and frame drops
  + rtprecv: extend jitter accounted for
  + threadshare: add leaky mode to dataqueue-based elements
  + tracers: feature gate remaining PluginAPIFlags makers behind doc
  + webrtcsink:
    - Actually allow custom signaller to be set
    - Adding imx8mp vpuenc_hevc support for 265
  + Switch from std::os::raw to
    std::ffi for C types
  + Update dependencies
  + all: address clippy 1.95.0 suggestions
  + Fix new 1.95 clippy warnings

==== javapackages-tools ====
Version update (6.4.1 -> 6.5.1)
Subpackages: javapackages-filesystem

- Upgrade to upstream version 6.5.1
  * Changes
    Bump actions/setup-python from 5 to 6
    Bump actions/checkout from 4 to 6
    Bump codecov/codecov-action from 4.6.0 to 5.5.2
    Remove Codecov call from GitHub CI workflow
    Remove unused and outdated Vagrantfile
    Java launcher script improvements
    Add jpackage_script manpage
    Implement feature conditionals
    Fix installation of jpackage_script.7 manpage
- Modified patch:
  * python-optional.patch
  * suse-use-libdir.patch
    + rediff
- Make the gradle and ivy support configurable

==== kactivitymanagerd6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kde-cli-tools6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kde-gtk-config6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: kde-gtk-config6-gtk3

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kdecoration6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libkdecorations3-6 libkdecorations3private2

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kdeplasma6-addons ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * applets/weather: Fix typo on fallback icon
    name

==== kernel-source ====
Version update (7.0.5 -> 7.0.7)
Subpackages: kernel-64kb kernel-default

- Update patches.kernel.org/7.0.2-014-f2fs-fix-to-avoid-uninit-value-access-in-f2fs_s.patch (bsc#1012628 CVE-2026-43349 bsc#1265131).
- Update patches.kernel.org/7.0.2-024-smb-client-require-a-full-NFS-mode-SID-before-r.patch (bsc#1012628 CVE-2026-43350 bsc#1264985).
- Update patches.kernel.org/7.0.2-042-mshv_vtl-Fix-vmemmap_shift-exceeding-MAX_FOLIO_.patch (bsc#1012628 CVE-2026-43348 bsc#1264981).
- Update patches.kernel.org/7.0.7-306-ksmbd-validate-inherited-ACE-SID-length.patch (bsc#1012628 CVE-2026-43490).
  suse-add-cves
- commit f1d450c
- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit 67ebcde
- selftests/namespaces: Skip efault tests when listns() is not available (poo#196367).
- selftests/namespaces: Fix waitpid race in listns_efault_test cleanup (poo#196367).
- selftests/namespaces: Kill grandchild in nsid fixture teardown (poo#196367).
- commit 37898a9
- Linux 7.0.7 (bsc#1012628).
- scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() (bsc#1012628).
- ipmi: Add limits to event and receive message requests (bsc#1012628).
- ipmi: Check event message buffer response for bad data (bsc#1012628).
- ipmi:si: Return state to normal if message allocation fails (bsc#1012628).
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free (bsc#1012628).
- ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states (bsc#1012628).
- ACPI: scan: Use acpi_dev_put() in object add error paths (bsc#1012628).
- ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO (bsc#1012628).
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug (bsc#1012628).
- ACPI: video: force native backlight on HP OMEN 16 (8A44) (bsc#1012628).
- tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() (bsc#1012628).
- iommufd: Fix a race with concurrent allocation and unmap (bsc#1012628).
- ASoC: SOF: Don't allow pointer operations on unconfigured streams (bsc#1012628).
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command (bsc#1012628).
- spi: rockchip: fix controller deregistration (bsc#1012628).
- ksmbd: rewrite stop_sessions() with restartable iteration (bsc#1012628).
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (bsc#1012628).
- flow_dissector: do not dissect PPPoE PFC frames (bsc#1012628).
- smb: client/smbdirect: fix MR registration for coalesced SG lists (bsc#1012628).
- net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked (bsc#1012628).
- exit: prevent preemption of oopsing TASK_DEAD task (bsc#1012628).
- wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr (bsc#1012628).
- wifi: mt76: mt7925: fix incorrect length field in txpower command (bsc#1012628).
- wifi: mt76: mt7921: fix a potential clc buffer length underflow (bsc#1012628).
- wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work (bsc#1012628).
- wifi: b43legacy: enforce bounds check on firmware key index in RX path (bsc#1012628).
- wifi: mac80211: drop stray 'static' from fast-RX rx_result (bsc#1012628).
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop (bsc#1012628).
- wifi: mac80211: use safe list iteration in radar detect work (bsc#1012628).
- wifi: ath5k: do not access array OOB (bsc#1012628).
- wifi: mac80211: remove station if connection prep fails (bsc#1012628).
- wifi: b43: enforce bounds check on firmware key index in b43_rx() (bsc#1012628).
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task (bsc#1012628).
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response (bsc#1012628).
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl (bsc#1012628).
- ALSA: usb-audio: midi2: Restart output URBs on resume (bsc#1012628).
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() (bsc#1012628).
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check (bsc#1012628).
- usb: dwc3: Move GUID programming after PHY initialization (bsc#1012628).
... changelog too long, skipping 631 lines ...
- commit 6661b4c

==== kgamma6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kglobalacceld6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libKGlobalAccelD6-0

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * Load shortcuts from desktop file and config in the same order
  * Remove duplicate key sanitization logic

==== kinfocenter6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kmenuedit6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== knighttime6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libKNightTime0

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * Resubscribe to the daemon if it is restarted

==== kpipewire6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: kpipewire6-imports libKPipeWire6 libKPipeWireDmaBuf6 libKPipeWireRecord6

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kscreen6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see
    https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * kcm: hide ddc/ci option when HDR is enabled (kde#518532)
  * kcm: do not allow gaps when creating replicas (kde#515754,kde#519397)
  * output_model: remove off-by-one causing if statement (kde#515754)

==== kscreenlocker6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libKScreenLocker6

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * PamAuthenticator: Emit failed on authentication attempts that happen too soon (kde#515299)

==== ksshaskpass6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== ksystemstats6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kwayland-integration6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kwayland6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libKWaylandClient6

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== kwin6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libkwin6

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * backends/x11: Fix interactive output resizing
  * Temporarily reference Windows during compositing
  * backends/drm: only update outputs on GPUs that actually
    changed (kde#519461)
  * rules: make checkGeometrySafe actually safe (kde#466119)
  * backends/drm: drop dmabuf import modes
  * backends/drm: don't attempt multi GPU copies with unsupported formats (kde#517987)
  * input: Map devices to device outputs, not logical (kde#514688)
  * Fix passing fullscreen to the X11 backend
  * input: Process key repeat before A11yKeyboardMonitor (kde#519143)
  * backends/drm: Check flags when comparing modes
  * virtualdesktops: add missing connection to save desktop names (kde#512212)
  * opengl/eglcontext: add asserts for eglMakeCurrent
  * backends/drm: Fix restoring custom modes after reboot
  * backends/drm: Match output modes differently
  * Make removed flag separate state in OutputMode
  * Track preferred output mode flags
  * Fix saving custom output modes
  * Cleanup keyboard grabs
  * activation: restore code updating layers of fullscreen windows (kde#484155)
  * backends/libinput: Fix dangling InputDevices on shutdown
  * plugins/highlightwindow: Better handling of windows during highlight/ghost operations
  * plugins/highlightwindow: Don't animate deleted or invisible windows
  * backends/drm: set COLOR_RANGE to full for RGB planes on NVIDIA
  * plugins/colorpicker: use GL_RGBA instead of GL_RGB, to support OpenGL ES (kde#518770)

==== kwin6-x11 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libkwin-x11-6

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== layer-shell-qt6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libLayerShellQtInterface6

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== libapparmor ====
Version update (4.1.7 -> 5.0.0)

- add lsusb.diff: fix lsusb profile
- add wpa_supplicant.diff: fix wpa_supplicant profile (boo#1265377)
- add syslog-ng-slashes.diff: avoid double slashes (and therefore a
  path mismatch) in syslog-ng profile
- Use %{_tmpfilesdir} macro and package apparmor.conf tmpfiles configuration.
- add allow-read-slash.diff and postfix-profiles-slash.diff to allow reading / in samba, dovecot and postfix profiles (boo#1263051)
- update to AppArmor 5.0
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0 for the full upstream changelog
- update lessopen.sh profile to abi/5.0
- enable all tests in profiles/
- Add and use tmpfiles.d/apparmor.conf for log and cache path creation (jsc#PED-14916) (jsc#PED-14917)
  + drop removal of pre-2.12 cache location
  + retain "apparmor_parser --purge-cache" calls for non-transactional systems
- update to AppArmor 5.0rc5
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc5
- drop upstreamed parser-lib-path.diff
- update to AppArmor 5.0rc4
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc4 for the full upstream changelog
- add BR libzstd-devel
- add parser-lib-path.diff to ensure parser finds libapparmor in make check
- refresh apache-extra-profile-include-if-exists.diff
- add 'make -C init' (apparmor.service and aa-teardown now live in a separate directory)

==== libei ====
Version update (1.5.0 -> 1.6.0)

- Update to release 1.6.0
  * A new ei_text interface that provides the ei_text.keysym and ei_text.utf8 requests and events. These allow an emulating client to send keysyms or straight utf8, useful for situations where a keysym needs to be sent independent of the available keymap on the ei_keyboard device.
  * Preparatory work for future table support:
  * ei_device.ready is a request sent by compatible clients after ei_device.done to notify the EIS implementation that the client is done with any device-specific configuration.
  * ei_seat.request_device is a request sent by compatible clients to request a device with specific capabilities. The EIS implementation is not required to honor this request.

==== libinput ====
Version update (1.31.1 -> 1.31.2)
Subpackages: libinput-udev libinput10

- Update to release 1.31.2
  * A bunch of device-specific quirks
  * Fix for the new fast-swipe interaction during 3fg dragging. A wrong timestamp calculation could cause slow movements to be interpreted as swipes in some cases.
  * A fix for the Acer Swift SFX14-73G (and likely other devices with a similar touchpad) fixes a stuttering cursor caused by wrong SYN_REPORT handling in libinput.

==== libksba ====
Version update (1.7.0 -> 1.8.0)

- Update to 1.8.0:
  * New function ksba_cms_get_attribute. [rKf40bfced7c]
  * Support building of unsigned attributes with ksba_cms_add_attribute. [rK54d7e3bea8]
  * Release-info: https://dev.gnupg.org/T8253

==== libkscreen6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libKF6Screen8 libKF6ScreenDpms8 libkscreen6-plugin

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== libksysguard6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: ksysguardsystemstats6-data libKSysGuardSystemStats2 libksysguard6-imports libksysguard6-plugins

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * Choices.qml: Add Kirigami.OverlayZStacking

==== libmodulemd ====

- Build different flavors for Python subpackages

==== libplasma6 ====
Version update (6.6.4 -> 6.6.5)
Subpackages: libPlasma7 libplasma6-components libplasma6-desktoptheme

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5
  * Update height instead of width when implicitHeightChanged

==== librsvg ====
Version update (2.62.0 -> 2.62.2)
Subpackages: librsvg-2-2 typelib-1_0-Rsvg-2_0

- Update to version 2.62.2:
  + librsvg crate version 2.62.2
  + librsvg-rebind
    crate version 0.3.0
  + Fix blurry embedded SVG images by rasterizing them at device resolution.
  + Fix build when gobject-introspection is enabled but gdk-pixbuf is disabled.
- Changes from version 2.62.1:
  + librsvg crate version 2.62.1
  + librsvg-rebind crate version 0.3.0
  + There are no changes from 2.62.0, just an update of the image-rs crate to align it with the rest of GNOME 50's versions for dependencies.

==== libselinux ====
Subpackages: libselinux1 selinux-tools

- Change License from SUSE-Public-Domain to LicenseRef-SUSE-Public-Domain due to rpmlint invalid-license warning.

==== libselinux-bindings ====

- Change License from SUSE-Public-Domain to LicenseRef-SUSE-Public-Domain due to rpmlint invalid-license warning.

==== libsolv ====
Version update (0.7.36 -> 0.7.37)
Subpackages: libsolv-tools-base libsolv1 ruby-solv

- fix parsing of sha512 checksums in debian repositories
- improve speed of dirpool_add_dir making parsing of filelists.xml twice as fast
- fix parsing of recommends in the old Mandriva synthesis format
- bump version to 0.7.37

==== libstorage-ng ====
Version update (4.5.314 -> 4.5.320)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Spanish) (bsc#1149754)
- 4.5.320
- merge gh#openSUSE/libstorage-ng#1073
- make parser for /proc/mdstat more robust
- added test cases
- 4.5.319
- Translated using Weblate (Chinese (China) (zh_CN)) (bsc#1149754)
- 4.5.318
- Translated using Weblate (Chinese (Taiwan) (zh_TW)) (bsc#1149754)
- merge gh#openSUSE/libstorage-ng#1072
- fixed logging empty lines
- added test cases
- 4.5.317
- merge gh#openSUSE/libstorage-ng#1071
- improved xml parser
- coding style
- 4.5.316
- merge gh#openSUSE/libstorage-ng#1070
- fixed test
- added tests
- use modern C++
- minor improvements
- 4.5.315

==== libzypp ====
Version update (17.38.7 -> 17.38.8)

- Mandatory signature verification plugin support (PED#11922)
- version 17.38.8 (35)

==== milou6 ====
Version update (6.6.4 -> 6.6.5)

- Update to
  6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== net-snmp ====
Subpackages: libsnmp45 perl-SNMP snmp-mibs

- net-snmp Immutable Mode adaptation
  * implementation task jsc#PED-14728 from epic jsc#PED-14688
  * modify net-snmp.spec
  * modify net-snmp-tmpfs.conf

==== ntfs-3g_ntfsprogs ====
Subpackages: libntfs-3g89 ntfs-3g ntfsprogs

- Remove last remnants of update-alternatives.

==== ocean-sound-theme6 ====
Version update (6.6.4 -> 6.6.5)

- Update to 6.6.5:
  * New bugfix release
  * For more details see https://kde.org/announcements/plasma/6/6.6.5
- Changes since 6.6.4:
  * Update version for new release 6.6.5

==== open-vm-tools ====
Version update (13.0.10 -> 13.1.0)
Subpackages: libvmtools0 open-vm-tools-desktop

- update to 13.1.0 release based on build 25218885: (boo#1265304)
  Please refer to the Release Notes at https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/ReleaseNotes.md.
  Support for GNOME Toolkit version 4.
  This release of open-vm-tools supports building with either the GNOME Toolkit version 4 (GTK4) or to continue using version 3 (GTK3). The configure script will accept options to restrict the build to either GTK3 or GTK4. If no restriction is applied, the latest version for which the required development package(s) are installed will be used.
  Please see the What's New section of the Release Notes for details.
  The following github issues have been resolved:
  - issue #707
  - issue #763
  The granular changes that have gone into the open-vm-tools 13.1.0 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/open-vm-tools/ChangeLog.
  For a more complete description of what is new in this release, see the What's New and Resolved Issues sections of the Release Notes.
  https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/ReleaseNotes.md#whatsnew
  https://github.com/vmware/open-vm-tools/blob/stable-13.1.0/ReleaseNotes.md#resolved-issues

==== openSUSE-release ====
Version update (20260512 -> 20260517)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openblas_openmp ====

- Run test_sbgemm only if it was built

==== openblas_pthreads ====

- Run test_sbgemm only if it was built

==== openexr ====
Version update (3.4.9 -> 3.4.11)
Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33

- version update to 3.4.11
  * [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217) Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`)
  * [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216) Out-of-bounds read in `IDManifest::init()` during prefix expansion
  * [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142) Integer overflow in `ImageChannel::resize` leads to heap OOB write via OpenEXRUtil public API
  * OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155) Heap-buffer-overflow in `DwaCompressor_uncompress`
  * OSS-fuzz [505062709](https://issues.oss-fuzz.com/issues/505062709) Null-dereference READ in `Imf_3_3::prefixFromLayerName`
- version update to 3.4.10
  * [CVE-2026-39886](https://www.cve.org/CVERecord?id=CVE-2026-39886) HTJ2K Signed Integer Overflow in `ht_undo_impl()`
  * [CVE-2026-40244](https://www.cve.org/CVERecord?id=CVE-2026-40244) Integer overflow in DWA `setupChannelData` `planarUncRle` pointer arithmetic (missed variant of CVE-2026-34589)
  * [CVE-2026-40250](https://www.cve.org/CVERecord?id=CVE-2026-40250) Integer overflow in DWA decoder `outBufferEnd` pointer arithmetic (missed variant of CVE-2026-34589)
- fixes [bsc#1264354], [bsc#1264356], [bsc#1264353]

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Update
openssh-7.7p1-fips.patch (bsc#1264787): Add the rijndael alias to the list of all ciphers, making the FIPS list a strict subset. ==== openssl-3 ==== Subpackages: libopenssl3 - POWER performance enhancements * Optimized MLDSA NTT, supports p8 and above architectures (jsc#PED-14569) * Add patch: openssl-ppc64le-Optimized-MLKEM-NTT-supports-p8-ISA-2.07-and-above-architectures.patch ==== pam_kwallet6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: pam_kwallet6-common - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== patterns-base ==== Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced - use distrobox instead of toolbox on SLE (jsc#PED-13820) - do not require vim-small if vim is installed (bsc#1262334) ==== perl-CGI ==== Version update (4.710.0 -> 4.720.0) - updated to 4.720.0 (4.72) see /usr/share/doc/packages/perl-CGI/Changes 4.72 2026-05-05 [ INTERNALS ] - fix regression due to edge case bug introduced in 4.71 (GH #278, thanks to dddonovan) ==== perl-CryptX ==== Version update (0.87.0 -> 0.89.0) - updated to 0.89.0 (0.089) see /usr/share/doc/packages/perl-CryptX/Changes 0.089 2026-05-10 - new: Crypt::ASN1 - new: Crypt::AuthEnc::SIV - new: Crypt::AuthEnc::XChaCha20Poly1305 - new: Crypt::Cipher::SM4 - new: Crypt::Digest::TurboSHAKE - new: Crypt::Digest::KangarooTwelve - new: Crypt::PK::Ed448 - new: Crypt::PK::X448 - new: Crypt::Stream::XChaCha - new: Crypt::Stream::XSalsa20 - Crypt::PK::Ed25519 - new functions: sign_message_ctx, verify_message_ctx, sign_message_ph, verify_message_ph - Crypt::Digest: object digest accessors now finalize the object; use reset() before reuse - Crypt::Mac + Crypt::AuthEnc: finalized-object 
lifecycle is now enforced consistently - security/hardening fixes across Digest/Mac/AuthEnc/Mode/Stream/PK/PRNG - fixes related to wycheproof test suite - documentation cleanup & improvements - support for RFC 8702 RSA-PSS-SHAKE128/256 and ECDSA-SHAKE128/256 - support for FRP256v1 elliptic-curve - bundled libtomcrypt update branch:develop (commit: 8b5af49b 2026-05-06) 0.088 2026-04-23 - Crypt::KeyDerivation - new functions: pbkdf1_openssl, bcrypt_pbkdf, scrypt_pbkdf, argon2_pbkdf - Crypt::Misc - new functions: random_v7uuid, is_uuid - bundled libtomcrypt update branch:develop (commit: 2e441a17 2026-04-15) - bundled libtommath update branch:develop (commit: ae40a87 2026-04-20) - security fix CVE-2026-41564 https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-24c2-gp6c-24c6 bsc#1262697 ==== perl-Net-CIDR-Lite ==== Version update (0.220.0 -> 0.240.0) - updated to 0.240.0 (0.24) see /usr/share/doc/packages/perl-Net-CIDR-Lite/Changes 0.24 2026-05-10 - Security: (CVE-2026-45190) Reject Unicode digits and trailing newlines in parser inputs. bsc#1264710 - Security: (CVE-2026-45191) Reject zero-padded CIDR masks. bsc#1264709 0.23 2026-04-10 - Security: (CVE-2026-40199) Fix IPv4 mapped IPv6 packed length. bsc#1262088 - Security: (CVE-2026-40198) Reject invalid uncompressed IPv6. bsc#1262088 ==== perl-libwww-perl ==== Version update (6.820.0 -> 6.830.0) - updated to 6.830.0 (6.83) see /usr/share/doc/packages/perl-libwww-perl/Changes 6.83 2026-05-12 11:41:48Z - LWP::UserAgent now strips Authorization and Proxy-Authorization headers on cross-origin redirects (a different scheme, host, or port) to prevent credential leakage to the redirect target. Same-origin redirects retain credentials. Opt out with allow_credentialed_redirects => 1. CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig Palmquist. - LWP::UserAgent now refuses https to http redirects by default to prevent leaking remaining request headers and bodies over plaintext. 
Opt in with allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by Stig Palmquist. bsc#1265156 ==== permissions ==== Version update (1699_20260217 -> 1699_20260512) Subpackages: permctl permissions-config - Update to version 1699_20260512: * iputils: Fix capability permissions for clockdiff * profiles: drop nfs-utils rmtab entry * README: document RPM installation time race condition ==== pipewire ==== Version update (1.6.4 -> 1.6.5) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-jack pipewire-libjack-0_3 pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 1.6.5: * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases. * Highlights - Fix muted output in some cases. - Removed the pipe filter in filter-graph. - More fixes and improvements. * PipeWire - Fix an issue in pw-filter where it could end up in a loop where buffers are stuck on a port and the port becomes silent. (#5249 (closed)) * Modules - Improve ROC receiver start/stop, fixes memory leaks. (#5250 (closed)) - Remove the pipe filter from filter-graph, it's broken by design and a security nightmare. - Fix the midi buffer size in jack-tunnel. * SPA - Rate limit out-of-buffers errors. (#5249 (closed)) - Partially revert the line-out mute patch, it seems to break things and leave audio muted when plugging-unplugging jacks. (#5246) - Improve renegotiation in audioconvert when the graph rate changes and the resampler was disabled. (#4933 (closed)). - Fix potential crash in alsa when logging. * Pulse-server - A whole bunch of extra security checks and hardening fixes. 
==== plasma5support6 ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasma5Support6 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-activities ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasmaActivities7 plasma6-activities-imports - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-activities-stats ==== Version update (6.6.4 -> 6.6.5) Subpackages: libPlasmaActivitiesStats1 - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-browser-integration ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-desktop ==== Version update (6.6.4 -> 6.6.5) Subpackages: plasma6-desktop-emojier plasma6-kimpanel-ibus - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applets/kicker: open category on return again * applets/kicker: don't show sidebar scrollbar without screen (kde#517535) * kcms/tablet: Improve line drawing * kcms/tablet: Initially set start position (kde#519600) * kcm_keys_test: Fix shortcut element name * kcms/keyboard: Fix KeyBindings resetButton positioning * keysrunner: Align dbus path sanitization with kglobalacceld which fixes triggering plasma-systemmonitor actions using krunner * applets/kicker: don't activate when dropping * applets/kicker: match background opacity in submenus (kde#517495) ==== plasma6-disks ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New 
bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-integration ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * qt6/KFontSettingsData: Chop off extra fontString items for versions under 6.11 (kde#519185) ==== plasma6-nm ==== Version update (6.6.4 -> 6.6.5) Subpackages: plasma6-nm-openconnect plasma6-nm-openvpn plasma6-nm-pptp plasma6-nm-vpnc - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applet: Fix accessibility of switches (kde#519217) * Ensure that placeholder is not visible when applet closes (kde#511367) * Keep focus on password field when hovering another delegate (kde#454523,kde#510784) ==== plasma6-openSUSE ==== Subpackages: plasma6-branding-openSUSE plasma6-sddm-theme-openSUSE plasma6-theme-openSUSE - Update to 6.6.5 ==== plasma6-pa ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Explicitly set text format on label ==== plasma6-print-manager ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Port PrinterDelegate to required properties (kde#518705) ==== plasma6-systemmonitor ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== plasma6-thunderbolt ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: *
New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - No code changes since 6.6.4 ==== plasma6-workspace ==== Version update (6.6.4 -> 6.6.5) Subpackages: plasma6-session plasma6-session-x11 plasma6-workspace-libs sddm-qt6-branding-openSUSE - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * applets/kicker: show separator after service runner Recent Files (kde#518978) * kcms/font: Make buttons accessible (kde#519471) * runners/helprunner: Fix broken icon and text * xembedsniproxy: fix icon transparency * libkworkspace: Handle new states from logind (kde#518174) * ktimezoned.cpp: Fix what appears a copy-paste error * appiumtests: fix race condition in mediacontrollertest MPRIS player * appiumtests: fix D-Bus Properties Get return type in mediacontrollertest * appiumtests: fix unstable D-Bus activated plasmoid test in CI * kcms/soundtheme: Use on(Double)Clicked from GridDelegate instead of custom TapHandler * logout: Fix broken text legibility with themes like Air and Breeze Light (kde#518001) * klipper: always set clipboard when moving entry to top (kde#514095) * SourcesPage: Fix sourceDelegate padding calculations * kcms/region_language: fix locale suffix matching (kde#518878) * applets/systemtray: Fix scroll orientation string case mismatch * applets/notifications: fix null-guard bugs in Globals.qml (kde#519046) * Fix kde_output_device_v2 bind version in devicenotifications * libclock: Fix stale transition metadata on timezone change * applets/activitybar: import Kirigami * libclock: fix lockscreen timezone init race on multi-screen - Drop patches, now upstream: * 0001-libkworkspace-Handle-new-states-from-logind.patch ==== polkit-default-privs ==== Version update (1550+20260428.f2a5d2e -> 1550+20260513.3b99372) - Update to version 1550+20260513.3b99372: * profiles: whitelist apparmor aa-notify.from_file action
(bsc#1265157) ==== polkit-kde-agent-6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== powerdevil6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Fix screen brightness stuck at 30% after PowerDevil restart (kde#513809) ==== python-gobject ==== Version update (3.56.2 -> 3.56.3) Subpackages: python311-gobject python311-gobject-Gdk python311-gobject-cairo python313-gobject python313-gobject-Gdk python313-gobject-cairo - Update to version 3.56.3: + Fix crash when user_data is defined before callback + Add missing msg argument to asyncio cancel() + Fix potential buffer overflow errors + Fix memory leak when initializing GTK templates ==== python-numpy ==== Version update (2.4.3 -> 2.4.4) Subpackages: python311-numpy python313-numpy - Force "none" cpu-baseline on x86_64 and %{ix86} only - Ignore test_cpu_features test failure on s390x - Ignore test_einsum test failure on %{ix86} - Update to 2.4.4 * np.linalg.norm returned different value after update to 2.4.2 * fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP * avoid warning on ufunc with where=True and no output * document caveats of ndarray.resize on 3.14 and newer * fix POWER VSX feature mapping * numpy.i: Replace deprecated sprintf with snprintf - Set `cpu_baseline` build option to `none` to be compatible with the widest arrays of CPU (including `qemu` and older CPUs; bsc#1261151). ==== python-packaging ==== Version update (26.0 -> 26.2) - Add missing test BuildRequires on hypothesis. 
- update to 26.2: * Fix incorrect sysconfig var name for pyemscripten in * Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) (:pull:`1163`, :pull:`1168`, :pull:`1170`, :pull:`1171`) * Re-export ExceptionGroup in metadata for now in (:pull:`1164`) * Add errors section and fix missing details in (:pull:`1159`) * Document our property-based test suite in (:pull:`1167`) * Fix a DirectUrl typo in (:pull:`1167`) * Add example of is_unsatisfiable in (:pull:`1166`) * Enable the auditor persona on zizmor in (:pull:`1158`) * Test new pickle guarantees in (:pull:`1174`) * Use new native ReadTheDocs uv integration in (:pull:`1175`) * PEP 783: add handling for Emscripten wheel tags in (:pull:`804`) (old name used in implementation, fixed in next release) * PEP 803: add handling for the abi3.abi3t free-threading tag * PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:`1065`) * Add the packaging.direct_url module in (:pull:`944`) * Add the packaging.errors module in (:pull:`1071`) * Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:`1119`) * Add create_compatible_tags_selector to select compatible tags in (:pull:`1110`) * Add a key argument to SpecifierSet.filter() in (:pull:`1068`) * Support & and | for Marker's in (:pull:`1146`) * Normalize Version.__replace__ and add Version.from_parts in * Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:`1150`) * Narrow exclusion of pre-releases for V to match spec in * Rename format_full_version to _format_full_version to make it visibly private in (:pull:`1125`) * Restrict local version to ASCII in (:pull:`1102`) * Add pylock select function in (:pull:`1092`) * Document pylock select() method and PylockSelectError in (:pull:`1153`) *
Add filename property to PackageSdist and PackageWheel, more validation in (:pull:`1095`) ==== python-urllib3 ==== Version update (2.6.3 -> 2.7.0) Subpackages: python311-urllib3 python313-urllib3 - Update to 2.7.0 (CVE-2026-44432, bsc#1265266, CVE-2026-44431, bsc#1265267): [#]# Security Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal. * Decompression-bomb safeguards of the streaming API were bypassed: See GHSA-mf9v-mfxr-j63j for details. * HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc) [#]# Deprecations and Removals * Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (#3763) * Removed support for end-of-life Python 3.9. (#3720) * Removed support for end-of-life PyPy3.10. (#4979) * Bumped the minimum supported pyOpenSSL version to 19.0.0. (#3777) [#]# Bugfixes * Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (#3636) * Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (#4967) * Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (#3793) * Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (#3798) * Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (#3352) * Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. 
(#3764) ==== qqc2-breeze-style6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Revert "ToolButton: Fix flat mode not inheriting background color scheme" ==== rsync ==== - Security update (CVE-2026-41035, bsc#1262223): rsync: count of entries mismatch can lead to a use-after-free - Add rsync-CVE-2026-41035.patch ==== ruby4.0 ==== Version update (4.0.3 -> 4.0.4) Subpackages: libruby4_0-4_0 - make install also need the locale set on 15.x - Update to 4.0.4 - Bug #21955: Fiber#transfer: machine stack not released when fiber terminates, causing FiberError: can't set a guard page - Ruby - Ruby Issue Tracking System - Bug #21964: Fiber stack acquire can expand unnecessarily - Ruby - Ruby Issue Tracking System - Bug #21971: Fix regexp performance regression for patterns starting with s/k - Ruby - Ruby Issue Tracking System - Bug #21961: Marshal.load freeze option fail to freeze linked strings - Ruby - Ruby Issue Tracking System - Bug #21959: rb_internal_thread_event_hooks_rw_lock is not reinitialized after fork causing deadlocks - Ruby - Ruby Issue Tracking System - Bug #21954: NoMethodError instead of Gem::LoadError on gem activation problem in Ruby 4.0.2 - Ruby - Ruby Issue Tracking System - Bug #21844: Inconsistent ArgumentError message for Data::define.new - Ruby - Ruby Issue Tracking System - Bug #21992: Defining BasicObject#initialize causes segmentation fault - Ruby - Ruby Issue Tracking System - Bug #22018: ISeq created via RubyVM::InstructionSequence.compile don't support coverage - Ruby - Ruby Issue Tracking System - Bug #21985: RubyVM::AST negative numbers do not include - in location - Ruby - Ruby Issue Tracking System - Bug #21986: RubyVM::AST incorrect location for literals followed by modifier if - Ruby - Ruby Issue Tracking System - Bug #21933: Ruby::Box: named capture local variable can become nil 
after non-matching lines - Ruby - Ruby Issue Tracking System - Bug #21940: Ruby::Box: $_ returns stale value due to gvar_tbl caching - Ruby - Ruby Issue Tracking System - Bug #22004: parse.y doesn't executes loop body with while true || true condition - Ruby - Ruby Issue Tracking System - Bug #21952: Ruby::Box double free at process exit when fiddle/import is required in multiple boxes - Ruby - Ruby Issue Tracking System - Bug #22003: .bundle extensions not built when doing out-of-source build - Ruby - Ruby Issue Tracking System - Bug #22002: argument stack underflow (-1) - Ruby - Ruby Issue Tracking System ==== rubygem-gem2rpm ==== - update suse.patch - fix copyright header - fix BR order - update suse.patch - remove unneeded buildrequires for u-a ==== salt ==== Subpackages: python311-salt salt-master salt-minion - Use non vendored tornado with Python 3.11 (bsc#1257583, bsc#1259700) - Added: * use-non-vendored-tornado-with-python-3.11.patch ==== sddm-kcm6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== selinux-policy ==== Version update (20260414 -> 20260508) Subpackages: selinux-policy-targeted - Update to version 20260508: * Add boolean ntp_refclock_access (bsc#1262711) * Add /var/log/ntp in ntp named filetrans interface (bsc#1262711) * Allow thump_t setattr on thumb_tmp_t lnk_files * Allow accounts-daemon read accountsd_share_t symlinks (bsc#1262502) * Label /usr/bin/sudo-rs and /usr/bin/su-rs * Allow pwupdd to read cracklib (bsc#1259138) * Allow pwupdd to log to audit log (bsc#1259138) * Move accountutils_pwaccessd_varlink_socket_connect from auth_use_pam (bsc#1259138) * Allow gpsd the setcap process capability * Add note about the process to merge template * Add mgetty_allow_sendfax boolean (bsc#1258666) * Do not backslash-escape underscores in file context specifications * Label /var/log/mgetty.* 
getty_log_t (bsc#1258666) * Allow systemd_homework_t to delete systemd_homed_record_t dirs (bsc#1261359) * Allow sshd-auth/sshd-session get attributes of their sshd parent * Allow systemd-tmpfiles to adjust resource limits * Allow logwatch to getattr nsfs files * Allow xdm dbus chat with rhsmcertd * Allow dhcpc_hook_t unix_dgram_socket and module_request * Allow accountsd list accountsd_share_t dirs ==== shaderc ==== Version update (2026.1 -> 2026.2) - Update to release 2026.2 * Test GL_EXT_descriptor_heap ==== spectacle ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * OptionsMenu: Drop double ownership of delay widgets * Keep spectacle alive briefly after copying screenshots (kde#) * SelectionEditor: Don't call setShowMagnifier in hoverMoveEvent (kde#509776,kde#509777) * CaptureOverlay: Fix checking the wrong showMagnifier property when activating the magnifier loader * fix: viewer window not hiding when quit-after-export is enabled ==== suse-module-tools ==== Version update (16.1.4 -> 16.1.5) Subpackages: suse-module-tools-scriptlets - Update to version 16.1.5: * Support XBOOTLDR (jsc#PED-16142) * modprobe.conf: split RNDIS blacklist, add interactive unblacklist support (boo#1262299, boo#1217268) * weak-modules2: don't remove symlinks in the rpm --reinstall case (bsc#1257055) ==== systemsettings6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * Set accessible text for back button (kde#519333) * Fix empty category in sidebar when "Highlight Changed Settings" is enabled (kde#518868) * systemsettingsrunner: add correct file URLs to the kickoff and krunner entries. 
(kde#500259) * Ignore warnings from qt.qpa.services ==== tree-sitter ==== - Also don't provide lib%{name}%{somajor}: this is already the sub package's exact name and as such is implicitly provided. - We actually don’t provide lower version APIs and it is not right to claim so. Also, packages linking to this library will ignore it anyway. ==== vulkan-loader ==== Version update (1.4.341 -> 1.4.350) - Update to tag SDK-1.4.350.0 * Fix the wrong extension being used for GGP ==== vulkan-tools ==== Version update (1.4.341 -> 1.4.350) - Update to tag SDK-1.4.350.0 * vulkaninfo: Enable device groups extension * vulkaninfo: Check extensions before querying properties ==== wacomtablet-kcm6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 ==== webkitgtk3 ==== Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - riscv-platformenable.patch: Fix build for riscv64 - Update constraints for riscv64 ==== webkitgtk4 ==== Subpackages: libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles - riscv-platformenable.patch: Fix build for riscv64 - Update constraints for riscv64 ==== xdg-desktop-portal-kde6 ==== Version update (6.6.4 -> 6.6.5) - Update to 6.6.5: * New bugfix release * For more details see https://kde.org/announcements/plasma/6/6.6.5 - Changes since 6.6.4: * Update version for new release 6.6.5 * PortalDialog: fix standard button handling (kde#519631) * ci: disable qmllint ==== yast2 ==== Version update (5.0.20 -> 5.0.21) Subpackages: yast2-logs - Drop the logic for checking TPM2 availability. - The TPM2 check is now provided by yast2-storage-ng (related to jsc#PED-10703). 
- 5.0.21 ==== yast2-storage-ng ==== Version update (5.0.43 -> 5.0.48) - Use the session keyring instead of the user one to communicate with sdbootutil (related to jsc#PED-10703). - 5.0.48 - Make sure to mount sys/kernel/security for the final steps of the installation (related to jsc#PED-10703). - 5.0.47 - Set BLS LEGACY bootloader as BLS (related to jsc#PED-10703). - 5.0.46 - Allow checking if a bootloader type is BLS-compliant (related to jsc#PED-10703). - 5.0.45 - New BlsEfi strategy to be used by Agama to create partitions for booting in a way that is compliant to the BLS specification (related to jsc#PED-10703). - 5.0.44 - Add TPM BLS encryption method (related to jsc#PED-10703). ==== zypper ==== Version update (1.14.96 -> 1.14.97) Subpackages: zypper-log zypper-needs-restarting - Add --filter-version-change to zypper lu. Adds filtering by version change significance to reduce noise in update listings. Supports levels: rebuild (hides rebuild-only changes) and package (hides all release-only changes). - version 1.14.97