Marcus Updateinfo to OVAL Converter5.52026-04-15T05:20:20Security update for go1.25 (Important)openSUSE Leap 16.0
This update for go1.25 fixes the following issues:
Update to go1.25.5.
Security issues fixed:
- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation
(bsc#1254431).
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
(bsc#1251258).
- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
- CVE-2025-47910: net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).
Other issues fixed and changes:
- Version 1.25.5:
* go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
* go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access
is denied, ReOpenFile error handling followup
- Version 1.25.4:
* go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
* go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
* go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
* go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75952 encoding/pem: regression when decoding blocks with leading garbage
* go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access
is denied
* go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
* go#76029 pem/encoding: malformed line endings can cause panics
- Version 1.25.3:
* go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
* go#75777 spec: Go1.25 spec should be dated closer to actual release date
- Version 1.25.2:
* go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
* go#75116 os: Root.MkdirAll can return "file exists" when called concurrently on the same path
* go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75255 cmd/compile: export to DWARF types only referenced through interfaces
* go#75347 testing/synctest: test timeout with no runnable goroutines
* go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75537 context: Err can return non-nil before Done channel is closed
* go#75539 net/http: internal error: connCount underflow
* go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
* go#75669 runtime: debug.decoratemappings don't work as expected
- Version 1.25.1:
* go#74822 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
* go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
* go#75021 testing/synctest: bubble not terminating
* go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
- Packaging: migrate from update-alternatives to libalternatives (bsc#1245878).
- Fix runtime condition for gcc/gcc7 dependency.
- Use at least gcc 7 for all architectures (bsc#1254227).
- Package svgpan.js to fix issues with "go tool pprof" (boo#1249985).
- Drop unused gccgo bootstrap code in go1.22+ (bsc#1248082).
ImportantSUSE bug 1244485SUSE bug 1245878SUSE bug 1247816SUSE bug 1248082SUSE bug 1249141SUSE bug 1249985SUSE bug 1251253SUSE bug 1251254SUSE bug 1251255SUSE bug 1251256SUSE bug 1251257SUSE bug 1251258SUSE bug 1251259SUSE bug 1251260SUSE bug 1251261SUSE bug 1251262SUSE bug 1254227SUSE bug 1254430SUSE bug 1254431CVE-2025-47910 at SUSECVE-2025-47910 at NVDCVE-2025-47912 at SUSECVE-2025-47912 at NVDCVE-2025-58183 at SUSECVE-2025-58183 at NVDCVE-2025-58185 at SUSECVE-2025-58185 at NVDCVE-2025-58186 at SUSECVE-2025-58186 at NVDCVE-2025-58187 at SUSECVE-2025-58187 at NVDCVE-2025-58188 at SUSECVE-2025-58188 at NVDCVE-2025-58189 at SUSECVE-2025-58189 at NVDCVE-2025-61723 at SUSECVE-2025-61723 at NVDCVE-2025-61724 at SUSECVE-2025-61724 at NVDCVE-2025-61725 at SUSECVE-2025-61725 at NVDCVE-2025-61727 at SUSECVE-2025-61727 at NVDCVE-2025-61729 at SUSECVE-2025-61729 at NVDSecurity update for go1.24 (Important)openSUSE Leap 16.0
This update for go1.24 fixes the following issues:
Update to go1.24.11.
Security issues fixed:
- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
(bsc#1251258).
- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation
(bsc#1254431).
Other issues fixed and changes:
- Version 1.24.11:
* go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364
cores
- Version 1.24.10:
* go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75951 encoding/pem: regression when decoding blocks with leading garbage
* go#76028 pem/encoding: malformed line endings can cause panics
- Version 1.24.9:
* go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot
- Version 1.24.8:
* go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
* go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
* go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75538 net/http: internal error: connCount underflow
* go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value
- Version 1.24.7:
* go#75007 os/exec: TestLookPath fails on plan9 after CL 685755
* go#74821 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
- Packaging: migrate from update-alternatives to libalternatives (bsc#1245878).
- Package svgpan.js to fix issues with "go tool pprof" (bsc#1249985).
- Drop unused gccgo bootstrap code in go1.22+ (bsc#1248082).
ImportantSUSE bug 1236217SUSE bug 1245878SUSE bug 1247816SUSE bug 1248082SUSE bug 1249985SUSE bug 1251253SUSE bug 1251254SUSE bug 1251255SUSE bug 1251256SUSE bug 1251257SUSE bug 1251258SUSE bug 1251259SUSE bug 1251260SUSE bug 1251261SUSE bug 1251262SUSE bug 1254430SUSE bug 1254431CVE-2025-47912 at SUSECVE-2025-47912 at NVDCVE-2025-58183 at SUSECVE-2025-58183 at NVDCVE-2025-58185 at SUSECVE-2025-58185 at NVDCVE-2025-58186 at SUSECVE-2025-58186 at NVDCVE-2025-58187 at SUSECVE-2025-58187 at NVDCVE-2025-58188 at SUSECVE-2025-58188 at NVDCVE-2025-58189 at SUSECVE-2025-58189 at NVDCVE-2025-61723 at SUSECVE-2025-61723 at NVDCVE-2025-61724 at SUSECVE-2025-61724 at NVDCVE-2025-61725 at SUSECVE-2025-61725 at NVDCVE-2025-61727 at SUSECVE-2025-61727 at NVDCVE-2025-61729 at SUSECVE-2025-61729 at NVDSecurity update for keylime (Critical)openSUSE Leap 16.0
This update for keylime fixes the following issues:
Update to version 7.13.0+40.
Security issues fixed:
- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate
UUIDs (bsc#1254199).
- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).
Other issues fixed and changes:
- Version 7.13.0+40:
* Include new attestation information fields (#1818)
* Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
* push-model: require HTTPS for authentication and attestation endpoints
* Fix operational_state tracking in push mode attestations
* templates: add push model authentication config options to 2.5 templates
* Security: Hash authentication tokens in logs
* Fix stale IMA policy cache in verification
* Fix authentication behavior on failed attestations for push mode
* Add shared memory infrastructure for multiprocess communication
* Add agent authentication (challenge/response) protocol for push mode
* Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
* docs: Fix man page RST formatting for rst2man compatibility (#1813)
* Apply limit on keylime-policy workers
* tpm: fix ECC signature parsing to support variable-length coordinates
* tpm: fix ECC P-521 credential activation with consistent marshaling
* tpm: fix ECC P-521 coordinate validation
* Remove deprecated disabled_signing_algorithms configuration option (#1804)
* algorithms: add support for specific RSA algorithms
* algorithms: add support for specific ECC curve algorithms
* Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
* Manpage for keylime agent
* Manpage for keylime verifier
* Manpage for keylime registrar
* Use constants for timeout and max retries defaults
* verifier: Use timeout from `request_timeout` config option
* revocation_notifier: Use timeout setting from config file
* tenant: Set timeout when getting version from agent
* verify/evidence: SEV-SNP evidence type/verifier
* verify/evidence: Add evidence type to request JSON
- Version v7.13.0:
* Avoid re-encoding certificate stored in DB
* Revert "models: Do not re-encode certificate stored in DB"
* Revert "registrar_agent: Use pyasn1 to parse PEM"
* policy/sign: use print() when writing to /dev/stdout
* registrar_agent: Use pyasn1 to parse PEM
* models: Do not re-encode certificate stored in DB
* mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
* mb: support vendor_db as logged by newer shim versions
* mb: support EV_EFI_HANDOFF_TABLES events on PCR1
* Remove unnecessary configuration values
* cloud_verifier_tornado: handle exception in notify_error()
* requests_client: close the session at the end of the resource manager
* Manpage for keylime_tenant (#1786)
* Add 2.5 templates including Push Model changes
* Initial version of verify evidence API
* db: Do not read pool size and max overflow for sqlite
* Use context managers to close DB sessions
* revocations: Try to send notifications on shutdown
* verifier: Gracefully shutdown on signal
* Use `fork` as `multiprocessing` start method
* Fix inaccuracy in threat model and add reference to SBAT
* Explain TPM properties and expand vTPM discussion
* Fix invalid RST and update TOC
* Expand threat model page to include adversarial model
* Add --push-model option to avoid requests to agents
* templates: duplicate str_to_version() in the adjust script
* policy: fix mypy issues with rpm_repo
* revocation_notifier: fix mypy issue by replacing deprecated call
* Fix create_runtime_policy in python < 3.12
* Fix after review
* fixed CONSTANT names C0103 errors
* Extend meta_data field in verifierdb
* docs: update issue templates
* docs: add GitHub PR template with documentation reminders
* tpm_util: fix quote signature extraction for ECDSA
* registrar: Log API versions during startup
* Remove excessive logging on exception
* scripts: Fix coverage information downloading script
- Version v7.12.1:
* models: Add Base64Bytes type to read and write from the database
* Simplify response check from registrar
- Version v7.12.0:
* API: Add /version endpoint to registrar
* scripts: Download coverage data directly from Testing Farm
* docs: Add separate documentation for each API version
* scripts/create_runtime_policy.sh: fix path for the exclude list
* docs: add documentation for keylime-policy
* templates: Add the new agent.conf option 'api_versions'
* Enable autocompletion using argcomplete
* build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
* Configure EPEL-10 repo in packit-ci.fmf
* build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
* build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
* build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
* build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
* keylime-policy: improve error handling when provided a bad key (sign)
* keylime-policy: exit with status 1 when the commands failed
* keylime-policy: use Certificate() from models.base to validate certs
* keylime-policy: check for valid cert file when using x509 backend (sign)
* keylime-policy: fix help for "keylime-policy sign" verb
* tenant: Correctly log number of tries when deleting
* update TCTI environment variable usage
* build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
* keylime-policy: add `create measured-boot' subcommand
* keylime-policy: add `sign runtime' subcommand
* keylime-policy: add logger to use with the policy tool
* installer.sh: Restore execution permission
* installer: Fix string comparison
* build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
* build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
* build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
* installer.sh: updated EPEL, PEP668 Fix, logic fix
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
* build(deps): bump actions/checkout from 4.2.1 to 4.2.2
* postgresql support for docker using psycopg2
* installer.sh: update package list, add workaround for PEP 668
* build(deps): bump actions/checkout from 4.2.0 to 4.2.1
* keylime.conf: full removal
* Drop pending SPDX-License-Identifier headers
* create_runtime_policy: Validate algorithm from IMA measurement log
* create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
* create_runtime_policy: drop commment with test data
* create_runtime_policy: Use a common method to guess algorithm
* keylime-policy: rename tool to keylime-policy instead of keylime_policy
* keylime_policy: create runtime: remove --use-ima-measurement-list
* keylime_policy: use consistent arg names for create_runtime_policy
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
* build(deps): bump actions/checkout from 4.1.7 to 4.2.0
* elchecking/example: workaround empty PK, KEK, db and dbx
* elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
* create_runtime_policy: Fix log level for debug messages
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
* build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
* pylintrc: Ignore too-many-positional-arguments check
* keylime/web/base/controller: Move TypeAlias definition out of class
* create_runtime_policy: Calculate digests in multiple threads
* create_runtime_policy: Allow rootfs to be in any directory
* keylime_policy: Calculate digests from each source separately
* create_runtime_policy: Simplify boot_aggregate parsing
* ima: Validate JSON when loading IMA Keyring from string
* docs: include IDevID page also in the sidebar
* docs: point to installation guide from RHEL and SLE Micro
* build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
* change check_tpm_origin_check to a warning that does not prevent registration
* docs: Fix Runtime Policy JSON schema to reflect the reality
* Sets absolute path for files inside a rootfs dir
* policy/create_runtime_policy: fix handling of empty lines in exclude list
* keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
* codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
* codestyle: convert bytearrays to bytes to get expected type (pyright)
* codestyle: Use new variables after changing datatype (pyright)
* cert_utils: add description why loading using cryptography might fail
* ima: list names of the runtime policies
* build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
* tox: Use python 3.10 instead of 3.6
* revocation_notifier: Use web_util to generate TLS context
* mba: Add a skip custom policies option when loading mba.
* build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* cmd/keylime_policy: add tool to handle keylime policies
* cert_utils: add is_x509_cert()
* common/algorithms: transform Encrypt and Sign class into enums
* common/algorithms: add method to calculate digest of a file
* build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
* build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
* tpm: Replace KDFs and ECDH implementations with python-cryptography
* build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
* build(deps): bump docker/login-action from 2.2.0 to 3.2.0
* build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
* build(deps): bump actions/first-interaction
* build(deps): bump actions/checkout from 2.7.0 to 4.1.7
* revocation_notifier: Explicitly add CA certificate bundle
* Introduce new REST API framework and refactor registrar implementation
* mba: Support named measured boot policies
* tenant: add friendlier error message if mTLS CA is wrongly configured
* ca_impl_openssl: Mark extensions as critical following RFC 5280
* Include Authority Key Identifier in KL-generated certs
* verifier, tenant: make payload for agent completely optional
CriticalSUSE bug 1237153SUSE bug 1254199CVE-2025-1057 at SUSECVE-2025-1057 at NVDCVE-2025-13609 at SUSECVE-2025-13609 at NVDSecurity update for ImageMagick (Important)openSUSE Leap 16.0
This update for ImageMagick fixes the following issues:
- CVE-2025-62594: unsigned underflow and division-by-zero can lead to OOB pointer arithmetic and process crash
(bsc#1252749).
- CVE-2025-57807: BlobStream Forward-Seek Under-Allocation (bsc#1249362).
- CVE-2025-62171: incomplete fix for integer overflow in BMP Decoder (bsc#1252282).
- CVE-2025-55298: format string bug vulnerability can lead to heap overflow (bsc#1248780).
- CVE-2025-57803: 32-bit integer overflow can lead to heap out-of-bounds (OOB) write (bsc#1248784).
- CVE-2025-55212: division-by-zero in ThumbnailImage() when passing a geometry string containing only a colon to
`montage -geometry` (bsc#1248767).
ImportantSUSE bug 1248767SUSE bug 1248780SUSE bug 1248784SUSE bug 1249362SUSE bug 1252282SUSE bug 1252749CVE-2025-55212 at SUSECVE-2025-55212 at NVDCVE-2025-55298 at SUSECVE-2025-55298 at NVDCVE-2025-57803 at SUSECVE-2025-57803 at NVDCVE-2025-57807 at SUSECVE-2025-57807 at NVDCVE-2025-62171 at SUSECVE-2025-62171 at NVDCVE-2025-62594 at SUSECVE-2025-62594 at NVDSecurity update for grub2 (Important)openSUSE Leap 16.0
This update for grub2 fixes the following issues:
Changes in grub2:
- CVE-2025-54771: Fixed grub_file_close() does not properly controls the fs refcount (bsc#1252931)
- CVE-2025-54770: Fixed missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930)
- CVE-2025-61662: Fixed missing unregister call for gettext command may lead to use-after-free (bsc#1252933)
- CVE-2025-61663: Fixed missing unregister call for normal commands may lead to use-after-free (bsc#1252934)
- CVE-2025-61664: Fixed missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935)
- CVE-2025-61661: Fixed out-of-bounds write in grub_usb_get_string() function (bsc#1252932)
- Bump upstream SBAT generation to 6
- Fix "sparse file not allowed" error after grub2-reboot (bsc#1245738)
- Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385)
- turn off page flipping for i386-pc using VBE video backend (bsc#1245636)
- Fix boot hangs in setting up serial console when ACPI SPCR table is present
and redirection is disabled (bsc#1249088)
- Fix timeout when loading initrd via http after PPC CAS reboot (bsc#1245953)
- Skip mount point in grub_find_device function (bsc#1246231)
- CVE-2024-56738: Fixed side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959)
ImportantSUSE bug 1234959SUSE bug 1245636SUSE bug 1245738SUSE bug 1245953SUSE bug 1246231SUSE bug 1247242SUSE bug 1249088SUSE bug 1249385SUSE bug 1252930SUSE bug 1252931SUSE bug 1252932SUSE bug 1252933SUSE bug 1252934SUSE bug 1252935CVE-2024-56738 at SUSECVE-2024-56738 at NVDCVE-2025-54770 at SUSECVE-2025-54770 at NVDCVE-2025-54771 at SUSECVE-2025-54771 at NVDCVE-2025-61661 at SUSECVE-2025-61661 at NVDCVE-2025-61662 at SUSECVE-2025-61662 at NVDCVE-2025-61663 at SUSECVE-2025-61663 at NVDCVE-2025-61664 at SUSECVE-2025-61664 at NVDSecurity update for openssl-3 (Important)openSUSE Leap 16.0
This update for openssl-3 fixes the following issues:
- CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232)
- CVE-2025-9231: Fixedk timing side-channel in SM2 algorithm on 64 bit ARM (bsc#1250233)
- CVE-2025-9232: Fixed out-of-bounds read in HTTP client no_proxy handling (bsc#1250234)
ImportantSUSE bug 1250232SUSE bug 1250233SUSE bug 1250234CVE-2025-9230 at SUSECVE-2025-9230 at NVDCVE-2025-9231 at SUSECVE-2025-9231 at NVDCVE-2025-9232 at SUSECVE-2025-9232 at NVDSecurity update for qemu (Important)openSUSE Leap 16.0
This update for qemu fixes the following issues:
Update to version 10.0.7.
Security issues fixed:
- CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious
guest user to crash the QEMU process on the host (bsc#1253002).
- CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network
access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984).
Other updates and bugfixes:
- Version 10.0.7:
* kvm: Fix kvm_vm_ioctl() and kvm_device_ioctl() return value
* docs/devel: Update URL for make-pullreq script
* target/arm: Fix assert on BRA.
* hw/aspeed/{xdma, rtc, sdhci}: Fix endianness to DEVICE_LITTLE_ENDIAN
* hw/core/machine: Provide a description for aux-ram-share property
* hw/pci: Make msix_init take a uint32_t for nentries
* block/io_uring: avoid potentially getting stuck after resubmit at the end of ioq_submit()
* block-backend: Fix race when resuming queued requests
* ui/vnc: Fix qemu abort when query vnc info
* chardev/char-pty: Do not ignore chr_write() failures
* hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()
* hw/arm/armv7m: Disable reentrancy guard for v7m_sysreg_ns_ops MRs
* hw/arm/aspeed: Fix missing SPI IRQ connection causing DMA interrupt failure
* migration: Fix transition to COLO state from precopy
* Full backport list: https://lore.kernel.org/qemu-devel/1765037524.347582.2700543.nullmailer@tls.msk.ru/
- Version 10.0.6:
* linux-user/microblaze: Fix little-endianness binary
* target/hppa: correct size bit parity for fmpyadd
* target/i386: user: do not set up a valid LDT on reset
* async: access bottom half flags with qatomic_read
* target/i386: fix x86_64 pushw op
* i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
* i386/cpu: Prevent delivering SIPI during SMM in TCG mode
* i386/kvm: Expose ARCH_CAP_FB_CLEAR when invulnerable to MDS
* target/i386: Fix CR2 handling for non-canonical addresses
* block/curl.c: Use explicit long constants in curl_easy_setopt calls
* pcie_sriov: Fix broken MMIO accesses from SR-IOV VFs
* target/riscv: rvv: Fix vslide1[up|down].vx unexpected result when XLEN2 and SEWd
* target/riscv: Fix ssamoswap error handling
* Full backport list: https://lore.kernel.org/qemu-devel/1761022287.744330.6357.nullmailer@tls.msk.ru/
- Version 10.0.5:
* tests/functional/test_aarch64_sbsaref_freebsd: Fix the URL of the ISO image
* tests/functional/test_ppc_bamboo: Replace broken link with working assets
* physmem: Destroy all CPU AddressSpaces on unrealize
* memory: New AS helper to serialize destroy+free
* include/system/memory.h: Clarify address_space_destroy() behaviour
* migration: Fix state transition in postcopy_start() error handling
* target/riscv: rvv: Modify minimum VLEN according to enabled vector extensions
* target/riscv: rvv: Replace checking V by checking Zve32x
* target/riscv: Fix endianness swap on compressed instructions
* hw/riscv/riscv-iommu: Fixup PDT Nested Walk
* Full backport list: https://lore.kernel.org/qemu-devel/1759986125.676506.643525.nullmailer@tls.msk.ru/
- [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286).
- [openSUSE][RPM] spec: make glusterfs support conditional (bsc#1254494).
ImportantSUSE bug 1230042SUSE bug 1250984SUSE bug 1253002SUSE bug 1254286SUSE bug 1254494CVE-2025-11234 at SUSECVE-2025-11234 at NVDCVE-2025-12464 at SUSECVE-2025-12464 at NVDSecurity update for the Linux Kernel (Important)openSUSE Leap 16.0
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2022-50253: bpf: make sure skb->len != 0 when redirecting to a tunneling device (bsc#1249912).
- CVE-2025-37916: pds_core: remove write-after-free of client_id (bsc#1243474).
- CVE-2025-38084: mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431 bsc#1245498).
- CVE-2025-38085: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431 bsc#1245499).
- CVE-2025-38321: smb: Log an error when close_all_cached_dirs fails (bsc#1246328).
- CVE-2025-38728: smb3: fix for slab out of bounds on mount to ksmbd (bsc#1249256).
- CVE-2025-39805: net: macb: fix unregister_netdev call order in macb_remove() (bsc#1249982).
- CVE-2025-39819: fs/smb: Fix inconsistent refcnt update (bsc#1250176).
- CVE-2025-39822: io_uring/kbuf: fix signedness in this_len calculation (bsc#1250034).
- CVE-2025-39831: fbnic: Move phylink resume out of service_task and into open/close (bsc#1249977).
- CVE-2025-39859: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog (bsc#1250252).
- CVE-2025-39897: net: xilinx: axienet: Add error handling for RX metadata pointer retrieval (bsc#1250746).
- CVE-2025-39917: bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt (bsc#1250723).
- CVE-2025-39944: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() (bsc#1251120).
- CVE-2025-39961: iommu/amd/pgtbl: Fix possible race while increase page table level (bsc#1251817).
- CVE-2025-39980: nexthop: Forbid FDB status change while nexthop is in a group (bsc#1252063).
- CVE-2025-39990: bpf: Check the helper function is valid in get_helper_proto (bsc#1252054).
- CVE-2025-40001: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (bsc#1252303).
- CVE-2025-40003: net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work (bsc#1252301).
- CVE-2025-40006: mm/hugetlb: fix folio is still mapped when deleted (bsc#1252342).
- CVE-2025-40021: tracing: dynevent: Add a missing lockdown check on dynevent (bsc#1252681).
- CVE-2025-40024: vhost: Take a reference on the task in struct vhost_task (bsc#1252686).
- CVE-2025-40027: net/9p: fix double req put in p9_fd_cancelled (bsc#1252763).
- CVE-2025-40031: tee: fix register_shm_helper() (bsc#1252779).
- CVE-2025-40033: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() (bsc#1252824).
- CVE-2025-40038: KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid (bsc#1252817).
- CVE-2025-40047: io_uring/waitid: always prune wait queue entry in io_waitid_wait() (bsc#1252790).
- CVE-2025-40053: net: dlink: handle copy_thresh allocation failure (bsc#1252808).
- CVE-2025-40055: ocfs2: fix double free in user_cluster_connect() (bsc#1252821).
- CVE-2025-40059: coresight: Fix incorrect handling for return value of devm_kzalloc (bsc#1252809).
- CVE-2025-40064: smc: Fix use-after-free in __pnet_find_base_ndev() (bsc#1252845).
- CVE-2025-40070: pps: fix warning in pps_register_cdev when register device fail (bsc#1252836).
- CVE-2025-40074: tcp: convert to dev_net_rcu() (bsc#1252794).
- CVE-2025-40075: tcp_metrics: use dst_dev_net_rcu() (bsc#1252795).
- CVE-2025-40081: perf: arm_spe: Prevent overflow in PERF_IDX2OFF() (bsc#1252776).
- CVE-2025-40083: net/sched: sch_qfq: Fix null-deref in agg_dequeue (bsc#1252912).
- CVE-2025-40086: drm/xe: Don't allow evicting of BOs in same VM in array of VM binds (bsc#1252923).
- CVE-2025-40098: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() (bsc#1252917).
- CVE-2025-40101: btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST (bsc#1252901).
- CVE-2025-40102: KVM: arm64: Prevent access to vCPU events before init (bsc#1252919).
- CVE-2025-40105: vfs: Don't leak disconnected dentries on umount (bsc#1252928).
- CVE-2025-40133: mptcp: Call dst_release() in mptcp_active_enable() (bsc#1253328).
- CVE-2025-40134: dm: fix NULL pointer dereference in __dm_suspend() (bsc#1253386).
- CVE-2025-40135: ipv6: use RCU in ip6_xmit() (bsc#1253342).
- CVE-2025-40139: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set() (bsc#1253409).
- CVE-2025-40149: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() (bsc#1253355).
- CVE-2025-40153: mm: hugetlb: avoid soft lockup when mprotect to large memory area (bsc#1253408).
- CVE-2025-40157: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller (bsc#1253423).
- CVE-2025-40158: ipv6: use RCU in ip6_output() (bsc#1253402).
- CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation (bsc#1253403).
- CVE-2025-40168: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match() (bsc#1253427).
- CVE-2025-40169: bpf: Reject negative offsets for ALU ops (bsc#1253416).
- CVE-2025-40173: net/ip6_tunnel: Prevent perpetual tunnel growth (bsc#1253421).
- CVE-2025-40175: idpf: cleanup remaining SKBs in PTP flows (bsc#1253426).
- CVE-2025-40176: tls: wait for pending async decryptions if tls_strp_msg_hold fails (bsc#1253425).
- CVE-2025-40178: pid: Add a judgment for ns null in pid_nr_ns (bsc#1253463).
- CVE-2025-40185: ice: ice_adapter: release xa entry on adapter allocation failure (bsc#1253394).
- CVE-2025-40201: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths (bsc#1253455).
- CVE-2025-40203: listmount: don't call path_put() under namespace semaphore (bsc#1253457).
The following non security issues were fixed:
- ACPI: scan: Update honor list for RPMI System MSI (stable-fixes).
- ACPICA: Update dsmethod.c to get rid of unused variable warning (stable-fixes).
- Disable CONFIG_CPU5_WDT The cpu5wdt driver doesn't implement a
proper watchdog interface and has many code issues. It only handles
obscure and obsolete hardware. Stop building and supporting this driver
(jsc#PED-14062).
- Fix "drm/xe: Don't allow evicting of BOs in same VM in array of VM binds" (bsc#1252923)
- KVM: SVM: Delete IRTE link from previous vCPU before setting new IRTE (git-fixes).
- KVM: SVM: Delete IRTE link from previous vCPU irrespective of new routing (git-fixes).
- KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated (git-fixes).
- KVM: s390: improve interrupt cpu for wakeup (bsc#1235463).
- KVM: s390: kABI backport for 'last_sleep_cpu' (bsc#1252352).
- KVM: x86/mmu: Return -EAGAIN if userspace deletes/moves memslot during prefault (git-fixes).
- PCI/ERR: Update device error_state already after reset (stable-fixes).
- PM: EM: Slightly reduce em_check_capacity_update() overhead (stable-fixes).
- Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" (git-fixes).
- Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" (git-fixes).
- Update config files: enable zstd module decompression (jsc#PED-14115).
- bpf/selftests: Fix test_tcpnotify_user (bsc#1253635).
- btrfs: do not clear read-only when adding sprout device (bsc#1253238).
- btrfs: do not update last_log_commit when logging inode due to a new name (git-fixes).
- dm: fix queue start/stop imbalance under suspend/load/resume races (bsc#1253386)
- drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream (stable-fixes).
- drm/amd/display: update color on atomic commit time (stable-fixes).
- drm/amd/display: update dpp/disp clock from smu clock table (stable-fixes).
- drm/radeon: delete radeon_fence_process in is_signaled, no deadlock (stable-fixes).
- hwmon: (lenovo-ec-sensors) Update P8 supprt (stable-fixes).
- media: amphion: Delete v4l2_fh synchronously in .release() (stable-fixes).
- mount: handle NULL values in mnt_ns_release() (bsc#1254308)
- net/smc: Remove validation of reserved bits in CLC Decline (bsc#1252357).
- net: phy: move realtek PHY driver to its own subdirectory (jsc#PED-14353).
- net: phy: realtek: add defines for shadowed c45 standard registers (jsc#PED-14353).
- net: phy: realtek: add helper RTL822X_VND2_C22_REG (jsc#PED-14353).
- net: phy: realtek: change order of calls in C22 read_status() (jsc#PED-14353).
- net: phy: realtek: clear 1000Base-T link partner advertisement (jsc#PED-14353).
- net: phy: realtek: improve mmd register access for internal PHY's (jsc#PED-14353).
- net: phy: realtek: read duplex and gbit master from PHYSR register (jsc#PED-14353).
- net: phy: realtek: switch from paged to MMD ops in rtl822x functions (jsc#PED-14353).
- net: phy: realtek: use string choices helpers (jsc#PED-14353).
- net: xilinx: axienet: Fix IRQ coalescing packet count overflow (bsc#1250746)
- net: xilinx: axienet: Fix RX skb ring management in DMAengine mode (bsc#1250746)
- net: xilinx: axienet: Fix Tx skb circular buffer occupancy check in dmaengine xmit (bsc#1250746)
- nvmet-auth: update sc_c in host response (git-fixes bsc#1249397).
- nvmet-auth: update sc_c in target host hash calculation (git-fixes).
- perf list: Add IBM z17 event descriptions (jsc#PED-13611).
- platform/x86:intel/pmc: Update Arrow Lake telemetry GUID (git-fixes).
- powercap: intel_rapl: Add support for Panther Lake platform (jsc#PED-13949).
- pwm: pca9685: Use bulk write to atomicially update registers (stable-fixes).
- r8169: add PHY c45 ops for MDIO_MMD_VENDOR2 registers (jsc#PED-14353).
- r8169: add support for Intel Killer E5000 (jsc#PED-14353).
- r8169: add support for RTL8125BP rev.b (jsc#PED-14353).
- r8169: add support for RTL8125D rev.b (jsc#PED-14353).
- r8169: adjust version numbering for RTL8126 (jsc#PED-14353).
- r8169: align RTL8125 EEE config with vendor driver (jsc#PED-14353).
- r8169: align RTL8125/RTL8126 PHY config with vendor driver (jsc#PED-14353).
- r8169: align RTL8126 EEE config with vendor driver (jsc#PED-14353).
- r8169: align WAKE_PHY handling with r8125/r8126 vendor drivers (jsc#PED-14353).
- r8169: avoid duplicated messages if loading firmware fails and switch to warn level (jsc#PED-14353).
- r8169: don't take RTNL lock in rtl_task() (jsc#PED-14353).
- r8169: enable EEE at 2.5G per default on RTL8125B (jsc#PED-14353).
- r8169: enable RTL8168H/RTL8168EP/RTL8168FP ASPM support (jsc#PED-14353).
- r8169: fix inconsistent indenting in rtl8169_get_eth_mac_stats (jsc#PED-14353).
- r8169: implement additional ethtool stats ops (jsc#PED-14353).
- r8169: improve __rtl8169_set_wol (jsc#PED-14353).
- r8169: improve initialization of RSS registers on RTL8125/RTL8126 (jsc#PED-14353).
- r8169: improve rtl_set_d3_pll_down (jsc#PED-14353).
- r8169: increase max jumbo packet size on RTL8125/RTL8126 (jsc#PED-14353).
- r8169: remove leftover locks after reverted change (jsc#PED-14353).
- r8169: remove original workaround for RTL8125 broken rx issue (jsc#PED-14353).
- r8169: remove rtl_dash_loop_wait_high/low (jsc#PED-14353).
- r8169: remove support for chip version 11 (jsc#PED-14353).
- r8169: remove unused flag RTL_FLAG_TASK_RESET_NO_QUEUE_WAKE (jsc#PED-14353).
- r8169: replace custom flag with disable_work() et al (jsc#PED-14353).
- r8169: switch away from deprecated pcim_iomap_table (jsc#PED-14353).
- r8169: use helper r8169_mod_reg8_cond to simplify rtl_jumbo_config (jsc#PED-14353).
- ring-buffer: Update pages_touched to reflect persistent buffer content (git-fixes).
- s390/mm: Fix __ptep_rdp() inline assembly (bsc#1253643).
- sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask() (bsc#1246843).
- sched/fair: Have SD_SERIALIZE affect newidle balancing (bsc#1248792).
- sched/fair: Proportional newidle balance (bsc#1248792).
- sched/fair: Proportional newidle balance -KABI (bsc#1248792).
- sched/fair: Revert max_newidle_lb_cost bump (bsc#1248792).
- sched/fair: Skip sched_balance_running cmpxchg when balance is not due (bsc#1248792).
- sched/fair: Small cleanup to sched_balance_newidle() (bsc#1248792).
- sched/fair: Small cleanup to update_newidle_cost() (bsc#1248792).
- scsi: lpfc: Add capability to register Platform Name ID to fabric (bsc#1254119).
- scsi: lpfc: Allow support for BB credit recovery in point-to-point topology (bsc#1254119).
- scsi: lpfc: Ensure unregistration of rpis for received PLOGIs (bsc#1254119).
- scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology (bsc#1254119).
- scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (bsc#1254119).
- scsi: lpfc: Modify kref handling for Fabric Controller ndlps (bsc#1254119).
- scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb() (bsc#1254119).
- scsi: lpfc: Revise discovery related function headers and comments (bsc#1254119).
- scsi: lpfc: Update lpfc version to 14.4.0.12 (bsc#1254119).
- scsi: lpfc: Update various NPIV diagnostic log messaging (bsc#1254119).
- selftests/run_kselftest.sh: Add `--skip` argument option (bsc#1254221).
- smpboot: introduce SDTL_INIT() helper to tidy sched topology setup (bsc#1246843).
- soc/tegra: fuse: speedo-tegra210: Update speedo IDs (git-fixes).
- spi: tegra210-quad: Check hardware status on timeout (bsc#1253155)
- spi: tegra210-quad: Fix timeout handling (bsc#1253155)
- spi: tegra210-quad: Refactor error handling into helper functions (bsc#1253155)
- spi: tegra210-quad: Update dummy sequence configuration (git-fixes)
- tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork (bsc#1250705).
- wifi: ath11k: Add quirk entries for Thinkpad T14s Gen3 AMD (bsc#1254181).
- wifi: mt76: do not add wcid entries to sta poll list during MCU reset (bsc#1254315).
- wifi: mt76: introduce mt792x_config_mac_addr_list routine (bsc#1254315).
- wifi: mt76: mt7925: Fix logical vs bitwise typo (bsc#1254315).
- wifi: mt76: mt7925: Remove unnecessary if-check (bsc#1254315).
- wifi: mt76: mt7925: Simplify HIF suspend handling to avoid suspend fail (bsc#1254315).
- wifi: mt76: mt7925: add EHT control support based on the CLC data (bsc#1254315).
- wifi: mt76: mt7925: add handler to hif suspend/resume event (bsc#1254315).
- wifi: mt76: mt7925: add pci restore for hibernate (bsc#1254315).
- wifi: mt76: mt7925: config the dwell time by firmware (bsc#1254315).
- wifi: mt76: mt7925: extend MCU support for testmode (bsc#1254315).
- wifi: mt76: mt7925: fix CLC command timeout when suspend/resume (bsc#1254315).
- wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl (bsc#1254315).
- wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend (bsc#1254315).
- wifi: mt76: mt7925: refine the txpower initialization flow (bsc#1254315).
- wifi: mt76: mt7925: replace zero-length array with flexible-array member (bsc#1254315).
- wifi: mt76: mt7925: update the channel usage when the regd domain changed (bsc#1254315).
- wifi: mt76: mt7925e: fix too long of wifi resume time (bsc#1254315).
- x86/smpboot: avoid SMT domain attach/destroy if SMT is not enabled (bsc#1246843).
- x86/smpboot: moves x86_topology to static initialize and truncate (bsc#1246843).
- x86/smpboot: remove redundant CONFIG_SCHED_SMT (bsc#1246843).
ImportantSUSE bug 1235463SUSE bug 1243474SUSE bug 1245193SUSE bug 1245431SUSE bug 1245498SUSE bug 1245499SUSE bug 1246328SUSE bug 1246843SUSE bug 1247500SUSE bug 1248792SUSE bug 1249256SUSE bug 1249397SUSE bug 1249912SUSE bug 1249977SUSE bug 1249982SUSE bug 1250034SUSE bug 1250176SUSE bug 1250237SUSE bug 1250252SUSE bug 1250705SUSE bug 1250723SUSE bug 1250746SUSE bug 1251120SUSE bug 1251817SUSE bug 1252054SUSE bug 1252063SUSE bug 1252301SUSE bug 1252303SUSE bug 1252342SUSE bug 1252352SUSE bug 1252357SUSE bug 1252681SUSE bug 1252686SUSE bug 1252763SUSE bug 1252776SUSE bug 1252779SUSE bug 1252790SUSE bug 1252794SUSE bug 1252795SUSE bug 1252808SUSE bug 1252809SUSE bug 1252817SUSE bug 1252821SUSE bug 1252824SUSE bug 1252836SUSE bug 1252845SUSE bug 1252901SUSE bug 1252912SUSE bug 1252917SUSE bug 1252919SUSE bug 1252923SUSE bug 1252928SUSE bug 1253018SUSE bug 1253155SUSE bug 1253176SUSE bug 1253238SUSE bug 1253275SUSE bug 1253318SUSE bug 1253324SUSE bug 1253328SUSE bug 1253330SUSE bug 1253342SUSE bug 1253348SUSE bug 1253349SUSE bug 1253352SUSE bug 1253355SUSE bug 1253360SUSE bug 1253362SUSE bug 1253363SUSE bug 1253367SUSE bug 1253369SUSE bug 1253386SUSE bug 1253394SUSE bug 1253395SUSE bug 1253402SUSE bug 1253403SUSE bug 1253405SUSE bug 1253407SUSE bug 1253408SUSE bug 1253409SUSE bug 1253410SUSE bug 1253412SUSE bug 1253416SUSE bug 1253421SUSE bug 1253422SUSE bug 1253423SUSE bug 1253424SUSE bug 1253425SUSE bug 1253426SUSE bug 1253427SUSE bug 1253428SUSE bug 1253431SUSE bug 1253433SUSE bug 1253436SUSE bug 1253438SUSE bug 1253440SUSE bug 1253441SUSE bug 1253443SUSE bug 1253445SUSE bug 1253448SUSE bug 1253449SUSE bug 1253450SUSE bug 1253451SUSE bug 1253453SUSE bug 1253455SUSE bug 1253456SUSE bug 1253457SUSE bug 1253463SUSE bug 1253472SUSE bug 1253622SUSE bug 1253624SUSE bug 1253635SUSE bug 1253643SUSE bug 1253647SUSE bug 1254119SUSE bug 1254181SUSE bug 1254221SUSE bug 1254308SUSE bug 1254315CVE-2022-50253 at SUSECVE-2022-50253 at NVDCVE-2025-37916 at SUSECVE-2025-37916 at NVDCVE-2025-38084 at SUSECVE-2025-38084 at NVDCVE-2025-38085 at SUSECVE-2025-38085 at NVDCVE-2025-38321 at SUSECVE-2025-38321 at NVDCVE-2025-38728 at SUSECVE-2025-38728 at NVDCVE-2025-39805 at SUSECVE-2025-39805 at NVDCVE-2025-39819 at SUSECVE-2025-39819 at NVDCVE-2025-39822 at SUSECVE-2025-39822 at NVDCVE-2025-39831 at SUSECVE-2025-39831 at NVDCVE-2025-39859 at SUSECVE-2025-39859 at NVDCVE-2025-39897 at SUSECVE-2025-39897 at NVDCVE-2025-39917 at SUSECVE-2025-39917 at NVDCVE-2025-39944 at SUSECVE-2025-39944 at NVDCVE-2025-39961 at SUSECVE-2025-39961 at NVDCVE-2025-39980 at SUSECVE-2025-39980 at NVDCVE-2025-39990 at SUSECVE-2025-39990 at NVDCVE-2025-40001 at SUSECVE-2025-40001 at NVDCVE-2025-40003 at SUSECVE-2025-40003 at NVDCVE-2025-40006 at SUSECVE-2025-40006 at NVDCVE-2025-40021 at SUSECVE-2025-40021 at NVDCVE-2025-40024 at SUSECVE-2025-40024 at NVDCVE-2025-40027 at SUSECVE-2025-40027 at NVDCVE-2025-40031 at SUSECVE-2025-40031 at NVDCVE-2025-40033 at SUSECVE-2025-40033 at NVDCVE-2025-40038 at SUSECVE-2025-40038 at NVDCVE-2025-40047 at SUSECVE-2025-40047 at NVDCVE-2025-40053 at SUSECVE-2025-40053 at NVDCVE-2025-40055 at SUSECVE-2025-40055 at NVDCVE-2025-40059 at SUSECVE-2025-40059 at NVDCVE-2025-40064 at SUSECVE-2025-40064 at NVDCVE-2025-40070 at SUSECVE-2025-40070 at NVDCVE-2025-40074 at SUSECVE-2025-40074 at NVDCVE-2025-40075 at SUSECVE-2025-40075 at NVDCVE-2025-40081 at SUSECVE-2025-40081 at NVDCVE-2025-40083 at SUSECVE-2025-40083 at NVDCVE-2025-40086 at SUSECVE-2025-40086 at NVDCVE-2025-40098 at SUSECVE-2025-40098 at NVDCVE-2025-40101 at SUSECVE-2025-40101 at NVDCVE-2025-40102 at SUSECVE-2025-40102 at NVDCVE-2025-40105 at SUSECVE-2025-40105 at NVDCVE-2025-40107 at SUSECVE-2025-40107 at NVDCVE-2025-40109 at SUSECVE-2025-40109 at NVDCVE-2025-40110 at SUSECVE-2025-40110 at NVDCVE-2025-40111 at SUSECVE-2025-40111 at NVDCVE-2025-40115 at SUSECVE-2025-40115 at NVDCVE-2025-40116 at SUSECVE-2025-40116 at NVDCVE-2025-40118 at SUSECVE-2025-40118 at NVDCVE-2025-40120 at SUSECVE-2025-40120 at NVDCVE-2025-40121 at SUSECVE-2025-40121 at NVDCVE-2025-40127 at SUSECVE-2025-40127 at NVDCVE-2025-40129 at SUSECVE-2025-40129 at NVDCVE-2025-40132 at SUSECVE-2025-40132 at NVDCVE-2025-40133 at SUSECVE-2025-40133 at NVDCVE-2025-40134 at SUSECVE-2025-40134 at NVDCVE-2025-40135 at SUSECVE-2025-40135 at NVDCVE-2025-40139 at SUSECVE-2025-40139 at NVDCVE-2025-40140 at SUSECVE-2025-40140 at NVDCVE-2025-40141 at SUSECVE-2025-40141 at NVDCVE-2025-40142 at SUSECVE-2025-40142 at NVDCVE-2025-40149 at SUSECVE-2025-40149 at NVDCVE-2025-40153 at SUSECVE-2025-40153 at NVDCVE-2025-40154 at SUSECVE-2025-40154 at NVDCVE-2025-40156 at SUSECVE-2025-40156 at NVDCVE-2025-40157 at SUSECVE-2025-40157 at NVDCVE-2025-40158 at SUSECVE-2025-40158 at NVDCVE-2025-40159 at SUSECVE-2025-40159 at NVDCVE-2025-40161 at SUSECVE-2025-40161 at NVDCVE-2025-40162 at SUSECVE-2025-40162 at NVDCVE-2025-40164 at SUSECVE-2025-40164 at NVDCVE-2025-40165 at SUSECVE-2025-40165 at NVDCVE-2025-40166 at SUSECVE-2025-40166 at NVDCVE-2025-40168 at SUSECVE-2025-40168 at NVDCVE-2025-40169 at SUSECVE-2025-40169 at NVDCVE-2025-40171 at SUSECVE-2025-40171 at NVDCVE-2025-40172 at SUSECVE-2025-40172 at NVDCVE-2025-40173 at SUSECVE-2025-40173 at NVDCVE-2025-40175 at SUSECVE-2025-40175 at NVDCVE-2025-40176 at SUSECVE-2025-40176 at NVDCVE-2025-40177 at SUSECVE-2025-40177 at NVDCVE-2025-40178 at SUSECVE-2025-40178 at NVDCVE-2025-40180 at SUSECVE-2025-40180 at NVDCVE-2025-40183 at SUSECVE-2025-40183 at NVDCVE-2025-40185 at SUSECVE-2025-40185 at NVDCVE-2025-40186 at SUSECVE-2025-40186 at NVDCVE-2025-40187 at SUSECVE-2025-40187 at NVDCVE-2025-40188 at SUSECVE-2025-40188 at NVDCVE-2025-40192 at SUSECVE-2025-40192 at NVDCVE-2025-40194 at SUSECVE-2025-40194 at NVDCVE-2025-40196 at SUSECVE-2025-40196 at NVDCVE-2025-40197 at SUSECVE-2025-40197 at NVDCVE-2025-40198 at SUSECVE-2025-40198 at NVDCVE-2025-40200 at SUSECVE-2025-40200 at NVDCVE-2025-40201 at SUSECVE-2025-40201 at NVDCVE-2025-40202 at SUSECVE-2025-40202 at NVDCVE-2025-40203 at SUSECVE-2025-40203 at NVDCVE-2025-40204 at SUSECVE-2025-40204 at NVDCVE-2025-40205 at SUSECVE-2025-40205 at NVDCVE-2025-40206 at SUSECVE-2025-40206 at NVDCVE-2025-40207 at SUSECVE-2025-40207 at NVDSecurity update for fontforge (Low)openSUSE Leap 16.0
This update for fontforge fixes the following issues:
- CVE-2025-50949: Fixed memory leak in function DlgCreate8 (bsc#1252652).
LowSUSE bug 1252652CVE-2025-50949 at SUSECVE-2025-50949 at NVDSecurity update for mariadb (Important)openSUSE Leap 16.0
This update for mariadb fixes the following issues:
- Update to 11.8.5:
* CVE-2025-13699: Fixed Directory Traversal Remote Code Execution
Vulnerability (bsc#1254313)
Other fixes:
- Add %license tags to license files (bsc#1252162)
- Add INSTALL_DOCREADMEDIR cmake flag to install readme and license files
- Remove client plugin parsec.so, it is shipped by libmariadb_plugins
(bsc#1243040, bsc#1254476)
ImportantSUSE bug 1243040SUSE bug 1252162SUSE bug 1254313SUSE bug 1254476CVE-2025-13699 at SUSECVE-2025-13699 at NVDSecurity update for salt (Important)openSUSE Leap 16.0
This update for salt fixes the following issues:
Changes in salt:
- Add minimum_auth_version to enforce security (CVE-2025-62349)
- Backport security fixes for vendored tornado
* BDSA-2024-3438
* BDSA-2024-3439
* BDSA-2024-9026
- Junos module yaml loader fix (CVE-2025-62348)
- Require Python dependencies only for used Python version
- Fix TLS and x509 modules for OSes with older cryptography module
- Fix Salt for Python > 3.11 (bsc#1252285, bsc#1252244)
- Fix payload signature verification on Tumbleweed (bsc#1251776)
- Fix broken symlink on migration to Leap 16.0 (bsc#1250755)
- Use versioned python interpreter for salt-ssh
- Fix known_hosts error on gitfs (bsc#1250520, bsc#1227207)
- Revert require M2Crypto >= 0.44.0 for SUSE Family distros
- Improve SL Micro 6.2 detection with grains
- Fix the tests failing on AlmaLinux 10 and other clones
ImportantSUSE bug 1227207SUSE bug 1250520SUSE bug 1250755SUSE bug 1251776SUSE bug 1252244SUSE bug 1252285CVE-2025-62348 at SUSECVE-2025-62348 at NVDCVE-2025-62349 at SUSECVE-2025-62349 at NVDSecurity update for sssd (Important)openSUSE Leap 16.0
This update for sssd fixes the following issues:
- CVE-2025-11561: Fixed default Kerberos configuration allowing privilege
escalation on AD-joined Linux systems (bsc#1244325)
ImportantSUSE bug 1244325SUSE bug 1251827CVE-2025-11561 at SUSECVE-2025-11561 at NVDSecurity update of valkey (Critical)openSUSE Leap 16.0
This update for valkey fixes the following issues:
Update to 8.0.6:
- Security fixes:
- CVE-2025-49844: Fixed that a Lua script may lead to remote code execution (bsc#1250995)
- CVE-2025-46817: Fixed that a Lua script may lead to integer overflow and potential RCE (bsc#1250995)
- CVE-2025-46818: Fixed that a Lua script can be executed in the context of another user (bsc#1250995)
- CVE-2025-46819: Fixed LUA out-of-bound read (bsc#1250995)
- Bug fixes:
* Fix accounting for dual channel RDB bytes in replication stats (#2614)
* Fix EVAL to report unknown error when empty error table is provided (#2229)
* Fix use-after-free when active expiration triggers hashtable to shrink (#2257)
* Fix MEMORY USAGE to account for embedded keys (#2290)
* Fix memory leak when shrinking a hashtable without entries (#2288)
* Prevent potential assertion in active defrag handling large allocations (#2353)
* Prevent bad memory access when NOTOUCH client gets unblocked (#2347)
* Converge divergent shard-id persisted in nodes.conf to primary's shard id (#2174)
* Fix client tracking memory overhead calculation (#2360)
* Fix RDB load per slot memory pre-allocation when loading from RDB snapshot (#2466)
* Don't use AVX2 instructions if the CPU doesn't support it (#2571)
* Fix bug where active defrag may be unable to defrag sparsely filled pages (#2656)
Changes from 8.0.5:
https://github.com/valkey-io/valkey/releases/tag/8.0.5
CriticalSUSE bug 1250995CVE-2025-46817 at SUSECVE-2025-46817 at NVDCVE-2025-46818 at SUSECVE-2025-46818 at NVDCVE-2025-46819 at SUSECVE-2025-46819 at NVDCVE-2025-49844 at SUSECVE-2025-49844 at NVDSecurity update for avahi (Moderate)openSUSE Leap 16.0
This update for avahi fixes the following issues:
- CVE-2024-52615: Fixed DNS spoofing (bsc#1233421)
ModerateSUSE bug 1233421CVE-2024-52615 at SUSECVE-2024-52615 at NVDSecurity update for MozillaFirefox (Important)openSUSE Leap 16.0
This update for MozillaFirefox fixes the following issues:
Changes in MozillaFirefox:
Firefox Extended Support Release 140.6.0 ESR was released:
* Fixed: Various security fixes.
MFSA 2025-94 (bsc#1254551):
* CVE-2025-14321: Use-after-free in the WebRTC: Signaling component
* CVE-2025-14322: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
* CVE-2025-14323: Privilege escalation in the DOM: Notifications component
* CVE-2025-14324: JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14325: JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14328: Privilege escalation in the Netmonitor component
* CVE-2025-14329: Privilege escalation in the Netmonitor component
* CVE-2025-14330: JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14331: Same-origin policy bypass in the Request Handling component
* CVE-2025-14333: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
ImportantSUSE bug 1254551CVE-2025-14321 at SUSECVE-2025-14321 at NVDCVE-2025-14322 at SUSECVE-2025-14322 at NVDCVE-2025-14323 at SUSECVE-2025-14323 at NVDCVE-2025-14324 at SUSECVE-2025-14324 at NVDCVE-2025-14325 at SUSECVE-2025-14325 at NVDCVE-2025-14328 at SUSECVE-2025-14328 at NVDCVE-2025-14329 at SUSECVE-2025-14329 at NVDCVE-2025-14330 at SUSECVE-2025-14330 at NVDCVE-2025-14331 at SUSECVE-2025-14331 at NVDCVE-2025-14333 at SUSECVE-2025-14333 at NVDSecurity update for python-tornado6 (Important)openSUSE Leap 16.0
This update for python-tornado6 fixes the following issues:
- CVE-2025-67724: unescaped `reason` argument used in HTTP headers and in HTML default error pages can be used by
attackers to launch header injection or XSS attacks (bsc#1254903).
- CVE-2025-67725: quadratic complexity of string concatenation operations used by the `HTTPHeaders.add` method can lead
o DoS when processing a maliciously crafted HTTP request (bsc#1254905).
- CVE-2025-67726: quadratic complexity algorithm used in the `_parseparam` function of `httputil.py` can lead to DoS
when processing maliciously crafted parameters in a `Content-Disposition` header (bsc#1254904).
ImportantSUSE bug 1254903SUSE bug 1254904SUSE bug 1254905CVE-2025-67724 at SUSECVE-2025-67724 at NVDCVE-2025-67725 at SUSECVE-2025-67725 at NVDCVE-2025-67726 at SUSECVE-2025-67726 at NVDSecurity update for libmicrohttpd (Important)openSUSE Leap 16.0
This update for libmicrohttpd fixes the following issues:
- CVE-2025-62689: Fixed heap-based buffer overflow through
a specially crafted packet (bsc#1253178)
- CVE-2025-59777: Fixed NULL pointer dereference through
a specially crafted packet (bsc#1253177)
ImportantSUSE bug 1253177SUSE bug 1253178CVE-2025-59777 at SUSECVE-2025-59777 at NVDCVE-2025-62689 at SUSECVE-2025-62689 at NVDSecurity update for libpng16 (Important)openSUSE Leap 16.0
This update for libpng16 fixes the following issues:
- CVE-2025-64505: heap buffer over-read in `png_do_quantize` when processing PNG files malformed palette indices
(bsc#1254157).
- CVE-2025-64506: heap buffer over-read in `png_write_image_8bit` when processing 8-bit input with `convert_to_8bit`
enabled (bsc#1254158).
- CVE-2025-64720: out-of-bounds read in `png_image_read_composite` when processing palette images with
`PNG_FLAG_OPTIMIZE_ALPHA` enabled (bsc#1254159).
- CVE-2025-65018: heap buffer overflow in `png_image_finish_read` when processing specially crafted 16-bit interlaced
PNGs with 8-bit output format (bsc#1254160).
- CVE-2025-66293: out-of-bounds read of the `png_sRGB_base` array when processing palette PNG images with partial
transparency and gamma correction (bsc#1254480).
ImportantSUSE bug 1254157SUSE bug 1254158SUSE bug 1254159SUSE bug 1254160SUSE bug 1254480CVE-2025-64505 at SUSECVE-2025-64505 at NVDCVE-2025-64506 at SUSECVE-2025-64506 at NVDCVE-2025-64720 at SUSECVE-2025-64720 at NVDCVE-2025-65018 at SUSECVE-2025-65018 at NVDCVE-2025-66293 at SUSECVE-2025-66293 at NVDSecurity update for glib2 (Important)openSUSE Leap 16.0
This update for glib2 fixes the following issues:
Update to version 2.84.4.
Security issues fixed:
- CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote
filesystem attribute values can lead to denial-of-service (bsc#1254878).
- CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when
processing attacker-influenced data may lead to crash or code execution (bsc#1254662).
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a
large number of unacceptable characters may lead to crash or code execution (bsc#1254297).
- CVE-2025-7039: integer overflow when creating temporary files may lead to an out-of-bounds memory access that can be
used for path traversal or exposure of sensitive content in a temporary file (bsc#1249055).
Other issues fixed and changes:
- Fix GFile leak in `g_local_file_set_display_name` during error handling.
- Fix incorrect output parameter handling in closure helper of `g_settings_bind_with_mapping_closures`.
- `gfileutils`: fix computation of temporary file name.
- Fix GFile leak in `g_local_file_set_display_name()`.
- `gthreadpool`: catch `pool_spawner` creation failure.
- `gio/filenamecompleter`: fix leaks.
- `gfilenamecompleter`: fix `g_object_unref()` of undefined value.
ImportantSUSE bug 1249055SUSE bug 1254297SUSE bug 1254662SUSE bug 1254878CVE-2025-13601 at SUSECVE-2025-13601 at NVDCVE-2025-14087 at SUSECVE-2025-14087 at NVDCVE-2025-14512 at SUSECVE-2025-14512 at NVDCVE-2025-7039 at SUSECVE-2025-7039 at NVDSecurity update for hawk2 (Important)openSUSE Leap 16.0
This update for hawk2 fixes the following issues:
- Bump ruby gem rack to 3.1.18 (bsc#1251939).
- Bump ruby gem uri to 1.0.4.
- Fix the mtime in manifest.json (bsc#1230275).
- Make builds determinitstic (bsc#1230275).
- Bump rails version from 8.0.2 to 8.0.2.1 (bsc#1248100).
- Require openssl explicitly (bsc#1247899). ImportantSUSE bug 1230275SUSE bug 1247899SUSE bug 1248100SUSE bug 1251939CVE-2025-55193 at SUSECVE-2025-55193 at NVDCVE-2025-61919 at SUSECVE-2025-61919 at NVDSecurity update for python-uv (Important)openSUSE Leap 16.0
This update for python-uv fixes the following issues:
- CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue
allowing attackers to smuggle additional archive entries
(bsc#1252399)
- CVE-2025-58160: tracing-subscriber: Fixed log pollution (bsc#1249011)
ImportantSUSE bug 1249011SUSE bug 1252399CVE-2025-58160 at SUSECVE-2025-58160 at NVDCVE-2025-62518 at SUSECVE-2025-62518 at NVDSecurity update for squid (Important)openSUSE Leap 16.0
This update for squid fixes the following issues:
- CVE-2025-62168: failure to redact HTTP authentication credentials in error handling leads to the disclosure of credentials a trusted client uses to authenticate (bsc#1252281).
- CVE-2025-59362: SNMP message processing component of Squid Cache can lead to stack-based buffer overflow (bsc#1250627).
ImportantSUSE bug 1250627SUSE bug 1252281CVE-2025-59362 at SUSECVE-2025-59362 at NVDCVE-2025-62168 at SUSECVE-2025-62168 at NVDSecurity update for gpg2 (Important)openSUSE Leap 16.0
This update for gpg2 fixes the following issues:
- CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715).
Other security fixes:
- gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246).
- gpg: Error out on unverified output for non-detached signatures (bsc#1256244).
- gpg: Deprecate the option --not-dash-escaped (bsc#1256390).
ImportantSUSE bug 1255715SUSE bug 1256244SUSE bug 1256246SUSE bug 1256390CVE-2025-68973 at SUSECVE-2025-68973 at NVDSecurity update for apache2 (Moderate)openSUSE Leap 16.0
This update for apache2 fixes the following issues:
- CVE-2025-55753: Fixed mod_md (ACME), unintended retry intervals (bsc#1254511)
- CVE-2025-58098: Fixed Server Side Includes adds query string to #exec cmd (bsc#1254512)
- CVE-2025-65082: Fixed CGI environment variable override (bsc#1254514)
- CVE-2025-66200: Fixed mod_userdir+suexec bypass via AllowOverride FileInfo (bsc#1254515)
ModerateSUSE bug 1254511SUSE bug 1254512SUSE bug 1254514SUSE bug 1254515CVE-2025-55753 at SUSECVE-2025-55753 at NVDCVE-2025-58098 at SUSECVE-2025-58098 at NVDCVE-2025-65082 at SUSECVE-2025-65082 at NVDCVE-2025-66200 at SUSECVE-2025-66200 at NVDSecurity update for curl (Moderate)openSUSE Leap 16.0
This update for curl fixes the following issues:
This update for curl fixes the following issues:
- CVE-2025-14017: broken TLS options for threaded LDAPS (bsc#1256105).
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).
ModerateSUSE bug 1255731SUSE bug 1255732SUSE bug 1255733SUSE bug 1255734SUSE bug 1256105CVE-2025-14017 at SUSECVE-2025-14017 at NVDCVE-2025-14524 at SUSECVE-2025-14524 at NVDCVE-2025-14819 at SUSECVE-2025-14819 at NVDCVE-2025-15079 at SUSECVE-2025-15079 at NVDCVE-2025-15224 at SUSECVE-2025-15224 at NVDSecurity update for haproxy (Moderate)openSUSE Leap 16.0
This update for haproxy fixes the following issues:
- CVE-2025-11230: issue in the mjson JSON decoder leads to excessive resource consumption when processing numbers with
large exponents (bsc#1250983).
ModerateSUSE bug 1250983CVE-2025-11230 at SUSECVE-2025-11230 at NVDSecurity update for tomcat (Important)openSUSE Leap 16.0
This update for tomcat fixes the following issues:
- Update to Tomcat 9.0.111
- Security fixes:
- CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled (bsc#1252753).
- CVE-2025-55754: improper neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat
(bsc#1252905).
- CVE-2025-61795: temporary copies during the processing of multipart upload can lead to a denial of service
(bsc#1252756).
ImportantSUSE bug 1252753SUSE bug 1252756SUSE bug 1252905CVE-2025-55752 at SUSECVE-2025-55752 at NVDCVE-2025-55754 at SUSECVE-2025-55754 at NVDCVE-2025-61795 at SUSECVE-2025-61795 at NVDSecurity update for bind (Important)openSUSE Leap 16.0
This update for bind fixes the following issues:
- Upgrade to release 9.20.15
Security Fixes:
* CVE-2025-40778: Fixed cache poisoning attacks with unsolicited RRs (bsc#1252379)
* CVE-2025-40780: Fixed cache poisoning due to weak PRNG (bsc#1252380)
* CVE-2025-8677: Fixed resource exhaustion via malformed DNSKEY handling (bsc#1252378)
New Features:
* Add dnssec-policy keys configuration check to named-checkconf.
* Add a new option `manual-mode` to dnssec-policy.
* Add a new option `servfail-until-ready` to response-policy
zones.
* Support for parsing HHIT and BRID records has been added.
* Support for parsing DSYNC records has been added.
Removed Features:
* Deprecate the `tkey-gssapi-credential` statement.
* Obsolete the `tkey-domain` statement.
Feature Changes:
* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
digest type 1.
Bug Fixes:
* Missing DNSSEC information when CD bit is set in query.
* rndc sign during ZSK rollover will now replace signatures.
* Use signer name when disabling DNSSEC algorithms.
* Preserve cache when reload fails and reload the server again.
* Prevent spurious SERVFAILs for certain 0-TTL resource records.
* Fix unexpected termination if catalog-zones had undefined
`default-primaries`.
* Stale RRsets in a CNAME chain were not always refreshed.
* Add RPZ extended DNS error for zones with a CNAME override
policy configured.
* Fix dig +keepopen option.
* Log dropped or slipped responses in the query-errors category.
* Fix synth-from-dnssec not working in some scenarios.
* Clean enough memory when adding new ADB names/entries under
memory pressure.
* Prevent spurious validation failures.
* Ensure file descriptors 0-2 are in use before using libuv
[bsc#1230649]
ImportantSUSE bug 1230649SUSE bug 1252378SUSE bug 1252379SUSE bug 1252380CVE-2025-40778 at SUSECVE-2025-40778 at NVDCVE-2025-40780 at SUSECVE-2025-40780 at NVDCVE-2025-8677 at SUSECVE-2025-8677 at NVDSecurity update for MozillaFirefox (Important)openSUSE Leap 16.0
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.7.0 ESR (bsc#1256340).
- MFSA 2026-03 (bsc#1256340)
* CVE-2026-0877: Mitigation bypass in the DOM: Security component
* CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
* CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
* CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
* CVE-2026-0882: Use-after-free in the IPC component
* CVE-2025-14327: Spoofing issue in the Downloads Panel component
* CVE-2026-0883: Information disclosure in the Networking component
* CVE-2026-0884: Use-after-free in the JavaScript Engine component
* CVE-2026-0885: Use-after-free in the JavaScript: GC component
* CVE-2026-0886: Incorrect boundary conditions in the Graphics component
* CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
* CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
* CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
ImportantSUSE bug 1256340CVE-2025-14327 at SUSECVE-2025-14327 at NVDCVE-2026-0877 at SUSECVE-2026-0877 at NVDCVE-2026-0878 at SUSECVE-2026-0878 at NVDCVE-2026-0879 at SUSECVE-2026-0879 at NVDCVE-2026-0880 at SUSECVE-2026-0880 at NVDCVE-2026-0882 at SUSECVE-2026-0882 at NVDCVE-2026-0883 at SUSECVE-2026-0883 at NVDCVE-2026-0884 at SUSECVE-2026-0884 at NVDCVE-2026-0885 at SUSECVE-2026-0885 at NVDCVE-2026-0886 at SUSECVE-2026-0886 at NVDCVE-2026-0887 at SUSECVE-2026-0887 at NVDCVE-2026-0890 at SUSECVE-2026-0890 at NVDCVE-2026-0891 at SUSECVE-2026-0891 at NVDSecurity update for erlang (Moderate)openSUSE Leap 16.0
This update for erlang fixes the following issues:
Update the ssh component to the latest in the maint-27 branch.
Security issues fixed:
- CVE-2025-48040: ssh: overly tolerant handling of data received from unauthenticated users when processing key
exchange messages may lead to excessive resource consumption (bsc#1249472).
- CVE-2025-48039: ssh: unverified paths from authenticated SFTP users may lead to excessive resource consumption
(bsc#1249469).
- CVE-2025-48038: ssh: unverified file handles from authenticated SFTP users may lead to excessive resource consumption
(bsc#1249470).
ModerateSUSE bug 1249469SUSE bug 1249470SUSE bug 1249472CVE-2025-48038 at SUSECVE-2025-48038 at NVDCVE-2025-48039 at SUSECVE-2025-48039 at NVDCVE-2025-48040 at SUSECVE-2025-48040 at NVDSecurity update for alloy (Important)openSUSE Leap 16.0
This update for alloy fixes the following issues:
Upgrade to version 1.12.1.
Security issues fixed:
- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
(bsc#1251509).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251716).
- CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in
response to a key listing or signing request (bsc#1253609).
Other updates and bugfixes:
- Version 1.12.1:
* Bugfixes
- update to Beyla 2.7.10.
- Version 1.12.0:
* Breaking changes
- `prometheus.exporter.blackbox`, `prometheus.exporter.snmp` and `prometheus.exporter.statsd` now use the component
ID instead of the hostname as their instance label in their exported metrics.
* Features
- (Experimental) Add an `otelcol.receiver.cloudflare` component to receive logs pushed by Cloudflare's LogPush
jobs.
- (Experimental) Additions to experimental `database_observability.mysql` component:
- `explain_plans`
- collector now changes schema before returning the connection to the pool.
- collector now passes queries more permissively.
- enable `explain_plans` collector by default
- (Experimental) Additions to experimental `database_observability.postgres` component:
- `explain_plans`
- added the explain plan collector.
- collector now passes queries more permissively.
- `query_samples`
- add user field to wait events within `query_samples` collector.
- rework the query samples collector to buffer per-query execution state across scrapes and emit finalized
entries.
- process turned idle rows to calculate finalization times precisely and emit first seen idle rows.
- `query_details`
- escape queries coming from `pg_stat_statements` with quotes.
- enable `explain_plans` collector by default.
- safely generate `server_id` when UDP socket used for database connection.
- add table registry and include "validated" in parsed table name logs.
- Add `otelcol.exporter.googlecloudpubsub` community component to export metrics, traces, and logs to Google Cloud
Pub/Sub topic.
- Add `structured_metadata_drop` stage for `loki.process` to filter structured metadata.
- Send remote config status to the remote server for the `remotecfg` service.
- Send effective config to the remote server for the `remotecfg` service.
- Add a `stat_statements` configuration block to the `prometheus.exporter.postgres` component to enable selecting
both the query ID and the full SQL statement. The new block includes one option to enable statement selection,
and another to configure the maximum length of the statement text.
- Add truncate stage for `loki.process` to truncate log entries, label values, and `structured_metadata` values.
- Add `u_probe_links` & `load_probe` configuration fields to alloy `pyroscope.ebpf` to extend configuration of
the `opentelemetry-ebpf-profiler` to allow uprobe profiling and dynamic probing.
- Add `verbose_mode` configuration fields to `alloy pyroscope.ebpf` to be enable `ebpf-profiler` verbose mode.
- Add `file_match` block to `loki.source.file` for built-in file discovery using glob patterns.
- Add a regex argument to the `structured_metadata` stage in `loki.process` to extract labels matching a regular
expression.
- OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.
- See the upstream
[core](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md)
and
[contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md)
changelogs for more details.
- A new `mimir.alerts.kubernetes` component which discovers AlertmanagerConfig Kubernetes resources and loads them
into a Mimir instance.
- Mark `stage.windowsevent` block in the `loki.process` component as GA.
* Enhancements
- Add per-application rate limiting with the strategy attribute in the `faro.receiver` component, to prevent one
application from consuming the rate limit quota of others.
- Add support of tls in components `loki.source.(awsfirehose|gcplog|heroku|api)` and `prometheus.receive_http` and
`pyroscope.receive_http`.
- Remove `SendSIGKILL=no` from unit files and recommendations.
- Reduce memory overhead of `prometheus.remote_write`'s WAL by lowering the size of the allocated series storage.
- Reduce lock wait/contention on the `labelstore.LabelStore` by removing unecessary usage from
`prometheus.relabel`.
- `prometheus.exporter.postgres` dependency has been updated to v0.18.1.
- Update Beyla component to 2.7.8.
- Support delimiters in `stage.luhn`.
- `pyroscope.java`: update `async-profiler` to 4.2.
- `prometheus.exporter.unix`: Add an arp config block to configure the ARP collector.
- `prometheus.exporter.snowflake` dependency has been updated to 20251016132346-6d442402afb2.
- `loki.source.podlogs` now supports `preserve_discovered_labels` parameter to preserve discovered pod metadata
labels for use by downstream components.
- Rework underlying framework of Alloy UI to use Vite instead of Create React App.
- Use POST requests for remote config requests to avoid hitting http2 header limits.
- `loki.source.api` during component shutdown will now reject all the inflight requests with status code 503 after
`graceful_shutdown_timeout` has expired.
- `kubernetes.discovery`: Add support for attaching namespace metadata.
- Add `meta_cache_address` to `beyla.ebpf` component.
* Bugfixes
- Stop `loki.source.kubernetes` discarding log lines with duplicate timestamps.
- Fix direction of arrows for pyroscope components in UI graph.
- Only log EOF errors for syslog port investigations in `loki.source.syslog` as Debug, not Warn.
- Fix `prometheus.exporter.process` ignoring the `remove_empty_groups` argument.
- Fix issues with "unknown series ref when trying to add exemplar" from `prometheus.remote_write` by allowing
series ref links to be updated if they change.
- Fix `loki.source.podlogs` component to register the Kubernetes field index for `spec.nodeName` when node
filtering is enabled, preventing "Index with name `field:spec.nodeName` does not exist" errors.
- Fix issue in `loki.source.file` where scheduling files could take too long.
- Fix `loki.write` no longer includes internal labels __.
- Fix missing native histograms custom buckets (NHCB) samples from `prometheus.remote_write`.
- `otelcol.receiver.prometheus` now supports mixed histograms if `prometheus.scrape` has `honor_metadata` set to
true.
- `loki.source.file` has better support for non-UTF-8 encoded files.
- Fix the `loki.write` endpoint block's `enable_http2` attribute to actually affect the client.
- Optionally remove trailing newlines before appending entries in `stage.multiline`.
- `loki.source.api` no longer drops request when relabel rules drops a specific stream.
ImportantSUSE bug 1251509SUSE bug 1251716SUSE bug 1253609CVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for cpp-httplib (Critical)openSUSE Leap 16.0
This update for cpp-httplib fixes the following issues:
- CVE-2025-66570: IP spoofing, log poisoning, and authorization bypass via header shadowing due to acceptance and
parsing of client-controlled injected HTTP headers in incoming requests (bsc#1254734).
- CVE-2025-66577: access and error log poisoning with spoofed client IPs due to unconditional acceptance of
client-controlled `X-Forwarded-For` and `X-Real-IP` headers (bsc#1254735).
CriticalSUSE bug 1254734SUSE bug 1254735CVE-2025-66570 at SUSECVE-2025-66570 at NVDCVE-2025-66577 at SUSECVE-2025-66577 at NVDSecurity update for docker (Critical)openSUSE Leap 16.0
This update for docker fixes the following issues:
Changes in docker:
- Update to Docker 28.5.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2851>
- Update to Docker 28.5.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2850>
- Update to docker-buildx v0.29.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.29.0>
- Remove git-core recommends on SLE. Most SLE systems have
installRecommends=yes by default and thus end up installing git with Docker.
bsc#1250508
This feature is mostly intended for developers ("docker build git://") so
most users already have the dependency installed, and the error when git is
missing is fairly straightforward (so they can easily figure out what they
need to install).
- Update to docker-buildx v0.28.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.28.0>
- Update to Docker 28.4.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2840>
* Fixes a nil pointer panic in "docker push". bsc#1248373
- Update warnings and errors related to "docker buildx ..." so that they
reference our openSUSE docker-buildx packages.
- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
injection enabled. PED-12534 PED-8905 bsc#1247594
As docker-buildx does not support our SUSEConnect secret injection (and some
users depend "docker build" working transparently), patch the docker CLI so
that "docker build" will no longer automatically call "docker buildx build",
effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
to opt-in to using docker-buildx.
Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
explicitly.
In order to inject SCC credentials with docker-buildx, users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Update to Docker 28.3.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2833>
CVE-2025-54388 bsc#1247367
- Update to docker-buildx v0.26.1. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.26.1>
- Update to docker-buildx v0.26.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.26.0>
CriticalSUSE bug 1247367SUSE bug 1247594SUSE bug 1248373SUSE bug 1250508CVE-2025-54388 at SUSECVE-2025-54388 at NVDSecurity update for cargo-c (Moderate)openSUSE Leap 16.0
This update for cargo-c fixes the following issues:
- CVE-2025-4574: crossbeam-channel: Fixed double-free on drop in Channel::discard_all_messages (bsc#1243179)
- CVE-2025-58160: tracing-subscriber: Fixed log pollution (bsc#1249012)
- CVE-2024-12224: idna: Fixed improper validation of Punycode labels (bsc#1243851)
Other fixes:
- Fixed _service file to have proper versioning
- Update to version 0.10.15~git0.3e178d5:
* Bump actions/download-artifact from 4 to 5
* Update implib requirement from 0.3.5 to 0.4.0
* Add rlib to the targets when building tests
* Allow disabling emission of library version constants in header files
* Bump to cargo 0.90
* Fix static_libraries swallowing sequence of -framework flags
* Fix non-POSIX paths in Libdir under Windows
* Bump actions-rs-plus/clippy-check from 2.2.1 to 2.3.0
* Fix clippy lints
* Bump cargo-0.89, object-0.37.1, cbindgen-0.29
ModerateSUSE bug 1243179SUSE bug 1243851SUSE bug 1249012CVE-2024-12224 at SUSECVE-2024-12224 at NVDCVE-2025-4574 at SUSECVE-2025-4574 at NVDCVE-2025-58160 at SUSECVE-2025-58160 at NVDSecurity update for rust1.91, rust1.92 (Moderate)openSUSE Leap 16.0
This update for rust1.91 and rust1.92 fixes the following issues:
Rust is shipped in 1.91.0 version.
Please see https://github.com/rust-lang/rust/releases/tag/1.91.0 for changes.
Rust is shipped in 1.92.0 version.
Please see https://github.com/rust-lang/rust/releases/tag/1.92.0 for changes.
ModerateSecurity update for webkit2gtk3 (Important)openSUSE Leap 16.0
This update for webkit2gtk3 fixes the following issues:
Update to version 2.50.4.
Security issues fixed:
- CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a
UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
- CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of
verification of the origins of drag operations (bsc#1254473).
- CVE-2025-14174: processing maliciously crafted web content may lead to memory corruption due to improper validation
(bsc#1255497).
- CVE-2025-43272: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1250439).
- CVE-2025-43342: processing maliciously crafted web content may lead to an unexpected process crash due to a
correctness issue and missing checks (bsc#1250440).
- CVE-2025-43343: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1251975).
- CVE-2025-43356: a website may be able to access sensor information without user consent due to improper cache handling
(bsc#1250441).
- CVE-2025-43368: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1250442).
- CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
- CVE-2025-43419: processing maliciously crafted web content may lead to memory corruption due to improper memory
handling (bsc#1254166).
- CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled
array allocation sinking (bsc#1254167).
- CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1254168).
- CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254169).
- CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer
overflow issue (bsc#1254174).
- CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254172).
- CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory
handling (bsc#1254170).
- CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1254171).
- CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1254179).
- CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing
checks (bsc#1254177).
- CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing
checks (bsc#1254176).
- CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254498).
- CVE-2025-43501: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer
overflow issue (bsc#1255194).
- CVE-2025-43529: processing maliciously crafted web content may lead to arbitrary code execution due to a
use-after-free issue (bsc#1255198).
- CVE-2025-43531: processing maliciously crafted web content may lead to an unexpected process crash due to a race
condition (bsc#1255183).
- CVE-2025-43535: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1255195).
- CVE-2025-43536: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1255200).
- CVE-2025-43541: processing maliciously crafted web content may lead to an unexpected process crash due to type
confusion (bsc#1255191).
- CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1254509).
Other issues fixed and changes:
- Version 2.50.4:
* Correctly handle the program name passed to the sleep disabler.
* Ensure GStreamer is initialized before using the Quirks.
* Fix several crashes and rendering issues.
- Version 2.50.3:
* Fix seeking and looping of media elements that set the "loop" property.
* Fix several crashes and rendering issues.
- Version 2.50.2:
* Prevent unsafe URI schemes from participating in media playback.
* Make jsc_value_array_buffer_get_data() function introspectable.
* Fix logging in to Google accounts that have a WebAuthn second factor configured.
* Fix loading webkit://gpu when there are no threads configured for GPU rendering.
* Fix rendering gradiants that use the CSS hue interpolation method.
* Fix pasting image data from the clipboard.
* Fix font-family selection when the font name contains spaces.
* Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
* Fix capturing canvas snapshots in the Web Inspector.
* Fix several crashes and rendering issues.
- Version 2.50.1:
* Improve text rendering performance.
* Fix audio playback broken on instagram.
* Fix rendering of layers with fractional transforms.
* Fix the build with ENABLE(VIDEO) disabled.
* Fix the build in s390x.
* Fix several crashes and rendering issues.
- Version 2.50.0:
* Improved rendering performance by recording each layer once and replaying every dirty region in different worker
threads.
* Enable damage propagation to the UI process by default.
* CSS property font-variant-emoji is now enabled by default.
* Font synthesis properties (bold/italic) are now properly handled.
* Ensure web view is focused on tap gesture.
* Added new API to get the theme color of a WebKitWebView.
- Version 2.49.90:
* Add support for font collection / fragment identifiers.
* Fix web process deadlock on exit.
* Fix stuttering when playing WebP animations
* Fix CSS animations with cubic-bezier timing function.
* Do not start the MemoryPressureMonitor if it’s disabled
* Fix several crashes and rendering issues.
* Updated translations.
- Version 2.48.6:
* Fix emojis incorrectly rendered in their text variant.
* Add support for font collection / fragment identifiers.
* Fix web process deadlock on exit.
* Fix stuttering when playing WebP animations.
* Fix CSS animations with cubic-bezier timing function.
* Do not start the MemoryPressureMonitor if it's disabled.
* Fix several crashes and rendering issues.
- Fix a11y regression where AT-SPI roles were mapped incorrectly.
- Disable skia on ppc64le.
ImportantSUSE bug 1250439SUSE bug 1250440SUSE bug 1250441SUSE bug 1250442SUSE bug 1251975SUSE bug 1254164SUSE bug 1254165SUSE bug 1254166SUSE bug 1254167SUSE bug 1254168SUSE bug 1254169SUSE bug 1254170SUSE bug 1254171SUSE bug 1254172SUSE bug 1254174SUSE bug 1254175SUSE bug 1254176SUSE bug 1254177SUSE bug 1254179SUSE bug 1254208SUSE bug 1254473SUSE bug 1254498SUSE bug 1254509SUSE bug 1255183SUSE bug 1255191SUSE bug 1255194SUSE bug 1255195SUSE bug 1255198SUSE bug 1255200SUSE bug 1255497CVE-2023-43000 at SUSECVE-2023-43000 at NVDCVE-2025-13502 at SUSECVE-2025-13502 at NVDCVE-2025-13947 at SUSECVE-2025-13947 at NVDCVE-2025-14174 at SUSECVE-2025-14174 at NVDCVE-2025-43272 at SUSECVE-2025-43272 at NVDCVE-2025-43342 at SUSECVE-2025-43342 at NVDCVE-2025-43343 at SUSECVE-2025-43343 at NVDCVE-2025-43356 at SUSECVE-2025-43356 at NVDCVE-2025-43368 at SUSECVE-2025-43368 at NVDCVE-2025-43392 at SUSECVE-2025-43392 at NVDCVE-2025-43419 at SUSECVE-2025-43419 at NVDCVE-2025-43421 at SUSECVE-2025-43421 at NVDCVE-2025-43425 at SUSECVE-2025-43425 at NVDCVE-2025-43427 at SUSECVE-2025-43427 at NVDCVE-2025-43429 at SUSECVE-2025-43429 at NVDCVE-2025-43430 at SUSECVE-2025-43430 at NVDCVE-2025-43431 at SUSECVE-2025-43431 at NVDCVE-2025-43432 at SUSECVE-2025-43432 at NVDCVE-2025-43434 at SUSECVE-2025-43434 at NVDCVE-2025-43440 at SUSECVE-2025-43440 at NVDCVE-2025-43443 at SUSECVE-2025-43443 at NVDCVE-2025-43458 at SUSECVE-2025-43458 at NVDCVE-2025-43480 at SUSECVE-2025-43480 at NVDCVE-2025-43501 at SUSECVE-2025-43501 at NVDCVE-2025-43529 at SUSECVE-2025-43529 at NVDCVE-2025-43531 at SUSECVE-2025-43531 at NVDCVE-2025-43535 at SUSECVE-2025-43535 at NVDCVE-2025-43536 at SUSECVE-2025-43536 at NVDCVE-2025-43541 at SUSECVE-2025-43541 at NVDCVE-2025-66287 at SUSECVE-2025-66287 at NVDSecurity update of open-vm-tools (Important)openSUSE Leap 16.0
This update for open-vm-tools fixes the following issues:
Update to open-vm-tools 13.0.5 based on build 24915695. (boo#1250692):
Please refer to the Release Notes at
https://github.com/vmware/open-vm-tools/blob/stable-13.0.5/ReleaseNotes.md.
The granular changes that have gone into the open-vm-tools 13.0.5 release
are in the ChangeLog at
https://github.com/vmware/open-vm-tools/blob/stable-13.0.5/open-vm-tools/ChangeLog.
There are no new features in the open-vm-tools 13.0.5 release. This is
primarily a maintenance release that addresses a security issue.
This release resolves and includes the patch for CVE-2025-41244. For more
information on this vulnerability and its impact on Broadcom products,
see VMSA-2025-0015.
A minor enhancement has been made for Guest OS Customization. The
DeployPkg plugin has been updated to use "systemctl reboot", if available.
For a more complete list of issues addressed in this release, see the
What's New and Resolved Issues section of the Release Notes.
ImportantSUSE bug 1250373SUSE bug 1250692CVE-2025-41244 at SUSECVE-2025-41244 at NVDSecurity update for podman (Important)openSUSE Leap 16.0
This update for podman fixes the following issues:
- CVE-2025-31133,CVE-2025-52565,CVE-2025-52881: container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252376).
- CVE-2025-9566: kube play command may overwrite host files (bsc#1249154).
ImportantSUSE bug 1249154SUSE bug 1252376CVE-2025-31133 at SUSECVE-2025-31133 at NVDCVE-2025-52565 at SUSECVE-2025-52565 at NVDCVE-2025-52881 at SUSECVE-2025-52881 at NVDCVE-2025-9566 at SUSECVE-2025-9566 at NVDSecurity update for libpcap (Low)openSUSE Leap 16.0
This update for libpcap fixes the following issues:
- CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds
read and write (bsc#1255765).
LowSUSE bug 1255765CVE-2025-11961 at SUSECVE-2025-11961 at NVDSecurity update for libheif (Moderate)openSUSE Leap 16.0
This update for libheif fixes the following issues:
- CVE-2025-68431: heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF file that exercises the overlay
image item path (bsc#1255735).
ModerateSUSE bug 1255735CVE-2025-68431 at SUSECVE-2025-68431 at NVDSecurity update for go1.24 (Important)openSUSE Leap 16.0
This update for go1.24 fixes the following issues:
Update to go1.24.12 (released 2026-01-15) (bsc#1236217)
Security fixes:
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).
Other fixes:
* go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76796 runtime: race detector crash on ppc64le
* go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
ImportantSUSE bug 1236217SUSE bug 1256816SUSE bug 1256817SUSE bug 1256818SUSE bug 1256819SUSE bug 1256820SUSE bug 1256821CVE-2025-61726 at SUSECVE-2025-61726 at NVDCVE-2025-61728 at SUSECVE-2025-61728 at NVDCVE-2025-61730 at SUSECVE-2025-61730 at NVDCVE-2025-61731 at SUSECVE-2025-61731 at NVDCVE-2025-68119 at SUSECVE-2025-68119 at NVDCVE-2025-68121 at SUSECVE-2025-68121 at NVDSecurity update for buildah (Important)openSUSE Leap 16.0
This update for buildah fixes the following issues:
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed non validated message size causing a panic due to an out
of bounds read (bsc#1254054)
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: Fixed client process termination when receiving an unexpected
message type in response to a key listing or signing request (bsc#1253598)
- CVE-2025-31133,CVE-2025-52565,CVE-2025-52881: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc
files (bsc#1253096)
Other fixes:
- Updated to version 1.39.5.
ImportantSUSE bug 1253096SUSE bug 1253598SUSE bug 1254054CVE-2025-31133 at SUSECVE-2025-31133 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-52565 at SUSECVE-2025-52565 at NVDCVE-2025-52881 at SUSECVE-2025-52881 at NVDSecurity update for python313 (Moderate)openSUSE Leap 16.0
This update for python313 fixes the following issues:
- Update to 3.13.11:
- Security
- CVE-2025-12084: cpython: Fixed quadratic algorithm in
xml.dom.minidom leading to denial of service (bsc#1254997)
- CVE-2025-13836: Fixed default Content-Lenght read amount
from HTTP response (bsc#1254400)
- CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
- CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory
(EOCD) not checked by the 'zipfile' module (bsc#1251305)
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by B?n?dikt Tran.
- CVE-2025-6075: Fixed performance issues caused by user-controller
os.path.expandvars() (bsc#1252974)
- Library
- gh-140797: Revert changes to the undocumented re.Scanner
class. Capturing groups are still allowed for backward
compatibility, although using them can lead to incorrect
result. They will be forbidden in future Python versions.
- gh-142206: The resource tracker in the multiprocessing
module now uses the original communication protocol, as in
Python 3.14.0 and below, by default. This avoids issues
with upgrading Python while it is running. (Note that such
‘in-place’ upgrades are not tested.) The tracker remains
compatible with subprocesses that use new protocol (that
is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
- Update to 3.13.10:
- Tools/Demos
- gh-141442: The iOS testbed now correctly handles test
arguments that contain spaces.
- Tests
- gh-140482: Preserve and restore the state of stty echo as
part of the test environment.
- gh-140082: Update python -m test to set FORCE_COLOR=1 when
being run with color enabled so that unittest which is run
by it with redirected output will output in color.
- gh-136442: Use exitcode 1 instead of 5 if
unittest.TestCase.setUpClass() raises an exception
- Library
- gh-74389: When the stdin being used by a subprocess.Popen
instance is closed, this is now ignored in
subprocess.Popen.communicate() instead of leaving the class
in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout
handling on Windows when writing large input. Previously,
the timeout was ignored during stdin writing, causing the
method to block indefinitely if the child process did not
consume input quickly. The stdin write is now performed in
a background thread, allowing the timeout to be properly
enforced.
- gh-141473: When subprocess.Popen.communicate() was called
with input and a timeout and is called for a second time
after a TimeoutExpired exception before the process has
died, it should no longer hang.
- gh-59000: Fix pdb breakpoint resolution for class methods
when the module defining the class is not imported.
- gh-141570: Support file-like object raising OSError from
fileno() in color detection (_colorize.can_colorize()).
This can occur when sys.stdout is redirected.
- gh-141659: Fix bad file descriptor errors from
_posixsubprocess on AIX.
- gh-141497: ipaddress: ensure that the methods
IPv4Network.hosts() and IPv6Network.hosts() always return
an iterator.
- gh-140938: The statistics.stdev() and statistics.pstdev()
functions now raise a ValueError when the input contains an
infinity or a NaN.
- gh-124111: Updated Tcl threading configuration in _tkinter
to assume that threads are always available in Tcl 9 and
later.
- gh-137109: The os.fork and related forking APIs will no
longer warn in the common case where Linux or macOS
platform APIs return the number of threads in a process and
find the answer to be 1 even when a os.register_at_fork()
after_in_parent= callback (re)starts a thread.
- gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
when reading files with standalone carriage return (\r)
line endings.
- gh-141311: Fix assertion failure in io.BytesIO.readinto()
and undefined behavior arising when read position is above
capcity in io.BytesIO.
- gh-141141: Fix a thread safety issue with
base64.b85decode(). Contributed by Benel Tayar.
- gh-140911: collections: Ensure that the methods
UserString.rindex() and UserString.index() accept
collections.UserString instances as the sub argument.
- gh-140797: The undocumented re.Scanner class now forbids
regular expressions containing capturing groups in its
lexicon patterns. Patterns using capturing groups could
previously lead to crashes with segmentation fault. Use
non-capturing groups (?:…) instead.
- gh-140815: faulthandler now detects if a frame or a code
object is invalid or freed. Patch by Victor Stinner.
- gh-100218: Correctly set errno when socket.if_nametoindex()
or socket.if_indextoname() raise an OSError. Patch by
B?n?dikt Tran.
- gh-140875: Fix handling of unclosed character references
(named and numerical) followed by the end of file in
html.parser.HTMLParser with convert_charrefs=False.
- gh-140734: multiprocessing: fix off-by-one error when
checking the length of a temporary socket file path. Patch
by B?n?dikt Tran.
- gh-140874: Bump the version of pip bundled in ensurepip to
version 25.3
- gh-140691: In urllib.request, when opening a FTP URL fails
because a data connection cannot be made, the control
connection’s socket is now closed to avoid
a ResourceWarning.
- gh-103847: Fix hang when cancelling process created by
asyncio.create_subprocess_exec() or
asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
- gh-140590: Fix arguments checking for the
functools.partial.__setstate__() that may lead to internal
state corruption and crash. Patch by Sergey Miryanov.
- gh-140634: Fix a reference counting bug in
os.sched_param.__reduce__().
- gh-140633: Ignore AttributeError when setting a module’s
__file__ attribute when loading an extension module
packaged as Apple Framework.
- gh-140593: xml.parsers.expat: Fix a memory leak that could
affect users with ElementDeclHandler() set to a custom
element declaration handler. Patch by Sebastian Pipping.
- gh-140607: Inside io.RawIOBase.read(), validate that the
count of bytes returned by io.RawIOBase.readinto() is valid
(inside the provided buffer).
- gh-138162: Fix logging.LoggerAdapter with merge_extra=True
and without the extra argument.
- gh-140474: Fix memory leak in array.array when creating
arrays from an empty str and the u type code.
- gh-140272: Fix memory leak in the clear() method of the
dbm.gnu database.
- gh-140041: Fix import of ctypes on Android and Cygwin when
ABI flags are present.
- gh-139905: Add suggestion to error message for
typing.Generic subclasses when cls.__parameters__ is
missing due to a parent class failing to call
super().__init_subclass__() in its __init_subclass__.
- gh-139845: Fix to not print KeyboardInterrupt twice in
default asyncio REPL.
- gh-139783: Fix inspect.getsourcelines() for the case when
a decorator is followed by a comment or an empty line.
- gh-70765: http.server: fix default handling of HTTP/0.9
requests in BaseHTTPRequestHandler. Previously,
BaseHTTPRequestHandler.parse_request() incorrectly waited
for headers in the request although those are not supported
in HTTP/0.9. Patch by B?n?dikt Tran.
- gh-139391: Fix an issue when, on non-Windows platforms, it
was not possible to gracefully exit a python -m asyncio
process suspended by Ctrl+Z and later resumed by fg other
than with kill.
- gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
chars as they were treated as part of multi-character
sequences.
- gh-139246: fix: paste zero-width in default repl width is
wrong.
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects
to prevent use of disproportional amounts of dynamic memory
from within an Expat parser. Patch by B?n?dikt Tran.
- gh-139065: Fix trailing space before a wrapped long word if
the line length is exactly width in textwrap.
- gh-138993: Dedent credits text.
- gh-138859: Fix generic type parameterization raising
a TypeError when omitting a ParamSpec that has a default
which is not a list of types.
- gh-138775: Use of python -m with base64 has been fixed to
detect input from a terminal so that it properly notices
EOF.
- gh-98896: Fix a failure in multiprocessing resource_tracker
when SharedMemory names contain colons. Patch by Rani
Pinchuk.
- gh-75989: tarfile.TarFile.extractall() and
tarfile.TarFile.extract() now overwrite symlinks when
extracting hardlinks. (Contributed by Alexander Enrique
Urieles Nieto in gh-75989.)
- gh-83424: Allows creating a ctypes.CDLL without name when
passing a handle as an argument.
- gh-136234: Fix asyncio.WriteTransport.writelines() to be
robust to connection failure, by using the same behavior as
write().
- gh-136057: Fixed the bug in pdb and bdb where next and step
can’t go over the line if a loop exists in the line.
- gh-135307: email: Fix exception in set_content() when
encoding text and max_line_length is set to 0 or None
(unlimited).
- gh-134453: Fixed subprocess.Popen.communicate() input=
handling of memoryview instances that were non-byte shaped
on POSIX platforms. Those are now properly cast to a byte
shaped view instead of truncating the input. Windows
platforms did not have this bug.
- gh-102431: Clarify constraints for “logical” arguments in
methods of decimal.Context.
- IDLE
- gh-96491: Deduplicate version number in IDLE shell title
bar after saving to a file.
- Documentation
- gh-141994: xml.sax.handler: Make Documentation of
xml.sax.handler.feature_external_ges warn of opening up to
external entity attacks. Patch by Sebastian Pipping.
- gh-140578: Remove outdated sencence in the documentation
for multiprocessing, that implied that
concurrent.futures.ThreadPoolExecutor did not exist.
- Core and Builtins
- gh-142048: Fix quadratically increasing garbage collection
delays in free-threaded build.
- gh-141930: When importing a module, use Python’s regular
file object to ensure that writes to .pyc files are
complete or an appropriate error is raised.
- gh-120158: Fix inconsistent state when enabling or
disabling monitoring events too many times.
- gh-141579: Fix sys.activate_stack_trampoline() to properly
support the perf_jit backend. Patch by Pablo Galindo.
- gh-141312: Fix the assertion failure in the __setstate__
method of the range iterator when a non-integer argument is
passed. Patch by Sergey Miryanov.
- gh-140939: Fix memory leak when bytearray or bytes is
formated with the
%*b format with a large width that results in
%a MemoryError.
- gh-140530: Fix a reference leak when raise exc from cause
fails. Patch by B?n?dikt Tran.
- gh-140576: Fixed crash in tokenize.generate_tokens() in
case of specific incorrect input. Patch by Mikhail Efimov.
- gh-140551: Fixed crash in dict if dict.clear() is called at
the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
- gh-140471: Fix potential buffer overflow in ast.AST node
initialization when encountering malformed _fields
containing non-str.
- gh-140406: Fix memory leak when an object’s __hash__()
method returns an object that isn’t an int.
- gh-140306: Fix memory leaks in cross-interpreter channel
operations and shared namespace handling.
- gh-140301: Fix memory leak of PyConfig in subinterpreters.
- gh-140000: Fix potential memory leak when a reference cycle
exists between an instance of typing.TypeAliasType,
typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
and its __name__ attribute. Patch by Mikhail Efimov.
- gh-139748: Fix reference leaks in error branches of
functions accepting path strings or bytes such as compile()
and os.system(). Patch by B?n?dikt Tran.
- gh-139516: Fix lambda colon erroneously start format spec
in f-string in tokenizer.
- gh-139640: Fix swallowing some syntax warnings in different
modules if they accidentally have the same message and are
emitted from the same line. Fix duplicated warnings in the
finally block.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or
PyEval_SetTraceAllThreads() or their Python equivalents
threading.settrace_all_threads() and
threading.setprofile_all_threads().
- gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
match old pre-3.13 REPL behavior.
- C API
- gh-140042: Removed the sqlite3_shutdown call that could
cause closing connections for sqlite when used with
multiple sub interpreters.
- gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
3.11 and older: don’t treat Py_NotImplemented as immortal.
Patch by Victor Stinner.
- Update to 3.13.9:
- Library
- gh-139783: Fix inspect.getsourcelines() for the case when a
decorator is followed by a comment or an empty line.
- Update to 3.13.8:
- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check the version
and checksum values against the Modules/expat/refresh.sh script,
leading to the values becoming out-of-date during routine
updates.
- gh-137873: The iOS test runner has been simplified, resolving
some issues that have been observed using the runner in GitHub
Actions and Azure Pipelines test environments.
- Tests
- gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
--verbose option anymore. Patch by Victor Stinner.
- Security
- gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer
referenced by subparsers created by
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-139283: sqlite3: correctly handle maximum number of rows to
fetch in Cursor.fetchmany and reject negative values for
Cursor.arraysize. Patch by B?n?dikt Tran.
- gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
according to the HTML5 standard: ] ]> and ]] > no longer end the
CDATA section. Add private method _set_support_cdata() which can
be used to specify how to parse <[CDATA[ — as a CDATA section in
foreign content (SVG or MathML) or as a bogus comment in the
HTML namespace.
- Library
- gh-139312: Upgrade bundled libexpat to 2.7.3
- gh-139289: Do a real lazy-import on rlcompleter in pdb and
restore the existing completer after importing rlcompleter.
- gh-139210: Fix use-after-free when reporting unknown event in
xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
- gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in
subprocess.
- gh-112729: Fix crash when calling _interpreters.create when the
process is out of memory.
- gh-139076: Fix a bug in the pydoc module that was hiding
functions in a Python module if they were implemented in an
extension module and the module did not have __all__.
- gh-138998: Update bundled libexpat to 2.7.2
- gh-130567: Fix possible crash in locale.strxfrm() due to a
platform bug on macOS.
- gh-138779: Support device numbers larger than 2**63-1 for the
st_rdev field of the os.stat_result structure.
- gh-128636: Fix crash in PyREPL when os.environ is overwritten
with an invalid value for mac
- gh-88375: Fix normalization of the robots.txt rules and URLs in
the urllib.robotparser module. No longer ignore trailing ?.
Distinguish raw special characters ?, = and & from the
percent-encoded ones.
- gh-138515: email is added to Emscripten build.
- gh-111788: Fix parsing errors in the urllib.robotparser module.
Don’t fail trying to parse weird paths. Don’t fail trying to
decode non-UTF-8 robots.txt files.
- gh-138432: zoneinfo.reset_tzpath() will now convert any
os.PathLike objects it receives into strings before adding them
to TZPATH. It will raise TypeError if anything other than a
string is found after this conversion. If given an os.PathLike
object that represents a relative path, it will now raise
ValueError instead of TypeError, and present a more informative
error message.
- gh-138008: Fix segmentation faults in the ctypes module due to
invalid argtypes. Patch by Dung Nguyen.
- gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
platforms).
- gh-138204: Forbid expansion of shared anonymous memory maps on
Linux, which caused a bus error.
- gh-138010: Fix an issue where defining a class with a
@warnings.deprecated-decorated base class may not invoke the
correct __init_subclass__() method in cases involving multiple
inheritance. Patch by Brian Schubert.
- gh-138133: Prevent infinite traceback loop when sending CTRL^C
to Python through strace.
- gh-134869: Fix an issue where pressing Ctrl+C during tab
completion in the REPL would leave the autocompletion menu in a
corrupted state.
- gh-137317: inspect.signature() now correctly handles classes
that use a descriptor on a wrapped __init__() or __new__()
method. Contributed by Yongyu Yan.
- gh-137754: Fix import of the zoneinfo module if the C
implementation of the datetime module is not available.
- gh-137490: Handle ECANCELED in the same way as EINTR in
signal.sigwaitinfo() on NetBSD.
- gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and
inspect.getsource() for generator expressions.
- gh-137017: Fix threading.Thread.is_alive to remain True until
the underlying OS thread is fully cleaned up. This avoids false
negatives in edge cases involving thread monitoring or premature
threading.Thread.is_alive calls.
- gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
instead of a ValueError if Python has been built without MD5
support. In particular, SMTP clients will not attempt to use
this method even if the remote server is assumed to support it.
Patch by B?n?dikt Tran.
- gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if
CRAM-MD5 authentication is not supported. Patch by B?n?dikt
Tran.
- gh-135386: Fix opening a dbm.sqlite3 database for reading from
read-only file or directory.
- gh-126631: Fix multiprocessing forkserver bug which prevented
__main__ from being preloaded.
- gh-123085: In a bare call to importlib.resources.files(), ensure
the caller’s frame is properly detected when importlib.resources
is itself available as a compiled module only (no source).
- gh-118981: Fix potential hang in
multiprocessing.popen_spawn_posix that can happen when the child
proc dies early by closing the child fds right away.
- gh-78319: UTF8 support for the IMAP APPEND command has been made
RFC compliant.
- bpo-38735: Fix failure when importing a module from the root
directory on unix-like platforms with sys.pycache_prefix set.
- bpo-41839: Allow negative priority values from
os.sched_get_priority_min() and os.sched_get_priority_max()
functions.
- Core and Builtins
- gh-134466: Don’t run PyREPL in a degraded environment where
setting termios attributes is not allowed.
- gh-71810: Raise OverflowError for (-1).to_bytes() for signed
conversions when bytes count is zero. Patch by Sergey B
Kirpichev.
- gh-105487: Remove non-existent __copy__(), __deepcopy__(), and
__bases__ from the __dir__() entries of types.GenericAlias.
- gh-134163: Fix a hang when the process is out of memory inside
an exception handler.
- gh-138479: Fix a crash when a generic object’s __typing_subst__
returns an object that isn’t a tuple.
- gh-137576: Fix for incorrect source code being shown in
tracebacks from the Basic REPL when PYTHONSTARTUP is given.
Patch by Adam Hartz.
- gh-132744: Certain calls now check for runaway recursion and
respect the system recursion limit.
- C API
- gh-87135: Attempting to acquire the GIL after runtime
finalization has begun in a different thread now causes the
thread to hang rather than terminate, which avoids potential
crashes or memory corruption caused by attempting to terminate a
thread that is running code not specifically designed to support
termination. In most cases this hanging is harmless since the
process will soon exit anyway.
While not officially marked deprecated until 3.14,
PyThread_exit_thread is no longer called internally and remains
solely for interface compatibility. Its behavior is inconsistent
across platforms, and it can only be used safely in the unlikely
case that every function in the entire call stack has been
designed to support the platform-dependent termination
mechanism. It is recommended that users of this function change
their design to not require thread termination. In the unlikely
case that thread termination is needed and can be done safely,
users may migrate to calling platform-specific APIs such as
pthread_exit (POSIX) or _endthreadex (Windows) directly.
- Build
- gh-135734: Python can correctly be configured and built with
./configure --enable-optimizations --disable-test-modules.
Previously, the profile data generation step failed due to PGO
tests where immortalization couldn’t be properly suppressed.
- Update to 3.13.7:
- gh-137583: Fix a deadlock introduced in 3.13.6 when a call
to ssl.SSLSocket.recv was blocked in one thread, and then
another method on the object (such as ssl.SSLSocket.send) was
subsequently called in another thread.
- gh-137044: Return large limit values as positive integers
instead of negative integers in resource.getrlimit().
Accept large values and reject negative values (except
RLIM_INFINITY) for limits in resource.setrlimit().
- gh-136914: Fix retrieval of doctest.DocTest.lineno
for objects decorated with functools.cache() or
functools.cached_property.
- gh-131788: Make ResourceTracker.send from multiprocessing
re-entrant safe
- gh-136155: We are now checking for fatal errors in EPUB
builds in CI.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
or their Python equivalents threading.settrace_all_threads()
and threading.setprofile_all_threads().
- Update to 3.13.6:
- Security
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- gh-102555: Fix comment parsing in html.parser.HTMLParser
according to the HTML5 standard.
- CVE-2025-6069: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs – comments and
declarations are automatically closed, tags are ignored
(gh-135462, bsc#1244705).
- CVE-2025-8194: tarfile now validates archives to ensure member
offsets are non-negative. (gh-130577, bsc#1247249).
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Core and Builtins
- gh-58124: Fix name of the Python encoding in Unicode errors
of the code page codec: use “cp65000” and “cp65001” instead
of “CP_UTF7” and “CP_UTF8” which are not valid Python code
names. Patch by Victor Stinner.
- gh-137314: Fixed a regression where raw f-strings
incorrectly interpreted escape sequences in format
specifications. Raw f-strings now properly preserve literal
backslashes in format specs, matching the behavior from
Python 3.11. For example, rf"{obj:\xFF}" now correctly
produces '\\xFF' instead of '?'. Patch by Pablo Galindo.
- gh-136541: Fix some issues with the perf trampolines
on x86-64 and aarch64. The trampolines were not being
generated correctly for some cases, which could lead to
the perf integration not working correctly. Patch by Pablo
Galindo.
- gh-109700: Fix memory error handling in
PyDict_SetDefault().
- gh-78465: Fix error message for cls.__new__(cls, ...) where
cls is not instantiable builtin or extension type (with
tp_new set to NULL).
- gh-135871: Non-blocking mutex lock attempts now return
immediately when the lock is busy instead of briefly
spinning in the free threading build.
- gh-135607: Fix potential weakref races in an object’s
destructor on the free threaded build.
- gh-135496: Fix typo in the f-string conversion type error
(“exclamanation” -> “exclamation”).
- gh-130077: Properly raise custom syntax errors when
incorrect syntax containing names that are prefixes of soft
keywords is encountered. Patch by Pablo Galindo.
- gh-135148: Fixed a bug where f-string debug expressions
(using =) would incorrectly strip out parts of strings
containing escaped quotes and # characters. Patch by Pablo
Galindo.
- gh-133136: Limit excess memory usage in the free threading
build when a large dictionary or list is resized and
accessed by multiple threads.
- gh-132617: Fix dict.update() modification check that could
incorrectly raise a “dict mutated during update” error when
a different dictionary was modified that happens to share
the same underlying keys object.
- gh-91153: Fix a crash when a bytearray is concurrently
mutated during item assignment.
- gh-127971: Fix off-by-one read beyond the end of a string
in string search.
- gh-125723: Fix crash with gi_frame.f_locals when generator
frames outlive their generator. Patch by Mikhail Efimov.
- Library
- gh-132710: If possible, ensure that uuid.getnode()
returns the same result even across different processes.
Previously, the result was constant only within the same
process. Patch by B?n?dikt Tran.
- gh-137273: Fix debug assertion failure in
locale.setlocale() on Windows.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-81325: tarfile.TarFile now accepts a path-like when
working on a tar archive. (Contributed by Alexander Enrique
Urieles Nieto in gh-81325.)
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-136549: Fix signature of threading.excepthook().
- gh-136523: Fix wave.Wave_write emitting an unraisable when
open raises.
- gh-52876: Add missing keepends (default True)
parameter to codecs.StreamReaderWriter.readline() and
codecs.StreamReaderWriter.readlines().
- gh-85702: If zoneinfo._common.load_tzdata is given a
package without a resource a zoneinfo.ZoneInfoNotFoundError
is raised rather than a PermissionError. Patch by Victor
Stinner.
- gh-134759: Fix UnboundLocalError in
email.message.Message.get_payload() when the payload to
decode is a bytes object. Patch by Kliment Lamonov.
- gh-136028: Fix parsing month names containing “İ” (U+0130,
LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().
This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
- gh-135995: In the palmos encoding, make byte 0x9b decode to
› (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
- gh-53203: Fix time.strptime() for %c and %x formats on
locales byn_ER, wal_ET and lzh_TW, and for %X format on
locales ar_SA, bg_BG and lzh_TW.
- gh-91555: An earlier change, which was introduced in
3.13.4, has been reverted. It disabled logging for a logger
during handling of log messages for that logger. Since the
reversion, the behaviour should be as it was before 3.13.4.
- gh-135878: Fixes a crash of types.SimpleNamespace on free
threading builds, when several threads were calling its
__repr__() method at the same time.
- gh-135836: Fix IndexError in
asyncio.loop.create_connection() that could occur when
non-OSError exception is raised during connection and
socket’s close() raises OSError.
- gh-135836: Fix IndexError in
asyncio.loop.create_connection() that could occur when the
Happy Eyeballs algorithm resulted in an empty exceptions
list during connection attempts.
- gh-135855: Raise TypeError instead of SystemError when
_interpreters.set___main___attrs() is passed a non-dict
object. Patch by Brian Schubert.
- gh-135815: netrc: skip security checks if os.getuid() is
missing. Patch by B?n?dikt Tran.
- gh-135640: Address bug where it was possible to call
xml.etree.ElementTree.ElementTree.write() on an ElementTree
object with an invalid root element. This behavior blanked
the file passed to write if it already existed.
- gh-135444: Fix asyncio.DatagramTransport.sendto() to
account for datagram header size when data cannot be sent.
- gh-135497: Fix os.getlogin() failing for longer usernames
on BSD-based platforms.
- gh-135487: Fix reprlib.Repr.repr_int() when given integers
with more than sys.get_int_max_str_digits() digits. Patch
by B?n?dikt Tran.
- gh-135335: multiprocessing: Flush stdout and stderr after
preloading modules in the forkserver.
- gh-135244: uuid: when the MAC address cannot be
determined, the 48-bit node ID is now generated with a
cryptographically-secure pseudo-random number generator
(CSPRNG) as per RFC 9562, ?6.10.3. This affects uuid1().
- gh-135069: Fix the “Invalid error handling” exception in
encodings.idna.IncrementalDecoder to correctly replace the
‘errors’ parameter.
- gh-134698: Fix a crash when calling methods of
ssl.SSLContext or ssl.SSLSocket across multiple threads.
- gh-132124: On POSIX-compliant systems,
multiprocessing.util.get_temp_dir() now ignores TMPDIR
(and similar environment variables) if the path length of
AF_UNIX socket files exceeds the platform-specific maximum
length when using the forkserver start method. Patch by
B?n?dikt Tran.
- gh-133439: Fix dot commands with trailing spaces are
mistaken for multi-line SQL statements in the sqlite3
command-line interface.
- gh-132969: Prevent the ProcessPoolExecutor executor thread,
which remains running when shutdown(wait=False), from
attempting to adjust the pool’s worker processes after
the object state has already been reset during shutdown.
A combination of conditions, including a worker process
having terminated abormally, resulted in an exception and
a potential hang when the still-running executor thread
attempted to replace dead workers within the pool.
- gh-130664: Support the '_' digit separator in formatting
of the integral part of Decimal’s. Patch by Sergey B
Kirpichev.
- gh-85702: If zoneinfo._common.load_tzdata is given a
package without a resource a ZoneInfoNotFoundError is
raised rather than a IsADirectoryError.
- gh-130664: Handle corner-case for Fraction’s formatting:
treat zero-padding (preceding the width field by a zero
('0') character) as an equivalent to a fill character of
'0' with an alignment type of '=', just as in case of
float’s.
- Tools/Demos
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- Tests
- gh-135966: The iOS testbed now handles the app_packages
folder as a site directory.
- gh-135494: Fix regrtest to support excluding tests from
--pgo tests. Patch by Victor Stinner.
- gh-135489: Show verbose output for failing tests during PGO
profiling step with –enable-optimizations.
- Documentation
- gh-135171: Document that the iterator for the leftmost for
clause in the generator expression is created immediately.
- Build
- gh-135497: Fix the detection of MAXLOGNAME in the
configure.ac script.
ModerateSUSE bug 1244680SUSE bug 1244705SUSE bug 1247249SUSE bug 1251305SUSE bug 1252974SUSE bug 1254400SUSE bug 1254401SUSE bug 1254997CVE-2025-12084 at SUSECVE-2025-12084 at NVDCVE-2025-13836 at SUSECVE-2025-13836 at NVDCVE-2025-13837 at SUSECVE-2025-13837 at NVDCVE-2025-6069 at SUSECVE-2025-6069 at NVDCVE-2025-6075 at SUSECVE-2025-6075 at NVDCVE-2025-8194 at SUSECVE-2025-8194 at NVDCVE-2025-8291 at SUSECVE-2025-8291 at NVDSecurity update for rabbitmq-server (Moderate)openSUSE Leap 16.0
This update for rabbitmq-server fixes the following issues:
Changes in rabbitmq-server:
Update to 4.1.5:
* Highlights
- Khepri, an alternative schema data store developed to replace Mnesia,
has matured and is now fully supported (it previously was an experimental feature)
- AMQP 1.0 is now a core protocol that is always enabled. Its plugin is now a no-op that only exists to simplify upgrades.
- The AMQP 1.0 implementation is now significantly more efficient: its peak throughput is more than double than that of 3.13.x
on some workloads
- Efficient sub-linear quorum queue recovery on node startup using checkpoints
- Quorum queues now support priorities (but not exactly the same way as classic queues)
- AMQP 1.0 clients now can manage topologies similarly to how AMQP 0-9-1 clients do it
- The AMQP 1.0 convention (address format) used for interacting with with AMQP 0-9-1 entities is now easier to reason about
- Mirroring (replication) of classic queues was removed after several years of deprecation. For replicated messaging data types,
use quorum queues and/or streams. Non-replicated classic queues remain and their development continues
- Classic queue storage efficiency improvements, in particular recovery time and storage of multi-MiB messages
- Nodes with multiple enabled plugins and little on disk data to recover now start up to 20-30% faster
- New exchange type: Local Random Exchange
- Quorum queue log reads are now offloaded to channels (sessions, connections).
- Initial Support for AMQP 1.0 Filter Expressions
- Feature Flags Quality of Life Improvements
- rabbitmqadmin v2
* Breaking Changes
- Before a client connection can negotiate a maximum frame size (frame_max), it must authenticate
successfully. Before the authenticated phase, a special lower frame_max value
is used.
- With this release, the value was increased from the original 4096 bytes to 8192
to accommodate larger JWT tokens.
- amqplib is a popular client library that has been using
a low frame_max default of 4096. Its users must upgrade to a compatible version
(starting with 0.10.7) or explicitly use a higher frame_max.
amqplib versions older than 0.10.7 will not be able to connect to
RabbitMQ 4.1.0 and later versions due to the initial AMQP 0-9-1 maximum frame size
increase covered above.
- The default MQTT Maximum Packet Size changed from 256 MiB to 16 MiB.
- The following rabbitmq.conf settings are unsupported:
- cluster_formation.etcd.ssl_options.fail_if_no_peer_cert
- cluster_formation.etcd.ssl_options.dh
- cluster_formation.etcd.ssl_options.dhfile
- Classic Queues is Now a Non-Replicated Queue Type
- Quorum Queues Now Have a Default Redelivery Limit
- Up to RabbitMQ 3.13, when an AMQP 0.9.1 client (re-)published a message to RabbitMQ, RabbitMQ interpreted the
- AMQP 0.9.1 x-death header in the published message's basic_message.content.properties.headers field.
- RabbitMQ 4.x will not interpret this x-death header anymore when clients (re-)publish a message.
- CQv1 Storage Implementation was Removed
- Settings cluster_formation.randomized_startup_delay_range.* were Removed
- Several Disk I/O-Related Metrics were Removed
- Default Maximum Message Size Reduced to 16 MiB
- RabbitMQ 3.13 rabbitmq.conf setting rabbitmq_amqp1_0.default_vhost is unsupported in RabbitMQ 4.0.
- RabbitMQ 3.13 rabbitmq.conf settings mqtt.default_user, mqtt.default_password,
and amqp1_0.default_user are unsupported in RabbitMQ 4.0.
- Starting with Erlang 26, client side TLS peer certificate chain verification settings are enabled by default in most contexts:
from federation links to shovels to TLS-enabled LDAP client connections.
- RabbitMQ Shovels will be able connect to a RabbitMQ 4.0 node via AMQP 1.0 only when the Shovel runs on a RabbitMQ node >= 3.13.7.
* See https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.0.1
* and https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.1.0 for more info
- Restore SLES logrotate file, (bsc#1246091)
ModerateSUSE bug 1246091CVE-2025-30219 at SUSECVE-2025-30219 at NVDSecurity update for libpng16 (Moderate)openSUSE Leap 16.0
This update for libpng16 fixes the following issues:
- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525).
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).
ModerateSUSE bug 1256525SUSE bug 1256526CVE-2026-22695 at SUSECVE-2026-22695 at NVDCVE-2026-22801 at SUSECVE-2026-22801 at NVDSecurity update for gdk-pixbuf (Important)openSUSE Leap 16.0
This update for gdk-pixbuf fixes the following issues:
- CVE-2025-7345: heap buffer overflow in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function
(io-jpeg.c) and in glib g_base64_encode_step (bsc#1246114).
- CVE-2025-6199: uninitialized memory could lead to leak arbitrary memory contents (bsc#1245227).
ImportantSUSE bug 1245227SUSE bug 1246114CVE-2025-6199 at SUSECVE-2025-6199 at NVDCVE-2025-7345 at SUSECVE-2025-7345 at NVDSecurity update for go1.25 (Important)openSUSE Leap 16.0
This update for go1.25 fixes the following issues:
Update to go1.25.6 (released 2026-01-15) (bsc#1244485)
Security fixes:
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).
Other fixes:
* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25
ImportantSUSE bug 1244485SUSE bug 1256816SUSE bug 1256817SUSE bug 1256818SUSE bug 1256819SUSE bug 1256820SUSE bug 1256821CVE-2025-61726 at SUSECVE-2025-61726 at NVDCVE-2025-61728 at SUSECVE-2025-61728 at NVDCVE-2025-61730 at SUSECVE-2025-61730 at NVDCVE-2025-61731 at SUSECVE-2025-61731 at NVDCVE-2025-68119 at SUSECVE-2025-68119 at NVDCVE-2025-68121 at SUSECVE-2025-68121 at NVDSecurity update for python-virtualenv (Moderate)openSUSE Leap 16.0
This update for python-virtualenv fixes the following issues:
- CVE-2026-22702: Fixed local attacker can redirect file operations via TOCTOU race condition (bsc#1256458).
ModerateSUSE bug 1256458CVE-2026-22702 at SUSECVE-2026-22702 at NVDSecurity update for python-marshmallow (Moderate)openSUSE Leap 16.0
This update for python-marshmallow fixes the following issues:
- CVE-2025-68480: Fixed possible DoS when using Schema.load(data, many=True) (bsc#1255473).
ModerateSUSE bug 1255473CVE-2025-68480 at SUSECVE-2025-68480 at NVDSecurity update for python-urllib3 (Moderate)openSUSE Leap 16.0
This update for python-urllib3 fixes the following issues:
- CVE-2026-21441: Fixed excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).
ModerateSUSE bug 1256331CVE-2026-21441 at SUSECVE-2026-21441 at NVDSecurity update for python-pyasn1 (Important)openSUSE Leap 16.0
This update for python-pyasn1 fixes the following issues:
- CVE-2026-23490: Fixed Denial-of-Service issue that may lead to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets (bsc#1256902)
ImportantSUSE bug 1256902CVE-2026-23490 at SUSECVE-2026-23490 at NVDSecurity update for busybox (Important)openSUSE Leap 16.0
This update for busybox fixes the following issues:
Security fixes:
- CVE-2025-60876: HTTP request header injection in wget (bsc#1253245).
- CVE-2025-46394: Fixed tar hidden files via escape sequence (bsc#1241661).
Other fixes:
- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670)
- Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237)
ImportantSUSE bug 1236670SUSE bug 1241661SUSE bug 1249237SUSE bug 1253245CVE-2025-46394 at SUSECVE-2025-46394 at NVDCVE-2025-60876 at SUSECVE-2025-60876 at NVDSecurity update for bind (Important)openSUSE Leap 16.0
This update for bind fixes the following issues:
Upgrade to release 9.20.18:
- CVE-2025-13878: Fixed incorrect length checks for BRID and HHIT records (bsc#1256997)
Feature Changes:
* Add more information to the rndc recursing output about
fetches.
* Reduce the number of outgoing queries.
* Provide more information when memory allocation fails.
Bug Fixes:
* Make DNSSEC key rollovers more robust.
* Fix a catalog zone issue, where member zones could fail to
load.
* Allow glue in delegations with QTYPE=ANY.
* Fix slow speed when signing a large delegation zone with NSEC3
opt-out.
* Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to
be invalid.
* Fix a possible catalog zone issue during reconfiguration.
* Fix the charts in the statistics channel.
* Adding NSEC3 opt-out records could leave invalid records in
chain.
* Fix spurious timeouts while resolving names.
* Fix bug where zone switches from NSEC3 to NSEC after
retransfer.
* AMTRELAY type 0 presentation format handling was wrong.
* Fix parsing bug in remote-servers with key or TLS.
* Fix DoT reconfigure/reload bug in the resolver.
* Skip unsupported algorithms when looking for a signing key.
* Fix dnssec-keygen key collision checking for KEY RRtype keys.
* dnssec-verify now uses exit code 1 when failing due to illegal
options.
* Prevent assertion failures of dig when a server is specified
before the -b option.
* Skip buffer allocations if not logging.
ImportantSUSE bug 1256997CVE-2025-13878 at SUSECVE-2025-13878 at NVDSecurity update for python-jaraco.context (Important)openSUSE Leap 16.0
This update for python-jaraco.context fixes the following issues:
- CVE-2026-23949: Fixed malicious tar archives may lead to path traversal (bsc#1256954).
ImportantSUSE bug 1256954CVE-2026-23949 at SUSECVE-2026-23949 at NVDSecurity update for avahi (Moderate)openSUSE Leap 16.0
This update for avahi fixes the following issues:
- CVE-2025-68276: Fixed refuse to create wide-area record browsers when
wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)
ModerateSUSE bug 1256498SUSE bug 1256499SUSE bug 1256500CVE-2025-68276 at SUSECVE-2025-68276 at NVDCVE-2025-68468 at SUSECVE-2025-68468 at NVDCVE-2025-68471 at SUSECVE-2025-68471 at NVDSecurity update for php8 (Moderate)openSUSE Leap 16.0
This update for php8 fixes the following issues:
Version update to 8.4.16:
Security fixes:
- CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710).
- CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711).
- CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712).
Other fixes:
- php8 contains Directories owned by wwwrun but does not require User. (bsc#1255043)
ModerateSUSE bug 1255043SUSE bug 1255710SUSE bug 1255711SUSE bug 1255712CVE-2025-14177 at SUSECVE-2025-14177 at NVDCVE-2025-14178 at SUSECVE-2025-14178 at NVDCVE-2025-14180 at SUSECVE-2025-14180 at NVDRecommended update of flake-pilot (Moderate)openSUSE Leap 16.0
This update for flake-pilot fixes the following issues:
Update version to 3.1.22.
- Fixes to use flakes as normal user
Running a flake is a container based instance provisioning
and startup. Some part of this process requires root permissions
for example mounting the container instance store for the
provisioning step. This commit fixes the required calls to
be properly managed by sudo.
- seed from entropy
- Fix assignment of random sequence number
We should use a seed for the sequence as described in
https://rust-random.github.io/book/guide-seeding.html#a-simple-number
In addition the logic when a random sequence number should
be used was wrong and needed a fix regarding resume and
attach type flakes which must not use a random sequence
- Pass --init option for resume type flakes
In resume mode a sleep command is used to keep the container
open. However, without the --init option there is no signal
handling available. This commit fixes it
- Revert "kill prior remove when using %remove flag"
This reverts commit 06c7d4aa71f74865dfecba399fd08cc2fde2e1f2.
no hard killing needed with the event loop entrypoint
- Fixed CVE-2025-55159 slab: incorrect bounds check
Update to slab 0.4.11 to fix the mentioned CVE.
This Fixes bsc#1248004
- Apply clippy fixes
- Create sequence number for the same invocation
If a flake which is not a resume or attach flake is called twice
with the same invocation arguments an error message is displayed
to give this invocation a new name via the @NAME runtime option.
This commit makes this more comfortable and automatically assigns
a random sequence number for the call if no @NAME is given.
- kill prior remove when using %remove flag
In case the container instance should be removed via the %remove
flag, send a kill first, followed by a force remove. The reason
for this is because we use a never ending sleep command as entry
point for resume type containers. If they should be removed the
standard signal send on podman rm will not stop the sleep and
after a period of 10 seconds podman sends a kill signal itself.
We can speedup this process as we know the entry point command
and send the kill signal first followed by the remove which
saves us some wait time spent in podman otherwise.
- Fix clippy hints
variables can be used directly in the format! string
- Prune old images after load
Make sure no <none> image references stay in the registry
ModerateSUSE bug 1248004CVE-2025-55159 at SUSECVE-2025-55159 at NVDSecurity update for cockpit-subscriptions (Moderate)openSUSE Leap 16.0
This update for cockpit-subscriptions fixes the following issues:
Update to version 12.1:
- CVE-2025-64718: js-yaml: fixed prototype pollution in merge (bsc#1255425).
ModerateSUSE bug 1255425CVE-2025-64718 at SUSECVE-2025-64718 at NVDSecurity update for ImageMagick (Important)openSUSE Leap 16.0
This update for ImageMagick fixes the following issues:
- CVE-2025-65955: Fixed use-after-free/double-free in ImageMagick (bsc#1254435)
- CVE-2025-66628: Fixed Integer Overflow leading to out of bounds read in ImageMagick (32-bit only) (bsc#1254820)
- CVE-2025-68618: Fixed that reading a malicious SVG file may result in a DoS attack (bsc#1255821)
- CVE-2025-68950: Fixed check for circular references in mvg files may lead to stack overflow (bsc#1255822)
- CVE-2025-69204: Fixed an integer overflow can lead to a DoS attack (bsc#1255823)
ImportantSUSE bug 1254435SUSE bug 1254820SUSE bug 1255821SUSE bug 1255822SUSE bug 1255823CVE-2025-65955 at SUSECVE-2025-65955 at NVDCVE-2025-66628 at SUSECVE-2025-66628 at NVDCVE-2025-68618 at SUSECVE-2025-68618 at NVDCVE-2025-68950 at SUSECVE-2025-68950 at NVDCVE-2025-69204 at SUSECVE-2025-69204 at NVDSecurity update for python-FontTools (Moderate)openSUSE Leap 16.0
This update for python-FontTools fixes the following issues:
- CVE-2025-66034: Fixed arbitrary file write vulnerability that could lead to remote code execution (bsc#1254366).
ModerateSUSE bug 1254366CVE-2025-66034 at SUSECVE-2025-66034 at NVDSecurity update for python-h2 (Moderate)openSUSE Leap 16.0
This update for python-h2 fixes the following issues:
- CVE-2025-57804: Fixed HTTP Request Smuggling due to illegal characters in headers (bsc#1248737)
ModerateSUSE bug 1248737CVE-2025-57804 at SUSECVE-2025-57804 at NVDSecurity update for xkbcomp (Low)openSUSE Leap 16.0
This update for xkbcomp fixes the following issues:
- CVE-2018-15863, CVE-2018-15861, CVE-2018-15859, CVE-2018-15853:
Fixed multiple memory handling and correctness issues (bsc#1105832)
LowSUSE bug 1105832CVE-2018-15853 at SUSECVE-2018-15853 at NVDCVE-2018-15859 at SUSECVE-2018-15859 at NVDCVE-2018-15861 at SUSECVE-2018-15861 at NVDCVE-2018-15863 at SUSECVE-2018-15863 at NVDSecurity update for ucode-amd (Important)openSUSE Leap 16.0
This update for ucode-amd fixes the following issues:
Changes in ucode-amd:
- Update to version 20251203 (git commit a0f0e52138e5):
* linux-firmware: Update amd-ucode copyright information
* linux-firmware: Update AMD cpu microcode
- Update to version 20251113 (git commit fb0dbcd30118):
* linux-firmware: Update AMD cpu microcode
- Update to version 20251031 (git commit 04b323bb64f9):
* linux-firmware: Update AMD cpu microcode
- Update to version 20251028 (git commit 4f72031fc195):
* linux-firmware: Update AMD cpu microcode
- Update to version 20251024 (git commit 9b899c779b8a):
* amd-ucode: Fix minimum revisions in README
- Update to version 20250730 (git commit 910c19074091):
* linux-firmware: Update AMD cpu microcode
ImportantSecurity update for python-python-multipart (Important)openSUSE Leap 16.0
This update for python-python-multipart fixes the following issues:
- CVE-2026-24486: Fixed non-default configuration options can lead to path traversal (bsc#1257301).
ImportantSUSE bug 1257301CVE-2026-24486 at SUSECVE-2026-24486 at NVDSecurity update for java-21-openjdk (Important)openSUSE Leap 16.0
This update for java-21-openjdk fixes the following issues:
Update to upstream tag jdk-21.0.10+7 (January 2026 CPU)
Security fixes:
- CVE-2026-21925: Fixed Oracle Java SE component RMI (bsc#1257034).
- CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX (bsc#1257036).
- CVE-2026-21933: Fixed Oracle Java SE component Networking (bsc#1257037).
- CVE-2026-21945: Fixed Oracle Java SE component Security (bsc#1257038).
Other fixes:
- Do not depend on update-desktop-files (jsc#PED-14507, jsc#PED-15217).
ImportantSUSE bug 1257034SUSE bug 1257036SUSE bug 1257037SUSE bug 1257038CVE-2026-21925 at SUSECVE-2026-21925 at NVDCVE-2026-21932 at SUSECVE-2026-21932 at NVDCVE-2026-21933 at SUSECVE-2026-21933 at NVDCVE-2026-21945 at SUSECVE-2026-21945 at NVDSecurity update for python-urllib3 (Important)openSUSE Leap 16.0
This update for python-urllib3 fixes the following issues:
- CVE-2025-66471: Fixed excessive resource consumption via decompression
of highly compressed data in Streaming API (bsc#1254867)
- CVE-2025-66418: Fixed resource exhaustion via unbounded number of links
in the decompression chain (bsc#1254866)
ImportantSUSE bug 1254866SUSE bug 1254867CVE-2025-66418 at SUSECVE-2025-66418 at NVDCVE-2025-66471 at SUSECVE-2025-66471 at NVDRecommended update for cloud-init (Important)openSUSE Leap 16.0
This update for cloud-init fixes the following issues:
Changes in cloud-init:
- Fix dependency replace -serial with -pyserial
- Drop unneeded test dependency on httpretty, fixed long ago
* https://github.com/canonical/cloud-init/pull/1720
- Update to version 25.1.3 (bsc#1245401 , CVE-2024-6174, bsc#1245403, CVE-2024-11584)
ImportantSUSE bug 1245401SUSE bug 1245403CVE-2024-11584 at SUSECVE-2024-11584 at NVDCVE-2024-6174 at SUSECVE-2024-6174 at NVDSecurity update for postgresql16 (Important)openSUSE Leap 16.0
This update for postgresql16 fixes the following issues:
Security fixes:
- CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts (bsc#1253332)
- CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer (bsc#1253333)
Other fixes:
- Upgrade to 16.11
ImportantSUSE bug 1253332SUSE bug 1253333CVE-2025-12817 at SUSECVE-2025-12817 at NVDCVE-2025-12818 at SUSECVE-2025-12818 at NVDSecurity update for postgresql17 and postgresql18 (Important)openSUSE Leap 16.0
This update for postgresql17 and postgresql18 fixes the following issues:
Changes in postgresql17, postgresql18:
Update to 17.7:
* https://www.postgresql.org/about/news/p-3171/
* https://www.postgresql.org/docs/release/17.7/
* bsc#1253332, CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts.
* bsc#1253333, CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer.
Postgresql is shipped in version 18.1.
pgvector was updated to 0.8.1 to support postgresql18.
pgaudit was updated to support postgresql18.
ImportantSUSE bug 1253332SUSE bug 1253333CVE-2025-12817 at SUSECVE-2025-12817 at NVDCVE-2025-12818 at SUSECVE-2025-12818 at NVDSecurity update for elemental-register, elemental-toolkit (Important)openSUSE Leap 16.0
This update for elemental-register, elemental-toolkit fixes the following issues:
elemental-register was updated to 1.8.1:
Changes on top of v1.8.1:
* Update headers to 2026
* Update questions to include SL Micro 6.2
Update to v1.8.1:
* Install yip config files in before-install step
* Bump github.com/rancher-sandbox/go-tpm and its dependencies
This includes few CVE fixes:
* bsc#1241826 (CVE-2025-22872)
* bsc#1241857 (CVE-2025-22872)
* bsc#1251511 (CVE-2025-47911)
* bsc#1251679 (CVE-2025-58190)
elemental-toolkit was updated to v2.3.2:
* Bump golang.org/x/crypto library
This includes few CVE fixes:
* bsc#1241826 (CVE-2025-22872)
* bsc#1241857 (CVE-2025-22872)
* bsc#1251511 (CVE-2025-47911)
* bsc#1251679 (CVE-2025-58190)
* bsc#1253581 (CVE-2025-47913)
* bsc#1253901 (CVE-2025-58181)
* bsc#1254079 (CVE-2025-47914)
ImportantSUSE bug 1241826SUSE bug 1241857SUSE bug 1251511SUSE bug 1251679SUSE bug 1253581SUSE bug 1253901SUSE bug 1254079CVE-2025-22872 at SUSECVE-2025-22872 at NVDCVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-58181 at SUSECVE-2025-58181 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for glibc (Important)openSUSE Leap 16.0
This update for glibc fixes the following issues:
Security fixes:
- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).
Other fixes:
- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)
ImportantSUSE bug 1236282SUSE bug 1256436SUSE bug 1256766SUSE bug 1256822SUSE bug 1257005CVE-2025-0395 at SUSECVE-2025-0395 at NVDCVE-2025-15281 at SUSECVE-2025-15281 at NVDCVE-2026-0861 at SUSECVE-2026-0861 at NVDCVE-2026-0915 at SUSECVE-2026-0915 at NVDSecurity update for java-17-openjdk (Important)openSUSE Leap 16.0
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.18+8 (January 2026 CPU)
Security fixes:
- CVE-2026-21925: Fixed Oracle Java SE component RMI (bsc#1257034).
- CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX (bsc#1257036).
- CVE-2026-21933: Fixed Oracle Java SE component Networking (bsc#1257037).
- CVE-2026-21945: Fixed Oracle Java SE component Security (bsc#1257038).
Other fixes:
- OpenJDK rendering blue borders when it should not, due to missing the fix for JDK-6304250 from upstream (bsc#1255446).
- Do not depend on update-desktop-files (jsc#PED-14507, jsc#PED-15216).
ImportantSUSE bug 1255446SUSE bug 1257034SUSE bug 1257036SUSE bug 1257037SUSE bug 1257038CVE-2026-21925 at SUSECVE-2026-21925 at NVDCVE-2026-21932 at SUSECVE-2026-21932 at NVDCVE-2026-21933 at SUSECVE-2026-21933 at NVDCVE-2026-21945 at SUSECVE-2026-21945 at NVDSecurity update for samba (Critical)openSUSE Leap 16.0
This update for samba fixes the following issues:
Update to 4.22.5:
* CVE-2025-10230: Command injection via WINS server hook script (bsc#1251280).
* CVE-2025-9640: uninitialized memory disclosure via vfs_streams_xattr (bsc#1251279).
- Relax samba-gpupdate requirement for cepces, certmonger, and sscep
to a recommends. They are only required if utilizing certificate
auto enrollment (bsc#1249087).
- Disable timeouts for smb.service so that possibly slow running
ExecStartPre script 'update-samba-security-profile' doesn't
cause service start to fail due to timeouts (bsc#1249181).
- Ensure semanage is pulled in as a requirement when samba in
installed when selinux security access mechanism that is used
(bsc#1249180).
- don't attempt to label paths that don't exist, also remove
unecessary evaluation of semange & restorecon cmds (bsc#1249179).
Update to 4.22.4:
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0
* getpwuid does not shift to new DC when current DC is down
* Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName-
* Unresponsive second DC can cause idmapping failure when using
idmap_ad-
* kinit command is failing with Missing cache Error.
* Figuring out the DC name from IP address fails and breaks
fork_domain_child().
* vfs_streams_depot fstatat broken.
* Delayed leader broadcast can block ctdb forever.
* Apparently there is a conflict between shadow_copy2 module
and virusfilter (action quarantine).
* Fix handling of empty GPO link.
* SMB ACL inheritance doesn't work for files created.
- adjust gpgme build dependency for future-proofing
CriticalSUSE bug 1249087SUSE bug 1249179SUSE bug 1249180SUSE bug 1249181SUSE bug 1251279SUSE bug 1251280CVE-2025-10230 at SUSECVE-2025-10230 at NVDCVE-2025-9640 at SUSECVE-2025-9640 at NVDSecurity update for gpg2 (Important)openSUSE Leap 16.0
This update for gpg2 fixes the following issues:
- CVE-2026-24882: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys (bsc#1257396).
- CVE-2026-24883: denial of service due to long signature packet length causing parse_signature to return success with sig->data[] set to a NULL value (bsc#1257395).
- gpg.fail/filename: GnuPG Accepts Path Separators and Path Traversals in Literal Data "Filename" Field (bsc#1256389).
ImportantSUSE bug 1256389SUSE bug 1257395SUSE bug 1257396CVE-2026-24882 at SUSECVE-2026-24882 at NVDCVE-2026-24883 at SUSECVE-2026-24883 at NVDSecurity update for openvpn (Important)openSUSE Leap 16.0
This update for openvpn fixes the following issues:
- CVE-2025-13086: Fixed improper validation of source IP addresses in OpenVPN that could lead to DoS (bsc#1254486).
ImportantSUSE bug 1254486CVE-2025-13086 at SUSECVE-2025-13086 at NVDSecurity update for jasper (Moderate)openSUSE Leap 16.0
This update for jasper fixes the following issues:
Update to 4.2.8:
- CVE-2025-8837: Fixed a bug in the JPC decoder that could cause bad memory accesses if the debug level is set sufficiently high (bsc#1247901).
- CVE-2025-8836: Added some missing range checking on several coding parameters in the JPC encoder (bsc#1247902).
- CVE-2025-8835: Added a check for a missing color component in the jas_image_chclrspc function (bsc#1247904).
ModerateSUSE bug 1247901SUSE bug 1247902SUSE bug 1247904CVE-2025-8835 at SUSECVE-2025-8835 at NVDCVE-2025-8836 at SUSECVE-2025-8836 at NVDCVE-2025-8837 at SUSECVE-2025-8837 at NVDSecurity update for unbound (Moderate)openSUSE Leap 16.0
This update for unbound fixes the following issues:
Update to 1.24.1:
- CVE-2025-11411: Fixed possible domain hijacking attack (bsc#1252525).
ModerateSUSE bug 1252525CVE-2025-11411 at SUSECVE-2025-11411 at NVDSecurity update for alloy (Important)openSUSE Leap 16.0
This update for alloy fixes the following issues:
Update to 1.12.2:
Security fixes:
- CVE-2025-68156: github.com/expr-lang/expr/builtin: Fixed potential DoS via unbounded recursion (bsc#1255333):
- CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: github.com/opencontainers/runc: Fixed container
breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1255074)
Other fixes:
- Add missing configuration parameter
deployment_name_from_replicaset to k8sattributes processor
(5b90a9d) (@dehaansa)
- database_observability: Fix schema_details collector to fetch
column definitions with case sensitive table names (#4872)
(560dff4) (@jharvey10, @fridgepoet)
- deps: Update jose2go to 1.7.0 (#4858) (dfdd341) (@jharvey10)
- deps: Update npm dependencies [backport] (#5201) (8e06c26)
(@jharvey10)
- Ensure the squid exporter wrapper properly brackets ipv6
addresses [backport] (#5205) (e329cc6) (@dehaansa)
- Preserve meta labels in loki.source.podlogs (#5097) (ab4b21e)
(@kalleep)
- Prevent panic in import.git when update fails [backport]
(#5204) (c82fbae) (@dehaansa, @jharvey10)
- show correct fallback alloy version instead of v1.13.0
(#5110) (b72be99) (@dehaansa, @jharvey10)
ImportantSUSE bug 1255074SUSE bug 1255333CVE-2025-31133 at SUSECVE-2025-31133 at NVDCVE-2025-52565 at SUSECVE-2025-52565 at NVDCVE-2025-52881 at SUSECVE-2025-52881 at NVDCVE-2025-68156 at SUSECVE-2025-68156 at NVDSecurity update for udisks2 (Moderate)openSUSE Leap 16.0
This update for udisks2 fixes the following issues:
- CVE-2025-8067: Fixed a missing bounds check that could lead to out-of-bounds
read in udisks daemon (bsc#1248502).
ModerateSUSE bug 1248502CVE-2025-8067 at SUSECVE-2025-8067 at NVDSecurity update for libsoup (Important)openSUSE Leap 16.0
This update for libsoup fixes the following issues:
- CVE-2025-11021: Fixed out-of-bounds read in Cookie Date Handling of libsoup HTTP Library (bsc#1250562).
- CVE-2026-0719: Fixed stack-based buffer overflow in NTLM authentication can lead to arbitrary code execution (bsc#1256399).
- CVE-2026-0716: Fixed improper bounds handling may allow out-of-bounds read (bsc#1256418).
ImportantSUSE bug 1250562SUSE bug 1256399SUSE bug 1256418CVE-2025-11021 at SUSECVE-2025-11021 at NVDCVE-2026-0716 at SUSECVE-2026-0716 at NVDCVE-2026-0719 at SUSECVE-2026-0719 at NVDSecurity update for java-25-openjdk (Important)openSUSE Leap 16.0
This update for java-25-openjdk fixes the following issues:
Update to upstream tag jdk-25.0.2+10 (January 2026 CPU)
Security fixes:
- CVE-2026-21925: Fixed Oracle Java SE component RMI (bsc#1257034).
- CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX (bsc#1257036).
- CVE-2026-21933: Fixed Oracle Java SE component Networking (bsc#1257037).
- CVE-2026-21945: Fixed Oracle Java SE component Security (bsc#1257038).
Other fixes:
- Do not depend on update-desktop-files (jsc#PED-14507, jsc#PED-15221).
ImportantSUSE bug 1257034SUSE bug 1257036SUSE bug 1257037SUSE bug 1257038CVE-2026-21925 at SUSECVE-2026-21925 at NVDCVE-2026-21932 at SUSECVE-2026-21932 at NVDCVE-2026-21933 at SUSECVE-2026-21933 at NVDCVE-2026-21945 at SUSECVE-2026-21945 at NVDSecurity update for python-filelock (Moderate)openSUSE Leap 16.0
This update for python-filelock fixes the following issues:
- CVE-2025-68146: TOCTOU race condition may allow local attackers to corrupt or truncate arbitrary user files (bsc#1255244).
- CVE-2026-22701: TOCTOU race condition in the SoftFileLock implementation (bsc#1256457).
ModerateSUSE bug 1255244SUSE bug 1256457CVE-2025-68146 at SUSECVE-2025-68146 at NVDCVE-2026-22701 at SUSECVE-2026-22701 at NVDSecurity update for tiff (Important)openSUSE Leap 16.0
This update for tiff fixes the following issues:
tiff was updated to 4.7.1:
* Software configuration changes:
* Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h.
* CMake: define WORDS_BIGENDIAN via tif_config.h
* doc/CMakeLists.txt: remove useless cmake_minimum_required()
* CMake: fix build with LLVM/Clang 17 (fixes issue #651)
* CMake: set CMP0074 new policy
* Set LINKER_LANGUAGE for C targets with C deps
* Export tiffxx cmake target (fixes issue #674)
* autogen.sh: Enable verbose wget.
* configure.ac: Syntax updates for Autoconf 2.71
* autogen.sh: Re-implement based on autoreconf. Failure to update
config.guess/config.sub does not return error (fixes issue #672)
* CMake: fix CMake 4.0 warning when minimum required version is < 3.10.
* CMake: Add build option tiff-static (fixes issue #709)
Library changes:
* Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control
about emitting warnings for unknown tags. No longer emit warnings
about unknown tags by default
* tif_predict.c: speed-up decompression in some cases.
* Bug fixes:
* tif_fax3: For fax group 3 data if no EOL is detected, reading is
retried without synchronisation for EOLs. (fixes issue #54)
* Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
FIELD_IGNORE. Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
FIELD_IGNORE. Improving handling when field_name = NULL. (fixes issue #532)
* tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL compression in
the DNG 1.7 specification
* TIFFWriteDirectorySec: Increment string length for ASCII tags for codec tags
defined with FIELD_xxx bits, as it is done for FIELD_CUSTOM tags. (fixes issue #648)
* Do not error out on a tag whose tag count value is zero, just issue a warning.
Fix parsing a private tag 0x80a6 (fixes issue #647)
* TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24
Fixes https://github.com/OSGeo/gdal/issues/10875)
* tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK() (fixes issue #175)
* Fix writing a Predictor=3 file with non-native endianness
* _TIFFVSetField(): fix potential use of unallocated memory (out-of-bounds
* read / nullptr dereference) in case of out-of-memory situation when dealing with
custom tags (fixes issue #663)
* tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is not equal 1 and
PlanarConfiguration = Contiguous (fixes issue #26)
* tif_fax3.c: error out after a number of times end-of-line or unexpected bad code
words have been reached. (fixes issue #670)
* Fix memory leak in TIFFSetupStrips() (fixes issue #665)
* tif_zip.c: Provide zlib allocation functions. Otherwise for zlib built with
-DZ_SOLO inflating will fail.
* Fix memory leak in _TIFFSetDefaultCompressionState. (fixes issue #676)
* tif_predict.c: Don’t overwrite input buffer of TIFFWriteScanline() if "prediction"
is enabled. Use extra working buffer in PredictorEncodeRow(). (fixes issue #5)
* tif_getimage.c: update some integer overflow checks (fixes issue #79)
* tif_getimage.c: Fix buffer underflow crash for less raster rows at
TIFFReadRGBAImageOriented() (fixes issue #704, bsc#1250413, CVE-2025-9900)
* TIFFReadRGBAImage(): several fixes to avoid buffer overflows.
* Correct passing arguments to TIFFCvtIEEEFloatToNative() and TIFFCvtIEEEDoubleToNative()
if HAVE_IEEEFP is not defined. (fixes issue #699)
* LZWDecode(): avoid nullptr dereference when trying to read again after EOI marker
has been found with remaining output bytes (fixes issue #698)
* TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return.
* TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp when clearing
tif_rawdata (fixes issue #711)
* JPEGEncodeRaw(): error out if a previous scanline failed to be written, to avoid
out-of-bounds access (fixes issue #714)
* tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is defined for 8/12bit
dual mode, introduced in libjpeg-turbo 2.2, which was actually released as 3.0.
Fixes issue #717
* add assert for TIFFReadCustomDirectory infoarray check.
* ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes of each line
were written wrongly. (fixes issue #467)
* fax2ps: fix regression of commit 28c38d648b64a66c3218778c4745225fe3e3a06d where
TIFFTAG_FAXFILLFUNC is being used rather than an output buffer (fixes issue #649)
* tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH (fixes issue #650)
* tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division by zero.
Fixes issue #654
* tiff2pdf: avoid null pointer dereference. (fixes issue #741)
* Improve non-secure integer overflow check (comparison of division result with
multiplicant) at compiler optimisation in tiffcp, rgb2ycbcr and tiff2rgba.
Fixes issue #546
* tiff2rgba: fix some "a partial expression can generate an overflow before it is
assigned to a broader type" warnings. (fixes issue #682)
* tiffdither/tiffmedian: Don't skip the first line of the input image. (fixes issue #703)
* tiffdither: avoid out-of-bounds read identified in issue #733
* tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707)
* tiffmedian: close input file. (fixes issue #735)
* thumbail: avoid potential out of bounds access (fixes issue #715)
* tiffcrop: close open TIFF files and release allocated buffers before exiting in case
of error to avoid memory leaks. (fixes issue #716)
* tiffcrop: fix double-free and memory leak exposed by issue #721
* tiffcrop: avoid buffer overflow. (fixes issue #740)
* tiffcrop: avoid nullptr dereference. (fixes issue #734)
* tiffdump: Fix coverity scan issue CID 1373365: Passing tainted expression *datamem
to PrintData, which uses it as a divisor or modulus.
* tiff2ps: check return of TIFFGetFiled() for TIFFTAG_STRIPBYTECOUNTS and
TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference. (fixes issue #718)
* tiffcmp: fix memory leak when second file cannot be opened. (fixes issue #718 and issue #729)
* tiffcp: fix setting compression level for lossless codecs. (fixes issue #730)
* raw2tiff: close input file before exit (fixes issue #742)
Tools changes:
* tiffinfo: add a -W switch to warn about unknown tags.
* tiffdither: process all pages in input TIFF file.
* Documentation:
* TIFFRGBAImage.rst note added for incorrect saving of images with TIFF orientation
from 5 (LeftTop) to 8 (LeftBottom) in the raster.
* TIFFRGBAImage.rst note added about un-associated alpha handling (fixes issue #67)
* Update "Defining New TIFF Tags" description. (fixes issue #642)
* Fix return type of TIFFReadEncodedTile()
* Update the documentation to reflect deprecated typedefs.
* TIFFWriteDirectory.rst: Clarify TIFFSetWriteOffset() only sets offset for image
data and not for IFD data.
* Update documentation on re-entrancy and thread safety.
* Remove dead links to no more existing Awaresystems web-site.
* Updating BigTIFF specification and some miscelaneous editions.
* Replace some last links and remove last todos.
* Added hints for correct allocation of TIFFYCbCrtoRGB structure and its
associated buffers. (fixes issue #681)
* Added chapter to "Using the TIFF Library" with links to handling multi-page TIFF
and custom directories. (fixes issue #43)
* update TIFFOpen.rst with the return values of mapproc and unmapproc. (fixes issue #12)
Security issues fixed:
* CVE-2025-8961: Fix segmentation fault via main function of tiffcrop utility [bsc#1248117]
* CVE-2025-8534: Fix null pointer dereference in function PS_Lvl2page [bsc#1247582]
* CVE-2025-9165: Fix local execution manipulation can lead to memory leak [bsc#1248330]
* CVE-2024-13978: Fix null pointer dereference in tiff2pdf [bsc#1247581]
* CVE-2025-8176: Fix heap use-after-free in tools/tiffmedian.c [bsc#1247108]
* CVE-2025-8177: Fix possible buffer overflow in tools/thumbnail.c:setrow() [bsc#1247106]
- Fix TIFFMergeFieldInfo() read_count=write_count=0 (bsc#1243503)
ImportantSUSE bug 1243503SUSE bug 1247106SUSE bug 1247108SUSE bug 1247581SUSE bug 1247582SUSE bug 1248117SUSE bug 1248330SUSE bug 1250413CVE-2024-13978 at SUSECVE-2024-13978 at NVDCVE-2025-8176 at SUSECVE-2025-8176 at NVDCVE-2025-8177 at SUSECVE-2025-8177 at NVDCVE-2025-8534 at SUSECVE-2025-8534 at NVDCVE-2025-8961 at SUSECVE-2025-8961 at NVDCVE-2025-9165 at SUSECVE-2025-9165 at NVDCVE-2025-9900 at SUSECVE-2025-9900 at NVDSecurity update for the Linux Kernel (Important)openSUSE Leap 16.0
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2025-38704: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer (bsc#1254408).
- CVE-2025-39880: ceph: fix race condition validating r_parent before applying state (bsc#1250388).
- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046).
- CVE-2025-40042: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (bsc#1252861).
- CVE-2025-40123: bpf: Enforce expected_attach_type for tailcall compatibility (bsc#1253365).
- CVE-2025-40130: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling
- CVE-2025-40160: xen/events: Cleanup find_virq() return codes (bsc#1253400).
- CVE-2025-40167: ext4: detect invalid INLINE_DATA + EXTENTS flag combination (bsc#1253458).
- CVE-2025-40170: net: use dst_dev_rcu() in sk_setup_caps() (bsc#1253413).
- CVE-2025-40179: ext4: verify orphan file size is not too big (bsc#1253442).
- CVE-2025-40190: ext4: guard against EA inode refcount underflow in xattr update (bsc#1253623).
- CVE-2025-40214: af_unix: Initialise scc_index in unix_add_edge() (bsc#1254961).
- CVE-2025-40215: xfrm: delete x->tunnel as we delete x (bsc#1254959).
- CVE-2025-40218: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success (bsc#1254964).
- CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
- CVE-2025-40231: vsock: fix lock inversion in vsock_assign_transport() (bsc#1254815).
- CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813).
- CVE-2025-40237: fs/notify: call exportfs_encode_fid with s_umount (bsc#1254809).
- CVE-2025-40238: net/mlx5: Fix IPsec cleanup over MPV device (bsc#1254871).
- CVE-2025-40239: net: phy: micrel: always set shared->phydev for LAN8814 (bsc#1254868).
- CVE-2025-40242: gfs2: Fix unlikely race in gdlm_put_lock (bsc#1255075).
- CVE-2025-40246: xfs: fix out of bounds memory read error in symlink repair (bsc#1254861).
- CVE-2025-40248: vsock: Ignore signal/timeout on connect() if already established (bsc#1254864).
- CVE-2025-40250: net/mlx5: Clean up only new IRQ glue on request_irq() failure (bsc#1254854).
- CVE-2025-40251: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (bsc#1254856).
- CVE-2025-40252: net: qlogic/qede: fix potential out-of-bounds read in
qede_tpa_cont() and qede_tpa_end() (bsc#1254849).
- CVE-2025-40254: net: openvswitch: remove never-working support for setting nsh fields (bsc#1254852).
- CVE-2025-40255: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() (bsc#1255156).
- CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843).
- CVE-2025-40264: be2net: pass wrb_params in case of OS2BMC (bsc#1254835).
- CVE-2025-40268: cifs: client: fix memory leak in smb3_fs_context_parse_param (bsc#1255082).
- CVE-2025-40271: fs/proc: fix uaf in proc_readdir_de() (bsc#1255297).
- CVE-2025-40274: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying (bsc#1254830).
- CVE-2025-40276: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached (bsc#1254824).
- CVE-2025-40278: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak (bsc#1254825).
- CVE-2025-40279: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak (bsc#1254846).
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847).
- CVE-2025-40292: virtio-net: fix received length check in big packets (bsc#1255175).
- CVE-2025-40293: iommufd: Don't overflow during division for dirty tracking (bsc#1255179).
- CVE-2025-40297: net: bridge: fix use-after-free due to MST port state bypass (bsc#1255187).
- CVE-2025-40319: bpf: Sync pending IRQ work before freeing ring buffer (bsc#1254794).
- CVE-2025-40328: smb: client: fix potential UAF in smb2_close_cached_fid() (bsc#1254624).
- CVE-2025-40330: bnxt_en: Shutdown FW DMA in bnxt_shutdown() (bsc#1254616).
- CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615).
- CVE-2025-40338: ASoC: Intel: avs: Do not share the name pointer between components (bsc#1255273).
- CVE-2025-40346: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() (bsc#1255318).
- CVE-2025-40347: net: enetc: fix the deadlock of enetc_mdio_lock (bsc#1255262).
- CVE-2025-40350: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ (bsc#1255260).
- CVE-2025-40355: sysfs: check visibility before changing group attribute ownership (bsc#1255261).
- CVE-2025-40357: net/smc: fix general protection fault in __smc_diag_dump (bsc#1255097).
- CVE-2025-40359: perf/x86/intel: Fix KASAN global-out-of-bounds warning (bsc#1255087).
- CVE-2025-40362: ceph: fix multifs mds auth caps issue (bsc#1255103).
- CVE-2025-68171: x86/fpu: Ensure XFD state on signal delivery (bsc#1255255).
- CVE-2025-68197: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() (bsc#1255242).
- CVE-2025-68198: crash: fix crashkernel resource shrink (bsc#1255243).
- CVE-2025-68202: sched_ext: Fix unsafe locking in the scx_dump_state() (bsc#1255223).
- CVE-2025-68206: netfilter: nft_ct: add seqadj extension for natted connections (bsc#1255142).
- CVE-2025-68208: bpf: account for current allocated stack depth in widen_imprecise_scalars() (bsc#1255227).
- CVE-2025-68209: mlx5: Fix default values in create CQ (bsc#1255230).
- CVE-2025-68215: ice: fix PTP cleanup on driver removal in error path (bsc#1255226).
- CVE-2025-68239: binfmt_misc: restore write access before closing files opened by open_exec() (bsc#1255272).
- CVE-2025-68259: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced (bsc#1255199).
- CVE-2025-68264: ext4: refresh inline data size before write operations (bsc#1255380).
- CVE-2025-68283: libceph: replace BUG_ON with bounds check for map->max_osd (bsc#1255379).
- CVE-2025-68284: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() (bsc#1255377).
- CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401).
- CVE-2025-68293: mm/huge_memory: fix NULL pointer deference when splitting folio (bsc#1255150).
- CVE-2025-68301: net: atlantic: fix fragment overflow handling in RX path (bsc#1255120).
- CVE-2025-68302: net: sxgbe: fix potential NULL dereference in sxgbe_rx() (bsc#1255121).
- CVE-2025-68317: io_uring/zctx: check chained notif contexts (bsc#1255354).
- CVE-2025-68340: team: Move team device type change at the end of team_port_add (bsc#1255507).
- CVE-2025-68353: net: vxlan: prevent NULL deref in vxlan_xmit_one (bsc#1255533).
- CVE-2025-68363: bpf: Check skb->transport_header is set in bpf_skb_check_mtu (bsc#1255552).
- CVE-2025-68378: bpf: Refactor stack map trace depth calculation into helper function (bsc#1255614).
- CVE-2025-68736: landlock: Optimize file path walks and prepare for audit support (bsc#1255698).
- CVE-2025-68742: bpf: Fix invalid prog->stats access when update_effective_progs fails (bsc#1255707).
- CVE-2025-68744: bpf: Free special fields when update [lru_,]percpu_hash maps (bsc#1255709).
- CVE-2025-71096: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly (bsc#1256606).
The following non security issues were fixed:
- KVM: SEV: Drop GHCB_VERSION_DEFAULT and open code it (bsc#1255672).
- Set HZ=1000 for ppc64 default configuration (jsc#PED-14344)
- bpf: Do not limit bpf_cgroup_from_id to current's namespace (bsc#1255433).
- btrfs: handle aligned EOF truncation correctly for subpage cases (bsc#1253238).
- cgroup: rstat: use LOCK CMPXCHG in css_rstat_updated (bsc#1255434).
- cifs: update dstaddr whenever channel iface is updated (git-fixes).
- cpuidle: menu: Use residency threshold in polling state override decisions (bsc#1255026).
- cpuset: fix warning when disabling remote partition (bsc#1256794).
- ext4: use optimized mballoc scanning regardless of inode format (bsc#1254378).
- net: usb: pegasus: fix memory leak in update_eth_regs_async() (git-fixes).
- netdevsim: print human readable IP address (bsc#1255071).
- powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event
handling (bsc#1253262 ltc#216029).
- powerpc/kexec: Enable SMT before waking offline CPUs (bsc#1214285
bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1253739 ltc#211493
bsc#1254244 ltc#216496).
- sched: Increase sched_tick_remote timeout (bsc#1254510).
- selftests: net: fib-onlink-tests: Set high metric for default IPv6 route (bsc#1255346).
- selftests: net: use slowwait to make sure IPv6 setup finished (bsc#1255349).
- selftests: net: use slowwait to stabilize vrf_route_leaking test (bsc#1255349).
- serial: xilinx_uartps: Use helper function hrtimer_update_function() (stable-fixes).
- supported.conf: Mark lan 743x supported (jsc#PED-14571)
- tick/sched: Limit non-timekeeper CPUs calling jiffies update (bsc#1254477).
- wifi: ath10k: Avoid vdev delete timeout when firmware is already down (stable-fixes).
- x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo (bsc#1256495).
- x86/microcode/AMD: Make __verify_patch_size() return bool (bsc#1256495).
- x86/microcode/AMD: Remove bogus comment from parse_container() (bsc#1256495).
- x86/microcode/AMD: Select which microcode patch to load (bsc#1256495).
- x86/microcode/AMD: Use sha256() instead of init/update/final (bsc#1256495).
ImportantSUSE bug 1205462SUSE bug 1214285SUSE bug 1243112SUSE bug 1245193SUSE bug 1247500SUSE bug 1250388SUSE bug 1252046SUSE bug 1252861SUSE bug 1253155SUSE bug 1253238SUSE bug 1253262SUSE bug 1253365SUSE bug 1253400SUSE bug 1253413SUSE bug 1253414SUSE bug 1253442SUSE bug 1253458SUSE bug 1253623SUSE bug 1253674SUSE bug 1253739SUSE bug 1254126SUSE bug 1254128SUSE bug 1254195SUSE bug 1254244SUSE bug 1254363SUSE bug 1254378SUSE bug 1254408SUSE bug 1254477SUSE bug 1254510SUSE bug 1254518SUSE bug 1254519SUSE bug 1254520SUSE bug 1254615SUSE bug 1254616SUSE bug 1254618SUSE bug 1254621SUSE bug 1254624SUSE bug 1254791SUSE bug 1254793SUSE bug 1254794SUSE bug 1254795SUSE bug 1254796SUSE bug 1254797SUSE bug 1254798SUSE bug 1254808SUSE bug 1254809SUSE bug 1254813SUSE bug 1254815SUSE bug 1254821SUSE bug 1254824SUSE bug 1254825SUSE bug 1254827SUSE bug 1254828SUSE bug 1254829SUSE bug 1254830SUSE bug 1254832SUSE bug 1254835SUSE bug 1254840SUSE bug 1254843SUSE bug 1254846SUSE bug 1254847SUSE bug 1254849SUSE bug 1254850SUSE bug 1254851SUSE bug 1254852SUSE bug 1254854SUSE bug 1254856SUSE bug 1254858SUSE bug 1254860SUSE bug 1254861SUSE bug 1254864SUSE bug 1254868SUSE bug 1254869SUSE bug 1254871SUSE bug 1254894SUSE bug 1254957SUSE bug 1254959SUSE bug 1254961SUSE bug 1254964SUSE bug 1254996SUSE bug 1255026SUSE bug 1255030SUSE bug 1255034SUSE bug 1255035SUSE bug 1255039SUSE bug 1255040SUSE bug 1255041SUSE bug 1255042SUSE bug 1255057SUSE bug 1255058SUSE bug 1255064SUSE bug 1255065SUSE bug 1255068SUSE bug 1255071SUSE bug 1255072SUSE bug 1255075SUSE bug 1255077SUSE bug 1255081SUSE bug 1255082SUSE bug 1255083SUSE bug 1255087SUSE bug 1255092SUSE bug 1255094SUSE bug 1255095SUSE bug 1255097SUSE bug 1255099SUSE bug 1255103SUSE bug 1255116SUSE bug 1255120SUSE bug 1255121SUSE bug 1255122SUSE bug 1255124SUSE bug 1255131SUSE bug 1255134SUSE bug 1255135SUSE bug 1255136SUSE bug 1255138SUSE bug 1255140SUSE bug 1255142SUSE bug 1255145SUSE bug 1255146SUSE bug 1255149SUSE bug 1255150SUSE bug 1255152SUSE bug 1255154SUSE bug 1255155SUSE bug 1255156SUSE bug 1255161SUSE bug 1255167SUSE bug 1255169SUSE bug 1255171SUSE bug 1255175SUSE bug 1255179SUSE bug 1255181SUSE bug 1255182SUSE bug 1255186SUSE bug 1255187SUSE bug 1255190SUSE bug 1255193SUSE bug 1255196SUSE bug 1255197SUSE bug 1255199SUSE bug 1255202SUSE bug 1255203SUSE bug 1255206SUSE bug 1255209SUSE bug 1255218SUSE bug 1255220SUSE bug 1255221SUSE bug 1255223SUSE bug 1255226SUSE bug 1255227SUSE bug 1255228SUSE bug 1255230SUSE bug 1255231SUSE bug 1255233SUSE bug 1255234SUSE bug 1255242SUSE bug 1255243SUSE bug 1255246SUSE bug 1255247SUSE bug 1255251SUSE bug 1255252SUSE bug 1255253SUSE bug 1255255SUSE bug 1255256SUSE bug 1255259SUSE bug 1255260SUSE bug 1255261SUSE bug 1255262SUSE bug 1255272SUSE bug 1255273SUSE bug 1255274SUSE bug 1255276SUSE bug 1255279SUSE bug 1255297SUSE bug 1255312SUSE bug 1255316SUSE bug 1255318SUSE bug 1255325SUSE bug 1255329SUSE bug 1255346SUSE bug 1255349SUSE bug 1255351SUSE bug 1255354SUSE bug 1255357SUSE bug 1255377SUSE bug 1255379SUSE bug 1255380SUSE bug 1255395SUSE bug 1255401SUSE bug 1255415SUSE bug 1255428SUSE bug 1255433SUSE bug 1255434SUSE bug 1255480SUSE bug 1255483SUSE bug 1255488SUSE bug 1255489SUSE bug 1255493SUSE bug 1255495SUSE bug 1255505SUSE bug 1255507SUSE bug 1255508SUSE bug 1255509SUSE bug 1255533SUSE bug 1255541SUSE bug 1255550SUSE bug 1255552SUSE bug 1255553SUSE bug 1255567SUSE bug 1255580SUSE bug 1255601SUSE bug 1255603SUSE bug 1255611SUSE bug 1255614SUSE bug 1255672SUSE bug 1255688SUSE bug 1255698SUSE bug 1255706SUSE bug 1255707SUSE bug 1255709SUSE bug 1255722SUSE bug 1255723SUSE bug 1255724SUSE bug 1255812SUSE bug 1255813SUSE bug 1255814SUSE bug 1255816SUSE bug 1255931SUSE bug 1255932SUSE bug 1255934SUSE bug 1255943SUSE bug 1255944SUSE bug 1256238SUSE bug 1256495SUSE bug 1256606SUSE bug 1256794CVE-2025-38704 at SUSECVE-2025-38704 at NVDCVE-2025-39880 at SUSECVE-2025-39880 at NVDCVE-2025-39977 at SUSECVE-2025-39977 at NVDCVE-2025-40042 at SUSECVE-2025-40042 at NVDCVE-2025-40123 at SUSECVE-2025-40123 at NVDCVE-2025-40130 at SUSECVE-2025-40130 at NVDCVE-2025-40160 at SUSECVE-2025-40160 at NVDCVE-2025-40167 at SUSECVE-2025-40167 at NVDCVE-2025-40170 at SUSECVE-2025-40170 at NVDCVE-2025-40179 at SUSECVE-2025-40179 at NVDCVE-2025-40190 at SUSECVE-2025-40190 at NVDCVE-2025-40209 at SUSECVE-2025-40209 at NVDCVE-2025-40211 at SUSECVE-2025-40211 at NVDCVE-2025-40212 at SUSECVE-2025-40212 at NVDCVE-2025-40213 at SUSECVE-2025-40213 at NVDCVE-2025-40214 at SUSECVE-2025-40214 at NVDCVE-2025-40215 at SUSECVE-2025-40215 at NVDCVE-2025-40218 at SUSECVE-2025-40218 at NVDCVE-2025-40219 at SUSECVE-2025-40219 at NVDCVE-2025-40220 at SUSECVE-2025-40220 at NVDCVE-2025-40221 at SUSECVE-2025-40221 at NVDCVE-2025-40223 at SUSECVE-2025-40223 at NVDCVE-2025-40225 at SUSECVE-2025-40225 at NVDCVE-2025-40226 at SUSECVE-2025-40226 at NVDCVE-2025-40231 at SUSECVE-2025-40231 at NVDCVE-2025-40233 at SUSECVE-2025-40233 at NVDCVE-2025-40235 at SUSECVE-2025-40235 at NVDCVE-2025-40237 at SUSECVE-2025-40237 at NVDCVE-2025-40238 at SUSECVE-2025-40238 at NVDCVE-2025-40239 at SUSECVE-2025-40239 at NVDCVE-2025-40240 at SUSECVE-2025-40240 at NVDCVE-2025-40242 at SUSECVE-2025-40242 at NVDCVE-2025-40246 at SUSECVE-2025-40246 at NVDCVE-2025-40248 at SUSECVE-2025-40248 at NVDCVE-2025-40250 at SUSECVE-2025-40250 at NVDCVE-2025-40251 at SUSECVE-2025-40251 at NVDCVE-2025-40252 at SUSECVE-2025-40252 at NVDCVE-2025-40254 at SUSECVE-2025-40254 at NVDCVE-2025-40255 at SUSECVE-2025-40255 at NVDCVE-2025-40256 at SUSECVE-2025-40256 at NVDCVE-2025-40258 at SUSECVE-2025-40258 at NVDCVE-2025-40262 at SUSECVE-2025-40262 at NVDCVE-2025-40263 at SUSECVE-2025-40263 at NVDCVE-2025-40264 at SUSECVE-2025-40264 at NVDCVE-2025-40266 at SUSECVE-2025-40266 at NVDCVE-2025-40268 at SUSECVE-2025-40268 at NVDCVE-2025-40269 at SUSECVE-2025-40269 at NVDCVE-2025-40271 at SUSECVE-2025-40271 at NVDCVE-2025-40272 at SUSECVE-2025-40272 at NVDCVE-2025-40273 at SUSECVE-2025-40273 at NVDCVE-2025-40274 at SUSECVE-2025-40274 at NVDCVE-2025-40275 at SUSECVE-2025-40275 at NVDCVE-2025-40276 at SUSECVE-2025-40276 at NVDCVE-2025-40277 at SUSECVE-2025-40277 at NVDCVE-2025-40278 at SUSECVE-2025-40278 at NVDCVE-2025-40279 at SUSECVE-2025-40279 at NVDCVE-2025-40280 at SUSECVE-2025-40280 at NVDCVE-2025-40282 at SUSECVE-2025-40282 at NVDCVE-2025-40283 at SUSECVE-2025-40283 at NVDCVE-2025-40284 at SUSECVE-2025-40284 at NVDCVE-2025-40287 at SUSECVE-2025-40287 at NVDCVE-2025-40288 at SUSECVE-2025-40288 at NVDCVE-2025-40289 at SUSECVE-2025-40289 at NVDCVE-2025-40292 at SUSECVE-2025-40292 at NVDCVE-2025-40293 at SUSECVE-2025-40293 at NVDCVE-2025-40294 at SUSECVE-2025-40294 at NVDCVE-2025-40297 at SUSECVE-2025-40297 at NVDCVE-2025-40301 at SUSECVE-2025-40301 at NVDCVE-2025-40302 at SUSECVE-2025-40302 at NVDCVE-2025-40303 at SUSECVE-2025-40303 at NVDCVE-2025-40304 at SUSECVE-2025-40304 at NVDCVE-2025-40307 at SUSECVE-2025-40307 at NVDCVE-2025-40308 at SUSECVE-2025-40308 at NVDCVE-2025-40309 at SUSECVE-2025-40309 at NVDCVE-2025-40310 at SUSECVE-2025-40310 at NVDCVE-2025-40311 at SUSECVE-2025-40311 at NVDCVE-2025-40314 at SUSECVE-2025-40314 at NVDCVE-2025-40315 at SUSECVE-2025-40315 at NVDCVE-2025-40316 at SUSECVE-2025-40316 at NVDCVE-2025-40317 at SUSECVE-2025-40317 at NVDCVE-2025-40318 at SUSECVE-2025-40318 at NVDCVE-2025-40319 at SUSECVE-2025-40319 at NVDCVE-2025-40320 at SUSECVE-2025-40320 at NVDCVE-2025-40321 at SUSECVE-2025-40321 at NVDCVE-2025-40322 at SUSECVE-2025-40322 at NVDCVE-2025-40323 at SUSECVE-2025-40323 at NVDCVE-2025-40324 at SUSECVE-2025-40324 at NVDCVE-2025-40328 at SUSECVE-2025-40328 at NVDCVE-2025-40329 at SUSECVE-2025-40329 at NVDCVE-2025-40330 at SUSECVE-2025-40330 at NVDCVE-2025-40331 at SUSECVE-2025-40331 at NVDCVE-2025-40332 at SUSECVE-2025-40332 at NVDCVE-2025-40337 at SUSECVE-2025-40337 at NVDCVE-2025-40338 at SUSECVE-2025-40338 at NVDCVE-2025-40339 at SUSECVE-2025-40339 at NVDCVE-2025-40340 at SUSECVE-2025-40340 at NVDCVE-2025-40342 at SUSECVE-2025-40342 at NVDCVE-2025-40343 at SUSECVE-2025-40343 at NVDCVE-2025-40344 at SUSECVE-2025-40344 at NVDCVE-2025-40345 at SUSECVE-2025-40345 at NVDCVE-2025-40346 at SUSECVE-2025-40346 at NVDCVE-2025-40347 at SUSECVE-2025-40347 at NVDCVE-2025-40350 at SUSECVE-2025-40350 at NVDCVE-2025-40353 at SUSECVE-2025-40353 at NVDCVE-2025-40354 at SUSECVE-2025-40354 at NVDCVE-2025-40355 at SUSECVE-2025-40355 at NVDCVE-2025-40357 at SUSECVE-2025-40357 at NVDCVE-2025-40359 at SUSECVE-2025-40359 at NVDCVE-2025-40360 at SUSECVE-2025-40360 at NVDCVE-2025-40362 at SUSECVE-2025-40362 at NVDCVE-2025-68167 at SUSECVE-2025-68167 at NVDCVE-2025-68170 at SUSECVE-2025-68170 at NVDCVE-2025-68171 at SUSECVE-2025-68171 at NVDCVE-2025-68172 at SUSECVE-2025-68172 at NVDCVE-2025-68176 at SUSECVE-2025-68176 at NVDCVE-2025-68180 at SUSECVE-2025-68180 at NVDCVE-2025-68181 at SUSECVE-2025-68181 at NVDCVE-2025-68183 at SUSECVE-2025-68183 at NVDCVE-2025-68184 at SUSECVE-2025-68184 at NVDCVE-2025-68185 at SUSECVE-2025-68185 at NVDCVE-2025-68190 at SUSECVE-2025-68190 at NVDCVE-2025-68192 at SUSECVE-2025-68192 at NVDCVE-2025-68194 at SUSECVE-2025-68194 at NVDCVE-2025-68195 at SUSECVE-2025-68195 at NVDCVE-2025-68197 at SUSECVE-2025-68197 at NVDCVE-2025-68198 at SUSECVE-2025-68198 at NVDCVE-2025-68201 at SUSECVE-2025-68201 at NVDCVE-2025-68202 at SUSECVE-2025-68202 at NVDCVE-2025-68206 at SUSECVE-2025-68206 at NVDCVE-2025-68207 at SUSECVE-2025-68207 at NVDCVE-2025-68208 at SUSECVE-2025-68208 at NVDCVE-2025-68209 at SUSECVE-2025-68209 at NVDCVE-2025-68210 at SUSECVE-2025-68210 at NVDCVE-2025-68213 at SUSECVE-2025-68213 at NVDCVE-2025-68215 at SUSECVE-2025-68215 at NVDCVE-2025-68217 at SUSECVE-2025-68217 at NVDCVE-2025-68222 at SUSECVE-2025-68222 at NVDCVE-2025-68223 at SUSECVE-2025-68223 at NVDCVE-2025-68230 at SUSECVE-2025-68230 at NVDCVE-2025-68233 at SUSECVE-2025-68233 at NVDCVE-2025-68235 at SUSECVE-2025-68235 at NVDCVE-2025-68237 at SUSECVE-2025-68237 at NVDCVE-2025-68238 at SUSECVE-2025-68238 at NVDCVE-2025-68239 at SUSECVE-2025-68239 at NVDCVE-2025-68242 at SUSECVE-2025-68242 at NVDCVE-2025-68244 at SUSECVE-2025-68244 at NVDCVE-2025-68249 at SUSECVE-2025-68249 at NVDCVE-2025-68252 at SUSECVE-2025-68252 at NVDCVE-2025-68254 at SUSECVE-2025-68254 at NVDCVE-2025-68255 at SUSECVE-2025-68255 at NVDCVE-2025-68256 at SUSECVE-2025-68256 at NVDCVE-2025-68257 at SUSECVE-2025-68257 at NVDCVE-2025-68258 at SUSECVE-2025-68258 at NVDCVE-2025-68259 at SUSECVE-2025-68259 at NVDCVE-2025-68264 at SUSECVE-2025-68264 at NVDCVE-2025-68283 at SUSECVE-2025-68283 at NVDCVE-2025-68284 at SUSECVE-2025-68284 at NVDCVE-2025-68285 at SUSECVE-2025-68285 at NVDCVE-2025-68286 at SUSECVE-2025-68286 at NVDCVE-2025-68287 at SUSECVE-2025-68287 at NVDCVE-2025-68289 at SUSECVE-2025-68289 at NVDCVE-2025-68290 at SUSECVE-2025-68290 at NVDCVE-2025-68293 at SUSECVE-2025-68293 at NVDCVE-2025-68298 at SUSECVE-2025-68298 at NVDCVE-2025-68301 at SUSECVE-2025-68301 at NVDCVE-2025-68302 at SUSECVE-2025-68302 at NVDCVE-2025-68303 at SUSECVE-2025-68303 at NVDCVE-2025-68305 at SUSECVE-2025-68305 at NVDCVE-2025-68306 at SUSECVE-2025-68306 at NVDCVE-2025-68307 at SUSECVE-2025-68307 at NVDCVE-2025-68308 at SUSECVE-2025-68308 at NVDCVE-2025-68311 at SUSECVE-2025-68311 at NVDCVE-2025-68312 at SUSECVE-2025-68312 at NVDCVE-2025-68313 at SUSECVE-2025-68313 at NVDCVE-2025-68317 at SUSECVE-2025-68317 at NVDCVE-2025-68327 at SUSECVE-2025-68327 at NVDCVE-2025-68328 at SUSECVE-2025-68328 at NVDCVE-2025-68330 at SUSECVE-2025-68330 at NVDCVE-2025-68331 at SUSECVE-2025-68331 at NVDCVE-2025-68332 at SUSECVE-2025-68332 at NVDCVE-2025-68335 at SUSECVE-2025-68335 at NVDCVE-2025-68339 at SUSECVE-2025-68339 at NVDCVE-2025-68340 at SUSECVE-2025-68340 at NVDCVE-2025-68342 at SUSECVE-2025-68342 at NVDCVE-2025-68343 at SUSECVE-2025-68343 at NVDCVE-2025-68344 at SUSECVE-2025-68344 at NVDCVE-2025-68345 at SUSECVE-2025-68345 at NVDCVE-2025-68346 at SUSECVE-2025-68346 at NVDCVE-2025-68347 at SUSECVE-2025-68347 at NVDCVE-2025-68351 at SUSECVE-2025-68351 at NVDCVE-2025-68352 at SUSECVE-2025-68352 at NVDCVE-2025-68353 at SUSECVE-2025-68353 at NVDCVE-2025-68354 at SUSECVE-2025-68354 at NVDCVE-2025-68362 at SUSECVE-2025-68362 at NVDCVE-2025-68363 at SUSECVE-2025-68363 at NVDCVE-2025-68378 at SUSECVE-2025-68378 at NVDCVE-2025-68380 at SUSECVE-2025-68380 at NVDCVE-2025-68724 at SUSECVE-2025-68724 at NVDCVE-2025-68732 at SUSECVE-2025-68732 at NVDCVE-2025-68736 at SUSECVE-2025-68736 at NVDCVE-2025-68740 at SUSECVE-2025-68740 at NVDCVE-2025-68742 at SUSECVE-2025-68742 at NVDCVE-2025-68744 at SUSECVE-2025-68744 at NVDCVE-2025-68746 at SUSECVE-2025-68746 at NVDCVE-2025-68747 at SUSECVE-2025-68747 at NVDCVE-2025-68748 at SUSECVE-2025-68748 at NVDCVE-2025-68749 at SUSECVE-2025-68749 at NVDCVE-2025-68750 at SUSECVE-2025-68750 at NVDCVE-2025-68753 at SUSECVE-2025-68753 at NVDCVE-2025-68757 at SUSECVE-2025-68757 at NVDCVE-2025-68758 at SUSECVE-2025-68758 at NVDCVE-2025-68759 at SUSECVE-2025-68759 at NVDCVE-2025-68765 at SUSECVE-2025-68765 at NVDCVE-2025-68766 at SUSECVE-2025-68766 at NVDCVE-2025-71096 at SUSECVE-2025-71096 at NVDSecurity update for python-wheel (Important)openSUSE Leap 16.0
This update for python-wheel fixes the following issues:
- CVE-2026-24049: Fixed absent path sanitization can cause arbitrary file permission modification (bsc#1257100).
ImportantSUSE bug 1257100CVE-2026-24049 at SUSECVE-2026-24049 at NVDSecurity update for dpdk (Moderate)openSUSE Leap 16.0
This update for dpdk fixes the following issues:
Update to version 24.11.4.
Security issues fixed:
- CVE-2025-23259: issue in the Poll Mode Driver (PMD) allows an attacker on a VM in the system to leak information and
cause a denial of service on the network interface (bsc#1254161).
Other issues fixed:
- Remove obsolete build option -Denable_kmods.
- Add "which" as a build requirement.
- Drop pesign and needssslcertforbuild because we don't build a kmp anymore (bsc#1247389).
ModerateSUSE bug 1247389SUSE bug 1254161CVE-2025-23259 at SUSECVE-2025-23259 at NVDSecurity update for glib2 (Important)openSUSE Leap 16.0
This update for glib2 fixes the following issues:
- CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing (bsc#1257354).
- CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64 encoding routine (bsc#1257355).
- CVE-2026-1489: Fixed undersized heap allocation followed by out-of-bounds access due to integer overflow in Unicode case conversion (bsc#1257353).
- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
ImportantSUSE bug 1257049SUSE bug 1257353SUSE bug 1257354SUSE bug 1257355CVE-2026-0988 at SUSECVE-2026-0988 at NVDCVE-2026-1484 at SUSECVE-2026-1484 at NVDCVE-2026-1485 at SUSECVE-2026-1485 at NVDCVE-2026-1489 at SUSECVE-2026-1489 at NVDSecurity update for wireshark (Moderate)openSUSE Leap 16.0
This update for wireshark fixes the following issues:
Update to Wireshark 4.4.13:
- CVE-2025-11626: MONGO dissector infinite loop (bsc#1251933).
- CVE-2025-13499: Kafka dissector crash (bsc#1254108).
- CVE-2025-13945: HTTP3 dissector crash (bsc#1254471).
- CVE-2025-13946: MEGACO dissector infinite loop (bsc#1254472).
- CVE-2025-9817: SSH dissector crash (bsc#1249090).
- CVE-2026-0959: IEEE 802.11 dissector crash (bsc#1256734).
- CVE-2026-0961: BLF file parser crash (bsc#1256738).
- CVE-2026-0962: SOME/IP-SD dissector crash (bsc#1256739).
Full changelog:
https://www.wireshark.org/docs/relnotes/wireshark-4.4.13.html
ModerateSUSE bug 1249090SUSE bug 1251933SUSE bug 1254108SUSE bug 1254471SUSE bug 1254472SUSE bug 1256734SUSE bug 1256738SUSE bug 1256739CVE-2025-11626 at SUSECVE-2025-11626 at NVDCVE-2025-13499 at SUSECVE-2025-13499 at NVDCVE-2025-13945 at SUSECVE-2025-13945 at NVDCVE-2025-13946 at SUSECVE-2025-13946 at NVDCVE-2025-9817 at SUSECVE-2025-9817 at NVDCVE-2026-0959 at SUSECVE-2026-0959 at NVDCVE-2026-0961 at SUSECVE-2026-0961 at NVDCVE-2026-0962 at SUSECVE-2026-0962 at NVDSecurity update for openssl-3 (Important)openSUSE Leap 16.0
This update for openssl-3 fixes the following issues:
Security fixes:
- CVE-2025-11187: Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (bsc#1256829).
- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-15468: NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (bsc#1256831).
- CVE-2025-15469: "openssl dgst" one-shot codepath silently truncates inputs >16MB (bsc#1256832).
- CVE-2025-66199: TLS 1.3 CompressedCertificate excessive memory allocation (bsc#1256833).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
Other fixes:
- Enable livepatching support for ppc64le (bsc#1257274).
ImportantSUSE bug 1256829SUSE bug 1256830SUSE bug 1256831SUSE bug 1256832SUSE bug 1256833SUSE bug 1256834SUSE bug 1256835SUSE bug 1256836SUSE bug 1256837SUSE bug 1256838SUSE bug 1256839SUSE bug 1256840SUSE bug 1257274CVE-2025-11187 at SUSECVE-2025-11187 at NVDCVE-2025-15467 at SUSECVE-2025-15467 at NVDCVE-2025-15468 at SUSECVE-2025-15468 at NVDCVE-2025-15469 at SUSECVE-2025-15469 at NVDCVE-2025-66199 at SUSECVE-2025-66199 at NVDCVE-2025-68160 at SUSECVE-2025-68160 at NVDCVE-2025-69418 at SUSECVE-2025-69418 at NVDCVE-2025-69419 at SUSECVE-2025-69419 at NVDCVE-2025-69420 at SUSECVE-2025-69420 at NVDCVE-2025-69421 at SUSECVE-2025-69421 at NVDCVE-2026-22795 at SUSECVE-2026-22795 at NVDCVE-2026-22796 at SUSECVE-2026-22796 at NVDSecurity update for libxslt (Important)openSUSE Leap 16.0
This update for libxslt fixes the following issues:
Changes in libxslt:
- CVE-2025-11731: Fixed type confusion in exsltFuncResultCompfunction leading to denial of service (bsc#1251979)
- CVE-2025-10911: Fixed use-after-free with key data stored cross-RVT (bsc#1250553)
ImportantSUSE bug 1250553SUSE bug 1251979CVE-2025-10911 at SUSECVE-2025-10911 at NVDCVE-2025-11731 at SUSECVE-2025-11731 at NVDSecurity update for cups (Critical)openSUSE Leap 16.0
This update for cups fixes the following issues:
Update to version 2.4.16.
Security issues fixed:
- CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).
- CVE-2025-58436: slow client communication leads to a possible DoS attack (bsc#1244057).
- CVE-2025-58364: unsafe deserialization and validation of printer attributes can cause a null dereference (bsc#1249128).
- CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).
Other updates and bugfixes:
- Version upgrade to 2.4.16:
* 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences,
potentially reading past the end of the source string
(Issue #1438)
* The web interface did not support domain usernames fully
(Issue #1441)
* Fixed an infinite loop issue in the GTK+ print dialog
(Issue #1439 boo#1254353)
* Fixed stopping scheduler on unknown directive in
configuration (Issue #1443)
* Fixed packages for Immutable Mode (jsc#PED-14775
from epic jsc#PED-14688)
- Version upgrade to 2.4.15:
* Fixed potential crash in 'cups-driverd' when there are
duplicate PPDs (Issue #1355)
* Fixed error recovery when scanning for PPDs
in 'cups-driverd' (Issue #1416)
- Version upgrade to 2.4.14.
- Version upgrade to 2.4.13:
* Added 'print-as-raster' printer and job attributes
for forcing rasterization (Issue #1282)
* Updated documentation (Issue #1086)
* Updated IPP backend to try a sanitized user name if the
printer/server does not like the value (Issue #1145)
* Updated the scheduler to send the "printer-added"
or "printer-modified" events whenever an IPP Everywhere PPD
is installed (Issue #1244)
* Updated the scheduler to send the "printer-modified" event
whenever the system default printer is changed (Issue #1246)
* Fixed a memory leak in 'httpClose' (Issue #1223)
* Fixed missing commas in 'ippCreateRequestedArray'
(Issue #1234)
* Fixed subscription issues in the scheduler and D-Bus notifier
(Issue #1235)
* Fixed media-default reporting for custom sizes (Issue #1238)
* Fixed support for IPP/PPD options with periods or underscores
(Issue #1249)
* Fixed parsing of real numbers in PPD compiler source files
(Issue #1263)
* Fixed scheduler freezing with zombie clients (Issue #1264)
* Fixed support for the server name in the ErrorLog filename
(Issue #1277)
* Fixed job cleanup after daemon restart (Issue #1315)
* Fixed handling of buggy DYMO USB printer serial numbers
(Issue #1338)
* Fixed unreachable block in IPP backend (Issue #1351)
* Fixed memory leak in _cupsConvertOptions (Issue #1354)
- Version upgrade to 2.4.12:
* GnuTLS follows system crypto policies now (Issue #1105)
* Added `NoSystem` SSLOptions value (Issue #1130)
* Now we raise alert for certificate issues (Issue #1194)
* Added Kyocera USB quirk (Issue #1198)
* The scheduler now logs a job's debugging history
if the backend fails (Issue #1205)
* Fixed a potential timing issue with `cupsEnumDests`
(Issue #1084)
* Fixed a potential "lost PPD" condition in the scheduler
(Issue #1109)
* Fixed a compressed file error handling bug (Issue #1070)
* Fixed a bug in the make-and-model whitespace trimming
code (Issue #1096)
* Fixed a removal of IPP Everywhere permanent queue
if installation failed (Issue #1102)
* Fixed `ServerToken None` in scheduler (Issue #1111)
* Fixed invalid IPP keyword values created from PPD
option names (Issue #1118)
* Fixed handling of "media" and "PageSize" in the same
print request (Issue #1125)
* Fixed client raster printing from macOS (Issue #1143)
* Fixed the default User-Agent string.
* Fixed a recursion issue in `ippReadIO`.
* Fixed handling incorrect radix in `scan_ps()` (Issue #1188)
* Fixed validation of dateTime values with time zones
more than UTC+11 (Issue #1201)
* Fixed attributes returned by the Create-Xxx-Subscriptions
requests (Issue #1204)
* Fixed `ippDateToTime` when using a non GMT/UTC timezone
(Issue #1208)
* Fixed `job-completed` event notifications for jobs that are
cancelled before started (Issue #1209)
* Fixed DNS-SD discovery with `ippfind` (Issue #1211)
CriticalSUSE bug 1244057SUSE bug 1249049SUSE bug 1249128SUSE bug 1253783SUSE bug 1254353CVE-2025-58060 at SUSECVE-2025-58060 at NVDCVE-2025-58364 at SUSECVE-2025-58364 at NVDCVE-2025-58436 at SUSECVE-2025-58436 at NVDCVE-2025-61915 at SUSECVE-2025-61915 at NVDSecurity update for golang-github-prometheus-prometheus (Important)openSUSE Leap 16.0
This update for golang-github-prometheus-prometheus fixes the following issues:
Update to version 3.5.0:
Security issues fixed:
- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global (bsc#1257329).
- CVE-2025-12816: interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588).
Other updates and bugfixes:
- Update to 3.5.0 (jsc#PED-13824):
* [FEATURE] Remote-write: Add support for Azure Workload Identity
as an authentication method for the receiver.
* [FEATURE] PromQL: Add first_over_time(...) and
ts_of_first_over_time(...) behind feature flag.
* [FEATURE] Federation: Add support for native histograms with
custom buckets (NHCB).
* [ENHANCEMENT] PromQL: Add warn-level annotations for counter
reset conflicts in certain histogram operations.
* [ENHANCEMENT] UI: Add scrape interval and scrape timeout to
targets page.
- Update to 3.4.0:
* Add unified AWS service discovery for ec2, lightsail and ecs services.
* [FEATURE] Native histograms are now a stable, but optional
feature.
* [FEATURE] UI: Show detailed relabeling steps for each
discovered target.
* [ENHANCEMENT] Alerting: Add "unknown" state for alerting rules
that haven't been evaluated yet.
* [BUGFIX] Scrape: Fix a bug where scrape cache would not be
cleared on startup.
- Update to 3.3.0:
* [FEATURE] Spring Boot 3.3 includes support for the Prometheus
Client 1.x.
* [ENHANCEMENT] Dependency management for Dropwizard Metrics has
been removed.
- Update to 3.2.0:
* [FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).
* [ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add
and Sub.
* [BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN
threshold are now rejected.
- Update to 3.1.0:
* [FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec.
"created timestamp" (CT) is now called "start timestamp" (ST).
* [BUGFIX] Mixin: Add static UID to the remote-write dashboard.
- Update to 3.0.1:
* [BUGFIX] Promql: Make subqueries left open.
* [BUGFIX] Fix memory leak when query log is enabled.
* [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.
- Update to 3.0.0:
* [CHANGE] Deprecated feature flags removed.
* [FEATURE] New UI.
* [FEATURE] Remote Write 2.0.
* [FEATURE] OpenTelemetry Support.
* [FEATURE] UTF-8 support is now stable and enabled by default.
* [FEATURE] OTLP Ingestion.
* [FEATURE] Native Histograms.
* [BUGFIX] PromQL: Fix count_values for histograms.
* [BUGFIX] TSDB: Fix race on stale values in headAppender.
* [BUGFIX] UI: Fix selector / series formatting for empty metric
names.
- Update to 2.55.0:
* [FEATURE] PromQL: Add `last_over_time` function.
* [FEATURE] Agent: Add `prometheus_agent_build_info` metric.
* [ENHANCEMENT] PromQL: Optimise `group()` and `group by()`.
* [ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.
* [BUGFIX] Scrape: Fix a bug where a target could be scraped
multiple times.
- Update to 2.54.0:
* [CHANGE] Remote-Write: highest_timestamp_in_seconds and
queue_highest_sent_timestamp_seconds metrics now initialized to
0.
* [CHANGE] API: Split warnings from info annotations in API
response.
* [FEATURE] Remote-Write: Version 2.0 experimental, plus metadata
in WAL via feature flag.
* [FEATURE] PromQL: add limitk() and limit_ratio() aggregation
operators.
* [ENHANCEMENT] PromQL: Accept underscores in literal numbers.
* [ENHANCEMENT] PromQL: float literal numbers and durations are
now interchangeable (experimental).
* [ENHANCEMENT] PromQL (experimental native histograms): Optimize
histogram_count and histogram_sum functions.
* [BUGFIX] PromQL: Fix various issues with native histograms.
* [BUGFIX] TSDB: Fix race on stale values in headAppender.
* [BUGFIX] OTLP receiver: Allow colons in non-standard units.
ImportantSUSE bug 1255588SUSE bug 1257329CVE-2025-12816 at SUSECVE-2025-12816 at NVDCVE-2025-13465 at SUSECVE-2025-13465 at NVDSecurity update for libxml2 (Moderate)openSUSE Leap 16.0
This update for libxml2 fixes the following issues:
- CVE-2026-0989: Fixed call stack exhaustion leading to application crash
due to RelaxNG parser not limiting the recursion depth when
resolving `<include>` directives (bsc#1256805).
ModerateSUSE bug 1256805CVE-2026-0989 at SUSECVE-2026-0989 at NVDSecurity update for python-maturin (Moderate)openSUSE Leap 16.0
This update for python-maturin fixes the following issues:
- CVE-2025-58160: tracing-subscriber: Fixed log pollution (bsc#1249011)
ModerateSUSE bug 1249011CVE-2025-58160 at SUSECVE-2025-58160 at NVDSecurity update for cockpit-subscriptions (Important)openSUSE Leap 16.0
This update for cockpit-subscriptions fixes the following issues:
- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global
prototypes (bsc#1257324).
ImportantSUSE bug 1257324CVE-2025-13465 at SUSECVE-2025-13465 at NVDSecurity update for cockpit (Important)openSUSE Leap 16.0
This update for cockpit fixes the following issues:
- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global
prototypes (bsc#1257324).
ImportantSUSE bug 1257324CVE-2025-13465 at SUSECVE-2025-13465 at NVDSecurity update for cockpit-packages (Important)openSUSE Leap 16.0
This update for cockpit-packages fixes the following issues:
- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global
(bsc#1257325).
ImportantSUSE bug 1257325CVE-2025-13465 at SUSECVE-2025-13465 at NVDSecurity update for libsoup (Important)openSUSE Leap 16.0
This update for libsoup fixes the following issues:
- CVE-2026-1536: HTTP header injection or response splitting via CRLF injection in the Content-Disposition header
(bsc#1257440).
- CVE-2026-1761: incorrect length calculation when parsing of multipart HTTP responses can lead to a stack-based
buffer overflow (bsc#1257598).
ImportantSUSE bug 1257440SUSE bug 1257598CVE-2026-1536 at SUSECVE-2026-1536 at NVDCVE-2026-1761 at SUSECVE-2026-1761 at NVDSecurity update for xorg-x11-server (Important)openSUSE Leap 16.0
This update for xorg-x11-server fixes the following issues:
- CVE-2025-62229: Fixed use-after-free in XPresentNotify structures creation (bsc#1251958).
- CVE-2025-62230: Fixed use-after-free in Xkb client resource removal (bsc#1251959).
- CVE-2025-62231: Fixed value overflow in Xkb extension XkbSetCompatMap() (bsc#1251960).
ImportantSUSE bug 1251958SUSE bug 1251959SUSE bug 1251960CVE-2025-62229 at SUSECVE-2025-62229 at NVDCVE-2025-62230 at SUSECVE-2025-62230 at NVDCVE-2025-62231 at SUSECVE-2025-62231 at NVDSecurity update for python-pip (Low)openSUSE Leap 16.0
This update for python-pip fixes the following issues:
- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously
crafted wheel archives (bsc#1257599).
LowSUSE bug 1257599CVE-2026-1703 at SUSECVE-2026-1703 at NVDSecurity update for openjpeg2 (Low)openSUSE Leap 16.0
This update for openjpeg2 fixes the following issues:
- CVE-2023-39327: Fixed malicious files can cause a large loop that continuously prints warning messages on the terminal (bsc#1227412).
LowSUSE bug 1227412CVE-2023-39327 at SUSECVE-2023-39327 at NVDSecurity update for python-aiohttp, python-Brotli (Important)openSUSE Leap 16.0
This update for python-aiohttp, python-Brotli fixes the following issues:
Changes in python-aiohttp:
- CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
- CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
- CVE-2025-69224: Fixed unicode processing of header values could cause parsing discrepancies (bsc#1256018).
- CVE-2025-69223: Fixed aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb (bsc#1256017).
- CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
- CVE-2025-69225: Fixed unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
- CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).
- CVE-2025-53643: Fixed request smuggling due to incorrect parsing of chunked trailer section (bsc#1246517).
Changes in python-Brotli:
- Add max length decompression (bsc#1254867, bsc#1256017).
ImportantSUSE bug 1246517SUSE bug 1254867SUSE bug 1256017SUSE bug 1256018SUSE bug 1256019SUSE bug 1256020SUSE bug 1256021SUSE bug 1256022SUSE bug 1256023CVE-2025-53643 at SUSECVE-2025-53643 at NVDCVE-2025-69223 at SUSECVE-2025-69223 at NVDCVE-2025-69224 at SUSECVE-2025-69224 at NVDCVE-2025-69225 at SUSECVE-2025-69225 at NVDCVE-2025-69226 at SUSECVE-2025-69226 at NVDCVE-2025-69227 at SUSECVE-2025-69227 at NVDCVE-2025-69228 at SUSECVE-2025-69228 at NVDCVE-2025-69229 at SUSECVE-2025-69229 at NVDSecurity update for rust1.93 (Moderate)openSUSE Leap 16.0
This update for rust1.93 fixes the following issues:
Rust is shipped in 1.93.0 version.
Please see https://github.com/rust-lang/rust/releases/tag/1.93.0 for changes.
ModerateSecurity update for kepler (Moderate)openSUSE Leap 16.0
This update for kepler fixes the following issues:
Update to version 0.11.3.
Security issues fixed:
- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
(bsc#1251427).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251632).
Other updates and bugfixes:
- Version 0.11.2:
* Fix: Fix node power metrics for Virtual Machines.
* Fix: Resolve an issue with pod energy metrics when a container has no usage.
- Version 0.11.1:
* Fix: Added missing serviceaccount in the Helm chart.
- Version 0.11.0:
* Feature: Added support for platform power metrics (AC).
* Feature: Introduced experimental support for trained power models.
* Fix: Improved the accuracy of power estimation for Virtual Machines.
* Breaking Change: Metrics related to `kepler_vm_` have been refactored.
- Version 0.10.1:
* Feature: Added support for the ARM64 architecture.
* Fix: Addressed issues when running on Virtual Machines without RAPL.
* Fix: Includes several other bug fixes and stability improvements.
- Version 0.10.0:
* Breaking Change: This is a major rewrite with significant architectural changes.
* Breaking Change: Legacy versions (0.9.0 and earlier) are now frozen, with no new features or bug fixes.
* Breaking Change: The configuration format has been updated.
* Breaking Change: The Kepler Model Server is not compatible with this version and above.
* Feature: New modular architecture for better extensibility.
* Feature: Enhanced performance and accuracy with dynamic detection of RAPL zones.
* Feature: Reduced security requirements, no longer needing CAP_SYS_ADMIN or CAP_BPF capabilities.
* Fix: Significantly reduced resource usage.
- Version 0.9.0:
* Note: This is the final legacy release.
* Feature: Added support for GPU power monitoring.
* Feature: Introduced a model server for training power models.
- Version 0.8.2:
* Fix: Addressed a bug in RAPL power calculation on multi-socket systems.
- Version 0.8.1:
* Fix: This version includes multiple bug fixes and stability improvements.
- Version 0.8.0:
* Feature: Introduced a new estimator framework.
* Breaking Change: The API is backward incompatible with previous versions.
- Version 0.7.12:
* Fix: This version includes multiple bug fixes and stability improvements.
ModerateSUSE bug 1251427SUSE bug 1251632CVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for go1.25 (Critical)openSUSE Leap 16.0
This update for go1.25 fixes the following issues:
Update to version 1.25.7.
Security issues fixed:
- CVE-2025-61732: cmd/go: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does
not account for the expiration of full certificate chain (bsc#1256818).
Other updates and bugfixes:
- version update to 1.25.7:
* go#75844 cmd/compile: OOM killed on linux/arm64
* go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
* go#77425 crypto/tls: CL 737700 broke session resumption on macOS
CriticalSUSE bug 1244485SUSE bug 1256818SUSE bug 1257692CVE-2025-61732 at SUSECVE-2025-61732 at NVDCVE-2025-68121 at SUSECVE-2025-68121 at NVDSecurity update for go1.24 (Critical)openSUSE Leap 16.0
This update for go1.24 fixes the following issues:
Update to version 1.24.13.
Security issues fixed:
- CVE-2025-61732: cmd/go: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does
not account for the expiration of full certificate chain (bsc#1256818).
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc1256820).
Other updates and bugfixes:
- version update to 1.24.13:
* go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
* go#77424 crypto/tls: CL 737700 broke session resumption on macOS
CriticalSUSE bug 1236217SUSE bug 1256818SUSE bug 1256820SUSE bug 1257692CVE-2025-61732 at SUSECVE-2025-61732 at NVDCVE-2025-68119 at SUSECVE-2025-68119 at NVDCVE-2025-68121 at SUSECVE-2025-68121 at NVDSecurity update for patch (Low)openSUSE Leap 16.0
This update for patch fixes the following issues:
- CVE-2021-45261: invalid pointer via another_hunk function can cause a denial-of-service (bsc#1194037).
LowSUSE bug 1194037CVE-2021-45261 at SUSECVE-2021-45261 at NVDSecurity update for openCryptoki (Moderate)openSUSE Leap 16.0
This update for openCryptoki fixes the following issues:
Upgrade openCryptoki to 3.26 (jsc#PED-14609)
Security fixes:
- CVE-2026-22791: supplying malformed compressed EC public key can lead to heap corruption or denial-of-service (bsc#1256673).
- CVE-2026-23893: Privilege Escalation or Data Exposure via Symlink Following (bsc#1257116).
Other fixes:
* Soft: Add support for RSA keys up to 16K bits.
* CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
* p11sak: Add support for generating RSA keys up to 16K bits.
* Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
* Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
* p11sak: Add support for SHA-HMAC key types and key generation.
* p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping
with various key wrapping mechanism.
* p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
* p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
* Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
* EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
* p11sak: Add support for generating BLS12-381 EC keys.
* EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and
a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
* CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
* Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
* p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
* Bug fixes.
ModerateSUSE bug 1256673SUSE bug 1257116CVE-2026-22791 at SUSECVE-2026-22791 at NVDCVE-2026-23893 at SUSECVE-2026-23893 at NVDSecurity update for fontforge (Important)openSUSE Leap 16.0
This update for fontforge fixes the following issues:
Update to version 20251009.
Security issues fixed:
- CVE-2025-15279: remote code execution via heap-based buffer overflow in BMP file parsing (bsc#1256013).
- CVE-2025-15269: remote code execution via use-after-free in SFD file parsing (bsc#1256032).
- CVE-2025-15275: arbitrary code execution via SFD file parsing buffer overflow (bsc#1256025).
- CVE-2025-50949: memory leak in function DlgCreate8 (bsc#1252652).
Other updates and bugfixes:
- fix multiple crashes in Multiple Masters.
- fix crash for content over 32767 characters in GDraw multiline text field.
- fix crash on Up/Down
- fix crash in Metrics View.
- fix UFO crash for empty contours.
- fix crash issue in allmarkglyphs.
- Version update to 20251009:
* Update documentation for py scripts (#5180)
* Update GitHub CI runners (#5328)
* Update po files from Croudin sources. (#5330)
* Use consistent Python in MacOS GitHub runner (#5331)
* Fix CI for Windows GitHub runner (#5335)
* Fix lookup flags parsing (#5338)
* Fixes (#5332): glyph file names uXXXXX (#5333)
* make harmonization robust and avoid zero handles after harmonization (#5262)
* Quiet strict prototypes warnings. (#5313)
* Fix crash in parsegvar() due to insufficient buffer (#5339)
* Handle failed iconv conversion. Unhandled execution path was UB, causing a segfault for me (#5329)
* Fix CMake function _get_git_version() (#5342)
* Don't require individual tuple encapsulation in fontforge.font.bitmapSizes setter (#5138)
* nltransform of anchor points (#5345)
* Fix generateFontPostHook being called instead of generateFontPreHook (#5226)
* Always set usDefaultChar to 0 (.notdef) (#5242)
* add font attributes, method to Python docs (#5353)
* fix segfault triggered by Python del c[i:j] (#5352)
* Autoselect internal WOFF2 format (#5346)
* Fix typos in the FAQ (#5355)
* add font.style_set_names attribute to Python API (#5354)
* Bulk tester (#5365)
* Fix Splinefont shell invocation (#5367)
* Fix the lists of Windows language IDs (#5359)
* Support suplementary planes in SFD (emojis etc.) (#5364)
* Remove psaltnames for multi-code-point names (#5305)
* doc: added missing sudo to installation instructions (#5300)
* Fix data corruption on SFD reading (#5380)
* Compare vertical metrics check when generating TTC (#5372)
* Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
* Don't attempt to copy anchors into NULL font (#5405)
* Fix export of supplementary plane characters in font name to TTF (#5396)
* Defer crowdin update to the end of the pipeline (#5409)
* Fix generated feature file bugs (#5384)
* crowdin: update to java 17 (#5447)
* Remove assert from Python script processor (#5410)
* Use sysconfig for Python module locations (#5423)
* Use PyConfig API on Python 3.8 (#5404)
* Fix resource leak in unParseTTInstrs (#5476)
* Only install GUI-specific files if ENABLE_GUI is set (#5451)
* add math device tables to Python API (#5348)
* Update CI runner to macOS 13 (#5482)
* Allow hyphen and special characters in Feature File glyph names (#5358)
* Fix Python font.appendSFNTName() function (#5494)
* Update mm.c (#5386)
* Warning rollup (probably some hidden bugs!) from clang trunk (#5492)
* Fix function PyFFFont_addSmallCaps. (#5519)
* Make SmallCaps() create symbols (#5517)
* Segfault fix and complete implementation of "Don't generate FFTM tables" (#5509)
* Modernize fixed pitch flag computation (#5506)
* fix memleak in function utf7toutf8_copy (#5495)
* Avoid crashes in Python scripts when objects are accessed in invalid state (#5483)
* Fix CI for Ubuntu 24 (#5531)
* Bump GitHub CI runner to Ubuntu 22 (#5551)
* Fix memory corruption in SFUnicodeRanges() (#5537)
* Add contour draw option to H.Metrics. (#5496)
* Fix scaling of references in CharView (#5558)
* Fix TTF validation on load for fixed pitch fonts (#5562)
* Performance fixes for GSUB/GPOS dumps (#5547)
* Simple GTK-based dialog with CSS appearance support (#5546)
* Support Harfbuzz in Metrics View (#5522)
* Update po files from crowdin translations (#5575)
* Be more clever about label text in gtextfield (#5583)
* Add minimal support for GDEF version 1.3 (#5584)
* Sanitize messages from python (#5589)
* Fix a crash caused by deleting a glyph with vertical kerning pairs. (#5592)
* THEME -> GUI_THEME (#5596)
* Update po translations from Crowdin (#5593)
* Upgrade to Unicode 16.0.0 (#5594)
* Fix Linux AppImage (#5599)
* Upgrade to Unicode 17.0.0 and extend the language and script lists (#5618)
* Remove X11 and non-Cairo drawing backends (#5612)
* Add macOS dependency setup script (#5563)
* Fix hotkeys in BitmapView (#5626)
* Manually install Inno Setup 6 (#5621)
* Remove cv->back_img_out_of_date and cv->backimgs (#5625)
* fix spelling "bt" -> "but" (#5636)
* Fix typos in Python module docs (#5634)
- Version update to 20230101+git59.770356c9b:
* Add contour draw option to H.Metrics. (#5496)
* Fix memory corruption in SFUnicodeRanges() (#5537)
* Bump GitHub CI runner to Ubuntu 22 (#5551)
* Fix CI for Ubuntu 24 (#5531)
* Avoid crashes in Python scripts when objects are accessed in
invalid state (#5483)
* fix memleak in function utf7toutf8_copy (#5495)
* Modernize fixed pitch flag computation (#5506)
* Segfault fix and complete implementation of "Don't generate
FFTM tables" (#5509)
* Make SmallCaps() translate symbols, too. Update
documentation accordingly. (#5517)
* Fix function PyFFFont_addSmallCaps. (#5519)
* Warning rollup (probably some hidden bugs!) from clang trunk
(#5492)
* Update mm.c (#5386)
* fix memleak in function DlgCreate8 (#5491)
* Fix Python font.appendSFNTName() function (#5494)
* Allow hyphen and special characters in Feature File glyph names
(#5358)
* Update CI runner to macOS 13 (#5482)
* add math device tables to Python API (#5348)
* Only install GUI-specific files if ENABLE_GUI is set (#5451)
* Fix resource leak in unParseTTInstrs (#5476)
* Use PyConfig API on Python 3.8 (#5404)
* Use sysconfig for Python module locations (#5423)
* More crowdin fix
* Python script shall trigger no asserts (#5410)
* crowdin: update to java 17 (#5447)
* try fix crowdin
* Fix generated feature file bugs (#5384)
* Defer crowdin update to the end of the pipeline (#5409)
* Fix export of supplementary plane characters in font name to
TTF (#5396)
* Don't attempt to copy anchors into NULL font (#5405)
* Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
* Compare vertical metrics check when generating TTC (#5372)
* Fix data corruption on SFD reading (#5380)
* doc: added missing sudo to installation instructions (#5300)
* Remove `psaltnames` for multi-code-point names (#5305)
* Support suplementary planes in SFD (emojis etc.) (#5364)
* Fix the lists of Windows language IDs (#5359)
* fix splinefont shell command injection (#5367)
* Bulk tester (#5365)
* add `font.style_set_names` attribute to Python API (#5354)
* Fix typos in the FAQ (#5355)
* Autoselect internal WOFF2 format (#5346)
* fix segfault triggered by Python `del c[i:j]` (#5352)
* add `font` attributes, method to Python docs (#5353)
* Always set `usDefaultChar` to 0 (.notdef) (#5242)
* Fix generateFontPostHook being called instead of
generateFontPreHook (#5226)
* nltransform of anchor points (#5345)
* Don't require individual tuple encapsulation in
fontforge.font.bitmapSizes setter (#5138)
* Fix CMake function _get_git_version() (#5342)
* Handle failed iconv conversion. Unhandled execution path was
UB, causing a segfault for me (#5329)
* Fix crash in parsegvar() due to insufficient buffer (#5339)
* Quiet strict prototypes warnings. (#5313)
* harmonizing can now no longer produce zero handles, the
computation of harmonization is now numerically robust (#5262)
* Fix glyph file names uXXXXX (#5333)
* Fix lookup flags parsing (#5338)
* Duplicate libfontforge.dll for "py" and "pyhook" tests. (#5335)
* Use consistent Python in MacOS GitHub runner (#5331)
* Update po files from Croudin sources after fixing problems
* Fix GinHub CI runners (#5328)
ImportantSUSE bug 1252652SUSE bug 1256013SUSE bug 1256025SUSE bug 1256032CVE-2025-15269 at SUSECVE-2025-15269 at NVDCVE-2025-15275 at SUSECVE-2025-15275 at NVDCVE-2025-15279 at SUSECVE-2025-15279 at NVDCVE-2025-50949 at SUSECVE-2025-50949 at NVDSecurity update for nodejs22 (Important)openSUSE Leap 16.0
This update for nodejs22 fixes the following issues:
Update to 22.22.0:
- CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).
- CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets (bsc#1256570).
- CVE-2025-55132: a file's access and modification timestamps can be changed via `futimes()` even when the process has only read permissions (bsc#1256571).
- CVE-2025-59465: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error (bsc#1256573).
- CVE-2025-59466: uncatchable "Maximum call stack size exceeded" error when `async_hooks.createHook()` is enabled can lead to crash (bsc#1256574).
- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
- CVE-2026-22036: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion (bsc#1256848).
For full changelog, please see https://nodejs.org/en/blog
ImportantSUSE bug 1256569SUSE bug 1256570SUSE bug 1256571SUSE bug 1256573SUSE bug 1256574SUSE bug 1256576SUSE bug 1256848CVE-2025-55130 at SUSECVE-2025-55130 at NVDCVE-2025-55131 at SUSECVE-2025-55131 at NVDCVE-2025-55132 at SUSECVE-2025-55132 at NVDCVE-2025-59465 at SUSECVE-2025-59465 at NVDCVE-2025-59466 at SUSECVE-2025-59466 at NVDCVE-2026-21637 at SUSECVE-2026-21637 at NVDCVE-2026-22036 at SUSECVE-2026-22036 at NVDSecurity update for expat (Important)openSUSE Leap 16.0
This update for expat fixes the following issues:
- CVE-2025-59375: Fixed large dynamic memory allocations via a small document submitted for parsing (bsc#1249584)
ImportantSUSE bug 1249584CVE-2025-59375 at SUSECVE-2025-59375 at NVDSecurity update for golang-github-prometheus-prometheus (Critical)openSUSE Leap 16.0
This update for golang-github-prometheus-prometheus fixes the following issues:
- CVE-2026-25547: Fixed an unbounded brace range expansion leading to excessive CPU and memory consumption. (bsc#1257841)
- CVE-2026-1615: Fixed arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions in jsonpath. (bsc#1257897)
- CVE-2025-61140: Fixed a function vulnerable to prototype pollution in jsonpath. (bsc#1257442)
CriticalSUSE bug 1257442SUSE bug 1257841SUSE bug 1257897CVE-2025-61140 at SUSECVE-2025-61140 at NVDCVE-2026-1615 at SUSECVE-2026-1615 at NVDCVE-2026-25547 at SUSECVE-2026-25547 at NVDSecurity update for cockpit-machines, cockpit (Important)openSUSE Leap 16.0
This update for cockpit-machines, cockpit fixes the following issues:
- CVE-2025-13465: Update the lodash dependencie to avoid prototype pollution. (bsc#1257324)
Changes in cockpit-machines:
- Update to 346
* 346
- Performance improvements
- Translation updates
* 345
- New virtual machines don't get SPICE graphics anymore
- Support for network port forwarding
- Bug fixes and translation updates
- Update to 344
* 344
- Port forwarding for user session VMs
- "Shutdown and restart" action
- Faster startup
* 343
- Memory usage now shows numbers reported by the guest (RHEL-116731)
- Update to 342
* 342
- Bug fixes and translation updates
* 341
- Improved UX for Disks and Network interface tables
- Bug fixes and translation updates
* 340
- Use exclusive VNC connections with "Remote resizing"
- Update to 339
* 339
- Serial consoles now keep their content and stay alive
- No longer copies qemu.conf values into VM definitions
* 338
- Translation and dependency updates
- Detachable VNC console
- Update to 337
* 337
- Bug fixes and translation updates
* 336
- Graphical VNC and serial consoles improvements
- Control VNC console resizing and scaling
- Bug fixes and translation updates
* 335
- Bug fixes and translation updates
* 334
- Bug fixes and translation updates
Changes in cockpit:
- Update to 354
* changes since 351
- 354
* Convert documentation to AsciiDoc
* Work around Firefox 146/147 bug (rhbz#2422331)
* Bug fixes
- 353
* Networking: Suggest prefix length and gateway address
* Bug fixes and translation updates
- 352
* Shown a warning if the last shutdown/reboot was unclean
* Bug fixes and translation updates
- Update to 351
* Changes since 349
- 351
* Firewall ports can be deleted individually
- 350
* networking: fix renaming of bridges and other groups (RHEL-117883)
* bridge: fix OpenSSH_10.2p1 host key detection
- Update to 349
* Changes since 346
- 349
* Package manifests: add any test
* Bug fixes and translation updates
- 348
* Bug fixes and translation updates
- 347
* Site-specific branding support
- Update to 346
* Changes since 344
- 346
* Support branding Cockpit pages
* Storage: Support for Stratis "V2" pools
- 345
* Translation and dependency updates
* Shorter IPv6 addresses
* IPv6 addresses for WireGuard
- Update to 344
* Changes since 340
- 344
* Bug fixes and translation updates
- 343
* login: Improve error message for unsupported shells
* cockpit: Handle file access issues with files in machines.d
* Translation updates
- 342
* systemd: ensure update() is called at least once for tuned-dialog
* Translation updates
- 341
* services: show link to podman page for quadlets
* Bug fixes and translation updates
ImportantSUSE bug 1221342SUSE bug 1236149SUSE bug 1239759SUSE bug 1248250SUSE bug 1249828SUSE bug 1249830SUSE bug 1257324SUSE bug 1257325CVE-2025-13465 at SUSECVE-2025-13465 at NVDSecurity update for wicked2nm (Important)openSUSE Leap 16.0
This update for wicked2nm fixes the following issues:
- Update to version 1.4.1
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257908).
ImportantSUSE bug 1257911CVE-2026-25727 at SUSECVE-2026-25727 at NVDSecurity update for docker (Moderate)openSUSE Leap 16.0
This update for docker fixes the following issues:
- CVE-2025-58181: not validating the number of mechanisms can cause unlimited memory consumption (bsc#1253904).
ModerateSUSE bug 1253904CVE-2025-58181 at SUSECVE-2025-58181 at NVDSecurity update for cockpit-repos (Important)openSUSE Leap 16.0
This update for cockpit-repos fixes the following issues:
Update to version 4.7.
Security issues fixed:
- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global
(bsc#1257325).
- CVE-2025-64718: js-yaml prototype pollution in merge (bsc#1255425).
Other updates and bugfixes:
- version update to 4.7
* Translation updates
- version update to 4.6:
* Translation updates
* Dependency updates
* Fix translations pot file not being update
- version update to 4.5:
* Dependency updates
- version update to 4.4:
* Translation updates
* Dependency updates
ImportantSUSE bug 1255425SUSE bug 1257325CVE-2025-13465 at SUSECVE-2025-13465 at NVDCVE-2025-64718 at SUSECVE-2025-64718 at NVDSecurity update for MozillaFirefox (Moderate)openSUSE Leap 16.0
This update for MozillaFirefox fixes the following issues:
Changes in MozillaFirefox:
Firefox Extended Support Release 140.7.1 ESR was released:
* Fixed: Security fix.
MFSA 2026-10 (bsc#1258231):
* CVE-2026-2447: Heap buffer overflow in libvpx.
ModerateSUSE bug 1258231CVE-2026-2447 at SUSECVE-2026-2447 at NVDSecurity update for openexr (Moderate)openSUSE Leap 16.0
This update for openexr fixes the following issues:
- CVE-2025-64181: Fixed use of uninitialized memory in function generic_unpack() (bsc#1253233)
ModerateSUSE bug 1253233CVE-2025-64181 at SUSECVE-2025-64181 at NVDSecurity update for python313 (Important)openSUSE Leap 16.0
This update for python313 fixes the following issues:
Update to version 3.13.12.
Security issues fixed:
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
characters (bsc#1257029).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
(bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in `BytesGenerator`
(bsc#1257181).
Other updates and bugfixes:
- Update to version 3.13.12.
- Library
- gh-144380: Improve performance of io.BufferedReader line
iteration by ~49%.
- gh-144169: Fix three crashes when non-string keyword
arguments are supplied to objects in the ast module.
- gh-144100: Fixed a crash in ctypes when using a deprecated
POINTER(str) type in argtypes. Instead of aborting, ctypes
now raises a proper Python exception when the pointer
target type is unresolved.
- gh-144050: Fix stat.filemode() in the pure-Python
implementation to avoid misclassifying invalid mode values
as block devices.
- gh-144023: Fixed validation of file descriptor 0 in posix
functions when used with follow_symlinks parameter.
- gh-143999: Fix an issue where inspect.getgeneratorstate()
and inspect.getcoroutinestate() could fail for generators
wrapped by types.coroutine() in the suspended state.
- gh-143706: Fix multiprocessing forkserver so that sys.argv
is correctly set before __main__ is preloaded. Previously,
sys.argv was empty during main module import in forkserver
child processes. This fixes a regression introduced in
3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
provided by Thomas Watson, thanks!
- gh-143638: Forbid reentrant calls of the pickle.Pickler and
pickle.Unpickler methods for the C implementation.
Previously, this could cause crash or data corruption, now
concurrent calls of methods of the same object raise
RuntimeError.
- gh-78724: Raise RuntimeError's when user attempts to call
methods on half-initialized Struct objects, For example,
created by Struct.__new__(Struct). Patch by Sergey
B Kirpichev.
- gh-143602: Fix a inconsistency issue in write() that leads
to unexpected buffer overwrite by deduplicating the buffer
exports.
- gh-143547: Fix sys.unraisablehook() when the hook raises an
exception and changes sys.unraisablehook(): hold a strong
reference to the old hook. Patch by Victor Stinner.
- gh-143378: Fix use-after-free crashes when a BytesIO object
is concurrently mutated during write() or writelines().
- gh-143346: Fix incorrect wrapping of the Base64 data in
plistlib._PlistWriter when the indent contains a mix of
tabs and spaces.
- gh-143310: tkinter: fix a crash when a Python list is
mutated during the conversion to a Tcl object (e.g., when
setting a Tcl variable). Patch by Benedikt Tran.
- gh-143309: Fix a crash in os.execve() on non-Windows
platforms when given a custom environment mapping which is
then mutated during parsing. Patch by Benedikt Tran.
- gh-143308: pickle: fix use-after-free crashes when
a PickleBuffer is concurrently mutated by a custom buffer
callback during pickling. Patch by Benedikt Tran and Aaron
Wieczorek.
- gh-143237: Fix support of named pipes in the rotating
logging handlers.
- gh-143249: Fix possible buffer leaks in Windows overlapped
I/O on error handling.
- gh-143241: zoneinfo: fix infinite loop in
ZoneInfo.from_file when parsing a malformed TZif file.
Patch by Fatih Celik.
- gh-142830: sqlite3: fix use-after-free crashes when the
connection's callbacks are mutated during a callback
execution. Patch by Benedikt Tran.
- gh-143200: xml.etree.ElementTree: fix use-after-free
crashes in __getitem__() and __setitem__() methods of
Element when the element is concurrently mutated. Patch by
Benedikt Tran.
- gh-142195: Updated timeout evaluation logic in subprocess
to be compatible with deterministic environments like
Shadow where time moves exactly as requested.
- gh-143145: Fixed a possible reference leak in ctypes when
constructing results with multiple output parameters on
error.
- gh-122431: Corrected the error message in
readline.append_history_file() to state that nelements must
be non-negative instead of positive.
- gh-143004: Fix a potential use-after-free in
collections.Counter.update() when user code mutates the
Counter during an update.
- gh-143046: The asyncio REPL no longer prints copyright and
version messages in the quiet mode (-q). Patch by Bartosz
Slawecki.
- gh-140648: The asyncio REPL now respects the -I flag
(isolated mode). Previously, it would load and execute
PYTHONSTARTUP even if the flag was set. Contributed by
Bartosz Slawecki.
- gh-142991: Fixed socket operations such as recvfrom() and
sendto() for FreeBSD divert(4) socket.
- gh-143010: Fixed a bug in mailbox where the precise timing
of an external event could result in the library opening an
existing file instead of a file it expected to create.
- gh-142881: Fix concurrent and reentrant call of
atexit.unregister().
- gh-112127: Fix possible use-after-free in
atexit.unregister() when the callback is unregistered
during comparison.
- gh-142783: Fix zoneinfo use-after-free with descriptor
_weak_cache. a descriptor as _weak_cache could cause
crashes during object creation. The fix ensures proper
reference counting for descriptor-provided objects.
- gh-142754: Add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead.
- gh-142784: The asyncio REPL now properly closes the loop
upon the end of interactive session. Previously, it could
cause surprising warnings. Contributed by Bartosz Slawecki.
- gh-142555: array: fix a crash in a[i] = v when converting
i to an index via i.__index__ or i.__float__ mutates the
array.
- gh-142594: Fix crash in TextIOWrapper.close() when the
underlying buffer's closed property calls detach().
- gh-142451: hmac: Ensure that the HMAC.block_size attribute
is correctly copied by HMAC.copy. Patch by Benedikt Tran.
- gh-142495: collections.defaultdict now prioritizes
__setitem__() when inserting default values from
default_factory. This prevents race conditions where
a default value would overwrite a value set before
default_factory returns.
- gh-142651: unittest.mock: fix a thread safety issue where
Mock.call_count may return inaccurate values when the mock
is called concurrently from multiple threads.
- gh-142595: Added type check during initialization of the
decimal module to prevent a crash in case of broken stdlib.
Patch by Sergey B Kirpichev.
- gh-142517: The non-compat32 email policies now correctly
handle refolding encoded words that contain bytes that can
not be decoded in their specified character set. Previously
this resulted in an encoding exception during folding.
- gh-112527: The help text for required options in argparse
no longer extended with "(default: None)".
- gh-142315: Pdb can now run scripts from anonymous pipes
used in process substitution. Patch by Bartosz Slawecki.
- gh-142282: Fix winreg.QueryValueEx() to not accidentally
read garbage buffer under race condition.
- gh-75949: Fix argparse to preserve | separators in mutually
exclusive groups when the usage line wraps due to length.
- gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
name defects are now correctly passed to the handle_defect
method of policy in FeedParser.
- gh-142006: Fix a bug in the email.policy.default folding
algorithm which incorrectly resulted in a doubled newline
when a line ending at exactly max_line_length was followed
by an unfoldable token.
- gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
underlying cancelled asyncio task running.
- gh-139971: pydoc: Ensure that the link to the online
documentation of a stdlib module is correct.
- gh-139262: Some keystrokes can be swallowed in the new
PyREPL on Windows, especially when used together with the
ALT key. Fix by Chris Eibl.
- gh-138897: Improved license/copyright/credits display in
the REPL: now uses a pager.
- gh-79986: Add parsing for References and In-Reply-To
headers to the email library that parses the header content
as lists of message id tokens. This prevents them from
being folded incorrectly.
- gh-109263: Starting a process from spawn context in
multiprocessing no longer sets the start method globally.
- gh-90871: Fixed an off by one error concerning the backlog
parameter in create_unix_server(). Contributed by Christian
Harries.
- gh-133253: Fix thread-safety issues in linecache.
- gh-132715: Skip writing objects during marshalling once
a failure has occurred.
- gh-127529: Correct behavior of
asyncio.selector_events.BaseSelectorEventLoop._accept_connection()
in handling ConnectionAbortedError in a loop. This improves
performance on OpenBSD.
- IDLE
- gh-143774: Better explain the operation of Format / Format
Paragraph.
- Core and Builtins
- gh-144307: Prevent a reference leak in module teardown at
interpreter finalization.
- gh-144194: Fix error handling in perf jitdump
initialization on memory allocation failure.
- gh-141805: Fix crash in set when objects with the same hash
are concurrently added to the set after removing an element
with the same hash while the set still contains elements
with the same hash.
- gh-143670: Fixes a crash in ga_repr_items_list function.
- gh-143377: Fix a crash in _interpreters.capture_exception()
when the exception is incorrectly formatted. Patch by
Benedikt Tran.
- gh-143189: Fix crash when inserting a non-str key into
a split table dictionary when the key matches an existing
key in the split table but has no corresponding value in
the dict.
- gh-143228: Fix use-after-free in perf trampoline when
toggling profiling while threads are running or during
interpreter finalization with daemon threads active. The
fix uses reference counting to ensure trampolines are not
freed while any code object could still reference them.
Pach by Pablo Galindo
- gh-142664: Fix a use-after-free crash in
memoryview.__hash__ when the __hash__ method of the
referenced object mutates that object or the view. Patch by
Benedikt Tran.
- gh-142557: Fix a use-after-free crash in bytearray.__mod__
when the bytearray is mutated while formatting the %-style
arguments. Patch by Benedikt Tran.
- gh-143195: Fix use-after-free crashes in bytearray.hex()
and memoryview.hex() when the separator's __len__() mutates
the original object. Patch by Benedikt Tran.
- gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
0. Previously, it was set to 0 in this case.
- gh-143003: Fix an overflow of the shared empty buffer in
bytearray.extend() when __length_hint__() returns 0 for
non-empty iterator.
- gh-143006: Fix a possible assertion error when comparing
negative non-integer float and int with the same number of
bits in the integer part.
- gh-142776: Fix a file descriptor leak in import.c
- gh-142829: Fix a use-after-free crash in
contextvars.Context comparison when a custom __eq__ method
modifies the context via set().
- gh-142766: Clear the frame of a generator when
generator.close() is called.
- gh-142737: Tracebacks will be displayed in fallback mode
even if io.open() is lost. Previously, this would crash the
interpreter. Patch by Bartosz Slawecki.
- gh-142554: Fix a crash in divmod() when
_pylong.int_divmod() does not return a tuple of length two
exactly. Patch by Benedikt Tran.
- gh-142560: Fix use-after-free in bytearray search-like
methods (find(), count(), index(), rindex(), and rfind())
by marking the storage as exported which causes
reallocation attempts to raise BufferError. For contains(),
split(), and rsplit() the buffer protocol is used for this.
- gh-142343: Fix SIGILL crash on m68k due to incorrect
assembly constraint.
- gh-141732: Ensure the __repr__() for ExceptionGroup and
BaseExceptionGroup does not change when the exception
sequence that was original passed in to its constructor is
subsequently mutated.
- gh-100964: Fix reference cycle in exhausted generator
frames. Patch by Savannah Ostrowski.
- gh-140373: Correctly emit PY_UNWIND event when generator
object is closed. Patch by Mikhail Efimov.
- gh-138568: Adjusted the built-in help() function so that
empty inputs are ignored in interactive mode.
- gh-127773: Do not use the type attribute cache for types
with incompatible MRO.
- C API
- gh-142571: PyUnstable_CopyPerfMapFile() now checks that
opening the file succeeded before flushing.
- Build
- gh-142454: When calculating the digest of the JIT stencils
input, sort the hashed files by filenames before adding
their content to the hasher. This ensures deterministic
hash input and hence deterministic hash, independent on
filesystem order.
- gh-141808: When running make clean-retain-profile, keep the
generated JIT stencils. That way, the stencils are not
generated twice when Profile-guided optimization (PGO) is
used. It also allows distributors to supply their own
pre-built JIT stencils.
- gh-138061: Ensure reproducible builds by making JIT stencil
header generation deterministic.
ImportantSUSE bug 1257029SUSE bug 1257031SUSE bug 1257042SUSE bug 1257046SUSE bug 1257181CVE-2025-11468 at SUSECVE-2025-11468 at NVDCVE-2025-15282 at SUSECVE-2025-15282 at NVDCVE-2026-0672 at SUSECVE-2026-0672 at NVDCVE-2026-0865 at SUSECVE-2026-0865 at NVDCVE-2026-1299 at SUSECVE-2026-1299 at NVDSecurity update for docker-stable (Moderate)openSUSE Leap 16.0
This update for docker-stable fixes the following issues:
- Enable SELinux in default daemon.json config (--selinux-enabled).
This has no practical impact on non-SELinux systems (bsc#1252290).
- Remove git-core recommends on SLE. Most SLE systems have installRecommends=yes
by default and thus end up installing git with Docker (bsc#1250508).
- Include historical changelog data from before the docker-stable fork.
This includes CVE numbers for security tracking reasons (bsc#1250596).
ModerateSUSE bug 1250508SUSE bug 1250596SUSE bug 1252290Security update for postgresql14 (Important)openSUSE Leap 16.0
This update for postgresql14 fixes the following issues:
Update to version 14.21.
Security issues fixed:
- CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
(bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
(bsc#1258011).
- CVE-2025-12817: missing check for CREATE privileges on the schema in CREATE STATISTICS (bsc#1253332).
- CVE-2025-12818: integer overflow in allocation-size calculations within libpq (bsc#1253333).
ImportantSUSE bug 1253332SUSE bug 1253333SUSE bug 1258008SUSE bug 1258009SUSE bug 1258010SUSE bug 1258011CVE-2025-12817 at SUSECVE-2025-12817 at NVDCVE-2025-12818 at SUSECVE-2025-12818 at NVDCVE-2026-2003 at SUSECVE-2026-2003 at NVDCVE-2026-2004 at SUSECVE-2026-2004 at NVDCVE-2026-2005 at SUSECVE-2026-2005 at NVDCVE-2026-2006 at SUSECVE-2026-2006 at NVDSecurity update for postgresql15 (Important)openSUSE Leap 16.0
This update for postgresql15 fixes the following issues:
Update to version 15.16.
Security issues fixed:
- CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
(bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
(bsc#1258011).
- CVE-2025-12817: missing check for CREATE privileges on the schema in CREATE STATISTICS (bsc#1253332).
- CVE-2025-12818: integer overflow in allocation-size calculations within libpq (bsc#1253333).
ImportantSUSE bug 1253332SUSE bug 1253333SUSE bug 1258008SUSE bug 1258009SUSE bug 1258010SUSE bug 1258011CVE-2025-12817 at SUSECVE-2025-12817 at NVDCVE-2025-12818 at SUSECVE-2025-12818 at NVDCVE-2026-2003 at SUSECVE-2026-2003 at NVDCVE-2026-2004 at SUSECVE-2026-2004 at NVDCVE-2026-2005 at SUSECVE-2026-2005 at NVDCVE-2026-2006 at SUSECVE-2026-2006 at NVDSecurity update for autogen (Low)openSUSE Leap 16.0
This update for autogen fixes the following issues:
- CVE-2025-8746: Fixed improper input validation and memory bounds checking
when processing certain malformed configuration files (bsc#1247921)
LowSUSE bug 1247921CVE-2025-8746 at SUSECVE-2025-8746 at NVDSecurity update for python-urllib3_1 (Moderate)openSUSE Leap 16.0
This update for python-urllib3_1 fixes the following issues:
- CVE-2025-66471: excessive resource consumption via decompression of highly compressed data in Streaming API (bsc#1254867).
- CVE-2025-66418: resource exhaustion via unbounded number of links in the decompression chain (bsc#1254866).
- CVE-2026-21441: excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).
ModerateSUSE bug 1254866SUSE bug 1254867SUSE bug 1256331CVE-2025-66418 at SUSECVE-2025-66418 at NVDCVE-2025-66471 at SUSECVE-2025-66471 at NVDCVE-2026-21441 at SUSECVE-2026-21441 at NVDSecurity update for 7zip (Moderate)openSUSE Leap 16.0
This update for 7zip fixes the following issues:
- Update to 25.01 (boo#1249130)
* The code for handling symbolic links has been changed to
provide greater security when extracting files from archives
* Command line switch -snld20 can be used to bypass default
security checks when creating symbolic links.
- Update to 25.00:
* bzip2 compression speed was increased by 15-40%.
* deflate (zip/gz) compression speed was increased by 1-3%.
* improved support for zip, cpio and fat archives.
* CVE-2025-53816: Fixed input manipulation leading
to heap buffer overflow (bsc#1246706)
* CVE-2025-53817: Fixed null pointer dereference leading
to denial of service (bsc#1246707)
ModerateSUSE bug 1246706SUSE bug 1246707SUSE bug 1249130CVE-2025-53816 at SUSECVE-2025-53816 at NVDCVE-2025-53817 at SUSECVE-2025-53817 at NVDSecurity update for containerized-data-importer (Important)openSUSE Leap 16.0
This update for containerized-data-importer fixes the following issues:
Update to version 1.64.0.
Security issues fixed:
- CVE-2024-28180: improper handling of highly compressed data (bsc#1235204).
- CVE-2024-45338: denial of service due to non-linear parsing of case-insensitive content (bsc#1235365).
- CVE-2025-22868: unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239205).
ImportantSUSE bug 1235204SUSE bug 1235365SUSE bug 1239205CVE-2024-28180 at SUSECVE-2024-28180 at NVDCVE-2024-45338 at SUSECVE-2024-45338 at NVDCVE-2025-22868 at SUSECVE-2025-22868 at NVDSecurity update for kubevirt (Important)openSUSE Leap 16.0
This update for kubevirt fixes the following issues:
Update to version 1.7.0 (bsc#1257128).
Security issues fixed:
- CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS
(bsc#1253189).
- CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into
creating empty files/directories on host (bsc#1257422).
- CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction
(bsc#1241772).
- CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to
bypass existing RBAC controls (bsc#1253181).
- CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).
- CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations
(bsc#1253186).
- CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).
- CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users
(bsc#1253748).
Other updates and bugfixes:
- Upstream now uses stateless firmware for CoCo VMs.
ImportantSUSE bug 1241772SUSE bug 1253181SUSE bug 1253185SUSE bug 1253186SUSE bug 1253189SUSE bug 1253194SUSE bug 1253748SUSE bug 1257128SUSE bug 1257422CVE-2024-45310 at SUSECVE-2024-45310 at NVDCVE-2025-22872 at SUSECVE-2025-22872 at NVDCVE-2025-64324 at SUSECVE-2025-64324 at NVDCVE-2025-64432 at SUSECVE-2025-64432 at NVDCVE-2025-64433 at SUSECVE-2025-64433 at NVDCVE-2025-64434 at SUSECVE-2025-64434 at NVDCVE-2025-64435 at SUSECVE-2025-64435 at NVDCVE-2025-64437 at SUSECVE-2025-64437 at NVDSecurity update for libsoup2 (Important)openSUSE Leap 16.0
This update for libsoup2 fixes the following issues:
- CVE-2026-1761: incorrect length calculation when parsing of multipart HTTP responses can lead to a stack-based
buffer overflow (bsc#1257598).
ImportantSUSE bug 1257598CVE-2026-1761 at SUSECVE-2026-1761 at NVDSecurity update for the Linux Kernel (Important)openSUSE Leap 16.0
The SUSE Linux Enterprise 16.0 and SL MIxro 6.2 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2025-40147: blk-throttle: fix access race during throttle policy activation (bsc#1253344).
- CVE-2025-40257: mptcp: fix a race in mptcp_pm_del_add_timer() (bsc#1254842).
- CVE-2025-40259: scsi: sg: Do not sleep in atomic context (bsc#1254845).
- CVE-2025-40261: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() (bsc#1254839).
- CVE-2025-40363: net: ipv6: fix field-spanning memcpy warning in AH output (bsc#1255102).
- CVE-2025-68174: amd/amdkfd: enhance kfd process check in switch partition (bsc#1255327).
- CVE-2025-68178: blk-cgroup: fix possible deadlock while configuring policy (bsc#1255266).
- CVE-2025-68188: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() (bsc#1255269).
- CVE-2025-68200: bpf: Add bpf_prog_run_data_pointers() (bsc#1255241).
- CVE-2025-68211: ksm: use range-walk function to jump over holes in scan_get_next_rmap_item (bsc#1255319).
- CVE-2025-68218: nvme-multipath: fix lockdep WARN due to partition scan work (bsc#1255245).
- CVE-2025-68227: mptcp: Fix proto fallback detection with BPF (bsc#1255216).
- CVE-2025-68241: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe (bsc#1255157).
- CVE-2025-68245: net: netpoll: fix incorrect refcount handling causing incorrect cleanup (bsc#1255268).
- CVE-2025-68261: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() (bsc#1255164).
- CVE-2025-68296: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup (bsc#1255128).
- CVE-2025-68297: ceph: fix crash in process_v2_sparse_read() for encrypted directories (bsc#1255403).
- CVE-2025-68320: lan966x: Fix sleeping in atomic context (bsc#1255172).
- CVE-2025-68325: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (bsc#1255417).
- CVE-2025-68337: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted (bsc#1255482).
- CVE-2025-68341: veth: reduce XDP no_direct return section to fix race (bsc#1255506).
- CVE-2025-68348: block: fix memory leak in __blkdev_issue_zero_pages (bsc#1255694).
- CVE-2025-68349: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (bsc#1255544).
- CVE-2025-68356: gfs2: Prevent recursive memory reclaim (bsc#1255593).
- CVE-2025-68359: btrfs: fix double free of qgroup record after failure to add delayed ref head (bsc#1255542).
- CVE-2025-68360: wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks (bsc#1255536).
- CVE-2025-68361: erofs: limit the level of fs stacking for file-backed mounts (bsc#1255526).
- CVE-2025-68366: nbd: defer config unlock in nbd_genl_connect (bsc#1255622).
- CVE-2025-68367: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse (bsc#1255547).
- CVE-2025-68368: md: init bioset in mddev_init (bsc#1255527).
- CVE-2025-68372: nbd: defer config put in recv_work (bsc#1255537).
- CVE-2025-68374: md: fix rcu protection in md_wakeup_thread (bsc#1255530).
- CVE-2025-68376: coresight: ETR: Fix ETR buffer use-after-free issue (bsc#1255529).
- CVE-2025-68379: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure (bsc#1255695).
- CVE-2025-68735: drm/panthor: Prevent potential UAF in group creation (bsc#1255811).
- CVE-2025-68741: scsi: qla2xxx: Fix improper freeing of purex item (bsc#1255703).
- CVE-2025-68743: mshv: Fix create memory region overlap check (bsc#1255708).
- CVE-2025-68764: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags (bsc#1255930).
- CVE-2025-68768: inet: frags: add inet_frag_queue_flush() (bsc#1256579).
- CVE-2025-68770: bnxt_en: Fix XDP_TX path (bsc#1256584).
- CVE-2025-68771: ocfs2: fix kernel BUG in ocfs2_find_victim_chain (bsc#1256582).
- CVE-2025-68775: net/handshake: duplicate handshake cancellations leak socket (bsc#1256665).
- CVE-2025-68776: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() (bsc#1256659).
- CVE-2025-68784: xfs: fix a UAF problem in xattr repair (bsc#1256793).
- CVE-2025-68788: fsnotify: do not generate ACCESS/MODIFY events on child for special files (bsc#1256638).
- CVE-2025-68792: tpm2-sessions: Fix out of range indexing in name_size (bsc#1256656).
- CVE-2025-68795: ethtool: Avoid overflowing userspace buffer on stats query (bsc#1256688).
- CVE-2025-68798: perf/x86/amd: Check event before enable to avoid GPF (bsc#1256689).
- CVE-2025-68799: caif: fix integer underflow in cffrml_receive() (bsc#1256643).
- CVE-2025-68800: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats (bsc#1256646).
- CVE-2025-68801: mlxsw: spectrum_router: Fix neighbour use-after-free (bsc#1256653).
- CVE-2025-68803: NFSD: NFSv4 file creation neglects setting ACL (bsc#1256770).
- CVE-2025-68811: svcrdma: use rc_pageoff for memcpy byte offset (bsc#1256677).
- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256641).
- CVE-2025-68814: io_uring: fix filename leak in __io_openat_prep() (bsc#1256651).
- CVE-2025-68815: net/sched: ets: Remove drr class from the active list if it changes to strict (bsc#1256680).
- CVE-2025-68816: net/mlx5: fw_tracer, Validate format string parameters (bsc#1256674).
- CVE-2025-68820: ext4: xattr: fix null pointer deref in ext4_raw_inode() (bsc#1256754).
- CVE-2025-68821: fuse: fix readahead reclaim deadlock (bsc#1256667).
- CVE-2025-71064: net: hns3: using the num_tqps in the vf driver to apply for resources (bsc#1256654).
- CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1256645).
- CVE-2025-71077: tpm: Cap the number of PCR banks (bsc#1256613).
- CVE-2025-71080: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT (bsc#1256608).
- CVE-2025-71084: RDMA/cm: Fix leaking the multicast GID table reference (bsc#1256622).
- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256623).
- CVE-2025-71087: iavf: fix off-by-one issues in iavf_config_rss_reg() (bsc#1256628).
- CVE-2025-71088: mptcp: fallback earlier on simult connection (bsc#1256630).
- CVE-2025-71089: iommu: disable SVA when CONFIG_X86 is set (bsc#1256612).
- CVE-2025-71091: team: fix check for port enabled in team_queue_override_port_prio_changed() (bsc#1256773).
- CVE-2025-71093: e1000: fix OOB in e1000_tbi_should_accept() (bsc#1256777).
- CVE-2025-71094: net: usb: asix: ax88772: Increase phy_name size (bsc#1256597).
- CVE-2025-71095: net: stmmac: fix the crash issue for zero copy XDP_TX action (bsc#1256605).
- CVE-2025-71097: ipv4: Fix reference count leak when using error routes with nexthop objects (bsc#1256607).
- CVE-2025-71098: ip6_gre: make ip6gre_header() robust (bsc#1256591).
- CVE-2025-71112: net: hns3: add VLAN id validation before using (bsc#1256726).
- CVE-2025-71116: libceph: make decode_pool() more resilient against corrupted osdmaps (bsc#1256744).
- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256779).
- CVE-2025-71123: ext4: fix string copying in parse_apply_sb_mount_options() (bsc#1256757).
- CVE-2025-71126: mptcp: avoid deadlock on fallback while reinjecting (bsc#1256755).
- CVE-2025-71132: smc91x: fix broken irq-context in PREEMPT_RT (bsc#1256737).
- CVE-2025-71133: RDMA/irdma: avoid invalid read in irdma_net_event (bsc#1256733).
- CVE-2025-71135: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() (bsc#1256761).
- CVE-2025-71137: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" (bsc#1256760).
- CVE-2025-71148: net/handshake: restore destructor on submit failure (bsc#1257159).
- CVE-2025-71149: io_uring/poll: correctly handle io_poll_add() return value on update (bsc#1257164).
- CVE-2025-71156: gve: defer interrupt enabling until NAPI registration (bsc#1257167).
- CVE-2025-71157: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() (bsc#1257168).
- CVE-2026-22976: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (bsc#1257035).
- CVE-2026-22977: net: sock: fix hardened usercopy panic in sock_recv_errqueue (bsc#1257053).
- CVE-2026-22981: idpf: detach and close netdevs while handling a reset (bsc#1257225).
- CVE-2026-22982: net: mscc: ocelot: Fix crash when adding interface under a lag (bsc#1257179).
- CVE-2026-22984: libceph: prevent potential out-of-bounds reads in handle_auth_done() (bsc#1257217).
- CVE-2026-22986: gpiolib: fix race condition for gdev->srcu (bsc#1257276).
- CVE-2026-22990: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (bsc#1257221).
- CVE-2026-22991: libceph: make free_choose_arg_map() resilient to partial allocation (bsc#1257220).
- CVE-2026-22992: libceph: return the handler error from mon_handle_auth_done() (bsc#1257218).
- CVE-2026-22993: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations (bsc#1257180).
- CVE-2026-22996: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv.
- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257236).
- CVE-2026-23000: net/mlx5e: Fix crash on profile change rollback failure (bsc#1257234).
- CVE-2026-23001: macvlan: fix possible UAF in macvlan_forward_source() (bsc#1257232).
- CVE-2026-23005: x86/fpu: Clear XSTATE_BV in guest XSAVE state whenever XFD[i]=1 (bsc#1257245).
- CVE-2026-23011: ipv4: ip_gre: make ipgre_header() robust (bsc#1257207).
The following non security issues were fixed:
- ALSA: usb-audio: Update for native DSD support quirks (stable-fixes).
- Add bugnumber to an existing hv_netvsc change (bsc#1257473).
- Fix locking issue introduced by a CVE backport (bsc#1256975 bsc#1254977).
- Update config files: disable CONFIG_DEVPORT for arm64 (bsc#1256792)
- arm64: Update config files. Disable DEVPORT (bsc#1256792)
- bpf/selftests: test_select_reuseport_kern: Remove unused header (bsc#1257603).
- bpf: Do not let BPF test infra emit invalid GSO types to stack (bsc#1255569).
- btrfs: pass fs_info to btrfs_delete_ref_head() (git-fixes).
- btrfs: scrub: always update btrfs_scrub_progress::last_physical (git-fixes).
- bus: fsl-mc: Constify fsl_mc_device_match() (jsc#PED-10906 git-fixes).
- drm/imagination: Wait for FW trace update command completion (git-fixes).
- drm/msm/a6xx: fix bogus hwcg register updates (git-fixes).
- ice: use netif_get_num_default_rss_queues() (bsc#1247712).
- libbpf: Fix -Wdiscarded-qualifiers under C23 (bsc#1257309).
- mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations (bsc#1254447 bsc#1253087).
- net: mana: Fix incorrect speed reported by debugfs (bsc#1255232).
- net: mana: Support HW link state events (bsc#1253049).
- nfsd: adjust WARN_ON_ONCE in revoke_delegation (bsc#1257015).
- nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() (git-fixes).
- powerpc/addnote: Fix overflow on 32-bit builds (bsc#1215199).
- sched/fair: Disable scheduler feature NEXT_BUDDY (bsc#1255459).
- scsi: lpfc: Rework lpfc_sli4_fcf_rr_next_index_get() (bsc#1256864).
- scsi: lpfc: Update lpfc version to 14.4.0.13 (bsc#1256864).
- scsi: qla2xxx: Add Speed in SFP print information (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Add bsg interface to support firmware img validation (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Add load flash firmware mailbox support for 28xxx (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Add support for 64G SFP speed (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Allow recovery for tape devices (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Delay module unload while fabric scan in progress (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Fix bsg_done() causing double free (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Free sp in error path to fix system crash (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Query FW again before proceeding with login (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Update version to 10.02.10.100-k (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Validate MCU signature before executing MBC 03h (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Validate sp before freeing associated memory (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: storvsc: Process unsupported MODE_SENSE_10 (bsc#1257296).
- selftests: net: fib-onlink-tests: Convert to use namespaces by default (bsc#1255346).
- slimbus: core: Constify slim_eaddr_equal() (jsc#PED-10906 git-fixes).
- smb: client: split cached_fid bitfields to avoid shared-byte RMW races (bsc#1250748,bsc#1257154).
- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (git-fixes).
- smb: improve directory cache reuse for readdir operations (bsc#1252712).
- tsm-mr: Add TVM Measurement Register support (bsc#1257504).
- tsm-mr: Add tsm-mr sample code (bsc#1257504).
- virt: tdx-guest: Expose TDX MRs as sysfs attributes (bsc#1257504).
- virt: tdx-guest: Refactor and streamline TDREPORT generation (bsc#1257504).
- virt: tdx-guest: Transition to scoped_cond_guard for mutex operations (bsc#1257504).
- wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() (git-fixes).
- x86/tdx: Add tdx_mcall_extend_rtmr() interface (bsc#1257504).
- x86/tdx: tdx_mcall_get_report0: Return -EBUSY on TDCALL_OPERAND_BUSY error (bsc#1257504).
ImportantSUSE bug 1205462SUSE bug 1214285SUSE bug 1215199SUSE bug 1235905SUSE bug 1242505SUSE bug 1242974SUSE bug 1242986SUSE bug 1243452SUSE bug 1243507SUSE bug 1243662SUSE bug 1246184SUSE bug 1246282SUSE bug 1247030SUSE bug 1247292SUSE bug 1247712SUSE bug 1248166SUSE bug 1248175SUSE bug 1248178SUSE bug 1248179SUSE bug 1248185SUSE bug 1248188SUSE bug 1248196SUSE bug 1248206SUSE bug 1248208SUSE bug 1248209SUSE bug 1248211SUSE bug 1248212SUSE bug 1248213SUSE bug 1248214SUSE bug 1248216SUSE bug 1248217SUSE bug 1248222SUSE bug 1248227SUSE bug 1248228SUSE bug 1248229SUSE bug 1248232SUSE bug 1248234SUSE bug 1248240SUSE bug 1248360SUSE bug 1248366SUSE bug 1248384SUSE bug 1248626SUSE bug 1249307SUSE bug 1249609SUSE bug 1249895SUSE bug 1249998SUSE bug 1250032SUSE bug 1250082SUSE bug 1250388SUSE bug 1250705SUSE bug 1250738SUSE bug 1250748SUSE bug 1252712SUSE bug 1252773SUSE bug 1252784SUSE bug 1252891SUSE bug 1252900SUSE bug 1253049SUSE bug 1253078SUSE bug 1253079SUSE bug 1253087SUSE bug 1253344SUSE bug 1253500SUSE bug 1253739SUSE bug 1254244SUSE bug 1254308SUSE bug 1254447SUSE bug 1254839SUSE bug 1254842SUSE bug 1254845SUSE bug 1254977SUSE bug 1255102SUSE bug 1255128SUSE bug 1255157SUSE bug 1255164SUSE bug 1255172SUSE bug 1255216SUSE bug 1255232SUSE bug 1255241SUSE bug 1255245SUSE bug 1255266SUSE bug 1255268SUSE bug 1255269SUSE bug 1255319SUSE bug 1255327SUSE bug 1255346SUSE bug 1255403SUSE bug 1255417SUSE bug 1255459SUSE bug 1255482SUSE bug 1255506SUSE bug 1255526SUSE bug 1255527SUSE bug 1255529SUSE bug 1255530SUSE bug 1255536SUSE bug 1255537SUSE bug 1255542SUSE bug 1255544SUSE bug 1255547SUSE bug 1255569SUSE bug 1255593SUSE bug 1255622SUSE bug 1255694SUSE bug 1255695SUSE bug 1255703SUSE bug 1255708SUSE bug 1255811SUSE bug 1255930SUSE bug 1256579SUSE bug 1256582SUSE bug 1256584SUSE bug 1256586SUSE bug 1256591SUSE bug 1256592SUSE bug 1256593SUSE bug 1256594SUSE bug 1256597SUSE bug 1256605SUSE bug 1256607SUSE bug 1256608SUSE bug 1256609SUSE bug 1256610SUSE bug 1256611SUSE bug 1256612SUSE bug 1256613SUSE bug 1256616SUSE bug 1256617SUSE bug 1256619SUSE bug 1256622SUSE bug 1256623SUSE bug 1256625SUSE bug 1256627SUSE bug 1256628SUSE bug 1256630SUSE bug 1256632SUSE bug 1256638SUSE bug 1256641SUSE bug 1256643SUSE bug 1256645SUSE bug 1256646SUSE bug 1256650SUSE bug 1256651SUSE bug 1256653SUSE bug 1256654SUSE bug 1256655SUSE bug 1256656SUSE bug 1256659SUSE bug 1256660SUSE bug 1256661SUSE bug 1256664SUSE bug 1256665SUSE bug 1256667SUSE bug 1256668SUSE bug 1256674SUSE bug 1256677SUSE bug 1256680SUSE bug 1256682SUSE bug 1256683SUSE bug 1256688SUSE bug 1256689SUSE bug 1256716SUSE bug 1256726SUSE bug 1256728SUSE bug 1256730SUSE bug 1256733SUSE bug 1256737SUSE bug 1256741SUSE bug 1256742SUSE bug 1256744SUSE bug 1256748SUSE bug 1256749SUSE bug 1256752SUSE bug 1256754SUSE bug 1256755SUSE bug 1256756SUSE bug 1256757SUSE bug 1256759SUSE bug 1256760SUSE bug 1256761SUSE bug 1256763SUSE bug 1256770SUSE bug 1256773SUSE bug 1256774SUSE bug 1256777SUSE bug 1256779SUSE bug 1256781SUSE bug 1256785SUSE bug 1256792SUSE bug 1256793SUSE bug 1256794SUSE bug 1256864SUSE bug 1256865SUSE bug 1256867SUSE bug 1256975SUSE bug 1257015SUSE bug 1257035SUSE bug 1257053SUSE bug 1257154SUSE bug 1257155SUSE bug 1257158SUSE bug 1257159SUSE bug 1257163SUSE bug 1257164SUSE bug 1257167SUSE bug 1257168SUSE bug 1257179SUSE bug 1257180SUSE bug 1257202SUSE bug 1257204SUSE bug 1257207SUSE bug 1257208SUSE bug 1257215SUSE bug 1257217SUSE bug 1257218SUSE bug 1257220SUSE bug 1257221SUSE bug 1257225SUSE bug 1257227SUSE bug 1257232SUSE bug 1257234SUSE bug 1257236SUSE bug 1257243SUSE bug 1257245SUSE bug 1257276SUSE bug 1257277SUSE bug 1257279SUSE bug 1257282SUSE bug 1257296SUSE bug 1257309SUSE bug 1257473SUSE bug 1257504SUSE bug 1257603CVE-2024-54031 at SUSECVE-2024-54031 at NVDCVE-2025-37744 at SUSECVE-2025-37744 at NVDCVE-2025-37751 at SUSECVE-2025-37751 at NVDCVE-2025-37841 at SUSECVE-2025-37841 at NVDCVE-2025-37845 at SUSECVE-2025-37845 at NVDCVE-2025-37904 at SUSECVE-2025-37904 at NVDCVE-2025-37955 at SUSECVE-2025-37955 at NVDCVE-2025-38243 at SUSECVE-2025-38243 at NVDCVE-2025-38262 at SUSECVE-2025-38262 at NVDCVE-2025-38297 at SUSECVE-2025-38297 at NVDCVE-2025-38298 at SUSECVE-2025-38298 at NVDCVE-2025-38379 at SUSECVE-2025-38379 at NVDCVE-2025-38423 at SUSECVE-2025-38423 at NVDCVE-2025-38505 at SUSECVE-2025-38505 at NVDCVE-2025-38507 at SUSECVE-2025-38507 at NVDCVE-2025-38510 at SUSECVE-2025-38510 at NVDCVE-2025-38511 at SUSECVE-2025-38511 at NVDCVE-2025-38512 at SUSECVE-2025-38512 at NVDCVE-2025-38513 at SUSECVE-2025-38513 at NVDCVE-2025-38515 at SUSECVE-2025-38515 at NVDCVE-2025-38516 at SUSECVE-2025-38516 at NVDCVE-2025-38520 at SUSECVE-2025-38520 at NVDCVE-2025-38521 at SUSECVE-2025-38521 at NVDCVE-2025-38529 at SUSECVE-2025-38529 at NVDCVE-2025-38530 at SUSECVE-2025-38530 at NVDCVE-2025-38535 at SUSECVE-2025-38535 at NVDCVE-2025-38537 at SUSECVE-2025-38537 at NVDCVE-2025-38538 at SUSECVE-2025-38538 at NVDCVE-2025-38539 at SUSECVE-2025-38539 at NVDCVE-2025-38540 at SUSECVE-2025-38540 at NVDCVE-2025-38541 at SUSECVE-2025-38541 at NVDCVE-2025-38543 at SUSECVE-2025-38543 at NVDCVE-2025-38547 at SUSECVE-2025-38547 at NVDCVE-2025-38548 at SUSECVE-2025-38548 at NVDCVE-2025-38550 at SUSECVE-2025-38550 at NVDCVE-2025-38551 at SUSECVE-2025-38551 at NVDCVE-2025-38569 at SUSECVE-2025-38569 at NVDCVE-2025-38589 at SUSECVE-2025-38589 at NVDCVE-2025-38590 at SUSECVE-2025-38590 at NVDCVE-2025-38645 at SUSECVE-2025-38645 at NVDCVE-2025-39689 at SUSECVE-2025-39689 at NVDCVE-2025-39795 at SUSECVE-2025-39795 at NVDCVE-2025-39813 at SUSECVE-2025-39813 at NVDCVE-2025-39814 at SUSECVE-2025-39814 at NVDCVE-2025-39817 at SUSECVE-2025-39817 at NVDCVE-2025-39829 at SUSECVE-2025-39829 at NVDCVE-2025-39880 at SUSECVE-2025-39880 at NVDCVE-2025-39913 at SUSECVE-2025-39913 at NVDCVE-2025-39927 at SUSECVE-2025-39927 at NVDCVE-2025-40030 at SUSECVE-2025-40030 at NVDCVE-2025-40045 at SUSECVE-2025-40045 at NVDCVE-2025-40097 at SUSECVE-2025-40097 at NVDCVE-2025-40106 at SUSECVE-2025-40106 at NVDCVE-2025-40147 at SUSECVE-2025-40147 at NVDCVE-2025-40195 at SUSECVE-2025-40195 at NVDCVE-2025-40257 at SUSECVE-2025-40257 at NVDCVE-2025-40259 at SUSECVE-2025-40259 at NVDCVE-2025-40261 at SUSECVE-2025-40261 at NVDCVE-2025-40363 at SUSECVE-2025-40363 at NVDCVE-2025-68174 at SUSECVE-2025-68174 at NVDCVE-2025-68178 at SUSECVE-2025-68178 at NVDCVE-2025-68188 at SUSECVE-2025-68188 at NVDCVE-2025-68200 at SUSECVE-2025-68200 at NVDCVE-2025-68211 at SUSECVE-2025-68211 at NVDCVE-2025-68218 at SUSECVE-2025-68218 at NVDCVE-2025-68227 at SUSECVE-2025-68227 at NVDCVE-2025-68241 at SUSECVE-2025-68241 at NVDCVE-2025-68245 at SUSECVE-2025-68245 at NVDCVE-2025-68261 at SUSECVE-2025-68261 at NVDCVE-2025-68296 at SUSECVE-2025-68296 at NVDCVE-2025-68297 at SUSECVE-2025-68297 at NVDCVE-2025-68320 at SUSECVE-2025-68320 at NVDCVE-2025-68325 at SUSECVE-2025-68325 at NVDCVE-2025-68337 at SUSECVE-2025-68337 at NVDCVE-2025-68341 at SUSECVE-2025-68341 at NVDCVE-2025-68348 at SUSECVE-2025-68348 at NVDCVE-2025-68349 at SUSECVE-2025-68349 at NVDCVE-2025-68356 at SUSECVE-2025-68356 at NVDCVE-2025-68359 at SUSECVE-2025-68359 at NVDCVE-2025-68360 at SUSECVE-2025-68360 at NVDCVE-2025-68361 at SUSECVE-2025-68361 at NVDCVE-2025-68366 at SUSECVE-2025-68366 at NVDCVE-2025-68367 at SUSECVE-2025-68367 at NVDCVE-2025-68368 at SUSECVE-2025-68368 at NVDCVE-2025-68372 at SUSECVE-2025-68372 at NVDCVE-2025-68374 at SUSECVE-2025-68374 at NVDCVE-2025-68376 at SUSECVE-2025-68376 at NVDCVE-2025-68379 at SUSECVE-2025-68379 at NVDCVE-2025-68725 at SUSECVE-2025-68725 at NVDCVE-2025-68735 at SUSECVE-2025-68735 at NVDCVE-2025-68741 at SUSECVE-2025-68741 at NVDCVE-2025-68743 at SUSECVE-2025-68743 at NVDCVE-2025-68764 at SUSECVE-2025-68764 at NVDCVE-2025-68768 at SUSECVE-2025-68768 at NVDCVE-2025-68770 at SUSECVE-2025-68770 at NVDCVE-2025-68771 at SUSECVE-2025-68771 at NVDCVE-2025-68773 at SUSECVE-2025-68773 at NVDCVE-2025-68775 at SUSECVE-2025-68775 at NVDCVE-2025-68776 at SUSECVE-2025-68776 at NVDCVE-2025-68777 at SUSECVE-2025-68777 at NVDCVE-2025-68778 at SUSECVE-2025-68778 at NVDCVE-2025-68783 at SUSECVE-2025-68783 at NVDCVE-2025-68784 at SUSECVE-2025-68784 at NVDCVE-2025-68788 at SUSECVE-2025-68788 at NVDCVE-2025-68789 at SUSECVE-2025-68789 at NVDCVE-2025-68792 at SUSECVE-2025-68792 at NVDCVE-2025-68795 at SUSECVE-2025-68795 at NVDCVE-2025-68797 at SUSECVE-2025-68797 at NVDCVE-2025-68798 at SUSECVE-2025-68798 at NVDCVE-2025-68799 at SUSECVE-2025-68799 at NVDCVE-2025-68800 at SUSECVE-2025-68800 at NVDCVE-2025-68801 at SUSECVE-2025-68801 at NVDCVE-2025-68802 at SUSECVE-2025-68802 at NVDCVE-2025-68803 at SUSECVE-2025-68803 at NVDCVE-2025-68804 at SUSECVE-2025-68804 at NVDCVE-2025-68808 at SUSECVE-2025-68808 at NVDCVE-2025-68811 at SUSECVE-2025-68811 at NVDCVE-2025-68813 at SUSECVE-2025-68813 at NVDCVE-2025-68814 at SUSECVE-2025-68814 at NVDCVE-2025-68815 at SUSECVE-2025-68815 at NVDCVE-2025-68816 at SUSECVE-2025-68816 at NVDCVE-2025-68819 at SUSECVE-2025-68819 at NVDCVE-2025-68820 at SUSECVE-2025-68820 at NVDCVE-2025-68821 at SUSECVE-2025-68821 at NVDCVE-2025-68822 at SUSECVE-2025-68822 at NVDCVE-2025-71064 at SUSECVE-2025-71064 at NVDCVE-2025-71066 at SUSECVE-2025-71066 at NVDCVE-2025-71073 at SUSECVE-2025-71073 at NVDCVE-2025-71076 at SUSECVE-2025-71076 at NVDCVE-2025-71077 at SUSECVE-2025-71077 at NVDCVE-2025-71078 at SUSECVE-2025-71078 at NVDCVE-2025-71079 at SUSECVE-2025-71079 at NVDCVE-2025-71080 at SUSECVE-2025-71080 at NVDCVE-2025-71081 at SUSECVE-2025-71081 at NVDCVE-2025-71082 at SUSECVE-2025-71082 at NVDCVE-2025-71083 at SUSECVE-2025-71083 at NVDCVE-2025-71084 at SUSECVE-2025-71084 at NVDCVE-2025-71085 at SUSECVE-2025-71085 at NVDCVE-2025-71086 at SUSECVE-2025-71086 at NVDCVE-2025-71087 at SUSECVE-2025-71087 at NVDCVE-2025-71088 at SUSECVE-2025-71088 at NVDCVE-2025-71089 at SUSECVE-2025-71089 at NVDCVE-2025-71091 at SUSECVE-2025-71091 at NVDCVE-2025-71093 at SUSECVE-2025-71093 at NVDCVE-2025-71094 at SUSECVE-2025-71094 at NVDCVE-2025-71095 at SUSECVE-2025-71095 at NVDCVE-2025-71097 at SUSECVE-2025-71097 at NVDCVE-2025-71098 at SUSECVE-2025-71098 at NVDCVE-2025-71099 at SUSECVE-2025-71099 at NVDCVE-2025-71100 at SUSECVE-2025-71100 at NVDCVE-2025-71101 at SUSECVE-2025-71101 at NVDCVE-2025-71108 at SUSECVE-2025-71108 at NVDCVE-2025-71111 at SUSECVE-2025-71111 at NVDCVE-2025-71112 at SUSECVE-2025-71112 at NVDCVE-2025-71113 at SUSECVE-2025-71113 at NVDCVE-2025-71114 at SUSECVE-2025-71114 at NVDCVE-2025-71116 at SUSECVE-2025-71116 at NVDCVE-2025-71118 at SUSECVE-2025-71118 at NVDCVE-2025-71119 at SUSECVE-2025-71119 at NVDCVE-2025-71120 at SUSECVE-2025-71120 at NVDCVE-2025-71123 at SUSECVE-2025-71123 at NVDCVE-2025-71126 at SUSECVE-2025-71126 at NVDCVE-2025-71130 at SUSECVE-2025-71130 at NVDCVE-2025-71131 at SUSECVE-2025-71131 at NVDCVE-2025-71132 at SUSECVE-2025-71132 at NVDCVE-2025-71133 at SUSECVE-2025-71133 at NVDCVE-2025-71135 at SUSECVE-2025-71135 at NVDCVE-2025-71136 at SUSECVE-2025-71136 at NVDCVE-2025-71137 at SUSECVE-2025-71137 at NVDCVE-2025-71138 at SUSECVE-2025-71138 at NVDCVE-2025-71141 at SUSECVE-2025-71141 at NVDCVE-2025-71142 at SUSECVE-2025-71142 at NVDCVE-2025-71143 at SUSECVE-2025-71143 at NVDCVE-2025-71145 at SUSECVE-2025-71145 at NVDCVE-2025-71147 at SUSECVE-2025-71147 at NVDCVE-2025-71148 at SUSECVE-2025-71148 at NVDCVE-2025-71149 at SUSECVE-2025-71149 at NVDCVE-2025-71154 at SUSECVE-2025-71154 at NVDCVE-2025-71156 at SUSECVE-2025-71156 at NVDCVE-2025-71157 at SUSECVE-2025-71157 at NVDCVE-2025-71162 at SUSECVE-2025-71162 at NVDCVE-2025-71163 at SUSECVE-2025-71163 at NVDCVE-2026-22976 at SUSECVE-2026-22976 at NVDCVE-2026-22977 at SUSECVE-2026-22977 at NVDCVE-2026-22978 at SUSECVE-2026-22978 at NVDCVE-2026-22981 at SUSECVE-2026-22981 at NVDCVE-2026-22982 at SUSECVE-2026-22982 at NVDCVE-2026-22984 at SUSECVE-2026-22984 at NVDCVE-2026-22985 at SUSECVE-2026-22985 at NVDCVE-2026-22986 at SUSECVE-2026-22986 at NVDCVE-2026-22988 at SUSECVE-2026-22988 at NVDCVE-2026-22989 at SUSECVE-2026-22989 at NVDCVE-2026-22990 at SUSECVE-2026-22990 at NVDCVE-2026-22991 at SUSECVE-2026-22991 at NVDCVE-2026-22992 at SUSECVE-2026-22992 at NVDCVE-2026-22993 at SUSECVE-2026-22993 at NVDCVE-2026-22996 at SUSECVE-2026-22996 at NVDCVE-2026-22997 at SUSECVE-2026-22997 at NVDCVE-2026-22999 at SUSECVE-2026-22999 at NVDCVE-2026-23000 at SUSECVE-2026-23000 at NVDCVE-2026-23001 at SUSECVE-2026-23001 at NVDCVE-2026-23002 at SUSECVE-2026-23002 at NVDCVE-2026-23005 at SUSECVE-2026-23005 at NVDCVE-2026-23006 at SUSECVE-2026-23006 at NVDCVE-2026-23011 at SUSECVE-2026-23011 at NVDSecurity update for haproxy (Moderate)openSUSE Leap 16.0
This update for haproxy fixes the following issues:
- Update to version 3.2.12+git0.6011f448e
- CVE-2026-26081: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
- CVE-2026-26080: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
ModerateSUSE bug 1257521SUSE bug 1257976CVE-2026-26080 at SUSECVE-2026-26080 at NVDCVE-2026-26081 at SUSECVE-2026-26081 at NVDSecurity update for fluidsynth (Important)openSUSE Leap 16.0
This update for fluidsynth fixes the following issues:
- CVE-2025-56225: NULL pointer deference when loading and invalid MIDI file (bsc#1256435).
ImportantSUSE bug 1256435CVE-2025-56225 at SUSECVE-2025-56225 at NVDSecurity update for ongres-scram (Important)openSUSE Leap 16.0
This update for ongres-scram fixes the following issues:
- CVE-2025-59432: Fixed timing attack vulnerability in SCRAM Authentication (bsc#1250399)
ImportantSUSE bug 1250399CVE-2025-59432 at SUSECVE-2025-59432 at NVDSecurity update for python-azure-core (Important)openSUSE Leap 16.0
This update for python-azure-core fixes the following issues:
- CVE-2026-21226: Fixed deserialization of untrusted data which may allow an authorized attacker to execute code over a network. (bsc#1257703)
ImportantSUSE bug 1257703CVE-2026-21226 at SUSECVE-2026-21226 at NVDSecurity update for cpp-httplib (Important)openSUSE Leap 16.0
This update for cpp-httplib fixes the following issues:
- CVE-2025-53629: header can allocate memory arbitrarily in the server, potentially leading to its exhaustion
(bsc#1246471).
- CVE-2025-53628: HTTP header smuggling due to insecure trailers merge (bsc#1246468).
ImportantSUSE bug 1246468SUSE bug 1246471CVE-2025-53628 at SUSECVE-2025-53628 at NVDCVE-2025-53629 at SUSECVE-2025-53629 at NVDSecurity update for rhino (Moderate)openSUSE Leap 16.0
This update for rhino fixes the following issues:
Update to 1.7.15.1:
- CVE-2025-66453: Fixed a problem with formatting of floating-point numbers to strings that may result in DoS (bsc#1254481).
ModerateSUSE bug 1254481CVE-2025-66453 at SUSECVE-2025-66453 at NVDSecurity update for assertj-core (Moderate)openSUSE Leap 16.0
This update for assertj-core fixes the following issues:
Upgrade to version 3.27.7:
- CVE-2026-24400: Fix XXE vulnerability in isXmlEqualTo assertion (bsc#1257293).
ModerateSUSE bug 1257293CVE-2026-24400 at SUSECVE-2026-24400 at NVDSecurity update for go1.25-openssl (Important)openSUSE Leap 16.0
This update for go1.25-openssl fixes the following issues:
- Update to version 1.25.7 (jsc#SLE-18320)
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821)
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820)
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819)
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817)
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816)
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818)
- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431)
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SA (bsc#1254430)
- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255)
- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253)
- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260)
- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258)
- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259)
- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256)
- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261)
- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257)
- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254)
- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262)
ImportantSUSE bug 1244485SUSE bug 1245878SUSE bug 1249985SUSE bug 1251253SUSE bug 1251254SUSE bug 1251255SUSE bug 1251256SUSE bug 1251257SUSE bug 1251258SUSE bug 1251259SUSE bug 1251260SUSE bug 1251261SUSE bug 1251262SUSE bug 1254227SUSE bug 1254430SUSE bug 1254431SUSE bug 1256816SUSE bug 1256817SUSE bug 1256818SUSE bug 1256819SUSE bug 1256820SUSE bug 1256821SUSE bug 1257486CVE-2025-47912 at SUSECVE-2025-47912 at NVDCVE-2025-58183 at SUSECVE-2025-58183 at NVDCVE-2025-58185 at SUSECVE-2025-58185 at NVDCVE-2025-58186 at SUSECVE-2025-58186 at NVDCVE-2025-58187 at SUSECVE-2025-58187 at NVDCVE-2025-58188 at SUSECVE-2025-58188 at NVDCVE-2025-58189 at SUSECVE-2025-58189 at NVDCVE-2025-61723 at SUSECVE-2025-61723 at NVDCVE-2025-61724 at SUSECVE-2025-61724 at NVDCVE-2025-61725 at SUSECVE-2025-61725 at NVDCVE-2025-61726 at SUSECVE-2025-61726 at NVDCVE-2025-61727 at SUSECVE-2025-61727 at NVDCVE-2025-61728 at SUSECVE-2025-61728 at NVDCVE-2025-61729 at SUSECVE-2025-61729 at NVDCVE-2025-61730 at SUSECVE-2025-61730 at NVDCVE-2025-61731 at SUSECVE-2025-61731 at NVDCVE-2025-68119 at SUSECVE-2025-68119 at NVDCVE-2025-68121 at SUSECVE-2025-68121 at NVDSecurity update for podman (Important)openSUSE Leap 16.0
This update for podman fixes the following issues:
Changes in podman:
- Add symlink to catatonit in /usr/libexec/podman (bsc#1248988)
- CVE-2025-47914: Fixed golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read (bsc#1253993)
- CVE-2025-47913: Fixed golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253542):
- CVE-2025-31133,CVE-2025-52565,CVE-2025-52881: Fixed runc: Container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252376):
- CVE-2025-9566: Fixed that podman kube play command may overwrite host files (bsc#1249154):
ImportantSUSE bug 1248988SUSE bug 1249154SUSE bug 1252376SUSE bug 1253542SUSE bug 1253993CVE-2025-22869 at SUSECVE-2025-22869 at NVDCVE-2025-31133 at SUSECVE-2025-31133 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-52565 at SUSECVE-2025-52565 at NVDCVE-2025-52881 at SUSECVE-2025-52881 at NVDCVE-2025-6032 at SUSECVE-2025-6032 at NVDCVE-2025-9566 at SUSECVE-2025-9566 at NVDSecurity update for expat (Moderate)openSUSE Leap 16.0
This update for expat fixes the following issues:
- CVE-2026-24515: failure to copy the encoding handler data passed to XML_SetUnknownEncodingHandler may cause a NULL
dereference (bsc#1257144).
- CVE-2026-25210: lack of buffer size check can lead to an integer overflow (bsc#1257496).
ModerateSUSE bug 1257144SUSE bug 1257496CVE-2026-24515 at SUSECVE-2026-24515 at NVDCVE-2026-25210 at SUSECVE-2026-25210 at NVDSecurity update for go1.24-openssl (Critical)openSUSE Leap 16.0
This update for go1.24-openssl fixes the following issues:
- Update to version 1.24.13 (jsc#SLE-18320)
- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information. (bsc#1251255)
- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress. (bsc#1251253)
- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys. (bsc#1251260)
- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion. (bsc#1251258)
- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion. (bsc#1251259)
- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs. (bsc#1251256)
- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map. (bsc#1251261)
- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames. (bsc#1251257)
- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints. (bsc#1251254)
- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse. (bsc#1251262)
- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation. (bsc#1254431)
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN. (bsc#1254430)
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level. (bsc#1256821)
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (bsc#1256819)
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm. (bsc#1256817)
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives. (bsc#1256816)
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (bsc#1256818)
- CVE-2025-61732: cmd/go: potential code smuggling using doc comments. (bsc#1257692)
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain. (bsc#1256820)
CriticalSUSE bug 1236217SUSE bug 1245878SUSE bug 1247816SUSE bug 1248082SUSE bug 1249985SUSE bug 1251253SUSE bug 1251254SUSE bug 1251255SUSE bug 1251256SUSE bug 1251257SUSE bug 1251258SUSE bug 1251259SUSE bug 1251260SUSE bug 1251261SUSE bug 1251262SUSE bug 1254430SUSE bug 1254431SUSE bug 1256816SUSE bug 1256817SUSE bug 1256818SUSE bug 1256819SUSE bug 1256820SUSE bug 1256821SUSE bug 1257692CVE-2025-47912 at SUSECVE-2025-47912 at NVDCVE-2025-58183 at SUSECVE-2025-58183 at NVDCVE-2025-58185 at SUSECVE-2025-58185 at NVDCVE-2025-58186 at SUSECVE-2025-58186 at NVDCVE-2025-58187 at SUSECVE-2025-58187 at NVDCVE-2025-58188 at SUSECVE-2025-58188 at NVDCVE-2025-58189 at SUSECVE-2025-58189 at NVDCVE-2025-61723 at SUSECVE-2025-61723 at NVDCVE-2025-61724 at SUSECVE-2025-61724 at NVDCVE-2025-61725 at SUSECVE-2025-61725 at NVDCVE-2025-61726 at SUSECVE-2025-61726 at NVDCVE-2025-61727 at SUSECVE-2025-61727 at NVDCVE-2025-61728 at SUSECVE-2025-61728 at NVDCVE-2025-61729 at SUSECVE-2025-61729 at NVDCVE-2025-61730 at SUSECVE-2025-61730 at NVDCVE-2025-61731 at SUSECVE-2025-61731 at NVDCVE-2025-61732 at SUSECVE-2025-61732 at NVDCVE-2025-68119 at SUSECVE-2025-68119 at NVDCVE-2025-68121 at SUSECVE-2025-68121 at NVDSecurity update for cockpit-podman (Important)openSUSE Leap 16.0
This update for cockpit-podman fixes the following issues:
- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global
prototypes (bsc#1257324).
ImportantSUSE bug 1257324CVE-2025-13465 at SUSECVE-2025-13465 at NVDSecurity update for libxml2, libxslt (Moderate)openSUSE Leap 16.0
This update for libxml2, libxslt fixes the following issues:
Changes in libxml2:
- CVE-2026-0990: call stack overflow may lead to application crash due to infinite recursion in
`xmlCatalogXMLResolveURI` (bsc#1256807, bsc#1256811).
- CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling
`nextCatalog` elements (bsc#1256809, bsc#1256812).
- CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files
(bsc#1247858).
- CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257594, bsc#1257595).
- CVE-2025-10911: parsing xsl nodes may lead to use-after-free with key data stored cross-RVT (bsc#1250553)
ModerateSUSE bug 1247850SUSE bug 1247858SUSE bug 1250553SUSE bug 1256804SUSE bug 1256807SUSE bug 1256808SUSE bug 1256809SUSE bug 1256810SUSE bug 1256811SUSE bug 1256812SUSE bug 1257593SUSE bug 1257594SUSE bug 1257595CVE-2025-10911 at SUSECVE-2025-10911 at NVDCVE-2025-8732 at SUSECVE-2025-8732 at NVDCVE-2026-0990 at SUSECVE-2026-0990 at NVDCVE-2026-0992 at SUSECVE-2026-0992 at NVDCVE-2026-1757 at SUSECVE-2026-1757 at NVDRecommended update for shim (Moderate)openSUSE Leap 16.0
This update for shim fixes the following issues:
This update for shim fixes the following issues:
shim is updated to version 16.1:
- shim_start_image(): fix guid/handle pairing when uninstalling protocols
- Fix uncompressed ipv6 netboot
- fix test segfaults caused by uninitialized memory
- SbatLevel_Variable.txt: minor typo fix.
- Realloc() needs to allocate one more byte for sprintf()
- IPv6: Add more check to avoid multiple double colon and illegal char
- Loader proto v2
- loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
- Generate Authenticode for the entire PE file
- README: mention new loader protocol and interaction with UKIs
- shim: change automatically enable MOK_POLICY_REQUIRE_NX
- Save var info
- add SbatLevel entry 2025051000 for PSA-2025-00012-1
- Coverity fixes 20250804
- fix http boot
- Fix double free and leak in the loader protocol
shim is updated to version 16.0:
- Validate that a supplied vendor cert is not in PEM format
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
- sbat: Also bump latest for grub,4 (and to todays date)
- undo change that limits certificate files to a single file
- shim: don't set second_stage to the empty string
- Fix SBAT.md for today's consensus about numbers
- Update Code of Conduct contact address
- make-certs: Handle missing OpenSSL installation
- Update MokVars.txt
- export DEFINES for sub makefile
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
- Null-terminate 'arguments' in fallback
- Fix "Verifiying" typo in error message
- Update Fedora CI targets
- Force gcc to produce DWARF4 so that gdb can use it
- Minor housekeeping 2024121700
- Discard load-options that start with WINDOWS
- Fix the issue that the gBS->LoadImage pointer was empty.
- shim: Allow data after the end of device path node in load options
- Handle network file not found like disks
- Update gnu-efi submodule for EFI_HTTP_ERROR
- Increase EFI file alignment
- avoid EFIv2 runtime services on Apple x86 machines
- Improve shortcut performance when comparing two boolean expressions
- Provide better error message when MokManager is not found
- tpm: Boot with a warning if the event log is full
- MokManager: remove redundant logical constraints
- Test import_mok_state() when MokListRT would be bigger than available size
- test-mok-mirror: minor bug fix
- Fix file system browser hang when enrolling MOK from disk
- Ignore a minor clang-tidy nit
- Allow fallback to default loader when encountering errors on network boot
- test.mk: don't use a temporary random.bin
- pe: Enhance debug report for update_mem_attrs
- Multiple certificate handling improvements
- Generate SbatLevel Metadata from SbatLevel_Variable.txt
- Apply EKU check with compile option
- Add configuration option to boot an alternative 2nd stage
- Loader protocol (with Device Path resolution support)
- netboot cleanup for additional files
- Document how revocations can be delivered
- post-process-pe: add tests to validate NX compliance
- regression: CopyMem() in ad8692e copies out of bounds
- Save the debug and error logs in mok-variables
- Add features for the Host Security ID program
- Mirror some more efi variables to mok-variables
- This adds DXE Services measurements to HSI and uses them for NX
- Add shim's current NX_COMPAT status to HSIStatus
- README.tpm: reflect that vendor_db is in fact logged as "vendor_db"
- Reject HTTP message with duplicate Content-Length header fields
- Disable log saving
- fallback: don't add new boot order entries backwards
- README.tpm: Update MokList entry to MokListRT
- SBAT Level update for February 2025 GRUB CVEs
ModerateSUSE bug 1205588SUSE bug 1247432SUSE bug 1254336SUSE bug 1254679CVE-2024-2312 at SUSECVE-2024-2312 at NVDSecurity update for virtiofsd (Important)openSUSE Leap 16.0
This update for virtiofsd fixes the following issue:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257912).
ImportantSUSE bug 1257912CVE-2026-25727 at SUSECVE-2026-25727 at NVDSecurity update for helm (Moderate)openSUSE Leap 16.0
This update for helm fixes the following issues:
- Update to version 3.19.1:
* CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with
quadratic complexity when parsing HTML documents (bsc#1251442)
* CVE-2025-58190: golang.org/x/net/html: Fixed xcessive memory
consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251649)
* jsonschema: warn and ignore unresolved URN $ref to match
v3.18.4
* Avoid "panic: interface conversion: interface {} is nil"
* Fix `helm pull` untar dir check with repo urls
* Fix deprecation warning
* Add timeout flag to repo add and update flags
- Update to version 3.19.0:
* bump version to v3.19.0
* fix: use username and password if provided
* fix(helm-lint): fmt
* fix(helm-lint): Add TLSClientConfig
* fix(helm-lint): Add HTTP/HTTPS URL support for json schema references
* chore(deps): bump the k8s-io group with 7 updates
* fix: go mod tidy for v3
* fix Chart.yaml handling
* Handle messy index files
* json schema fix
* fix: k8s version parsing to match original
* Do not explicitly set SNI in HTTPGetter
* Disabling linter due to unknown issue
* Updating link handling
* fix: user username password for login
* Update pkg/registry/transport.go
* fix: add debug logging to oci transport
* fix: legacy docker support broken for login
* fix: plugin installer test with no Internet
* Handle an empty registry config file.
* Prevent fetching newReference again as we have in calling method
* Prevent failure when resolving version tags in oras memory store
* fix(client): skipnode utilization for PreCopy
* test: Skip instead of returning early. looks more intentional
* test: tests repo stripping functionality
* test: include tests for Login based on different protocol prefixes
* fix(client): layers now returns manifest - remove duplicate from descriptors
* fix(client): return nil on non-allowed media types
* Fix 3.18.0 regression: registry login with scheme
* Update pkg/plugin/plugin.go
* Wait for Helm v4 before raising when platformCommand and Command are set
* Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]"
* build(deps): bump the k8s-io group with 7 updates
* chore: update generalization warning message
* fix: move warning to top of block
* fix: govulncheck workflow
* fix: replace fmt warning with slog
* fix: add warning when ignore repo flag
* feat: add httproute from gateway-api to create chart template
- Update to version 3.18.6:
* fix(helm-lint): fmt
* fix(helm-lint): Add TLSClientConfig
* fix(helm-lint): Add HTTP/HTTPS URL support for json schema
references
- Update to version 3.18.5:
* fix Chart.yaml handling 7799b48 (Matt Farina)
* Handle messy index files dd8502f (Matt Farina)
* json schema fix cb8595b (Robert Sirchia)
- Fix shell completion dependencies
* Add BuildRequires to prevent inclusion of folders owned by shells.
* Add Requires because installing completions without appropriate
shell is questionable.
- Fix zsh completion location
ModerateSUSE bug 1251442SUSE bug 1251649CVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer-plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins-base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer (Moderate)openSUSE Leap 16.0
This update for gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer-plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins-base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer fixes the following issues:
Changes in gstreamer-rtsp-server:
- Update to version 1.26.7:
+ Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT.
+ rtsp-server: tests: Switch to fixtures to ensure pool shutdown
+ rtsp-server: tests: Fix a few memory leaks
Changes in gstreamer-plugins-ugly:
- Update to version 1.26.7:
+ No changes, stable version bump only.
Changes in gstreamer-plugins-rs:
- Update to version 1.26.7+git0.6ab75814:
* tracers: Fix inverted append logic when writing log files
* threadshare:
- examples: standalone: also handle buffer lists
- Pad push_list: downgrade Pad flushing log level
- sinks: fix / handle query()
- backpressure: abort pending items on flush start
- udpsink: fix panic recalculating latency from certain
executors
- audiotestsrc:
. support more Audio formats
. use AudioInfo
. fix latency
. act as a pseudo live source by default
- runtime task: execute action in downward transition
- example cleanups
- udpsink: distinguish sync status for latency & report added
latency
- sink elements: implement `send_event`
- dataqueue elements: report min and max latency
* rtp:
- Add linear audio (L8, L16, L24) RTP payloaders / depayloaders
* rtp: basedepay: reuse last PTS, when possible
* skia: Update to skia-safe 0.89
* mp4: Update to mp4-atom 0.9
* Update dependencies
* webrtc: livekit: Drop connection lock after take()
* onvifmetadatapay: copy metadata from source buffer
* fallbacksrc: Fix custom source reuse case
* add `rust-tls-native-roots` feature to the `reqwest` dep
* rtpamrpay2:
- Actually forward the frame quality indicator
- Set frame quality indicator flag
- Add patch to fix reproducibility of package build (boo#1237097)
- Update to version 1.26.6+git20.e287e869:
* Fix some new clippy 1.90 warnings
* colordetect: Don't use deprecated color_name API
* deny: Update
* quinn: Update to web-transport-quinn 0.8
* skia: Update to skia-safe 0.88
* Update Cargo.lock
* Allow windows-sys 0.61 too
* intersink: add sync property
* meson: Fix .pc files installation and simplify build output
handling. This also fixes the .pc file install directory and
ensures that the .pc files are only installed when static
builds is enabled.
- Drop devel subpackage following upstream changes.
- Update to version 1.26.6:
+ aws: Ensure task stopping on paused-to-ready state change
+ fallbacksrc:
- Don't panic during retries if the element was shut down in
parallel
- Don't restart source if the element is just being shut down
- Fix some custom source deadlocks
- Fix sources only being restarted once
+ gtk4: Try importing dmabufs withouth DMA_DRM caps
+ inter: Give the appsrc/appsink a name that has the parent
element as prefix
+ mp4: Skip tests using x264enc if it does not exist
+ rtpgccbwe: avoid clamp() panic when min_bitrate > max_bitrate
+ rtpmp4gdepay2: allow only constantduration with neither
constantsize nor sizelength set
+ rtprecv: fix race condition on first buffer
+ speechmatics: Specify rustls as an explicit dependency
+ spotify: update to librespot 0.7
+ threadshare:
- add a blocking adapter element
- always use block_on_or_add_subtask
- audiotestsrc: fix setting samples-per-buffer...
- blocking_adapter: fix Since marker in docs
- fix resources not available when preparing asynchronously
- fix ts-inter test one_to_one_up_first
- have: have Task log its obj
- intersink: return from blocking tasks when stopping
- inter: update doc example
- runtime/pad: lower log level pushing Buffer to flushing pad
- separate blocking & throttling schedulers
- update examples
- Update to getifaddrs 0.5
- Fix macOS build post getifaddrs 0.5 update
- Bump up getiffaddrs to 0.1.5 and revert "udp: avoid
getifaddrs in android"
- Reapply "udp: avoid getifaddrs in android"
+ transcriberbin: Fix some deadlocks
+ Update dependencies
+ webrtc: Migrate to warp 0.4 and switch to tokio-rustls
+ webrtc/signalling: Fix setting of host address
+ ci: add script to check readme against plugins list
+ Fix various new clippy 1.89 warnings
+ Don't suggest running cargo cinstall after cargo cbuild
+ meson: Isolate built plugins from cargo target directory
- Update to version 1.26.5+git11.949807a4 (boo#1248053,
CVE-2025-55159):
+ rtprecv: fix race condition on first buffer
+ threadshare: intersink: return from blocking tasks when
stopping
+ threadshare: inter: store upstream latency in InterContext
+ threadshare: add a blocking adapter element
+ transcriberbin: Fix settings/state lock order violation in
set_property()
+ transcriberbin: Don't keep state locked while querying upstream
latency
+ threadshare: audiotestsrc: fix setting samples-per-buffer...
+ rtpgccbwe: avoid clamp() panic when min_bitrate > max_bitrate
+ fallbacksrc: Don't restart source if the element is just being
shut down
+ aws: Ensure task stopping on paused-to-ready state change
+ fallbacksrc: Don't panic during retries if the element was shut
down in parallel
+ Update Cargo.lock.
- Update to version 1.26.5:
+ awstranscriber2, awstranslate: Handle multiple stream-start
event
+ ceaX08overlay: support ANY caps features, allowing e.g.
memory:GLMemory if downstream supports the overlay composition
meta
+ hlsmultivariantsink: Fix master playlist version
+ rtprecv: Drop state lock before chaining RTCP packets from the
RTP chain function
+ Add rtpbin2 examples
+ rtpmp4apay2: fix payload size prefix
+ rtp: threadshare: fix some property ranges
+ mpegtslivesrc: Remove leftover debug message
+ ts-audiotestsrc fixes
+ threadshare: fix flush for ts-queue ts-proxy & ts-intersrc
+ threadshare: fix regression in ts-proxysrc
+ threadshare: improvements to some elements
+ threadshare: Enable windows Win32_Networking feature
+ threadshare: queue & proxy: fix race condition stopping
+ threadshare: Also enable windows Win32_Networking_WinSock
feature
+ tracers: pipeline-snapshot: reduce WebSocket connection log
level
+ tracers: queue-levels: add support for threadshare DataQueue
related elements
+ tracers: Update to etherparse 0.19
+ transcriberbin: Fix handling of upstream latency query
+ webrtcsink: Move videorate before videoconvert and videoscale
to avoid processing frames that would be dropped
+ Fix various new clippy 1.89 warnings
- Update to version 1.26.4:
+ aws: s3hlssink: Write to S3 on OutputStream flush
+ cea708mux: fix clipping function
+ dav1ddec: Use video decoder base class latency reporting API
+ elevenlabssynthesizer: fix running time checks
+ gopbuffer: Push GOPs in order of time on EOS
+ gtk4: Improve color-state fallbacks for unknown values
+ gtk4: Add YCbCr memory texture formats
+ gtk4: Promote set_caps debug log to info
+ hlssink3: Fix a comment typo
+ hlssink3: Use closed fragment location in playlist generation
+ livekit: add room-timeout
+ mccparse: Convert "U" to the correct byte representation
+ mp4mux: add TAI timestamp element and muxing
+ threadshare: add a ts-rtpdtmfsrc element
+ rtp: Update to rtcp-types 0.2
+ rtpsend: Don't configure a zero min RTCP interval for senders
+ rtpbin2: Fix handling of unknown PTs and don't warn about
incomplete RTP caps to allow for bundling
+ rtpbin2: Improve rtcp-mux support
+ rtpbin2: fix race condition on serialized Queries
+ rtpbin2: sync: fix race condition
+ rtprecv optimize src pad scheduling
+ rtprecv: fix SSRC collision event sent in wrong direction
+ skia: Add harfbuzz, freetype and fontconfig as dependencies in
the meson build
+ tttocea{6,7}08: Disallow pango markup from input caps
+ ts-intersrc: handle dynamic inter-ctx changes
+ threadshare: src elements: don't pause the task in downward
state transitions
+ webrtc: sink: avoid recursive locking of the session
+ webrtcsink: fix deadlock on error setting remote description
+ webrtcsink: add mitigation modes parameter and signal
+ webrtc: fix Safari addIceCandidate crash
+ webrtc-api: Set default bundle policy to max-bundle
+ WHIP client: emit shutdown after DELETE request
+ Fix various new clippy 1.88 warnings
+ Update dependencies
- Update to version 1.26.3:
+ Add new speech synthesis element around ElevenLabs API
+ cea708mux: fix another WouldOverflow case
+ cea708mux: support configuring a limit to how much data will be
pending.
+ cea708overlay: also reset the output size on flush stop
+ gcc: handle out of order packets
+ fmp4mux: Fix panic on late GOP
+ livekit: expose a connection state property
+ mp4mux: add taic box
+ mp4mux: test the trak structure
+ pcap_writer: Make target-property and pad-path properties
writable again
+ skia: Don't build skia plugin by default for now
+ threadshare: cleanups & usability improvements
+ threadshare: sync runtime with latest async-io
+ threadshare: fix kqueue reactor
+ threadshare: Update to getifaddrs 0.2
+ threadshare: add new thread-sharing inter elements
+ threadshare: add a ts-rtpdtmfsrc element
+ transcriberbin: fix naming of subtitle pads
+ tttocea708: don't panic if a new service would overflow
+ webrtc: android: Update Gradle and migrate to
FindGStreamerMobile
+ webrtc: add new examples for stream selection over data channel
+ webrtcsrc: the webrtcbin get-transceiver index is not
mlineindex
+ webrtcsrc: send CustomUpstream events over control channel ..
+ webrtcsink: Don't require encoder element for pre-encoded
streams
+ webrtcsink: Don't reject caps events if the codec_data changes
+ whip: server: pick session-id from the endpoint if specified
+ cargo: add config file to force
CARGO_NET_GIT_FETCH_WITH_CLI=true
+ Cargo.lock, deny: Update dependencies and log duplicated
targo-lexicon
+ Update windows-sys dependency from ">=0.52, <=0.59" to ">=0.52,
<=0.60"
+ deny: Add override for windows-sys 0.59
+ deny: Update lints
+ cargo_wrapper: Fix backslashes being parsed as escape codes on
Windows
+ Fixes for Clock: non-optional return types
+ Rename relationmeta plugin to analytics
Changes in gstreamer-plugins-libav:
- Update to version 1.26.7:
+ No changes, stable versionbump only.
Changes in gstreamer-plugins-good:
- Update to version 1.26.7:
+ matroskamux: Properly check if pads are EOS in find_best_pad
+ qtdemux:
- Bad performance with GoPro videos containing FDSC metadata
tracks
- Fix open/seek perf for GoPro files with SOS track
- Handle unsupported channel layout tags gracefully
- Set channel-mask to 0 for unknown layout tags
+ rtspsrc: Send RTSP keepalives in TCP/interleaved modes
+ v4l2:
- Add GstV4l2Error handling in gst_v4l2_get_capabilities
- Fix memory leak for DRM caps negotiation
+ v4l2transform: reconfigure v4l2object only if respective caps
changed
+ Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT
- Update to version 1.26.6:
+ adaptivedemux2: fix crash due to log
+ adaptivedemux2: Crash in logging when "Dropping EOS before next
period"
+ hlsdemux2: Fix parsing of byterange and init map directives
+ mpg123audiodec: Always break the decoding loop and relay
downstream flow errors upstream
+ v4l2: Add support for WVC1 and WMV3
+ Monorepo: dv plugin requires explicit enablement now for a
build using the Meson subproject fallback
- Update to version 1.26.5:
+ 4l2: fix memory leak for dynamic resolution change
+ videorate, imagefreeze: add support for JPEG XS
- Update to version 1.26.4:
+ adaptivedemux2: Fixed reverse playback
+ matroskademux: Send tags after seeking
+ qtdemux: Fix incorrect FourCC used when iterating over sbgp
atoms
+ qtdemux: Incorrect sibling type used in sbgp iteration loop
+ rtph265pay: add profile-id, tier-flag, and level-id to output
rtp caps
+ rtpjpeg: fix copying of quant data if it spans memory segments
+ soup: Disable range requests when talking to Python's
http.server
+ v4l2videodec: need replace acquired_caps on set_format success
+ Fix various valgrind/test errors when GST_DEBUG is enabled
+ More valgrind and test fixes
+ Various ASAN fixes
- Update to version 1.26.3:
+ aacparse: Fix counting audio channels in program_config_element
+ adaptivedemux2: free cancellable when freeing transfer task
+ dashdemux2: Fix seeking in a stream with gaps
+ decodebin wavparse cannot pull header
+ imagefreeze: fix not negotiate log when stop
+ osxvideosink: Use gst_pad_push_event() and post navigation
messages
+ qml6glsink: Allow configuring if the item will consume input
events
+ qtmux: Update chunk offsets when converting stco to co64 with
faststart
+ splitmuxsink: Only send closed message once per open fragment
+ rtph265depay: CRA_NUT can also start an (open) GOP
+ rtph265depay: fix codec_data generation
+ rtspsrc: Don't emit error during close if server is EOF
+ twcc: Fix reference timestamp wrapping (again)
+ v4l2: Fix possible internal pool leak
+ v4l2object: Add support for colorimetry bt2100-pq and 1:4:5:3
+ wavparse: Don't error out always when parsing acid chunks
Changes in gstreamer-plugins-base:
- Update to version 1.26.7:
+ discoverer: Mark gst_discoverer_stream_info_list_free() as
transfer full
+ riff: Add channel reorder maps for 3 and 7 channel audio
+ sdp: proper usage of gst_buffer_append
+ videorate: fix assert fail due to invalid buffer duration
+ Fix build error with glib < 2.68
- Update to version 1.26.6:
+ decodebin3: Update stream tags
+ rtpbasedepayload: Avoid potential use-after free
+ rtspconnection: Add get_url and get_ip return value annotation
+ gst_rtsp_connection_get_url return value transfer annotation
missing
+ videometa: Fix valgrind warning when deserializing video meta
+ videorate: don't hold the reference to the buffer in drop-only
mode
+ gst-device-monitor-1.0: Fix device-path regression on Windows
+ gst-device-monitor-1.0: Add quoting for powershell and cmd
+ Monorepo: opengl, vorbis, plugins require explicit enablement
now for a build using the Meson subproject fallback
- Update to version 1.26.5:
+ audioconvert: mix-matrix causes caps negotiation failure
+ decodebin3: Don't error on an incoming ONVIF metadata stream
+ gloverlay: Recompute geometry when caps change, and load
texture after stopping and starting again
+ uridecodebin3: Add missing locking and NULL checks when adding
URIs to messages
+ uridecodebin3: segfault in update_message_with_uri() if no
decoder available
+ videorate, imagefreeze: add support for JPEG XS
+ gst-device-monitor-1.0: Add shell quoting for launch lines
+ gst-device-monitor-1.0: Fix criticals, and also accept utf8 in
launch lines
+ gst-device-monitor-1.0: Use gst_print instead of g_print
- Update to version 1.26.4:
+ Revert "streamsynchronizer: Consider streams having received
stream-start as waiting"
+ alsa: free conf cache under valgrind
+ gst-device-monitor: Fix caps filter splitting
+ Fix various valgrind/test errors when GST_DEBUG is enabled
+ More valgrind and test fixes
+ Various ASAN fixes
- Update to version 1.26.3:
+ GstAudioAggregator: fix structure unref in peek_next_sample()
+ audioconvert: Fix setting mix-matrix when input caps changes
+ encodebasebin: Duplicate encoding profile in property setter
+ gl: simplify private
gst_gl_gst_meta_api_type_tags_contain_only()
+ osxvideosink: Use gst_pad_push_event() and post navigation
messages
+ playsink: Fix race condition in stream synchronizer pad cleanup
during state changes
+ python: Fix pulling events from appsink
+ streamsynchronizer: Consider streams having received
stream-start as waiting
+ urisourcebin: Text tracks are no longer set as sparse stream in
urisourcebin's multiqueue
Changes in gstreamer-plugins-bad:
- Update to version 1.26.7:
+ cuda: Fix runtime kernel compile with CUDA 13.0
+ d3d12convert: Fix crop meta support
+ d3d12deinterlace: Fix passthrough handling
+ gst: Fix a few small leaks
+ matroskamux: Properly check if pads are EOS in find_best_pad
+ tsdemux: Directly forward Opus AUs without opus_control_header
+ tsmux: Write a full Opus channel configuration if no matching
Vorbis one is found
+ unixfd: Fix case of buffer with big payload
+ vacompositor: Correct scale-method properties
+ webrtc: nice: Fix a use-after-free and a mem leak
+ Fix all compiler warnings on Fedora
+ Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT
- Update to version 1.26.6:
+ analytics: always add GstTensorMeta
+ cccombiner: Crash fixes
+ curlsmtpsink: adapt to date formatting issue
+ decklinkvideosrc: fix decklinkvideosrc becomes unrecoverable if
it fails to start streaming
+ decklinkvideosrc gets into unrecoverable state if device is
busy
+ dwrite: Fix D3D12 critical warning
+ hlsdemux: Fix parsing of byterange and init map directives
+ mpegtsmux: Caps event fails with stream type change error
+ vulkanh24xdec: couple of fixes
+ vulkanh26xdec: fix discont state handling
+ waylandsink: add some error handler for event dispatch
+ zbar: tests: Handle symbol-bytes as not null-terminated
+ Monorepo: avtp, codec2json, iqa, microdns, openjpeg, qroverlay,
soundtouch, tinyalsa plugins require explicit enablement now
for a build using the Meson subproject fallback
- Update to version 1.26.5:
+ av1parse: Don't error out on "currently" undefined seq-level
indices
+ av1parse: fails to parse AV1 bitstreams generated by FFmpeg
using the av1_nvenc hardware encoder
+ d3d12screencapturedevice: Avoid false device removal on monitor
reconfiguration
+ d3d12screencapturesrc: Fix OS handle leaks/random crash in WGC
mode
+ meson: d3d12: Add support for MinGW DirectXMath package
+ va: Re-negotiate after FLUSH
+ vaXXXenc: calculate latency with corrected framerate
+ vaXXXenc: fix potential race condition
+ vkphysicaldevice: enable sampler ycbcr conversion,
synchronization2 and timeline semaphore features
+ vulkan: ycbcr conversion extension got promoted in 1.1.0
+ wasapi2: Port to IMMDevice based device selection
- Fix really disabling faad when building without faad support.
- Do not build with faad in SLE16 where faad2 is not available.
- Update to version 1.26.4:
+ avtp: crf: Setup socket during state change to ensure we handle
failure
+ d3d12screencapture: Add support for monitor add/remove in
device provider
+ mpegtsmux: fix double free caused by shared PMT descriptor
+ openh264: Ensure src_pic is initialized before use
+ rtmp2src: various fixes to make it play back AWS medialive
streams
+ ssdobjectdetector: Use correct tensor data index for the scores
+ v4l2codecs: h265dec: Fix zero-copy of cropped window located at
position 0,0
+ vp9parse: Fix handling of spatial SVC decoding
+ vp9parse: Revert "Always default to super-frame"
+ vtenc: Fix negotiation failure with profile=main-422-10
+ vulkan: Fix drawing too many triangles in fullscreenquad
+ vulkanfullscreenquad: add locks for synchronisation
+ Fix various valgrind/test errors when GST_DEBUG is enabled
+ More valgrind and test fixes
+ Various ASAN fixes
- Provide and Obsolete gstreamer-1.20-plugin-openh264 too, not just
gstreamer-plugin-openh264.
- Update to version 1.26.3:
+ amc: Overhaul hw-accelerated video codecs detection
+ bayer2rgb: Fix RGB stride calculation
+ d3d12compositor: Fix critical warnings
+ dashsink: Fix failing test
+ decklink: calculate internal using values closer to the current
clock times
+ decklinkvideosink: show preroll frame correctly
+ decklink: clock synchronization after pause
+ h266parser: Fix overflow when parsing subpic_level_info
+ lcevcdec: Check for errors after receiving all enhanced and
base pictures
+ meson: fix building -bad tests with disabled soundtouch
+ mpegts: handle MPEG2-TS with KLV metadata safely by preventing
out of bounds
+ mpegtsmux: Corrections around Teletext handling
+ srtsink: Fix header buffer filtering
+ transcoder: Fix uritranscodebin reference handling
+ tsdemux: Allow access unit parsing failures
+ tsdemux: Send new-segment before GAP
+ vulkanupload: fix regression for uploading VulkanBuffer
+ vulkanupload: fix regression when uploading to single memory
multiplaned memory images
+ webrtcbin: disconnect signal ICE handlers on dispose
+ {d3d12,d3d11}compositor: Fix negative position handling
+ {nv,d3d12,d3d11}decoder: Use interlace info in input caps
- Build with noopenh264, move plugin to main package.
- Drop conditionals for fdk-aac, explicitly build it for all
targets.
- Move faad plugin to main package.
Changes in gstreamer-docs:
- Update to version 1.26.7:
+ No changes, stable bump only.
+ Update docs.
Changes in gstreamer-devtools:
- Update to version 1.26.7:
+ Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT
- Update to version 1.26.6:
+ validate: http-actions: Replace GUri with GstURI for GLib 2.64
compatibility
+ Fix memory leak and use of incorrect context
- Update to version 1.26.5:
+ No changes, stable bump only.
- Update vendored dependencies (boo#1248053, CVE-2025-55159).
- Update to version 1.26.4:
+ Update various Rust dependencies
- Update to version 1.26.3:
+ validate: More memory leaks
+ validate: Valgrind fixes
Changes in gstreamer:
- Update to version 1.26.7:
+ Highlighted bugfixes in 1.26.7:
- cea608overlay: improve handling of non-system memory
- cuda: Fix runtime kernel compile with CUDA 13.0
- d3d12: Fix crop meta support in converter and passthrough
handling in deinterlacer
- fallbacksrc: source handling improvements; no-more-pads
signal for streams-unaware parents
- inter: add properties to fine tune the inner elements
- qtdemux: surround sound channel layout handling fixes and
performance improvements for GoPro videos
- rtp: Add linear audio (L8, L16, L24) RTP payloaders /
depayloaders
- rtspsrc: Send RTSP keepalives in TCP/interleaved modes
- rtpamrpay2: frame quality indicator flag related fixes
- rtpbasepay2: reuse last PTS when possible, to work around
problems with NVIDIA Jetson AV1 encoder
- mpegtsmux, tsdemux: Opus audio handling fixes
- threadshare: latency related improvements and many other
fixes
- matroskamux, tsmux, flvmux, cea608mux: Best pad determination
fixes at EOS
- unixfd: support buffers with a big payload
- videorate unknown buffer duration assertion failure with
variable framerates
- editing services: Make GESTimeline respect
SELECT_ELEMENT_TRACK signal discard decision; memory leak
fixes
- gobject-introspection annotation fixes
- cerbero: Update meson to 1.9.0 to enable Xcode 26
compatibility
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ gstreamer:
- controller: Fix get_all() return type annotation
- gst-launch: Do not assume error messages have a src element
- multiqueue: Fix object reference handling in signal callbacks
- netclientclock: Fix memory leak in error paths
- Update to version 1.26.6:
+ Highlighted bugfixes in 1.26.6:
- analytics GstTensorMeta handling changes (see note below)
- closed caption combiner and transcriberbin stability fixes
- decklinkvideosrc: fix unrecoverable state after failing to
start streaming because device is busy
- decodebin3 tag handling improvements
- fallbacksrc: Fix sources only being restarted once, as well
as some deadlocks and race conditions on shutdown
- gtk4paintablesink: Try importing dmabufs withouth DMA_DRM
caps
- hlsdemux2: Fix parsing of byterange and init map directives
- rtpmp4gdepay2: allow only constantduration with neither
constantsize nor sizelength set
- spotifysrc: update to librespot 0.7 to make work after recent
Spotify changes
- threadshare: new blocking adapter element for use in front of
block elements such as sinks that sync to the clock
- threadshare: various other threadshare element fixes and
improvements
- v4l2: Add support for WVC1 and WMV3
- videorate: possible performance improvements when operating
in drop-only mode
- GstBaseParse fixes
- Vulkan video decoder fixes
- Fix gst-device-monitor-1.0 tool device-path regression on
Windows
- Monorepo development environment builds fewer plugins using
subprojects by default, those require explicit enablement now
- Python bindings: Handle buffer PTS, DTS, duration, offset,
and offset-end as unsigned long long (regression fix)
- Cerbero: Reduce recipe parallelism in various cases and dump
cerbero and recipe versions into datadir during packaging
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ Possibly breaking behavioural changes:
- Previously it was guaranteed that there is only ever up to
one GstTensorMeta per buffer. This is no longer true and code
working with GstTensorMeta must be able to handle multiple
GstTensorMeta now.
+ gstreamer:
- baseparse: Try harder to fixate caps based on upstream in
default negotiation
- gst-discoverer reports 1x1 dimensions for "valid" MP4 files
- baseparse: don't clear most sticky events after a FLUSH_STOP
event
- gstreamer: Disable miniobject inline functions for
gobject-introspection for non-subprojects too
- gstreamer: Make sure to zero-initialize the GValue before
G_VALUE_COLLECT_INIT
- ptp: Fix a new Rust 1.89 compiler warning on Windows
- ptp: Fix new compiler warning with Rust 1.89
- Segmentation fault when compiled with
"-ftrivial-auto-var-init=pattern". Use of unitialized GValue
- Update to version 1.26.5:
+ Highlighted bugfixes:
- audioconvert: Fix caps negotiation regression when using a
mix matrix
- cea608overlay, cea708overlay: Accept GPU memory buffers if
downstream supports the overlay composition meta
- d3d12screencapture source element and device provider fixes
- decodebin3: Don't error on an incoming ONVIF metadata stream
- uridecodebin3: Fix potential crash when adding URIs to
messages, e.g. if no decoder is available
- v4l2: Fix memory leak for dynamic resolution change
- VA encoder fixes
- videorate, imagefreeze: Add support for JPEG XS
- Vulkan integration fixes
- wasapi2 audio device monitor improvements
- threadshare: Many improvements and fixes to the generic
threadshare and RTP threadshare elements
- rtpbin2 improvements and fixes
- gst-device-monitor-1.0 command line tool improvements
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ gstreamer:
- aggregator: add sub_latency_min to pad queue size
- build: Disable C5287 warning on MSVC
- Update to version 1.26.4:
+ Highlighted bugfixes in 1.26.4:
- adaptivedemux2: Fixed reverse playback
- d3d12screencapture: Add support for monitor add/remove in
device provider
- rtmp2src: various fixes to make it play back AWS medialive
streams
- rtph265pay: add profile-id, tier-flag, and level-id to output
rtp caps
- vp9parse: Fix handling of spatial SVC decoding
- vtenc: Fix negotiation failure with profile=main-422-10
- gtk4paintablesink: Add YCbCr memory texture formats and other
improvements
- livekit: add room-timeout
- mp4mux: add TAI timestamp muxing support
- rtpbin2: fix various race conditions, plus other bug fixes
and performance improvements
- threadshare: add a ts-rtpdtmfsrc element, implement run-time
input switching in ts-intersrc
- webrtcsink: fix deadlock on error setting remote description
and other fixes.
- cerbero: WiX installer: fix missing props files in the MSI
packages
- smaller macOS/iOS package sizes
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ gstreamer:
- tracers: Fix deadlock in latency tracer
- Fix various valgrind/test errors when GST_DEBUG is enabled
- More valgrind and test fixes
- Various ASAN fixes
- Update to version 1.26.3:
+ Highlighted bugfixes in 1.26.3:
- Security fix for the H.266 video parser
- Fix regression for WAV files with acid chunks
- Fix high memory consumption caused by a text handling
regression in uridecodebin3 and playbin3
- Fix panic on late GOP in fragmented MP4 muxer
- Closed caption conversion, rendering and muxing improvements
- Decklink video sink preroll frame rendering and clock drift
handling fixes
- MPEG-TS demuxing and muxing fixes
- MP4 muxer fixes for creating very large files with faststart
support
- New thread-sharing 1:N inter source and sink elements, and a
ts-rtpdtmfsrc
- New speech synthesis element around ElevenLabs API
- RTP H.265 depayloader fixes and improvements, as well as TWCC
and GCC congestion control fixes
- Seeking improvements in DASH client for streams with gaps
- WebRTC sink and source fixes and enhancements, including to
LiveKit and WHIP signallers
- The macOS osxvideosink now posts navigation messages
- QtQML6GL video sink input event handling improvements
- Overhaul detection of hardware-accelerated video codecs on
Android
- Video4Linux capture source fixes and support for BT.2100 PQ
and 1:4:5:3 colorimetry
- Vulkan buffer upload and memory handling regression fixes
- gst-python: fix various regressions introduced in 1.26.2
- cerbero: fix text relocation issues on 32-bit Android and fix
broken VisualStudio VC templates
- packages: ship pbtypes plugin and update openssl to 3.5.0 LTS
- Various bug fixes, build fixes, memory leak fixes, and other
stability and reliability improvements
+ gstreamer:
- aggregator: Do not set event seqnum to INVALID
- baseparse: test: Fix race on test start
- pad: Only remove TAG events on STREAM_START if the stream-id
actually changes
- utils: Mark times array as static to avoid symbol conflict
with the POSIX function
- vecdeque: Use correct index type gst_vec_deque_drop_struct()
ModerateSUSE bug 1237097SUSE bug 1248053CVE-2025-55159 at SUSECVE-2025-55159 at NVDSecurity update for python-uv (Important)openSUSE Leap 16.0
This update for python-uv fixes the following issue:
- CVE-2025-13327: parsing differentials when processing specially crafted ZIP archives during package installation
can lead to arbitrary code execution (bsc#1258993).
ImportantSUSE bug 1258993CVE-2025-13327 at SUSECVE-2025-13327 at NVDSecurity update for ImageMagick (Important)openSUSE Leap 16.0
This update for ImageMagick fixes the following issues:
- CVE-2026-22770: improper pointer initialization can cause denial of service (bsc#1256969).
- CVE-2026-23874: manipulation of digital images can lead to stack overflow (bsc#1256976).
- CVE-2026-23876: ImageMagick: maliciously crafted image can lead to heap buffer overflow (bsc#1256962).
- CVE-2026-23952: processing comment tag can cause null pointer dereference (bsc#1257076).
- CVE-2026-24481: Possible Heap Information Disclosure in PSD ZIP Decompression (bsc#1258743).
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-24485: denial of service via malformed PCD file processing (bsc#1258791).
- CVE-2026-25576: Out of bounds read in multiple coders that read raw pixel data (bsc#1258748).
- CVE-2026-25637: Denial of Service via crafted image due to memory leak (bsc#1258759).
- CVE-2026-25638: Denial of Service due to memory leak in image processing (bsc#1258793).
- CVE-2026-25794: Heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when writing UHDR images with
large dimensions (bsc#1258749).
- CVE-2026-25795: Denial of Service due to NULL pointer dereference during temporary file creation failure
(bsc#1258792).
- CVE-2026-25796: Memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths
(bsc#1258757).
- CVE-2026-25797: Code injection in various encoders (bsc#1258770).
- CVE-2026-25798: NULL Pointer Dereference in ClonePixelCacheRepository via crafted image (bsc#1258787).
- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-25897: Out-of-bounds heap write via integer overflow in sun decoder (bsc#1258799).
- CVE-2026-25898: Information disclosure or denial of service via crafted image with invalid pixel index (bsc#1258807).
- CVE-2026-25965: Policy bypass through path traversal allows reading restricted content despite secured policy
(bsc#1258785).
- CVE-2026-25966: Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access
(bsc#1258780).
- CVE-2026-25967: Stack buffer overflow in FTXT reader via oversized integer field (bsc#1258779).
- CVE-2026-25968: MSL attribute stack buffer overflow leads to out of bounds write (bsc#1258776).
- CVE-2026-25969: Memory Leak in coders/ashlar.c (bsc#1258775).
- CVE-2026-25970: Memory corruption and denial of service via signed integer overflow in SIXEL decoder (bsc#1258802).
- CVE-2026-25971: MSL: Stack overflow in ProcessMSLScript (bsc#1258774).
- CVE-2026-25982: Heap Out-of-Bounds Read in DCM Decoder (bsc#1258772).
- CVE-2026-25983: Denial of service via crafted MSL script (bsc#1258805).
- CVE-2026-25985: Memory allocation with excessive without limits in the internal SVG decoder (bsc#1258812).
- CVE-2026-25986: Denial of Service via malicious YUV image processing (bsc#1258818).
- CVE-2026-25987: Memory disclosure and denial of service via crafted MAP files (bsc#1258821).
- CVE-2026-25988: Denial of Service due to memory leak in image processing (bsc#1258810).
- CVE-2026-25989: Integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG
decoder (bsc#1258771).
- CVE-2026-26066: Infinite loop when writing IPTCTEXT leads to denial of service via crafted profile (bsc#1258769).
- CVE-2026-26283: Possible infinite loop in JPEG encoder when using `jpeg: extent` (bsc#1258767).
- CVE-2026-26284: Heap overflow in pcd decoder leads to out of bounds read (bsc#1258765).
- CVE-2026-26983: Invalid MSL <map> can result in a use after free (bsc#1258763).
- CVE-2026-27798: Heap Buffer Over-read in WaveletDenoise when processing small images (bsc#1259018).
- CVE-2026-27799: ImageMagick has a heap Buffer Over-read in its DJVU image format handler (bsc#1259017).
ImportantSUSE bug 1256962SUSE bug 1256969SUSE bug 1256976SUSE bug 1257076SUSE bug 1258743SUSE bug 1258748SUSE bug 1258749SUSE bug 1258757SUSE bug 1258759SUSE bug 1258763SUSE bug 1258765SUSE bug 1258767SUSE bug 1258769SUSE bug 1258770SUSE bug 1258771SUSE bug 1258772SUSE bug 1258774SUSE bug 1258775SUSE bug 1258776SUSE bug 1258779SUSE bug 1258780SUSE bug 1258785SUSE bug 1258786SUSE bug 1258787SUSE bug 1258790SUSE bug 1258791SUSE bug 1258792SUSE bug 1258793SUSE bug 1258799SUSE bug 1258802SUSE bug 1258805SUSE bug 1258807SUSE bug 1258810SUSE bug 1258812SUSE bug 1258818SUSE bug 1258821SUSE bug 1259017SUSE bug 1259018CVE-2026-22770 at SUSECVE-2026-22770 at NVDCVE-2026-23874 at SUSECVE-2026-23874 at NVDCVE-2026-23876 at SUSECVE-2026-23876 at NVDCVE-2026-23952 at SUSECVE-2026-23952 at NVDCVE-2026-24481 at SUSECVE-2026-24481 at NVDCVE-2026-24484 at SUSECVE-2026-24484 at NVDCVE-2026-24485 at SUSECVE-2026-24485 at NVDCVE-2026-25576 at SUSECVE-2026-25576 at NVDCVE-2026-25637 at SUSECVE-2026-25637 at NVDCVE-2026-25638 at SUSECVE-2026-25638 at NVDCVE-2026-25794 at SUSECVE-2026-25794 at NVDCVE-2026-25795 at SUSECVE-2026-25795 at NVDCVE-2026-25796 at SUSECVE-2026-25796 at NVDCVE-2026-25797 at SUSECVE-2026-25797 at NVDCVE-2026-25798 at SUSECVE-2026-25798 at NVDCVE-2026-25799 at SUSECVE-2026-25799 at NVDCVE-2026-25897 at SUSECVE-2026-25897 at NVDCVE-2026-25898 at SUSECVE-2026-25898 at NVDCVE-2026-25965 at SUSECVE-2026-25965 at NVDCVE-2026-25966 at SUSECVE-2026-25966 at NVDCVE-2026-25967 at SUSECVE-2026-25967 at NVDCVE-2026-25968 at SUSECVE-2026-25968 at NVDCVE-2026-25969 at SUSECVE-2026-25969 at NVDCVE-2026-25970 at SUSECVE-2026-25970 at NVDCVE-2026-25971 at SUSECVE-2026-25971 at NVDCVE-2026-25982 at SUSECVE-2026-25982 at NVDCVE-2026-25983 at SUSECVE-2026-25983 at NVDCVE-2026-25985 at SUSECVE-2026-25985 at NVDCVE-2026-25986 at SUSECVE-2026-25986 at NVDCVE-2026-25987 at SUSECVE-2026-25987 at NVDCVE-2026-25988 at SUSECVE-2026-25988 at NVDCVE-2026-25989 at SUSECVE-2026-25989 at NVDCVE-2026-26066 at SUSECVE-2026-26066 at NVDCVE-2026-26283 at SUSECVE-2026-26283 at NVDCVE-2026-26284 at SUSECVE-2026-26284 at NVDCVE-2026-26983 at SUSECVE-2026-26983 at NVDCVE-2026-27798 at SUSECVE-2026-27798 at NVDCVE-2026-27799 at SUSECVE-2026-27799 at NVDSecurity update for freerdp (Important)openSUSE Leap 16.0
This update for freerdp fixes the following issues:
Update to version 3.22.0 (jsc#PED-15526):
+ Major bugfix release:
* Complete overhaul of SDL client
* Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language version specific [[nodiscard]] attributes
* Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors are producing warnings now
* Add some more stringify functions for logging
* We've received CVE reports, check
https://github.com/FreeRDP/FreeRDP/security/advisories for more details!
@Keryer reported an issue affecting client and proxy:
* CVE-2026-23948
@ehdgks0627 did some more fuzzying and found quite a number of client side bugs.
* CVE-2026-24682
* CVE-2026-24683
* CVE-2026-24676
* CVE-2026-24677
* CVE-2026-24678
* CVE-2026-24684
* CVE-2026-24679
* CVE-2026-24681
* CVE-2026-24675
* CVE-2026-24491
* CVE-2026-24680
- Changes from version 3.21.0
* [core,info] fix missing NULL check (#12157)
* [gateway,tsg] fix TSG_PACKET_RESPONSE parsing (#12161)
* Allow querying auth identity with kerberos when running as a server (#12162)
* Sspi krb heimdal (#12163)
* Tsg fix idleTimeout parsing (#12167)
* [channels,smartcard] revert 649f7de (#12166)
* [crypto] deprecate er and der modules (#12170)
* [channels,rdpei] lock full update, not only parts (#12175)
* [winpr,platform] add WINPR_ATTR_NODISCARD macro (#12178)
* Wlog cleanup (#12179)
* new stringify functions & touch API defines (#12180)
* Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos (#12171)
* [channels,video] measure times in ns (#12184)
* [utils] Nodiscard (#12187)
* Error handling fixes (#12186)
* [channels,drdynvc] check pointer before reset (#12189)
* Winpr api def (#12190)
* [winpr,platform] drop C23 [[nodiscard]] (#12192)
* [gdi] add additional checks for a valid rdpGdi (#12194)
* Sdl3 high dpiv2 (#12173)
* peer: Disconnect if Logon() returned FALSE (#12196)
* [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing (#12197)
* [channel,rdpsnd] only clean up thread before free (#12199)
* [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP (#12195)
- Update to version 3.21.0:
+ Bugfix release with a few new API functions addressing shortcomings with
regard to input data validation.
Thanks to @ehdgks0627 we have fixed the following additional (medium)
client side vulnerabilities:
* CVE-2026-23530
* CVE-2026-23531
* CVE-2026-23532
* CVE-2026-23533
* CVE-2026-23534
* CVE-2026-23732
* CVE-2026-23883
* CVE-2026-23884
- Changes from version 3.20.2
* [client,sdl] fix monitor resolution (#12142)
* [codec,progressive] fix progressive_rfx_upgrade_block (#12143)
* Krb cache fix (#12145)
* Rdpdr improved checks (#12141)
* Codec advanced length checks (#12146)
* Glyph fix length checks (#12151)
* Wlog printf format string checks (#12150)
* [warnings,format] fix format string warnings (#12152)
* Double free fixes (#12153)
* [clang-tidy] clean up code warnings (#12154)
- Update to version 3.20.2:
+ Patch release fixing a regression with gateway connections
introduced with 3.20.1
## What's Changed
* Warnings and missing enumeration types (#12137)
- Changes from version 3.20.1:
+ New years cleanup release. Fixes some issues reported and does
a cleaning sweep to bring down warnings.
Thanks to @ehdgks0627 doing some code review/testing we've
uncovered the following (medium) vulnerabilities:
* CVE-2026-22851
* CVE-2026-22852
* CVE-2026-22853
* CVE-2026-22854
* CVE-2026-22855
* CVE-2026-22856
* CVE-2026-22857
* CVE-2026-22858
* CVE-2026-22859
+ These affect FreeRDP based clients only, with the exception of
CVE-2026-22858 also affecting FreeRDP proxy. FreeRDP based
servers are not affected.
- Update to version 3.20.0:
* Mingw fixes (#12070)
* [crypto,certificate_data] add some hostname sanitation
* [client,common]: Fix loading of rdpsnd channel
* [client,sdl] set touch and pen hints
- Changes from version 3.19.1:
* [core,transport] improve SSL error logging
* [utils,helpers] fix freerdp_settings_get_legacy_config_path
* From stdin and sdl-creds improve
* [crypto,certificate] sanitize hostnames
* [channels,drdynvc] propagate error in dynamic channel
* [CMake] make Mbed-TLS and LibreSSL experimental
* Json fix
* rdpecam: send sample only if it's available
* [channels,rdpecam] allow MJPEG frame skip and direct passthrough
* [winpr,utils] explicit NULL checks in jansson WINPR_JSON_ParseWithLength
- Changes from version 3.19.0:
* [client,common] fix retry counter
* [cmake] fix aarch64 neon detection
* Fix response body existence check when using RDP Gateway
* fix line clipping issue
* Clip coord fix
* [core,input] Add debug log to keyboard state sync
* Update command line usage for gateway option
* [codec,ffmpeg] 8.0 dropped AV_PROFILE_AAC_MAIN
* [channels,audin] fix pulse memory leak
* [channels,drive] Small performance improvements in drive channel
* [winpr,utils] fix command line error logging
* [common,test] Adjust AVC and H264 expectations
* drdynvc: implement compressed packet
* [channels,rdpecam] improve log messages
* Fix remote credential guard channel loading
* Fix inverted ifdef
* [core,nego] disable all enabled modes except the one requested
* rdpear: handle basic NTLM commands and fix server-side
* [smartcardlogon] Fix off-by-one error in `smartcard_hw_enumerateCerts`
* rdpecam: fix camera sample grabbing
- Update to version 3.18.0:
+ Fix a regression reading passwords from stdin
+ Fix a timer regression (?s instead of ms)
+ Improved multitouch support
+ Fix a bug with PLANAR codec (used with /bpp:32 or sometimes with /gfx)
+ Better error handling for ARM transport (Entra)
+ Fix audio encoder lag (microphone/AAC) with FFMPEG
+ Support for janssen JSON library
- Update to version 3.17.2:
+ Minor improvements and bugfix release.
+ Most notably resource usage (file handles) has been greatly reduced and
static build pkg-config have been fixed.
For users of xfreerdp RAILS/RemoteApp mode the switch to DesktopSession
mode has been fixed (working UAC screen)
- Changes from version 3.17.1
+ Minor improvements and bugfix release.
* most notably a memory leak was addressed
* fixed header files missing C++ guards
* xfreerdp as well as the SDL clients now support a system wide configuration file
* Heimdal kerberos support was improved
* builds with [MS-RDPEAR] now properly abort at configure if Heimdal is used
(this configuration was never supported, so ensure nobody compiles it that way)
- Enable openh264 support, we can build against the noopenh264 stub
- Update to 3.17.0:
* [client,sdl2] fix build with webview (#11685)
* [core,nla] use wcslen for password length (#11687)
* Clear channel error prior to call channel init event proc (#11688)
* Warn args (#11689)
* [client,common] fix -mouse-motion (#11690)
* [core,proxy] fix IPv4 and IPv6 length (#11692)
* Regression fix2 (#11696)
* Log fixes (#11693)
* [common,settings] fix int casts (#11699)
* [core,connection] fix log level of several messages (#11697)
* [client,sdl] print current video driver (#11701)
* [crypto,tls] print big warning for /cert:ignore (#11704)
* [client,desktop] fix StartupWMClass setting (#11708)
* [cmake] unify version creation (#11711)
* [common,settings] force reallocation on caps copy (#11715)
* [manpages] Add example of keyboard remapping (#11718)
* Some fixes in Negotiate and NLA (#11722)
* [client,x11] fix clipboard issues (#11724)
* kerberos: do various tries for TGT retrieval in u2u (#11723)
* Cmdline escape strings (#11735)
* [winpr,utils] do not log command line arguments (#11736)
* [api,doc] Add stylesheed for doxygen (#11738)
* [core,proxy] fix BIO read methods (#11739)
* [client,common] fix sso_mib_get_access_token return value in error case (#11741)
* [crypto,tls] do not use context->settings->instance (#11749)
* winpr: re-introduce the credentials module (#11734)
* [winpr,timezone] ensure thread-safe initialization (#11754)
* core/redirection: Ensure stream has enough space for the certificate (#11762)
* [client,common] do not log success (#11766)
* Clean up bugs exposed on systems with high core counts (#11761)
* [cmake] add installWithRPATH (#11747)
* [clang-tidy] fix various warnings (#11769)
* Wlog improve type checks (#11774)
* [client,common] fix tenantid command line parsing (#11779)
* Proxy module static and shared linking support (#11768)
* LoadLibrary Null fix (#11786)
* [client,common] add freerdp_client_populate_settings_from_rdp_file_un… (#11780)
* Fullchain support (#11787)
* [client,x11] ignore floatbar events (#11771)
* [winpr,credentials] prefer utf-8 over utf-16-LE #11790
* [proxy,modules] ignore bitmap-filter skip remaining #11789
- Update to 3.16.0:
* Lots of improvements for the SDL3 client
* Various X11 client improvements
* Add a timer implementation
* Various AAD/Azure/Entra improvements
* YUV420 primitives fixes
- Update to 3.15.0:
* [client,sdl] fix crash on suppress output
* [channels,remdesk] fix possible memory leak
* [client,x11] map exit code success
* Hidef rail checks and deprecation fixe
* Standard rdp security network issues
* [core,rdp] fix check for SEC_FLAGSHI_VALID
* [core,caps] fix rdp_apply_order_capability_set
* [core,proxy] align no_proxy to curl
* [core,gateway] fix string reading for TSG
* [client,sdl] refactor display update
- Update to version 3.14.0:
+ Bugfix and cleanup release. Due to some new API functions the
minor version has been increased.
- Changes from version 3.13.0:
+ Friends of old hardware rejoice, serial port redirection got an
update (not kidding you)
+ Android builds have been updated to be usable again
+ Mingw builds now periodically do a shared and static build
+ Fixed some bugs and regressions along the way and improved test
coverage as well
- Changes from version 3.12.0:
+ Multimonitor backward compatibility fixes
+ Smartcard compatibility
+ Improve the [MS-RDPECAM] support
+ Improve smartcard redirection support
+ Refactor SSE optimizations: Split headers, unify load/store,
require SSE3 for all optimized functions
+ Refactors the CMake build to better support configuration based
builders
+ Fix a few regressions from last release (USB redirection and
graphical glitches)
- Changes from version 3.11.0:
+ A new release with bugfixes and code cleanups as well as a few
nifty little features
- CVE-2024-22211: In affected versions an integer overflow in
`freerdp_bitmap_planar_context_reset` leads to heap-buffer
overflow. (bsc#1219049)
- CVE-2024-32658: Fixedout-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP based clients (bsc#1223353)
- Multiple CVE fixes
+ CVE-2024-32659: Fixed out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`(bsc#1223346)
+ CVE-2024-32660: Fixed client crash via invalid huge allocation size (bsc#1223347)
+ CVE-2024-32661: Fixed client NULL pointer dereference (bsc#1223348)
- Multiple CVE fixes:
* bsc#1223293, CVE-2024-32039
* bsc#1223294, CVE-2024-32040
* bsc#1223295, CVE-2024-32041
* bsc#1223296, CVE-2024-32458
* bsc#1223297, CVE-2024-32459
* bsc#1223298, CVE-2024-32460
* Fix CVE-2023-40574 - bsc#1214869: Out-Of-Bounds Write in general_YUV444ToRGB_8u_P3AC4R_BGRX
* Fix CVE-2023-40575 - bsc#1214870: Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX
* Fix CVE-2023-40576 - bsc#1214871: Out-Of-Bounds Read in RleDecompress
ImportantSUSE bug 1214869SUSE bug 1214870SUSE bug 1214871SUSE bug 1219049SUSE bug 1223293SUSE bug 1223294SUSE bug 1223295SUSE bug 1223296SUSE bug 1223297SUSE bug 1223298SUSE bug 1223346SUSE bug 1223347SUSE bug 1223348SUSE bug 1223353SUSE bug 1243109SUSE bug 1256717SUSE bug 1256718SUSE bug 1256719SUSE bug 1256720SUSE bug 1256721SUSE bug 1256722SUSE bug 1256723SUSE bug 1256724SUSE bug 1256725SUSE bug 1256940SUSE bug 1256941SUSE bug 1256942SUSE bug 1256943SUSE bug 1256944SUSE bug 1256945SUSE bug 1256946SUSE bug 1256947CVE-2023-40574 at SUSECVE-2023-40574 at NVDCVE-2023-40575 at SUSECVE-2023-40575 at NVDCVE-2023-40576 at SUSECVE-2023-40576 at NVDCVE-2024-22211 at SUSECVE-2024-22211 at NVDCVE-2024-32039 at SUSECVE-2024-32039 at NVDCVE-2024-32040 at SUSECVE-2024-32040 at NVDCVE-2024-32041 at SUSECVE-2024-32041 at NVDCVE-2024-32458 at SUSECVE-2024-32458 at NVDCVE-2024-32459 at SUSECVE-2024-32459 at NVDCVE-2024-32460 at SUSECVE-2024-32460 at NVDCVE-2024-32658 at SUSECVE-2024-32658 at NVDCVE-2024-32659 at SUSECVE-2024-32659 at NVDCVE-2024-32660 at SUSECVE-2024-32660 at NVDCVE-2024-32661 at SUSECVE-2024-32661 at NVDCVE-2025-4478 at SUSECVE-2025-4478 at NVDCVE-2026-22851 at SUSECVE-2026-22851 at NVDCVE-2026-22852 at SUSECVE-2026-22852 at NVDCVE-2026-22853 at SUSECVE-2026-22853 at NVDCVE-2026-22854 at SUSECVE-2026-22854 at NVDCVE-2026-22855 at SUSECVE-2026-22855 at NVDCVE-2026-22856 at SUSECVE-2026-22856 at NVDCVE-2026-22857 at SUSECVE-2026-22857 at NVDCVE-2026-22858 at SUSECVE-2026-22858 at NVDCVE-2026-22859 at SUSECVE-2026-22859 at NVDCVE-2026-23530 at SUSECVE-2026-23530 at NVDCVE-2026-23531 at SUSECVE-2026-23531 at NVDCVE-2026-23532 at SUSECVE-2026-23532 at NVDCVE-2026-23533 at SUSECVE-2026-23533 at NVDCVE-2026-23534 at SUSECVE-2026-23534 at NVDCVE-2026-23732 at SUSECVE-2026-23732 at NVDCVE-2026-23883 at SUSECVE-2026-23883 at NVDCVE-2026-23884 at SUSECVE-2026-23884 at NVDCVE-2026-23948 at SUSECVE-2026-23948 at NVDCVE-2026-24491 at SUSECVE-2026-24491 at NVDCVE-2026-24675 at SUSECVE-2026-24675 at NVDCVE-2026-24676 at SUSECVE-2026-24676 at NVDCVE-2026-24677 at SUSECVE-2026-24677 at NVDCVE-2026-24678 at SUSECVE-2026-24678 at NVDCVE-2026-24679 at SUSECVE-2026-24679 at NVDCVE-2026-24680 at SUSECVE-2026-24680 at NVDCVE-2026-24681 at SUSECVE-2026-24681 at NVDCVE-2026-24682 at SUSECVE-2026-24682 at NVDCVE-2026-24683 at SUSECVE-2026-24683 at NVDCVE-2026-24684 at SUSECVE-2026-24684 at NVDSecurity update for cJSON (Important)openSUSE Leap 16.0
This update for cJSON fixes the following issues:
- Update to version 1.7.19
* Check for NULL in cJSON_DetachItemViaPointer.
* Check overlap before calling strcpy in cJSON_SetValuestring.
* Fix Max recursion depth for cJSON_Duplicate to prevent stack
exhaustion.
* Allocate memory for the temporary buffer when paring numbers.
This fixes CVE-2023-26819. (bsc#1241502)
* Fix the incorrect check in decode_array_index_from_pointer.
This fixes CVE-2025-57052. (bsc#1249112)
- Remove not longer needed patch for NULL to deallocated pointers.
ImportantSUSE bug 1241502SUSE bug 1249112CVE-2023-26819 at SUSECVE-2023-26819 at NVDCVE-2025-57052 at SUSECVE-2025-57052 at NVDSecurity update for kea (Important)openSUSE Leap 16.0
This update for kea fixes the following issues:
Update to release 3.0.1:
- CVE-2025-40779: Fixed crash upon interaction between specific client options and subnet selection (bsc#1248801).
ImportantSUSE bug 1248801CVE-2025-40779 at SUSECVE-2025-40779 at NVDSecurity update for go1.26 (Important)openSUSE Leap 16.0
This update for go1.26 fixes the following issues:
Changes in go1.26:
go1.26.1 (released 2026-03-05) includes security fixes to the
crypto/x509, html/template, net/url, and os packages, as well as
bug fixes to the go command, the go fix command, the compiler,
and the os and reflect packages. ( boo#1255111)
CVE-2026-25679 CVE-2026-27142 CVE-2026-27137 CVE-2026-27138 CVE-2026-27139
* go#77970 go#77578 boo#1259264 security: fix CVE-2026-25679 net/url: reject IPv6 literal not at start of host
* go#77972 go#77954 boo#1259265 security: fix CVE-2026-27142 html/template: URLs in meta content attribute actions are not escaped
* go#77973 go#77952 boo#1259266 security: fix CVE-2026-27137 crypto/x509: incorrect enforcement of email constraints
* go#77974 go#77953 boo#1259267 security: fix CVE-2026-27138 crypto/x509: panic in name constraint checking for malformed certificates
* go#77834 go#77827 boo#1259268 security: fix CVE-2026-27139 os: FileInfo can escape from a Root
* go#77252 cmd/compile: miscompile of global array initialization
* go#77407 os: Go 1.25.x regression on RemoveAll for windows
* go#77474 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config
* go#77529 cmd/fix, x/tools/go/analysis/passes/modernize: stringscut: OOB panic in indexArgValid analyzing "buf.Bytes()" call
* go#77532 net/smtp: expiry date of localhostCert for testing is too short
* go#77536 cmd/compile: internal compiler error: 'main.func1': not lowered: v15, Load STRUCT PTR SSA
* go#77618 strings: HasSuffix doesn't work correctly for multibyte runes in go 1.26
* go#77623 cmd/compile: internal compiler error on : "tried to free an already free register" with generic function and type >= 192 bytes
* go#77624 cmd/fix, x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when combining two strings.Builders
* go#77680 cmd/link: TestFlagW/-w_-linkmode=external fails on illumos
* go#77766 cmd/fix,x/tools/go/analysis/passes/modernize: rangeint uses target platform's type in the range expression, breaking other platforms
* go#77780 reflect: breaking change for reflect.Value.Interface behaviour
* go#77786 cmd/compile: rewriteFixedLoad does not properly sign extend AuxInt
* go#77803 cmd/fix,x/tools/go/analysis/passes/modernize: reflect.TypeOf(nil) transformed into reflect.TypeFor[untyped nil]()
* go#77804 cmd/fix,x/tools/go/analysis/passes/modernize: minmax breaks select statements
* go#77805 cmd/fix, x/tools/go/analysis/passes/modernize: waitgroup leads to a compilation error
* go#77807 cmd/fix,x/tools/go/analysis/passes/modernize: stringsbuilder ignores variables if they are used multiple times
* go#77849 cmd/fix,x/tools/go/analysis/passes/modernize: stringscut rewrite changes behavior
* go#77860 cmd/go: change go mod init default go directive back to 1.N
* go#77899 cmd/fix, x/tools/go/analysis/passes/modernize: bad rangeint rewriting
* go#77904 x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when GenDecl is a block declaration
go1.26.0 (released 2026-02-10) is a major release of Go.
go1.26.x minor releases will be provided through February 2027.
https://github.com/golang/go/wiki/Go-Release-Cycle
go1.26 arrives six months after Go 1.25. Most of its changes are
in the implementation of the toolchain, runtime, and
libraries. As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before. (boo#1255111)
* Language change: The built-in new function, which creates a new
variable, now allows its operand to be an expression,
specifying the initial value of the variable.
* Language change: The restriction that a generic type may not
refer to itself in its type parameter list has been lifted. It
is now possible to specify type constraints that refer to the
generic type being constrained.
* go command: The venerable go fix command has been completely
revamped and is now the home of Go’s modernizers. It provides a
dependable, push-button way to update Go code bases to the
latest idioms and core library APIs. The initial suite of
modernizers includes dozens of fixers to make use of modern
features of the Go language and library, as well a source-level
inliner that allows users to automate their own API migrations
using //go:fix inline directives. These fixers should not
change the behavior of your program, so if you encounter any
issues with a fix performed by go fix, please report it.
* go command: The rewritten go fix command builds atop the exact
same Go analysis framework as go vet. This means the same
analyzers that provide diagnostics in go vet can be used to
suggest and apply fixes in go fix. The go fix command’s
historical fixers, all of which were obsolete, have been
removed.
* go command: Two upcoming Go blog posts will go into more detail
on modernizers, the inliner, and how to get the most out of go
fix.
* go command: go mod init now defaults to a lower go version in
new go.mod files. Running go mod init using a toolchain of
version 1.N.X will create a go.mod file specifying the Go
version go 1.(N-1).0. Pre-release versions of 1.N will create
go.mod files specifying go 1.(N-2).0. For example, the Go 1.26
release candidates will create go.mod files with go 1.24.0, and
Go 1.26 and its minor releases will create go.mod files with go
1.25.0. This is intended to encourage the creation of modules
that are compatible with currently supported versions of
Go. For additional control over the go version in new modules,
go mod init can be followed up with go get go@version.
* go command: cmd/doc, and go tool doc have been deleted. go doc
can be used as a replacement for go tool doc: it takes the same
flags and arguments and has the same behavior.
* pprof: The pprof tool web UI, enabled with the -http flag, now
defaults to the flame graph view. The previous graph view is
available in the “View -> Graph” menu, or via /ui/graph.
* Runtime: The new Green Tea garbage collector, previously
available as an experiment in Go 1.25, is now enabled by
default after incorporating feedback. This garbage collector’s
design improves the performance of marking and scanning small
objects through better locality and CPU scalability. Benchmark
results vary, but we expect somewhere between a 10–40%
reduction in garbage collection overhead in real-world programs
that heavily use the garbage collector. Further improvements,
on the order of 10% in garbage collection overhead, are
expected when running on newer amd64-based CPU platforms (Intel
Ice Lake or AMD Zen 4 and newer), as the garbage collector now
leverages vector instructions for scanning small objects when
possible. The new garbage collector may be disabled by setting
GOEXPERIMENT=nogreenteagc at build time. This opt-out setting
is expected to be removed in Go 1.27. If you disable the new
garbage collector for any reason related to its performance or
behavior, please file an issue.
* Runtime: cgo: The baseline runtime overhead of cgo calls has
been reduced by ~30%.
* Runtime: Heap base address randomization: On 64-bit platforms,
the runtime now randomizes the heap base address at
startup. This is a security enhancement that makes it harder
for attackers to predict memory addresses and exploit
vulnerabilities when using cgo. This feature may be disabled by
setting GOEXPERIMENT=norandomizedheapbase64 at build time. This
opt-out setting is expected to be removed in a future Go
release.
* Runtime: Experimental goroutine leak profile: A new profile
type that reports leaked goroutines is now available as an
experiment. The new profile type, named goroutineleak in the
runtime/pprof package, may be enabled by setting
GOEXPERIMENT=goroutineleakprofile at build time. Enabling the
experiment also makes the profile available as a net/http/pprof
endpoint, /debug/pprof/goroutineleak. A leaked goroutine is a
goroutine blocked on some concurrency primitive (channels,
sync.Mutex, sync.Cond, etc) that cannot possibly become
unblocked. The runtime detects leaked goroutines using the
garbage collector: if a goroutine G is blocked on concurrency
primitive P, and P is unreachable from any runnable goroutine
or any goroutine that those could unblock, then P cannot be
unblocked, so goroutine G can never wake up. While it is
impossible to detect permanently blocked goroutines in all
cases, this approach detects a large class of such
leaks. Because this technique builds on reachability, the
runtime may fail to identify leaks caused by blocking on
concurrency primitives reachable through global variables or
the local variables of runnable goroutines. Special thanks to
Vlad Saioc at Uber for contributing this work. The underlying
theory is presented in detail in a publication by Saioc et
al. The implementation is production-ready, and is only
considered an experiment for the purposes of collecting
feedback on the API, specifically the choice to make it a new
profile. The feature is also designed to not incur any
additional run-time overhead unless it is actively in-use. We
encourage users to try out the new feature in the Go
playground, in tests, in continuous integration, and in
production. We welcome additional feedback on the proposal
issue. We aim to enable goroutine leak profiles by default in
Go 1.27.
* Compiler: The compiler can now allocate the backing store for
slices on the stack in more situations, which improves
performance. If this change is causing trouble, the bisect tool
can be used to find the allocation causing trouble using the
-compile=variablemake flag. All such new stack allocations can
also be turned off using -gcflags=all=-d=variablemakehash=n. If
you encounter issues with this optimization, please file an
issue.
* Linker: On 64-bit ARM-based Windows (the windows/arm64 port),
the linker now supports internal linking mode of cgo programs,
which can be requested with the -ldflags=-linkmode=internal
flag.
* Linker: There are several minor changes to executable
files. These changes do not affect running Go programs. They
may affect programs that analyze Go executables, and they may
affect people who use external linking mode with custom linker
scripts.
* Linker: The moduledata structure is now in its own section,
named .go.module.
* Linker: The moduledata cutab field, which is a slice, now has
the correct length; previously the length was four times too
large.
* Linker: The pcHeader found at the start of the .gopclntab
section no longer records the start of the text section. That
field is now always zero.
* Linker: That pcHeader change was made so that the .gopclntab
section no longer contains any relocations. On platforms that
support relro, the section has moved from the relro segment to
the rodata segment.
* Linker: The funcdata symbols and the findfunctab have moved
from the .rodata section to the .gopclntab section.
* Linker: The .gosymtab section has been removed. It was
previously always present but empty.
* Linker: When using internal linking, ELF sections now appear in
the section header list sorted by address. The previous order
was somewhat unpredictable.
* Linker: The references to section names here use the ELF names
as seen on Linux and other systems. The Mach-O names as seen on
Darwin start with a double underscore and do not contain any
dots.
* Bootstrap: As mentioned in the Go 1.24 release notes, Go 1.26
now requires Go 1.24.6 or later for bootstrap. We expect that
Go 1.28 will require a minor release of Go 1.26 or later for
bootstrap.
* Standard Library: New crypto/hpke package: The new crypto/hpke
package implements Hybrid Public Key Encryption (HPKE) as
specified in RFC 9180, including support for post-quantum
hybrid KEMs.
* Standard Library: New experimental simd/archsimd package: Go
1.26 introduces a new experimental simd/archsimd package, which
can be enabled by setting the environment variable
GOEXPERIMENT=simd at build time. This package provides access
to architecture-specific SIMD operations. It is currently
available on the amd64 architecture and supports 128-bit,
256-bit, and 512-bit vector types, such as Int8x16 and
Float64x8, with operations such as Int8x16.Add. The API is not
yet considered stable. We intend to provide support for other
architectures in future versions, but the API intentionally
architecture-specific and thus non-portable. In addition, we
plan to develop a high-level portable SIMD package in the
future.
* Standard Library: New experimental runtime/secret package: The
new runtime/secret package is available as an experiment, which
can be enabled by setting the environment variable
GOEXPERIMENT=runtimesecret at build time. It provides a
facility for securely erasing temporaries used in code that
manipulates secret information—typically cryptographic in
nature—such as registers, stack, new heap allocations. This
package is intended to make it easier to ensure forward
secrecy. It currently supports the amd64 and arm64
architectures on Linux.
* bytes: The new Buffer.Peek method returns the next n bytes from
the buffer without advancing it.
* crypto: The new Encapsulator and Decapsulator interfaces allow
accepting abstract KEM encapsulation or decapsulation keys.
* crypto/dsa: The random parameter to GenerateKey is now
ignored. Instead, it now always uses a secure source of
cryptographically random bytes. For deterministic testing, use
the new testing/cryptotest.SetGlobalRandom function. The new
GODEBUG setting cryptocustomrand=1 temporarily restores the old
behavior.
* crypto/ecdh: The random parameter to Curve.GenerateKey is now
ignored. Instead, it now always uses a secure source of
cryptographically random bytes. For deterministic testing, use
the new testing/cryptotest.SetGlobalRandom function. The new
GODEBUG setting cryptocustomrand=1 temporarily restores the old
behavior. The new KeyExchanger interface, implemented by
PrivateKey, makes it possible to accept abstract ECDH private
keys, e.g. those implemented in hardware.
* crypto/ecdsa: The big.Int fields of PublicKey and PrivateKey
are now deprecated. The random parameter to GenerateKey,
SignASN1, Sign, and PrivateKey.Sign is now ignored. Instead,
they now always use a secure source of cryptographically random
bytes. For deterministic testing, use the new
testing/cryptotest.SetGlobalRandom function. The new GODEBUG
setting cryptocustomrand=1 temporarily restores the old
behavior.
* crypto/ed25519: If the random parameter to GenerateKey is nil,
GenerateKey now always uses a secure source of
cryptographically random bytes, instead of crypto/rand.Reader
(which could have been overridden). The new GODEBUG setting
cryptocustomrand=1 temporarily restores the old behavior.
* crypto/fips140: The new WithoutEnforcement and Enforced
functions now allow running in GODEBUG=fips140=only mode while
selectively disabling the strict FIPS 140-3 checks. Version
returns the resolved FIPS 140-3 Go Cryptographic Module version
when building against a frozen module with GOFIPS140.
* crypto/mlkem: The new DecapsulationKey768.Encapsulator and
DecapsulationKey1024.Encapsulator methods implement the new
crypto.Decapsulator interface.
* crypto/mlkem/mlkemtest: The new crypto/mlkem/mlkemtest package
exposes the Encapsulate768 and Encapsulate1024 functions which
implement derandomized ML-KEM encapsulation, for use with
known-answer tests.
* crypto/rand: The random parameter to Prime is now
ignored. Instead, it now always uses a secure source of
cryptographically random bytes. For deterministic testing, use
the new testing/cryptotest.SetGlobalRandom function. The new
GODEBUG setting cryptocustomrand=1 temporarily restores the old
behavior.
* crypto/rsa: The new EncryptOAEPWithOptions function allows
specifying different hash functions for OAEP padding and MGF1
mask generation.
* crypto/rsa: The random parameter to GenerateKey,
GenerateMultiPrimeKey, and EncryptPKCS1v15 is now
ignored. Instead, they now always use a secure source of
cryptographically random bytes. For deterministic testing, use
the new testing/cryptotest.SetGlobalRandom function. The new
GODEBUG setting cryptocustomrand=1 temporarily restores the old
behavior.
* crypto/rsa: If PrivateKey fields are modified after calling
PrivateKey.Precompute, PrivateKey.Validate now fails.
* crypto/rsa: PrivateKey.D is now checked for consistency with
precomputed values, even if it is not used.
* crypto/rsa: Unsafe PKCS #1 v1.5 encryption padding (implemented
by EncryptPKCS1v15, DecryptPKCS1v15, and
DecryptPKCS1v15SessionKey) is now deprecated.
* crypto/subtle: The WithDataIndependentTiming function no longer
locks the calling goroutine to the OS thread while executing
the passed function. Additionally, any goroutines which are
spawned during the execution of the passed function and their
descendants now inherit the properties of
WithDataIndependentTiming for their lifetime. This change also
affects cgo in the following ways:
* crypto/subtle: Any C code called via cgo from within the
function passed to WithDataIndependentTiming, or from a
goroutine spawned by the function passed to
WithDataIndependentTiming and its descendants, will also have
data independent timing enabled for the duration of the
call. If the C code disables data independent timing, it will
be re-enabled on return to Go.
* crypto/subtle: If C code called via cgo, from the function
passed to WithDataIndependentTiming or elsewhere, enables or
disables data independent timing then calling into Go will
preserve that state for the duration of the call.
* crypto/tls: The hybrid SecP256r1MLKEM768 and SecP384r1MLKEM1024
post-quantum key exchanges are now enabled by default. They can
be disabled by setting Config.CurvePreferences or with the
tlssecpmlkem=0 GODEBUG setting.
* crypto/tls: The new ClientHelloInfo.HelloRetryRequest field
indicates if the ClientHello was sent in response to a
HelloRetryRequest message. The new
ConnectionState.HelloRetryRequest field indicates if the server
sent a HelloRetryRequest, or if the client received a
HelloRetryRequest, depending on connection role.
* crypto/tls: The QUICConn type used by QUIC implementations
includes a new event for reporting TLS handshake errors.
* crypto/tls: If Certificate.PrivateKey implements
crypto.MessageSigner, its SignMessage method is used instead of
Sign in TLS 1.2 and later.
* crypto/tls: The following GODEBUG settings introduced in Go
1.22 and Go 1.23 will be removed in the next major Go
release. Starting in Go 1.27, the new behavior will apply
regardless of GODEBUG setting or go.mod language version.
* crypto/tls: GODEBUG tlsunsafeekm:
ConnectionState.ExportKeyingMaterial will require TLS 1.3 or
Extended Master Secret.
* crypto/tls: GODEBUG tlsrsakex: legacy RSA-only key exchanges
without ECDH won’t be enabled by default.
* crypto/tls: GODEBUG tls10server: the default minimum TLS
version for both clients and servers will be TLS 1.2.
* crypto/tls: GODEBUG tls3des: the default cipher suites will not
include 3DES.
* crypto/tls: GODEBUG x509keypairleaf: X509KeyPair and
LoadX509KeyPair will always populate the Certificate.Leaf
field.
* crypto/x509: The ExtKeyUsage and KeyUsage types now have String
methods that return the corresponding OID names as defined in
RFC 5280 and other registries.
* crypto/x509: The ExtKeyUsage type now has an OID method that
returns the corresponding OID for the EKU.
* crypto/x509: The new OIDFromASN1OID function allows converting
an encoding/asn1.ObjectIdentifier into an OID.
* debug/elf: Additional R_LARCH_* constants from LoongArch ELF
psABI v20250521 (global version v2.40) are defined for use with
LoongArch systems.
* errors: The new AsType function is a generic version of As. It
is type-safe, faster, and, in most cases, easier to use.
* fmt: For unformatted strings, fmt.Errorf("x") now allocates
less and generally matches the allocations for errors.New("x").
* go/ast: The new ParseDirective function parses directive
comments, which are comments such as //go:generate. Source code
tools can support their own directive comments and this new API
should help them implement the conventional syntax.
* go/ast: The new BasicLit.ValueEnd field records the precise end
position of a literal so that the BasicLit.End method can now
always return the correct answer. (Previously it was computed
using a heuristic that was incorrect for multi-line raw string
literals in Windows source files, due to removal of carriage
returns.)
* go/ast: Programs that update the ValuePos field of BasicLits
produced by the parser may need to also update or clear the
ValueEnd field to avoid minor differences in formatted output.
* go/token: The new File.End convenience method returns the
file’s end position.
* go/types: The gotypesalias GODEBUG setting introduced in Go
1.22 will be removed in the next major Go release. Starting in
Go 1.27, the go/types package will always produce an Alias type
for the representation of type aliases regardless of GODEBUG
setting or go.mod language version.
* image/jpeg: The JPEG encoder and decoder have been replaced
with new, faster, more accurate implementations. Code that
expects specific bit-for-bit outputs from the encoder or
decoder may need to be updated.
* io: ReadAll now allocates less intermediate memory and returns
a minimally sized final slice. It is often about two times
faster while typically allocating around half as much total
memory, with more benefit for larger inputs.
* log/slog: The NewMultiHandler function creates a MultiHandler
that invokes all the given Handlers. Its Enabled method reports
whether any of the handlers’ Enabled methods return true. Its
Handle, WithAttrs and WithGroup methods call the corresponding
method on each of the enabled handlers.
* net: The new Dialer methods DialIP, DialTCP, DialUDP, and
DialUnix permit dialing specific network types with context
values.
* net/http: The new HTTP2Config.StrictMaxConcurrentRequests field
controls whether a new connection should be opened if an
existing HTTP/2 connection has exceeded its stream limit.
* net/http: The new Transport.NewClientConn method returns a
client connection to an HTTP server. Most users should continue
to use Transport.RoundTrip to make requests, which manages a
pool of connections. NewClientConn is useful for users who need
to implement their own connection management.
* net/http: Client now uses and sets cookies scoped to URLs with
the host portion matching Request.Host when
available. Previously, the connection address host was always
used.
* net/http/httptest: The HTTP client returned by Server.Client
will now redirect requests for example.com and any subdomains
to the server being tested.
* net/http/httputil: The ReverseProxy.Director configuration
field is deprecated in favor of ReverseProxy.Rewrite.
* net/http/httputil: A malicious client can remove headers added
by a Director function by designating those headers as
hop-by-hop. Since there is no way to address this problem
within the scope of the Director API, we added a new Rewrite
hook in Go 1.20. Rewrite hooks are provided with both the
unmodified inbound request received by the proxy and the
outbound request which will be sent by the proxy. Since the
Director hook is fundamentally unsafe, we are now deprecating
it.
* net/netip: The new Prefix.Compare method compares two prefixes.
* net/url: Parse now rejects malformed URLs containing colons in
the host subcomponent, such as http://::1/ or
http://localhost:80:80/. URLs containing bracketed IPv6
addresses, such as http://[::1]/ are still accepted. The new
GODEBUG setting urlstrictcolons=0 restores the old behavior.
* os: The new Process.WithHandle method provides access to an
internal process handle on supported platforms (pidfd on Linux
5.4 or later, Handle on Windows).
* os: On Windows, the OpenFile flag parameter can now contain any
combination of Windows-specific file flags, such as
FILE_FLAG_OVERLAPPED and FILE_FLAG_SEQUENTIAL_SCAN, for control
of file or device caching behavior, access modes, and other
special-purpose flags.
* os/signal: NotifyContext now cancels the returned context with
context.CancelCauseFunc and an error indicating which signal
was received.
* reflect: The new methods Type.Fields, Type.Methods, Type.Ins
and Type.Outs return iterators for a type’s fields (for a
struct type), methods, inputs and outputs parameters (for a
function type), respectively. Similarly, the new methods
Value.Fields and Value.Methods return iterators over a value’s
fields or methods, respectively. Each iteration yields the type
information (StructField or Method) of a field or method, along
with the field or method Value.
* runtime/metrics: Several new scheduler metrics have been added,
including counts of goroutines in various states (waiting,
runnable, etc.) under the /sched/goroutines prefix, the number
of OS threads the runtime is aware of with
/sched/threads:threads, and the total number of goroutines
created by the program with
/sched/goroutines-created:goroutines.
* testing: The new methods T.ArtifactDir, B.ArtifactDir, and
F.ArtifactDir return a directory in which to write test output
files (artifacts).
* testing: When the -artifacts flag is provided to go test, this
directory will be located under the output directory (specified
with -outputdir, or the current directory by
default). Otherwise, artifacts are stored in a temporary
directory which is removed after the test completes.
* testing: The first call to ArtifactDir when -artifacts is
provided writes the location of the directory to the test log.
* testing: The B.Loop method no longer prevents inlining in the
loop body, which could lead to unanticipated allocation and
slower benchmarks. With this fix, we expect that all benchmarks
can be converted from the old B.N style to the new B.Loop style
with no ill effects. Within the body of a for b.Loop() { ... }
loop, function call parameters, results, and assigned variables
are still kept alive, preventing the compiler from optimizing
away entire parts of the benchmark.
* testing/cryptotest: The new SetGlobalRandom function configures
a global, deterministic cryptographic randomness source for the
duration of the test. It affects crypto/rand, and all implicit
sources of cryptographic randomness in the crypto/... packages.
* time: The asynctimerchan GODEBUG setting introduced in Go 1.23
will be removed in the next major Go release. Starting in Go
1.27, the time package will always use unbuffered (synchronous)
channels for timers regardless of GODEBUG setting or go.mod
language version.
* Ports: Darwin: Go 1.26 is the last release that will run on
macOS 12 Monterey. Go 1.27 will require macOS 13 Ventura or
later.
* Ports: FreeBSD: The freebsd/riscv64 port (GOOS=freebsd
GOARCH=riscv64) has been marked broken. See issue 76475 for
details.
* Ports: Windows: As announced in the Go 1.25 release notes, the
broken 32-bit windows/arm port (GOOS=windows GOARCH=arm) has
been removed.
* Ports: PowerPC: Go 1.26 is the last release that supports the
ELFv1 ABI on the big-endian 64-bit PowerPC port on Linux
(GOOS=linux GOARCH=ppc64). It will switch to the ELFv2 ABI in
Go 1.27. As the port does not currently support linking against
other ELF objects, we expect this change to be transparent to
users.
* Ports: RISC-V: The linux/riscv64 port now supports the race
detector.
* Ports: S390X: The s390x port now supports passing function
arguments and results using registers.
* Ports: WebAssembly: The compiler now unconditionally makes use
of the sign extension and non-trapping floating-point to
integer conversion instructions. These features have been
standardized since at least Wasm 2.0. The corresponding GOWASM
settings, signext and satconv, are now ignored.
* Ports: WebAssembly: For WebAssembly applications, the runtime
now manages chunks of heap memory in much smaller increments,
leading to significantly reduced memory usage for applications
with heaps less than around 16 MiB in size.
ImportantSUSE bug 1255111SUSE bug 1259264SUSE bug 1259265SUSE bug 1259266SUSE bug 1259267SUSE bug 1259268CVE-2026-25679 at SUSECVE-2026-25679 at NVDCVE-2026-27137 at SUSECVE-2026-27137 at NVDCVE-2026-27138 at SUSECVE-2026-27138 at NVDCVE-2026-27139 at SUSECVE-2026-27139 at NVDCVE-2026-27142 at SUSECVE-2026-27142 at NVDSecurity update for tomcat (Important)openSUSE Leap 16.0
This update for tomcat fixes the following issues:
Update to Tomcat 9.0.115:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
* Catalina
+ Fix: 69623: Additional fix for the long standing regression that meant
that calls to ClassLoader.getResource().getContent() failed when made from
within a web application with resource caching enabled if the target
resource was packaged in a JAR file. (markt)
+ Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the
CsrfPreventionFilter. (schultz)
+ Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2
requests when the content-length header is not set. (dsoumis)
+ Update: Update the minimum and recommended versions for Tomcat Native to
1.3.4. (markt)
+ Add: Add a new ssoReauthenticationMode to the Tomcat provided
Authenticators that provides a per Authenticator override of the SSO Valve
requireReauthentication attribute. (markt)
+ Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception
rather than silently using a replacement character. (markt)
+ Fix: 69871: Increase log level to INFO for missing configuration for the
rewrite valve. (remm)
+ Fix: Add log warnings for additional Host appBase suspicious values.
(remm)
+ Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar.
org.apache.catalina.Connector no longer requires
org.apache.tomcat.jni.AprStatus to be present. (markt)
+ Add: Add the ability to use a custom function to generate the client
identifier in the CrawlerSessionManagerValve. This is only available
programmatically. Pull request #902 by Brian Matzon. (markt)
+ Fix: Change the SSO reauthentication behaviour for SPNEGO authentication
so that a normal SPNEGO authentication is performed if the SSL Valve is
configured with reauthentication enabled. This is so that the delegated
credentials will be available to the web application. (markt)
+ Fix: When generating the class path in the Loader, re-order the check on
individual class path components to avoid a potential
NullPointerException. Identified by Coverity Scan. (markt)
+ Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull
request #915 by Joshua Rogers. (remm)
+ Update: Add an attribute, digestInRfc3112Order, to
MessageDigestCredentialHandler to control the order in which the
credential and salt are digested. By default, the current, non-RFC 3112
compliant, order of salt then credential will be used. This default will
change in Tomcat 12 to the RFC 3112 compliant order of credential then
salt. (markt)
* Cluster
+ Add: 62814: Document that human-readable names maybe used for
mapSendOptions and align documentation with channelSendOptions. Based on
pull request #929 by archan0621. (markt)
* Clustering
+ Fix: Correct a regression introduced in 9.0.109 that broke some clustering
configurations. (markt)
* Coyote
+ Fix: Prevent concurrent release of OpenSSLEngine resources and the
termination of the Tomcat Native library as it can cause crashes during
Tomcat shutdown. (markt)
+ Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm)
+ Fix: Improve warnings when setting ciphers lists in the FFM code,
mirroring the tomcat-native changes. (remm)
+ Fix: 69910: Dereference TLS objects right after closing a socket to
improve memory efficiency. (remm)
+ Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig
to reflect the existing implementation that allows one configuration style
to be used for the trust attributes and a different style for all the
other attributes. (markt)
+ Fix: Better warning message when OpenSSLConf configuration elements are
used with a JSSE TLS implementation. (markt)
+ Fix: When using OpenSSL via FFM, don't log a warning about missing CA
certificates unless CA certificates were configured and the configuration
failed. (markt)
+ Add: For configuration consistency between OpenSSL and JSSE TLS
implementations, TLSv1.3 cipher suites included in the ciphers attribute
of an SSLHostConfig are now always ignored (previously they would be
ignored with OpenSSL implementations and used with JSSE implementations)
and a warning is logged that the cipher suite has been ignored. (markt)
+ Add: Add the ciphersuite attribute to SSLHostConfig to configure the
TLSv1.3 cipher suites. (markt)
+ Add: Add OCSP support to JSSE based TLS connectors and make the use of
OCSP configurable per connector for both JSSE and OpenSSL based TLS
implementations. Align the checks performed by OpenSSL with those
performed by JSSE. (markt)
+ Add: Add support for soft failure of OCSP checks with soft failure support
disabled by default. (markt)
+ Add: Add support for configuring the verification flags passed to
OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt)
+ Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
+ Fix: Don't log an incorrect certificate KeyStore location when creating a
TLS connector if the KeyStore instance has been set directly on the
connector. (markt)
+ Fix: HTTP/0.9 only allows GET as the HTTP method. (remm)
+ Add: Add strictSni attribute on the Connector to allow matching the
SSLHostConfig configuration associated with the SNI host name to the
SSLHostConfig configuration matched from the HTTP protocol host name. Non
matching configurations will cause the request to be rejected. The
attribute default value is true, enabling the matching. (remm)
+ Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
+ Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL
provider. Pull request #912 by aogburn. (markt)
+ Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers.
* Jasper
+ Fix: 69333: Correct a regression in the previous fix for 69333 and ensure
that reuse() or release() is always called for a tag. (markt)
+ Fix: 69877: Catch IllegalArgumentException when processing URIs when
creating the classpath to handle invalid URIs. (remm)
+ Fix: Fix populating the classpath with the webapp classloader
repositories. (remm)
+ Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some
exception details. Patch submitted by Eric Blanquer. (remm)
* Jdbc-pool
+ Fix: 64083: If the underlying connection has been closed, don't add it to
the pool when it is returned. Pull request #235 by Alex Panchenko. (markt)
* Web applications
+ Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server
status output if one or more of the web applications failed to start.
(schultz)
+ Add: Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
+ Add: Documentation: Expand the documentation to better explain when OCSP
is supported and when it is not. (markt)
* Websocket
+ Fix: 69920: When attempting to write to a closed Writer or OutputStream
obtained from a WebSocket session, throw an IOException rather than an
IllegalStateExcpetion as required by Writer and strongly suggested by
OutputStream. (markt)
* Other
+ Add: Add property "gpg.sign.files" to optionally disable release artefact
signing with GPG. (rjung)
+ Add: Add test.silent property to suppress JUnit console output during test
execution. Useful for cleaner console output when running tests with
multiple threads. (csutherl)
+ Update: Update the internal fork of Commons Pool to 2.13.1. (markt)
+ Update: Update the internal fork of Commons DBCP to 2.14.0. (markt)
+ Update: Update Commons Daemon to 1.5.1. (markt)
+ Update: Update ByteBuddy to 1.18.3. (markt)
+ Update: Update UnboundID to 7.0.4. (markt)
+ Update: Update Checkstyle to 12.3.1. (markt)
+ Add: Improvements to French translations. (markt)
+ Add: Improvements to Japanese translations provided by tak7iji. (markt)
+ Add: Improvements to Chinese translations provided by Yang. vincent.h and
yong hu. (markt)
+ Update: Update Tomcat Native to 1.3.5. (markt)
+ Add: Add test profile system for selective test execution. Profiles can be
specified via -Dtest.profile=<name> to run specific test subsets without
using patterns directly. Profile patterns are defined in
test-profiles.properties. (csutherl)
+ Update: Update file extension to media type mappings to align with the
current list used by the Apache Web Server (httpd). (markt)
+ Update: Update Commons Daemon to 1.5.0. (markt)
+ Update: Update Byte Buddy to 1.18.2. (markt)
+ Update: Update Checkstyle to 12.2.0. (markt)
+ Add: Improvements to Spanish translations provided by White Vogel. (markt)
+ Add: Improvements to French translations. (remm)
+ Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt)
+ Update: Update to Byte Buddy 1.17.8. (markt)
+ Update: Update to Checkstyle 12.1.1. (markt)
+ Update: Update to Jacoco 0.8.14. (markt)
+ Update: Update to SpotBugs 4.9.8. (markt)
+ Update: Update to JSign 7.4. (markt)
+ Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung)
ImportantSUSE bug 1253460SUSE bug 1258371SUSE bug 1258385SUSE bug 1258387CVE-2025-66614 at SUSECVE-2025-66614 at NVDCVE-2026-24733 at SUSECVE-2026-24733 at NVDCVE-2026-24734 at SUSECVE-2026-24734 at NVDSecurity update for amazon-ssm-agent (Important)openSUSE Leap 16.0
This update for amazon-ssm-agent fixes the following issues:
- CVE-2025-47913: client process termination when receiving an unexpected message type in response to a key listing or
signing request (bsc#1253611).
ImportantSUSE bug 1253611CVE-2025-47913 at SUSECVE-2025-47913 at NVDSecurity update for libsoup2 (Important)openSUSE Leap 16.0
This update for libsoup2 fixes the following issues:
- CVE-2025-4476: null pointer dereference may lead to denial of service (bsc#1243422).
- CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (bsc#1254876).
- CVE-2025-32049: Denial of Service attack to websocket server (bsc#1240751).
- CVE-2026-0716: improper bounds handling may allow out-of-bounds read (bsc#1256418).
- CVE-2026-0719: stack-based buffer overflow in NTLM authentication can lead to arbitrary code execution (bsc#1256399).
- CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
- CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects
(bsc#1257441).
- CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request
smuggling and potential DoS (bsc#1257597).
- CVE-2026-2369: Buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information
disclosure to remote attackers (bsc#1258170).
- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).
ImportantSUSE bug 1240751SUSE bug 1243422SUSE bug 1254876SUSE bug 1256399SUSE bug 1256418SUSE bug 1257398SUSE bug 1257441SUSE bug 1257597SUSE bug 1258120SUSE bug 1258170SUSE bug 1258508CVE-2025-14523 at SUSECVE-2025-14523 at NVDCVE-2025-32049 at SUSECVE-2025-32049 at NVDCVE-2025-4476 at SUSECVE-2025-4476 at NVDCVE-2026-0716 at SUSECVE-2026-0716 at NVDCVE-2026-0719 at SUSECVE-2026-0719 at NVDCVE-2026-1467 at SUSECVE-2026-1467 at NVDCVE-2026-1539 at SUSECVE-2026-1539 at NVDCVE-2026-1760 at SUSECVE-2026-1760 at NVDCVE-2026-2369 at SUSECVE-2026-2369 at NVDCVE-2026-2443 at SUSECVE-2026-2443 at NVDCVE-2026-2708 at SUSECVE-2026-2708 at NVDSecurity update for qemu (Moderate)openSUSE Leap 16.0
This update for qemu fixes the following issues:
- Update to version 10.0.8
- CVE-2025-14876: Fixed unbounded allocation in virtio-crypto. (bsc#1255400)
- CVE-2026-0665: Fixed PIRQ bounds check in xen_physdev_map_pirq. (bsc#1256484)
ModerateSUSE bug 1255400SUSE bug 1256484SUSE bug 1257474SUSE bug 1257492CVE-2025-14876 at SUSECVE-2025-14876 at NVDCVE-2026-0665 at SUSECVE-2026-0665 at NVDSecurity update for rust-keylime (Important)openSUSE Leap 16.0
This update for rust-keylime fixes the following issues:
- Update to version 0.2.8+116:
- CVE-2026-25727: Update vendored crates to fix a date parser can lead to stack exhaustion in Time. (bsc#1257908)
ImportantSUSE bug 1247193SUSE bug 1248006SUSE bug 1257908CVE-2025-55159 at SUSECVE-2025-55159 at NVDCVE-2025-58266 at SUSECVE-2025-58266 at NVDCVE-2026-25727 at SUSECVE-2026-25727 at NVDSecurity update for MozillaFirefox (Important)openSUSE Leap 16.0
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 140.8.0 ESR (bsc#1258568)
- CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component
- CVE-2026-2758: Use-after-free in the JavaScript: GC component
- CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component
- CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component
- CVE-2026-2761: Sandbox escape in the Graphics: WebRender component
- CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component
- CVE-2026-2763: Use-after-free in the JavaScript Engine component
- CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2765: Use-after-free in the JavaScript Engine component
- CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
- CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component
- CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
- CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
- CVE-2026-2771: Undefined behavior in the DOM: Core HTML component
- CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
- CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
- CVE-2026-2774: Integer overflow in the Audio/Video component
- CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component
- CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software
- CVE-2026-2777: Privilege escalation in the Messaging System component
- CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core HTML component
- CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component
- CVE-2026-2780: Privilege escalation in the Netmonitor component
- CVE-2026-2781: Integer overflow in the Libraries component in NSS
- CVE-2026-2782: Privilege escalation in the Netmonitor component
- CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-2784: Mitigation bypass in the DOM: Security component
- CVE-2026-2785: Invalid pointer in the JavaScript Engine component
- CVE-2026-2786: Use-after-free in the JavaScript Engine component
- CVE-2026-2787: Use-after-free in the DOM: Window and Location component
- CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component
- CVE-2026-2789: Use-after-free in the Graphics: ImageLib component
- CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component
- CVE-2026-2791: Mitigation bypass in the Networking: Cache component
- CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
- CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
ImportantSUSE bug 1258568CVE-2026-2757 at SUSECVE-2026-2757 at NVDCVE-2026-2758 at SUSECVE-2026-2758 at NVDCVE-2026-2759 at SUSECVE-2026-2759 at NVDCVE-2026-2760 at SUSECVE-2026-2760 at NVDCVE-2026-2761 at SUSECVE-2026-2761 at NVDCVE-2026-2762 at SUSECVE-2026-2762 at NVDCVE-2026-2763 at SUSECVE-2026-2763 at NVDCVE-2026-2764 at SUSECVE-2026-2764 at NVDCVE-2026-2765 at SUSECVE-2026-2765 at NVDCVE-2026-2766 at SUSECVE-2026-2766 at NVDCVE-2026-2767 at SUSECVE-2026-2767 at NVDCVE-2026-2768 at SUSECVE-2026-2768 at NVDCVE-2026-2769 at SUSECVE-2026-2769 at NVDCVE-2026-2770 at SUSECVE-2026-2770 at NVDCVE-2026-2771 at SUSECVE-2026-2771 at NVDCVE-2026-2772 at SUSECVE-2026-2772 at NVDCVE-2026-2773 at SUSECVE-2026-2773 at NVDCVE-2026-2774 at SUSECVE-2026-2774 at NVDCVE-2026-2775 at SUSECVE-2026-2775 at NVDCVE-2026-2776 at SUSECVE-2026-2776 at NVDCVE-2026-2777 at SUSECVE-2026-2777 at NVDCVE-2026-2778 at SUSECVE-2026-2778 at NVDCVE-2026-2779 at SUSECVE-2026-2779 at NVDCVE-2026-2780 at SUSECVE-2026-2780 at NVDCVE-2026-2781 at SUSECVE-2026-2781 at NVDCVE-2026-2782 at SUSECVE-2026-2782 at NVDCVE-2026-2783 at SUSECVE-2026-2783 at NVDCVE-2026-2784 at SUSECVE-2026-2784 at NVDCVE-2026-2785 at SUSECVE-2026-2785 at NVDCVE-2026-2786 at SUSECVE-2026-2786 at NVDCVE-2026-2787 at SUSECVE-2026-2787 at NVDCVE-2026-2788 at SUSECVE-2026-2788 at NVDCVE-2026-2789 at SUSECVE-2026-2789 at NVDCVE-2026-2790 at SUSECVE-2026-2790 at NVDCVE-2026-2791 at SUSECVE-2026-2791 at NVDCVE-2026-2792 at SUSECVE-2026-2792 at NVDCVE-2026-2793 at SUSECVE-2026-2793 at NVDSecurity update for docker-stable (Important)openSUSE Leap 16.0
This update for docker-stable fixes the following issues:
- CVE-2025-58181: Fixed unbounded memory consumption. (bsc#1253904)
- CVE-2025-30204: Fixed a bug in jwt-go which allows excessive memory allocation during header parsing. (bsc#1240513)
ImportantSUSE bug 1240513SUSE bug 1253904SUSE bug 1254206CVE-2025-30204 at SUSECVE-2025-30204 at NVDCVE-2025-58181 at SUSECVE-2025-58181 at NVDSecurity update for MozillaFirefox (Important)openSUSE Leap 16.0
This update for MozillaFirefox fixes the following issues:
Changes in MozillaFirefox:
Firefox Extended Support Release 140.5.0 ESR:
* Fixed: Various security fixes (MFSA 2025-88 bsc#1253188):
* CVE-2025-13012
Race condition in the Graphics component
* CVE-2025-13016
Incorrect boundary conditions in the JavaScript: WebAssembly
component
* CVE-2025-13017
Same-origin policy bypass in the DOM: Notifications component
* CVE-2025-13018
Mitigation bypass in the DOM: Security component
* CVE-2025-13019
Same-origin policy bypass in the DOM: Workers component
* CVE-2025-13013
Mitigation bypass in the DOM: Core & HTML component
* CVE-2025-13020
Use-after-free in the WebRTC: Audio/Video component
* CVE-2025-13014
Use-after-free in the Audio/Video component
* CVE-2025-13015
Spoofing issue in Firefox
- Firefox Extended Support Release 140.4.0 ESR
* Fixed: Various security fixes.
MFSA 2025-83 (bsc#1251263)
* CVE-2025-11708
Use-after-free in MediaTrackGraphImpl::GetInstance()
* CVE-2025-11709
Out of bounds read/write in a privileged process triggered by
WebGL textures
* CVE-2025-11710
Cross-process information leaked due to malicious IPC
messages
* CVE-2025-11711
Some non-writable Object properties could be modified
* CVE-2025-11712
An OBJECT tag type attribute overrode browser behavior on web
resources without a content-type
* CVE-2025-11713
Potential user-assisted code execution in “Copy as cURL”
command
* CVE-2025-11714
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
* CVE-2025-11715
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
ESR 140.4, Firefox 144 and Thunderbird 144
- Firefox Extended Support Release 140.3.1 ESR (bsc#1250452)
* Fixed: Improved reliability when HTTP/3 connections fail:
Firefox no longer forces HTTP/2 during fallback, allowing the
server to choose the protocol and preventing stalls on some
sites.
Firefox Extended Support Release 140.3.0 ESR
* Fixed: Various security fixes (MFSA 2025-75 bsc#1249391)
* CVE-2025-10527
Sandbox escape due to use-after-free in the Graphics:
Canvas2D component
* CVE-2025-10528
Sandbox escape due to undefined behavior, invalid pointer in
the Graphics: Canvas2D component
* CVE-2025-10529
Same-origin policy bypass in the Layout component
* CVE-2025-10532
Incorrect boundary conditions in the JavaScript: GC component
* CVE-2025-10533
Integer overflow in the SVG component
* CVE-2025-10536
Information disclosure in the Networking: Cache component
* CVE-2025-10537
Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
ESR 140.3, Firefox 143 and Thunderbird 143
ImportantSUSE bug 1249391SUSE bug 1250452SUSE bug 1251263SUSE bug 1253188CVE-2025-10527 at SUSECVE-2025-10527 at NVDCVE-2025-10528 at SUSECVE-2025-10528 at NVDCVE-2025-10529 at SUSECVE-2025-10529 at NVDCVE-2025-10532 at SUSECVE-2025-10532 at NVDCVE-2025-10533 at SUSECVE-2025-10533 at NVDCVE-2025-10536 at SUSECVE-2025-10536 at NVDCVE-2025-10537 at SUSECVE-2025-10537 at NVDCVE-2025-11708 at SUSECVE-2025-11708 at NVDCVE-2025-11709 at SUSECVE-2025-11709 at NVDCVE-2025-11710 at SUSECVE-2025-11710 at NVDCVE-2025-11711 at SUSECVE-2025-11711 at NVDCVE-2025-11712 at SUSECVE-2025-11712 at NVDCVE-2025-11713 at SUSECVE-2025-11713 at NVDCVE-2025-11714 at SUSECVE-2025-11714 at NVDCVE-2025-11715 at SUSECVE-2025-11715 at NVDCVE-2025-13012 at SUSECVE-2025-13012 at NVDCVE-2025-13013 at SUSECVE-2025-13013 at NVDCVE-2025-13014 at SUSECVE-2025-13014 at NVDCVE-2025-13015 at SUSECVE-2025-13015 at NVDCVE-2025-13016 at SUSECVE-2025-13016 at NVDCVE-2025-13017 at SUSECVE-2025-13017 at NVDCVE-2025-13018 at SUSECVE-2025-13018 at NVDCVE-2025-13019 at SUSECVE-2025-13019 at NVDCVE-2025-13020 at SUSECVE-2025-13020 at NVDSecurity update for ocaml (Important)openSUSE Leap 16.0
This update for ocaml fixes the following issues:
- CVE-2026-28364: missing bounds validation in readblock() can lead to arbitrary code execution (bsc#1258992)
ImportantSUSE bug 1258992CVE-2026-28364 at SUSECVE-2026-28364 at NVDSecurity update for python-maturin (Important)openSUSE Leap 16.0
This update for python-maturin fixes the following issue:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257918).
ImportantSUSE bug 1257918CVE-2026-25727 at SUSECVE-2026-25727 at NVDSecurity update for libpng16 (Important)openSUSE Leap 16.0
This update for libpng16 fixes the following issues:
- CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020)
- CVE-2025-28162: Fixed a memory leaks when running `pngimage`. (bsc#1257364)
- CVE-2025-28164: Fixed a memory leaks when running `pngimage`. (bsc#1257365)
ImportantSUSE bug 1257364SUSE bug 1257365SUSE bug 1258020CVE-2025-28162 at SUSECVE-2025-28162 at NVDCVE-2025-28164 at SUSECVE-2025-28164 at NVDCVE-2026-25646 at SUSECVE-2026-25646 at NVDSecurity update for snpguest (Important)openSUSE Leap 16.0
This update for snpguest fixes the following issues:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257927).
- Update to version 0.10.0 (bsc#1257877):
* chore: updating tool version to 0.10.0
* refactor(certs): remove redundant branch in file-write logic
* Docs: Adding verify measure, host-data, report-data to docs
* verify: verify measurent, host data, and report data attributes from the attestation report.
* library: Updating sev library to 7.1.0
* ci: replace deprecated gh actions
* feat: multi-format integer parsing for key subcommand arguments
* chore(main): remove unused import `clap::arg`
* feat(fetch): add fetch crl subcommand
* .github/lint: Bump toolchain version to 1.86
* Bump rust version to 1.86
* feat: bumping tool to version 0.9.2
* fix(verify): silence mismatched_lifetime_syntaxes in SnpOid::oid
* feat: support SEV-SNP ABI Spec 1.58 (bump sev to v6.3.0)
* docs: restore and clarify Global Options section
* doc: fix CL argument orders + address recent changes
* fix(hyperv): downgrade VMPL check from error to warning
* fix(report.rs): remove conflict check between --random flag and Hyper-V
* fix(report.rs): Decouple runtime behavior from hyperv build feature
* refactor: clarify --platform error message
* docs: add Azure/Hyper-V build note for --platform
* docs: Update README.md
* report: Writing Req Data as Binary (#101)
* deps: bump virtee/sev to 6.2.1 (fix TCB-serialization bug) (#99)
ImportantSUSE bug 1257877SUSE bug 1257927CVE-2026-25727 at SUSECVE-2026-25727 at NVDSecurity update for net-snmp (Important)openSUSE Leap 16.0
This update for net-snmp fixes the following issues:
- CVE-2025-68615: Fixed snmptrapd buffer overflow (bsc#1255491).
ImportantSUSE bug 1255491CVE-2025-68615 at SUSECVE-2025-68615 at NVDSecurity update for libsoup (Important)openSUSE Leap 16.0
This update for libsoup fixes the following issues:
Update to libsoup 3.6.6:
- CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion (bsc#1252555).
- CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (bsc#1254876).
- CVE-2025-32049: Denial of Service attack to websocket server (bsc#1240751).
- CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
- CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects
(bsc#1257441).
- CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request
smuggling and potential DoS (bsc#1257597).
- CVE-2026-2369: Buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information
disclosure to remote attackers (bsc#1258170).
- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).
Changelog:
- websocket: Fix out-of-bounds read in process_frame
- Check nulls returned by soup_date_time_new_from_http_string()
- Numerous fixes to handling of Range headers
- server: close the connection after responsing a request
containing Content-Length and Transfer-Encoding
- Use CRLF as line boundary when parsing chunked enconding data
- websocket: do not accept messages frames after closing due to
an error
- Sanitize filename of content disposition header values
- Always validate the headers value when coming from untrusted
source
- uri-utils: do host validation when checking if a GUri is valid
- multipart: check length of bytes read
soup_filter_input_stream_read_until()
- message-headers: Reject duplicate Host headers
- server: null-check soup_date_time_to_string()
- auth-digest: fix crash in
soup_auth_digest_get_protection_space()
- session: fix 'heap-use-after-free' caused by 'finishing' queue
item twice
- cookies: Avoid expires attribute if date is invalid
- http1: Set EOF flag once content-length bytes have been read
- date-utils: Add value checks for date/time parsing
- multipart: Fix multiple boundry limits
- Fixed multiple possible memory leaks
- message-headers: Correct merge of ranges
- body-input-stream: Correct chunked trailers end detection
- server-http2: Correctly validate URIs
- multipart: Fix read out of buffer bounds under
soup_multipart_new_from_message()
- headers: Ensure Request-Line comprises entire first line
- tests: Fix MSVC build error
- Fix possible deadlock on init from gmodule usage
- Updated translations.
ImportantSUSE bug 1240751SUSE bug 1252555SUSE bug 1254876SUSE bug 1257398SUSE bug 1257441SUSE bug 1257597SUSE bug 1258120SUSE bug 1258170SUSE bug 1258508CVE-2025-12105 at SUSECVE-2025-12105 at NVDCVE-2025-14523 at SUSECVE-2025-14523 at NVDCVE-2025-32049 at SUSECVE-2025-32049 at NVDCVE-2026-1467 at SUSECVE-2026-1467 at NVDCVE-2026-1539 at SUSECVE-2026-1539 at NVDCVE-2026-1760 at SUSECVE-2026-1760 at NVDCVE-2026-2369 at SUSECVE-2026-2369 at NVDCVE-2026-2443 at SUSECVE-2026-2443 at NVDCVE-2026-2708 at SUSECVE-2026-2708 at NVDSecurity update for libjxl (Important)openSUSE Leap 16.0
This update for libjxl fixes the following issues:
Update to libjxl 0.11.2:
- CVE-2025-12474: a specially crafted file can cause the decoder to read pixel data from uninitialized allocated memory
(bsc#1258090).
- CVE-2026-1837: a specially crafted file can cause the decoder to write pixel data to uninitialized unallocated memory
(bsc#1258091).
ImportantSUSE bug 1258090SUSE bug 1258091CVE-2025-12474 at SUSECVE-2025-12474 at NVDCVE-2026-1837 at SUSECVE-2026-1837 at NVDSecurity update for cosign (Moderate)openSUSE Leap 16.0
This update for cosign fixes the following issues:
Update to version 3.0.5:
- CVE-2026-24122: Fixed improper validation of certificates that outlive
expired CA certificates (bsc#1258542)
- CVE-2026-26958: Fixed filippo.io/edwards25519: failure to initialize receiver
in MultiScalarMult can produce invalid results and lead to undefined behavior
(bsc#1258612)
- CVE-2026-24137: Fixed github.com/sigstore/sigstore/pkg/tuf: legacy TUF client
allows for arbitrary file writes with target cache path traversal
(bsc#1257139)
- CVE-2026-22772: Fixed github.com/sigstore/fulcio: bypass MetaIssuer URL
validation bypass can trigger SSRF to arbitrary internal services
(bsc#1256562)
- CVE-2026-23991: Fixed github.com/theupdateframework/go-tuf/v2: denial of
service due to invalid TUF metadata JSON returned by TUF repository
(bsc#1257080)
- CVE-2026-23992: Fixed github.com/theupdateframework/go-tuf/v2: unauthorized
modification to TUF metadata files due to a compromised or misconfigured TUF
repository (bsc#1257085)
- CVE-2025-11065: Fixed github.com/go-viper/mapstructure/v2: sensitive
Information leak in logs (bsc#1250620)
- CVE-2026-22703: Fixed that cosign verification accepts any valid Rekor entry
under certain conditions (bsc#1256496)
- CVE-2025-58181: Fixed golang.org/x/crypto/ssh: invalidated number of
mechanisms can cause unbounded memory consumption (bsc#1253913)
ModerateSUSE bug 1250620SUSE bug 1253913SUSE bug 1256496SUSE bug 1256562SUSE bug 1257080SUSE bug 1257085SUSE bug 1257139SUSE bug 1258542SUSE bug 1258612CVE-2025-11065 at SUSECVE-2025-11065 at NVDCVE-2025-58181 at SUSECVE-2025-58181 at NVDCVE-2026-22703 at SUSECVE-2026-22703 at NVDCVE-2026-22772 at SUSECVE-2026-22772 at NVDCVE-2026-23991 at SUSECVE-2026-23991 at NVDCVE-2026-23992 at SUSECVE-2026-23992 at NVDCVE-2026-24122 at SUSECVE-2026-24122 at NVDCVE-2026-24137 at SUSECVE-2026-24137 at NVDCVE-2026-26958 at SUSECVE-2026-26958 at NVDSecurity update for busybox (Important)openSUSE Leap 16.0
This update for busybox fixes the following issues:
Changes in busybox:
- CVE-2026-26157: Fixed arbitrary file overwrite and potential code execution via incomplete path sanitization. (bsc#1258163)
- CVE-2026-26158: Fixed arbitrary file modification and privilege escalation via unvalidated tar archive entries. (bsc#1258167)
ImportantSUSE bug 1258163SUSE bug 1258167CVE-2026-26157 at SUSECVE-2026-26157 at NVDCVE-2026-26158 at SUSECVE-2026-26158 at NVDSecurity update for postgresql17 (Important)openSUSE Leap 16.0
This update for postgresql17 fixes the following issues:
- Update to version 17.9. (bsc#1258754)
- CVE-2026-2003: Guard against unexpected dimensions of oidvector/int2vector (bsc#1258008)
- CVE-2026-2004: Harden selectivity estimators against being attached to operators that accept unexpected data types. (bsc#1258009)
- CVE-2026-2005: Fix buffer overrun in contrib/pgcrypto's PGP decryption functions. (bsc#1258010)
- CVE-2026-2006: Fix inadequate validation of multibyte character lengths. (bsc#1258011)
ImportantSUSE bug 1258008SUSE bug 1258009SUSE bug 1258010SUSE bug 1258011SUSE bug 1258754CVE-2026-2003 at SUSECVE-2026-2003 at NVDCVE-2026-2004 at SUSECVE-2026-2004 at NVDCVE-2026-2005 at SUSECVE-2026-2005 at NVDCVE-2026-2006 at SUSECVE-2026-2006 at NVDSecurity update for protobuf (Moderate)openSUSE Leap 16.0
This update for protobuf fixes the following issues:
Security fixes:
- CVE-2025-4565: Fixed parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive
groups or messages that could lead to crash due to RecursionError (bsc#1244663).
- CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python json_format.ParseDict (bsc#1257173).
Other fixes:
- Fixed import issues of reverse-dependency packages within the google namespace (bsc#1244918).
ModerateSUSE bug 1244663SUSE bug 1244918SUSE bug 1257173CVE-2025-4565 at SUSECVE-2025-4565 at NVDCVE-2026-0994 at SUSECVE-2026-0994 at NVDSecurity update for librsvg (Moderate)openSUSE Leap 16.0
This update for librsvg fixes the following issues:
Update to version 2.60.2:
- CVE-2024-12224: Fixed idna accepts Punycode labels that do not produce any non-ASCII when decoded (bsc#1243867).
- CVE-2024-43806: Fixed memory explosion in rustix (bsc#1229950).
ModerateSUSE bug 1229376SUSE bug 1229950SUSE bug 1243867CVE-2024-12224 at SUSECVE-2024-12224 at NVDCVE-2024-43806 at SUSECVE-2024-43806 at NVDSecurity update for poppler (Moderate)openSUSE Leap 16.0
This update for poppler fixes the following issues:
- CVE-2025-11896: infinite recursion leading to stack overflow due to object loop in PDF CMap (bsc#1252337).
ModerateSUSE bug 1252337CVE-2025-11896 at SUSECVE-2025-11896 at NVDSecurity update for keylime (Critical)openSUSE Leap 16.0
This update for keylime fixes the following issues:
- Update to version 7.14.0+0 (CVE-2026-1709, bsc#1257895):
- CVE-2026-1709: Fixed an authentication bypass which may allow unauthorized administrative operations due to missing client-side TLS authentication. (bsc#1257895)
CriticalSUSE bug 1257895CVE-2026-1709 at SUSECVE-2026-1709 at NVDSecurity update for libsodium (Moderate)openSUSE Leap 16.0
This update for libsodium fixes the following issues:
- CVE-2025-15444: Fixed cryptographic bypass via improper elliptic curve point validation (bsc#1256070).
ModerateSUSE bug 1256070CVE-2025-15444 at SUSECVE-2025-15444 at NVDSecurity update for ucode-intel (Moderate)openSUSE Leap 16.0
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode was updated to the 20260210 release (bsc#1258046):
- CVE-2024-24853: Updated fix for incorrect behavior order in transition
between executive monitor and SMI transfer monitor (STM) in some Intel(R)
Processor may allow a privileged user to potentially enable escalation
of privilege via local access (bsc#1229129).
- CVE-2025-31648: Improper handling of values in the
microcode flow for some Intel Processor Family may allow
an escalation of privilege (bsc#1258046).
- Intel CPU Microcode was updated to the 20251111 release (bsc#1253319):
- Update for functional issues.
- switch the supplements to use supplements + kernel to allow
moving a installation to Intel hardware (bsc#1249138)
- Intel CPU Microcode was updated to the 20241029 release (bsc#1230400):
- Update for functional issues.
ModerateSUSE bug 1229129SUSE bug 1230400SUSE bug 1249138SUSE bug 1253319SUSE bug 1258046CVE-2024-24853 at SUSECVE-2024-24853 at NVDCVE-2025-31648 at SUSECVE-2025-31648 at NVDSecurity update for gstreamer-plugins-ugly (Important)openSUSE Leap 16.0
This update for gstreamer-plugins-ugly fixes the following issues:
- CVE-2026-2920: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability (bsc#1259367).
- CVE-2026-2922: GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability (bsc#1259370).
ImportantSUSE bug 1259367SUSE bug 1259370CVE-2026-2920 at SUSECVE-2026-2920 at NVDCVE-2026-2922 at SUSECVE-2026-2922 at NVDSecurity update for vim (Important)openSUSE Leap 16.0
This update for vim fixes the following issues:
- Update Vim to version 9.2.0110 that includes security fixes for:
* CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
* CVE-2026-26269: stack buffer overflow in Vim's NetBeans integration when processing the specialKeys command (bsc#1258229).
* CVE-2025-53906: path traversal in Vim's zip.vim plugin (bsc#1246602).
- Other changes:
* Add wayland-client to BuildRequires and enable Wayland support.
* Add Wayland include path to CFLAGS to fix clipboard compilation.
* Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8).
ImportantSUSE bug 1246602SUSE bug 1258229SUSE bug 1259051CVE-2025-53906 at SUSECVE-2025-53906 at NVDCVE-2026-26269 at SUSECVE-2026-26269 at NVDCVE-2026-28417 at SUSECVE-2026-28417 at NVDSecurity update for curl (Important)openSUSE Leap 16.0
This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
ImportantSUSE bug 1259362SUSE bug 1259363SUSE bug 1259364SUSE bug 1259365CVE-2026-1965 at SUSECVE-2026-1965 at NVDCVE-2026-3783 at SUSECVE-2026-3783 at NVDCVE-2026-3784 at SUSECVE-2026-3784 at NVDCVE-2026-3805 at SUSECVE-2026-3805 at NVDSecurity update for ImageMagick (Important)openSUSE Leap 16.0
This update for ImageMagick fixes the following issues:
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-28493: integer overflow in the SIXEL decoder leads to out-of-bounds write (bsc#1259446).
- CVE-2026-28494: missing bounds checks in the morphology kernel parsing functions can lead to a stack buffer overflow
(bsc#1259447).
- CVE-2026-28686: undersized output buffer allocation in the PCL encoder can lead to a heap buffer overflow
(bsc#1259448).
- CVE-2026-28687: heap use-after-free vulnerability in the MSL decoder via a crafted MSL file (bsc#1259450).
- CVE-2026-28688: heap use-after-free in the MSL encoder when a cloned image is destroyed twice (bsc#1259451).
- CVE-2026-28689: `domain="path"` authorization is checked before final file open/use and allows for read/write bypass
via symlink swaps (bsc#1259452).
- CVE-2026-28690: missing bounds check in the MNG encoder can lead to a stack buffer overflow (bsc#1259456).
- CVE-2026-28691: missing check in the JBIG decoder can lead to an uninitialized pointer dereference (bsc#1259455).
- CVE-2026-28692: 32-bit integer overflow in MAT decoder can lead to a heap buffer over-read (bsc#1259457).
- CVE-2026-28693: integer overflow in the DIB coder can lead to an out-of-bounds read or write (bsc#1259466).
- CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write (bsc#1259467).
- CVE-2026-30929: improper use of fixed-size stack buffer in `MagnifyImage`can lead to a stack buffer overflow
(bsc#1259468).
- CVE-2026-30931: value truncation in the UHDR encoder can lead to a heap buffer overflow (bsc#1259469).
- CVE-2026-30935: heap-based buffer over-read in BilateralBlurImage (bsc#1259497).
- CVE-2026-30936: heap Buffer Overflow in WaveletDenoiseImage (bsc#1259464).
- CVE-2026-30937: heap buffer overflow in XWD encoder due to CARD32 arithmetic overflow (bsc#1259463).
- CVE-2026-31853: heap buffer overflow leads to crash in the SFW decoder of 32-bit systems when processing extremely
large images (bsc#1259528).
ImportantSUSE bug 1258790SUSE bug 1259446SUSE bug 1259447SUSE bug 1259448SUSE bug 1259450SUSE bug 1259451SUSE bug 1259452SUSE bug 1259455SUSE bug 1259456SUSE bug 1259457SUSE bug 1259463SUSE bug 1259464SUSE bug 1259466SUSE bug 1259467SUSE bug 1259468SUSE bug 1259469SUSE bug 1259497SUSE bug 1259528CVE-2026-24484 at SUSECVE-2026-24484 at NVDCVE-2026-28493 at SUSECVE-2026-28493 at NVDCVE-2026-28494 at SUSECVE-2026-28494 at NVDCVE-2026-28686 at SUSECVE-2026-28686 at NVDCVE-2026-28687 at SUSECVE-2026-28687 at NVDCVE-2026-28688 at SUSECVE-2026-28688 at NVDCVE-2026-28689 at SUSECVE-2026-28689 at NVDCVE-2026-28690 at SUSECVE-2026-28690 at NVDCVE-2026-28691 at SUSECVE-2026-28691 at NVDCVE-2026-28692 at SUSECVE-2026-28692 at NVDCVE-2026-28693 at SUSECVE-2026-28693 at NVDCVE-2026-30883 at SUSECVE-2026-30883 at NVDCVE-2026-30929 at SUSECVE-2026-30929 at NVDCVE-2026-30931 at SUSECVE-2026-30931 at NVDCVE-2026-30935 at SUSECVE-2026-30935 at NVDCVE-2026-30936 at SUSECVE-2026-30936 at NVDCVE-2026-30937 at SUSECVE-2026-30937 at NVDCVE-2026-31853 at SUSECVE-2026-31853 at NVDSecurity update for poppler (Important)openSUSE Leap 16.0
This update for poppler fixes the following issues:
- CVE-2025-52885: Fixed raw pointers leading to dangling pointers when the vector is resized (bsc#1251940)
ImportantSUSE bug 1251940CVE-2025-52885 at SUSECVE-2025-52885 at NVDSecurity update for python-tornado6 (Important)openSUSE Leap 16.0
This update for python-tornado6 fixes the following issues:
- CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service (bsc#1259553).
- incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes
(bsc#1259630).
ImportantSUSE bug 1259553SUSE bug 1259630CVE-2026-31958 at SUSECVE-2026-31958 at NVDSecurity update for python-orjson (Moderate)openSUSE Leap 16.0
This update for python-orjson fixes the following issues:
- CVE-2025-67221: Fixed write outsize of allocated memory on json dump (bsc#1257121).
ModerateSUSE bug 1257121CVE-2025-67221 at SUSECVE-2025-67221 at NVDSecurity update for postgresql18 (Important)openSUSE Leap 16.0
This update for postgresql18 fixes the following issues:
- Update to version 18.3. (bsc#1258754)
- CVE-2026-2003: Guard against unexpected dimensions of oidvector/int2vector (bsc#1258008)
- CVE-2026-2004: Harden selectivity estimators against being attached to operators that accept unexpected data types. (bsc#1258009)
- CVE-2026-2005: Fix buffer overrun in contrib/pgcrypto's PGP decryption functions. (bsc#1258010)
- CVE-2026-2006: Fix inadequate validation of multibyte character lengths. (bsc#1258011)
- CVE-2026-2007: Harden contrib/pg_trgm against changes in string lowercasing behavior. (bsc#1258012)
ImportantSUSE bug 1258008SUSE bug 1258009SUSE bug 1258010SUSE bug 1258011SUSE bug 1258012SUSE bug 1258754CVE-2026-2003 at SUSECVE-2026-2003 at NVDCVE-2026-2004 at SUSECVE-2026-2004 at NVDCVE-2026-2005 at SUSECVE-2026-2005 at NVDCVE-2026-2006 at SUSECVE-2026-2006 at NVDCVE-2026-2007 at SUSECVE-2026-2007 at NVDSecurity update for harfbuzz (Moderate)openSUSE Leap 16.0
This update for harfbuzz fixes the following issues:
Update to version 11.4.5:
Security fixes:
- CVE-2026-22693: Fixed a NULL pointer dereference in SubtableUnicodesCache::create (bsc#1256459).
Other fixes:
- Bug fixes for “AAT” shaping, and other shaping micro
optimizations.
- Fix a shaping regression affecting mark glyphs in certain
fonts.
- Fix pruning of mark filtering sets when subsetting fonts, which
caused changes in shaping behaviour.
- Make shaping fail much faster for certain malformed fonts
(e.g., those that trigger infinite recursion).
- Fix undefined behaviour introduced in 11.4.2.
- Fix detection of the “Cambria Math” font when fonts are scaled,
so the workaround for the bad MATH table constant is applied.
- Various performance and memory usage improvements.
- The hb-shape command line tool can now be built with the
amalgamated harfbuzz.cc source.
- Fix regression in handling version 2 of avar table.
- Increase various buffer length limits for better handling of
fonts that generate huge number of glyphs per codepoint (e.g.
Noto Sans Duployan).
- Improvements to the harfrust shaper for more accurate testing.
- Fix clang compiler warnings.
- General shaping and subsetting speedups.
- Fix in Graphite shaping backend when glyph advances became
negative.
- Subsetting improvements, pruning empty mark-attachment lookups.
- Don't use the macro name _S, which is reserved by system
liberaries.
- Build fixes and speedup.
- Add a kbts shaping backend that calls into the kb_text_shape
single-header shaping library. This is purely for testing and
performance evaluation and we do NOT recommend using it for any
other purposes.
- Fix bug in vertical shaping of fonts without the vmtx table.
- Fix build with non-compliant C++11 compilers that don't
recognize the "and" keyword.
- Fix crasher in the glyph_v_origin function introduced in
11.3.0.
- Speed up handling fonts with very large number of variations.
- Speed up getting horizontal and vertical glyph advances by up
to 24%.
- Significantly speed up vertical text shaping.
- Various documentation improvements.
- Various build improvements.
- Various subsetting improvements.
- Various improvements to Rust font functions (fontations
integration) and shaper (HarfRust integration).
- Rename harfruzz option and shaper to harfrust following
upstream rename.
- Implement hb_face_reference_blob() for DirectWrite font
functions.
- Various build improvements.
- Fix build with HB_NO_DRAW and HB_NO_PAINT.
- Add an optional harfruzz shaper that uses HarfRuzz; an ongoing
Rust port of HarfBuzz shaping. This shaper is mainly used for
testing the output of the Rust implementation.
- Fix regression that caused applying unsafe_to_break() to the
whole buffer to be ignored.
- Update USE data files.
- Fix getting advances of out-of-rage glyph indices in
DirectWrite font functions.
- Painting of COLRv1 fonts without clip boxes is now about 10
times faster.
- Synthetic bold/slant of a sub font is now respected, instead of
using the parent’s.
- Glyph extents for fonts synthetic bold/slant are now accurately
calculated.
- Various build fixes.
- Include bidi mirroring variants of the requested codepoints
when subsetting. The new HB_SUBSET_FLAGS_NO_BIDI_CLOSURE can be
used to disable this behaviour.
- Various bug fixes.
- Various build fixes and improvements.
- Various test suite improvements.
- The change in version 10.3.0 to apply “trak” table tracking
values to glyph advances directly has been reverted as it
required every font functions implementation to handle it,
which breaks existing custom font functions. Tracking is
instead back to being applied during shaping.
- When directwrite integration is enabled, we now link to
dwrite.dll instead of dynamically loading it.
- A new experimental APIs for getting raw “CFF” and “CFF2”
CharStrings.
- We now provide manpages for the various command line utilities.
Building manpages requires “help2man” and will be skipped if it
is not present.
- The command line utilities now set different return value for
different kinds of failures. Details are provided in the
manpages.
- Various fixes and improvements to fontations font functions.
- All shaping operations using the ot shaper have become memory
allocation-free.
- Glyph extents returned by hb-ot and hb-ft font functions are
now rounded in stead of flooring/ceiling them, which also
matches what other font libraries do.
- Fix “AAT” deleted glyph marks interfering with fallback mark
positioning.
- Glyph outlines emboldening have been moved out of hb-ot and
hb-ft font functions to the HarfBuzz font layer, so that it
works with any font functions implementation.
- Fix our fallback C++11 atomics integration, which seems to not
be widely used.
- Various testing fixes and improvements.
- Various subsetting fixes and improvements.
- Various other fixes and improvements.
ModerateSUSE bug 1256459CVE-2026-22693 at SUSECVE-2026-22693 at NVDSecurity update for exiv2 (Important)openSUSE Leap 16.0
This update for exiv2 fixes the following issues:
Update to exiv2 0.28.8:
- CVE-2024-24826: out-of-bounds read in QuickTimeVideo: NikonTagsDecoder (bsc#1219870).
- CVE-2024-25112: denial of service due to unbounded recursion in QuickTimeVideo: multipleEntriesDecoder (bsc#1219871).
- CVE-2024-39695: out-of-bounds read in AsfVideo: streamProperties (bsc#1227528).
- CVE-2025-26623: heap buffer overflow via writing metadata into a crafted image file (bsc#1237347).
- CVE-2025-54080: out-of-bounds read in `Exiv2: EpsImage: writeMetadata()` when writing metadata into a crafted image
file (bsc#1248962).
- CVE-2025-55304: quadratic performance algorithm in the ICC profile parsing code of `JpegBase: readMetadata`
(bsc#1248963).
- CVE-2026-25884: out-of-bounds read in `CrwMap: decode0x0805` (bsc#1259083).
- CVE-2026-27596: integer overflow in `LoaderNative: getData()` leads to out-of-bounds read (bsc#1259084).
- CVE-2026-27631: crash due to uncaught exception when trying to create `std: vector` larger than `max_size()`
(bsc#1259085).
ImportantSUSE bug 1219870SUSE bug 1219871SUSE bug 1227528SUSE bug 1237347SUSE bug 1248962SUSE bug 1248963SUSE bug 1259083SUSE bug 1259084SUSE bug 1259085CVE-2024-24826 at SUSECVE-2024-24826 at NVDCVE-2024-25112 at SUSECVE-2024-25112 at NVDCVE-2024-39695 at SUSECVE-2024-39695 at NVDCVE-2025-26623 at SUSECVE-2025-26623 at NVDCVE-2025-54080 at SUSECVE-2025-54080 at NVDCVE-2025-55304 at SUSECVE-2025-55304 at NVDCVE-2026-25884 at SUSECVE-2026-25884 at NVDCVE-2026-27596 at SUSECVE-2026-27596 at NVDCVE-2026-27631 at SUSECVE-2026-27631 at NVDSecurity update for salt (Important)openSUSE Leap 16.0
This update for salt fixes the following issues:
Changes in salt:
- Security issues fixed:
* CVE-2025-67724: fixed missing validation of supplied reason phrase (bsc#1254903)
* CVE-2025-67725: fixed DoS via malicious HTTP request (bsc#1254905)
* CVE-2025-67726: fixed HTTP header parameter parsing algorithm (bsc#1254904)
- Fixed KeyError in postgres module with PostgreSQL 17 (bsc#1254325)
- Use internal deb classes instead of external aptsource lib
- Improved performance of wheel key.finger call (bsc#1240532)
- Improved performance of utils.find_json function (bsc#1246130)
- Extend warn_until period to 2027
ImportantSUSE bug 1240532SUSE bug 1246130SUSE bug 1254325SUSE bug 1254903SUSE bug 1254904SUSE bug 1254905CVE-2025-13836 at SUSECVE-2025-13836 at NVDCVE-2025-67724 at SUSECVE-2025-67724 at NVDCVE-2025-67725 at SUSECVE-2025-67725 at NVDCVE-2025-67726 at SUSECVE-2025-67726 at NVDSecurity update for nghttp2 (Important)openSUSE Leap 16.0
This update for nghttp2 fixes the following issue:
- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).
ImportantSUSE bug 1259845CVE-2026-27135 at SUSECVE-2026-27135 at NVDSecurity update for tomcat11 (Important)openSUSE Leap 16.0
This update for tomcat11 fixes the following issues:
Update to Tomcat 11.0.18:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
+ Fix: 69932: Fix request end access log pattern regression, which would log
the start time of the request instead. (remm)
+ Fix: 69623: Additional fix for the long standing regression that meant
that calls to ClassLoader.getResource().getContent() failed when made from
within a web application with resource caching enabled if the target
resource was packaged in a JAR file. (markt)
+ Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the
CsrfPreventionFilter. (schultz)
+ Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2
requests when the content-length header is not set. (dsoumis)
+ Update: Enable minimum and recommended Tomcat Native versions to be set
separately for Tomcat Native 1.x and 2.x. Update the minimum and
recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum
and recommended versions for Tomcat Native 2.x to 2.0.12. (markt)
+ Add: Add a new ssoReauthenticationMode to the Tomcat provided
Authenticators that provides a per Authenticator override of the SSO Valve
requireReauthentication attribute. (markt)
+ Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception
rather than silently using a replacement character. (markt)
+ Fix: 69871: Increase log level to INFO for missing configuration for the
rewrite valve. (remm)
+ Fix: Add log warnings for additional Host appBase suspicious values.
(remm)
+ Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar.
org.apache.catalina.Connector no longer requires
org.apache.tomcat.jni.AprStatus to be present. (markt)
+ Add: Add the ability to use a custom function to generate the client
identifier in the CrawlerSessionManagerValve. This is only available
programmatically. Pull request #902 by Brian Matzon. (markt)
+ Fix: Change the SSO reauthentication behaviour for SPNEGO authentication
so that a normal SPNEGO authentication is performed if the SSL Valve is
configured with reauthentication enabled. This is so that the delegated
credentials will be available to the web application. (markt)
+ Fix: When generating the class path in the Loader, re-order the check on
individual class path components to avoid a potential
NullPointerException. Identified by Coverity Scan. (markt)
+ Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull
request #915 by Joshua Rogers. (remm)
+ Update: Add an attribute, digestInRfc3112Order, to
MessageDigestCredentialHandler to control the order in which the
credential and salt are digested. By default, the current, non-RFC 3112
compliant, order of salt then credential will be used. This default will
change in Tomcat 12 to the RFC 3112 compliant order of credential then
salt. (markt)
* Cluster
+ Add: 62814: Document that human-readable names may be used for
mapSendOptions and align documentation with channelSendOptions. Based on
pull request #929 by archan0621. (markt)
* Clustering
+ Fix: Correct a regression introduced in 11.0.11 that broke some clustering
configurations. (markt)
* Coyote
+ Fix: 69936: Fix bug in previous fix for Tomcat Native crashes on shutdown
that triggered a significant memory leak. Patch provided by Wes. (markt)
+ Fix: Prevent concurrent release of OpenSSLEngine resources and the
termination of the Tomcat Native library as it can cause crashes during
Tomcat shutdown. (markt)
+ Fix: Improve warnings when setting ciphers lists in the FFM code,
mirroring the tomcat-native changes. (remm)
+ Fix: 69910: Dereference TLS objects right after closing a socket to
improve memory efficiency. (remm)
+ Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig
to reflect the existing implementation that allows one configuration style
to be used for the trust attributes and a different style for all the
other attributes. (markt)
+ Fix: Better warning message when OpenSSLConf configuration elements are
used with a JSSE TLS implementation. (markt)
+ Fix: When using OpenSSL via FFM, don't log a warning about missing CA
certificates unless CA certificates were configured and the configuration
failed. (markt)
+ Add: For configuration consistency between OpenSSL and JSSE TLS
implementations, TLSv1.3 cipher suites included in the ciphers attribute
of an SSLHostConfig are now always ignored (previously they would be
ignored with OpenSSL implementations and used with JSSE implementations)
and a warning is logged that the cipher suite has been ignored. (markt)
+ Add: Add the ciphersuite attribute to SSLHostConfig to configure the
TLSv1.3 cipher suites. (markt)
+ Add: Add OCSP support to JSSE based TLS connectors and make the use of
OCSP configurable per connector for both JSSE and OpenSSL based TLS
implementations. Align the checks performed by OpenSSL with those
performed by JSSE. (markt)
+ Add: Add support for soft failure of OCSP checks with soft failure support
disabled by default. (markt)
+ Add: Add support for configuring the verification flags passed to
OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt)
+ Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
+ Fix: Don't log an incorrect certificate KeyStore location when creating a
TLS connector if the KeyStore instance has been set directly on the
connector. (markt)
+ Fix: HTTP/0.9 only allows GET as the HTTP method. (remm)
+ Add: Add strictSni attribute on the Connector to allow matching the
SSLHostConfig configuration associated with the SNI host name to the
SSLHostConfig configuration matched from the HTTP protocol host name. Non
matching configurations will cause the request to be rejected. The
attribute default value is true, enabling the matching. (remm)
+ Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
+ Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL
provider. Pull request #912 by aogburn. (markt)
+ Fix: Fix potential crash on shutdown when a Connector depends on the
Tomcat Native library. (markt)
+ Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers.
* Jasper
+ Fix: 69333: Correct a regression in the previous fix for 69333 and ensure
that reuse() or release() is always called for a tag. (markt)
+ Fix: 69877: Catch IllegalArgumentException when processing URIs when
creating the classpath to handle invalid URIs. (remm)
+ Fix: Fix populating the classpath with the webapp classloader
repositories. (remm)
+ Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some
exception details. Patch submitted by Eric Blanquer. (remm)
* Jdbc-pool
+ Fix: 64083: If the underlying connection has been closed, don't add it to
the pool when it is returned. Pull request #235 by Alex Panchenko. (markt)
* Web applications
+ Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server
status output if one or more of the web applications failed to start.
(schultz)
+ Add: Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
+ Add: Documentation: Expand the documentation to better explain when OCSP
is supported and when it is not. (markt)
* Websocket
+ Fix: 69920: When attempting to write to a closed Writer or OutputStream
obtained from a WebSocket session, throw an IOException rather than an
IllegalStateExcpetion as required by Writer and strongly suggested by
OutputStream. (markt)
* Other
+ Add: Add property "gpg.sign.files" to optionally disable release artefact
signing with GPG. (rjung)
+ Add: Add test.silent property to suppress JUnit console output during test
execution. Useful for cleaner console output when running tests with
multiple threads. (csutherl)
+ Update: Update the internal fork of Commons Pool to 2.13.1. (markt)
+ Update: Update the internal fork of Commons DBCP to 2.14.0. (markt)
+ Update: Update Commons Daemon to 1.5.1. (markt)
+ Update: Update to the Eclipse JDT compiler 4.37. (markt)
+ Update: Update ByteBuddy to 1.18.3. (markt)
+ Update: Update UnboundID to 7.0.4. (markt)
+ Update: Update Checkstyle to 12.3.1. (markt)
+ Add: Improvements to French translations. (markt)
+ Add: Improvements to Japanese translations provided by tak7iji. (markt)
+ Add: Improvements to Chinese translations provided by Yang. vincent.h and
yong hu. (markt)
+ Update: Update Tomcat Native to 2.0.12. (markt)
+ Add: Add test profile system for selective test execution. Profiles can be
specified via -Dtest.profile=<name> to run specific test subsets without
using patterns directly. Profile patterns are defined in
test-profiles.properties. (csutherl)
+ Update: Update file extension to media type mappings to align with the
current list used by the Apache Web Server (httpd). (markt)
+ Update: Update the packaged version of the Tomcat Migration Tool for
Jakarta EE to 1.0.10. (markt)
+ Update: Update Commons Daemon to 1.5.0. (markt)
+ Update: Update Byte Buddy to 1.18.2. (markt)
+ Update: Update Checkstyle to 12.2.0. (markt)
+ Add: Improvements to Spanish translations provided by White Vogel. (markt)
+ Add: Improvements to French translations. (remm)
+ Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt)
+ Update: Update to Byte Buddy 1.17.8. (markt)
+ Update: Update to Checkstyle 12.1.1. (markt)
+ Update: Update to Jacoco 0.8.14. (markt)
+ Update: Update to SpotBugs 4.9.8. (markt)
+ Update: Update to JSign 7.4. (markt)
+ Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung)
ImportantSUSE bug 1253460SUSE bug 1258371SUSE bug 1258385SUSE bug 1258387CVE-2025-66614 at SUSECVE-2025-66614 at NVDCVE-2026-24733 at SUSECVE-2026-24733 at NVDCVE-2026-24734 at SUSECVE-2026-24734 at NVDSecurity update for 389-ds (Important)openSUSE Leap 16.0
This update for 389-ds fixes the following issue:
Update to 389-ds 3.0.6~git249.6688af9b2:
- CVE-2025-14905: heap buffer overflow due to improper size calculation in `schema_attr_enum_callback` can lead to DoS
and RCE (bsc#1258727).
Changelog:
* Issue 7277 - UI - Fix Japanese translation for "Successfully updated group" in Cockpit UI (#7278)
* Issue 7275 - UI - Improve password policy field validation in Cockpit UI (#7276)
* Issue 7279 - UI - Fix typo in export certificate dialog (#7280)
* Issue 7273 - In a chaining environment binding as remote user causes an invalid error in the logs
* Issue 7271 - plugins that create threads need to update active thread count
* Issue 5853 - Update concread to 0.5.10
* Issue 7053 - Remove memberof_del_dn_from_groups from MemberOf plugin (#7064)
* Issue 7223 - Remove integerOrderingMatch requirement for parentid (#7264)
* Issue 7066/7052 - allow password history to be set to zero and remove history
* Issue 7223 - Use lexicographical order for ancestorid (#7256)
* Issue 7213 - (2nd) MDB_BAD_VALSIZE error while handling VLV (#7258)
* Issue 7184 - (2nd) argparse.HelpFormatter _format_actions_usage() is deprecated (#7257)
* Issue - CLI - dsctl db2index needs some hardening with MBD
* Issue 7248 - CLI - attribute uniqueness - fix usage for exclude subtree option
* Issue 7231 - Sync repl tests fail in FIPS mode due to non FIPS compliant crypto (#7232)
* Issue 7121 - (2nd) LeakSanitizer: various leaks during replication (#7212)
* Issue 6947 - Fix health_system_indexes_test.py
* Issue 7076 - Fix revert_cache() never called in modrdn (#7220)
* Issue 7076, 6992, 6784, 6214 - Fix CI test failures (#7077)
* Issue 7096 - (2nd) During replication online total init the function idl_id_is_in_idlist is not scaling with large
database (#7205)
* Issue 3555 - UI - Fix audit issue with npm - @isaacs/brace-expansion (#7228)
* Issue 7223 - Add dsctl index-check command for offline index repair
* Issue 7223 - Detect and log index ordering mismatch during backend startup
* Issue 7223 - Add upgrade function to remove ancestorid index config entry
* Issue 7223 - Add upgrade function to remove nsIndexIDListScanLimit from parentid
* Issue 7223 - Revert index scan limits for system indexes
* Issue 6542 - RPM build errors on Fedora 42
* Issue 7224 - CI Test - Simplify test_reserve_descriptor_validation (#7225)
* Issue 7194 - Repl Log Analysis - Add CSN propagation details (#7195)
* Issue 7213 - MDB_BAD_VALSIZE error while handling VLV (#7214)
* Issue 7027 - (2nd) 389-ds-base OpenScanHub Leaks Detected (#7211)
* Issue 7184 - argparse.HelpFormatter _format_actions_usage() is deprecated
* Issue 7198 - Web console doesn't show sub-suffix when parent-suffix points to an entry (#7202)
* Issue 7189 - DSBLE0007 generates incorrect remediation commands for scan limits
* Bump lodash from 4.17.21 to 4.17.23 in /src/cockpit/389-console (#7203)
* Issue 7172 - (2nd) Index ordering mismatch after upgrade (#7180)
* Issue 7172 - Index ordering mismatch after upgrade (#7173)
* Issue - Revise paged result search locking
* Issue 7096 - During replication online total init the function idl_id_is_in_idlist is not scaling with large
database (#7145)
* Revert "Issue 7160 - Add lib389 version sync check to configure (#7165)"
* Issue 7160 - Add lib389 version sync check to configure (#7165)
* Issue 7049 - RetroCL plugin generates invalid LDIF
* Issue 7150 - Compressed access log rotations skipped, accesslog-list out of sync (#7151)
* Restore definition for slapi_entry_attr_get_valuearray
* Issue 1793 - RFE - Dynamic lists - UI and CLI updates
* Issue 7119 - Fix DNA shared config replication test (#7143)
* Issue 7081 - Repl Log Analysis - Implement data sampling with performance and timezone fixes (#7086)
* Issue 1793 - RFE - Implement dynamic lists
* Issue 6753 - Port ticket tests
* Issue 6753 - Port and fix ticket 47823 tests
* Issue 6753 - Add 'add_exclude_subtree' and 'remove_exclude_subtree' methods to Attribute uniqueness plugin
* Issue 6753 - Port ticket test 48026
* Issue 7128 - memory corruption in alias entry plugin (#7131)
* Issue 7091 - Duplicate local password policy entries listed (#7092)
* Issue 7124 - BDB cursor race condition with transaction isolation (#7125)
* Issue 7132 - Keep alive entry updated too soon after an offline import (#7133)
* Issue 7121 - LeakSanitizer: various leaks during replication (#7122)
* Issue 7115 - LeakSanitizer: leak in `slapd_bind_local_user()` (#7116)
* Issue 7109 - AddressSanitizer: SEGV ldap/servers/slapd/csnset.c:302 in csnset_dup (#7114)
* Issue 7056 - DSBLE0007 doesn't generate remediation steps for missing indexes
* Issue 7119 - Harden DNA plugin locking for shared server list operations (#7120)
* Issue 7084 - UI - schema - sorting attributes breaks expanded row
* Issue 7007 - Improve paged result search locking
* Issue 3555 - UI - Fix audit issue with npm - glob (#7107)
* Issue 6846 - Attribute uniqueness is not enforced with modrdn (#7026)
* Issue 6901 - Update changelog trimming logging - fix tests
* Issue 6901 - Update changelog trimming logging
* Bump js-yaml from 4.1.0 to 4.1.1 in /src/cockpit/389-console (#7097)
* Issue 7069 - Fix error reporting in HAProxy trusted IP parsing (#7094)
* Issue 7055 - Online initialization of consumers fails with error -23 (#7075)
* Issue 7042 - Enable global_backend_lock when memberofallbackend is enabled (#7043)
* Issue 7078 - audit json logging does not encode binary values
* Issue 7069 - Add Subnet/CIDR Support for HAProxy Trusted IPs (#7070)
* Issue 6660 - CLI, UI - Improve replication log analyzer usability (#7062)
* Issue 7065 - A search filter containing a non normalized DN assertion does not return matching entries (#7068)
* Issue 7071 - search filter (&(cn:dn:=groups)) no longer returns results
* Issue 7073 - Add NDN cache size configuration and enforcement tests (#7074)
* Issue 7041 - CLI/UI - memberOf - no way to add/remove specific group filters
* Issue 7061 - CLI/UI - Improve error messages for dsconf localpwp list
* Issue 7059 - UI - unable to upload pem file
* Issue 7032 - The new ipahealthcheck test ipahealthcheck.ds.backends.BackendsCheck raises CRITICAL issue (#7036)
* Issue 7047 - MemberOf plugin logs null attribute name on fixup task completion (#7048)
* Issue 7044 - RFE - index sudoHost by default (#7046)
* Issue 6979 - Improve the way to detect asynchronous operations in the access logs (#6980)
* Issue 7035 - RFE - memberOf - adding scoping for specific groups
* Issue - CLI/UI - Add option to delete all replication conflict entries
* Issue 7033 - lib389 - basic plugin status not in JSON
* Issue 7023 - UI - if first instance that is loaded is stopped it breaks parts of the UI
* Issue 7027 - 389-ds-base OpenScanHub Leaks Detected (#7028)
* Issue 6966 - On large DB, unlimited IDL scan limit reduce the SRCH performance (#6967)
* Issue 6660 - UI - Improve replication log analysis charts and usability (#6968)
* Issue 6982 - UI - MemberOf shared config does not validate DN properly (#6983)
* Issue 7021 - Units for changing MDB max size are not consistent across different tools (#7022)
* Issue 6954 - do not delete referrals on chain_on_update backend
* Issue 7018 - BUG - prevent stack depth being hit (#7019)
* Issue 6928 - The parentId attribute is indexed with improper matching rule
* Issue 6933 - When deferred memberof update is enabled after the server crashed it should not launch memberof fixup
task by default (#6935)
* Issue 6904 - Fix config_test.py::test_lmdb_config
* Issue 7014 - memberOf - ignored deferred updates with LMDB
* Issue 7012 - improve dscrl dbverify result when backend does not exists (#7013)
* Issue 6929 - Compilation failure with rust-1.89 on Fedora ELN
* Issue 6990 - UI - Replace deprecated Select components with new TypeaheadSelect (#6996)
* Issue 6990 - UI - Fix typeahead Select fields losing values on Enter keypress (#6991)
* Issue 6887 - Enhance logconv.py to add support for JSON access logs (#6889)
* Issue 6985 - Some logconv CI tests fail with BDB (#6986)
* Issue 6891 - JSON logging - add wrapper function that checks for NULL
* Issue 6977 - UI - Show error message when trying to use unavailable ports (#6978)
* Issue 6956 - More UI fixes
* Issue 6947 - Revise time skew check in healthcheck tool and add option to exclude checks
* Issue 6805 - RFE - Multiple backend entry cache tuning
* Issue 6843 - Add CI tests for logconv.py (#6856)
* Issue - UI - update Radio handlers and LDAP entries last modified time
* Issue 6660 - UI - Fix minor typo (#6955)
* Issue 6910 - Fix latest coverity issues
* Issue 6919 - numSubordinates/tombstoneNumSubordinates are inconsisten... (#6920)
* Issue 6663 - Fix NULL subsystem crash in JSON error logging (#6883)
* Issue 6940 - dsconf monitor server fails with ldapi:// due to absent server ID (#6941)
* Issue 6936 - Make user/subtree policy creation idempotent (#6937)
* Issue 6865 - AddressSanitizer: leak in agmt_update_init_status
* Issue 6848 - AddressSanitizer: leak in do_search
* Issue 6850 - AddressSanitizer: memory leak in mdb_init
* Issue 6778 - Memory leak in roles_cache_create_object_from_entry part 2
* Issue 6778 - Memory leak in roles_cache_create_object_from_entry
* Issue 6181 - RFE - Allow system to manage uid/gid at startup
* Issues 6913, 6886, 6250 - Adjust xfail marks (#6914)
* Issue 6768 - ns-slapd crashes when a referral is added (#6780)
* Issue 6468 - CLI - Fix default error log level
* Issue 6339 - Address Coverity scan issues in memberof and bdb_layer (#6353)
* Issue 6897 - Fix disk monitoring test failures and improve test maintainability (#6898)
* Issue 6884 - Mask password hashes in audit logs (#6885)
* Issue 6594 - Add test for numSubordinates replication consistency with tombstones (#6862)
* Issue 6250 - Add test for entryUSN overflow on failed add operations (#6821)
* Issue 6895 - Crash if repl keep alive entry can not be created
* Issue 6893 - Log user that is updated during password modify extended operation
* Issue 6772 - dsconf - Replicas with the "consumer" role allow for viewing and modification of their
changelog. (#6773)
* Issue 6888 - Missing access JSON logging for TLS/Client auth
* Issue 6680 - instance read-only mode is broken (#6681)
* Issue 6878 - Prevent repeated disconnect logs during shutdown (#6879)
* Issue 6872 - compressed log rotation creates files with world readable permission
* Issue 6859 - str2filter is not fully applying matching rules
* Issue 6868 - UI - schema attribute table expansion break after moving to a new page
* Issue 6854 - Refactor for improved data management (#6855)
* Issue 6756 - CLI, UI - Properly handle disabled NDN cache (#6757)
* Issue 6857 - uiduniq: allow specifying match rules in the filter
* Issue 6838 - lib389/replica.py is using nonexistent datetime.UTC in Python 3.9
* Issue 6822 - Backend creation cleanup and Database UI tab error handling (#6823)
* Issue 6782 - Improve paged result locking
* Issue 6825 - RootDN Access Control Plugin with wildcards for IP addre... (#6826)
* Issue 6736 - Exception thrown by dsconf instance repl get_ruv (#6742)
* Issue 6819 - Incorrect pwdpolicysubentry returned for an entry with user password policy
* Issue 6553 - Update concread to 0.5.6 (#6824)
* Issue 1081 - Add a CI test (#6063)
* Issue 6761 - Password modify extended operation should skip password policy checks when executed by root DN
* Issue 6791 - crash in liblmdb during instance shutdown (#6793)
* Issue 6641 - modrdn fails when a user is member of multiple groups (#6643)
* Issue 6776 - Enabling audit log makes slapd coredump
* Issue 6534 - CI fails with Fedora 41 and DNF5
* Issue 6787 - Improve error message when bulk import connection is closed
* Issue 6727 - RFE - database compaction interval should be persistent
* Issue 6438 - Add basic dsidm organizational unit tests
* Issue 6439 - Fix dsidm service get_dn option
* Issue 5120 - ns-slapd doesn't start in referral mode (#6763)
ImportantSUSE bug 1258727CVE-2025-14905 at SUSECVE-2025-14905 at NVDSecurity update for the Linux Kernel (Important)openSUSE Leap 16.0
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2025-39753: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops (bsc#1249590).
- CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (bsc#1251966).
- CVE-2025-40099: cifs: parse_dfs_referrals: prevent oob on malformed input (bsc#1252911).
- CVE-2025-40103: smb: client: Fix refcount leak for cifs_sb_tlink (bsc#1252924).
- CVE-2025-40230: mm: prevent poison consumption when splitting THP (bsc#1254817).
- CVE-2025-68173: ftrace: Fix softlockup in ftrace_module_enable (bsc#1255311).
- CVE-2025-68186: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up (bsc#1255144).
- CVE-2025-68292: mm/memfd: fix information leak in hugetlb folios (bsc#1255148).
- CVE-2025-68295: smb: client: fix memory leak in cifs_construct_tcon() (bsc#1255129).
- CVE-2025-68329: tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs (bsc#1255490).
- CVE-2025-68371: scsi: smartpqi: Fix device resources accessed after device removal (bsc#1255572).
- CVE-2025-68745: scsi: qla2xxx: Clear cmds after chip reset (bsc#1255721).
- CVE-2025-68785: net: openvswitch: fix middle attribute validation in push_nsh() action (bsc#1256640).
- CVE-2025-68810: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot (bsc#1256679).
- CVE-2025-71071: iommu/mediatek: fix use-after-free on probe deferral (bsc#1256802).
- CVE-2025-71104: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (bsc#1256708).
- CVE-2025-71125: tracing: Do not register unsupported perf events (bsc#1256784).
- CVE-2025-71134: mm/page_alloc: change all pageblocks migrate type on coalescing (bsc#1256732).
- CVE-2025-71161: dm-verity: disable recursive forward error correction (bsc#1257174).
- CVE-2025-71184: btrfs: tracepoints: use btrfs_root_id() to get the id of a root (bsc#1257635).
- CVE-2025-71193: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend (bsc#1257686).
- CVE-2025-71225: md: suspend array while updating raid_disks via sysfs (bsc#1258411).
- CVE-2026-22979: net: fix memory leak in skb_segment_list for GRO packets (bsc#1257228).
- CVE-2026-22998: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (bsc#1257209).
- CVE-2026-23003: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() (bsc#1257246).
- CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231).
- CVE-2026-23010: ipv6: Fix use-after-free in inet6_addr_del() (bsc#1257332).
- CVE-2026-23017: idpf: fix error handling in the init_task on load (bsc#1257552).
- CVE-2026-23022: idpf: fix memory leak in idpf_vc_core_deinit() (bsc#1257581).
- CVE-2026-23023: idpf: fix memory leak in idpf_vport_rel() (bsc#1257556).
- CVE-2026-23024: idpf: fix memory leak of flow steer list on rmmod (bsc#1257572).
- CVE-2026-23035: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv (bsc#1257559).
- CVE-2026-23042: idpf: fix aux device unplugging when rdma is not supported by vport (bsc#1257705).
- CVE-2026-23047: libceph: make calc_target() set t->paused, not just clear it (bsc#1257682).
- CVE-2026-23053: NFS: Fix a deadlock involving nfs_release_folio() (bsc#1257718).
- CVE-2026-23057: vsock/virtio: Coalesce only linear skb (bsc#1257740).
- CVE-2026-23064: net/sched: act_ife: avoid possible NULL deref (bsc#1257765).
- CVE-2026-23066: rxrpc: Fix recvmsg() unconditional requeue (bsc#1257726).
- CVE-2026-23068: spi: spi-sprd-adi: Fix double free in probe error path (bsc#1257805).
- CVE-2026-23069: vsock/virtio: fix potential underflow in virtio_transport_get_credit() (bsc#1257755).
- CVE-2026-23070: Octeontx2-af: Add proper checks for fwdata (bsc#1257709).
- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749).
- CVE-2026-23083: tools: ynl-gen: use big-endian netlink attribute types (bsc#1257745).
- CVE-2026-23084: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (bsc#1257830).
- CVE-2026-23085: irqchip/gic-v3-its: Avoid truncating memory addresses (bsc#1257758).
- CVE-2026-23086: vsock/virtio: cap TX credit to local buffer size (bsc#1257757).
- CVE-2026-23088: tracing: Fix crash on synthetic stacktrace field usage (bsc#1257814).
- CVE-2026-23095: gue: Fix skb memleak with inner IP protocol 0 (bsc#1257808).
- CVE-2026-23097: migrate: correct lock ordering for hugetlb file folios (bsc#1257815).
- CVE-2026-23099: bonding: limit BOND_MODE_8023AD to Ethernet devices (bsc#1257816).
- CVE-2026-23100: mm/hugetlb: fix hugetlb_pmd_shared() (bsc#1257817).
- CVE-2026-23102: arm64/fpsimd: signal: Fix restoration of SVE context (bsc#1257772).
- CVE-2026-23104: ice: fix devlink reload call trace (bsc#1257763).
- CVE-2026-23105: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (bsc#1257775).
- CVE-2026-23107: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA (bsc#1257762).
- CVE-2026-23110: scsi: core: Wake up the error handler when final completions race against each other (bsc#1257761).
- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258181).
- CVE-2026-23112: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec (bsc#1258184).
- CVE-2026-23116: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu (bsc#1258277).
- CVE-2026-23119: bonding: provide a net pointer to __skb_flow_dissect() (bsc#1258273).
- CVE-2026-23136: libceph: reset sparse-read state in osd_fault() (bsc#1258303).
- CVE-2026-23139: netfilter: nf_conncount: update last_gc only when GC has been performed (bsc#1258304).
- CVE-2026-23141: btrfs: send: check for inline extents in range_is_hole_in_parent() (bsc#1258377).
- CVE-2026-23142: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure (bsc#1258289).
- CVE-2026-23144: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure (bsc#1258290).
- CVE-2026-23148: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference (bsc#1258258).
- CVE-2026-23154: net: fix segmentation of forwarding fraglist GRO (bsc#1258286).
- CVE-2026-23161: mm/shmem, swap: fix race of truncate and swap entry split (bsc#1258355).
- CVE-2026-23166: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues (bsc#1258272).
- CVE-2026-23169: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() (bsc#1258389).
- CVE-2026-23171: bonding: fix use-after-free due to enslave fail after slave array update (bsc#1258349).
- CVE-2026-23173: net/mlx5e: TC, delete flows only for existing peers (bsc#1258520).
- CVE-2026-23179: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() (bsc#1258394).
- CVE-2026-23189: ceph: fix NULL pointer dereference in ceph_mds_auth_match() (bsc#1258308).
- CVE-2026-23198: KVM: Don't clobber irqfd routing type when deassigning irqfd (bsc#1258321).
- CVE-2026-23208: ALSA: usb-audio: Prevent excessive number of frames (bsc#1258468).
- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258518).
- CVE-2026-23210: ice: Fix PTP NULL pointer dereference during VSI rebuild (bsc#1258517).
- CVE-2026-23214: btrfs: reject new transactions if the fs is fully read-only (bsc#1258464).
- CVE-2026-23223: xfs: fix UAF in xchk_btree_check_block_owner (bsc#1258483).
- CVE-2026-23224: erofs: fix UAF issue for file-backed mounts w/ directio option (bsc#1258461).
The following non security issues were fixed:
- ALSA: usb-audio: Update the number of packets properly at receiving (stable-fixes).
- ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() (git-fixes).
- ASoC: SOF: ipc4-control: If there is no data do not send bytes update (git-fixes).
- Add bugnumber to existing mana and mana_ib changes (bsc#1251135 bsc#1251971).
- HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list (bsc#1258455).
- HID: intel-ish-hid: Update ishtp bus match to support device ID table (stable-fixes).
- PCI/DOE: Poll DOE Busy bit for up to 1 second in pci_doe_send_req() (bsc#1255868).
- PCI: Add ASPEED vendor ID to pci_ids.h (bsc#1258672)
- PCI: Add PCI_BRIDGE_NO_ALIAS quirk for ASPEED AST1150 (bsc#1258672)
- PM: sleep: wakeirq: Update outdated documentation comments (git-fixes).
- Refresh and move upstreamed ath12k patch into sorted section
- Update "drm/mgag200: fix mgag200_bmc_stop_scanout()" bug number (bsc#1258153)
- add bugnumber to existing mana change (bsc#1252266).
- arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS (bsc#1259329)
- bonding: only set speed/duplex to unknown, if getting speed failed (bsc#1253691).
- can: bcm: fix locking for bcm_op runtime updates (git-fixes).
- clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops (git-fixes).
- clocksource: Fix the CPUs' choice in the watchdog per CPU verification (bsc#1257818).
- clocksource: Print durations for sync check unconditionally (bsc#1257818).
- clocksource: Reduce watchdog readout delay limit to prevent false positives (bsc#1257818).
- clocksource: Use pr_info() for "Checking clocksource synchronization" message (bsc#1257818).
- dm: Fix deadlock when reloading a multipath table (bsc#1254928).
- drm/i915/display: Add quirk to skip retraining of dp link (bsc#1253129).
- ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (git-fixes).
- gpiolib-acpi: Update file references in the Documentation and MAINTAINERS (git-fixes).
- i3c: master: Update hot-join flag only on success (git-fixes).
- ktls, sockmap: Fix missing uncharge operation (bsc#1252008).
- media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() (git-fixes).
- modpost: Ensure exported symbol namespaces are not quoted (bsc#1258489).
- net: mana: Handle hardware recovery events when probing the device (bsc#1257466).
- net: mana: Implement ndo_tx_timeout and serialize queue resets per port (bsc#1257472).
- platform/x86/amd: amd_3d_vcache: Add AMD 3D V-Cache optimizer driver (jsc#PED-11563).
- sched/core: Avoid direct access to hrtimer clockbase (bsc#1234634).
- sched/deadline: Fix race in push_dl_task() (bsc#1234634).
- sched/deadline: Stop dl_server before CPU goes offline (bsc#1234634).
- sched/fair: Fix pelt clock sync when entering idle (bsc#1234634).
- sched/fair: Fix pelt lost idle time detection (bsc#1234634).
- staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure (stable-fixes).
- wifi: cfg80211: Fix use_for flag update on BSS refresh (git-fixes).
ImportantSUSE bug 1234634SUSE bug 1249590SUSE bug 1250748SUSE bug 1251135SUSE bug 1251966SUSE bug 1251971SUSE bug 1252008SUSE bug 1252266SUSE bug 1252911SUSE bug 1252924SUSE bug 1253129SUSE bug 1253691SUSE bug 1254817SUSE bug 1254928SUSE bug 1255129SUSE bug 1255144SUSE bug 1255148SUSE bug 1255311SUSE bug 1255490SUSE bug 1255572SUSE bug 1255721SUSE bug 1255868SUSE bug 1256640SUSE bug 1256675SUSE bug 1256679SUSE bug 1256708SUSE bug 1256732SUSE bug 1256784SUSE bug 1256802SUSE bug 1256865SUSE bug 1256867SUSE bug 1257154SUSE bug 1257174SUSE bug 1257209SUSE bug 1257222SUSE bug 1257228SUSE bug 1257231SUSE bug 1257246SUSE bug 1257332SUSE bug 1257466SUSE bug 1257472SUSE bug 1257473SUSE bug 1257551SUSE bug 1257552SUSE bug 1257553SUSE bug 1257554SUSE bug 1257556SUSE bug 1257557SUSE bug 1257559SUSE bug 1257560SUSE bug 1257561SUSE bug 1257562SUSE bug 1257565SUSE bug 1257570SUSE bug 1257572SUSE bug 1257573SUSE bug 1257576SUSE bug 1257579SUSE bug 1257580SUSE bug 1257581SUSE bug 1257586SUSE bug 1257600SUSE bug 1257631SUSE bug 1257635SUSE bug 1257679SUSE bug 1257682SUSE bug 1257686SUSE bug 1257687SUSE bug 1257688SUSE bug 1257704SUSE bug 1257705SUSE bug 1257706SUSE bug 1257707SUSE bug 1257709SUSE bug 1257714SUSE bug 1257715SUSE bug 1257716SUSE bug 1257718SUSE bug 1257722SUSE bug 1257723SUSE bug 1257726SUSE bug 1257729SUSE bug 1257730SUSE bug 1257732SUSE bug 1257734SUSE bug 1257735SUSE bug 1257737SUSE bug 1257739SUSE bug 1257740SUSE bug 1257741SUSE bug 1257742SUSE bug 1257743SUSE bug 1257745SUSE bug 1257749SUSE bug 1257750SUSE bug 1257755SUSE bug 1257757SUSE bug 1257758SUSE bug 1257759SUSE bug 1257761SUSE bug 1257762SUSE bug 1257763SUSE bug 1257765SUSE bug 1257768SUSE bug 1257770SUSE bug 1257772SUSE bug 1257775SUSE bug 1257776SUSE bug 1257788SUSE bug 1257789SUSE bug 1257790SUSE bug 1257805SUSE bug 1257808SUSE bug 1257809SUSE bug 1257811SUSE bug 1257813SUSE bug 1257814SUSE bug 1257815SUSE bug 1257816SUSE bug 1257817SUSE bug 1257818SUSE bug 1257830SUSE bug 1257942SUSE bug 1257952SUSE bug 1258153SUSE bug 1258181SUSE bug 1258184SUSE bug 1258222SUSE bug 1258232SUSE bug 1258234SUSE bug 1258237SUSE bug 1258245SUSE bug 1258249SUSE bug 1258252SUSE bug 1258256SUSE bug 1258258SUSE bug 1258259SUSE bug 1258272SUSE bug 1258273SUSE bug 1258276SUSE bug 1258277SUSE bug 1258279SUSE bug 1258286SUSE bug 1258289SUSE bug 1258290SUSE bug 1258297SUSE bug 1258298SUSE bug 1258299SUSE bug 1258303SUSE bug 1258304SUSE bug 1258308SUSE bug 1258309SUSE bug 1258313SUSE bug 1258317SUSE bug 1258321SUSE bug 1258323SUSE bug 1258324SUSE bug 1258326SUSE bug 1258331SUSE bug 1258338SUSE bug 1258349SUSE bug 1258354SUSE bug 1258355SUSE bug 1258358SUSE bug 1258374SUSE bug 1258376SUSE bug 1258377SUSE bug 1258379SUSE bug 1258389SUSE bug 1258394SUSE bug 1258395SUSE bug 1258397SUSE bug 1258411SUSE bug 1258415SUSE bug 1258419SUSE bug 1258421SUSE bug 1258422SUSE bug 1258424SUSE bug 1258429SUSE bug 1258430SUSE bug 1258442SUSE bug 1258455SUSE bug 1258461SUSE bug 1258464SUSE bug 1258465SUSE bug 1258468SUSE bug 1258469SUSE bug 1258483SUSE bug 1258484SUSE bug 1258489SUSE bug 1258517SUSE bug 1258518SUSE bug 1258519SUSE bug 1258520SUSE bug 1258524SUSE bug 1258544SUSE bug 1258660SUSE bug 1258672SUSE bug 1258824SUSE bug 1259329CVE-2025-39753 at SUSECVE-2025-39753 at NVDCVE-2025-39964 at SUSECVE-2025-39964 at NVDCVE-2025-40099 at SUSECVE-2025-40099 at NVDCVE-2025-40103 at SUSECVE-2025-40103 at NVDCVE-2025-40230 at SUSECVE-2025-40230 at NVDCVE-2025-68173 at SUSECVE-2025-68173 at NVDCVE-2025-68186 at SUSECVE-2025-68186 at NVDCVE-2025-68292 at SUSECVE-2025-68292 at NVDCVE-2025-68295 at SUSECVE-2025-68295 at NVDCVE-2025-68329 at SUSECVE-2025-68329 at NVDCVE-2025-68371 at SUSECVE-2025-68371 at NVDCVE-2025-68745 at SUSECVE-2025-68745 at NVDCVE-2025-68785 at SUSECVE-2025-68785 at NVDCVE-2025-68810 at SUSECVE-2025-68810 at NVDCVE-2025-68818 at SUSECVE-2025-68818 at NVDCVE-2025-71071 at SUSECVE-2025-71071 at NVDCVE-2025-71104 at SUSECVE-2025-71104 at NVDCVE-2025-71125 at SUSECVE-2025-71125 at NVDCVE-2025-71134 at SUSECVE-2025-71134 at NVDCVE-2025-71161 at SUSECVE-2025-71161 at NVDCVE-2025-71182 at SUSECVE-2025-71182 at NVDCVE-2025-71183 at SUSECVE-2025-71183 at NVDCVE-2025-71184 at SUSECVE-2025-71184 at NVDCVE-2025-71185 at SUSECVE-2025-71185 at NVDCVE-2025-71186 at SUSECVE-2025-71186 at NVDCVE-2025-71188 at SUSECVE-2025-71188 at NVDCVE-2025-71189 at SUSECVE-2025-71189 at NVDCVE-2025-71190 at SUSECVE-2025-71190 at NVDCVE-2025-71191 at SUSECVE-2025-71191 at NVDCVE-2025-71192 at SUSECVE-2025-71192 at NVDCVE-2025-71193 at SUSECVE-2025-71193 at NVDCVE-2025-71194 at SUSECVE-2025-71194 at NVDCVE-2025-71195 at SUSECVE-2025-71195 at NVDCVE-2025-71196 at SUSECVE-2025-71196 at NVDCVE-2025-71197 at SUSECVE-2025-71197 at NVDCVE-2025-71198 at SUSECVE-2025-71198 at NVDCVE-2025-71199 at SUSECVE-2025-71199 at NVDCVE-2025-71200 at SUSECVE-2025-71200 at NVDCVE-2025-71222 at SUSECVE-2025-71222 at NVDCVE-2025-71224 at SUSECVE-2025-71224 at NVDCVE-2025-71225 at SUSECVE-2025-71225 at NVDCVE-2025-71229 at SUSECVE-2025-71229 at NVDCVE-2025-71231 at SUSECVE-2025-71231 at NVDCVE-2025-71232 at SUSECVE-2025-71232 at NVDCVE-2025-71233 at SUSECVE-2025-71233 at NVDCVE-2025-71234 at SUSECVE-2025-71234 at NVDCVE-2025-71235 at SUSECVE-2025-71235 at NVDCVE-2025-71236 at SUSECVE-2025-71236 at NVDCVE-2026-22979 at SUSECVE-2026-22979 at NVDCVE-2026-22980 at SUSECVE-2026-22980 at NVDCVE-2026-22998 at SUSECVE-2026-22998 at NVDCVE-2026-23003 at SUSECVE-2026-23003 at NVDCVE-2026-23004 at SUSECVE-2026-23004 at NVDCVE-2026-23010 at SUSECVE-2026-23010 at NVDCVE-2026-23017 at SUSECVE-2026-23017 at NVDCVE-2026-23018 at SUSECVE-2026-23018 at NVDCVE-2026-23021 at SUSECVE-2026-23021 at NVDCVE-2026-23022 at SUSECVE-2026-23022 at NVDCVE-2026-23023 at SUSECVE-2026-23023 at NVDCVE-2026-23024 at SUSECVE-2026-23024 at NVDCVE-2026-23026 at SUSECVE-2026-23026 at NVDCVE-2026-23030 at SUSECVE-2026-23030 at NVDCVE-2026-23031 at SUSECVE-2026-23031 at NVDCVE-2026-23033 at SUSECVE-2026-23033 at NVDCVE-2026-23035 at SUSECVE-2026-23035 at NVDCVE-2026-23037 at SUSECVE-2026-23037 at NVDCVE-2026-23038 at SUSECVE-2026-23038 at NVDCVE-2026-23042 at SUSECVE-2026-23042 at NVDCVE-2026-23047 at SUSECVE-2026-23047 at NVDCVE-2026-23049 at SUSECVE-2026-23049 at NVDCVE-2026-23050 at SUSECVE-2026-23050 at NVDCVE-2026-23053 at SUSECVE-2026-23053 at NVDCVE-2026-23054 at SUSECVE-2026-23054 at NVDCVE-2026-23055 at SUSECVE-2026-23055 at NVDCVE-2026-23056 at SUSECVE-2026-23056 at NVDCVE-2026-23057 at SUSECVE-2026-23057 at NVDCVE-2026-23058 at SUSECVE-2026-23058 at NVDCVE-2026-23059 at SUSECVE-2026-23059 at NVDCVE-2026-23060 at SUSECVE-2026-23060 at NVDCVE-2026-23061 at SUSECVE-2026-23061 at NVDCVE-2026-23062 at SUSECVE-2026-23062 at NVDCVE-2026-23063 at SUSECVE-2026-23063 at NVDCVE-2026-23064 at SUSECVE-2026-23064 at NVDCVE-2026-23065 at SUSECVE-2026-23065 at NVDCVE-2026-23066 at SUSECVE-2026-23066 at NVDCVE-2026-23068 at SUSECVE-2026-23068 at NVDCVE-2026-23069 at SUSECVE-2026-23069 at NVDCVE-2026-23070 at SUSECVE-2026-23070 at NVDCVE-2026-23071 at SUSECVE-2026-23071 at NVDCVE-2026-23073 at SUSECVE-2026-23073 at NVDCVE-2026-23074 at SUSECVE-2026-23074 at NVDCVE-2026-23076 at SUSECVE-2026-23076 at NVDCVE-2026-23078 at SUSECVE-2026-23078 at NVDCVE-2026-23080 at SUSECVE-2026-23080 at NVDCVE-2026-23082 at SUSECVE-2026-23082 at NVDCVE-2026-23083 at SUSECVE-2026-23083 at NVDCVE-2026-23084 at SUSECVE-2026-23084 at NVDCVE-2026-23085 at SUSECVE-2026-23085 at NVDCVE-2026-23086 at SUSECVE-2026-23086 at NVDCVE-2026-23088 at SUSECVE-2026-23088 at NVDCVE-2026-23089 at SUSECVE-2026-23089 at NVDCVE-2026-23090 at SUSECVE-2026-23090 at NVDCVE-2026-23091 at SUSECVE-2026-23091 at NVDCVE-2026-23094 at SUSECVE-2026-23094 at NVDCVE-2026-23095 at SUSECVE-2026-23095 at NVDCVE-2026-23096 at SUSECVE-2026-23096 at NVDCVE-2026-23097 at SUSECVE-2026-23097 at NVDCVE-2026-23099 at SUSECVE-2026-23099 at NVDCVE-2026-23100 at SUSECVE-2026-23100 at NVDCVE-2026-23101 at SUSECVE-2026-23101 at NVDCVE-2026-23102 at SUSECVE-2026-23102 at NVDCVE-2026-23104 at SUSECVE-2026-23104 at NVDCVE-2026-23105 at SUSECVE-2026-23105 at NVDCVE-2026-23107 at SUSECVE-2026-23107 at NVDCVE-2026-23108 at SUSECVE-2026-23108 at NVDCVE-2026-23110 at SUSECVE-2026-23110 at NVDCVE-2026-23111 at SUSECVE-2026-23111 at NVDCVE-2026-23112 at SUSECVE-2026-23112 at NVDCVE-2026-23116 at SUSECVE-2026-23116 at NVDCVE-2026-23119 at SUSECVE-2026-23119 at NVDCVE-2026-23121 at SUSECVE-2026-23121 at NVDCVE-2026-23123 at SUSECVE-2026-23123 at NVDCVE-2026-23128 at SUSECVE-2026-23128 at NVDCVE-2026-23129 at SUSECVE-2026-23129 at NVDCVE-2026-23131 at SUSECVE-2026-23131 at NVDCVE-2026-23133 at SUSECVE-2026-23133 at NVDCVE-2026-23135 at SUSECVE-2026-23135 at NVDCVE-2026-23136 at SUSECVE-2026-23136 at NVDCVE-2026-23137 at SUSECVE-2026-23137 at NVDCVE-2026-23139 at SUSECVE-2026-23139 at NVDCVE-2026-23141 at SUSECVE-2026-23141 at NVDCVE-2026-23142 at SUSECVE-2026-23142 at NVDCVE-2026-23144 at SUSECVE-2026-23144 at NVDCVE-2026-23145 at SUSECVE-2026-23145 at NVDCVE-2026-23146 at SUSECVE-2026-23146 at NVDCVE-2026-23148 at SUSECVE-2026-23148 at NVDCVE-2026-23150 at SUSECVE-2026-23150 at NVDCVE-2026-23151 at SUSECVE-2026-23151 at NVDCVE-2026-23152 at SUSECVE-2026-23152 at NVDCVE-2026-23154 at SUSECVE-2026-23154 at NVDCVE-2026-23155 at SUSECVE-2026-23155 at NVDCVE-2026-23156 at SUSECVE-2026-23156 at NVDCVE-2026-23157 at SUSECVE-2026-23157 at NVDCVE-2026-23158 at SUSECVE-2026-23158 at NVDCVE-2026-23161 at SUSECVE-2026-23161 at NVDCVE-2026-23163 at SUSECVE-2026-23163 at NVDCVE-2026-23166 at SUSECVE-2026-23166 at NVDCVE-2026-23167 at SUSECVE-2026-23167 at NVDCVE-2026-23169 at SUSECVE-2026-23169 at NVDCVE-2026-23170 at SUSECVE-2026-23170 at NVDCVE-2026-23171 at SUSECVE-2026-23171 at NVDCVE-2026-23172 at SUSECVE-2026-23172 at NVDCVE-2026-23173 at SUSECVE-2026-23173 at NVDCVE-2026-23176 at SUSECVE-2026-23176 at NVDCVE-2026-23177 at SUSECVE-2026-23177 at NVDCVE-2026-23178 at SUSECVE-2026-23178 at NVDCVE-2026-23179 at SUSECVE-2026-23179 at NVDCVE-2026-23182 at SUSECVE-2026-23182 at NVDCVE-2026-23188 at SUSECVE-2026-23188 at NVDCVE-2026-23189 at SUSECVE-2026-23189 at NVDCVE-2026-23190 at SUSECVE-2026-23190 at NVDCVE-2026-23191 at SUSECVE-2026-23191 at NVDCVE-2026-23198 at SUSECVE-2026-23198 at NVDCVE-2026-23202 at SUSECVE-2026-23202 at NVDCVE-2026-23207 at SUSECVE-2026-23207 at NVDCVE-2026-23208 at SUSECVE-2026-23208 at NVDCVE-2026-23209 at SUSECVE-2026-23209 at NVDCVE-2026-23210 at SUSECVE-2026-23210 at NVDCVE-2026-23213 at SUSECVE-2026-23213 at NVDCVE-2026-23214 at SUSECVE-2026-23214 at NVDCVE-2026-23221 at SUSECVE-2026-23221 at NVDCVE-2026-23222 at SUSECVE-2026-23222 at NVDCVE-2026-23223 at SUSECVE-2026-23223 at NVDCVE-2026-23224 at SUSECVE-2026-23224 at NVDCVE-2026-23229 at SUSECVE-2026-23229 at NVDCVE-2026-23230 at SUSECVE-2026-23230 at NVDSecurity update for python-black (Important)openSUSE Leap 16.0
This update for python-black fixes the following issues:
- CVE-2026-31900: a malicious pyproject.toml edit can lead to arbitrary code execution (bsc#1259546).
- CVE-2026-32274: arbitrary file writes from unsanitized user input in cache file name (bsc#1259608).
ImportantSUSE bug 1259546SUSE bug 1259608CVE-2026-31900 at SUSECVE-2026-31900 at NVDCVE-2026-32274 at SUSECVE-2026-32274 at NVDSecurity update for python-pyasn1 (Important)openSUSE Leap 16.0
This update for python-pyasn1 fixes the following issue:
- CVE-2026-30922: Denial of Service via Unbounded Recursion (bsc#1259803).
ImportantSUSE bug 1259803CVE-2026-30922 at SUSECVE-2026-30922 at NVDSecurity update for python-pyOpenSSL (Important)openSUSE Leap 16.0
This update for python-pyOpenSSL fixes the following issues:
- CVE-2026-27448: unhandled exception can result in connection not being cancelled (bsc#1259804).
- CVE-2026-27459: large cookie value can lead to a buffer overflow (bsc#1259808).
ImportantSUSE bug 1259804SUSE bug 1259808CVE-2026-27448 at SUSECVE-2026-27448 at NVDCVE-2026-27459 at SUSECVE-2026-27459 at NVDSecurity update for ffmpeg-7 (Moderate)openSUSE Leap 16.0
This update for ffmpeg-7 fixes the following issues:
- Updated to version 7.1.2:
* avcodec/librsvgdec: fix compilation with librsvg 2.50.3
* libavfilter/af_firequalizer: Add check for av_malloc_array()
* avcodec/libsvtav1: unbreak build with latest svtav1
* avformat/hls: Fix Youtube AAC
* Various bugfixes.
* CVE-2025-7700: Fixed NULL Pointer Dereference in ALS Decoder (bsc#1246790)
ModerateSUSE bug 1246790CVE-2025-7700 at SUSECVE-2025-7700 at NVDSecurity update for python-ldap (Moderate)openSUSE Leap 16.0
This update for python-ldap fixes the following issues:
- CVE-2025-61911: Enforce str for escape_filter_chars (bsc#1251912).
- CVE-2025-61912: Escape NULs as per RFC 4514 in escape_dn_chars (bsc#1251913).
ModerateSUSE bug 1251912SUSE bug 1251913CVE-2025-61911 at SUSECVE-2025-61911 at NVDCVE-2025-61912 at SUSECVE-2025-61912 at NVDSecurity update for python-PyJWT (Important)openSUSE Leap 16.0
This update for python-PyJWT fixes the following issue:
Update to PyJWT 2.12.1:
- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).
Changelog:
Update to 2.12.1:
- Add missing typing_extensions dependency for Python < 3.11 in
#1150
Update to 2.12.0:
- Annotate PyJWKSet.keys for pyright by @tamird in #1134
- Close HTTPError response to prevent ResourceWarning on
Python 3.14 by @veeceey in #1133
- Do not keep algorithms dict in PyJWK instances by @akx in
#1143
- Use PyJWK algorithm when encoding without explicit
algorithm in #1148
- Docs: Add PyJWKClient API reference and document the
two-tier caching system (JWK Set cache and signing key LRU
cache).
Update to 2.11.0:
- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in #1105
- Validate key against allowed types for Algorithm family in
#964
- Add iterator for JWKSet in #1041
- Validate iss claim is a string during encoding and decoding
by @pachewise in #1040
- Improve typing/logic for options in decode, decode_complete
by @pachewise in #1045
- Declare float supported type for lifespan and timeout by
@nikitagashkov in #1068
- Fix SyntaxWarnings/DeprecationWarnings caused by invalid
escape sequences by @kurtmckee in #1103
- Development: Build a shared wheel once to speed up test
suite setup times by @kurtmckee in #1114
- Development: Test type annotations across all supported
Python versions, increase the strictness of the type
checking, and remove the mypy pre-commit hook by @kurtmckee
in #1112
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by
@kurtmckee in #1104
- Development: Migrate to build to test package building in
CI by @kurtmckee in #1108
- Development: Improve coverage config and eliminate unused
test suite code by @kurtmckee in #1115
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in
#1110
- Docs: Fix Read the Docs builds by @kurtmckee in #1111
- Docs: Add example of using leeway with nbf by @djw8605 in
#1034
- Docs: Refactored docs with autodoc; added PyJWS and
jwt.algorithms docs by @pachewise in #1045
- Docs: Documentation improvements for "sub" and "jti" claims
by @cleder in #1088
- Development: Add pyupgrade as a pre-commit hook by
@kurtmckee in #1109
- Add minimum key length validation for HMAC and RSA keys
(CWE-326). Warns by default via InsecureKeyLengthWarning
when keys are below minimum recommended lengths per RFC
7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass
enforce_minimum_key_length=True in options to PyJWT or
PyJWS to raise InvalidKeyError instead.
- Refactor PyJWT to own an internal PyJWS instance instead of
calling global api_jws functions.
ImportantSUSE bug 1259616CVE-2026-32597 at SUSECVE-2026-32597 at NVDSecurity update for fetchmail (Moderate)openSUSE Leap 16.0
This update for fetchmail fixes the following issues:
- CVE-2025-61962: Fixed denial of service (bsc#1251194)
ModerateSUSE bug 1251194CVE-2025-61962 at SUSECVE-2025-61962 at NVDSecurity update for openexr (Important)openSUSE Leap 16.0
This update for openexr fixes the following issue:
- CVE-2026-27622: crafted multipart deep EXR can cause an heap out-of-bound write (bsc#1259177).
ImportantSUSE bug 1259177CVE-2026-27622 at SUSECVE-2026-27622 at NVDSecurity update for net-tools (Moderate)openSUSE Leap 16.0
This update for net-tools fixes the following issues:
- Fix stack buffer overflow in parse_hex (bsc#1248687, GHSA-h667-qrp8-gj58).
- Fix stack-based buffer overflow in proc_gen_fmt (bsc#1248687, GHSA-w7jq-cmw2-cq59).
- Avoid unsafe memcpy in ifconfig (bsc#1248687).
- Prevent overflow in ax25 and netrom (bsc#1248687)
- Keep possibility to enter long interface names, even if they are
not accepted by the kernel, because it was always possible up to
CVE-2025-46836 fix. But issue a warning about an interface name
concatenation (bsc#1248410).
ModerateSUSE bug 1243581SUSE bug 1248410SUSE bug 1248687SUSE bug 142461SUSE bug 430864SUSE bug 544339CVE-2025-46836 at SUSECVE-2025-46836 at NVDSecurity update for docker-compose (Important)openSUSE Leap 16.0
This update for docker-compose fixes the following issues:
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in
response to a key listing or signing request (bsc#1253584).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds
read (bsc#1254041).
- CVE-2025-62725: OCI compose artifacts can be used to escape the cache directory and overwrite arbitrary files
(bsc#1252752).
ImportantSUSE bug 1252752SUSE bug 1253584SUSE bug 1254041CVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-62725 at SUSECVE-2025-62725 at NVDSecurity update for MozillaFirefox (Important)openSUSE Leap 16.0
This update for MozillaFirefox fixes the following issues:
Update to Firefox 140.9.0 ESR (MFSA 2026-22, bsc#1260083):
- CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component
- CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component
- CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component
- CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component
- CVE-2026-4692: Sandbox escape in the Responsive Design Mode component
- CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component
- CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component
- CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component
- CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component
- CVE-2026-4700: Mitigation bypass in the Networking: HTTP component
- CVE-2026-4701: Use-after-free in the JavaScript Engine component
- CVE-2026-4702: JIT miscompilation in the JavaScript Engine component
- CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component
- CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component
- CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4708: Incorrect boundary conditions in the Graphics component
- CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component
- CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component
- CVE-2026-4711: Use-after-free in the Widget: Cocoa component
- CVE-2026-4712: Information disclosure in the Widget: Cocoa component
- CVE-2026-4713: Incorrect boundary conditions in the Graphics component
- CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component
- CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component
- CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
- CVE-2026-4717: Privilege escalation in the Netmonitor component
- CVE-2025-59375: Denial-of-service in the XML component
- CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component
- CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component
- CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and
Thunderbird 149
- CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9,
Firefox 149 and Thunderbird 149
ImportantSUSE bug 1260083CVE-2025-59375 at SUSECVE-2025-59375 at NVDCVE-2026-4684 at SUSECVE-2026-4684 at NVDCVE-2026-4685 at SUSECVE-2026-4685 at NVDCVE-2026-4686 at SUSECVE-2026-4686 at NVDCVE-2026-4687 at SUSECVE-2026-4687 at NVDCVE-2026-4688 at SUSECVE-2026-4688 at NVDCVE-2026-4689 at SUSECVE-2026-4689 at NVDCVE-2026-4690 at SUSECVE-2026-4690 at NVDCVE-2026-4691 at SUSECVE-2026-4691 at NVDCVE-2026-4692 at SUSECVE-2026-4692 at NVDCVE-2026-4693 at SUSECVE-2026-4693 at NVDCVE-2026-4694 at SUSECVE-2026-4694 at NVDCVE-2026-4695 at SUSECVE-2026-4695 at NVDCVE-2026-4696 at SUSECVE-2026-4696 at NVDCVE-2026-4697 at SUSECVE-2026-4697 at NVDCVE-2026-4698 at SUSECVE-2026-4698 at NVDCVE-2026-4699 at SUSECVE-2026-4699 at NVDCVE-2026-4700 at SUSECVE-2026-4700 at NVDCVE-2026-4701 at SUSECVE-2026-4701 at NVDCVE-2026-4702 at SUSECVE-2026-4702 at NVDCVE-2026-4704 at SUSECVE-2026-4704 at NVDCVE-2026-4705 at SUSECVE-2026-4705 at NVDCVE-2026-4706 at SUSECVE-2026-4706 at NVDCVE-2026-4707 at SUSECVE-2026-4707 at NVDCVE-2026-4708 at SUSECVE-2026-4708 at NVDCVE-2026-4709 at SUSECVE-2026-4709 at NVDCVE-2026-4710 at SUSECVE-2026-4710 at NVDCVE-2026-4711 at SUSECVE-2026-4711 at NVDCVE-2026-4712 at SUSECVE-2026-4712 at NVDCVE-2026-4713 at SUSECVE-2026-4713 at NVDCVE-2026-4714 at SUSECVE-2026-4714 at NVDCVE-2026-4715 at SUSECVE-2026-4715 at NVDCVE-2026-4716 at SUSECVE-2026-4716 at NVDCVE-2026-4717 at SUSECVE-2026-4717 at NVDCVE-2026-4718 at SUSECVE-2026-4718 at NVDCVE-2026-4719 at SUSECVE-2026-4719 at NVDCVE-2026-4720 at SUSECVE-2026-4720 at NVDCVE-2026-4721 at SUSECVE-2026-4721 at NVDSecurity update for GraphicsMagick (Important)openSUSE Leap 16.0
This update for GraphicsMagick fixes the following issues:
- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-28690: missing bounds check in the MNG encoder can lead to a stack buffer overflow (bsc#1259456).
- CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write (bsc#1259467).
ImportantSUSE bug 1258786SUSE bug 1259456SUSE bug 1259467CVE-2026-25799 at SUSECVE-2026-25799 at NVDCVE-2026-28690 at SUSECVE-2026-28690 at NVDCVE-2026-30883 at SUSECVE-2026-30883 at NVDSecurity update for runc (Important)openSUSE Leap 16.0
This update for runc fixes the following issues:
- Update to runc v1.3.3:
* CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Fixed container breakouts by bypassing
runc's restrictions for writing to arbitrary /proc files (bsc#1252232)
ImportantSUSE bug 1252110SUSE bug 1252232CVE-2025-31133 at SUSECVE-2025-31133 at NVDCVE-2025-52565 at SUSECVE-2025-52565 at NVDCVE-2025-52881 at SUSECVE-2025-52881 at NVDSecurity update for tomcat10 (Important)openSUSE Leap 16.0
This update for tomcat10 fixes the following issues:
Update to Tomcat 10.1.52:
- CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled (bsc#1252753).
- CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat
(bsc#1252905).
- CVE-2025-61795: temporary copies during the processing of multipart upload can lead to a denial of service
(bsc#1252756).
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
+ Fix: 69623: Additional fix for the long standing regression that meant
that calls to ClassLoader.getResource().getContent() failed when made from
within a web application with resource caching enabled if the target
resource was packaged in a JAR file. (markt)
+ Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the
CsrfPreventionFilter. (schultz)
+ Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2
requests when the content-length header is not set. (dsoumis)
+ Update: Enable minimum and recommended Tomcat Native versions to be set
separately for Tomcat Native 1.x and 2.x. Update the minimum and
recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum
and recommended versions for Tomcat Native 2.x to 2.0.12. (markt)
+ Add: Add a new ssoReauthenticationMode to the Tomcat provided
Authenticators that provides a per Authenticator override of the SSO Valve
requireReauthentication attribute. (markt)
+ Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception
rather than silently using a replacement character. (markt)
+ Fix: 69932: Fix request end access log pattern regression, which would log
the start time of the request instead. (remm)
+ Fix: 69871: Increase log level to INFO for missing configuration for the
rewrite valve. (remm)
+ Fix: Add log warnings for additional Host appBase suspicious values.
(remm)
+ Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar.
org.apache.catalina.Connector no longer requires
org.apache.tomcat.jni.AprStatus to be present. (markt)
+ Add: Add the ability to use a custom function to generate the client
identifier in the CrawlerSessionManagerValve. This is only available
programmatically. Pull request #902 by Brian Matzon. (markt)
+ Fix: Change the SSO reauthentication behaviour for SPNEGO authentication
so that a normal SPNEGO authentication is performed if the SSL Valve is
configured with reauthentication enabled. This is so that the delegated
credentials will be available to the web application. (markt)
+ Fix: When generating the class path in the Loader, re-order the check on
individual class path components to avoid a potential
NullPointerException. Identified by Coverity Scan. (markt)
+ Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull
request #915 by Joshua Rogers. (remm)
+ Update: Add an attribute, digestInRfc3112Order, to
MessageDigestCredentialHandler to control the order in which the
credential and salt are digested. By default, the current, non-RFC 3112
compliant, order of salt then credential will be used. This default will
change in Tomcat 12 to the RFC 3112 compliant order of credential then
salt. (markt)
+ Fix: Log warnings when the SSO configuration does not comply with the
documentation. (remm)
+ Update: Deprecate the RemoteAddrFilter and RemoteAddrValve in favour of
the RemoteCIDRFilter and RemoteCIDRValve. (markt)
+ Fix: 69837: Fix corruption of the class path generated by the Loader when
running on Windows. (markt)
+ Fix: Reject requests that map to invalid Windows file names earlier.
(markt)
+ Fix: 69839: Ensure that changes to session IDs (typically after
authentication) are promulgated to the SSO Valve to ensure that SSO
entries are fully clean-up on session expiration. Patch provided by Kim
Johan Andersson. (markt)
+ Fix: Fix a race condition in the creation of the storage location for the
FileStore. (markt)
* Cluster
+ Add: 62814: Document that human-readable names may be used for
mapSendOptions and align documentation with channelSendOptions. Based on
pull request #929 by archan0621. (markt)
* Clustering
+ Fix: Correct a regression introduced in 10.1.45 that broke some clustering
configurations. (markt)
* Coyote
+ Fix: 69936: Fix bug in previous fix for Tomcat Native crashes on shutdown
that triggered a significant memory leak. Patch provided by Wes. (markt)
+ Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm)
+ Fix: Improve warnings when setting ciphers lists in the FFM code,
mirroring the tomcat-native changes. (remm)
+ Fix: 69910: Dereference TLS objects right after closing a socket to
improve memory efficiency. (remm)
+ Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig
to reflect the existing implementation that allows one configuration style
to be used for the trust attributes and a different style for all the
other attributes. (markt)
+ Fix: Better warning message when OpenSSLConf configuration elements are
used with a JSSE TLS implementation. (markt)
+ Fix: When using OpenSSL via FFM, don't log a warning about missing CA
certificates unless CA certificates were configured and the configuration
failed. (markt)
+ Add: For configuration consistency between OpenSSL and JSSE TLS
implementations, TLSv1.3 cipher suites included in the ciphers attribute
of an SSLHostConfig are now always ignored (previously they would be
ignored with OpenSSL implementations and used with JSSE implementations)
and a warning is logged that the cipher suite has been ignored. (markt)
+ Add: Add the ciphersuite attribute to SSLHostConfig to configure the
TLSv1.3 cipher suites. (markt)
+ Add: Add OCSP support to JSSE based TLS connectors and make the use of
OCSP configurable per connector for both JSSE and OpenSSL based TLS
implementations. Align the checks performed by OpenSSL with those
performed by JSSE. (markt)
+ Add: Add support for soft failure of OCSP checks with soft failure support
disabled by default. (markt)
+ Add: Add support for configuring the verification flags passed to
OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt)
+ Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
+ Fix: Prevent concurrent release of OpenSSLEngine resources and the
termination of the Tomcat Native library as it can cause crashes during
Tomcat shutdown. (markt)
+ Fix: Don't log an incorrect certificate KeyStore location when creating a
TLS connector if the KeyStore instance has been set directly on the
connector. (markt)
+ Fix: HTTP/0.9 only allows GET as the HTTP method. (remm)
+ Add: Add strictSni attribute on the Connector to allow matching the
SSLHostConfig configuration associated with the SNI host name to the
SSLHostConfig configuration matched from the HTTP protocol host name. Non
matching configurations will cause the request to be rejected. The
attribute default value is true, enabling the matching. (remm)
+ Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
+ Fix: Fix use of deferAccept attribute in JMX, since it is normally only
removed in Tomcat 11. (remm)
+ Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL
provider. Pull request #912 by aogburn. (markt)
+ Fix: Fix potential crash on shutdown when a Connector depends on the
Tomcat Native library. (markt)
+ Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers.
+ Fix: 69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests
received via the AJP connector were processed as OPTIONS requests and
PROPFIND requests were processed as TRACE. (markt)
+ Fix: Various OCSP processing issues in the OpenSSL FFM code. (dsoumis)
* General
+ Add: Add test.silent property to suppress JUnit console output during test
execution. Useful for cleaner console output when running tests with
multiple threads. (csutherl)
* Jasper
+ Fix: 69333: Correct a regression in the previous fix for 69333 and ensure
that reuse() or release() is always called for a tag. (markt)
+ Fix: 69877: Catch IllegalArgumentException when processing URIs when
creating the classpath to handle invalid URIs. (remm)
+ Fix: Fix populating the classpath with the webapp classloader
repositories. (remm)
+ Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some
exception details. Patch submitted by Eric Blanquer. (remm)
* Jdbc-pool
+ Fix: 64083: If the underlying connection has been closed, don't add it to
the pool when it is returned. Pull request #235 by Alex Panchenko. (markt)
* Web applications
+ Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server
status output if one or more of the web applications failed to start.
(schultz)
+ Add: Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
+ Add: Documentation: Expand the documentation to better explain when OCSP
is supported and when it is not. (markt)
* Websocket
+ Fix: 69920: When attempting to write to a closed Writer or OutputStream
obtained from a WebSocket session, throw an IOException rather than an
IllegalStateExcpetion as required by Writer and strongly suggested by
OutputStream. (markt)
+ Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the
underlying Inflater and/or Deflater throwing IllegalStateException when
closed rather than NullPointerException as they do in Java 24 and earlier.
* Other
+ Update: Update the internal fork of Commons Pool to 2.13.1. (markt)
+ Update: Update the internal fork of Commons DBCP to 2.14.0. (markt)
+ Update: Update Commons Daemon to 1.5.1. (markt)
+ Update: Update ByteBuddy to 1.18.3. (markt)
+ Update: Update UnboundID to 7.0.4. (markt)
+ Update: Update Checkstyle to 12.3.1. (markt)
+ Add: Improvements to French translations. (markt)
+ Add: Improvements to Japanese translations provided by tak7iji. (markt)
+ Add: Improvements to Chinese translations provided by Yang. vincent.h and
yong hu. (markt)
+ Update: Update Tomcat Native to 2.0.12. (markt)
+ Add: Add property "gpg.sign.files" to optionally disable release artefact
signing with GPG. (rjung)
+ Add: Add test profile system for selective test execution. Profiles can be
specified via -Dtest.profile=<name> to run specific test subsets without
using patterns directly. Profile patterns are defined in
test-profiles.properties. (csutherl)
+ Update: Update file extension to media type mappings to align with the
current list used by the Apache Web Server (httpd). (markt)
+ Update: Update the packaged version of the Tomcat Migration Tool for
Jakarta EE to 1.0.10. (markt)
+ Update: Update Commons Daemon to 1.5.0. (markt)
+ Update: Update Byte Buddy to 1.18.2. (markt)
+ Update: Update Checkstyle to 12.2.0. (markt)
+ Add: Improvements to Spanish translations provided by White Vogel. (markt)
+ Add: Improvements to French translations. (remm)
+ Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt)
+ Update: Update to Byte Buddy 1.17.8. (markt)
+ Update: Update to Checkstyle 12.1.1. (markt)
+ Update: Update to Jacoco 0.8.14. (markt)
+ Update: Update to SpotBugs 4.9.8. (markt)
+ Update: Update to JSign 7.4. (markt)
+ Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung)
Update to Tomcat 10.1.48:
+ Update: Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the
RemoteCIDRFilter and RemoteCIDRValve. (markt)
+ Fix: HTTP methods are case-sensitive so always use case sensitive
comparisons when comparing HTTP methods. (markt)
+ Fix: 69814: Ensure that HttpSession.isNew() returns false once the client
has joined the session. (markt)
+ Fix: Further performance improvements for ParameterMap. (jengebr/markt)
+ Code: Refactor access log time stamps to be based on the Instant request
processing starts. (markt)
+ Fix: Fix a case-sensitivity issue in the trailer header allow list.
+ Fix: Be proactive in cleaning up temporary files after a failed multi-part
upload rather than waiting for GC to do it. (markt)
+ Update: Change the digest used to calculate strong ETags (if enabled) for
the default Servlet from SHA-1 to SHA-256 to align with the recommendation
in RFC 9110 that hash functions used to generate strong ETags should be
collision resistant. (markt)
+ Fix: Correct a regression in the fix for 69781 that broke FileStore.
+ Code: Remove a number of unnecessary packages from the
catalina-deployer.jar. (markt)
+ Fix: 69781: Fix concurrent access issues in the session FileStore
implementation that were causing lost sessions when the store was used
with the PersistentValve. Based on pull request #882 by Aaron Ogburn.
+ Fix: Fix handling of QSA and QSD flags in RewriteValve. (markt)
+ Fix: Prevent the channel configuration (sender, receiver, membership
service) from being changed unless the channel is fully stopped. (markt)
+ Fix: Handle spurious wake-ups during leader election for
NonBlockingCoordinator. (markt)
+ Fix: Handle spurious wake-ups during sending of messages by RpcChannel.
+ Update: Add specific certificate selection code for TLS 1.3 supporting
post quantum cryptography. Certificates defined with type MLDSA will be
selected depending on the TLS client hello. (remm)
+ Update: Add groups attribute on SSLHostConfig allowing to restrict which
groups can be enabled on the SSL engine. (remm)
+ Add: Optimize the conversion of HTTP method from byte form to String form.
+ Fix: Store HTTP request headers using the original case for the header
name rather than forcing it to lower case. (markt)
+ Update: Add hybrid PQC support to OpenSSL, based on code from mod_ssl.
Using this OpenSSL specific code path, additional PQC certificates defined
with type MLDSA are added to contexts which use classic certificates.
(jfclere/remm)
+ Fix: Ensure keys are handed out to OpenSSL even if PEMFile fails to
process it, with appropriate logging. (remm)
+ Fix: Add new ML-DSA key algorithm to PEMFile and improve reporting when
reading a key fails. (remm)
+ Fix: Fix possible early timeouts for network operations caused by a
spurious wake-up of a waiting thread. Found by Coverity Scan. (markt)
+ Fix: Documentation. Clarify the purpose of the maxPostSize attribute of
the Connector element. (markt)
+ Fix: Avoid NPE in manager webapp displaying certificate information.
+ Update: Update Byte Buddy to 1.17.7. (markt)
+ Update: Update Checkstyle to 11.1.0. (markt)
+ Update: Update SpotBugs to 4.9.6. (markt)
+ Update: Update Jsign to 7.2. (markt)
+ Add: Improvements to Russian translations provided by usmazat. (markt)
+ Update: Minor refactoring in JULI loggers. Patch provided by minjund.
+ Code: Review logging and include the full stack trace and exception
message by default rather then just the exception message when logging an
error or warning in response to an exception. (markt)
+ Add: Add escaping to log formatters to align with JSON formatter. (markt)
+ Update: Update Checkstyle to 11.0.0. (markt)
ImportantSUSE bug 1252753SUSE bug 1252756SUSE bug 1252905SUSE bug 1253460SUSE bug 1258371SUSE bug 1258385SUSE bug 1258387CVE-2025-55752 at SUSECVE-2025-55752 at NVDCVE-2025-55754 at SUSECVE-2025-55754 at NVDCVE-2025-61795 at SUSECVE-2025-61795 at NVDCVE-2025-66614 at SUSECVE-2025-66614 at NVDCVE-2026-24733 at SUSECVE-2026-24733 at NVDCVE-2026-24734 at SUSECVE-2026-24734 at NVDSecurity update for gnutls (Moderate)openSUSE Leap 16.0
This update for gnutls fixes the following issues:
- CVE-2025-14831: Fixed DoS via excessive resource consumption during certificate verification. (bsc#1257960)
- CVE-2025-9820: Fixed a buffer overflow in gnutls_pkcs11_token_init. (bsc#1254132)
- Add the functionality to allow to specify the hash algorithm for the PSK. This fixes a bug in the current implementation where the binder is always calculated with SHA256. (bsc#1258083, jsc#PED-15752, jsc#PED-15753)
ModerateSUSE bug 1254132SUSE bug 1257960SUSE bug 1258083CVE-2025-14831 at SUSECVE-2025-14831 at NVDCVE-2025-9820 at SUSECVE-2025-9820 at NVDSecurity update for postgresql16 (Important)openSUSE Leap 16.0
This update for postgresql16 fixes the following issues:
- Update to versio 16.13. (bsc#1258754)
- CVE-2026-2003: Guard against unexpected dimensions of oidvector/int2vector (bsc#1258008)
- CVE-2026-2004: Harden selectivity estimators against being attached to operators that accept unexpected data types. (bsc#1258009)
- CVE-2026-2005: Fix buffer overrun in contrib/pgcrypto's PGP decryption functions. (bsc#1258010)
- CVE-2026-2006: Fix inadequate validation of multibyte character lengths. (bsc#1258011)
ImportantSUSE bug 1258008SUSE bug 1258009SUSE bug 1258010SUSE bug 1258011SUSE bug 1258754CVE-2026-2003 at SUSECVE-2026-2003 at NVDCVE-2026-2004 at SUSECVE-2026-2004 at NVDCVE-2026-2005 at SUSECVE-2026-2005 at NVDCVE-2026-2006 at SUSECVE-2026-2006 at NVDSecurity update for expat (Important)openSUSE Leap 16.0
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition
(bsc#1259729).
ImportantSUSE bug 1259711SUSE bug 1259726SUSE bug 1259729CVE-2026-32776 at SUSECVE-2026-32776 at NVDCVE-2026-32777 at SUSECVE-2026-32777 at NVDCVE-2026-32778 at SUSECVE-2026-32778 at NVDSecurity update for postgresql13 (Important)openSUSE Leap 16.0
This update for postgresql13 fixes the following issues:
Security fixes:
- CVE-2025-12817: Fixed missing check for CREATE privileges
on the schema in CREATE STATISTICS allowed table owners to create
statistics in any schema, potentially leading to unexpected naming
conflicts (bsc#1253332)
- CVE-2025-12818: Fixed several places in libpq were not
sufficiently careful about computing the required size of a memory
allocation. Sufficiently large inputs could cause integer overflow,
resulting in an undersized buffer, which would then lead to writing
past the end of the buffer (bsc#1253333)
Other fixes:
- Update to 13.23
* https://www.postgresql.org/about/news/p-3171/
* https://www.postgresql.org/docs/release/13.23
ImportantSUSE bug 1253332SUSE bug 1253333CVE-2025-12817 at SUSECVE-2025-12817 at NVDCVE-2025-12818 at SUSECVE-2025-12818 at NVDSecurity update for gnome-online-accounts, gvfs (Important)openSUSE Leap 16.0
This update for gnome-online-accounts, gvfs fixes the following issues:
Changes for gvfs:
Update gvfs to 1.59.90:
- CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953).
- CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user supplied file paths
(bsc#1258954).
Changelog:
Update to version 1.59.90:
+ client: Fix use-after-free when creating async proxy failed
+ udisks2: Emit changed signals from update_all()
+ daemon: Fix race on subscribers list when on thread
+ ftp: Validate fe_size when parsing symlink target
+ ftp: Check localtime() return value before use
+ gphoto2: Use g_try_realloc() instead of g_realloc()
+ cdda: Reject path traversal in mount URI host
+ client: Fail when URI has invalid UTF-8 chars
+ udisks2: Fix memory corruption with duplicate mount paths
+ build: Update GOA dependency to > 3.57.0
+ Some other fixes
+ ftp: Use control connection address for PASV data.
+ ftp: Reject paths containing CR/LF characters
Update to version 1.59.1:
+ mtp: replace Android extension checks with capability checks
+ dav: Add X-OC-Mtime header on push to preserve last modified
time
+ udisks2: Use hash tables in the volume monitor to improve
performance
+ onedrive: Check for identity instead of presentation identity
+ build: Disable google option and mark as deprecated
Update to version 1.58.2:
+ ftp: Use control connection address for PASV data
+ ftp: Reject paths containing CR/LF characters
Update to version 1.58.1:
+ cdda: Fix duration of last track for some media
+ build: Fix build when google option is disabled
+ Fix various memory leaks
+ Updated translations.
Update to version 1.58.0:
+ mtp: Allow cancelling ongoing folder enumerations
+ wsdd: Use socket-activated service if available
+ onedrive: Set emblem for remote data
+ fix: Add file rename support in MTP backend move operation
+ mtp: Fix -Wmaybe-uninitialized warning in pad_file
+ fuse: use fuse_(un)set_feature_flag for libfuse 3.17+
+ smbbrowse: Purge server cache for next auth try
+ metatree: Open files with O_CLOEXEC
+ cdda: Fix incorrect track duration for 99-track CDs
+ metadata: Fix journal file permissions inconsistency
+ dav: recognize 308 Permanent Redirect
Changes for gnome-online-accounts:
Update to version 3.58.0:
+ SMTP server without password cannot be configured
+ Remove unneeded SMTP password escaping
+ build: Disable google provider Files feature
+ MS365: Fix mail address and name
+ Google: Set mail name to presentation identity
+ Updated translations.
Update to version 3.57.1:
+ Default Microsoft 365 client is unverified
+ Microsoft 365: Make use of email for id
+ goadaemon: Allow manage system notifications
+ goamsgraphprovider: bump credentials generation
+ goaprovider: Allow to disable, instead of enable, selected
providers
Changes from version 3.57.0:
+ Support for saving a Kerberos password to the keychain after
the first login
+ changing expired kerberos password is not supported.
+ Provided Files URI does not override undiscovered endpoint
+ DAV client rejects 204 status in OPTIONS request handler
+ Include emblem-default-symbolic.svg
+ Connecting a Runbox CardDAV/CalDAV account hangs/freezes after
sign in
+ i81n: fix translatable string
+ goaimapsmptprovider: fix accounts without SMTP or
authentication-less SMTP
+ build: only install icons for the goabackend build
+ build: don't require goabackend to build documentation
+ ci: test the build without gtk4
+ DAV-client: Added short path for SOGo
Update to version 3.56.4:
+ Bugs fixed:
- Unclear which part of "IMAP+SMTP" account test failed
- Adding nextcloud account which has a subfolder does not work
- goadaemon: Handle broken account configs
Update to version 3.56.3:
- Add DAV detection and configuration for SOGo
- DAV discovery fails when certain SRV lookups fail
Update to version 3.56.1:
- Support for saving a Kerberos password after the first login
- Changing expired kerberos password is not supported
- Provided Files URI does not override undiscovered endpoint
- DAV client rejects 204 status in OPTIONS request handler
Update to version 3.56.0:
+ Code style and logging cleanups
+ Updated translations
Update to version 3.55.2:
+ goaoauth2provider: improve error handling for auth/token
endpoints
Update to version 3.55.1:
- Support Webflow authentication for Nextcloud
- Rename dconf key in gnome-online-accounts settings
- "Account Name" GUI field is a bit ambiguous
- Failed to generate a new POT file for the user interface of
"gnome-online-accounts" (domain: "po") and some missing files
from POTFILES.in
Update to version 3.55.0:
- Add progress spinner for OAuth2 dialogs
- Remove Windows Live! option
- Improve goa_oauth2_provider_ensure_credentials_sync
- Authentication failure in goa IMAP accounts
- Missing files from POTFILES.in
- WebDAV not detected for mail.ru
- goaoauth2provider: fix task chaining for subclasses
- Always lowercase domains when looking up base
- goadavclient: check Nextcloud fallback last
- goabackend: add a composite widget for authflow links
- goadavclient: fix the mailbox.org preconfig
Update to version 3.54.5:
- Adding GOA account fails with sonic.net IMAP service
- Cannot add a ProtonMail bridge with IMAP + TLS
- Nextcloud login does not work anymore due to OPTIONS /login
request
- Linked online accounts no longer work
- Invalid URI when adding Google account
- goamsgraphprovider: ensure a valid PresentationIdentity
- goadaemon: complete GTasks to avoid a scary debug warning
ImportantSUSE bug 1258953SUSE bug 1258954CVE-2026-28295 at SUSECVE-2026-28295 at NVDCVE-2026-28296 at SUSECVE-2026-28296 at NVDSecurity update for alloy (Moderate)openSUSE Leap 16.0
This update for alloy fixes the following issues:
- CVE-2025-58058: Removed dependency on vulnerable github.com/ulikunitz/xz (bsc#1248960).
- CVE-2025-11065: Fixed sensitive information leak in logs (bsc#1250621).
ModerateSUSE bug 1248960SUSE bug 1250621CVE-2025-11065 at SUSECVE-2025-11065 at NVDCVE-2025-58058 at SUSECVE-2025-58058 at NVDSecurity update for kea (Important)openSUSE Leap 16.0
This update for kea fixes the following issues:
Update to 3.0.3:
- CVE-2025-11232: invalid characters cause assert (bsc#1252863).
- CVE-2026-3608: stack overflow via maliciously crafted message (bsc#1260380).
Changelog:
* A large number of bracket pairs in a JSON payload directed to
any endpoint would result in a stack overflow, due to recursive
calls when parsing the JSON. This has been fixed.
(CVE-2026-3608)
[bsc#1260380]
* When a hostname or FQDN received from a client is reduced to an
empty string by hostname sanitizing, kea-dhcp4 and kea-dhcp6
will now drop the option.
(CVE-2025-11232)
[bsc#1252863]
* A null dereference is now no longer possible when configuring
the Control Agent with a socket that lacks the mandatory
socket-name entry.
* UNIX sockets are now created as group-writable.
* Removed logging an error in ping check hook library if using
lease cache treshold.
* Fixed deadlock in ping-check hooks library.
* Fixed a data race in ping-check hooks library.
ImportantSUSE bug 1252863SUSE bug 1260380CVE-2025-11232 at SUSECVE-2025-11232 at NVDCVE-2026-3608 at SUSECVE-2026-3608 at NVDFeature update for himmelblau (Important)openSUSE Leap 16.0
This update for himmelblau fixes the following issues:
Update to himmelblau 2.3.8 (jsc#PED-14511):
Security issues:
- CVE-2025-54882: world readable cloud TGT token (bsc#1247735).
- CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249013).
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257904).
- CVE-2026-31979: race condition when accessiung /tmp/krb5cc_<uid> (bsc#1259548).
Non security issues:
- Fix SELinux module packaging to use standard policy macros (bsc#1258236).
Changelog:
Version 2.3.8:
* Add PrivateTmp back to Tasks Daemon
* Drop dead code
* Drop krb5 ccache dir code
* Add a TODO comment
* Drop non working packaged krb5 snippet file
* Write kerberos config snippet
* Extend resolver interface to return kerberos config together with TGTs
* Backport SELinux fixes from main
* Use libkrimes to store TGTs
Version 2.3.7:
* cargo vet
* Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
* Revert dependency change which broke the nightly build
* gen_dockerfiles: only himmelblaud has tpm feature, fix all others
* fix(build): gen_dockerfiles.py mutates shared features list mid-loop
Version 2.3.5:
* Better handle Intune API version
* Update make vet from main branch
* pam_himmelblau: call split_username once in chauthtok
* pam_himmelblau: return PAM_IGNORE in chauthtok for local users
* Don't attempt a DAG when Hello fails with SSPR demand
Version 2.3.4:
* deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates
* Revert sketching update (which breaks SLE16 build)
Version 2.3.3:
* /var/cache/private/himmelblaud should not be created tmpfiles
* Updatee python vers for dataclasses dep
* deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates
* Generate pin init service file systemd < 250
* Checkin missing himmelblaud.if file for SELinux
* Resolve typos in selinux package commands
Version 2.3.2:
* Compile SELinux policy at install time for cross-distro compatibility
* Improve PAM configuration on openSUSE/SLE
* Fix SELinux policy
* Add a git hook to ensure selinux policy is tested
* Ignore generated himmelblau-hsm-pin-init service file
* Refactor SELinux policy for cross-distro compatibility
* Fix NSS lookup for mapped local users
* Skip OS version compliance checks when min/max values are empty
Version 2.3.1:
* Remove references to qrcodegen (these are 3.x features)
* QR Greeter compatibility for old GNOME
* Enable QR greeter automatically
* ci: Use latest cargo-vet from git to fix CI
* Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x
Version 2.3.0:
* Autostart the daemons on fresh install or upgrade
* Restart sshd when installing the ssh config
* Allow tasks daemon to write krb ccache
* Do not enumerate mapped users in NSS
* Update libhimmelblau to latest version
* Fix Tumbleweed build
Version 2.2.0:
* Update libhimmelblau to 0.8.x series
* deps(rust): bump the all-cargo-updates group with 17 updates
* Only use OpenSSH bug workaround for ssh service
* Fix debug noise from removing user from sudo group
* systemd: install files to /usr/lib/, not /etc/
Version 2.1.0:
* Fix nightly authselect build failure
* Generate the authselect profiles for each distro
* Improve pam config handling in aad-tool
* Make `aad-tool configure-pam` detect location of pam files
Version 2.0.5:
* /var/lib/private/himmelblaud should be owned by root
* Use tmpfiles.d to create himmelblaud private data directory
* deps(rust): bump the all-cargo-updates group with 13 updates
Version 2.0.4:
* Update kanidm_build_profiles mask version
* Utilize cargo vet from main
* Add policies cache patch via systemd-tmpfiles
* Fix man page comments about change idmap_range
* Stub picky-krb for osc build
* Stub a kanidm_build_profiles which builds in osc
* Ensure nss cache is created on Ubuntu/Debian
* Request a user token if NSS hasn't been called
Version 2.0.3:
* Add nss cache patch via systemd-tmpfiles
Version 2.0.2:
* Recommend `patch` with the pam package
* Fix passwordless FIDO authentication not being used when available
* Git workflow updates for stable-2.x
* Only warn on Intune failure
Version 2.0.1:
* Force o365 desktop files to always rebuild
* Always rebuild the o365 apps
* Add restart on-failure to systemd services
* Clarify `domain` SHOULD match login domain
* Remove warning about `domain` himmelblau.conf opt
* Pseudo eliminate multi-tenant and domains section
* Revert "Fix Hello PIN lookup when an alias domain"
* Comment out `KbdInteractiveAuthentication on` in sshd conf
* Check the nxset sooner, to avoid unwanted errors
* Recommend oddjob_mkhomedir with authselect
* Pin libhimmelblau to 0.7.x
* Deprecate Fedora 41
* deps(rust): bump the all-cargo-updates group with 11 updates
* Bump github/codeql-action from 4.30.8 to 4.31.2
* Bump cachix/install-nix-action from 31.8.1 to 31.8.2
* Bump actions/upload-artifact from 4.6.2 to 5.0.0
* cargo clippy and rebase fix
* fixup! add extra debug output to NotFound error code
* force error output to show up in CI logs
* wrap repeated sources of IdpError::NotFound in helper functions
* add extra debug output to NotFound error code
* use direnv for loading the nix devshell
* We should still encourage mapping by name
* Add support for Fedora 43
* Provide a offline 'breakglass' mode
* cargo clippy
* Add warning about incorrect nsswitch configuration
* Distinguish between online and offline token fail
* Ensure user token uses original name
* Fix alias domain in auth result causing failure
* Resolve cargo clippy warnings
* Only map on cn name for the primary domain
* Install systemd in build scripts for gen service
* Fix systemd version parsing
* Update libhimmelblau to 0.7.19
* Resolve SELinux build failures in nightly (part 2)
* Rocky container image updates were failing
* Warn instead of error when no idmap_range specified
* deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates
* Trim whitespace from local group names
* Fix borrowing error
* Fix reference to local_sudo_group in condition
* Only run sudo_groups if local_groups does not contain local_sudo_group
* Leave SELinux in permissive mode for Himmelblau
* Resolve SELinux build failures in nightly
* nix: add join_type option to nixos-module settings
* Build host configuration changes
* Ensure that hsm_pin isn't present decrypted
* Document Soft HSM changes to TPM bound
* Disable SELinux by default on NixOS
* sh doesn't have `source`
* Encrypt hsm-pin using systemd-creds
* Recommend uuid id mapping
* Improve himmelblau.conf man page formatting
* Implement Local User Mapping
* Add o365 dependency for jq
* Add selinux rules for gdm login
* Narrow the scope of selinux policy with audit2allow
* Generate the systemd service files
* Fix selinux build for SLE16
* Resolve SLE16 build dependency failure
* Fix the rawhide build
* Mask the sshkey-attest package
* Bump cachix/install-nix-action from 31.7.0 to 31.8.1
* cargo vet dependency updates
* deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates
* Bump actions/dependency-review-action from 4.8.0 to 4.8.1
* Bump cachix/install-nix-action from 31.7.0 to 31.8.0
* Bump github/codeql-action from 3.30.5 to 4.30.8
* Bump ossf/scorecard-action from 2.4.2 to 2.4.3
* SELinux improvements
* Fix a typo in package gen scripts
* cargo fmt
* Permit NSS response for mapped primary fake group
* Fix Nix Error With Fuzz
* Decrease CI fuzzer setup time
* Document join types
* Support for Entra registered devices
* Run `cargo test` in a container
* Bump cachix/install-nix-action from 31.6.2 to 31.7.0
* deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates
* Bump github/codeql-action from 3.30.4 to 3.30.5
* Use pastey crate instead of unmaintained paste
* Pin unmaintained serde_cbor dep to serde_cbor_2
* Resolve tower-http `cargo audit` warning
* Replace unmaintained fxhash with own version
* Resolve warning about workflow top level write permissions
* Remove dependabot automerge
* Resolve division by 0 in idmap code
* [StepSecurity] ci: Harden GitHub Actions
* Only idmap against initialized domains
* Resolve invalid init of idmap with same domain
* Add fuzzing of idmap code
* Add basic fuzzing of the config options
* Resolve error found by fuzzing
* cargo vet prune
* deps(rust): bump regex in the all-cargo-updates group
* Bump actions/dependency-review-action from 4.7.3 to 4.8.0
* Bump actions/checkout from 3.6.0 to 5.0.0
* Bump cachix/cachix-action from 14 to 16
* Bump ossf/scorecard-action from 2.4.0 to 2.4.2
* Bump cachix/install-nix-action from 25 to 31
* Add the OpenSSF Best Practices badge
* Add scorecard badge
* [StepSecurity] Apply security best practices
* Fix group static mapping
* Move aad-tool idmap cache clear to the idmap cmd
* Resolve errant "Hello key missing." messages
* Update flake.nix
* Slow the dependabot update frequency
* Audit dependabot updates
* deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
* feat: Add support for aarch64 on Debian-based distributions
* Resolve possible invalid pointer dereferences
* Avoid revealing account ids in debug log
* Cause doc links to open in the correct apps
* Permit opening multiple instances of Word/Excel
* Modify systray and app close behavior
* Don't use questionably licensed icons for o365
* Resolve NixOS CI failure
* Fix building w/out deprecated interactive feature
* Update himmelblau.conf.5 sudo_groups example
* Entra group based sudo access
* Audited the cargo updates
* deps(rust): bump the all-cargo-updates group with 6 updates
* Vet libhimmelblau
* Add `make vet` command
* Update deny.toml
* Remove incompatible licenses from deps
* Fix RHEL8 package signing
* Add SBOM generation
* Add an IRP checklist for security incidents
* Run the nixos build/release on the correct version
* Add crate dependency auditing on MR
* Add some exceptions
* Initialize cargo vet
* Remove in-tree kanidm dependencies
* Fix Hello PIN lookup when an alias domain
* Raise maximum group lookup from 100 to 999
* Always work with lowercase account names
* Modify FUNDING.yml for funding sources
* Remove glib dependency
* deps(rust): bump the all-cargo-updates group with 10 updates
* Add CI check for licenses
* Update dependabot.yml to target all stable branches
* Add authselect module for Rocky/Fedora
* Recommend packages, instead of require
* Add a Contributing document
* Add a Code of Conduct
* add withSelinux flag to nix build, brings SELinux binaries into the build environment.
* deps(rust): bump tracing-subscriber in the cargo group
* Don't overwrite the himmelblau.conf on rpm upgrade
* Add help output to the Makefile
* Fix building packages with docker in root mode
* Update to latest libhimmelblau and identity_dbus_broker
* Make PRT SSO cookie via broker work as well for Edge
* Make broker work for Edge
* Generate Office 365 desktop apps
* Update README
* Add `make uninstall` command
* Remove the deprecated tests suite
* Himmelblau no longer has git submodules
* Make install using packages
* Add Debian 13 packages
* Generate Dockerfiles automatically
* Add SELinux configuration
* Himmelblau daemon requires system tss user
* Add cron dependency for Intune scripts
* Do not mangle /usr/etc configuration files
* deps(rust): bump the all-cargo-updates group with 7 updates
* Add SLE16 (beta) build target
* Automatically append to nsswitch.conf in postinst
* Correct the RPM postinst script syntax
* Fix Kerberos credential cache permissions
* Set file owner and group before writing its content
* Create SECURITY.md
* Rev the dev version to 2.0.0
* Ensure alias domains match when checking Intune device id
* Debian 12 doesn't support ConditionPathExists and notify-reload
* Write scripts policy to a readable directory
* Apply Intune policies right after enrollment
* Add more debug instrumentation
* Provide device_id to Intune enrollment if not cached
* Ensure nss cache directory is created during install
* Remove /var/cache/himmelblaud access from tasks daemon
* Resolve daemon startup absolute path warnings
* Delay Intune enrollment on Device Auth fail
* Do not leak the Intune IW service token in the logs
Version 1.4.2:
* Revert libhimmelblau unstable update
Version 1.4.1:
* Update Intune to use app version 1.2511.7
Version 1.4.0:
* Resolve build failures
* deps(rust): bump the all-cargo-updates group across 1 directory with 6 updates
Version 1.3.0:
* Revert the self-hosted runner name
* deps(rust): bump the all-cargo-updates group with 23 updates
* Include latest branch in CI
* Self hosted runners
Version 1.1.0:
* Fix policy application
* Add remaining Linux password compliance policies
* Add custom compliance enforcement
* deps(rust): bump the all-cargo-updates group with 3 updates
* deps(rust): bump the all-cargo-updates group with 5 updates
* Add SLE15SP7 build target
* Add RHEL 10 build target
* Fix Intermittent auth issue AADSTSError 16000
* Remove old utf8proc dependency
* Add `fedora42` build target
* Handle PRT expiration and tie to offline auth
* Correctly delete the Hello keys on bad pin count
* Add ability to disable Hello PIN per-service
* Update NixOS support to 25.05
* Handle disabled device by attempting re-enrollment
* Always attempt confidential client creds for aad-tool
* Include HSM option defs in himmelblau.conf man page
* Improve the aad-tool cache-clear command
* Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
* Add the ability to remove confidential client creds
* If bad PIN count is exceeded, delete the Hello key
* deps(rust): bump the all-cargo-updates group with 4 updates
* Add instructions for creating developer builds
* Fix GDM3 first time login password prompt
* Default HsmType should be soft
* Add himmelblaud to tss group for TPM startup
* Enforce strict order for the systemd units
* Update libhimmelblau and compact_jwt
* Fix builds w/tpm
* aad-tool Authentication flow improvements
* Filter out irrelevant debug in aad-tool
* Create a unified login experience for aad-tool
* Utilize confidential creds for aad-tool enumerate
* himmelblau should get posix attributes w/out delegate user access
* Always use the Object Id for mapping Group to GID
* Update enhancement-request.md for SPI donations
* Update bug_report.md with SPI donation
* Update build requires in README.md
* Update FUNDING.yml with SPI Paypal donation button
* Don't break from tasks loop when policies fail
* Enroll in Intune as soon as it is enabled
* Implement `decoupled hello` behavior
* Cache encrypted PRT to disk for offline login SSO
* Update to latest hsm-crypto
* Enable tpm functionality
* Allow altering the password and PIN prompt messages
* Ensure Hello PIN lockout happens when online
* Cache the build target output to improve build times
* Easier build selection w/ Makefile
* Revert mistaken removal from Makefile
* Make the user wait longer with each incorrect PIN
* Make the bad PIN count configurable
* Improve aad-tool manpage
* aad-tool fails if the user has FIDO2 enabled
* Offline auth permits authentication with invalid Hello PIN
* PIN complexity to match Windows
* Update to latest SSSD idmap code
* Add aad-tool options for setting posix attrs
* Add scopes and redirect uris aad-tool application create
* Add aad-tool commands for managaging extension attrs
* Utilize the sidtoname call for object id mapping
* Add commands for listing/creating App registrations
* Potential fix for code scanning alert no. 2: Workflow does not contain permissions
* Potential fix for code scanning alert no. 4: Workflow does not contain permissions
* Potential fix for code scanning alert: Workflow does not contain permissions
* Never write the app_id to the server config
* Disable passwordless Fido by default
* Stop using deprecated `users` crate
* When group membership lookup fails, use cached groups
* aad-tool command for enumerating users and groups
* Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
* Add the configure-pam option to aad-tool man page
* Add static idmap cache for on-prem to cloud migration
* Update bug_report.md with request for himmelblau.conf
* deps(rust): bump the all-cargo-updates group with 2 updates
* Update crates in a group
* Update crate bumps
* Utilize new Intune compliance enforcement via libhimmelblau
* Correct the README regarding Intune policy compliance
* Disable Chromium policy
* Re-enable Intune policy and add scripts and compliance policies
* himmelblau.conf alias `domain` as `domains`
* Support Fido auth in pam passwd
* Add TAP support to himmelblaud and pam passwd
* Mixed case names should properly identify Hello Key
* Update linux-entra-sso to latest version
* Fix group lookup for Entra Id group name
* Fix mixed case name lookup from PRT cache
* Crate updates
* Fix tasks daemon debug output
* Remove write locks where unecessary
* Fix deadlock in nss
* systemd notify fixes
* Console
* Address Feedback
* Order services before gdb/nss-user-target
* deps(rust): bump rpassword from 7.3.1 to 7.4.0
* deps(rust): bump tokio from 1.44.2 to 1.45.0
* deps(rust): bump sha2 from 0.10.8 to 0.10.9
* deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
* deps(rust): bump clap from 4.5.31 to 4.5.38
* Update notify-debouncer-full
* Update opentelemetry
* Update dependencies
* deps(rust): bump time from 0.3.39 to 0.3.41
* Replace source filter that blacklists files with filter that whitelists files.
* Mark himmelblau.conf as config in rpm
* Update README.md
* Ensure only the base URL is printed to log
* If unix_user_get fails, wait, and try again
* Supplying a PRT cookie to SSO doesn't require network
* Don't send a password prompt if the network is down
* Auth via MFA if Hello PIN fails 3 times
* Improve Hello PIN failed auth error
* Fix rocky9 build
* deps(rust): bump anyhow from 1.0.96 to 1.0.98
* deps(rust): bump libc from 0.2.170 to 0.2.172
* deps(rust): bump cc from 1.2.16 to 1.2.19
* deps(rust): bump tokio from 1.43.0 to 1.44.2
* deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
* deps(rust): bump reqwest from 0.12.12 to 0.12.15
* Update libhimmelblau in Cargo.lock
* Fix nss and offline checks for domain aliases
* Report error when MS Authenticator denies authorization
* Bail out of invalid offline auth
* Handle AADSTS errors from BeginAuth response
* Never dump failed reqwests to the log
* Update sccache-action version to use new cache service
* Permit daemon to start when network is down
* Add an nss cache for when daemon is down
* Additional pam info cues
* Proceed with Hello auth even with net down
* Indicate to the user what the password and PIN are
* Ensure pam messages are seen
* Display the minimum PIN length during Hello setup
* PAM should loop, not die on error
* Ensure prompt msg remains for confirmation
* Update bug_report.md
* Ignore demands for setting up MS Authenticator
* Login fails if Entra is configured to recommend MS authenticator
* Add pam configure command to aad-tool
* Update README.md with pam passwd instructions
* aad-tool authtest needs to map names
* Update demo video in README.md
* Sign RPM packages
* Ensure the pam module is installed correctly for SLE
* Improve pam error handling and messaging
* Only push cachix builds for stable releases
* Terminate linux-entra-sso when browser terminates
* On deb, push pam config after install
* Increase priority of deb PAM passwd for Himmelblau
* Improve offline state handling
* Specify request for Entra Id password in PAM
* QR Greeter also supports gnome-shell 47
* Fix profile photo loading
* Clarify pam_allow_groups in himmelblau.conf man page
* Don't hide debug for pam_allow_groups miss
* Handle failures in passwordless auth
* build all root packages
* split config options that can be defined per-domain from those which are global only
* configure cachix signing and upload in ci
* deps(rust): bump serde_json from 1.0.138 to 1.0.140
* deps(rust): bump serde from 1.0.218 to 1.0.219
* deps(rust): bump time from 0.3.37 to 0.3.39
* deps(rust): bump bytes from 1.10.0 to 1.10.1
* deps(rust): bump pkg-config from 0.3.31 to 0.3.32
* Entra Id is case insensitive, cache lookup must match
* deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
* Support CompanionAppsNotification mfa method
* QR code for gnome-shell greeter
* Allow tasks to start if AccountsService dir missing
* Remove invalid python dependency from sso package
* Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
* Clear server config when clearing cache
* Update version in the Cargo.lock
* deps(rust): bump async-trait from 0.1.86 to 0.1.87
* deps(rust): bump chrono from 0.4.39 to 0.4.40
* Fix himmelblau.conf man page cn_name_mapping entry
* deps(rust): bump pem from 3.0.4 to 3.0.5
* deps(rust): bump serde from 1.0.217 to 1.0.218
Version 1.0.0:
* deps(rust): bump cc from 1.2.15 to 1.2.16
* Update workflow versions
ImportantSUSE bug 1247735SUSE bug 1249013SUSE bug 1257904SUSE bug 1258236SUSE bug 1259548CVE-2025-54882 at SUSECVE-2025-54882 at NVDCVE-2025-58160 at SUSECVE-2025-58160 at NVDCVE-2026-25727 at SUSECVE-2026-25727 at NVDCVE-2026-31979 at SUSECVE-2026-31979 at NVDSecurity update for python-Pillow (Important)openSUSE Leap 16.0
This update for python-Pillow fixes the following issues:
- CVE-2026-25990: Fixed an out-of-bounds write when opening a specially crafted PSD image. (bsc#1258125)
ImportantSUSE bug 1258125CVE-2026-25990 at SUSECVE-2026-25990 at NVDSecurity update for perl-XML-Parser (Important)openSUSE Leap 16.0
This update for perl-XML-Parser fixes the following issues:
- CVE-2006-10002: heap buffer overflow in `parse_stream` when processing UTF-8 input streams (bsc#1259901).
- CVE-2006-10003: off-by-one heap buffer overflow in `st_serial_stack` (bsc#1259902).
ImportantSUSE bug 1259901SUSE bug 1259902CVE-2006-10002 at SUSECVE-2006-10002 at NVDCVE-2006-10003 at SUSECVE-2006-10003 at NVDSecurity update for dnsdist (Low)openSUSE Leap 16.0
This update for dnsdist fixes the following issues:
Update to dnsdist 1.9.11:
- CVE-2025-8671: add mitigations for the HTTP/2 MadeYouReset attack (bsc#1253852).
- CVE-2025-30187: denial of service via crafted DoH exchange (bsc#1250054).
LowSUSE bug 1250054SUSE bug 1253852CVE-2025-30187 at SUSECVE-2025-30187 at NVDCVE-2025-8671 at SUSECVE-2025-8671 at NVDSecurity update for cockpit-repos (Important)openSUSE Leap 16.0
This update for cockpit-repos fixes the following issue:
- CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character
that doesn't appear in the test string (bsc#1258637).
ImportantSUSE bug 1258637CVE-2026-26996 at SUSECVE-2026-26996 at NVDSecurity update for tigervnc (Important)openSUSE Leap 16.0
This update for tigervnc fixes the following issues:
- CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. (bsc#1260871)
ImportantSUSE bug 1260871CVE-2026-34352 at SUSECVE-2026-34352 at NVDSecurity update for libpng16 (Important)openSUSE Leap 16.0
This update for libpng16 fixes the following issues:
- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
crashes (bsc#1260755).
ImportantSUSE bug 1260754SUSE bug 1260755CVE-2026-33416 at SUSECVE-2026-33416 at NVDCVE-2026-33636 at SUSECVE-2026-33636 at NVDSecurity update for python-cbor2 (Important)openSUSE Leap 16.0
This update for python-cbor2 fixes the following issues:
- CVE-2025-68131: CBORDecoder reuse across trust boundaries can lead to leak of shareable values from previous decode
calls via attacker-controlled messages (bsc#1255783).
- CVE-2026-26209: uncontrolled recursion via crafted CBOR payloads can cause a denial of service (bsc#1260367).
ImportantSUSE bug 1255783SUSE bug 1260367CVE-2025-68131 at SUSECVE-2025-68131 at NVDCVE-2026-26209 at SUSECVE-2026-26209 at NVDSecurity update for cockpit-packages (Important)openSUSE Leap 16.0
This update for cockpit-packages fixes the following issue:
Update cockpit-packages to version 4:
- CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character
that doesn't appear in the test string (bsc#1258641).
Changes for cockpit-packages:
* Translation updates
* Dependency updates
ImportantSUSE bug 1258641CVE-2026-26996 at SUSECVE-2026-26996 at NVDSecurity update for libtasn1 (Moderate)openSUSE Leap 16.0
This update for libtasn1 fixes the following issues:
- CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in
`asn1_expend_octet_string` (bsc#1256341).
ModerateSUSE bug 1256341CVE-2025-13151 at SUSECVE-2025-13151 at NVDSecurity update for systemd (Important)openSUSE Leap 16.0
This update for systemd fixes the following issues:
Update to systemd v257.13:
Security issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: local root execution via malicious hardware devices and unsanitized kernel output (bsc#1259697).
Non security issues:
- Avoid shipping (empty) directories and ghost files in /var (jsc#PED-14853).
- Sign systemd-boot EFI binary on aarch64 (bsc#1258344)
- terminal-util: stop doing 0/upper bound check in tty_is_vc() (bsc#1255326)
Changelog:
- 6941d92dc2 machined: reject invalid class types when registering machines (bsc#1259650 CVE-2026-4105)
- 03bb697b8d udev: check for invalid chars in various fields received from the kernel (bsc#1259697)
- 54588d2ded core: validate input cgroup path more prudently (bsc#1259418 CVE-2026-29111)
- fb9d92682b terminal-util: stop doing 0/upper bound check in tty_is_vc() (bsc#1255326)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/3c53ef3ea20bd43ef587cbdfa7107aeb1ef55654...d349fc5cd4f9ee2b7884c2610647e92806d14b28
ImportantSUSE bug 1255326SUSE bug 1258344SUSE bug 1259418SUSE bug 1259650SUSE bug 1259697CVE-2026-29111 at SUSECVE-2026-29111 at NVDCVE-2026-4105 at SUSECVE-2026-4105 at NVDSecurity update for tar (Important)openSUSE Leap 16.0
This update for tar fixes the following issue:
Security issue:
- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).
Non security issue:
- Fixes tar creating invalid tarballs when used with --delete (bsc#1246607)
ImportantSUSE bug 1246399SUSE bug 1246607CVE-2025-45582 at SUSECVE-2025-45582 at NVDSecurity update for the Linux Kernel (Important)openSUSE Leap 16.0
The SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel was updated to receive various security bugfixes.
The following security bugs were fixed:
- CVE-2024-53164: net: sched: fix ordering of qlen adjustment (bsc#1234863).
- CVE-2024-57891: sched_ext: Fix invalid irq restore in scx_ops_bypass() (bsc#1235953).
- CVE-2024-57951: hrtimers: Handle CPU state correctly on hotplug (bsc#1237108).
- CVE-2024-57952: Revert "libfs: fix infinite directory reads for offset dir" (bsc#1237131).
- CVE-2024-58090: sched/core: Prevent rescheduling when interrupts are disabled (bsc#1240324).
- CVE-2025-22034: mm/rmap: avoid -EBUSY from make_device_exclusive() (bsc#1241435).
- CVE-2025-22077: Revert "smb: client: fix TCP timers deadlock after rmmod" (bsc#1241403).
- CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782).
- CVE-2025-37821: sched/eevdf: Fix se->slice being set to U64_MAX and resulting (bsc#1242864).
- CVE-2025-37849: KVM: arm64: Tear down vGIC on failed vCPU creation (bsc#1243000).
- CVE-2025-37856: btrfs: harden block_group::bg_list against list_del() races (bsc#1243068).
- CVE-2025-37861: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue (bsc#1243055).
- CVE-2025-37864: net: dsa: clean up FDB, MDB, VLAN entries on unbind (bsc#1242965).
- CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930).
- CVE-2025-38008: mm/page_alloc: fix race condition in unaccepted memory handling (bsc#1244939).
- CVE-2025-38019: mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices (bsc#1245000).
- CVE-2025-38034: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (bsc#1244792).
- CVE-2025-38038: cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost (bsc#1244812).
- CVE-2025-38058: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151).
- CVE-2025-38062: kABI: restore layout of struct msi_desc (bsc#1245216).
- CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734).
- CVE-2025-38101: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() (bsc#1245659).
- CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663).
- CVE-2025-38106: io_uring/sqpoll: do not put task_struct on tctx setup failure (bsc#1245664).
- CVE-2025-38117: hci_dev centralize extra lock (bsc#1245695).
- CVE-2025-38119: scsi: core: ufs: Fix a hang in the error handler (bsc#1245700).
- CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710).
- CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767).
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780).
- CVE-2025-38168: perf: arm-ni: Unregister PMUs on probe failure (bsc#1245763).
- CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970).
- CVE-2025-38182: ublk: santizize the arguments from userspace when adding a device (bsc#1245937).
- CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956).
- CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012).
- CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973).
- CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977).
- CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005).
- CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815).
- CVE-2025-38216: iommu/vt-d: Restore context entry setup order for aliased devices (bsc#1245963).
- CVE-2025-38220: ext4: only dirty folios when data journaling regular files (bsc#1245966).
- CVE-2025-38222: ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976).
- CVE-2025-38242: mm: userfaultfd: fix race of userfaultfd_move and swap cache (bsc#1246176).
- CVE-2025-38244: smb: client: fix potential deadlock when reconnecting channels (bsc#1246183).
- CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193).
- CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181).
- CVE-2025-38256: io_uring/rsrc: fix folio unpinning (bsc#1246188).
- CVE-2025-38258: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write (bsc#1246185).
- CVE-2025-38263: bcache: fix NULL pointer in cache_set_flush() (bsc#1246248).
- CVE-2025-38267: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun (bsc#1246245).
- CVE-2025-38270: net: drv: netdevsim: do not napi_complete() from netpoll (bsc#1246252).
- CVE-2025-38272: net: dsa: b53: do not enable EEE on bcm63xx (bsc#1246268).
- CVE-2025-38301: nvmem: zynqmp_nvmem: unbreak driver after cleanup (bsc#1246351).
- CVE-2025-38306: fs/fhandle.c: fix a race in call of has_locked_children() (bsc#1246366).
- CVE-2025-38311: iavf: get rid of the crit lock (bsc#1246376).
- CVE-2025-38318: perf: arm-ni: Fix missing platform_set_drvdata() (bsc#1246444).
- CVE-2025-38322: perf/x86/intel: Fix crash in icl_update_topdown_event() (bsc#1246447).
- CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473).
- CVE-2025-38337: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253).
- CVE-2025-38341: eth: fbnic: avoid double free when failing to DMA-map FW msg (bsc#1246260).
- CVE-2025-38349: eventpoll: do not decrement ep refcount while still holding the ep mutex (bsc#1246777).
- CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781).
- CVE-2025-38351: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (bsc#1246782).
- CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911).
- CVE-2025-38359: s390/mm: Fix in_atomic() handling in do_secure_storage_access() (bsc#1247076).
- CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078).
- CVE-2025-38365: btrfs: fix a race between renames and directory logging (bsc#1247023).
- CVE-2025-38374: optee: ffa: fix sleep in atomic context (bsc#1247024).
- CVE-2025-38382: btrfs: fix iteration of extrefs during log replay (bsc#1247031).
- CVE-2025-38383: mm/vmalloc: fix data race in show_numa_info() (bsc#1247250).
- CVE-2025-38392: idpf: convert control queue mutex to a spinlock (bsc#1247169).
- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247156).
- CVE-2025-38399: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (bsc#1247097).
- CVE-2025-38402: idpf: return 0 size for RSS key if not supported (bsc#1247262).
- CVE-2025-38408: genirq/irq_sim: Initialize work context pointers properly (bsc#1247126).
- CVE-2025-38418: remoteproc: core: Release rproc->clean_table after rproc_attach() fails (bsc#1247137).
- CVE-2025-38419: remoteproc: core: Cleanup acquired resources when
rproc_handle_resources() fails in rproc_attach() (bsc#1247136).
- CVE-2025-38426: drm/amdgpu: Add basic validation for RAS header (bsc#1247252).
- CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155).
- CVE-2025-38440: net/mlx5e: Fix race between DIM disable and net_dim() (bsc#1247290).
- CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167).
- CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162).
- CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229).
- CVE-2025-38451: md/md-bitmap: fix GPF in bitmap_get_stats() (bsc#1247102).
- CVE-2025-38453: kABI: io_uring: msg_ring ensure io_kiocb freeing is deferred (bsc#1247234).
- CVE-2025-38456: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() (bsc#1247099).
- CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist (bsc#1247098).
- CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116).
- CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119).
- CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143).
- CVE-2025-38463: tcp: Correct signedness in skb remaining space calculation (bsc#1247113).
- CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112).
- CVE-2025-38470: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime (bsc#1247288).
- CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313).
- CVE-2025-38475: smc: Fix various oops due to inet_sock type confusion (bsc#1247308).
- CVE-2025-38488: smb: client: fix use-after-free in crypt_message when using async crypto (bsc#1247239).
- CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243).
- CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280).
- CVE-2025-38493: tracing/osnoise: Fix crash in timerlat_dump_stack() (bsc#1247283).
- CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976).
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088).
- CVE-2025-38508: x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation (bsc#1248190).
- CVE-2025-38514: rxrpc: Fix oops due to non-existence of prealloc backlog struct (bsc#1248202).
- CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194).
- CVE-2025-38526: ice: add NULL check in eswitch lag check (bsc#1248192).
- CVE-2025-38527: smb: client: fix use-after-free in cifs_oplock_break (bsc#1248199).
- CVE-2025-38533: net: libwx: fix the using of Rx buffer DMA (bsc#1248200).
- CVE-2025-38539: tracing: Add down_write(trace_event_sem) when adding trace event (bsc#1248211).
- CVE-2025-38544: rxrpc: Fix bug due to prealloc collision (bsc#1248225).
- CVE-2025-38545: net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info (bsc#1248224).
- CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223).
- CVE-2025-38549: efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths (bsc#1248235).
- CVE-2025-38554: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped (bsc#1248299).
- CVE-2025-38556: HID: core: Harden s32ton() against conversion to 0 bits (bsc#1248296).
- CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312).
- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248374).
- CVE-2025-38571: sunrpc: fix client side handling of tls alerts (bsc#1248401).
- CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248399).
- CVE-2025-38574: pptp: ensure minimal skb length in pptp_xmit() (bsc#1248365).
- CVE-2025-38584: padata: Fix pd UAF once and for all (bsc1248343).
- CVE-2025-38588: ipv6: prevent infinite loop in rt6_nlmsg_size() (bsc#1248368).
- CVE-2025-38593: kABI workaround for bluetooth discovery_state change (bsc#1248357).
- CVE-2025-38597: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port (bsc#1248378).
- CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338).
- CVE-2025-38614: eventpoll: Fix semi-unbounded recursion (bsc#1248392).
- CVE-2025-38616: tls: handle data disappearing from under the TLS ULP (bsc#1248512).
- CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511).
- CVE-2025-38622: net: drop UFO packets in udp_rcv_segment() (bsc#1248619).
- CVE-2025-38623: PCI: pnv_php: Fix surprise plug detection and recovery (bsc#1248610).
- CVE-2025-38628: vdpa/mlx5: Fix release of uninitialized resources on error path (bsc#1248616).
- CVE-2025-38639: netfilter: xt_nfacct: do not assume acct name is null-terminated (bsc#1248674).
- CVE-2025-38640: bpf: Disable migration in nf_hook_run_bpf() (bsc#1248622).
- CVE-2025-38643: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() (bsc#1248681).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248748).
- CVE-2025-38659: gfs2: No more self recovery (bsc#1248639).
- CVE-2025-38660: [ceph] parse_longname(): strrchr() expects NUL-terminated string (bsc#1248634).
- CVE-2025-38664: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() (bsc#1248628).
- CVE-2025-38676: iommu/amd: Avoid stack buffer overflow from kernel cmdline (bsc#1248775).
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249126).
- CVE-2025-38684: net/sched: ets: use old 'nbands' while purging unused classes (bsc#1249156).
- CVE-2025-38686: userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry (bsc#1249160).
- CVE-2025-38700: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated (bsc#1249182).
- CVE-2025-38701: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr (bsc#1249258).
- CVE-2025-38709: loop: Avoid updating block size under exclusive owner (bsc#1249199).
- CVE-2025-38710: gfs2: Validate i_depth for exhash directories (bsc#1249201).
- CVE-2025-38730: io_uring/net: commit partial buffers on retry (bsc#1249172).
- CVE-2025-38734: net/smc: fix UAF on smcsk after smc_listen_out() (bsc#1249324).
- CVE-2025-39673: ppp: fix race conditions in ppp_fill_forward_path (bsc#1249320).
- CVE-2025-39677: net/sched: Fix backlog accounting in qdisc_dequeue_internal (bsc#1249300).
- CVE-2025-39681: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper (bsc#1249303).
- CVE-2025-39682: tls: fix handling of zero-length records on the rx_list (bsc#1249284).
- CVE-2025-39683: tracing: Limit access to parser->buffer when trace_get_user failed (bsc#1249286).
- CVE-2025-39691: fs/buffer: fix use-after-free when call bh_read() helper (bsc#1249374).
- CVE-2025-39698: io_uring/futex: ensure io_futex_wait() cleans up properly on failure (bsc#1249322).
- CVE-2025-39703: net, hsr: reject HSR frame if skb can't hold tag (bsc#1249315).
- CVE-2025-39723: kABI: netfs: handle new netfs_io_stream flag (bsc#1249314).
- CVE-2025-39744: rcu: Fix rcu_read_unlock() deadloop due to IRQ work (bsc#1249494).
- CVE-2025-39749: rcu: Protect ->defer_qs_iw_pending from data race (bsc#1249533).
- CVE-2025-39754: mm/smaps: fix race between smaps_hugetlb_range and migration (bsc#1249524).
- CVE-2025-39766: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (bsc#1249510).
- CVE-2025-39770: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM (bsc#1249508).
- CVE-2025-39773: net: bridge: fix soft lockup in br_multicast_query_expired() (bsc#1249504).
- CVE-2025-39775: mm/mremap: fix WARN with uffd that has remap events disabled (bsc#1249500).
- CVE-2025-39782: jbd2: prevent softlockup in jbd2_log_do_checkpoint() (bsc#1249526).
- CVE-2025-39791: dm: dm-crypt: Do not partially accept write BIOs with zoned targets (bsc#1249550).
- CVE-2025-39792: dm: Always split write BIOs to zoned device limits (bsc#1249618).
- CVE-2025-39797: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI (bsc#1249608).
- CVE-2025-39813: ftrace: Also allocate and copy hash for reading of filter files (bsc#1250032).
- CVE-2025-39816: io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths (bsc#1249906).
- CVE-2025-39823: KVM: x86: use array_index_nospec with indices that come from guest (bsc#1250002).
- CVE-2025-39825: smb: client: fix race with concurrent opens in rename(2) (bsc#1250179).
- CVE-2025-39828: kABI workaround for struct atmdev_ops extension (bsc#1250205).
- CVE-2025-39830: net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path (bsc#1249974).
- CVE-2025-39838: cifs: prevent NULL pointer dereference in UTF16 conversion (bsc#1250365).
- CVE-2025-39842: ocfs2: prevent release journal inode after journal shutdown (bsc#1250267).
- CVE-2025-39847: ppp: fix memory leak in pad_compress_skb (bsc#1250292).
- CVE-2025-39850: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects (bsc#1250276).
- CVE-2025-39851: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object (bsc#1250296).
- CVE-2025-39852: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 (bsc#1250258).
- CVE-2025-39853: i40e: Fix potential invalid access when MAC list is empty (bsc#1250275).
- CVE-2025-39854: ice: fix NULL access of tx->in_use in ice_ll_ts_intr (bsc#1250297).
- CVE-2025-39857: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() (bsc#1250251).
- CVE-2025-39865: tee: fix NULL pointer dereference in tee_shm_put (bsc#1250294).
- CVE-2025-39875: igb: Fix NULL pointer dereference in ethtool loopback test (bsc#1250398).
- CVE-2025-39885: ocfs2: fix recursive semaphore deadlock in fiemap call (bsc#1250407).
- CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom (bsc#1250742).
- CVE-2025-39900: net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y (bsc#1250758).
- CVE-2025-39902: mm/slub: avoid accessing metadata when pointer is invalid in object_err() (bsc#1250702).
- CVE-2025-39922: ixgbe: fix incorrect map used in eee linkmode (bsc#1250722).
- CVE-2025-39926: genetlink: fix genl_bind() invoking bind() after -EPERM (bsc#1250737).
- CVE-2025-39945: cnic: Fix use-after-free bugs in cnic_delete_task (bsc#1251230).
- CVE-2025-39946: tls: make sure to abort the stream if headers are bogus (bsc#1251114).
- CVE-2025-40300: x86/vmscape: Warn when STIBP is disabled with SMT (bsc#1247483).
- CVE-2026-38264: nvme-tcp: sanitize request list handling (bsc#1246387).
The following non-security bugs were fixed:
- ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() (git-fixes).
- ACPI/processor_idle: Add FFH state handling (jsc#PED-13815).
- ACPI/processor_idle: Export acpi_processor_ffh_play_dead() (jsc#PED-13815).
- ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path (stable-fixes).
- ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes).
- ACPI: EC: Add device to acpi_ec_no_wakeup[] qurik list (stable-fixes).
- ACPI: LPSS: Remove AudioDSP related ID (git-fixes).
- ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message (git-fixes).
- ACPI: RISC-V: Fix FFH_CPPC_CSR error handling (git-fixes).
- ACPI: Return -ENODEV from acpi_parse_spcr() when SPCR support is disabled (stable-fixes).
- ACPI: Suppress misleading SPCR console message when SPCR table is absent (stable-fixes).
- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT (git-fixes).
- ACPI: battery: Add synchronization between interface updates (git-fixes).
- ACPI: debug: fix signedness issues in read/write helpers (git-fixes).
- ACPI: pfr_update: Fix the driver update version check (git-fixes).
- ACPI: processor: Rescan "dead" SMT siblings during initialization (jsc#PED-13815).
- ACPI: processor: fix acpi_object initialization (stable-fixes).
- ACPI: processor: idle: Fix memory leak when register cpuidle device failed (git-fixes).
- ACPI: processor: perflib: Fix initial _PPC limit application (git-fixes).
- ACPI: processor: perflib: Move problematic pr->performance check (git-fixes).
- ACPI: property: Fix buffer properties extraction for subnodes (git-fixes).
- ACPICA: Fix largest possible resource descriptor index (git-fixes).
- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported (stable-fixes).
- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes).
- ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes).
- ALSA: hda/cs35l56: Workaround bad dev-index on Lenovo Yoga Book 9i GenX (stable-fixes).
- ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model (stable-fixes).
- ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes).
- ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx (stable-fixes).
- ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26) (stable-fixes).
- ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx (stable-fixes).
- ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx (stable-fixes).
- ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx (stable-fixes).
- ALSA: hda/realtek: Add ALC295 Dell TAS2781 I2C fixup (git-fixes).
- ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes).
- ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes).
- ALSA: hda/realtek: Add support for ASUS NUC using CS35L41 HDA (stable-fixes).
- ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes).
- ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes).
- ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY (stable-fixes).
- ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes).
- ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes).
- ALSA: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop (git-fixes).
- ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx (stable-fixes).
- ALSA: hda/realtek: add LG gram 16Z90R-A to alc269 fixup table (stable-fixes).
- ALSA: hda: Disable jack polling at shutdown (stable-fixes).
- ALSA: hda: Handle the jack polling always via a work (stable-fixes).
- ALSA: hda: intel-dsp-config: Prevent SEGFAULT if ACPI_HANDLE() is NULL (git-fixes).
- ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes).
- ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes).
- ALSA: lx_core: use int type to store negative error codes (git-fixes).
- ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT (git-fixes).
- ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes).
- ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes).
- ALSA: timer: fix ida_free call while not allocated (git-fixes).
- ALSA: usb-audio: Add DSD support for Comtrue USB Audio device (stable-fixes).
- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 (stable-fixes).
- ALSA: usb-audio: Add mute TLV for playback volumes on more devices (stable-fixes).
- ALSA: usb-audio: Add mute TLV for playback volumes on some devices (stable-fixes).
- ALSA: usb-audio: Allow Focusrite devices to use low samplerates (git-fixes).
- ALSA: usb-audio: Avoid multiple assignments in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes).
- ALSA: usb-audio: Convert comma to semicolon (git-fixes).
- ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Fix block comments in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Fix build with CONFIG_INPUT=n (git-fixes).
- ALSA: usb-audio: Fix code alignment in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes).
- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Simplify NULL comparison in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes).
- ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes).
- ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes).
- ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free (git-fixes).
- ALSA: usb-audio: move mixer_quirks' min_mute into common quirk (stable-fixes).
- ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes).
- ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping (git-fixes).
- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (git-fixes).
- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping (git-fixes).
- ASoC: Intel: catpt: Expose correct bit depth to userspace (git-fixes).
- ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes).
- ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback (git-fixes).
- ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel (git-fixes).
- ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time (git-fixes).
- ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message (git-fixes).
- ASoC: SOF: amd: acp-loader: Use GFP_KERNEL for DMA allocations in resume context (git-fixes).
- ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down (git-fixes).
- ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer size (git-fixes).
- ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size (git-fixes).
- ASoC: SOF: topology: Parse the dapm_widget_tokens in case of DSPless mode (stable-fixes).
- ASoC: amd: acp: Adjust pdm gain value (stable-fixes).
- ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes).
- ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes).
- ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes).
- ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes).
- ASoC: codecs: tx-macro: correct tx_macro_component_drv name (stable-fixes).
- ASoC: codecs: wcd9375: Fix double free of regulator supplies (git-fixes).
- ASoC: codecs: wcd937x: Drop unused buck_supply (git-fixes).
- ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes).
- ASoC: fsl_sai: replace regmap_write with regmap_update_bits (git-fixes).
- ASoC: fsl_xcvr: get channel status data when PHY is not exists (git-fixes).
- ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes).
- ASoC: imx-hdmi: remove cpu_pdev related code (git-fixes).
- ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv (git-fixes).
- ASoC: mediatek: use reserved memory or enable buffer pre-allocation (git-fixes).
- ASoC: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes).
- ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface (git-fixes).
- ASoC: qcom: audioreach: fix potential null pointer dereference (git-fixes).
- ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed (git-fixes).
- ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S (git-fixes).
- ASoC: qcom: use drvdata instead of component to keep id (stable-fixes).
- ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue (stable-fixes).
- ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes).
- ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes).
- ASoC: tas2781: Fix the wrong step for TLV on tas2781 (git-fixes).
- ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() (git-fixes).
- ASoC: wm8940: Correct PLL rate rounding (git-fixes).
- ASoC: wm8940: Correct typo in control name (git-fixes).
- ASoC: wm8974: Correct PLL rate rounding (git-fixes).
- Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() (git-fixes).
- Bluetooth: ISO: Fix possible UAF on iso_conn_free (git-fixes).
- Bluetooth: ISO: do not leak skb in ISO_CONT RX (git-fixes).
- Bluetooth: ISO: free rx_skb if not consumed (git-fixes).
- Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO (git-fixes).
- Bluetooth: MGMT: Fix possible UAFs (git-fixes).
- Bluetooth: btmtk: Fix wait_on_bit_timeout interruption during shutdown (git-fixes).
- Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 (stable-fixes).
- Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes).
- Bluetooth: btusb: Add new VID/PID 0489/e14e for MT7925 (stable-fixes).
- Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes).
- Bluetooth: hci_core: Fix using {cis,bis}_capable for current settings (git-fixes).
- Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes).
- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (git-fixes).
- Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes).
- Bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes).
- Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes).
- Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes).
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes).
- Bluetooth: hci_sync: Avoid adding default advertising on startup (stable-fixes).
- Bluetooth: hci_sync: Fix hci_resume_advertising_sync (git-fixes).
- Bluetooth: hci_sync: Fix scan state after PA Sync has been established (git-fixes).
- Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements (git-fixes).
- Bluetooth: hci_sync: Prevent unintended PA sync when SID is 0xFF (git-fixes).
- Bluetooth: hci_sync: fix set_local_name race condition (git-fixes).
- Bluetooth: vhci: Prevent use-after-free by removing debugfs files early (git-fixes).
- CONFIG & no reference -> OK temporarily, must be resolved eventually
- Disable CET before shutdown by tboot (bsc#1247950).
- Docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes).
- Documentation/x86: Document new attack vector controls (git-fixes).
- Documentation: ACPI: Fix parent device references (git-fixes).
- Documentation: KVM: Fix unexpected unindent warning (git-fixes).
- Documentation: KVM: Fix unexpected unindent warnings (git-fixes).
- Documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes).
- Drop ath12k patch that was reverted in the upstream (git-fixes)
- EDAC/{i10nm,skx,skx_common}: Support UV systems (bsc#1234693).
- Enable CONFIG_CMA_SYSFS This is a generally useful feature for anyone
using CMA or investigating CMA issues, with a small and simple code base
and no runtime overhead.
- Enable MT7925 WiFi drivers for openSUSE Leap 16.0 (bsc#1247325)
- Enable SMC_LO (a.k.a SMC-D) (jsc#PED-13256).
- Fix bogus i915 patch backport (bsc#1238972) It's been already cherry-picked in 6.12 kernel itself.
- Fix dma_unmap_sg() nents value (git-fixes)
- HID: amd_sfh: Add sync across amd sfh work functions (git-fixes).
- HID: apple: avoid setting up battery timer for devices without battery (git-fixes).
- HID: apple: validate feature-report field count to prevent NULL pointer dereference (git-fixes).
- HID: asus: add support for missing PX series fn keys (stable-fixes).
- HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes).
- HID: core: do not bypass hid_hw_raw_request (stable-fixes).
- HID: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes).
- HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() (stable-fixes).
- HID: hidraw: tighten ioctl command parsing (git-fixes).
- HID: input: rename hidinput_set_battery_charge_status() (stable-fixes).
- HID: input: report battery status changes immediately (git-fixes).
- HID: intel-ish-ipc: Remove redundant ready check after timeout function (git-fixes).
- HID: logitech: Add ids for G PRO 2 LIGHTSPEED (stable-fixes).
- HID: magicmouse: avoid setting up battery timer when not needed (git-fixes).
- HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes).
- HID: quirks: add support for Legion Go dual dinput modes (stable-fixes).
- HID: wacom: Add a new Art Pen 2 (stable-fixes).
- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions (git-fixes)
- IB/sa: Fix sa_local_svc_timeout_ms read race (git-fixes)
- Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table (stable-fixes).
- Input: iqs7222 - avoid enabling unused interrupts (stable-fixes).
- Input: psxpad-spi - add a check for the return value of spi_setup() (git-fixes).
- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (git-fixes).
- KEYS: X.509: Fix Basic Constraints CA flag parsing (git-fixes).
- KEYS: trusted_tpm1: Compare HMAC values in constant time (git-fixes).
- KVM: Allow CPU to reschedule while setting per-page memory attributes (git-fixes).
- KVM: Bail from the dirty ring reset flow if a signal is pending (git-fixes).
- KVM: Bound the number of dirty ring entries in a single reset at INT_MAX (git-fixes).
- KVM: Conditionally reschedule when resetting the dirty ring (git-fixes).
- KVM: PPC: Fix misleading interrupts comment in kvmppc_prepare_to_enter() (bsc#1215199).
- KVM: SVM: Disable interception of SPEC_CTRL iff the MSR exists for the guest (git-fixes).
- KVM: SVM: Fix SNP AP destroy race with VMRUN (git-fixes).
- KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (git-fixes).
- KVM: TDX: Add new TDVMCALL status code for unsupported subfuncs (jsc#PED-13302).
- KVM: TDX: Do not report base TDVMCALLs (git-fixes).
- KVM: TDX: Exit to userspace for GetTdVmCallInfo (jsc#PED-13302).
- KVM: TDX: Exit to userspace for SetupEventNotifyInterrupt (jsc#PED-13302).
- KVM: TDX: Handle TDG.VP.VMCALL<GetQuote> (jsc#PED-13302).
- KVM: TDX: Report supported optional TDVMCALLs in TDX capabilities (jsc#PED-13302).
- KVM: TDX: Use kvm_arch_vcpu.host_debugctl to restore the host's DEBUGCTL (git-fixes).
- KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes).
- KVM: VMX: Ensure unused kvm_tdx_capabilities fields are zeroed out (jsc#PED-13302).
- KVM: arm64: Adjust range correctly during host stage-2 faults (git-fixes).
- KVM: arm64: Do not free hyp pages with pKVM on GICv2 (git-fixes).
- KVM: arm64: Fix error path in init_hyp_mode() (git-fixes).
- KVM: arm64: Mark freed S2 MMUs as invalid (git-fixes).
- KVM: arm64: vgic: fix incorrect spinlock API usage (git-fixes).
- KVM: s390: Fix access to unavailable adapter indicator pages during postcopy (git-fixes bsc#1250124).
- KVM: s390: Fix incorrect usage of mmu_notifier_register() (git-fixes bsc#1250123).
- KVM: x86/mmu: Locally cache whether a PFN is host MMIO when making a SPTE (git-fixes).
- KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table (git-fixes).
- KVM: x86: Avoid calling kvm_is_mmio_pfn() when kvm_x86_ops.get_mt_mask is NULL (git-fixes).
- KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap (git-fixes).
- KVM: x86: Drop pending_smi vs. INIT_RECEIVED check when setting MP_STATE (git-fixes).
- KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest (git-fixes).
- KVM: x86: avoid underflow when scaling TSC frequency (git-fixes).
- Limit patch filenames to 100 characters (bsc#1249604).
- Move upstreamed SPI patch into sorted section
- NFS: Fix a race when updating an existing write (git-fixes).
- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes).
- NFS: Fix the setting of capabilities when automounting a new filesystem (git-fixes).
- NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes).
- NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes).
- NFS: nfs_invalidate_folio() must observe the offset and size arguments (git-fixes).
- NFSD: Define a proc_layoutcommit for the FlexFiles layout type (git-fixes).
- NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() (git-fixes).
- NFSD: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes).
- NFSv4.1: fix backchannel max_resp_sz verification check (git-fixes).
- NFSv4.2: another fix for listxattr (git-fixes).
- NFSv4/flexfiles: Fix layout merge mirror check (git-fixes).
- NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported (git-fixes).
- NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set (git-fixes).
- NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server (git-fixes).
- NFSv4: Do not clear capabilities that won't be reset (git-fixes).
- Octeontx2-af: Skip overlap check for SPI field (git-fixes).
- PCI/ACPI: Fix pci_acpi_preserve_config() memory leak (git-fixes).
- PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes).
- PCI/AER: Fix missing uevent on recovery when a reset is requested (git-fixes).
- PCI/ERR: Fix uevent on failure to recover (git-fixes).
- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (git-fixes).
- PCI/MSI: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457).
- PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes).
- PCI/pwrctrl: Fix device leak at registration (git-fixes).
- PCI/sysfs: Ensure devices are powered for config reads (git-fixes).
- PCI: Extend isolated function probing to LoongArch (git-fixes).
- PCI: Rename PCIE_RESET_CONFIG_DEVICE_WAIT_MS to PCIE_RESET_CONFIG_WAIT_MS (git-fixes).
- PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes).
- PCI: dw-rockchip: Replace PERST# sleep time with proper macro (git-fixes).
- PCI: dw-rockchip: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ (git-fixes).
- PCI: dwc: Ensure that dw_pcie_wait_for_link() waits 100 ms after link up (stable-fixes).
- PCI: endpoint: Fix configfs group list head handling (git-fixes).
- PCI: endpoint: Fix configfs group removal on driver teardown (git-fixes).
- PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes).
- PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes).
- PCI: hv: Allow dynamic MSI-X vector allocation (bsc#1245457).
- PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes).
- PCI: imx6: Add IMX8MQ_EP third 64-bit BAR in epc_features (git-fixes).
- PCI: imx6: Add i.MX8Q PCIe Endpoint (EP) support (git-fixes).
- PCI: imx6: Delay link start until configfs 'start' written (git-fixes).
- PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes).
- PCI: j721e: Fix incorrect error message in probe() (git-fixes).
- PCI: j721e: Fix programming sequence of "strap" settings (git-fixes).
- PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit (git-fixes).
- PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199).
- PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199).
- PCI: qcom: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ (git-fixes).
- PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion (git-fixes).
- PCI: rcar-gen4: Assure reset occurs before DBI access (git-fixes).
- PCI: rcar-gen4: Fix PHY initialization (git-fixes).
- PCI: rcar-gen4: Fix inverted break condition in PHY initialization (git-fixes).
- PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock (git-fixes).
- PCI: rcar-host: Drop PMSR spinlock (git-fixes).
- PCI: rockchip-host: Fix "Unexpected Completion" log message (git-fixes).
- PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes).
- PCI: rockchip: Use standard PCIe definitions (git-fixes).
- PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() (git-fixes).
- PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() (git-fixes).
- PCI: tegra194: Handle errors in BPMP response (git-fixes).
- PCI: tegra194: Reset BARs when running in PCIe endpoint mode (git-fixes).
- PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock (git-fixes).
- PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation (git-fixes).
- PCI: xilinx-nwl: Fix ECAM programming (git-fixes).
- PM / devfreq: Check governor before using governor->name (git-fixes).
- PM / devfreq: Fix a index typo in trans_stat (git-fixes).
- PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes).
- PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() (git-fixes).
- PM / devfreq: rockchip-dfi: double count on RK3588 (git-fixes).
- PM: EM: use kfree_rcu() to simplify the code (stable-fixes).
- PM: cpufreq: powernv/tracing: Move powernv_throttle trace event (git-fixes).
- PM: hibernate: Add pm_hibernation_mode_is_suspend() (bsc#1243112).
- PM: hibernate: Add stub for pm_hibernate_is_recovering() (bsc#1243112).
- PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage (bsc#1243112).
- PM: hibernate: add new api pm_hibernate_is_recovering() (bsc#1243112).
- PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes).
- PM: runtime: Take active children into account in pm_runtime_get_if_in_use() (git-fixes).
- PM: sleep: console: Fix the black screen issue (stable-fixes).
- PM: sleep: core: Clear power.must_resume in noirq suspend error path (git-fixes).
- RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034).
- RAS/AMD/FMPM: Get masked address (bsc#1242034).
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes)
- RDMA/bnxt_re: Fix size of uverbs_copy_to() in BNXT_RE_METHOD_GET_TOGGLE_MEM (git-fixes)
- RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes)
- RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes)
- RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes)
- RDMA/cm: Rate limit destroy CM ID timeout error message (git-fixes)
- RDMA/core: Rate limit GID cache warning messages (git-fixes)
- RDMA/core: Resolve MAC of next-hop device without ARP support (git-fixes)
- RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes)
- RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes)
- RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes)
- RDMA/hns: Drop GFP_NOWARN (git-fixes)
- RDMA/hns: Fix -Wframe-larger-than issue (git-fixes)
- RDMA/hns: Fix HW configurations not cleared in error flow (git-fixes)
- RDMA/hns: Fix accessing uninitialized resources (git-fixes)
- RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes)
- RDMA/hns: Fix double destruction of rsv_qp (git-fixes)
- RDMA/hns: Fix querying wrong SCC context for DIP algorithm (git-fixes)
- RDMA/hns: Get message length of ack_req from FW (git-fixes)
- RDMA/mana_ib: Add device statistics support (bsc#1246651).
- RDMA/mana_ib: Drain send wrs of GSI QP (bsc#1251135).
- RDMA/mana_ib: Extend modify QP (bsc#1251135).
- RDMA/mana_ib: Fix DSCP value in modify QP (git-fixes).
- RDMA/mana_ib: add additional port counters (git-fixes).
- RDMA/mana_ib: add support of multiple ports (git-fixes).
- RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count (git-fixes)
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes)
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes)
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes)
- RDMA/mlx5: Fix UMR modifying of mkey page size (git-fixes)
- RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes)
- RDMA/mlx5: Fix vport loopback forcing for MPV device (git-fixes)
- RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes)
- RDMA/rxe: Fix race in do_task() when draining (git-fixes)
- RDMA/rxe: Flush delayed SKBs while releasing RXE resources (git-fixes)
- RDMA/siw: Always report immediate post SQ errors (git-fixes)
- RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes)
- RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes)
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes)
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes)
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes)
- RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes)
- README.BRANCH: mfranc@suse.cz leaving SUSE
- RISC-V: Add defines for the SBI nested acceleration extension (jsc#PED-348).
- Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" (git-fixes).
- Reapply "x86/smp: Eliminate mwait_play_dead_cpuid_hint()" (jsc#PED-13815).
- Revert "SUNRPC: Do not allow waiting for exiting tasks" (git-fixes).
- Revert "drm/amdgpu: fix incorrect vm flags to map bo" (stable-fixes).
- Revert "drm/nouveau: check ioctl command codes better" (git-fixes).
- Revert "gpio: mlxbf3: only get IRQ for device instance 0" (git-fixes).
- Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" (git-fixes).
- Revert "mac80211: Dynamically set CoDel parameters per station" (stable-fixes).
- Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" (git-fixes).
- Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" (stable-fixes).
- Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" (git-fixes).
- SUNRPC: call xs_sock_process_cmsg for all cmsg (git-fixes).
- Squashfs: add additional inode sanity checking (git-fixes).
- Squashfs: fix uninit-value in squashfs_get_parent (git-fixes).
- Squashfs: reject negative file sizes in squashfs_read_inode() (git-fixes).
- USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels (git-fixes).
- USB: gadget: f_hid: Fix memory leak in hidg_bind error path (git-fixes).
- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes).
- USB: serial: option: add Foxconn T99W640 (stable-fixes).
- USB: serial: option: add Foxconn T99W709 (stable-fixes).
- USB: serial: option: add SIMCom 8230C compositions (stable-fixes).
- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes).
- USB: serial: option: add Telit Cinterion FN990A w/audio compositions (stable-fixes).
- USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions (stable-fixes).
- USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes).
- USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes).
- Update config files. (bsc#1249186) Enable where we define KABI refs + rely on Kconfig deps.
- Update config files: revive pwc driver for Leap (bsc#1249060)
- accel/habanalabs/gaudi2: Use kvfree() for memory allocated with kvcalloc() (git-fixes).
- accel/ivpu: Correct DCT interrupt handling (git-fixes).
- accel/ivpu: Fix reset_engine debugfs file logic (stable-fixes).
- accel/ivpu: Fix warning in ivpu_gem_bo_free() (git-fixes).
- accel/ivpu: Prevent recovery work from being queued during device removal (git-fixes).
- amdgpu/amdgpu_discovery: increase timeout limit for IFWI init (stable-fixes).
- aoe: defer rexmit timer downdev work to workqueue (git-fixes).
- arch/powerpc: Remove .interp section in vmlinux (bsc#1215199).
- arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes)
- arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes)
- arm64/mm: Check pmd_table() in pmd_trans_huge() (git-fixes)
- arm64/mm: Close theoretical race where stale TLB entry remains valid (git-fixes)
- arm64/mm: Drop wrong writes into TCR2_EL1 (git-fixes)
- arm64/mm: Ensure adequate HUGE_MAX_HSTATE (git-fixes)
- arm64/sysreg: Add register fields for HDFGRTR2_EL2 (git-fixes)
- arm64/sysreg: Add register fields for HDFGWTR2_EL2 (git-fixes)
- arm64/sysreg: Add register fields for HFGITR2_EL2 (git-fixes)
- arm64/sysreg: Add register fields for HFGRTR2_EL2 (git-fixes)
- arm64/sysreg: Add register fields for HFGWTR2_EL2 (git-fixes)
- arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 (git-fixes)
- arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes)
- arm64: Handle KCOV __init vs inline mismatches (git-fixes)
- arm64: Mark kernel as tainted on SAE and SError panic (git-fixes)
- arm64: Restrict pagetable teardown to avoid false warning (git-fixes)
- arm64: config: Make tpm_tis_spi module build-in (bsc#1246896)
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- arm64: dts: add big-endian property back into watchdog node (git-fixes)
- arm64: dts: apple: Add ethernet0 alias for J375 template (git-fixes)
- arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map (git-fixes)
- arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes)
- arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes (git-fixes)
- arm64: dts: exynos: gs101: ufs: add dma-coherent property (git-fixes)
- arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes)
- arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV (git-fixes)
- arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI (git-fixes)
- arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI (git-fixes)
- arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off (git-fixes)
- arm64: dts: imx8mp-venice-gw702x: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency (git-fixes)
- arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency (git-fixes)
- arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency (git-fixes)
- arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency (git-fixes)
- arm64: dts: imx8mp: Correct thermal sensor index (git-fixes)
- arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics (git-fixes)
- arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul (git-fixes)
- arm64: dts: imx93-kontron: Fix GPIO for panel regulator (git-fixes)
- arm64: dts: imx93-kontron: Fix USB port assignment (git-fixes)
- arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep (git-fixes)
- arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid (git-fixes)
- arm64: dts: marvell: cn9132-clearfog: disable eMMC high-speed modes (git-fixes)
- arm64: dts: marvell: cn9132-clearfog: fix multi-lane pci x2 and x4 (git-fixes)
- arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B (git-fixes).
- arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5 (git-fixes)
- arm64: dts: rockchip: Add vcc-supply to SPI flash on (git-fixes)
- arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3566-rock3c (git-fixes)
- arm64: dts: rockchip: Fix Bluetooth interrupts flag on Neardi LBA3368 (git-fixes)
- arm64: dts: rockchip: Fix the headphone detection on the orangepi 5 (git-fixes)
- arm64: dts: rockchip: Move SHMEM memory to reserved memory on rk3588 (git-fixes)
- arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes)
- arm64: dts: rockchip: disable unrouted USB controllers and PHY on (git-fixes)
- arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma (git-fixes)
- arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes)
- arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma (git-fixes)
- arm64: dts: rockchip: use cs-gpios for spi1 on ringneck (git-fixes)
- arm64: dts: st: fix timer used for ticks (git-fixes)
- arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module (git-fixes)
- arm64: map [_text, _stext) virtual address range (git-fixes)
- arm64: mte: Do not flag the zero page as PG_mte_tagged (git-fixes)
- arm64: poe: Handle spurious Overlay faults (git-fixes)
- arm64: rust: clean Rust 1.85.0 warning using softfloat target (git-fixes)
- arm64: stacktrace: Check kretprobe_find_ret_addr() return value (git-fixes)
- arm64: tegra: Add uartd serial alias for Jetson TX1 module (git-fixes)
- arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes)
- arm64: tegra: Resize aperture for the IGX PCIe C5 slot (git-fixes)
- arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes)
- arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes)
- ata: ahci: Disable DIPM if host lacks support (stable-fixes).
- ata: ahci: Disallow LPM policy control if not supported (stable-fixes).
- ata: libata-sata: Add link_power_management_supported sysfs attribute (git-fixes).
- ata: libata-sata: Disallow changing LPM state if not supported (stable-fixes).
- ata: libata-scsi: Fix CDL control (git-fixes).
- audit,module: restore audit logging in load failure case (git-fixes).
- ax25: properly unshare skbs in ax25_kiss_rcv() (git-fixes).
- batman-adv: fix OOB read/write in network-coding decode (git-fixes).
- benet: fix BUG when creating VFs (git-fixes).
- block: Introduce bio_needs_zone_write_plugging() (git-fixes).
- block: Make REQ_OP_ZONE_FINISH a write operation (git-fixes, bsc#1249552).
- block: ensure discard_granularity is zero when discard is not supported (git-fixes).
- block: fix kobject leak in blk_unregister_queue (git-fixes).
- block: mtip32xx: Fix usage of dma_map_sg() (git-fixes).
- block: sanitize chunk_sectors for atomic write limits (git-fixes).
- bnxt_en: Add a helper function to configure MRU and RSS (git-fixes).
- bnxt_en: Adjust TX rings if reservation is less than requested (git-fixes).
- bnxt_en: Fix DCB ETS validation (git-fixes).
- bnxt_en: Fix memory corruption when FW resources change during ifdown (git-fixes).
- bnxt_en: Fix stats context reservation logic (git-fixes).
- bnxt_en: Flush FW trace before copying to the coredump (git-fixes).
- bnxt_en: Update MRU and RSS table of RSS contexts on queue reset (git-fixes).
- bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL (git-fixes).
- bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free() (git-fixes)
- bpf, arm64: Fix fp initialization for exception boundary (git-fixes)
- bpf, docs: Fix broken link to renamed bpf_iter_task_vmas.c (git-fixes).
- bpf, sockmap: Fix psock incorrectly pointing to sk (git-fixes).
- bpf: Adjust free target to avoid global starvation of LRU map (git-fixes).
- bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps (git-fixes).
- bpf: Avoid RCU context warning when unpinning htab with internal structs (git-fixes).
- bpf: Check link_create.flags parameter for multi_kprobe (git-fixes).
- bpf: Check link_create.flags parameter for multi_uprobe (git-fixes).
- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (git-fixes).
- bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ (git-fixes).
- bpf: Forget ranges when refining tnum after JSET (git-fixes).
- bpf: Make reg_not_null() true for CONST_PTR_TO_MAP (git-fixes).
- bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it creates storage (git-fixes).
- bpf: Reject %p% format string in bprintf-like helpers (git-fixes).
- bpf: Reject attaching fexit/fmod_ret to __noreturn functions (git-fixes).
- bpf: Reject narrower access to pointer ctx fields (git-fixes).
- bpf: Return prog btf_id without capable check (git-fixes).
- bpf: Use preempt_count() directly in bpf_send_signal_common() (git-fixes).
- bpf: Use proper type to calculate bpf_raw_tp_null_args.mask index (git-fixes).
- bpf: fix possible endless loop in BPF map iteration (git-fixes).
- btrfs: abort transaction during log replay if walk_log_tree() failed (git-fixes).
- btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() (git-fixes).
- btrfs: add assertions and comment about path expectations to btrfs_cross_ref_exist() (git-fixes).
- btrfs: add debug build only WARN (bsc#1249038).
- btrfs: add function comment for check_committed_ref() (git-fixes).
- btrfs: always abort transaction on failure to add block group to free space tree (git-fixes).
- btrfs: avoid load/store tearing races when checking if an inode was logged (git-fixes).
- btrfs: avoid redundant call to get inline ref type at check_committed_ref() (git-fixes).
- btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop (git-fixes).
- btrfs: clear dirty status from extent buffer on error at insert_new_root() (git-fixes).
- btrfs: codify pattern for adding block_group to bg_list (git-fixes).
- btrfs: convert ASSERT(0) with handled errors to DEBUG_WARN() (bsc#1249038).
- btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes).
- btrfs: correctly escape subvol in btrfs_show_options() (git-fixes).
- btrfs: do not allow relocation of partially dropped subvolumes (bsc#1249540).
- btrfs: do not ignore inode missing when replaying log tree (git-fixes).
- btrfs: do not output error message if a qgroup has been already cleaned up (git-fixes).
- btrfs: do not return VM_FAULT_SIGBUS on failure to set delalloc for mmap write (bsc#1247949).
- btrfs: do not silently ignore unexpected extent type when replaying log (git-fixes).
- btrfs: do not skip remaining extrefs if dir not found during log replay (git-fixes).
- btrfs: enhance ASSERT() to take optional format string (bsc#1249038).
- btrfs: error on missing block group when unaccounting log tree extent buffers (git-fixes).
- btrfs: exit after state split error at set_extent_bit() (git-fixes).
- btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068)
- btrfs: fix -ENOSPC mmap write failure on NOCOW files/extents (bsc#1247949).
- btrfs: fix assertion when building free space tree (git-fixes).
- btrfs: fix corruption reading compressed range when block size is smaller than page size (git-fixes).
- btrfs: fix data overwriting bug during buffered write when block size < page size (git-fixes).
- btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes).
- btrfs: fix incorrect log message for nobarrier mount option (git-fixes).
- btrfs: fix inode lookup error handling during log replay (git-fixes).
- btrfs: fix invalid extref key setup when replaying dentry (git-fixes).
- btrfs: fix invalid inode pointer after failure to create reloc inode (git-fixes).
- btrfs: fix invalid inode pointer dereferences during log replay (git-fixes).
- btrfs: fix iteration bug in __qgroup_excl_accounting() (git-fixes).
- btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes).
- btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes).
- btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes).
- btrfs: fix printing of mount info messages for NODATACOW/NODATASUM (git-fixes).
- btrfs: fix race between logging inode and checking if it was logged before (git-fixes).
- btrfs: fix race between setting last_dir_index_offset and inode logging (git-fixes).
- btrfs: fix squota compressed stats leak (git-fixes).
- btrfs: fix ssd_spread overallocation (git-fixes).
- btrfs: fix subvolume deletion lockup caused by inodes xarray race (git-fixes).
- btrfs: fix the inode leak in btrfs_iget() (git-fixes).
- btrfs: fix two misuses of folio_shift() (git-fixes).
- btrfs: fix wrong length parameter for btrfs_cleanup_ordered_extents() (git-fixes).
- btrfs: handle unaligned EOF truncation correctly for subpage cases (bsc#1249038).
- btrfs: initialize inode::file_extent_tree after i_mode has been set (git-fixes).
- btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068)
- btrfs: make btrfs_iget() return a btrfs inode instead (git-fixes).
- btrfs: make btrfs_iget_path() return a btrfs inode instead (git-fixes).
- btrfs: move transaction aborts to the error site in add_block_group_free_space() (git-fixes).
- btrfs: pass a btrfs_inode to fixup_inode_link_count() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_defrag_file() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_double_mmap_lock() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_double_mmap_unlock() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_extent_same_range() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_fill_inode() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_iget_locked() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_inode_inherit_props() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_inode_type() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_load_inode_props() (git-fixes).
- btrfs: pass struct btrfs_inode to btrfs_read_locked_inode() (git-fixes).
- btrfs: pass struct btrfs_inode to can_nocow_extent() (git-fixes).
- btrfs: pass struct btrfs_inode to clone_copy_inline_extent() (git-fixes).
- btrfs: pass struct btrfs_inode to extent_range_clear_dirty_for_io() (git-fixes).
- btrfs: pass struct btrfs_inode to fill_stack_inode_item() (git-fixes).
- btrfs: pass struct btrfs_inode to new_simple_dir() (git-fixes).
- btrfs: pass true to btrfs_delalloc_release_space() at btrfs_page_mkwrite() (bsc#1247949).
- btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes).
- btrfs: props: switch prop_handler::apply to struct btrfs_inode (git-fixes).
- btrfs: props: switch prop_handler::extract to struct btrfs_inode (git-fixes).
- btrfs: push cleanup into btrfs_read_locked_inode() (git-fixes).
- btrfs: qgroup: fix qgroup create ioctl returning success after quotas disabled (git-fixes).
- btrfs: qgroup: fix race between quota disable and quota rescan ioctl (git-fixes).
- btrfs: qgroup: remove no longer used fs_info->qgroup_ulist (git-fixes).
- btrfs: qgroup: set quota enabled bit if quota disable fails flushing reservations (git-fixes).
- btrfs: record new subvolume in parent dir earlier to avoid dir logging races (git-fixes).
- btrfs: remove conditional path allocation in btrfs_read_locked_inode() (git-fixes).
- btrfs: remove no longer needed strict argument from can_nocow_extent() (git-fixes).
- btrfs: remove redundant path release when replaying a log tree (git-fixes).
- btrfs: remove the snapshot check from check_committed_ref() (git-fixes).
- btrfs: restore mount option info messages during mount (git-fixes).
- btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes).
- btrfs: return a btrfs_inode from read_one_inode() (git-fixes).
- btrfs: return any hit error from extent_writepage_io() (git-fixes).
- btrfs: send: remove unnecessary inode lookup at send_encoded_inline_extent() (git-fixes).
- btrfs: simplify arguments for btrfs_cross_ref_exist() (git-fixes).
- btrfs: simplify early error checking in btrfs_page_mkwrite() (bsc#1247949).
- btrfs: simplify error detection flow during log replay (git-fixes).
- btrfs: simplify return logic at check_committed_ref() (git-fixes).
- btrfs: subpage: fix the bitmap dump of the locked flags (git-fixes).
- btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes).
- btrfs: tree-checker: fix the incorrect inode ref size check (git-fixes).
- btrfs: unfold transaction aborts when replaying log trees (git-fixes).
- btrfs: unify ordering of btrfs_key initializations (git-fixes).
- btrfs: update superblock's device bytes_used when dropping chunk (git-fixes).
- btrfs: use a single variable to track return value at btrfs_page_mkwrite() (bsc#1247949).
- btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes).
- btrfs: use filemap_get_folio() helper (git-fixes).
- btrfs: use struct btrfs_inode inside btrfs_get_name() (git-fixes).
- btrfs: use struct btrfs_inode inside btrfs_get_parent() (git-fixes).
- btrfs: use struct btrfs_inode inside btrfs_remap_file_range() (git-fixes).
- btrfs: use struct btrfs_inode inside btrfs_remap_file_range_prep() (git-fixes).
- btrfs: use struct btrfs_inode inside create_pending_snapshot() (git-fixes).
- btrfs: use verbose ASSERT() in volumes.c (bsc#1249038).
- build_bug.h: Add KABI assert (bsc#1249186).
- bus: firewall: Fix missing static inline annotations for stubs (git-fixes).
- bus: fsl-mc: Check return value of platform_get_resource() (git-fixes).
- bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes).
- bus: mhi: ep: Fix chained transfer handling in read path (git-fixes).
- bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes).
- bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup() (git-fixes).
- bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640 (git-fixes).
- can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled (stable-fixes).
- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: j1939: implement NETDEV_UNREGISTER notification handler (git-fixes).
- can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails (git-fixes).
- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed (git-fixes).
- can: kvaser_pciefd: Store device channel index (git-fixes).
- can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes).
- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes).
- can: peak_usb: fix USB FD devices potential malfunction (git-fixes).
- can: peak_usb: fix shift-out-of-bounds issue (git-fixes).
- can: rcar_can: rcar_can_resume(): fix s2ram with PSCI (stable-fixes).
- can: rcar_canfd: Fix controller mode setting (stable-fixes).
- can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB (git-fixes).
- cdc-acm: fix race between initial clearing halt and open (git-fixes).
- cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN (stable-fixes).
- cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes).
- cgroup/cpuset: Fix a partition error with CPU hotplug (bsc#1241166).
- cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (bsc#1241166).
- cgroup: Add compatibility option for content of /proc/cgroups (jsc#PED-12405).
- cgroup: Print message when /proc/cgroups is read on v2-only system (jsc#PED-12405).
- cgroup: llist: avoid memory tears for llist_node (bsc#1247963).
- cgroup: make css_rstat_updated nmi safe (bsc#1247963).
- cgroup: remove per-cpu per-subsystem locks (bsc#1247963).
- cgroup: support to enable nmi-safe css_rstat_updated (bsc#1247963).
- char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes).
- clk: at91: peripheral: fix return value (git-fixes).
- clk: at91: sam9x7: update pll clk ranges (git-fixes).
- clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes).
- clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes).
- clk: imx95-blk-ctl: Fix synchronous abort (git-fixes).
- clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags() (git-fixes).
- clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m (git-fixes).
- clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register() (git-fixes).
- clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src (git-fixes).
- clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk (git-fixes).
- clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init() (git-fixes).
- clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv clocks (git-fixes).
- clk: samsung: exynos850: fix a comment (git-fixes).
- clk: samsung: gs101: fix CLK_DOUT_CMU_G3D_BUSD (git-fixes).
- clk: samsung: gs101: fix alternate mout_hsi0_usb20_ref parent clock (git-fixes).
- clk: sunxi-ng: v3s: Fix de clock definition (git-fixes).
- clk: tegra: do not overallocate memory for bpmp clocks (git-fixes).
- clk: thead: th1520-ap: Correctly refer the parent of osc_12m (git-fixes).
- clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes).
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes).
- comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes).
- comedi: fix race between polling and detaching (git-fixes).
- comedi: pcl726: Prevent invalid irq number (git-fixes).
- compiler-clang.h: define __SANITIZE_*__ macros only when undefined (stable-fixes).
- compiler: remove __ADDRESSABLE_ASM{_STR,}() again (git-fixes).
- config.sh: SLFO 1.2 branched in IBS
- config: arm64: default: enable mtu3 dual-role support for MediaTek platforms (bsc#1245206)
- coredump: Fixes core_pipe_limit sysctl proc_handler (git-fixes).
- cpu: Define attack vectors (git-fixes).
- cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume (git-fixes).
- cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor (git-fixes).
- cpufreq/sched: Explicitly synchronize limits_changed flag (git-fixes)
- cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS (git-fixes)
- cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist (stable-fixes).
- cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay (stable-fixes).
- cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag (stable-fixes).
- cpufreq: Exit governor when failed to start old governor (stable-fixes).
- cpufreq: Init policy->rwsem before it may be possibly used (git-fixes).
- cpufreq: Initialize cpufreq-based frequency-invariance later (git-fixes).
- cpufreq: Initialize cpufreq-based invariance before subsys (git-fixes).
- cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency (stable-fixes git-fixes).
- cpufreq: Reference count policy in cpufreq_update_limits() (git-fixes).
- cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() (stable-fixes).
- cpufreq: armada-8k: make both cpu masks static (git-fixes).
- cpufreq: cppc: Fix invalid return value in .get() callback (git-fixes).
- cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() (git-fixes).
- cpufreq: intel_pstate: Add Granite Rapids support in no-HWP mode (stable-fixes).
- cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode (git-fixes).
- cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() (git-fixes).
- cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode (git-fixes).
- cpufreq: mediatek: fix device leak on probe failure (git-fixes).
- cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() (git-fixes).
- cpufreq: scmi: Skip SCMI devices that are not used by the CPUs (stable-fixes).
- cpufreq: scpi: compare kHz instead of Hz (git-fixes).
- cpufreq: sun50i: prevent out-of-bounds access (git-fixes).
- cpufreq: tegra186: Set target frequency for all cpus in policy (git-fixes).
- cpufreq: tegra186: Share policy per cluster (stable-fixes).
- cpupower: Fix a bug where the -t option of the set subcommand was not working (stable-fixes).
- crypto: af_alg - Set merge to zero early in af_alg_sendmsg (git-fixes).
- crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes).
- crypto: aspeed - Fix dma_unmap_sg() direction (git-fixes).
- crypto: atmel - Fix dma_unmap_sg() direction (git-fixes).
- crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP (git-fixes).
- crypto: ccp - Add missing bootloader info reg for pspv6 (stable-fixes).
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes).
- crypto: ccp - Fix locking on alloc failure handling (git-fixes).
- crypto: essiv - Check ssize for decryption and in-place encryption (git-fixes).
- crypto: hisilicon - re-enable address prefetch after device resuming (git-fixes).
- crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes).
- crypto: hisilicon/qm - check whether the input function and PF are on the same device (git-fixes).
- crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs (git-fixes).
- crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations (git-fixes).
- crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes).
- crypto: jitter - fix intermediary handling (stable-fixes).
- crypto: keembay - Add missing check after sg_nents_for_len() (git-fixes).
- crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes).
- crypto: octeontx2 - Call strscpy() with correct size argument (git-fixes).
- crypto: octeontx2 - Fix address alignment issue on ucode loading (stable-fixes).
- crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and OcteonTX2 (stable-fixes).
- crypto: octeontx2 - Fix address alignment on CN10KB and CN10KA-B0 (stable-fixes).
- crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes).
- crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes).
- crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes).
- crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes).
- crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes).
- crypto: qat - fix state restore for banks with exceptions (git-fixes).
- crypto: qat - flush misc workqueue during device shutdown (git-fixes).
- crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes).
- crypto: qat - use unmanaged allocation for dc_data (git-fixes).
- crypto: rng - Ensure set_ent is always present (git-fixes).
- crypto: rockchip - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes).
- devlink: Add support for u64 parameters (jsc#PED-13331).
- devlink: avoid param type value translations (jsc#PED-13331).
- devlink: define enum for attr types of dynamic attributes (jsc#PED-13331).
- devlink: introduce devlink_nl_put_u64() (jsc#PED-13331).
- devlink: let driver opt out of automatic phys_port_name generation (git-fixes).
- dm-mpath: do not print the "loaded" message if registering fails (git-fixes).
- dm-stripe: limit chunk_sectors to the stripe size (git-fixes).
- dm-table: fix checking for rq stackable devices (git-fixes).
- dm: Check for forbidden splitting of zone write operations (git-fixes).
- dm: split write BIOs on zone boundaries when zone append is not emulated (git-fixes).
- dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted (stable-fixes).
- dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation (git-fixes).
- dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes).
- dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate (git-fixes).
- dmaengine: fsl-dpaa2-qdma: Drop unused mc_enc() (git-fixes).
- dmaengine: idxd: Fix double free in idxd_setup_wqs() (git-fixes).
- dmaengine: idxd: Fix refcount underflow on module unload (git-fixes).
- dmaengine: idxd: Remove improper idxd_free (git-fixes).
- dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() (git-fixes).
- dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning (git-fixes).
- dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes).
- dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes).
- dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees (git-fixes).
- dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes).
- dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs (stable-fixes).
- dmaengine: ti: edma: Fix memory allocation size for queue_priority_map (git-fixes).
- docs: admin-guide: update to current minimum pipe size default (git-fixes).
- dpll: Add basic Microchip ZL3073x support (jsc#PED-13331).
- dpll: Make ZL3073X invisible (jsc#PED-13331).
- dpll: zl3073x: Add support to get/set frequency on pins (jsc#PED-13331).
- dpll: zl3073x: Add support to get/set priority on input pins (jsc#PED-13331).
- dpll: zl3073x: Fetch invariants during probe (jsc#PED-13331).
- dpll: zl3073x: Fix build failure (jsc#PED-13331).
- dpll: zl3073x: Implement input pin selection in manual mode (jsc#PED-13331).
- dpll: zl3073x: Implement input pin state setting in automatic mode (jsc#PED-13331).
- dpll: zl3073x: Read DPLL types and pin properties from system firmware (jsc#PED-13331).
- dpll: zl3073x: Register DPLL devices and pins (jsc#PED-13331).
- dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (jsc#PED-13331).
- driver core/PM: Set power.no_callbacks along with power.no_pm (stable-fixes).
- drivers/base/node: fix double free in register_one_node() (git-fixes).
- drivers/base/node: handle error properly in register_one_node() (git-fixes).
- drivers: base: handle module_kobject creation (git-fixes).
- drm/amd : Update MES API header file for v11 & v12 (stable-fixes).
- drm/amd/amdgpu: Declare isp firmware binary file (stable-fixes).
- drm/amd/amdgpu: Fix missing error return on kzalloc failure (git-fixes).
- drm/amd/amdgpu: Implement MES suspend/resume gang functionality for v12 (bsc#1243112).
- drm/amd/amdgpu: disable hwmon power1_cap* for gfx 11.0.3 on vf mode (stable-fixes).
- drm/amd/display: Add NULL check for stream before dereference in 'dm_vupdate_high_irq' (bsc#1243112).
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs (git-fixes).
- drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes).
- drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes).
- drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes).
- drm/amd/display: Allow DCN301 to clear update flags (git-fixes).
- drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put (git-fixes).
- drm/amd/display: Avoid a NULL pointer dereference (stable-fixes).
- drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes).
- drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes).
- drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG (stable-fixes).
- drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF (git-fixes).
- drm/amd/display: Disable CRTC degamma LUT for DCN401 (stable-fixes).
- drm/amd/display: Disable DPCD Probe Quirk (bsc#1248121).
- drm/amd/display: Disable dsc_power_gate for dcn314 by default (stable-fixes).
- drm/amd/display: Disable scaling on DCE6 for now (git-fixes).
- drm/amd/display: Do not check for NULL divisor in fixpt code (git-fixes).
- drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes).
- drm/amd/display: Do not overwrite dce60_clk_mgr (git-fixes).
- drm/amd/display: Do not print errors for nonexistent connectors (git-fixes).
- drm/amd/display: Do not warn when missing DCE encoder caps (stable-fixes).
- drm/amd/display: Enable Dynamic DTBCLK Switch (bsc#1243112).
- drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes).
- drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes).
- drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes).
- drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes).
- drm/amd/display: Fix Xorg desktop unresponsive on Replay panel (stable-fixes).
- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes).
- drm/amd/display: Fix mismatch type comparison (stable-fixes).
- drm/amd/display: Fix vupdate_offload_work doc (bsc#1243112).
- drm/amd/display: Free memory allocation (stable-fixes).
- drm/amd/display: Init DCN35 clocks from pre-os HW values (git-fixes).
- drm/amd/display: Initialize mode_select to 0 (stable-fixes).
- drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes).
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 (git-fixes).
- drm/amd/display: Properly disable scaling on DCE6 (git-fixes).
- drm/amd/display: Remove redundant semicolons (git-fixes).
- drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes).
- drm/amd/display: Update DMCUB loading sequence for DCN3.5 (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes).
- drm/amd/display: fix a Null pointer dereference vulnerability (stable-fixes).
- drm/amd/display: fix dmub access race condition (bsc#1243112).
- drm/amd/display: fix initial backlight brightness calculation (git-fixes).
- drm/amd/display: limit clear_update_flags to dcn32 and above (stable-fixes).
- drm/amd/display: more liberal vmin/vmax update for freesync (bsc#1243112).
- drm/amd/display: remove output_tf_change flag (git-fixes).
- drm/amd/display: use udelay rather than fsleep (git-fixes).
- drm/amd/include : MES v11 and v12 API header update (stable-fixes).
- drm/amd/include : Update MES v12 API for fence update (stable-fixes).
- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes).
- drm/amd/pm: Adjust si_upload_smc_data register programming (v3) (git-fixes).
- drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) (git-fixes).
- drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) (git-fixes).
- drm/amd/pm: Disable ULV even if unsupported (v3) (git-fixes).
- drm/amd/pm: Fix si_upload_smc_data (v3) (git-fixes).
- drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) (git-fixes).
- drm/amd/pm: fix null pointer access (stable-fixes).
- drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes).
- drm/amd: Avoid evicting resources at S5 (bsc#1243112).
- drm/amd: Check whether secure display TA loaded successfully (bsc#1243112).
- drm/amd: Fix hybrid sleep (bsc#1243112).
- drm/amd: Only restore cached manual clock settings in restore if OD enabled (bsc#1243112).
- drm/amd: Restore cached manual clock settings during resume (bsc#1243112).
- drm/amd: Restore cached power limit during resume (stable-fixes).
- drm/amdgpu/discovery: fix fw based ip discovery (git-fixes).
- drm/amdgpu/discovery: optionally use fw based ip discovery (stable-fixes).
- drm/amdgpu/gfx10: fix KGQ reset sequence (git-fixes).
- drm/amdgpu/gfx10: fix kiq locking in KCQ reset (git-fixes).
- drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset (git-fixes).
- drm/amdgpu/gfx9: fix kiq locking in KCQ reset (git-fixes).
- drm/amdgpu/mes11: implement detect and reset callback (bsc#1243112).
- drm/amdgpu/mes12: implement detect and reset callback (bsc#1243112).
- drm/amdgpu/mes: add front end for detect and reset hung queue (bsc#1243112).
- drm/amdgpu/mes: add missing locking in helper functions (stable-fixes).
- drm/amdgpu/mes: enable compute pipes across all MEC (git-fixes).
- drm/amdgpu/mes: optimize compute loop handling (stable-fixes).
- drm/amdgpu/swm14: Update power limit logic (stable-fixes).
- drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages (stable-fixes).
- drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time (stable-fixes).
- drm/amdgpu/vcn: fix ref counting for ring based profile handling (git-fixes).
- drm/amdgpu/vpe: cancel delayed work in hw_fini (bsc#1243112).
- drm/amdgpu: Add additional DCE6 SCL registers (git-fixes).
- drm/amdgpu: Avoid extra evict-restore process (stable-fixes).
- drm/amdgpu: Avoid rma causes GPU duplicate reset (bsc#1243112).
- drm/amdgpu: Enable MES lr_compute_wa by default (stable-fixes).
- drm/amdgpu: Fix allocating extra dwords for rings (v2) (git-fixes).
- drm/amdgpu: Fix for GPU reset being blocked by KIQ I/O (bsc#1243112).
- drm/amdgpu: Increase reset counter only on success (stable-fixes).
- drm/amdgpu: Initialize data to NULL in imu_v12_0_program_rlc_ram() (git-fixes).
- drm/amdgpu: Power up UVD 3 for FW validation (v2) (git-fixes).
- drm/amdgpu: Remove nbiov7.9 replay count reporting (git-fixes).
- drm/amdgpu: Report individual reset error (bsc#1243112).
- drm/amdgpu: Reset the clear flag in buddy during resume (git-fixes).
- drm/amdgpu: Update external revid for GC v9.5.0 (stable-fixes).
- drm/amdgpu: VCN v5_0_1 to prevent FW checking RB during DPG pause (stable-fixes).
- drm/amdgpu: add kicker fws loading for gfx11/smu13/psp13 (stable-fixes).
- drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities (stable-fixes).
- drm/amdgpu: do not resume device in thaw for normal hibernation (bsc#1243112).
- drm/amdgpu: drop hw access in non-DC audio fini (stable-fixes).
- drm/amdgpu: fix a memory leak in fence cleanup when unloading (git-fixes).
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes).
- drm/amdgpu: fix link error for !PM_SLEEP (bsc#1243112).
- drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes).
- drm/amdgpu: fix vram reservation issue (git-fixes).
- drm/amdgpu: remove the redeclaration of variable i (git-fixes).
- drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes).
- drm/amdgpu: update mmhub 4.1.0 client id mappings (stable-fixes).
- drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes).
- drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() (git-fixes).
- drm/amdkfd: Fix mmap write lock not release (bsc#1243112).
- drm/ast: Use msleep instead of mdelay for edid read (git-fixes).
- drm/bridge: fix OF node leak (git-fixes).
- drm/bridge: it6505: select REGMAP_I2C (git-fixes).
- drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes).
- drm/bridge: ti-sn65dsi86: fix REFCLK setting (git-fixes).
- drm/cirrus-qemu: Fix pitch programming (git-fixes).
- drm/connector: hdmi: Evaluate limited range after computing format (git-fixes).
- drm/dp: Add an EDID quirk for the DPCD register access probe (bsc#1248121).
- drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes).
- drm/dp: Change AUX DPCD probe address from LANE0_1_STATUS to TRAINING_PATTERN_SET (bsc#1248121).
- drm/edid: Add support for quirks visible to DRM core and drivers (bsc#1248121).
- drm/edid: Define the quirks in an enum list (bsc#1248121).
- drm/format-helper: Add conversion from XRGB8888 to BGR888 (stable-fixes).
- drm/gem: Internally test import_attach for imported objects (git-fixes).
- drm/gem: Test for imported GEM buffers with helper (stable-fixes).
- drm/gma500: Fix null dereference in hdmi teardown (git-fixes).
- drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes).
- drm/hisilicon/hibmc: fix the i2c device resource leak when vdac init failed (git-fixes).
- drm/hisilicon/hibmc: refactored struct hibmc_drm_private (stable-fixes).
- drm/i915/backlight: Return immediately when scale() finds invalid parameters (stable-fixes).
- drm/i915/ddi: change intel_ddi_init_{dp, hdmi}_connector() return type (stable-fixes).
- drm/i915/ddi: gracefully handle errors from intel_ddi_init_hdmi_connector() (stable-fixes).
- drm/i915/ddi: only call shutdown hooks for valid encoders (stable-fixes).
- drm/i915/display: Fix dma_fence_wait_timeout() return value handling (git-fixes).
- drm/i915/display: add intel_encoder_is_hdmi() (stable-fixes).
- drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x (git-fixes).
- drm/i915/dp_mst: Work around Thunderbolt sink disconnect after SINK_COUNT_ESI read (stable-fixes).
- drm/i915/hdmi: add error handling in g4x_hdmi_init() (stable-fixes).
- drm/i915/hdmi: propagate errors from intel_hdmi_init_connector() (stable-fixes).
- drm/i915/icl+/tc: Cache the max lane count value (stable-fixes).
- drm/i915/icl+/tc: Convert AUX powered WARN to a debug message (stable-fixes).
- drm/i915/power: fix size for for_each_set_bit() in abox iteration (git-fixes).
- drm/imagination: Clear runtime PM errors while resetting the GPU (stable-fixes).
- drm/mediatek: Add error handling for old state CRTC in atomic_disable (git-fixes).
- drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes).
- drm/mediatek: fix potential OF node use-after-free (git-fixes).
- drm/msm/dp: account for widebus and yuv420 during mode validation (git-fixes).
- drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes).
- drm/msm/dpu: fix incorrect type for ret (git-fixes).
- drm/msm/kms: move snapshot init earlier in KMS init (git-fixes).
- drm/msm: Add error handling for krealloc in metadata setup (stable-fixes).
- drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes).
- drm/msm: update the high bitfield of certain DSI registers (git-fixes).
- drm/msm: use trylock for debugfs (stable-fixes).
- drm/nouveau/disp: Always accept linear modifier (git-fixes).
- drm/nouveau/gsp: fix potential leak of memory used during acpi init (git-fixes).
- drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes).
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep (git-fixes).
- drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes).
- drm/nouveau: fix typos in comments (git-fixes).
- drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes).
- drm/nouveau: remove unused memory target test (git-fixes).
- drm/panel: novatek-nt35560: Fix invalid return value (git-fixes).
- drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes).
- drm/panthor: Add missing explicit padding in drm_panthor_gpu_info (git-fixes).
- drm/panthor: Defer scheduler entitiy destruction to queue release (git-fixes).
- drm/panthor: Fix memory leak in panthor_ioctl_group_create() (git-fixes).
- drm/panthor: validate group queue count (git-fixes).
- drm/radeon/r600_cs: clean up of dead code in r600_cs (git-fixes).
- drm/rcar-du: dsi: Fix 1/2/3 lane support (git-fixes).
- drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes).
- drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes).
- drm/simpledrm: Do not upcast in release helpers (git-fixes).
- drm/tests: Fix endian warning (git-fixes).
- drm/ttm: Respect the shrinker core free target (stable-fixes).
- drm/ttm: Should to return the evict error (stable-fixes).
- drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes).
- drm/vmwgfx: Fix Use-after-free in validation (git-fixes).
- drm/vmwgfx: Fix a null-ptr access in the cursor snooper (git-fixes).
- drm/vmwgfx: Fix copy-paste typo in validation (git-fixes).
- drm/xe/bmg: Add new PCI IDs (stable-fixes).
- drm/xe/bmg: Add one additional PCI ID (stable-fixes).
- drm/xe/bmg: Update Wa_22019338487 (git-fixes).
- drm/xe/gsc: do not flush the GSC worker from the reset path (git-fixes).
- drm/xe/hw_engine_group: Fix double write lock release in error path (git-fixes).
- drm/xe/mocs: Initialize MOCS index early (stable-fixes).
- drm/xe/pf: Move VFs reprovisioning to worker (stable-fixes).
- drm/xe/pf: Prepare to stop SR-IOV support prior GT reset (git-fixes).
- drm/xe/pf: Sanitize VF scratch registers on FLR (stable-fixes).
- drm/xe/tile: Release kobject for the failure path (git-fixes).
- drm/xe/uapi: Correct sync type definition in comments (git-fixes).
- drm/xe/uapi: loosen used tracking restriction (git-fixes).
- drm/xe/vf: Disable CSC support on VF (git-fixes).
- drm/xe/vm: Clear the scratch_pt pointer on error (git-fixes).
- drm/xe/xe_query: Use separate iterator while filling GT list (stable-fixes).
- drm/xe/xe_sync: avoid race during ufence signaling (git-fixes).
- drm/xe: Allow dropping kunit dependency as built-in (git-fixes).
- drm/xe: Attempt to bring bos back to VRAM after eviction (git-fixes).
- drm/xe: Carve out wopcm portion from the stolen memory (git-fixes).
- drm/xe: Do not trigger rebind on initial dma-buf validation (git-fixes).
- drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change (git-fixes).
- drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() (git-fixes).
- drm/xe: Fix build without debugfs (git-fixes).
- drm/xe: Make dma-fences compliant with the safe access rules (stable-fixes).
- drm/xe: Move page fault init after topology init (git-fixes).
- drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ (git-fixes).
- drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path (git-fixes).
- drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range (stable-fixes).
- dt-bindings: dpll: Add DPLL device and pin (jsc#PED-13331).
- dt-bindings: dpll: Add support for Microchip Azurite chip family (jsc#PED-13331).
- e1000e: disregard NVM checksum on tgp when valid checksum bit is not set (git-fixes).
- e1000e: ignore uninitialized checksum word on tgp (git-fixes).
- efi: stmm: Fix incorrect buffer allocation method (git-fixes).
- erofs: avoid reading more for fragment maps (git-fixes).
- erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC (git-fixes).
- execmem: enforce allocation size aligment to PAGE_SIZE (git-fixes).
- exfat: add cluster chain loop check for dir (git-fixes).
- exfat: fdatasync flag should be same like generic_write_sync() (git-fixes).
- ext4: fix checks for orphan inodes (bsc#1250119).
- ext4: remove writable userspace mappings before truncating page cache (bsc#1247223).
- fbcon: Fix OOB access in font allocation (git-fixes).
- fbcon: Fix outdated registered_fb reference in comment (git-fixes).
- fbcon: fix integer overflow in fbcon_do_set_font (git-fixes).
- fbdev: Fix logic error in "offb" name match (git-fixes).
- fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes).
- fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes).
- fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes).
- fbdev: simplefb: Fix use after free in simplefb_detach_genpds() (git-fixes).
- fgraph: Fix set_graph_notrace with setting TRACE_GRAPH_NOTRACE_BIT (git-fixes).
- firewire: core: fix overlooked update of subsystem ABI version (git-fixes).
- firewire: ohci: correct code comments about bus_reset tasklet (git-fixes).
- firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall (stable-fixes).
- firmware: arm_scmi: Convert to SYSTEM_SLEEP_PM_OPS (git-fixes).
- firmware: arm_scmi: Fix up turbo frequencies selection (git-fixes).
- firmware: arm_scmi: Mark VirtIO ready before registering scmi_virtio_driver (git-fixes).
- firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set early during resume (stable-fixes).
- firmware: firmware: meson-sm: fix compile-test default (git-fixes).
- firmware: meson_sm: fix device leak at probe (git-fixes).
- firmware: tegra: Fix IVC dependency problems (stable-fixes).
- flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read (git-fixes).
- fs/nfs/io: make nfs_start_io_*() killable (git-fixes).
- fs/proc/task_mmu: check p->vec_buf for NULL (git-fixes).
- fs/proc: Use inode_get_dev() for device numbers in procmap_query References: bsc#1246450
- ftrace: Fix function profiler's filtering functionality (git-fixes).
- ftrace: fix incorrect hash size in register_ftrace_direct() (git-fixes).
- gfs2: Call gfs2_queue_verify_delete from gfs2_evict_inode (bsc#1247220).
- gfs2: Clean up delete work processing (bsc#1247220).
- gfs2: Faster gfs2_upgrade_iopen_glock wakeups (bsc#1247220).
- gfs2: Initialize gl_no_formal_ino earlier (bsc#1247220).
- gfs2: Minor delete_work_func cleanup (bsc#1247220).
- gfs2: Only defer deletes when we have an iopen glock (bsc#1247220).
- gfs2: Prevent inode creation race (2) (bsc#1247220).
- gfs2: Prevent inode creation race (bsc#1247220).
- gfs2: Randomize GLF_VERIFY_DELETE work delay (bsc#1247220).
- gfs2: Rename GIF_{DEFERRED -> DEFER}_DELETE (bsc#1247220).
- gfs2: Rename dinode_demise to evict_behavior (bsc#1247220).
- gfs2: Replace GIF_DEFER_DELETE with GLF_DEFER_DELETE (bsc#1247220).
- gfs2: Return enum evict_behavior from gfs2_upgrade_iopen_glock (bsc#1247220).
- gfs2: Simplify DLM_LKF_QUECVT use (bsc#1247220).
- gfs2: Update to the evict / remote delete documentation (bsc#1247220).
- gfs2: Use mod_delayed_work in gfs2_queue_try_to_evict (bsc#1247220).
- gfs2: gfs2_evict_inode clarification (bsc#1247220).
- gfs2: minor evict fix (bsc#1247220).
- gfs2: skip if we cannot defer delete (bsc#1247220).
- gpio: mlxbf2: use platform_get_irq_optional() (git-fixes).
- gpio: mlxbf3: use platform_get_irq_optional() (git-fixes).
- gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes).
- gpio: virtio: Fix config space reading (git-fixes).
- gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes).
- gpio: wcd934x: mark the GPIO controller as sleeping (git-fixes).
- gpiolib: Extend software-node support to support secondary software-nodes (git-fixes).
- gve: Fix stuck TX queue for DQ queue format (git-fixes).
- gve: prevent ethtool ops after shutdown (git-fixes).
- habanalabs: fix UAF in export_dmabuf() (git-fixes).
- hid: fix I2C read buffer overflow in raw_event() for mcp2221 (stable-fixes).
- hv_netvsc: Fix panic during namespace deletion with VF (bsc#1248111).
- hv_netvsc: Link queues to NAPIs (git-fixes).
- hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes).
- hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes).
- hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems (git-fixes).
- hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM (git-fixes).
- hwrng: ks-sa - fix division by zero in ks_sa_rng_init (git-fixes).
- hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes).
- hwrng: nomadik - add ARM_AMBA dependency (git-fixes).
- i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes).
- i2c: designware: Add disabling clocks when probe fails (git-fixes).
- i2c: designware: Add quirk for Intel Xe (stable-fixes).
- i2c: designware: Fix clock issue when PM is disabled (git-fixes).
- i2c: designware: Use temporary variable for struct device (stable-fixes).
- i2c: i801: Hide Intel Birch Stream SoC TCO WDT (git-fixes).
- i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD (git-fixes).
- i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe() (git-fixes).
- i2c: omap: Add support for setting mux (stable-fixes).
- i2c: omap: Fix an error handling path in omap_i2c_probe() (git-fixes).
- i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() (git-fixes).
- i2c: omap: fix deprecated of_property_read_bool() use (git-fixes).
- i2c: qup: jump out of the loop in case of timeout (git-fixes).
- i2c: riic: Allow setting frequencies lower than 50KHz (git-fixes).
- i2c: tegra: Fix reset error handling with ACPI (git-fixes).
- i2c: tegra: Use internal reset when reset property is not available (bsc#1249143)
- i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes).
- i3c: Fix default I2C adapter timeout value (git-fixes).
- i3c: add missing include to internal header (stable-fixes).
- i3c: do not fail if GETHDRCAP is unsupported (stable-fixes).
- i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes).
- i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes).
- i3c: master: svc: Recycle unused IBI slot (git-fixes).
- i3c: master: svc: Use manual response for IBI events (git-fixes).
- i40e: When removing VF MAC filters, only check PF-set MAC (git-fixes).
- i40e: report VF tx_dropped with tx_errors instead of tx_discards (git-fixes).
- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (git-fixes).
- ice, irdma: fix an off by one in error handling code (bsc#1247712).
- ice, irdma: move interrupts code to irdma (bsc#1247712).
- ice/ptp: fix crosstimestamp reporting (git-fixes).
- ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712).
- ice: Replace ice specific DSCP mapping num with a kernel define (jsc#PED-13728 jsc#PED-13762).
- ice: check correct pointer in fwlog debugfs (git-fixes).
- ice: count combined queues using Rx/Tx count (bsc#1247712).
- ice: devlink PF MSI-X max and min parameter (bsc#1247712).
- ice: do not leave device non-functional if Tx scheduler config fails (git-fixes).
- ice: enable_rdma devlink param (bsc#1247712).
- ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset (jsc#PED-13728).
- ice: fix incorrect counter for buffer allocation failures (git-fixes).
- ice: get rid of num_lan_msix field (bsc#1247712).
- ice: init flow director before RDMA (bsc#1247712).
- ice: remove splitting MSI-X between features (bsc#1247712).
- ice: simplify VF MSI-X managing (bsc#1247712).
- ice: treat dyn_allowed only as suggestion (bsc#1247712).
- ice: use fixed adapter index for E825C embedded devices (git-fixes).
- idpf: add PTP clock configuration (jsc#PED-13728 jsc#PED-13762).
- idpf: add Tx timestamp capabilities negotiation (jsc#PED-13728 jsc#PED-13762).
- idpf: add Tx timestamp flows (jsc#PED-13728 jsc#PED-13762).
- idpf: add cross timestamping (jsc#PED-13728).
- idpf: add flow steering support (jsc#PED-13728).
- idpf: add initial PTP support (jsc#PED-13728 jsc#PED-13762).
- idpf: add mailbox access to read PTP clock time (jsc#PED-13728 jsc#PED-13762).
- idpf: add support for Rx timestamping (jsc#PED-13728 jsc#PED-13762).
- idpf: add support for Tx refillqs in flow scheduling mode (jsc#PED-13728).
- idpf: assign extracted ptype to struct libeth_rqe_info field (jsc#PED-13728 jsc#PED-13762).
- idpf: change the method for mailbox workqueue allocation (jsc#PED-13728 jsc#PED-13762).
- idpf: fix UAF in RDMA core aux dev deinitialization (jsc#PED-13728).
- idpf: implement IDC vport aux driver MTU change handler (jsc#PED-13728 jsc#PED-13762).
- idpf: implement RDMA vport auxiliary dev create, init, and destroy (jsc#PED-13728 jsc#PED-13762).
- idpf: implement core RDMA auxiliary dev create, init, and destroy (jsc#PED-13728 jsc#PED-13762).
- idpf: implement get LAN MMIO memory regions (jsc#PED-13728 jsc#PED-13762).
- idpf: implement remaining IDC RDMA core callbacks and handlers (jsc#PED-13728 jsc#PED-13762).
- idpf: improve when to set RE bit logic (jsc#PED-13728).
- idpf: move virtchnl structures to the header file (jsc#PED-13728 jsc#PED-13762).
- idpf: negotiate PTP capabilities and get PTP clock (jsc#PED-13728 jsc#PED-13762).
- idpf: preserve coalescing settings across resets (jsc#PED-13728).
- idpf: remove obsolete stashing code (jsc#PED-13728).
- idpf: remove unreachable code from setting mailbox (jsc#PED-13728 jsc#PED-13762).
- idpf: replace flow scheduling buffer ring with buffer pool (jsc#PED-13728).
- idpf: set mac type when adding and removing MAC filters (jsc#PED-13728).
- idpf: simplify and fix splitq Tx packet rollback error path (jsc#PED-13728).
- idpf: stop Tx if there are insufficient buffer resources (jsc#PED-13728).
- idpf: use reserved RDMA vectors from control plane (jsc#PED-13728 jsc#PED-13762).
- igb: xsk: solve negative overflow of nb_pkts in zerocopy mode (git-fixes).
- igc: disable L1.2 PCI-E link substate to avoid performance issue (git-fixes).
- igc: fix disabling L1.2 PCI-E link substate on I226 on init (git-fixes).
- iidc/ice/irdma: Break iidc.h into two headers (jsc#PED-13728 jsc#PED-13762).
- iidc/ice/irdma: Rename IDC header file (jsc#PED-13728 jsc#PED-13762).
- iidc/ice/irdma: Rename to iidc_* convention (jsc#PED-13728 jsc#PED-13762).
- iidc/ice/irdma: Update IDC to support multiple consumers (jsc#PED-13728 jsc#PED-13762).
- iio/adc/pac1934: fix channel disable configuration (git-fixes).
- iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 (git-fixes).
- iio: accel: fxls8962af: Fix temperature calculation (git-fixes).
- iio: adc: ad7173: fix setting ODR in probe (git-fixes).
- iio: adc: ad7266: Fix potential timestamp alignment issue (git-fixes).
- iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes).
- iio: adc: ad7768-1: Fix insufficient alignment of timestamp (git-fixes).
- iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes).
- iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes).
- iio: adc: dln2: Use aligned_s64 for timestamp (git-fixes).
- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes).
- iio: adc: max1363: Reorder mode_list[] entries (stable-fixes).
- iio: chemical: pms7003: use aligned_s64 for timestamp (git-fixes).
- iio: chemical: sps30: use aligned_s64 for timestamp (git-fixes).
- iio: common: st_sensors: Fix use of uninitialize device structs (stable-fixes).
- iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() (git-fixes).
- iio: consumers: Fix offset handling in iio_convert_raw_to_processed() (git-fixes).
- iio: dac: ad5360: use int type to store negative error codes (git-fixes).
- iio: dac: ad5421: use int type to store negative error codes (git-fixes).
- iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE (git-fixes).
- iio: frequency: adf4350: Fix prescaler usage (git-fixes).
- iio: hid-sensor-prox: Fix incorrect OFFSET calculation (git-fixes).
- iio: hid-sensor-prox: Restore lost scale assignments (git-fixes).
- iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes).
- iio: imu: inv_icm42600: Convert to uXX and sXX integer types (stable-fixes).
- iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume (git-fixes).
- iio: imu: inv_icm42600: change invalid data error to -EBUSY (git-fixes).
- iio: imu: inv_icm42600: fix spi burst write not supported (git-fixes).
- iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes).
- iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes).
- iio: light: Use aligned_s64 instead of open coding alignment (stable-fixes).
- iio: light: as73211: Ensure buffer holes are zeroed (git-fixes).
- iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes).
- iio: pressure: mprls0025pa: use aligned_s64 for timestamp (git-fixes).
- iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes).
- iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() (git-fixes).
- iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK (git-fixes).
- iio: xilinx-ams: Unmask interrupts after updating alarms (git-fixes).
- integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343).
- intel_idle: Provide the default enter_dead() handler (jsc#PED-13815).
- intel_idle: Rescan "dead" SMT siblings during initialization (jsc#PED-13815).
- intel_idle: Use subsys_initcall_sync() for initialization (jsc#PED-13815).
- interconnect: qcom: sc8180x: specify num_nodes (git-fixes).
- interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg (git-fixes).
- io_uring/rw: do not mask in f_iocb_flags (jsc#PED-12882 bsc#1237542). Drop blacklisting.
- io_uring: expose read/write attribute capability (jsc#PED-12882 bsc#1237542).
- io_uring: fix potential page leak in io_sqe_buffer_register() (git-fixes).
- iommu/amd: Enable PASID and ATS capabilities in the correct order (git-fixes).
- iommu/amd: Fix alias device DTE setting (git-fixes).
- iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes).
- iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes).
- iommu/arm-smmu-v3: Fix smmu_domain->nr_ats_masters decrement (git-fixes).
- iommu/tegra241-cmdqv: Read SMMU IDR1.CMDQS instead of hardcoding (git-fixes).
- iommu/vt-d: Disallow dirty tracking if incoherent page walk (git-fixes).
- iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() (git-fixes).
- iommu/vt-d: Fix missing PASID in dev TLB flush with cache_tag_flush_all (git-fixes).
- iommu/vt-d: Fix possible circular locking dependency (git-fixes).
- iommu/vt-d: Fix system hang on reboot -f (git-fixes).
- iommu/vt-d: PRS isn't usable if PDS isn't supported (git-fixes).
- iommu: Handle race with default domain setup (git-fixes).
- iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes).
- ipmi: Fix strcpy source and destination the same (stable-fixes).
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes).
- ipv6: annotate data-races around rt->fib6_nsiblings (git-fixes).
- ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes).
- ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes).
- ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes).
- ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems (git-fixes).
- irdma: free iwdev->rf after removing MSI-X (bsc#1247712).
- isolcpus: add missing hunk back (bsc#1236897 bsc#1249206).
- iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes).
- ixgbe: fix ixgbe_orom_civd_info struct layout (bsc#1245410).
- ixgbe: prevent from unwanted interface name changes (git-fixes).
- ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc (git-fixes).
- kABI fix after Add TDX support for vSphere (jsc#PED-13302).
- kABI fix after KVM: SVM: Fix SNP AP destroy race with VMRUN (git-fixes).
- kABI fix after KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes).
- kABI fix after KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap (git-fixes).
- kABI fix after vhost: Reintroduce kthread API and add mode selection (git-fixes).
- kABI workaround for "drm/dp: Add an EDID quirk for the DPCD register access probe" (bsc#1248121).
- kABI workaround for amd_sfh (git-fixes).
- kABI workaround for drm_gem.h (git-fixes).
- kABI workaround for struct mtk_base_afe changes (git-fixes).
- kABI: Fix the module::name type in audit_context (git-fixes).
- kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes).
- kABI: arm64: ftrace: Restore struct mod_arch_specific layout (git-fixes).
- kABI: fix for struct devlink_port_attrs: move new member to the end (git-fixes).
- kABI: netfilter: supress warnings for nft_set_ops (git-fixes).
- kABI: x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation (git-fixes).
- kabi/severities: ignore kABI compatibility in iio inv_icm42600 drivers They are used only locally
- kabi/severities: ignore two unused/dropped symbols from MEI
- kabi: Hide adding of u64 to devlink_param_type (jsc#PED-12745).
- kabi: Restore layout of parallel_data (bsc1248343).
- kabi: restore layout of struct cgroup_rstat_cpu (bsc#1247963).
- kasan: use vmalloc_dump_obj() for vmalloc error reports (git-fixes).
- kbuild/modpost: Continue processing all unresolved symbols when KLP_SYM_RELA is found (bsc#1218644, bsc#1250655).
- kbuild: rust: add rustc-min-version support function (git-fixes)
- kernel-binary: Another installation ordering fix (bsc#1241353).
- kernel-subpackage-build: Decompress ghost file when compressed version exists (bsc#1249346)
- kernel: globalize lookup_or_create_module_kobject() (stable-fixes).
- kernel: param: rename locate_module_kobject (stable-fixes).
- leds: flash: leds-qcom-flash: Fix registry access after re-bind (git-fixes).
- leds: flash: leds-qcom-flash: Update torch current clamp setting (git-fixes).
- leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes).
- leds: leds-lp55xx: Use correct address for memory programming (git-fixes).
- lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897).
- libbpf: Add identical pointer detection to btf_dedup_is_equiv() (git-fixes).
- libeth: move idpf_rx_csum_decoded and idpf_rx_extracted (jsc#PED-13728 jsc#PED-13762).
- livepatch: Add stack_order sysfs attribute (poo#187320).
- loop: use kiocb helpers to fix lockdep warning (git-fixes).
- lpfc: do not use file->f_path.dentry for comparisons (bsc#1250519).
- mISDN: Fix memory leak in dsp_hwec_enable() (git-fixes).
- mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes).
- mailbox: Not protect module_put with spin_lock_irqsave (stable-fixes).
- mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data() (git-fixes).
- mailbox: pcc: Always clear the platform ack interrupt first (stable-fixes).
- mailbox: pcc: Fix the possible race in updation of chan_in_use flag (stable-fixes).
- mailbox: pcc: Use acpi_os_ioremap() instead of ioremap() (stable-fixes).
- mailbox: zynqmp-ipi: Fix SGI cleanup on unbind (git-fixes).
- mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop (git-fixes).
- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes (git-fixes).
- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call (git-fixes).
- maple_tree: fix MAPLE_PARENT_RANGE32 and parent pointer docs (git-fixes).
- maple_tree: fix status setup on restore to active (git-fixes).
- maple_tree: fix testing for 32 bit builds (git-fixes).
- mctp: no longer rely on net->dev_index_head (git-fixes).
- md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes).
- md: allow removing faulty rdev during resync (git-fixes).
- md: dm-zoned-target: Initialize return variable r to avoid uninitialized use (git-fixes).
- md: make rdev_addable usable for rcu mode (git-fixes).
- media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (git-fixes).
- media: cec: extron-da-hd-4k-plus: drop external-module make commands (git-fixes).
- media: cx18: Add missing check after DMA map (git-fixes).
- media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes).
- media: dvb-frontends: w7090p: fix null-ptr-deref in
w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes).
- media: gspca: Add bounds checking to firmware parser (git-fixes).
- media: hi556: Fix reset GPIO timings (stable-fixes).
- media: hi556: correct the test pattern configuration (git-fixes).
- media: i2c: mt9v111: fix incorrect type for ret (git-fixes).
- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe (git-fixes).
- media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes).
- media: ipu-bridge: Add _HID for OV5670 (stable-fixes).
- media: ipu6: isys: Use correct pads for xlate_streams() (git-fixes).
- media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls (git-fixes).
- media: lirc: Fix error handling in lirc_register() (git-fixes).
- media: mc: Fix MUST_CONNECT handling for pads with no links (git-fixes).
- media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval (git-fixes).
- media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes).
- media: pci: ivtv: Add missing check after DMA map (git-fixes).
- media: pci: mg4b: fix uninitialized iio scan data (git-fixes).
- media: pisp_be: Fix pm_runtime underrun in probe (git-fixes).
- media: qcom: camss: cleanup media device allocated resource on error path (git-fixes).
- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes).
- media: rc: fix races with imon_disconnect() (git-fixes).
- media: rj54n1cb0c: Fix memleak in rj54n1_probe() (git-fixes).
- media: s5p-mfc: remove an unused/uninitialized variable (git-fixes).
- media: st-delta: avoid excessive stack usage (git-fixes).
- media: tc358743: Check I2C succeeded during probe (stable-fixes).
- media: tc358743: Increase FIFO trigger level to 374 (stable-fixes).
- media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes).
- media: ti: j721e-csi2rx: Fix source subdev link creation (git-fixes).
- media: ti: j721e-csi2rx: Use devm_of_platform_populate (git-fixes).
- media: ti: j721e-csi2rx: fix list_del corruption (git-fixes).
- media: tuner: xc5000: Fix use-after-free in xc5000_release (git-fixes).
- media: usb: hdpvr: disable zero-length read messages (stable-fixes).
- media: usbtv: Lock resolution while streaming (git-fixes).
- media: uvcvideo: Add quirk for HP Webcam HD 2300 (stable-fixes).
- media: uvcvideo: Do not mark valid metadata as invalid (git-fixes).
- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes).
- media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes).
- media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID (git-fixes).
- media: uvcvideo: Rollback non processed entities on error (git-fixes).
- media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes).
- media: v4l2-ctrls: Do not reset handler's error in v4l2_ctrl_handler_free() (git-fixes).
- media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes).
- media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() (git-fixes).
- media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() (git-fixes).
- media: venus: Add a check for packet size after reading from shared memory (git-fixes).
- media: venus: Fix MSM8998 frequency table (git-fixes).
- media: venus: Fix OOB read due to missing payload bound check (git-fixes).
- media: venus: firmware: Use correct reset sequence for IRIS2 (git-fixes).
- media: venus: hfi: explicitly release IRQ during teardown (git-fixes).
- media: venus: protect against spurious interrupts during probe (git-fixes).
- media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes).
- media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes).
- media: verisilicon: Fix AV1 decoder clock frequency (git-fixes).
- media: vivid: fix wrong pixel_array control size (git-fixes).
- media: zoran: Remove zoran_fh structure (git-fixes).
- mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes).
- mei: vsc: Destroy mutex after freeing the IRQ (git-fixes).
- mei: vsc: Do not re-init VSC from mei_vsc_hw_reset() on stop (git-fixes).
- mei: vsc: Drop unused vsc_tp_request_irq() and vsc_tp_free_irq() (stable-fixes).
- mei: vsc: Event notifier fixes (git-fixes).
- mei: vsc: Fix "BUG: Invalid wait context" lockdep error (git-fixes).
- mei: vsc: Run event callback from a workqueue (git-fixes).
- mei: vsc: Unset the event callback on remove and probe errors (git-fixes).
- memory: mtk-smi: Add ostd setting for mt8186 (git-fixes).
- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe (git-fixes).
- memstick: Fix deadlock by moving removing flag earlier (git-fixes).
- mfd: axp20x: Set explicit ID for AXP313 regulator (stable-fixes).
- mfd: cros_ec: Separate charge-control probing from USB-PD (git-fixes).
- mfd: exynos-lpass: Fix another error handling path in exynos_lpass_probe() (git-fixes).
- mfd: rz-mtu3: Fix MTU5 NFCR register offset (git-fixes).
- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() (git-fixes).
- microchip: lan865x: Fix LAN8651 autoloading (git-fixes).
- microchip: lan865x: Fix module autoloading (git-fixes).
- microchip: lan865x: fix missing Timer Increment config for Rev.B0/B1 (git-fixes).
- microchip: lan865x: fix missing netif_start_queue() call on device open (git-fixes).
- misc: fastrpc: Fix fastrpc_map_lookup operation (git-fixes).
- misc: fastrpc: Save actual DMA size in fastrpc_map structure (git-fixes).
- misc: fastrpc: Skip reference for DMA handles (git-fixes).
- misc: fastrpc: fix possible map leak in fastrpc_put_args (git-fixes).
- misc: genwqe: Fix incorrect cmd field being reported in error (git-fixes).
- misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type (git-fixes).
- misc: pci_endpoint_test: Give disabled BARs a distinct error code (stable-fixes).
- misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes).
- mm/damon/core: avoid destroyed target reference from DAMOS quota (git-fixes).
- mm/damon/core: prevent unnecessary overflow in damos_set_effective_quota() (git-fixes).
- mm/damon/core: set quota->charged_from to jiffies at first charge window (git-fixes).
- mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() (git-fixes).
- mm/damon/ops-common: ignore migration request to invalid nodes (git-fixes).
- mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() (git-fixes).
- mm/damon/sysfs: fix use-after-free in state_show() (git-fixes).
- mm/memory-failure: fix redundant updates for already poisoned pages (bsc#1250087).
- mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes)
- mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE (git-fixes).
- mm: close theoretical race where stale TLB entries could linger (git-fixes).
- mm: fault in complete folios instead of individual pages for tmpfs (git-fixes).
- mm: fix the inaccurate memory statistics issue for users (bsc#1244723).
- mm: introduce and use {pgd,p4d}_populate_kernel() (git-fixes).
- mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma (git-fixes).
- mm: memory-tiering: fix PGPROMOTE_CANDIDATE counting (bsc#1245630).
- mm: memory-tiering: fix PGPROMOTE_CANDIDATE counting - kabi (bsc#1245630).
- mm: move page table sync declarations to linux/pgtable.h (git-fixes).
- mm: swap: fix potential buffer overflow in setup_clusters() (git-fixes).
- mmc: core: Fix variable shadowing in mmc_route_rpmb_frames() (git-fixes).
- mmc: mvsdio: Fix dma_unmap_sg() nents value (git-fixes).
- mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes).
- mmc: sdhci-cadence: add Mobileye eyeQ support (stable-fixes).
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes).
- mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up (stable-fixes).
- mmc: sdhci-of-arasan: Support for emmc hardware reset (stable-fixes).
- mmc: sdhci-pci-gli: Add a new function to simplify the code (git-fixes).
- mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER (git-fixes).
- mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes).
- mmc: sdhci_am654: Disable HS400 for AM62P SR1.0 and SR1.1 (git-fixes).
- module: Fix memory deallocation on error path in move_module() (git-fixes).
- module: Prevent silent truncation of module name in delete_module(2) (git-fixes).
- module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes).
- module: Restore the moduleparam prefix length check (git-fixes).
- most: core: Drop device reference after usage in get_channel() (git-fixes).
- mptcp: fix spurious wake-up on under memory pressure (git-fixes).
- mtd: fix possible integer overflow in erase_xfer() (git-fixes).
- mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing (git-fixes).
- mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes).
- mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands (git-fixes).
- mtd: rawnand: atmel: set pmecc data setup time (git-fixes).
- mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes).
- mtd: rawnand: omap2: fix device leak on probe failure (git-fixes).
- mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec() (git-fixes).
- mtd: rawnand: renesas: Add missing check after DMA map (git-fixes).
- mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes).
- mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer (git-fixes).
- mtd: rawnand: stm32_fmc2: fix ECC overwrite (git-fixes).
- mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes).
- mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER (git-fixes).
- mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes).
- mwl8k: Add missing check after DMA map (git-fixes).
- neighbour: Fix null-ptr-deref in neigh_flush_dev() (git-fixes).
- net/mlx5: Base ECVF devlink port attrs from 0 (git-fixes).
- net/mlx5: CT: Use the correct counter offset (git-fixes).
- net/mlx5: Check device memory pointer before usage (git-fixes).
- net/mlx5: Correctly set gso_segs when LRO is used (git-fixes).
- net/mlx5: Correctly set gso_size when LRO is used (git-fixes).
- net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch (git-fixes).
- net/mlx5: Fix lockdep assertion on sync reset unload event (git-fixes).
- net/mlx5: Fix memory leak in cmd_exec() (git-fixes).
- net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow (git-fixes).
- net/mlx5: HWS, Fix pattern destruction in mlx5hws_pat_get_pattern error path (git-fixes).
- net/mlx5: HWS, fix bad parameter in CQ creation (git-fixes).
- net/mlx5: Nack sync reset when SFs are present (git-fixes).
- net/mlx5: Prevent flow steering mode changes in switchdev mode (git-fixes).
- net/mlx5: Reload auxiliary drivers on fw_activate (git-fixes).
- net/mlx5e: Add new prio for promiscuous mode (git-fixes).
- net/mlx5e: Clear Read-Only port buffer size in PBMC before update (git-fixes).
- net/mlx5e: Preserve shared buffer capacity during headroom updates (git-fixes).
- net/mlx5e: Remove skb secpath if xfrm state is not found (git-fixes).
- net/mlx5e: Set local Xoff after FW update (git-fixes).
- net/mlx5e: Update and set Xon/Xoff upon MTU set (git-fixes).
- net/mlx5e: Update and set Xon/Xoff upon port speed set (git-fixes).
- net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes).
- net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes).
- net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes).
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes).
- net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes).
- net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll (git-fixes).
- net: 802: LLC+SNAP OID:PID lookup on start of skb data (git-fixes).
- net: dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic (git-fixes).
- net: dsa: tag_ocelot_8021q: fix broken reception (git-fixes).
- net: hsr: fix fill_frame_info() regression vs VLAN packets (git-fixes).
- net: hsr: fix hsr_init_sk() vs network/transport headers (git-fixes).
- net: hv_netvsc: fix loss of early receive events from host during channel open (git-fixes).
- net: ieee8021q: fix insufficient table-size assertion (stable-fixes).
- net: llc: reset skb->transport_header (git-fixes).
- net: mana: Add handler for hardware servicing events (bsc#1245730).
- net: mana: Add speed support in mana_get_link_ksettings (bsc#1245726).
- net: mana: Add support for net_shaper_ops (bsc#1245726).
- net: mana: Allocate MSI-X vectors dynamically (bsc#1245457).
- net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457).
- net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729).
- net: mana: Fix build errors when CONFIG_NET_SHAPER is disabled (gix-fixes).
- net: mana: Fix potential deadlocks in mana napi ops (bsc#1245726).
- net: mana: Handle Reset Request from MANA NIC (bsc#1245728).
- net: mana: Handle unsupported HWC commands (bsc#1245726).
- net: mana: Set tx_packets to post gso processing packet count (bsc#1245731).
- net: mana: Use page pool fragments for RX buffers instead of full pages to improve memory efficiency (bsc#1248754).
- net: mana: explain irq_setup() algorithm (bsc#1245457).
- net: mana: fix spelling for mana_gd_deregiser_irq() (git-fixes).
- net: mctp: handle skb cleanup on sock_queue failures (git-fixes).
- net: mdio: mdio-bcm-unimac: Correct rate fallback logic (git-fixes).
- net: nfc: nci: Add parameter validation for packet data (git-fixes).
- net: page_pool: allow enabling recycling late, fix false positive warning (git-fixes).
- net: phy: bcm54811: PHY initialization (stable-fixes).
- net: phy: fix phy_uses_state_machine() (git-fixes).
- net: phy: micrel: Add ksz9131_resume() (stable-fixes).
- net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes).
- net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes).
- net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer (git-fixes).
- net: rose: convert 'use' field to refcount_t (git-fixes).
- net: rose: fix a typo in rose_clear_routes() (git-fixes).
- net: rose: include node references in rose_neigh refcount (git-fixes).
- net: rose: split remove and free operations in rose_remove_neigh() (stable-fixes).
- net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes).
- net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes).
- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast (git-fixes).
- net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock (git-fixes).
- net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes).
- net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes).
- net: usb: cdc-ncm: check for filtering capability (git-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions (git-fixes).
- net: usb: qmi_wwan: fix Telit Cinterion FE990A name (stable-fixes).
- net: usb: qmi_wwan: fix Telit Cinterion FN990A name (stable-fixes).
- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes).
- net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes).
- netfilter: ctnetlink: fix refcount leak on table dump (git-fixes).
- netfilter: ctnetlink: remove refcounting in expectation dumpers (git-fixes).
- netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around (git-fixes).
- netfilter: nf_nat: also check reverse tuple to obtain clashing entry (git-fixes).
- netfilter: nf_reject: do not leak dst refcount for loopback packets (git-fixes).
- netfilter: nf_tables: Drop dead code from fill_*_info routines (git-fixes).
- netfilter: nf_tables: adjust lockdep assertions handling (git-fixes).
- netfilter: nf_tables: fix set size with rbtree backend (git-fixes).
- netfilter: nf_tables: imbalance in flowtable binding (git-fixes).
- netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template (git-fixes).
- netfilter: nft_flow_offload: update tcp state flags under lock (git-fixes).
- netfilter: nft_objref: validate objref and objrefmap expressions (bsc#1250237).
- netfilter: nft_set_hash: skip duplicated elements pending gc run (git-fixes).
- netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext (git-fixes).
- netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps (git-fixes).
- netfilter: nft_tunnel: fix geneve_opt dump (git-fixes).
- netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds (git-fixes).
- netlink: fix policy dump for int with validation callback (jsc#PED-13331).
- netlink: specs: devlink: replace underscores with dashes in names (jsc#PED-13331).
- netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes).
- nfs/localio: add direct IO enablement with sync and async IO support (git-fixes).
- nfs/localio: remove extra indirect nfs_to call to check {read,write}_iter (git-fixes).
- nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT (git-fixes).
- nfsd: fix access checking for NLM under XPRTSEC policies (git-fixes).
- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes).
- nouveau: fix disabling the nonstall irq due to storm code (git-fixes).
- nvme-auth: update bi_directional flag (git-fixes).
- nvme-fc: use lock accessing port_state and rport state (bsc#1245193 bsc#1247500).
- nvme-pci: try function level reset on init failure (git-fixes).
- nvme-tcp: log TLS handshake failures at error level (git-fixes).
- nvme-tcp: send only permitted commands for secure concat (git-fixes).
- nvme: fix PI insert on write (git-fixes).
- nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes).
- nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes).
- nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes).
- nvmet-fc: avoid scheduling association deletion twice (bsc#1245193 bsc#1247500).
- nvmet-fc: move lsop put work to nvmet_fc_ls_req_op (bsc#1245193 bsc#1247500).
- nvmet-fcloop: call done callback even when remote port is gone (bsc#1245193 bsc#1247500).
- nvmet-tcp: fix callback lock for TLS handshake (git-fixes).
- nvmet: exit debugfs after discovery subsystem exits (git-fixes).
- nvmet: initialize discovery subsys after debugfs is initialized (git-fixes).
- nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails (git-fixes).
- objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() (stable-fixes).
- objtool, lkdtm: Obfuscate the do_nothing() pointer (stable-fixes).
- objtool, regulator: rk808: Remove potential undefined behavior in rk806_set_mode_dcdc() (stable-fixes).
- of: dynamic: Fix memleak when of_pci_add_properties() failed (git-fixes).
- of: dynamic: Fix use after free in of_changeset_add_prop_helper() (git-fixes).
- of: resolver: Fix device node refcount leakage in of_resolve_phandles() (git-fixes).
- of: resolver: Simplify of_resolve_phandles() using __free() (stable-fixes).
- of: unittest: Fix device reference count leak in of_unittest_pci_node_verify (git-fixes).
- of: unittest: Unlock on error in unittest_data_add() (git-fixes).
- pNFS/flexfiles: do not attempt pnfs on fatal DS errors (git-fixes).
- pNFS: Fix disk addr range check in block/scsi layout (git-fixes).
- pNFS: Fix stripe mapping in block/scsi layout (git-fixes).
- pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes).
- pNFS: Handle RPC size limit for layoutcommits (git-fixes).
- percpu: fix race on alloc failed warning limit (git-fixes).
- perf bpf-event: Fix use-after-free in synthesis (git-fixes).
- perf bpf-utils: Constify bpil_array_desc (git-fixes).
- perf bpf-utils: Harden get_bpf_prog_info_linear (git-fixes).
- perf dso: Add missed dso__put to dso__load_kcore (git-fixes).
- perf hwmon_pmu: Avoid shortening hwmon PMU name (git-fixes).
- perf parse-events: Set default GH modifier properly (git-fixes).
- perf record: Cache build-ID of hit DSOs only (git-fixes).
- perf sched: Fix memory leaks for evsel->priv in timehist (git-fixes).
- perf sched: Fix memory leaks in 'perf sched latency' (git-fixes).
- perf sched: Fix memory leaks in 'perf sched map' (git-fixes).
- perf sched: Fix thread leaks in 'perf sched timehist' (git-fixes).
- perf sched: Free thread->priv using priv_destructor (git-fixes).
- perf sched: Make sure it frees the usage string (git-fixes).
- perf sched: Use RC_CHK_EQUAL() to compare pointers (git-fixes).
- perf symbol-minimal: Fix ehdr reading in filename__read_build_id (git-fixes).
- perf test: Fix a build error in x86 topdown test (git-fixes).
- perf tests bp_account: Fix leaked file descriptor (git-fixes).
- perf tools: Remove libtraceevent in .gitignore (git-fixes).
- perf topdown: Use attribute to see an event is a topdown metic or slots (git-fixes).
- perf trace: Remove --map-dump documentation (git-fixes).
- phy: fsl-imx8mq-usb: fix phy_tx_vboost_level_from_property() (git-fixes).
- phy: mscc: Fix parsing of unicast frames (git-fixes).
- phy: mscc: Fix timestamping for vsc8584 (git-fixes).
- phy: qcom: phy-qcom-m31: Update IPQ5332 M31 USB phy initialization sequence (git-fixes).
- phy: qualcomm: phy-qcom-eusb2-repeater: Do not zero-out registers (git-fixes).
- phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties (git-fixes).
- phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes).
- phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 (git-fixes).
- phy: rockchip: samsung-hdptx: Do no set rk_hdptx_phy->rate in case of errors (git-fixes).
- phy: rockchip: samsung-hdptx: Fix clock ratio setup (git-fixes).
- phy: tegra: xusb: fix device and OF node leak at probe (git-fixes).
- phy: ti-pipe3: fix device leak at unbind (git-fixes).
- phy: ti: omap-usb2: fix device leak at unbind (git-fixes).
- pidfs: Fix memory leak in pidfd_info() (jsc#PED-13113).
- pidfs: raise SB_I_NODEV and SB_I_NOEXEC (bsc#1249562).
- pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes).
- pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state() (git-fixes).
- pinctrl: equilibrium: Remove redundant semicolons (git-fixes).
- pinctrl: meson-gxl: add missing i2c_d pinmux (git-fixes).
- pinctrl: renesas: Use int type to store negative error codes (git-fixes).
- pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read() (git-fixes).
- pinctrl: samsung: Drop unused S3C24xx driver data (git-fixes).
- pinctrl: stm32: Manage irq affinity settings (stable-fixes).
- pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes).
- pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes).
- platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes).
- platform/chrome: cros_ec_sensorhub: Retries when a sensor is not ready (stable-fixes).
- platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes).
- platform/mellanox: mlxbf-pmc: Remove newline char from event name input (git-fixes).
- platform/mellanox: mlxbf-pmc: Use kstrtobool() to check 0/1 input (git-fixes).
- platform/mellanox: mlxbf-pmc: Validate event/enable input (git-fixes).
- platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL (git-fixes).
- platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list (stable-fixes).
- platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list (stable-fixes).
- platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list (stable-fixes).
- platform/x86/amd/pmf: Support new ACPI ID AMDI0108 (stable-fixes).
- platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes).
- platform/x86/intel-uncore-freq: Check write blocked for ELC (git-fixes).
- platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID (git-fixes).
- platform/x86: Fix initialization order for firmware_attributes_class (git-fixes).
- platform/x86: asus-nb-wmi: add DMI quirk for ASUS Zenbook Duo UX8406CA (stable-fixes).
- platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 (stable-fixes).
- platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk (git-fixes).
- platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk (git-fixes).
- platform/x86: ideapad-laptop: Fix FnLock not remembered among boots (git-fixes).
- platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes).
- platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() (git-fixes).
- pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes).
- power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery (git-fixes).
- power: supply: bq27xxx: restrict no-battery detection to bq27000 (git-fixes).
- power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes).
- power: supply: cw2015: Fix a alignment coding style issue (git-fixes).
- power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes).
- power: supply: max77976_charger: fix constant current reporting (git-fixes).
- power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes).
- powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes).
- powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199).
- powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199).
- powerpc/ftrace: ensure ftrace record ops are always set for NOPs (git-fixes).
- powerpc/ftrace: ensure ftrace record ops are always set for NOPs (jsc#PED-10909 git-fixes).
- powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199).
- powerpc/kvm: Fix ifdef to remove build warning (bsc#1215199).
- powerpc/powernv/pci: Fix underflow and leak issue (bsc#1215199).
- powerpc/pseries/msi: Fix potential underflow and leak issue (bsc#1215199).
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343).
- powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343).
- powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs (jsc#PED-10909 git-fixes).
- powerpc: do not build ppc_save_regs.o always (bsc#1215199).
- powerpc: floppy: Add missing checks after DMA map (bsc#1215199).
- pptp: fix pptp_xmit() error path (git-fixes).
- printk: nbcon: Allow reacquire during panic (bsc#1246688).
- psample: adjust size if rate_as_probability is set (git-fixes).
- ptp: fix breakage after ptp_vclock_in_use() rework (git-fixes).
- pwm: berlin: Fix wrong register in suspend/resume (git-fixes).
- pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes).
- pwm: mediatek: Fix duty and period setting (git-fixes).
- pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes).
- pwm: rockchip: Round period/duty down on apply, up on get (git-fixes).
- pwm: tiehrpwm: Do not drop runtime PM reference in .free() (git-fixes).
- pwm: tiehrpwm: Fix corner case in clock divisor calculation (git-fixes).
- pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation (git-fixes).
- pwm: tiehrpwm: Make code comment in .free() more useful (git-fixes).
- r8169: add support for RTL8125D (stable-fixes).
- r8169: disable RTL8126 ZRX-DC timeout (stable-fixes).
- r8169: do not scan PHY addresses > 0 (stable-fixes).
- rcu: Fix racy re-initialization of irq_work causing hangs (git-fixes)
- regmap: Remove superfluous check for !config in __regmap_init() (git-fixes).
- regulator: core: fix NULL dereference on unbind due to stale coupling data (stable-fixes).
- regulator: scmi: Use int type to store negative error codes (git-fixes).
- regulator: sy7636a: fix lifecycle of power good gpio (git-fixes).
- reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes).
- reset: eyeq: fix OF node leak (git-fixes).
- resource: Add resource set range and size helpers (jsc#PED-13728 jsc#PED-13762).
- resource: fix false warning in __request_region() (git-fixes).
- ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes).
- ring-buffer: Make reading page consistent with the code logic (git-fixes).
- rpm/config.sh: SLFO 1.2 is now synced to OBS as well
- rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes).
- rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes).
- rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes).
- rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes).
- rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes).
- rtc: optee: fix memory leak on driver removal (git-fixes).
- rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes).
- rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes).
- rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes).
- rtc: x1205: Fix Xicor X1205 vendor prefix (git-fixes).
- s390/ap: Unmask SLCF bit in card and queue ap functions sysfs (git-fixes bsc#1247837).
- s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246868).
- s390/cpum_cf: Deny all sampling events by counter PMU (git-fixes bsc#1249477).
- s390/early: Copy last breaking event address to pt_regs (git-fixes bsc#1249061).
- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (bsc#1248727 git-fixes).
- s390/hypfs: Enable limited access during lockdown (bsc#1248727 git-fixes).
- s390/ism: fix concurrency management in ism_cmd() (git-fixes bsc#1247372).
- s390/mm: Allocate page table with PAGE_SIZE granularity (git-fixes bsc#1247838).
- s390/mm: Do not map lowcore with identity mapping (git-fixes bsc#1249066).
- s390/mm: Remove possible false-positive warning in pte_free_defer() (git-fixes bsc#1247366).
- s390/pai: Deny all events not handled by this PMU (git-fixes bsc#1249478).
- s390/pci: Allow automatic recovery with minimal driver support (bsc#1248728 git-fixes).
- s390/sclp: Fix SCCB present check (git-fixes bsc#1249065).
- s390/stp: Remove udelay from stp_sync_clock() (git-fixes bsc#1249062).
- s390/time: Use monotonic clock in get_cycles() (git-fixes bsc#1249064).
- samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora (git-fixes).
- samples: mei: Fix building on musl libc (git-fixes).
- sched/deadline: Always stop dl-server before changing parameters (bsc#1247936).
- sched/deadline: Do not count nr_running for dl_server proxy tasks (git-fixes, bsc#1247936).
- sched/deadline: Fix RT task potential starvation when expiry time passed (git-fixes, bsc#1247936).
- sched/deadline: Fix dl_server_stopped() (bsc#1247936).
- sched/deadline: Initialize dl_servers after SMP (git-fixes)
- sched_ext, sched/core: Do not call scx_group_set_weight() (git-fixes)
- scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" (git-fixes).
- scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes).
- scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: fc: Avoid -Wflex-array-member-not-at-end warnings (bsc#1250519).
- scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: isci: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress (bsc#1250519).
- scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET (bsc#1250519).
- scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail (bsc#1250519).
- scsi: lpfc: Clean up extraneous phba dentries (bsc#1250519).
- scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int (bsc#1250519).
- scsi: lpfc: Copyright updates for 14.4.0.11 patches (bsc#1250519).
- scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted (bsc#1250519).
- scsi: lpfc: Define size of debugfs entry for xri rebalancing (bsc#1250519).
- scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology (bsc#1250519).
- scsi: lpfc: Fix buffer free/clear order in deferred receive path (bsc#1250519).
- scsi: lpfc: Fix wrong function reference in a comment (bsc#1250519).
- scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup (bsc#1250519).
- scsi: lpfc: Remove redundant assignment to avoid memory leak (bsc#1250519).
- scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport (bsc#1250519).
- scsi: lpfc: Update lpfc version to 14.4.0.11 (bsc#1250519).
- scsi: lpfc: Use int type to store negative error codes (bsc#1250519).
- scsi: lpfc: Use switch case statements in DIF debugfs handlers (bsc#1250519).
- scsi: lpfc: use min() to improve code (bsc#1250519).
- scsi: mpi3mr: Event processing debug improvement (bsc#1251186).
- scsi: mpi3mr: Fix I/O failures during controller reset (bsc#1251186).
- scsi: mpi3mr: Fix controller init failure on fault during queue creation (bsc#1251186).
- scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link speed (bsc#1251186).
- scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes).
- scsi: mpi3mr: Fix premature TM timeouts on virtual drives (bsc#1251186).
- scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes).
- scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes).
- scsi: mpi3mr: Update MPI headers to revision 37 (bsc#1251186).
- scsi: mpi3mr: Update driver version to 8.15.0.5.50 (bsc#1251186).
- scsi: mpt3sas: Fix a fw_event memory leak (git-fixes).
- scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: qla2xxx: Avoid stack frame size warning in qla_dfs (git-fixes).
- scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() (git-fixes).
- scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() (git-fixes).
- scsi: qla2xxx: Remove firmware URL (git-fixes).
- scsi: qla2xxx: Use secs_to_jiffies() instead of msecs_to_jiffies() (git-fixes).
- scsi: qla2xxx: edif: Fix incorrect sign of error code (git-fixes).
- scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes).
- scsi: smartpqi: Enhance WWID logging logic (bsc#1246631).
- scsi: smartpqi: Take drives offline when controller is offline (bsc#1246631).
- scsi: smartpqi: Update driver version to 2.1.34-035 (bsc#1246631).
- scsi: ufs: Fix toggling of clk_gating.state when clock gating is not allowed (git-fixes).
- scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices (git-fixes).
- scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails (git-fixes).
- scsi: ufs: core: Add missing post notify for power mode change (git-fixes).
- scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG (git-fixes).
- scsi: ufs: core: Always initialize the UIC done completion (git-fixes).
- scsi: ufs: core: Do not perform UFS clkscaling during host async scan (git-fixes).
- scsi: ufs: core: Fix clk scaling to be conditional in reset and restore (git-fixes).
- scsi: ufs: core: Fix error return with query response (git-fixes).
- scsi: ufs: core: Fix spelling of a sysfs attribute name (git-fixes).
- scsi: ufs: core: Fix ufshcd_is_ufs_dev_busy() and ufshcd_eh_timed_out() (git-fixes).
- scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers (git-fixes).
- scsi: ufs: core: Improve ufshcd_mcq_sq_cleanup() (git-fixes).
- scsi: ufs: core: Introduce ufshcd_has_pending_tasks() (git-fixes).
- scsi: ufs: core: Prepare to introduce a new clock_gating lock (git-fixes).
- scsi: ufs: core: Remove redundant query_complete trace (git-fixes).
- scsi: ufs: core: Set default runtime/system PM levels before ufshcd_hba_init() (git-fixes).
- scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe (git-fixes).
- scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume (git-fixes).
- scsi: ufs: exynos: Add check inside exynos_ufs_config_smu() (git-fixes).
- scsi: ufs: exynos: Add gs101_ufs_drv_init() hook and enable WriteBooster (git-fixes).
- scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO (git-fixes).
- scsi: ufs: exynos: Ensure consistent phy reference counts (git-fixes).
- scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init() (git-fixes).
- scsi: ufs: exynos: Fix hibern8 notify callbacks (git-fixes).
- scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE (git-fixes).
- scsi: ufs: exynos: Move UFS shareability value to drvdata (git-fixes).
- scsi: ufs: exynos: Move phy calls to .exit() callback (git-fixes).
- scsi: ufs: exynos: Remove empty drv_init method (git-fixes).
- scsi: ufs: exynos: Remove superfluous function parameter (git-fixes).
- scsi: ufs: exynos: gs101: Put UFS device in reset on .suspend() (git-fixes).
- scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort() (git-fixes).
- scsi: ufs: pltfrm: Disable runtime PM during removal of glue drivers (git-fixes).
- scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove() (git-fixes).
- scsi: ufs: qcom: Fix crypto key eviction (git-fixes).
- scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get (git-fixes).
- scsi: ufs: ufs-pci: Fix default runtime and system PM levels (git-fixes).
- scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers (git-fixes).
- seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast (git-fixes bsc#1250671).
- selftest/livepatch: Only run test-kprobe with CONFIG_KPROBES_ON_FTRACE (poo#187320).
- selftests/cpufreq: Fix cpufreq basic read and update testcases (bsc#1250344).
- selftests/livepatch: Ignore NO_SUPPORT line in dmesg (poo#187320).
- selftests/livepatch: Replace hardcoded module name with variable in test-callbacks.sh (poo#187320).
- selftests/run_kselftest.sh: Fix help string for --per-test-log (poo#187320).
- selftests/run_kselftest.sh: Use readlink if realpath is not available (poo#187320).
- selftests/tracing: Fix false failure of subsystem event test (git-fixes).
- selftests: ALSA: fix memory leak in utimer test (git-fixes).
- selftests: livepatch: add new ftrace helpers functions (poo#187320).
- selftests: livepatch: add test cases of stack_order sysfs interface (poo#187320).
- selftests: livepatch: handle PRINTK_CALLER in check_result() (poo#187320).
- selftests: livepatch: rename KLP_SYSFS_DIR to SYSFS_KLP_DIR (poo#187320).
- selftests: livepatch: save and restore kprobe state (poo#187320).
- selftests: livepatch: test if ftrace can trace a livepatched function (poo#187320).
- selftests: livepatch: test livepatching a kprobed function (poo#187320).
- selftests: ncdevmem: Move ncdevmem under drivers/net/hw (poo#187443).
- selinux: change security_compute_sid to return the ssid or tsid on match (git-fixes).
- selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len (stable-fixes).
- serial: 8250: Touch watchdogs in write_atomic() (bsc#1246688).
- serial: 8250: fix panic due to PSLVERR (git-fixes).
- serial: max310x: Add error checking in probe() (git-fixes).
- serial: sc16is7xx: fix bug in flow control levels init (git-fixes).
- skmsg: Return copied bytes in sk_msg_memcopy_from_iter (bsc#1250650).
- slab: Decouple slab_debug and no_hash_pointers (bsc#1249022).
- smb: client: fix crypto buffers in non-linear memory (bsc#1250491, boo#1239206).
- smb: client: fix netns refcount leak after net_passive changes (git-fixes).
- soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes).
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes).
- soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure (git-fixes).
- soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure (git-fixes).
- soc: qcom: QMI encoding/decoding for big endian (git-fixes).
- soc: qcom: fix endianness for QMI header (git-fixes).
- soc: qcom: mdt_loader: Actually use the e_phoff (stable-fixes).
- soc: qcom: mdt_loader: Deal with zero e_shentsize (git-fixes).
- soc: qcom: mdt_loader: Ensure we do not read past the ELF header (git-fixes).
- soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() (git-fixes).
- soc: qcom: pmic_glink: fix OF node leak (git-fixes).
- soc: qcom: rpmh-rsc: Add RSC version 4 support (stable-fixes).
- soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS (git-fixes).
- soundwire: Move handle_nested_irq outside of sdw_dev_lock (stable-fixes).
- soundwire: amd: cancel pending slave status handling workqueue during remove sequence (stable-fixes).
- soundwire: amd: fix for handling slave alerts after link is down (git-fixes).
- soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes).
- soundwire: stream: restore params when prepare ports fail (git-fixes).
- spi: bcm2835: Remove redundant semicolons (git-fixes).
- spi: cadence-quadspi: Fix cqspi_setup_flash() (git-fixes).
- spi: cadence-quadspi: Flush posted register writes before DAC access (git-fixes).
- spi: cadence-quadspi: Flush posted register writes before INDAC access (git-fixes).
- spi: cadence-quadspi: fix cleanup of rx_chan on failure paths (stable-fixes).
- spi: cs42l43: Property entry should be a null-terminated array (bsc#1246979).
- spi: fix return code when spi device has too many chipselects (git-fixes).
- spi: mtk-snfi: Remove redundant semicolons (git-fixes).
- spi: spi-fsl-lpspi: Clamp too high speed_hz (git-fixes).
- spi: spi-fsl-lpspi: Clear status register after disabling the module (git-fixes).
- spi: spi-fsl-lpspi: Fix transmissions when using CONT (git-fixes).
- spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort (git-fixes).
- spi: spi-fsl-lpspi: Set correct chip-select polarity bit (git-fixes).
- spi: stm32: Check for cfg availability in stm32_spi_probe (git-fixes).
- sprintf.h requires stdarg.h (git-fixes).
- sprintf.h: mask additional include (git-fixes).
- squashfs: fix memory leak in squashfs_fill_super (git-fixes).
- staging: axis-fifo: fix TX handling on copy_from_user() failure (git-fixes).
- staging: axis-fifo: fix maximum TX packet length check (git-fixes).
- staging: axis-fifo: flush RX FIFO on read errors (git-fixes).
- staging: axis-fifo: remove sysfs interface (git-fixes).
- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes).
- staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (git-fixes).
- staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes).
- staging: vchiq_arm: Make vchiq_shutdown never fail (git-fixes).
- struct cdc_ncm_ctx: move new member to end (git-fixes).
- sunrpc: fix client side handling of tls alerts (git-fixes).
- sunrpc: fix handling of server side tls alerts (git-fixes).
- sunrpc: fix null pointer dereference on zero-length checksum (git-fixes).
- sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes).
- supported.conf: Mark ZL3073X modules supported
- supported.conf: mark hyperv_drm as external
- tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes).
- tcp_bpf: Fix copied value in tcp_bpf_sendmsg (bsc#1250650).
- thermal/drivers/mediatek/lvts_thermal: Add lvts commands and their sizes to driver data (stable-fixes).
- thermal/drivers/mediatek/lvts_thermal: Add mt7988 lvts commands (stable-fixes).
- thermal/drivers/mediatek/lvts_thermal: Change lvts commands array to static const (stable-fixes).
- thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes).
- thermal/drivers/qcom/lmh: Add missing IRQ includes (git-fixes).
- thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes).
- thunderbolt: Compare HMAC values in constant time (git-fixes).
- thunderbolt: Fix copy+paste error in match_service_id() (git-fixes).
- tools/power turbostat: Clustered Uncore MHz counters should honor show/hide options (stable-fixes).
- tools/power turbostat: Fix bogus SysWatt for forked program (git-fixes).
- tools/power turbostat: Fix build with musl (stable-fixes).
- tools/power turbostat: Handle cap_get_proc() ENOSYS (stable-fixes).
- tools/power turbostat: Handle non-root legacy-uncore sysfs permissions (stable-fixes).
- tools/resolve_btfids: Fix build when cross compiling kernel with clang (git-fixes).
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single (git-fixes).
- trace/fgraph: Fix error handling (git-fixes).
- trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers (git-fixes).
- tracepoint: Print the function symbol when tracepoint_debug is set (jsc#PED-13631).
- tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes).
- tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes).
- tracing: Correct the refcount if the hist/hist_debug file fails to open (git-fixes).
- tracing: Fix filter string testing (git-fixes).
- tracing: Fix using ret variable in tracing_set_tracer() (git-fixes).
- tracing: Remove unneeded goto out logic (bsc#1249286).
- tracing: Switch trace.c code over to use guard() (git-fixes).
- tracing: Switch trace_events_hist.c code over to use guard() (git-fixes).
- tracing: fprobe events: Fix possible UAF on modules (git-fixes).
- tracing: tprobe-events: Fix leakage of module refcount (git-fixes).
- tty: hvc_console: Call hvc_kick in hvc_write unconditionally (bsc#1230062).
- tty: n_gsm: Do not block input queue by waiting MSC (git-fixes).
- tty: serial: fix print format specifiers (stable-fixes).
- ublk: sanity check add_dev input for underflow (git-fixes).
- ublk: use vmalloc for ublk_device's __queues (git-fixes).
- ucount: fix atomic_long_inc_below() argument type (git-fixes).
- uio: uio_pdrv_genirq: Remove MODULE_DEVICE_TABLE (git-fixes).
- usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes).
- usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call (git-fixes).
- usb: core: Add 0x prefix to quirks debug output (stable-fixes).
- usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes).
- usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes).
- usb: core: usb_submit_urb: downgrade type check (stable-fixes).
- usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes).
- usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes).
- usb: dwc3: imx8mp: fix device leak at unbind (git-fixes).
- usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes).
- usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes).
- usb: dwc3: qcom: Do not leave BCR asserted (git-fixes).
- usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes).
- usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes).
- usb: gadget: configfs: Correctly set use_os_string at bind (git-fixes).
- usb: gadget: midi2: Fix MIDI2 IN EP max packet size (git-fixes).
- usb: gadget: midi2: Fix missing UMP group attributes initialization (git-fixes).
- usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes).
- usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup (git-fixes).
- usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes).
- usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes).
- usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls (git-fixes).
- usb: musb: omap2430: fix device leak at unbind (git-fixes).
- usb: phy: twl6030: Fix incorrect type for ret (git-fixes).
- usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: renesas-xhci: Fix External ROM access timeouts (git-fixes).
- usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes).
- usb: typec: fusb302: cache PD RX state (git-fixes).
- usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes).
- usb: typec: maxim_contaminant: disable low power mode when reading comparator values (git-fixes).
- usb: typec: maxim_contaminant: re-enable cc toggle if cc is open and port is clean (git-fixes).
- usb: typec: tcpm/tcpci_maxim: fix irq wake usage (stable-fixes).
- usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes).
- usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes).
- usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes).
- usb: typec: tcpm: properly deliver cable vdms to altmode drivers (git-fixes).
- usb: typec: tipd: Clear interrupts first (git-fixes).
- usb: typec: ucsi: Update power_supply on power role change (git-fixes).
- usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes).
- usb: typec: ucsi: yoga-c630: fix error and remove paths (git-fixes).
- usb: vhci-hcd: Prevent suspending virtually attached devices (git-fixes).
- usb: xhci: Avoid showing errors during surprise removal (stable-fixes).
- usb: xhci: Avoid showing warnings for dying controller (stable-fixes).
- usb: xhci: Fix slot_id resource race conflict (git-fixes).
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes).
- usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes).
- use uniform permission checks for all mount propagation changes (git-fixes).
- vdpa/mlx5: Fix needs_teardown flag calculation (git-fixes).
- vdpa: Fix IDR memory leak in VDUSE module exit (git-fixes).
- vhost-scsi: Fix log flooding with target does not exist errors (git-fixes).
- vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() (git-fixes).
- vhost/vsock: Avoid allocating arbitrarily-sized SKBs (git-fixes).
- vhost: Fix ioctl # for VHOST_[GS]ET_FORK_FROM_OWNER (git-fixes).
- vhost: Reintroduce kthread API and add mode selection (git-fixes).
- vhost: fail early when __vhost_add_used() fails (git-fixes).
- virtchnl2: add flow steering support (jsc#PED-13728).
- virtchnl2: rename enum virtchnl2_cap_rss (jsc#PED-13728).
- virtchnl: add PTP virtchnl definitions (jsc#PED-13728 jsc#PED-13762).
- virtio_net: Enforce minimum TX ring size for reliability (git-fixes).
- virtio_ring: Fix error reporting in virtqueue_resize (git-fixes).
- vmci: Prevent the dispatching of uninitialized payloads (git-fixes).
- vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page (git-fixes).
- vsock/virtio: Validate length in packet header before skb_put() (git-fixes).
- vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes).
- vt: keyboard: Do not process Unicode characters in K_OFF mode (git-fixes).
- watchdog: dw_wdt: Fix default timeout (stable-fixes).
- watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes).
- watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog (git-fixes).
- watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes).
- watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes).
- wifi: ath10k: avoid unnecessary wait for service ready message (git-fixes).
- wifi: ath10k: shutdown driver when hardware is unreliable (stable-fixes).
- wifi: ath11k: HAL SRNG: do not deinitialize and re-initialize again (git-fixes).
- wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes).
- wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() (git-fixes).
- wifi: ath11k: fix dest ring-buffer corruption (git-fixes).
- wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes).
- wifi: ath11k: fix group data packet drops during rekey (git-fixes).
- wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes).
- wifi: ath11k: fix source ring-buffer corruption (git-fixes).
- wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes).
- wifi: ath12k: Add MODULE_FIRMWARE() entries (bsc#1250952).
- wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes).
- wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes).
- wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes).
- wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes).
- wifi: ath12k: Fix station association with MBSSID Non-TX BSS (stable-fixes).
- wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() (git-fixes).
- wifi: ath12k: fix dest ring-buffer corruption (git-fixes).
- wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes).
- wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes).
- wifi: ath12k: fix memory leak in ath12k_pci_remove() (stable-fixes).
- wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event (git-fixes).
- wifi: ath12k: fix source ring-buffer corruption (git-fixes).
- wifi: ath12k: fix the fetching of combined rssi (git-fixes).
- wifi: ath12k: fix wrong handling of CCMP256 and GCMP ciphers (git-fixes).
- wifi: ath12k: fix wrong logging ID used for CE (git-fixes).
- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes).
- wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work (git-fixes).
- wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes).
- wifi: cfg80211: Fix interface type validation (stable-fixes).
- wifi: cfg80211: fix use-after-free in cmp_bss() (git-fixes).
- wifi: cfg80211: reject HTC bit for management frames (stable-fixes).
- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (git-fixes).
- wifi: cw1200: cap SSID length in cw1200_do_join() (git-fixes).
- wifi: iwlegacy: Check rate_idx range after addition (stable-fixes).
- wifi: iwlwifi: Add missing firmware info for bz-b0-* models (bsc#1252084).
- wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes).
- wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes).
- wifi: iwlwifi: Remove redundant header files (git-fixes).
- wifi: iwlwifi: config: unify fw/pnvm MODULE_FIRMWARE (bsc#1252084).
- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes).
- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes).
- wifi: iwlwifi: mvm: avoid outdated reorder buffer head_sn (stable-fixes).
- wifi: iwlwifi: mvm: fix scan request validation (stable-fixes).
- wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes).
- wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes).
- wifi: iwlwifi: uefi: check DSM item validity (git-fixes).
- wifi: libertas: cap SSID len in lbs_associate() (git-fixes).
- wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes).
- wifi: mac80211: Do not call fq_flow_idx() for management frames (git-fixes).
- wifi: mac80211: Do not schedule stopped TXQs (git-fixes).
- wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon() (git-fixes).
- wifi: mac80211: avoid weird state in error path (stable-fixes).
- wifi: mac80211: do not complete management TX on SAE commit (stable-fixes).
- wifi: mac80211: do not unreserve never reserved chanctx (stable-fixes).
- wifi: mac80211: fix Rx packet handling when pubsta information is not available (git-fixes).
- wifi: mac80211: fix incorrect type for ret (stable-fixes).
- wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes).
- wifi: mac80211: increase scan_ies_len for S1G (stable-fixes).
- wifi: mac80211: reject TDLS operations when station is not associated (git-fixes).
- wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes).
- wifi: mt76: fix linked list corruption (git-fixes).
- wifi: mt76: fix potential memory leak in mt76_wmac_probe() (git-fixes).
- wifi: mt76: free pending offchannel tx frames on wcid cleanup (git-fixes).
- wifi: mt76: mt7915: fix mt7981 pre-calibration (git-fixes).
- wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes).
- wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure (git-fixes).
- wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() (git-fixes).
- wifi: mt76: mt7925: fix the wrong bss cleanup for SAP (git-fixes).
- wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete (git-fixes).
- wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE (git-fixes).
- wifi: mt76: mt7996: Fix RX packets configuration for primary WED device (git-fixes).
- wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() (git-fixes).
- wifi: mt76: prevent non-offchannel mgmt tx during scan/roc (git-fixes).
- wifi: mwifiex: Initialize the chan_stats array to zero (git-fixes).
- wifi: mwifiex: send world regulatory domain to driver (git-fixes).
- wifi: nl80211: Set num_sub_specs before looping through sub_specs (git-fixes).
- wifi: plfxlc: Fix error handling in usb driver probe (git-fixes).
- wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes).
- wifi: rtl8xxxu: Do not claim USB ID 07b8:8188 (stable-fixes).
- wifi: rtl8xxxu: Fix RX skb size for aggregation disabled (git-fixes).
- wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes).
- wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes).
- wifi: rtlwifi: rtl8192cu: Do not claim USB ID 07b8:8188 (stable-fixes).
- wifi: rtw88: Fix macid assigned to TDLS station (git-fixes).
- wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes).
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes).
- wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes).
- wifi: rtw89: avoid circular locking dependency in ser_state_run() (git-fixes).
- wifi: rtw89: scan abort when assign/unassign_vif (stable-fixes).
- wifi: rtw89: wow: Add Basic Rate IE to probe request in scheduled scan mode (stable-fixes).
- wifi: virt_wifi: Fix page fault on connect (stable-fixes).
- wifi: wilc1000: avoid buffer overflow in WID string configuration (stable-fixes).
- writeback: Avoid contention on wb->list_lock when switching inodes (bsc#1237776).
- writeback: Avoid contention on wb->list_lock when switching inodes (kABI fixup) (bsc#1237776).
- writeback: Avoid excessively long inode switching times (bsc#1237776).
- writeback: Avoid softlockup when switching many inodes (bsc#1237776).
- x86/CPU/AMD: Add CPUID faulting support (jsc#PED-13704).
- x86/Kconfig: Add arch attack vector support (git-fixes).
- x86/Kconfig: Always enable ARCH_SPARSEMEM_ENABLE (git-fixes).
- x86/boot: Sanitize boot params before parsing command line (git-fixes).
- x86/bugs: Add SRSO_MITIGATION_NOSMT (git-fixes).
- x86/bugs: Add attack vector controls for BHI (git-fixes).
- x86/bugs: Add attack vector controls for GDS (git-fixes).
- x86/bugs: Add attack vector controls for ITS (git-fixes).
- x86/bugs: Add attack vector controls for L1TF (git-fixes).
- x86/bugs: Add attack vector controls for MDS (git-fixes).
- x86/bugs: Add attack vector controls for MMIO (git-fixes).
- x86/bugs: Add attack vector controls for RFDS (git-fixes).
- x86/bugs: Add attack vector controls for SRBDS (git-fixes).
- x86/bugs: Add attack vector controls for SRSO (git-fixes).
- x86/bugs: Add attack vector controls for SSB (git-fixes).
- x86/bugs: Add attack vector controls for TAA (git-fixes).
- x86/bugs: Add attack vector controls for TSA (git-fixes).
- x86/bugs: Add attack vector controls for retbleed (git-fixes).
- x86/bugs: Add attack vector controls for spectre_v1 (git-fixes).
- x86/bugs: Add attack vector controls for spectre_v2 (git-fixes).
- x86/bugs: Add attack vector controls for spectre_v2_user (git-fixes).
- x86/bugs: Allow ITS stuffing in eIBRS+retpoline mode also (git-fixes).
- x86/bugs: Avoid AUTO after the select step in the retbleed mitigation (git-fixes).
- x86/bugs: Avoid warning when overriding return thunk (git-fixes).
- x86/bugs: Clean up SRSO microcode handling (git-fixes).
- x86/bugs: Define attack vectors relevant for each bug (git-fixes).
- x86/bugs: Fix GDS mitigation selecting when mitigation is off (git-fixes).
- x86/bugs: Introduce cdt_possible() (git-fixes).
- x86/bugs: Print enabled attack vectors (git-fixes).
- x86/bugs: Remove its=stuff dependency on retbleed (git-fixes).
- x86/bugs: Select best SRSO mitigation (git-fixes).
- x86/bugs: Simplify the retbleed=stuff checks (git-fixes).
- x86/bugs: Use IBPB for retbleed if used by SRSO (git-fixes).
- x86/bugs: Use switch/case in its_apply_mitigation() (git-fixes).
- x86/cacheinfo: Properly parse CPUID(0x80000005) L1d/L1i associativity (git-fixes).
- x86/cacheinfo: Properly parse CPUID(0x80000006) L2/L3 associativity (git-fixes).
- x86/cpu: Sanitize CPUID(0x80000000) output (git-fixes).
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures (git-fixes).
- x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() (git-fixes).
- x86/fpu: Delay instruction pointer fixup until after warning (git-fixes).
- x86/fpu: Fix guest FPU state buffer allocation size (git-fixes).
- x86/fpu: Fully optimize out WARN_ON_FPU() (git-fixes).
- x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE (git-fixes).
- x86/fred/signal: Prevent immediate repeat of single step trap on return from SIGTRAP handler (git-fixes).
- x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers (git-fixes).
- x86/locking: Use ALT_OUTPUT_SP() for percpu_{,try_}cmpxchg{64,128}_op() (git-fixes).
- x86/mce/amd: Add default names for MCA banks and blocks (git-fixes).
- x86/mce: Do not remove sysfs if thresholding sysfs init fails (git-fixes).
- x86/mce: Ensure user polling settings are honored when restarting timer (git-fixes).
- x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes).
- x86/microcode/AMD: Handle the case of no BIOS microcode (git-fixes).
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- x86/microcode: Update the Intel processor flag scan check (git-fixes).
- x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() (git-fixes).
- x86/mm/pat: do not collapse pages without PSE set (git-fixes).
- x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() (git-fixes).
- x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 (git-fixes).
- x86/pkeys: Simplify PKRU update in signal frame (git-fixes).
- x86/platform/olpc: Remove unused variable 'len' in olpc_dt_compatible_match() (git-fixes).
- x86/pti: Add attack vector controls for PTI (git-fixes).
- x86/rdrand: Disable RDSEED on AMD Cyan Skillfish (git-fixes).
- x86/smp: Allow calling mwait_play_dead with an arbitrary hint (jsc#PED-13815).
- x86/smp: Fix mwait_play_dead() and acpi_processor_ffh_play_dead() noreturn behavior (jsc#PED-13815).
- x86/smp: PM/hibernate: Split arch_resume_nosmt() (jsc#PED-13815).
- x86/smpboot: Fix INIT delay assignment for extended Intel Families (git-fixes).
- x86/topology: Implement topology_is_core_online() to address SMT regression (jsc#PED-13815).
- x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes).
- xen/gntdev: remove struct gntdev_copy_batch from stack (git-fixes).
- xen/netfront: Fix TX response spurious interrupts (git-fixes).
- xen: fix UAF in dmabuf_exp_from_pages() (git-fixes).
- xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO (git-fixes).
- xfs: change xfs_xattr_class from a TRACE_EVENT() to DECLARE_EVENT_CLASS() (git-fixes).
- xfs: do not propagate ENODATA disk errors into xattr code (git-fixes).
- xfs: fix scrub trace with null pointer in quotacheck (git-fixes).
- xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes).
- xfs: remove unused event xfs_alloc_near_error (git-fixes).
- xfs: remove unused event xfs_alloc_near_nominleft (git-fixes).
- xfs: remove unused event xfs_attr_node_removename (git-fixes).
- xfs: remove unused event xfs_ioctl_clone (git-fixes).
- xfs: remove unused event xfs_pagecache_inval (git-fixes).
- xfs: remove unused event xlog_iclog_want_sync (git-fixes).
- xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes).
- xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes).
- xfs: remove unused trace event xfs_discard_rtrelax (git-fixes).
- xfs: remove unused trace event xfs_log_cil_return (git-fixes).
- xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes).
- xfs: remove unused xfs_attr events (git-fixes).
- xfs: remove unused xfs_reflink_compare_extents events (git-fixes).
- xfs: remove usused xfs_end_io_direct events (git-fixes).
- xhci: dbc: Fix full DbC transfer ring after several reconnects (git-fixes).
- xhci: dbc: decouple endpoint allocation from initialization (git-fixes).
- xhci: fix memory leak regression when freeing xhci vdev devices depth first (git-fixes).
- xirc2ps_cs: fix register access when enabling FullDuplex (git-fixes).
- zram: permit only one post-processing operation at a time (git-fixes).
ImportantSUSE bug 1215199SUSE bug 1218644SUSE bug 1230062SUSE bug 1234634SUSE bug 1234693SUSE bug 1234863SUSE bug 1235953SUSE bug 1236897SUSE bug 1237108SUSE bug 1237131SUSE bug 1237542SUSE bug 1237776SUSE bug 1238972SUSE bug 1239206SUSE bug 1240324SUSE bug 1240696SUSE bug 1240966SUSE bug 1240998SUSE bug 1241166SUSE bug 1241353SUSE bug 1241403SUSE bug 1241435SUSE bug 1242034SUSE bug 1242086SUSE bug 1242414SUSE bug 1242782SUSE bug 1242864SUSE bug 1242965SUSE bug 1242995SUSE bug 1243000SUSE bug 1243055SUSE bug 1243068SUSE bug 1243100SUSE bug 1243112SUSE bug 1243774SUSE bug 1244309SUSE bug 1244723SUSE bug 1244734SUSE bug 1244749SUSE bug 1244792SUSE bug 1244812SUSE bug 1244930SUSE bug 1244939SUSE bug 1245000SUSE bug 1245151SUSE bug 1245193SUSE bug 1245206SUSE bug 1245216SUSE bug 1245260SUSE bug 1245410SUSE bug 1245457SUSE bug 1245504SUSE bug 1245506SUSE bug 1245508SUSE bug 1245510SUSE bug 1245596SUSE bug 1245621SUSE bug 1245630SUSE bug 1245654SUSE bug 1245657SUSE bug 1245658SUSE bug 1245659SUSE bug 1245663SUSE bug 1245664SUSE bug 1245665SUSE bug 1245666SUSE bug 1245668SUSE bug 1245669SUSE bug 1245670SUSE bug 1245671SUSE bug 1245675SUSE bug 1245676SUSE bug 1245678SUSE bug 1245683SUSE bug 1245684SUSE bug 1245686SUSE bug 1245688SUSE bug 1245690SUSE bug 1245691SUSE bug 1245695SUSE bug 1245700SUSE bug 1245703SUSE bug 1245705SUSE bug 1245710SUSE bug 1245711SUSE bug 1245713SUSE bug 1245714SUSE bug 1245715SUSE bug 1245717SUSE bug 1245719SUSE bug 1245721SUSE bug 1245723SUSE bug 1245726SUSE bug 1245728SUSE bug 1245729SUSE bug 1245730SUSE bug 1245731SUSE bug 1245735SUSE bug 1245737SUSE bug 1245744SUSE bug 1245745SUSE bug 1245746SUSE bug 1245747SUSE bug 1245748SUSE bug 1245749SUSE bug 1245751SUSE bug 1245757SUSE bug 1245763SUSE bug 1245765SUSE bug 1245767SUSE bug 1245769SUSE bug 1245777SUSE bug 1245780SUSE bug 1245781SUSE bug 1245784SUSE bug 1245785SUSE bug 1245787SUSE bug 1245812SUSE bug 1245814SUSE bug 1245815SUSE bug 1245937SUSE bug 1245945SUSE bug 1245952SUSE bug 1245955SUSE bug 1245956SUSE bug 1245963SUSE bug 1245966SUSE bug 1245970SUSE bug 1245973SUSE bug 1245976SUSE bug 1245977SUSE bug 1245986SUSE bug 1246000SUSE bug 1246002SUSE bug 1246005SUSE bug 1246008SUSE bug 1246012SUSE bug 1246022SUSE bug 1246023SUSE bug 1246031SUSE bug 1246034SUSE bug 1246037SUSE bug 1246041SUSE bug 1246042SUSE bug 1246047SUSE bug 1246049SUSE bug 1246050SUSE bug 1246053SUSE bug 1246054SUSE bug 1246055SUSE bug 1246057SUSE bug 1246098SUSE bug 1246109SUSE bug 1246125SUSE bug 1246166SUSE bug 1246171SUSE bug 1246176SUSE bug 1246181SUSE bug 1246183SUSE bug 1246185SUSE bug 1246186SUSE bug 1246188SUSE bug 1246190SUSE bug 1246192SUSE bug 1246193SUSE bug 1246195SUSE bug 1246220SUSE bug 1246234SUSE bug 1246236SUSE bug 1246240SUSE bug 1246243SUSE bug 1246244SUSE bug 1246245SUSE bug 1246246SUSE bug 1246248SUSE bug 1246250SUSE bug 1246252SUSE bug 1246253SUSE bug 1246255SUSE bug 1246258SUSE bug 1246259SUSE bug 1246260SUSE bug 1246262SUSE bug 1246266SUSE bug 1246268SUSE bug 1246283SUSE bug 1246285SUSE bug 1246286SUSE bug 1246287SUSE bug 1246290SUSE bug 1246292SUSE bug 1246293SUSE bug 1246295SUSE bug 1246297SUSE bug 1246333SUSE bug 1246334SUSE bug 1246337SUSE bug 1246342SUSE bug 1246349SUSE bug 1246351SUSE bug 1246353SUSE bug 1246354SUSE bug 1246358SUSE bug 1246364SUSE bug 1246366SUSE bug 1246370SUSE bug 1246375SUSE bug 1246376SUSE bug 1246385SUSE bug 1246386SUSE bug 1246387SUSE bug 1246438SUSE bug 1246443SUSE bug 1246444SUSE bug 1246447SUSE bug 1246450SUSE bug 1246453SUSE bug 1246473SUSE bug 1246490SUSE bug 1246509SUSE bug 1246547SUSE bug 1246631SUSE bug 1246651SUSE bug 1246688SUSE bug 1246777SUSE bug 1246781SUSE bug 1246782SUSE bug 1246868SUSE bug 1246896SUSE bug 1246911SUSE bug 1246979SUSE bug 1247018SUSE bug 1247020SUSE bug 1247022SUSE bug 1247023SUSE bug 1247024SUSE bug 1247027SUSE bug 1247028SUSE bug 1247031SUSE bug 1247033SUSE bug 1247035SUSE bug 1247061SUSE bug 1247062SUSE bug 1247064SUSE bug 1247076SUSE bug 1247078SUSE bug 1247079SUSE bug 1247088SUSE bug 1247089SUSE bug 1247091SUSE bug 1247097SUSE bug 1247098SUSE bug 1247099SUSE bug 1247101SUSE bug 1247102SUSE bug 1247103SUSE bug 1247104SUSE bug 1247112SUSE bug 1247113SUSE bug 1247116SUSE bug 1247118SUSE bug 1247119SUSE bug 1247123SUSE bug 1247125SUSE bug 1247126SUSE bug 1247128SUSE bug 1247130SUSE bug 1247131SUSE bug 1247132SUSE bug 1247136SUSE bug 1247137SUSE bug 1247138SUSE bug 1247141SUSE bug 1247143SUSE bug 1247145SUSE bug 1247146SUSE bug 1247147SUSE bug 1247149SUSE bug 1247150SUSE bug 1247151SUSE bug 1247152SUSE bug 1247153SUSE bug 1247154SUSE bug 1247155SUSE bug 1247156SUSE bug 1247157SUSE bug 1247160SUSE bug 1247162SUSE bug 1247163SUSE bug 1247164SUSE bug 1247167SUSE bug 1247169SUSE bug 1247170SUSE bug 1247171SUSE bug 1247174SUSE bug 1247176SUSE bug 1247177SUSE bug 1247178SUSE bug 1247181SUSE bug 1247209SUSE bug 1247210SUSE bug 1247220SUSE bug 1247223SUSE bug 1247227SUSE bug 1247229SUSE bug 1247231SUSE bug 1247233SUSE bug 1247234SUSE bug 1247235SUSE bug 1247236SUSE bug 1247238SUSE bug 1247239SUSE bug 1247241SUSE bug 1247243SUSE bug 1247250SUSE bug 1247251SUSE bug 1247252SUSE bug 1247253SUSE bug 1247255SUSE bug 1247262SUSE bug 1247265SUSE bug 1247270SUSE bug 1247271SUSE bug 1247273SUSE bug 1247274SUSE bug 1247276SUSE bug 1247277SUSE bug 1247278SUSE bug 1247279SUSE bug 1247280SUSE bug 1247282SUSE bug 1247283SUSE bug 1247284SUSE bug 1247285SUSE bug 1247288SUSE bug 1247289SUSE bug 1247290SUSE bug 1247293SUSE bug 1247308SUSE bug 1247311SUSE bug 1247313SUSE bug 1247314SUSE bug 1247317SUSE bug 1247325SUSE bug 1247347SUSE bug 1247348SUSE bug 1247349SUSE bug 1247366SUSE bug 1247372SUSE bug 1247376SUSE bug 1247426SUSE bug 1247437SUSE bug 1247442SUSE bug 1247483SUSE bug 1247500SUSE bug 1247712SUSE bug 1247837SUSE bug 1247838SUSE bug 1247935SUSE bug 1247936SUSE bug 1247949SUSE bug 1247950SUSE bug 1247963SUSE bug 1247976SUSE bug 1248088SUSE bug 1248111SUSE bug 1248121SUSE bug 1248183SUSE bug 1248186SUSE bug 1248190SUSE bug 1248192SUSE bug 1248194SUSE bug 1248198SUSE bug 1248199SUSE bug 1248200SUSE bug 1248202SUSE bug 1248205SUSE bug 1248211SUSE bug 1248223SUSE bug 1248224SUSE bug 1248225SUSE bug 1248230SUSE bug 1248235SUSE bug 1248255SUSE bug 1248296SUSE bug 1248297SUSE bug 1248299SUSE bug 1248302SUSE bug 1248304SUSE bug 1248306SUSE bug 1248312SUSE bug 1248333SUSE bug 1248334SUSE bug 1248337SUSE bug 1248338SUSE bug 1248340SUSE bug 1248341SUSE bug 1248343SUSE bug 1248345SUSE bug 1248349SUSE bug 1248350SUSE bug 1248354SUSE bug 1248355SUSE bug 1248357SUSE bug 1248359SUSE bug 1248361SUSE bug 1248363SUSE bug 1248365SUSE bug 1248367SUSE bug 1248368SUSE bug 1248374SUSE bug 1248377SUSE bug 1248378SUSE bug 1248380SUSE bug 1248386SUSE bug 1248390SUSE bug 1248392SUSE bug 1248395SUSE bug 1248396SUSE bug 1248399SUSE bug 1248401SUSE bug 1248511SUSE bug 1248512SUSE bug 1248573SUSE bug 1248575SUSE bug 1248577SUSE bug 1248609SUSE bug 1248610SUSE bug 1248616SUSE bug 1248617SUSE bug 1248619SUSE bug 1248621SUSE bug 1248622SUSE bug 1248624SUSE bug 1248627SUSE bug 1248628SUSE bug 1248634SUSE bug 1248635SUSE bug 1248639SUSE bug 1248643SUSE bug 1248647SUSE bug 1248648SUSE bug 1248652SUSE bug 1248655SUSE bug 1248662SUSE bug 1248664SUSE bug 1248666SUSE bug 1248669SUSE bug 1248674SUSE bug 1248681SUSE bug 1248727SUSE bug 1248728SUSE bug 1248748SUSE bug 1248754SUSE bug 1248775SUSE bug 1249022SUSE bug 1249038SUSE bug 1249060SUSE bug 1249061SUSE bug 1249062SUSE bug 1249064SUSE bug 1249065SUSE bug 1249066SUSE bug 1249126SUSE bug 1249143SUSE bug 1249156SUSE bug 1249159SUSE bug 1249160SUSE bug 1249163SUSE bug 1249164SUSE bug 1249166SUSE bug 1249167SUSE bug 1249169SUSE bug 1249170SUSE bug 1249172SUSE bug 1249176SUSE bug 1249177SUSE bug 1249182SUSE bug 1249186SUSE bug 1249190SUSE bug 1249193SUSE bug 1249195SUSE bug 1249199SUSE bug 1249201SUSE bug 1249202SUSE bug 1249203SUSE bug 1249204SUSE bug 1249206SUSE bug 1249215SUSE bug 1249220SUSE bug 1249221SUSE bug 1249254SUSE bug 1249258SUSE bug 1249262SUSE bug 1249263SUSE bug 1249265SUSE bug 1249266SUSE bug 1249269SUSE bug 1249271SUSE bug 1249272SUSE bug 1249273SUSE bug 1249274SUSE bug 1249278SUSE bug 1249279SUSE bug 1249281SUSE bug 1249282SUSE bug 1249284SUSE bug 1249285SUSE bug 1249286SUSE bug 1249288SUSE bug 1249290SUSE bug 1249292SUSE bug 1249295SUSE bug 1249296SUSE bug 1249297SUSE bug 1249299SUSE bug 1249300SUSE bug 1249301SUSE bug 1249303SUSE bug 1249304SUSE bug 1249305SUSE bug 1249306SUSE bug 1249308SUSE bug 1249309SUSE bug 1249312SUSE bug 1249313SUSE bug 1249314SUSE bug 1249315SUSE bug 1249316SUSE bug 1249318SUSE bug 1249319SUSE bug 1249320SUSE bug 1249321SUSE bug 1249322SUSE bug 1249323SUSE bug 1249324SUSE bug 1249333SUSE bug 1249334SUSE bug 1249338SUSE bug 1249346SUSE bug 1249374SUSE bug 1249413SUSE bug 1249477SUSE bug 1249478SUSE bug 1249479SUSE bug 1249486SUSE bug 1249490SUSE bug 1249494SUSE bug 1249500SUSE bug 1249504SUSE bug 1249506SUSE bug 1249508SUSE bug 1249509SUSE bug 1249510SUSE bug 1249513SUSE bug 1249515SUSE bug 1249516SUSE bug 1249522SUSE bug 1249523SUSE bug 1249524SUSE bug 1249526SUSE bug 1249533SUSE bug 1249538SUSE bug 1249540SUSE bug 1249542SUSE bug 1249545SUSE bug 1249547SUSE bug 1249548SUSE bug 1249550SUSE bug 1249552SUSE bug 1249554SUSE bug 1249562SUSE bug 1249566SUSE bug 1249587SUSE bug 1249598SUSE bug 1249604SUSE bug 1249608SUSE bug 1249615SUSE bug 1249618SUSE bug 1249774SUSE bug 1249833SUSE bug 1249887SUSE bug 1249888SUSE bug 1249901SUSE bug 1249904SUSE bug 1249906SUSE bug 1249915SUSE bug 1249974SUSE bug 1249975SUSE bug 1250002SUSE bug 1250007SUSE bug 1250021SUSE bug 1250025SUSE bug 1250028SUSE bug 1250032SUSE bug 1250087SUSE bug 1250088SUSE bug 1250119SUSE bug 1250123SUSE bug 1250124SUSE bug 1250177SUSE bug 1250179SUSE bug 1250203SUSE bug 1250204SUSE bug 1250205SUSE bug 1250237SUSE bug 1250242SUSE bug 1250247SUSE bug 1250249SUSE bug 1250251SUSE bug 1250258SUSE bug 1250262SUSE bug 1250266SUSE bug 1250267SUSE bug 1250268SUSE bug 1250275SUSE bug 1250276SUSE bug 1250281SUSE bug 1250291SUSE bug 1250292SUSE bug 1250294SUSE bug 1250296SUSE bug 1250297SUSE bug 1250298SUSE bug 1250334SUSE bug 1250344SUSE bug 1250365SUSE bug 1250371SUSE bug 1250377SUSE bug 1250386SUSE bug 1250389SUSE bug 1250398SUSE bug 1250402SUSE bug 1250406SUSE bug 1250407SUSE bug 1250408SUSE bug 1250450SUSE bug 1250491SUSE bug 1250519SUSE bug 1250522SUSE bug 1250650SUSE bug 1250655SUSE bug 1250671SUSE bug 1250702SUSE bug 1250711SUSE bug 1250712SUSE bug 1250713SUSE bug 1250716SUSE bug 1250719SUSE bug 1250722SUSE bug 1250729SUSE bug 1250736SUSE bug 1250737SUSE bug 1250739SUSE bug 1250741SUSE bug 1250742SUSE bug 1250758SUSE bug 1250952SUSE bug 1251100SUSE bug 1251114SUSE bug 1251134SUSE bug 1251135SUSE bug 1251143SUSE bug 1251146SUSE bug 1251186SUSE bug 1251216SUSE bug 1251230SUSE bug 1251810SUSE bug 1252084CVE-2024-53164 at SUSECVE-2024-53164 at NVDCVE-2024-57891 at SUSECVE-2024-57891 at NVDCVE-2024-57951 at SUSECVE-2024-57951 at NVDCVE-2024-57952 at SUSECVE-2024-57952 at NVDCVE-2024-58090 at SUSECVE-2024-58090 at NVDCVE-2025-22034 at SUSECVE-2025-22034 at NVDCVE-2025-22077 at SUSECVE-2025-22077 at NVDCVE-2025-23141 at SUSECVE-2025-23141 at NVDCVE-2025-37798 at SUSECVE-2025-37798 at NVDCVE-2025-37821 at SUSECVE-2025-37821 at NVDCVE-2025-37849 at SUSECVE-2025-37849 at NVDCVE-2025-37856 at SUSECVE-2025-37856 at NVDCVE-2025-37861 at SUSECVE-2025-37861 at NVDCVE-2025-37864 at SUSECVE-2025-37864 at NVDCVE-2025-38006 at SUSECVE-2025-38006 at NVDCVE-2025-38008 at SUSECVE-2025-38008 at NVDCVE-2025-38019 at SUSECVE-2025-38019 at NVDCVE-2025-38034 at SUSECVE-2025-38034 at NVDCVE-2025-38038 at SUSECVE-2025-38038 at NVDCVE-2025-38052 at SUSECVE-2025-38052 at NVDCVE-2025-38058 at SUSECVE-2025-38058 at NVDCVE-2025-38062 at SUSECVE-2025-38062 at NVDCVE-2025-38075 at SUSECVE-2025-38075 at NVDCVE-2025-38087 at SUSECVE-2025-38087 at NVDCVE-2025-38088 at SUSECVE-2025-38088 at NVDCVE-2025-38089 at SUSECVE-2025-38089 at NVDCVE-2025-38090 at SUSECVE-2025-38090 at NVDCVE-2025-38091 at SUSECVE-2025-38091 at NVDCVE-2025-38095 at SUSECVE-2025-38095 at NVDCVE-2025-38096 at SUSECVE-2025-38096 at NVDCVE-2025-38098 at SUSECVE-2025-38098 at NVDCVE-2025-38099 at SUSECVE-2025-38099 at NVDCVE-2025-38101 at SUSECVE-2025-38101 at NVDCVE-2025-38102 at SUSECVE-2025-38102 at NVDCVE-2025-38103 at SUSECVE-2025-38103 at NVDCVE-2025-38106 at SUSECVE-2025-38106 at NVDCVE-2025-38107 at SUSECVE-2025-38107 at NVDCVE-2025-38108 at SUSECVE-2025-38108 at NVDCVE-2025-38109 at SUSECVE-2025-38109 at NVDCVE-2025-38110 at SUSECVE-2025-38110 at NVDCVE-2025-38111 at SUSECVE-2025-38111 at NVDCVE-2025-38112 at SUSECVE-2025-38112 at NVDCVE-2025-38113 at SUSECVE-2025-38113 at NVDCVE-2025-38114 at SUSECVE-2025-38114 at NVDCVE-2025-38117 at SUSECVE-2025-38117 at NVDCVE-2025-38118 at SUSECVE-2025-38118 at NVDCVE-2025-38119 at SUSECVE-2025-38119 at NVDCVE-2025-38120 at SUSECVE-2025-38120 at NVDCVE-2025-38122 at SUSECVE-2025-38122 at NVDCVE-2025-38123 at SUSECVE-2025-38123 at NVDCVE-2025-38124 at SUSECVE-2025-38124 at NVDCVE-2025-38125 at SUSECVE-2025-38125 at NVDCVE-2025-38127 at SUSECVE-2025-38127 at NVDCVE-2025-38128 at SUSECVE-2025-38128 at NVDCVE-2025-38129 at SUSECVE-2025-38129 at NVDCVE-2025-38134 at SUSECVE-2025-38134 at NVDCVE-2025-38135 at SUSECVE-2025-38135 at NVDCVE-2025-38136 at SUSECVE-2025-38136 at NVDCVE-2025-38137 at SUSECVE-2025-38137 at NVDCVE-2025-38138 at SUSECVE-2025-38138 at NVDCVE-2025-38140 at SUSECVE-2025-38140 at NVDCVE-2025-38141 at SUSECVE-2025-38141 at NVDCVE-2025-38142 at SUSECVE-2025-38142 at NVDCVE-2025-38143 at SUSECVE-2025-38143 at NVDCVE-2025-38145 at SUSECVE-2025-38145 at NVDCVE-2025-38146 at SUSECVE-2025-38146 at NVDCVE-2025-38148 at SUSECVE-2025-38148 at NVDCVE-2025-38149 at SUSECVE-2025-38149 at NVDCVE-2025-38151 at SUSECVE-2025-38151 at NVDCVE-2025-38153 at SUSECVE-2025-38153 at NVDCVE-2025-38154 at SUSECVE-2025-38154 at NVDCVE-2025-38155 at SUSECVE-2025-38155 at NVDCVE-2025-38156 at SUSECVE-2025-38156 at NVDCVE-2025-38157 at SUSECVE-2025-38157 at NVDCVE-2025-38159 at SUSECVE-2025-38159 at NVDCVE-2025-38160 at SUSECVE-2025-38160 at NVDCVE-2025-38161 at SUSECVE-2025-38161 at NVDCVE-2025-38165 at SUSECVE-2025-38165 at NVDCVE-2025-38168 at SUSECVE-2025-38168 at NVDCVE-2025-38169 at SUSECVE-2025-38169 at NVDCVE-2025-38170 at SUSECVE-2025-38170 at NVDCVE-2025-38172 at SUSECVE-2025-38172 at NVDCVE-2025-38173 at SUSECVE-2025-38173 at NVDCVE-2025-38174 at SUSECVE-2025-38174 at NVDCVE-2025-38177 at SUSECVE-2025-38177 at NVDCVE-2025-38180 at SUSECVE-2025-38180 at NVDCVE-2025-38181 at SUSECVE-2025-38181 at NVDCVE-2025-38182 at SUSECVE-2025-38182 at NVDCVE-2025-38184 at SUSECVE-2025-38184 at NVDCVE-2025-38185 at SUSECVE-2025-38185 at NVDCVE-2025-38186 at SUSECVE-2025-38186 at NVDCVE-2025-38188 at SUSECVE-2025-38188 at NVDCVE-2025-38189 at SUSECVE-2025-38189 at NVDCVE-2025-38190 at SUSECVE-2025-38190 at NVDCVE-2025-38193 at SUSECVE-2025-38193 at NVDCVE-2025-38197 at SUSECVE-2025-38197 at NVDCVE-2025-38198 at SUSECVE-2025-38198 at NVDCVE-2025-38201 at SUSECVE-2025-38201 at NVDCVE-2025-38205 at SUSECVE-2025-38205 at NVDCVE-2025-38208 at SUSECVE-2025-38208 at NVDCVE-2025-38209 at SUSECVE-2025-38209 at NVDCVE-2025-38211 at SUSECVE-2025-38211 at NVDCVE-2025-38213 at SUSECVE-2025-38213 at NVDCVE-2025-38214 at SUSECVE-2025-38214 at NVDCVE-2025-38215 at SUSECVE-2025-38215 at NVDCVE-2025-38216 at SUSECVE-2025-38216 at NVDCVE-2025-38217 at SUSECVE-2025-38217 at NVDCVE-2025-38220 at SUSECVE-2025-38220 at NVDCVE-2025-38222 at SUSECVE-2025-38222 at NVDCVE-2025-38224 at SUSECVE-2025-38224 at NVDCVE-2025-38225 at SUSECVE-2025-38225 at NVDCVE-2025-38226 at SUSECVE-2025-38226 at NVDCVE-2025-38227 at SUSECVE-2025-38227 at NVDCVE-2025-38228 at SUSECVE-2025-38228 at NVDCVE-2025-38229 at SUSECVE-2025-38229 at NVDCVE-2025-38231 at SUSECVE-2025-38231 at NVDCVE-2025-38232 at SUSECVE-2025-38232 at NVDCVE-2025-38233 at SUSECVE-2025-38233 at NVDCVE-2025-38234 at SUSECVE-2025-38234 at NVDCVE-2025-38242 at SUSECVE-2025-38242 at NVDCVE-2025-38244 at SUSECVE-2025-38244 at NVDCVE-2025-38245 at SUSECVE-2025-38245 at NVDCVE-2025-38246 at SUSECVE-2025-38246 at NVDCVE-2025-38249 at SUSECVE-2025-38249 at NVDCVE-2025-38251 at SUSECVE-2025-38251 at NVDCVE-2025-38253 at SUSECVE-2025-38253 at NVDCVE-2025-38255 at SUSECVE-2025-38255 at NVDCVE-2025-38256 at SUSECVE-2025-38256 at NVDCVE-2025-38257 at SUSECVE-2025-38257 at NVDCVE-2025-38258 at SUSECVE-2025-38258 at NVDCVE-2025-38259 at SUSECVE-2025-38259 at NVDCVE-2025-38263 at SUSECVE-2025-38263 at NVDCVE-2025-38264 at SUSECVE-2025-38264 at NVDCVE-2025-38265 at SUSECVE-2025-38265 at NVDCVE-2025-38267 at SUSECVE-2025-38267 at NVDCVE-2025-38268 at SUSECVE-2025-38268 at NVDCVE-2025-38270 at SUSECVE-2025-38270 at NVDCVE-2025-38272 at SUSECVE-2025-38272 at NVDCVE-2025-38273 at SUSECVE-2025-38273 at NVDCVE-2025-38274 at SUSECVE-2025-38274 at NVDCVE-2025-38275 at SUSECVE-2025-38275 at NVDCVE-2025-38277 at SUSECVE-2025-38277 at NVDCVE-2025-38278 at SUSECVE-2025-38278 at NVDCVE-2025-38286 at SUSECVE-2025-38286 at NVDCVE-2025-38287 at SUSECVE-2025-38287 at NVDCVE-2025-38288 at SUSECVE-2025-38288 at NVDCVE-2025-38289 at SUSECVE-2025-38289 at NVDCVE-2025-38290 at SUSECVE-2025-38290 at NVDCVE-2025-38291 at SUSECVE-2025-38291 at NVDCVE-2025-38292 at SUSECVE-2025-38292 at NVDCVE-2025-38293 at SUSECVE-2025-38293 at NVDCVE-2025-38299 at SUSECVE-2025-38299 at NVDCVE-2025-38300 at SUSECVE-2025-38300 at NVDCVE-2025-38301 at SUSECVE-2025-38301 at NVDCVE-2025-38302 at SUSECVE-2025-38302 at NVDCVE-2025-38303 at SUSECVE-2025-38303 at NVDCVE-2025-38304 at SUSECVE-2025-38304 at NVDCVE-2025-38305 at SUSECVE-2025-38305 at NVDCVE-2025-38306 at SUSECVE-2025-38306 at NVDCVE-2025-38307 at SUSECVE-2025-38307 at NVDCVE-2025-38311 at SUSECVE-2025-38311 at NVDCVE-2025-38312 at SUSECVE-2025-38312 at NVDCVE-2025-38313 at SUSECVE-2025-38313 at NVDCVE-2025-38315 at SUSECVE-2025-38315 at NVDCVE-2025-38317 at SUSECVE-2025-38317 at NVDCVE-2025-38318 at SUSECVE-2025-38318 at NVDCVE-2025-38319 at SUSECVE-2025-38319 at NVDCVE-2025-38322 at SUSECVE-2025-38322 at NVDCVE-2025-38323 at SUSECVE-2025-38323 at NVDCVE-2025-38326 at SUSECVE-2025-38326 at NVDCVE-2025-38332 at SUSECVE-2025-38332 at NVDCVE-2025-38335 at SUSECVE-2025-38335 at NVDCVE-2025-38336 at SUSECVE-2025-38336 at NVDCVE-2025-38337 at SUSECVE-2025-38337 at NVDCVE-2025-38338 at SUSECVE-2025-38338 at NVDCVE-2025-38339 at SUSECVE-2025-38339 at NVDCVE-2025-38341 at SUSECVE-2025-38341 at NVDCVE-2025-38342 at SUSECVE-2025-38342 at NVDCVE-2025-38343 at SUSECVE-2025-38343 at NVDCVE-2025-38344 at SUSECVE-2025-38344 at NVDCVE-2025-38345 at SUSECVE-2025-38345 at NVDCVE-2025-38348 at SUSECVE-2025-38348 at NVDCVE-2025-38349 at SUSECVE-2025-38349 at NVDCVE-2025-38350 at SUSECVE-2025-38350 at NVDCVE-2025-38351 at SUSECVE-2025-38351 at NVDCVE-2025-38352 at SUSECVE-2025-38352 at NVDCVE-2025-38353 at SUSECVE-2025-38353 at NVDCVE-2025-38354 at SUSECVE-2025-38354 at NVDCVE-2025-38355 at SUSECVE-2025-38355 at NVDCVE-2025-38356 at SUSECVE-2025-38356 at NVDCVE-2025-38359 at SUSECVE-2025-38359 at NVDCVE-2025-38360 at SUSECVE-2025-38360 at NVDCVE-2025-38361 at SUSECVE-2025-38361 at NVDCVE-2025-38362 at SUSECVE-2025-38362 at NVDCVE-2025-38363 at SUSECVE-2025-38363 at NVDCVE-2025-38364 at SUSECVE-2025-38364 at NVDCVE-2025-38365 at SUSECVE-2025-38365 at NVDCVE-2025-38368 at SUSECVE-2025-38368 at NVDCVE-2025-38369 at SUSECVE-2025-38369 at NVDCVE-2025-38371 at SUSECVE-2025-38371 at NVDCVE-2025-38372 at SUSECVE-2025-38372 at NVDCVE-2025-38373 at SUSECVE-2025-38373 at NVDCVE-2025-38374 at SUSECVE-2025-38374 at NVDCVE-2025-38375 at SUSECVE-2025-38375 at NVDCVE-2025-38376 at SUSECVE-2025-38376 at NVDCVE-2025-38377 at SUSECVE-2025-38377 at NVDCVE-2025-38380 at SUSECVE-2025-38380 at NVDCVE-2025-38381 at SUSECVE-2025-38381 at NVDCVE-2025-38382 at SUSECVE-2025-38382 at NVDCVE-2025-38383 at SUSECVE-2025-38383 at NVDCVE-2025-38384 at SUSECVE-2025-38384 at NVDCVE-2025-38385 at SUSECVE-2025-38385 at NVDCVE-2025-38386 at SUSECVE-2025-38386 at NVDCVE-2025-38387 at SUSECVE-2025-38387 at NVDCVE-2025-38389 at SUSECVE-2025-38389 at NVDCVE-2025-38390 at SUSECVE-2025-38390 at NVDCVE-2025-38391 at SUSECVE-2025-38391 at NVDCVE-2025-38392 at SUSECVE-2025-38392 at NVDCVE-2025-38393 at SUSECVE-2025-38393 at NVDCVE-2025-38395 at SUSECVE-2025-38395 at NVDCVE-2025-38396 at SUSECVE-2025-38396 at NVDCVE-2025-38397 at SUSECVE-2025-38397 at NVDCVE-2025-38399 at SUSECVE-2025-38399 at NVDCVE-2025-38400 at SUSECVE-2025-38400 at NVDCVE-2025-38401 at SUSECVE-2025-38401 at NVDCVE-2025-38402 at SUSECVE-2025-38402 at NVDCVE-2025-38403 at SUSECVE-2025-38403 at NVDCVE-2025-38404 at SUSECVE-2025-38404 at NVDCVE-2025-38405 at SUSECVE-2025-38405 at NVDCVE-2025-38406 at SUSECVE-2025-38406 at NVDCVE-2025-38408 at SUSECVE-2025-38408 at NVDCVE-2025-38409 at SUSECVE-2025-38409 at NVDCVE-2025-38410 at SUSECVE-2025-38410 at NVDCVE-2025-38412 at SUSECVE-2025-38412 at NVDCVE-2025-38413 at SUSECVE-2025-38413 at NVDCVE-2025-38414 at SUSECVE-2025-38414 at NVDCVE-2025-38415 at SUSECVE-2025-38415 at NVDCVE-2025-38416 at SUSECVE-2025-38416 at NVDCVE-2025-38417 at SUSECVE-2025-38417 at NVDCVE-2025-38418 at SUSECVE-2025-38418 at NVDCVE-2025-38419 at SUSECVE-2025-38419 at NVDCVE-2025-38420 at SUSECVE-2025-38420 at NVDCVE-2025-38421 at SUSECVE-2025-38421 at NVDCVE-2025-38424 at SUSECVE-2025-38424 at NVDCVE-2025-38425 at SUSECVE-2025-38425 at NVDCVE-2025-38426 at SUSECVE-2025-38426 at NVDCVE-2025-38427 at SUSECVE-2025-38427 at NVDCVE-2025-38428 at SUSECVE-2025-38428 at NVDCVE-2025-38429 at SUSECVE-2025-38429 at NVDCVE-2025-38430 at SUSECVE-2025-38430 at NVDCVE-2025-38436 at SUSECVE-2025-38436 at NVDCVE-2025-38438 at SUSECVE-2025-38438 at NVDCVE-2025-38439 at SUSECVE-2025-38439 at NVDCVE-2025-38440 at SUSECVE-2025-38440 at NVDCVE-2025-38441 at SUSECVE-2025-38441 at NVDCVE-2025-38443 at SUSECVE-2025-38443 at NVDCVE-2025-38444 at SUSECVE-2025-38444 at NVDCVE-2025-38445 at SUSECVE-2025-38445 at NVDCVE-2025-38446 at SUSECVE-2025-38446 at NVDCVE-2025-38448 at SUSECVE-2025-38448 at NVDCVE-2025-38449 at SUSECVE-2025-38449 at NVDCVE-2025-38450 at SUSECVE-2025-38450 at NVDCVE-2025-38451 at SUSECVE-2025-38451 at NVDCVE-2025-38453 at SUSECVE-2025-38453 at NVDCVE-2025-38454 at SUSECVE-2025-38454 at NVDCVE-2025-38455 at SUSECVE-2025-38455 at NVDCVE-2025-38456 at SUSECVE-2025-38456 at NVDCVE-2025-38457 at SUSECVE-2025-38457 at NVDCVE-2025-38458 at SUSECVE-2025-38458 at NVDCVE-2025-38459 at SUSECVE-2025-38459 at NVDCVE-2025-38460 at SUSECVE-2025-38460 at NVDCVE-2025-38461 at SUSECVE-2025-38461 at NVDCVE-2025-38462 at SUSECVE-2025-38462 at NVDCVE-2025-38463 at SUSECVE-2025-38463 at NVDCVE-2025-38464 at SUSECVE-2025-38464 at NVDCVE-2025-38465 at SUSECVE-2025-38465 at NVDCVE-2025-38466 at SUSECVE-2025-38466 at NVDCVE-2025-38467 at SUSECVE-2025-38467 at NVDCVE-2025-38468 at SUSECVE-2025-38468 at NVDCVE-2025-38470 at SUSECVE-2025-38470 at NVDCVE-2025-38472 at SUSECVE-2025-38472 at NVDCVE-2025-38473 at SUSECVE-2025-38473 at NVDCVE-2025-38474 at SUSECVE-2025-38474 at NVDCVE-2025-38475 at SUSECVE-2025-38475 at NVDCVE-2025-38476 at SUSECVE-2025-38476 at NVDCVE-2025-38477 at SUSECVE-2025-38477 at NVDCVE-2025-38478 at SUSECVE-2025-38478 at NVDCVE-2025-38480 at SUSECVE-2025-38480 at NVDCVE-2025-38481 at SUSECVE-2025-38481 at NVDCVE-2025-38482 at SUSECVE-2025-38482 at NVDCVE-2025-38483 at SUSECVE-2025-38483 at NVDCVE-2025-38484 at SUSECVE-2025-38484 at NVDCVE-2025-38485 at SUSECVE-2025-38485 at NVDCVE-2025-38487 at SUSECVE-2025-38487 at NVDCVE-2025-38488 at SUSECVE-2025-38488 at NVDCVE-2025-38489 at SUSECVE-2025-38489 at NVDCVE-2025-38490 at SUSECVE-2025-38490 at NVDCVE-2025-38491 at SUSECVE-2025-38491 at NVDCVE-2025-38493 at SUSECVE-2025-38493 at NVDCVE-2025-38494 at SUSECVE-2025-38494 at NVDCVE-2025-38495 at SUSECVE-2025-38495 at NVDCVE-2025-38496 at SUSECVE-2025-38496 at NVDCVE-2025-38497 at SUSECVE-2025-38497 at NVDCVE-2025-38499 at SUSECVE-2025-38499 at NVDCVE-2025-38500 at SUSECVE-2025-38500 at NVDCVE-2025-38503 at SUSECVE-2025-38503 at NVDCVE-2025-38506 at SUSECVE-2025-38506 at NVDCVE-2025-38508 at SUSECVE-2025-38508 at NVDCVE-2025-38514 at SUSECVE-2025-38514 at NVDCVE-2025-38524 at SUSECVE-2025-38524 at NVDCVE-2025-38526 at SUSECVE-2025-38526 at NVDCVE-2025-38527 at SUSECVE-2025-38527 at NVDCVE-2025-38528 at SUSECVE-2025-38528 at NVDCVE-2025-38531 at SUSECVE-2025-38531 at NVDCVE-2025-38533 at SUSECVE-2025-38533 at NVDCVE-2025-38539 at SUSECVE-2025-38539 at NVDCVE-2025-38544 at SUSECVE-2025-38544 at NVDCVE-2025-38545 at SUSECVE-2025-38545 at NVDCVE-2025-38546 at SUSECVE-2025-38546 at NVDCVE-2025-38549 at SUSECVE-2025-38549 at NVDCVE-2025-38552 at SUSECVE-2025-38552 at NVDCVE-2025-38553 at SUSECVE-2025-38553 at NVDCVE-2025-38554 at SUSECVE-2025-38554 at NVDCVE-2025-38555 at SUSECVE-2025-38555 at NVDCVE-2025-38556 at SUSECVE-2025-38556 at NVDCVE-2025-38557 at SUSECVE-2025-38557 at NVDCVE-2025-38559 at SUSECVE-2025-38559 at NVDCVE-2025-38560 at SUSECVE-2025-38560 at NVDCVE-2025-38563 at SUSECVE-2025-38563 at NVDCVE-2025-38564 at SUSECVE-2025-38564 at NVDCVE-2025-38565 at SUSECVE-2025-38565 at NVDCVE-2025-38566 at SUSECVE-2025-38566 at NVDCVE-2025-38568 at SUSECVE-2025-38568 at NVDCVE-2025-38571 at SUSECVE-2025-38571 at NVDCVE-2025-38572 at SUSECVE-2025-38572 at NVDCVE-2025-38573 at SUSECVE-2025-38573 at NVDCVE-2025-38574 at SUSECVE-2025-38574 at NVDCVE-2025-38576 at SUSECVE-2025-38576 at NVDCVE-2025-38581 at SUSECVE-2025-38581 at NVDCVE-2025-38582 at SUSECVE-2025-38582 at NVDCVE-2025-38583 at SUSECVE-2025-38583 at NVDCVE-2025-38584 at SUSECVE-2025-38584 at NVDCVE-2025-38585 at SUSECVE-2025-38585 at NVDCVE-2025-38586 at SUSECVE-2025-38586 at NVDCVE-2025-38587 at SUSECVE-2025-38587 at NVDCVE-2025-38588 at SUSECVE-2025-38588 at NVDCVE-2025-38591 at SUSECVE-2025-38591 at NVDCVE-2025-38593 at SUSECVE-2025-38593 at NVDCVE-2025-38595 at SUSECVE-2025-38595 at NVDCVE-2025-38597 at SUSECVE-2025-38597 at NVDCVE-2025-38601 at SUSECVE-2025-38601 at NVDCVE-2025-38602 at SUSECVE-2025-38602 at NVDCVE-2025-38604 at SUSECVE-2025-38604 at NVDCVE-2025-38605 at SUSECVE-2025-38605 at NVDCVE-2025-38608 at SUSECVE-2025-38608 at NVDCVE-2025-38609 at SUSECVE-2025-38609 at NVDCVE-2025-38610 at SUSECVE-2025-38610 at NVDCVE-2025-38612 at SUSECVE-2025-38612 at NVDCVE-2025-38614 at SUSECVE-2025-38614 at NVDCVE-2025-38616 at SUSECVE-2025-38616 at NVDCVE-2025-38617 at SUSECVE-2025-38617 at NVDCVE-2025-38618 at SUSECVE-2025-38618 at NVDCVE-2025-38619 at SUSECVE-2025-38619 at NVDCVE-2025-38621 at SUSECVE-2025-38621 at NVDCVE-2025-38622 at SUSECVE-2025-38622 at NVDCVE-2025-38623 at SUSECVE-2025-38623 at NVDCVE-2025-38624 at SUSECVE-2025-38624 at NVDCVE-2025-38628 at SUSECVE-2025-38628 at NVDCVE-2025-38630 at SUSECVE-2025-38630 at NVDCVE-2025-38631 at SUSECVE-2025-38631 at NVDCVE-2025-38632 at SUSECVE-2025-38632 at NVDCVE-2025-38634 at SUSECVE-2025-38634 at NVDCVE-2025-38635 at SUSECVE-2025-38635 at NVDCVE-2025-38639 at SUSECVE-2025-38639 at NVDCVE-2025-38640 at SUSECVE-2025-38640 at NVDCVE-2025-38643 at SUSECVE-2025-38643 at NVDCVE-2025-38644 at SUSECVE-2025-38644 at NVDCVE-2025-38646 at SUSECVE-2025-38646 at NVDCVE-2025-38648 at SUSECVE-2025-38648 at NVDCVE-2025-38656 at SUSECVE-2025-38656 at NVDCVE-2025-38658 at SUSECVE-2025-38658 at NVDCVE-2025-38659 at SUSECVE-2025-38659 at NVDCVE-2025-38660 at SUSECVE-2025-38660 at NVDCVE-2025-38662 at SUSECVE-2025-38662 at NVDCVE-2025-38664 at SUSECVE-2025-38664 at NVDCVE-2025-38665 at SUSECVE-2025-38665 at NVDCVE-2025-38668 at SUSECVE-2025-38668 at NVDCVE-2025-38670 at SUSECVE-2025-38670 at NVDCVE-2025-38671 at SUSECVE-2025-38671 at NVDCVE-2025-38676 at SUSECVE-2025-38676 at NVDCVE-2025-38678 at SUSECVE-2025-38678 at NVDCVE-2025-38679 at SUSECVE-2025-38679 at NVDCVE-2025-38680 at SUSECVE-2025-38680 at NVDCVE-2025-38681 at SUSECVE-2025-38681 at NVDCVE-2025-38683 at SUSECVE-2025-38683 at NVDCVE-2025-38684 at SUSECVE-2025-38684 at NVDCVE-2025-38685 at SUSECVE-2025-38685 at NVDCVE-2025-38686 at SUSECVE-2025-38686 at NVDCVE-2025-38687 at SUSECVE-2025-38687 at NVDCVE-2025-38691 at SUSECVE-2025-38691 at NVDCVE-2025-38692 at SUSECVE-2025-38692 at NVDCVE-2025-38693 at SUSECVE-2025-38693 at NVDCVE-2025-38694 at SUSECVE-2025-38694 at NVDCVE-2025-38695 at SUSECVE-2025-38695 at NVDCVE-2025-38700 at SUSECVE-2025-38700 at NVDCVE-2025-38701 at SUSECVE-2025-38701 at NVDCVE-2025-38702 at SUSECVE-2025-38702 at NVDCVE-2025-38703 at SUSECVE-2025-38703 at NVDCVE-2025-38705 at SUSECVE-2025-38705 at NVDCVE-2025-38706 at SUSECVE-2025-38706 at NVDCVE-2025-38709 at SUSECVE-2025-38709 at NVDCVE-2025-38710 at SUSECVE-2025-38710 at NVDCVE-2025-38717 at SUSECVE-2025-38717 at NVDCVE-2025-38721 at SUSECVE-2025-38721 at NVDCVE-2025-38722 at SUSECVE-2025-38722 at NVDCVE-2025-38724 at SUSECVE-2025-38724 at NVDCVE-2025-38725 at SUSECVE-2025-38725 at NVDCVE-2025-38727 at SUSECVE-2025-38727 at NVDCVE-2025-38729 at SUSECVE-2025-38729 at NVDCVE-2025-38730 at SUSECVE-2025-38730 at NVDCVE-2025-38732 at SUSECVE-2025-38732 at NVDCVE-2025-38733 at SUSECVE-2025-38733 at NVDCVE-2025-38734 at SUSECVE-2025-38734 at NVDCVE-2025-38735 at SUSECVE-2025-38735 at NVDCVE-2025-38736 at SUSECVE-2025-38736 at NVDCVE-2025-39673 at SUSECVE-2025-39673 at NVDCVE-2025-39675 at SUSECVE-2025-39675 at NVDCVE-2025-39677 at SUSECVE-2025-39677 at NVDCVE-2025-39678 at SUSECVE-2025-39678 at NVDCVE-2025-39679 at SUSECVE-2025-39679 at NVDCVE-2025-39681 at SUSECVE-2025-39681 at NVDCVE-2025-39682 at SUSECVE-2025-39682 at NVDCVE-2025-39683 at SUSECVE-2025-39683 at NVDCVE-2025-39684 at SUSECVE-2025-39684 at NVDCVE-2025-39685 at SUSECVE-2025-39685 at NVDCVE-2025-39686 at SUSECVE-2025-39686 at NVDCVE-2025-39687 at SUSECVE-2025-39687 at NVDCVE-2025-39691 at SUSECVE-2025-39691 at NVDCVE-2025-39693 at SUSECVE-2025-39693 at NVDCVE-2025-39694 at SUSECVE-2025-39694 at NVDCVE-2025-39695 at SUSECVE-2025-39695 at NVDCVE-2025-39697 at SUSECVE-2025-39697 at NVDCVE-2025-39698 at SUSECVE-2025-39698 at NVDCVE-2025-39700 at SUSECVE-2025-39700 at NVDCVE-2025-39701 at SUSECVE-2025-39701 at NVDCVE-2025-39703 at SUSECVE-2025-39703 at NVDCVE-2025-39705 at SUSECVE-2025-39705 at NVDCVE-2025-39706 at SUSECVE-2025-39706 at NVDCVE-2025-39707 at SUSECVE-2025-39707 at NVDCVE-2025-39709 at SUSECVE-2025-39709 at NVDCVE-2025-39710 at SUSECVE-2025-39710 at NVDCVE-2025-39711 at SUSECVE-2025-39711 at NVDCVE-2025-39712 at SUSECVE-2025-39712 at NVDCVE-2025-39713 at SUSECVE-2025-39713 at NVDCVE-2025-39714 at SUSECVE-2025-39714 at NVDCVE-2025-39718 at SUSECVE-2025-39718 at NVDCVE-2025-39719 at SUSECVE-2025-39719 at NVDCVE-2025-39721 at SUSECVE-2025-39721 at NVDCVE-2025-39722 at SUSECVE-2025-39722 at NVDCVE-2025-39723 at SUSECVE-2025-39723 at NVDCVE-2025-39724 at SUSECVE-2025-39724 at NVDCVE-2025-39726 at SUSECVE-2025-39726 at NVDCVE-2025-39727 at SUSECVE-2025-39727 at NVDCVE-2025-39730 at SUSECVE-2025-39730 at NVDCVE-2025-39732 at SUSECVE-2025-39732 at NVDCVE-2025-39738 at SUSECVE-2025-39738 at NVDCVE-2025-39739 at SUSECVE-2025-39739 at NVDCVE-2025-39742 at SUSECVE-2025-39742 at NVDCVE-2025-39744 at SUSECVE-2025-39744 at NVDCVE-2025-39746 at SUSECVE-2025-39746 at NVDCVE-2025-39747 at SUSECVE-2025-39747 at NVDCVE-2025-39748 at SUSECVE-2025-39748 at NVDCVE-2025-39749 at SUSECVE-2025-39749 at NVDCVE-2025-39750 at SUSECVE-2025-39750 at NVDCVE-2025-39751 at SUSECVE-2025-39751 at NVDCVE-2025-39754 at SUSECVE-2025-39754 at NVDCVE-2025-39757 at SUSECVE-2025-39757 at NVDCVE-2025-39758 at SUSECVE-2025-39758 at NVDCVE-2025-39759 at SUSECVE-2025-39759 at NVDCVE-2025-39760 at SUSECVE-2025-39760 at NVDCVE-2025-39761 at SUSECVE-2025-39761 at NVDCVE-2025-39763 at SUSECVE-2025-39763 at NVDCVE-2025-39764 at SUSECVE-2025-39764 at NVDCVE-2025-39765 at SUSECVE-2025-39765 at NVDCVE-2025-39766 at SUSECVE-2025-39766 at NVDCVE-2025-39770 at SUSECVE-2025-39770 at NVDCVE-2025-39772 at SUSECVE-2025-39772 at NVDCVE-2025-39773 at SUSECVE-2025-39773 at NVDCVE-2025-39775 at SUSECVE-2025-39775 at NVDCVE-2025-39782 at SUSECVE-2025-39782 at NVDCVE-2025-39783 at SUSECVE-2025-39783 at NVDCVE-2025-39787 at SUSECVE-2025-39787 at NVDCVE-2025-39788 at SUSECVE-2025-39788 at NVDCVE-2025-39790 at SUSECVE-2025-39790 at NVDCVE-2025-39791 at SUSECVE-2025-39791 at NVDCVE-2025-39792 at SUSECVE-2025-39792 at NVDCVE-2025-39797 at SUSECVE-2025-39797 at NVDCVE-2025-39798 at SUSECVE-2025-39798 at NVDCVE-2025-39800 at SUSECVE-2025-39800 at NVDCVE-2025-39801 at SUSECVE-2025-39801 at NVDCVE-2025-39806 at SUSECVE-2025-39806 at NVDCVE-2025-39807 at SUSECVE-2025-39807 at NVDCVE-2025-39808 at SUSECVE-2025-39808 at NVDCVE-2025-39810 at SUSECVE-2025-39810 at NVDCVE-2025-39811 at SUSECVE-2025-39811 at NVDCVE-2025-39813 at SUSECVE-2025-39813 at NVDCVE-2025-39816 at SUSECVE-2025-39816 at NVDCVE-2025-39823 at SUSECVE-2025-39823 at NVDCVE-2025-39824 at SUSECVE-2025-39824 at NVDCVE-2025-39825 at SUSECVE-2025-39825 at NVDCVE-2025-39826 at SUSECVE-2025-39826 at NVDCVE-2025-39827 at SUSECVE-2025-39827 at NVDCVE-2025-39828 at SUSECVE-2025-39828 at NVDCVE-2025-39830 at SUSECVE-2025-39830 at NVDCVE-2025-39832 at SUSECVE-2025-39832 at NVDCVE-2025-39833 at SUSECVE-2025-39833 at NVDCVE-2025-39834 at SUSECVE-2025-39834 at NVDCVE-2025-39835 at SUSECVE-2025-39835 at NVDCVE-2025-39836 at SUSECVE-2025-39836 at NVDCVE-2025-39838 at SUSECVE-2025-39838 at NVDCVE-2025-39839 at SUSECVE-2025-39839 at NVDCVE-2025-39841 at SUSECVE-2025-39841 at NVDCVE-2025-39842 at SUSECVE-2025-39842 at NVDCVE-2025-39844 at SUSECVE-2025-39844 at NVDCVE-2025-39845 at SUSECVE-2025-39845 at NVDCVE-2025-39847 at SUSECVE-2025-39847 at NVDCVE-2025-39848 at SUSECVE-2025-39848 at NVDCVE-2025-39849 at SUSECVE-2025-39849 at NVDCVE-2025-39850 at SUSECVE-2025-39850 at NVDCVE-2025-39851 at SUSECVE-2025-39851 at NVDCVE-2025-39852 at SUSECVE-2025-39852 at NVDCVE-2025-39853 at SUSECVE-2025-39853 at NVDCVE-2025-39854 at SUSECVE-2025-39854 at NVDCVE-2025-39857 at SUSECVE-2025-39857 at NVDCVE-2025-39860 at SUSECVE-2025-39860 at NVDCVE-2025-39861 at SUSECVE-2025-39861 at NVDCVE-2025-39863 at SUSECVE-2025-39863 at NVDCVE-2025-39864 at SUSECVE-2025-39864 at NVDCVE-2025-39865 at SUSECVE-2025-39865 at NVDCVE-2025-39869 at SUSECVE-2025-39869 at NVDCVE-2025-39870 at SUSECVE-2025-39870 at NVDCVE-2025-39871 at SUSECVE-2025-39871 at NVDCVE-2025-39873 at SUSECVE-2025-39873 at NVDCVE-2025-39875 at SUSECVE-2025-39875 at NVDCVE-2025-39877 at SUSECVE-2025-39877 at NVDCVE-2025-39882 at SUSECVE-2025-39882 at NVDCVE-2025-39884 at SUSECVE-2025-39884 at NVDCVE-2025-39885 at SUSECVE-2025-39885 at NVDCVE-2025-39889 at SUSECVE-2025-39889 at NVDCVE-2025-39890 at SUSECVE-2025-39890 at NVDCVE-2025-39891 at SUSECVE-2025-39891 at NVDCVE-2025-39896 at SUSECVE-2025-39896 at NVDCVE-2025-39898 at SUSECVE-2025-39898 at NVDCVE-2025-39899 at SUSECVE-2025-39899 at NVDCVE-2025-39900 at SUSECVE-2025-39900 at NVDCVE-2025-39902 at SUSECVE-2025-39902 at NVDCVE-2025-39907 at SUSECVE-2025-39907 at NVDCVE-2025-39909 at SUSECVE-2025-39909 at NVDCVE-2025-39916 at SUSECVE-2025-39916 at NVDCVE-2025-39918 at SUSECVE-2025-39918 at NVDCVE-2025-39922 at SUSECVE-2025-39922 at NVDCVE-2025-39923 at SUSECVE-2025-39923 at NVDCVE-2025-39925 at SUSECVE-2025-39925 at NVDCVE-2025-39926 at SUSECVE-2025-39926 at NVDCVE-2025-39931 at SUSECVE-2025-39931 at NVDCVE-2025-39934 at SUSECVE-2025-39934 at NVDCVE-2025-39937 at SUSECVE-2025-39937 at NVDCVE-2025-39938 at SUSECVE-2025-39938 at NVDCVE-2025-39945 at SUSECVE-2025-39945 at NVDCVE-2025-39946 at SUSECVE-2025-39946 at NVDCVE-2025-39952 at SUSECVE-2025-39952 at NVDCVE-2025-39957 at SUSECVE-2025-39957 at NVDCVE-2025-40300 at SUSECVE-2025-40300 at NVDSecurity update for lasso (Critical)openSUSE Leap 16.0
This update for lasso fixes the following issues:
- CVE-2025-46404: specially crafted SAML response can lead to a denial of service (bsc#1253092).
- CVE-2025-46705: specially crafted SAML assertion response can lead to a denial of service (bsc#1253093).
- CVE-2025-47151: type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality can lead to
an arbitrary code execution (bsc#1253095).
CriticalSUSE bug 1253092SUSE bug 1253093SUSE bug 1253095CVE-2025-46404 at SUSECVE-2025-46404 at NVDCVE-2025-46705 at SUSECVE-2025-46705 at NVDCVE-2025-47151 at SUSECVE-2025-47151 at NVDSecurity update for mysql-connector-java (Important)openSUSE Leap 16.0
This update for mysql-connector-java fixes the following issues:
- Upgrade to Version 9.3.0
- CVE-2025-30706: Fixed Connector/J vulnerability (bsc#1241693)
- Updatable ResultSet fails with 'Parameter index out of range'.
- Fixed Resultset UPDATE methods not checking validity of ResultSet.
- DatabaseMetaData clean up.
- Fixed implement missing methods in DatabaseMetaDataUsingInfoSchema.
- Fixed procedure execution failing when the parameter name contains escape character.
- Fixed allow only Krb5LoginModule in Kerberos authentication.
- Fixed EXECUTE on CallableStatement resulting in ArrayIndexOutOfBoundsException.
- Mysql connector use an uneffective way to match numericValue.
- Fixed parameter index validation not proper in CallableStatement
ImportantSUSE bug 1241693CVE-2025-30706 at SUSECVE-2025-30706 at NVDSecurity update for curl (Important)openSUSE Leap 16.0
This update for curl fixes the following issues:
- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
- CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757)
- CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348)
Other fixes:
- tool_operate: fix return code when --retry is used but not
triggered (bsc#1249367)
ImportantSUSE bug 1249191SUSE bug 1249348SUSE bug 1249367SUSE bug 1253757CVE-2025-10148 at SUSECVE-2025-10148 at NVDCVE-2025-11563 at SUSECVE-2025-11563 at NVDCVE-2025-9086 at SUSECVE-2025-9086 at NVDSecurity update for the Linux Kernel (Important)openSUSE Leap 16.0
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2025-21816: hrtimers: Force migrate away hrtimers queued after (bsc#1238472).
- CVE-2025-38653: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al (bsc#1248630).
- CVE-2025-38718: sctp: linearize cloned gso packets in sctp_rcv (bsc#1249161).
- CVE-2025-39676: scsi: qla4xxx: Prevent a potential error pointer dereference (bsc#1249302).
- CVE-2025-39702: ipv6: sr: Fix MAC comparison to be constant-time (bsc#1249317).
- CVE-2025-39756: fs: Prevent file descriptor table allocations exceeding INT_MAX (bsc#1249512).
- CVE-2025-39779: btrfs: subpage: keep TOWRITE tag until folio is cleaned (bsc#1249495).
- CVE-2025-39812: sctp: initialize more fields in sctp_v6_from_sk() (bsc#1250202).
- CVE-2025-39866: fs: writeback: fix use-after-free in __mark_inode_dirty() (bsc#1250455).
- CVE-2025-39876: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() (bsc#1250400).
- CVE-2025-39881: kernfs: Fix UAF in polling when open file is released (bsc#1250379).
- CVE-2025-39895: sched: Fix sched_numa_find_nth_cpu() if mask offline (bsc#1250721).
- CVE-2025-39903: of_numa: fix uninitialized memory nodes causing kernel panic (bsc#1250749).
- CVE-2025-39911: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (bsc#1250704).
- CVE-2025-39947: net/mlx5e: Harden uplink netdev access against device unbind (bsc#1251232).
- CVE-2025-39948: ice: fix Rx page leak on multi-buffer frames (bsc#1251233).
- CVE-2025-39949: qed: Don't collect too many protection override GRC elements (bsc#1251177).
- CVE-2025-39950: net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR (bsc#1251176).
- CVE-2025-39955: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect() (bsc#1251804).
- CVE-2025-39956: igc: don't fail igc_probe() on LED setup error (bsc#1251809).
- CVE-2025-39963: io_uring: fix incorrect io_kiocb reference in io_link_skb (bsc#1251819).
- CVE-2025-39968: i40e: add max boundary check for VF filters (bsc#1252047).
- CVE-2025-39969: i40e: fix validation of VF state in get resources (bsc#1252044).
- CVE-2025-39970: i40e: fix input validation logic for action_meta (bsc#1252051).
- CVE-2025-39971: i40e: fix idx validation in config queues msg (bsc#1252052).
- CVE-2025-39972: i40e: fix idx validation in i40e_validate_queue_map (bsc#1252039).
- CVE-2025-39973: i40e: add validation for ring_len param (bsc#1252035).
- CVE-2025-39978: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() (bsc#1252069).
- CVE-2025-39979: net/mlx5: fs, add API for sharing HWS action by refcount (bsc#1252067).
- CVE-2025-39984: net: tun: Update napi->skb after XDP process (bsc#1252081).
- CVE-2025-39992: mm: swap: check for stable address space before operating on the VMA (bsc#1252076).
- CVE-2025-40000: wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() (bsc#1252062).
- CVE-2025-40005: spi: cadence-quadspi: Implement refcount to handle unbind during busy (bsc#1252349).
- CVE-2025-40012: net/smc: fix warning in smc_rx_splice() when calling get_page() (bsc#1252330).
- CVE-2025-40018: ipvs: Defer ip_vs_ftp unregister during netns cleanup (bsc#1252688).
- CVE-2025-40040: mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1252780).
- CVE-2025-40051: vhost: vringh: Modify the return value check (bsc#1252858).
- CVE-2025-40056: vhost: vringh: Fix copy_to_iter return value check (bsc#1252826).
- CVE-2025-40060: coresight: trbe: Return NULL pointer for allocation failures (bsc#1252848).
- CVE-2025-40078: bpf: Explicitly check accesses to bpf_sock_addr (bsc#1252789).
- CVE-2025-40080: nbd: restrict sockets to TCP and UDP (bsc#1252774).
- CVE-2025-40100: btrfs: do not assert we found block group item when creating free space tree (bsc#1252918).
The following non security issues were fixed:
- add bug reference to existing hv_netvsc change (bsc#1252265)
- amd-pstate-ut: Reset amd-pstate driver mode after running selftests (bsc#1249226).
- cgroup/cpuset: Remove remote_partition_check() & make update_cpumasks_hier() handle remote partition (bsc#1241166).
- cpuset: Use new excpus for nocpu error check when enabling root partition (bsc#1241166).
- cpuset: fix failure to enable isolated partition when containing isolcpus (bsc#1241166).
- doc/README.SUSE: Correct the character used for TAINT_NO_SUPPORT
The character was previously 'N', but upstream used it for TAINT_TEST,
which prompted the change of TAINT_NO_SUPPORT to 'n'.
- dpll: zl3073x: Add firmware loading functionality (bsc#1252253).
- dpll: zl3073x: Add functions to access hardware registers (bsc#1252253).
- dpll: zl3073x: Add low-level flash functions (bsc#1252253).
- dpll: zl3073x: Add support to get fractional frequency offset (bsc#1252253).
- dpll: zl3073x: Add support to get phase offset on connected input pin (bsc#1252253).
- dpll: zl3073x: Add support to get/set esync on pins (bsc#1252253).
- dpll: zl3073x: Fix double free in zl3073x_devlink_flash_update() (bsc#1252253).
- dpll: zl3073x: Handle missing or corrupted flash configuration (bsc#1252253).
- dpll: zl3073x: Implement devlink flash callback (bsc#1252253).
- dpll: zl3073x: Increase maximum size of flash utility (bsc#1252253).
- dpll: zl3073x: Refactor DPLL initialization (bsc#1252253).
- drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() (git-fixes).
- drm/xe/guc: Prepare GuC register list and update ADS size for error capture (stable-fixes).
- ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd (bsc#1247222).
- ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation (bsc#1247222).
- ixgbevf: fix getting link speed data for E610 devices (bsc#1247222).
- ixgbevf: fix mailbox API compatibility by negotiating supported features (bsc#1247222).
- kbuild/modfinal: Link livepatches with module-common.o (bsc#1218644, bsc#1252270).
- kdb: Replace deprecated strcpy() with memmove() in vkdb_printf() (bsc#1252939).
- kernel-subpackage-spec: Do not doubly-sign modules (bsc#1251930).
- nvme-auth: update sc_c in host response (git-fixes bsc#1249397).
- perf hwmon_pmu: Fix uninitialized variable warning (perf-sle16-v6.13-userspace-update, git-fixes).
- phy: cadence: cdns-dphy: Update calibration wait time for startup state machine (git-fixes).
- powerpc/fadump: skip parameter area allocation when fadump is disabled (jsc#PED-9891 git-fixes).
- proc: fix missing pde_set_flags() for net proc files (bsc#1248630)
- proc: fix type confusion in pde_set_flags() (bsc#1248630)
- rpm/check-for-config-changes: ignore CONFIG_SCHED_PROXY_EXEC, too (bsc#1250946)
- scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267).
- x86/microcode/AMD: Limit Entrysign signature checking to known generations (bsc#1252725).
- x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID (bsc#1252734).
- x86/resctrl: Refactor resctrl_arch_rmid_read() (bsc#1252734).
- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (jsc#PED-348).
ImportantSUSE bug 1218644SUSE bug 1238472SUSE bug 1239206SUSE bug 1241166SUSE bug 1241637SUSE bug 1247222SUSE bug 1248630SUSE bug 1249161SUSE bug 1249226SUSE bug 1249302SUSE bug 1249317SUSE bug 1249397SUSE bug 1249398SUSE bug 1249495SUSE bug 1249512SUSE bug 1249608SUSE bug 1249735SUSE bug 1250202SUSE bug 1250379SUSE bug 1250400SUSE bug 1250455SUSE bug 1250491SUSE bug 1250704SUSE bug 1250721SUSE bug 1250749SUSE bug 1250946SUSE bug 1251176SUSE bug 1251177SUSE bug 1251232SUSE bug 1251233SUSE bug 1251804SUSE bug 1251809SUSE bug 1251819SUSE bug 1251930SUSE bug 1251967SUSE bug 1252033SUSE bug 1252035SUSE bug 1252039SUSE bug 1252044SUSE bug 1252047SUSE bug 1252051SUSE bug 1252052SUSE bug 1252056SUSE bug 1252060SUSE bug 1252062SUSE bug 1252064SUSE bug 1252065SUSE bug 1252067SUSE bug 1252069SUSE bug 1252070SUSE bug 1252072SUSE bug 1252074SUSE bug 1252075SUSE bug 1252076SUSE bug 1252078SUSE bug 1252079SUSE bug 1252081SUSE bug 1252082SUSE bug 1252083SUSE bug 1252253SUSE bug 1252265SUSE bug 1252267SUSE bug 1252270SUSE bug 1252330SUSE bug 1252333SUSE bug 1252336SUSE bug 1252346SUSE bug 1252348SUSE bug 1252349SUSE bug 1252678SUSE bug 1252679SUSE bug 1252688SUSE bug 1252725SUSE bug 1252734SUSE bug 1252772SUSE bug 1252774SUSE bug 1252780SUSE bug 1252785SUSE bug 1252787SUSE bug 1252789SUSE bug 1252797SUSE bug 1252819SUSE bug 1252822SUSE bug 1252826SUSE bug 1252841SUSE bug 1252848SUSE bug 1252849SUSE bug 1252850SUSE bug 1252851SUSE bug 1252854SUSE bug 1252858SUSE bug 1252862SUSE bug 1252865SUSE bug 1252866SUSE bug 1252873SUSE bug 1252902SUSE bug 1252909SUSE bug 1252915SUSE bug 1252918SUSE bug 1252921SUSE bug 1252939CVE-2025-21816 at SUSECVE-2025-21816 at NVDCVE-2025-38653 at SUSECVE-2025-38653 at NVDCVE-2025-38718 at SUSECVE-2025-38718 at NVDCVE-2025-39676 at SUSECVE-2025-39676 at NVDCVE-2025-39702 at SUSECVE-2025-39702 at NVDCVE-2025-39756 at SUSECVE-2025-39756 at NVDCVE-2025-39779 at SUSECVE-2025-39779 at NVDCVE-2025-39797 at SUSECVE-2025-39797 at NVDCVE-2025-39812 at SUSECVE-2025-39812 at NVDCVE-2025-39866 at SUSECVE-2025-39866 at NVDCVE-2025-39876 at SUSECVE-2025-39876 at NVDCVE-2025-39881 at SUSECVE-2025-39881 at NVDCVE-2025-39895 at SUSECVE-2025-39895 at NVDCVE-2025-39903 at SUSECVE-2025-39903 at NVDCVE-2025-39911 at SUSECVE-2025-39911 at NVDCVE-2025-39947 at SUSECVE-2025-39947 at NVDCVE-2025-39948 at SUSECVE-2025-39948 at NVDCVE-2025-39949 at SUSECVE-2025-39949 at NVDCVE-2025-39950 at SUSECVE-2025-39950 at NVDCVE-2025-39955 at SUSECVE-2025-39955 at NVDCVE-2025-39956 at SUSECVE-2025-39956 at NVDCVE-2025-39963 at SUSECVE-2025-39963 at NVDCVE-2025-39965 at SUSECVE-2025-39965 at NVDCVE-2025-39967 at SUSECVE-2025-39967 at NVDCVE-2025-39968 at SUSECVE-2025-39968 at NVDCVE-2025-39969 at SUSECVE-2025-39969 at NVDCVE-2025-39970 at SUSECVE-2025-39970 at NVDCVE-2025-39971 at SUSECVE-2025-39971 at NVDCVE-2025-39972 at SUSECVE-2025-39972 at NVDCVE-2025-39973 at SUSECVE-2025-39973 at NVDCVE-2025-39978 at SUSECVE-2025-39978 at NVDCVE-2025-39979 at SUSECVE-2025-39979 at NVDCVE-2025-39981 at SUSECVE-2025-39981 at NVDCVE-2025-39982 at SUSECVE-2025-39982 at NVDCVE-2025-39984 at SUSECVE-2025-39984 at NVDCVE-2025-39985 at SUSECVE-2025-39985 at NVDCVE-2025-39986 at SUSECVE-2025-39986 at NVDCVE-2025-39987 at SUSECVE-2025-39987 at NVDCVE-2025-39988 at SUSECVE-2025-39988 at NVDCVE-2025-39991 at SUSECVE-2025-39991 at NVDCVE-2025-39992 at SUSECVE-2025-39992 at NVDCVE-2025-39993 at SUSECVE-2025-39993 at NVDCVE-2025-39994 at SUSECVE-2025-39994 at NVDCVE-2025-39995 at SUSECVE-2025-39995 at NVDCVE-2025-39996 at SUSECVE-2025-39996 at NVDCVE-2025-39997 at SUSECVE-2025-39997 at NVDCVE-2025-40000 at SUSECVE-2025-40000 at NVDCVE-2025-40005 at SUSECVE-2025-40005 at NVDCVE-2025-40009 at SUSECVE-2025-40009 at NVDCVE-2025-40011 at SUSECVE-2025-40011 at NVDCVE-2025-40012 at SUSECVE-2025-40012 at NVDCVE-2025-40013 at SUSECVE-2025-40013 at NVDCVE-2025-40016 at SUSECVE-2025-40016 at NVDCVE-2025-40018 at SUSECVE-2025-40018 at NVDCVE-2025-40019 at SUSECVE-2025-40019 at NVDCVE-2025-40020 at SUSECVE-2025-40020 at NVDCVE-2025-40029 at SUSECVE-2025-40029 at NVDCVE-2025-40032 at SUSECVE-2025-40032 at NVDCVE-2025-40035 at SUSECVE-2025-40035 at NVDCVE-2025-40036 at SUSECVE-2025-40036 at NVDCVE-2025-40037 at SUSECVE-2025-40037 at NVDCVE-2025-40040 at SUSECVE-2025-40040 at NVDCVE-2025-40043 at SUSECVE-2025-40043 at NVDCVE-2025-40044 at SUSECVE-2025-40044 at NVDCVE-2025-40048 at SUSECVE-2025-40048 at NVDCVE-2025-40049 at SUSECVE-2025-40049 at NVDCVE-2025-40051 at SUSECVE-2025-40051 at NVDCVE-2025-40052 at SUSECVE-2025-40052 at NVDCVE-2025-40056 at SUSECVE-2025-40056 at NVDCVE-2025-40058 at SUSECVE-2025-40058 at NVDCVE-2025-40060 at SUSECVE-2025-40060 at NVDCVE-2025-40061 at SUSECVE-2025-40061 at NVDCVE-2025-40062 at SUSECVE-2025-40062 at NVDCVE-2025-40071 at SUSECVE-2025-40071 at NVDCVE-2025-40078 at SUSECVE-2025-40078 at NVDCVE-2025-40080 at SUSECVE-2025-40080 at NVDCVE-2025-40085 at SUSECVE-2025-40085 at NVDCVE-2025-40087 at SUSECVE-2025-40087 at NVDCVE-2025-40091 at SUSECVE-2025-40091 at NVDCVE-2025-40096 at SUSECVE-2025-40096 at NVDCVE-2025-40100 at SUSECVE-2025-40100 at NVDCVE-2025-40104 at SUSECVE-2025-40104 at NVDCVE-2025-40364 at SUSECVE-2025-40364 at NVDSecurity update for xwayland (Important)openSUSE Leap 16.0
This update for xwayland fixes the following issues:
- CVE-2025-62229: Fixed use-after-free in XPresentNotify structures creation (bsc#1251958).
- CVE-2025-62230: Fixed use-after-free in Xkb client resource removal (bsc#1251959).
- CVE-2025-62231: Fixed value overflow in Xkb extension XkbSetCompatMap() (bsc#1251960).
ImportantSUSE bug 1251958SUSE bug 1251959SUSE bug 1251960CVE-2025-62229 at SUSECVE-2025-62229 at NVDCVE-2025-62230 at SUSECVE-2025-62230 at NVDCVE-2025-62231 at SUSECVE-2025-62231 at NVDSecurity update for libvirt (Moderate)openSUSE Leap 16.0
This update for libvirt fixes the following issues:
- CVE-2025-13193: Fixed Information disclosure via world-readable VM snapshots (bsc#1253703)
- CVE-2025-12748: Fixed Denial of service in XML parsing (bsc#1253278)
Other fixes:
- spec: Adjust dbus dependency (bsc#1253642)
- qemu: Add support for Intel TDX (jsc#PED-9265)
ModerateSUSE bug 1253278SUSE bug 1253642SUSE bug 1253703CVE-2025-12748 at SUSECVE-2025-12748 at NVDCVE-2025-13193 at SUSECVE-2025-13193 at NVDSecurity update for tomcat11 (Important)openSUSE Leap 16.0
This update for tomcat11 fixes the following issues:
Update to Tomcat 11.0.13:
- CVE-2025-55752: Fixed directory traversal via rewrite with possible RCE if PUT is enabled (bsc#1252753).
- CVE-2025-55754: Fixed Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat (bsc#1252905).
- CVE-2025-61795: Fixed temporary copies during the processing of multipart upload can lead to a denial of service (bsc#1252756).
ImportantSUSE bug 1252753SUSE bug 1252756SUSE bug 1252905CVE-2025-55752 at SUSECVE-2025-55752 at NVDCVE-2025-55754 at SUSECVE-2025-55754 at NVDCVE-2025-61795 at SUSECVE-2025-61795 at NVDSecurity update for dovecot24 (Moderate)openSUSE Leap 16.0
This update for dovecot24 fixes the following issues:
- Update dovecot to 2.4.2:
- CVE-2025-30189: Fixed users cached with same cache key when
auth cache was enabled (bsc#1252839)
- Changes
- auth: Remove proxy_always field.
- config: Change settings history parsing to use python3.
- doveadm: Print table formatter - Print empty values as "-".
- imapc: Propagate remote error codes properly.
- lda: Default mail_home=$HOME environment if not using userdb
lookup
- lib-dcrypt: Salt for new version 2 keys has been increased to
16 bytes.
- lib-dregex: Add libpcre2 based regular expression support to
Dovecot, if the library is missing, disable all regular
expressions. This adds libpcre2-32 as build dependency.
- lib-oauth2: jwt - Allow nbf and iat to point 1 second into
future.
- lib: Replace libicu with our own unicode library. Removes
libicu as build dependency.
- login-common: If proxying fails due to remote having invalid
SSL cert, don't reconnect.
- New features
- auth: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp
fields
- config: Add support for $SET:filter/path/setting.
- config: Improve @group includes to work with overwriting
their settings.
- doveadm kick: Add support for kicking multiple usernames
- doveadm mailbox status: Add support for deleted status item.
- imap, imap-client: Add experimental partial IMAP4rev2
support.
- imap: Implement support for UTF8=ACCEPT for APPEND
- lib-oauth2, oauth2: Add oauth2_token_expire_grace setting.
- lmtp: lmtp-client - Support command pipelining.
- login-common: Support local/remote blocks better.
- master: accept() unix/inet connections before creating child
process to handle it. This reduces timeouts when child
processes are slow to spawn themselves.
- Bug fixes
- SMTPUTF8 was accepted even when it wasn't enabled.
- auth, *-login: Direct logging with -L parameter was not
working.
- auth: Crash occured when OAUTH token validation failed with
oauth2_use_worker_with_mech=yes.
- auth: Invalid field handling crashes were fixed.
- auth: ldap - Potential crash could happen at deinit.
- auth: mech-gssapi - Server sending empty initial response
would cause errors.
- auth: mech-winbind - GSS-SPNEGO mechanism was erroneously
marked as
- not accepting NUL.
- config: Multiple issues with $SET handling has been fixed.
- configure: Building without LDAP didn't work.
- doveadm: If source user didn't exist, a crash would occur.
- imap, pop3, submission, imap-urlauth: USER environment usage
was broken when running standalone.
- imap-hibernate: Statistics would get truncated on
unhibernation.
- imap: "SEARCH MIMEPART FILENAME ENDS" command could have
accessed memory outside allocated buffer, resulting in a
crash.
- imapc: Fetching partial headers would cause other cached
headers to be cached empty, breaking e.g. imap envelope
responses when caching to disk.
- imapc: Shared namespace's INBOX mailbox was not always
uppercased.
- imapc: imapc_features=guid-forced GUID generation was not
working correctly.
- lda: USER environment was not accepted if -d hasn't been
specified.
- lib-http: http-url - Significant path percent encoding
through parse and create was not preserved. This is mainly
important for Dovecot's Lua bindings for lib-http.
- lib-settings: Crash would occur when using %variables in
SET_FILE type settings.
- lib-storage: Attachment flags were attempted to be added for
readonly mailboxes with mail_attachment_flags=add-flags.
- lib-storage: Root directory for unusable shared namespaces
was unnecessarily attempted to be created.
- lib: Crash would occur when config was reloaded and logging
to syslog.
- login-common: Crash might have occured when login proxy was
destroyed.
- sqlite: The sqlite_journal_mode=wal setting didn't actually
do anything.
- Many other bugs have been fixed.
- Update pigeonhole to 2.4.2
- Changes
- lib-sieve: Use new regular expression library in core.
- managesieve: Add default
service_extra_groups=$SET:default_internal_group.
- New features
- lib-sieve: Add support for "extlists" extension.
- lib-sieve: regex - Allow unicode comparator.
- Bug fixes
- lib-sieve-tool: sieve-tool - All sieve_script settings were
overriden.
- lib-sieve: storage: dict: sieve_script_dict filter was
missing from settings.
- sieve-ldap-storage: Fix compile without LDAP.
ModerateSUSE bug 1252839CVE-2025-30189 at SUSECVE-2025-30189 at NVDSecurity update for himmelblau (Important)openSUSE Leap 16.0
This update for himmelblau fixes the following issues:
- Update to version 0.9.23+git.0.9776141:
* CVE-2025-59044: Fixed GID collision of same-name groups allowing privilege escalation (bsc#1250687)
* deps(rust): bump the all-cargo-updates group
* CVE-2025-58160: tracing-subscriber: Fixed log pollution (bsc#1249013)
ImportantSUSE bug 1249013SUSE bug 1250687CVE-2025-58160 at SUSECVE-2025-58160 at NVDCVE-2025-59044 at SUSECVE-2025-59044 at NVDSecurity update for openssh (Moderate)openSUSE Leap 16.0
This update for openssh fixes the following issues:
- CVE-2025-61984: code execution via control characters in usernames when a ProxyCommand is used (bsc#1251198).
- CVE-2025-61985: code execution via '\0' character in ssh:// URI when a ProxyCommand is used (bsc#1251199).
ModerateSUSE bug 1251198SUSE bug 1251199CVE-2025-61984 at SUSECVE-2025-61984 at NVDCVE-2025-61985 at SUSECVE-2025-61985 at NVDSecurity update for java-21-openjdk (Important)openSUSE Leap 16.0
This update for java-21-openjdk fixes the following issues:
Update to upstream tag jdk-21.0.9+10 (October 2025 CPU):
- CVE-2025-53066: Fixed enhance path factories (bsc#1252417).
- CVE-2025-61748: Fixed enhance string handling (bsc#1252418).
- CVE-2025-53057: Fixed enhance certificate handling (bsc#1252414).
Other bug fixes:
- Do not embed rebuild counter (bsc#1246806)
ImportantSUSE bug 1246806SUSE bug 1252414SUSE bug 1252417SUSE bug 1252418CVE-2025-53057 at SUSECVE-2025-53057 at NVDCVE-2025-53066 at SUSECVE-2025-53066 at NVDCVE-2025-61748 at SUSECVE-2025-61748 at NVDSecurity update for java-17-openjdk (Important)openSUSE Leap 16.0
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.17+10 (October 2025 CPU):
- CVE-2025-53066: Fixed enhance path factories (bsc#1252417).
- CVE-2025-53057: Fixed enhance certificate handling (bsc#1252414).
Other bug fixes:
- Do not embed rebuild counter (bsc#1246806).
ImportantSUSE bug 1246806SUSE bug 1252414SUSE bug 1252417CVE-2025-53057 at SUSECVE-2025-53057 at NVDCVE-2025-53066 at SUSECVE-2025-53066 at NVDSecurity update for strongswan (Important)openSUSE Leap 16.0
This update for strongswan fixes the following issues:
- CVE-2025-62291: Fixed buffer overflow when handling EAP-MSCHAPv2 failure requests (bsc#1251941).
ImportantSUSE bug 1251941CVE-2025-62291 at SUSECVE-2025-62291 at NVDSecurity update for python-cbor2 (Important)openSUSE Leap 16.0
This update for python-cbor2 fixes the following issues:
- CVE-2025-64076: Fixed bug in decode_definite_long_string() that causes incorrect chunk length calculation (bsc#1253746).
Already fixed in release 5.6.3:
- CVE-2024-26134: Fixed potential crash when hashing a CBORTag (bsc#1220096).
ImportantSUSE bug 1220096SUSE bug 1253746CVE-2024-26134 at SUSECVE-2024-26134 at NVDCVE-2025-64076 at SUSECVE-2025-64076 at NVDSecurity update for mozjs128 (Important)openSUSE Leap 16.0
This update for mozjs128 fixes the following issues:
- Update to version 128.14.0 (bsc#1248162):
+ CVE-2025-9179: Sandbox escape due to invalid pointer in the
Audio/Video: GMP component
+ CVE-2025-9180: Same-origin policy bypass in the Graphics:
Canvas2D component
+ CVE-2025-9181: Uninitialized memory in the JavaScript Engine
component
+ CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27,
Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
- Update to version 128.13.0:
+ CVE-2025-8027: JavaScript engine only wrote partial return
value to stack
+ CVE-2025-8028: Large branch table could lead to truncated
instruction
+ CVE-2025-8029: javascript: URLs executed on object and embed
tags
+ CVE-2025-8030: Potential user-assisted code execution in “Copy
as cURL” command
+ CVE-2025-8031: Incorrect URL stripping in CSP reports
+ CVE-2025-8032: XSLT documents could bypass CSP
+ CVE-2025-8033: Incorrect JavaScript state machine for
generators
+ CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26,
Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
+ CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13,
Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR
140.1, Firefox 141 and Thunderbird 141
- Update to version 128.12.0:
+ CVE-2025-6424: Use-after-free in FontFaceSet
+ CVE-2025-6425: The WebCompat WebExtension shipped with Firefox
exposed a persistent UUID
+ CVE-2025-6426: No warning when opening executable terminal
files on macOS
+ CVE-2025-6429: Incorrect parsing of URLs could have allowed
embedding of youtube.com
+ CVE-2025-6430: Content-Disposition header ignored when a file
is included in an embed or object tag
- Update to version 128.11.0:
+ CVE-2025-5283: Double-free in libvpx encoder
+ CVE-2025-5263: Error handling for script execution was
incorrectly isolated from web content
+ CVE-2025-5264: Potential local code execution in “Copy as cURL”
command
+ CVE-2025-5265: Potential local code execution in “Copy as cURL”
command
+ CVE-2025-5266: Script element events leaked cross-origin
resource status
+ CVE-2025-5267: Clickjacking vulnerability could have led to
leaking saved payment card details
+ CVE-2025-5268: Memory safety bugs fixed in Firefox 139,
Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11
+ CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11
and Thunderbird 128.11
ImportantSUSE bug 1248162CVE-2025-5263 at SUSECVE-2025-5263 at NVDCVE-2025-5264 at SUSECVE-2025-5264 at NVDCVE-2025-5265 at SUSECVE-2025-5265 at NVDCVE-2025-5266 at SUSECVE-2025-5266 at NVDCVE-2025-5267 at SUSECVE-2025-5267 at NVDCVE-2025-5268 at SUSECVE-2025-5268 at NVDCVE-2025-5269 at SUSECVE-2025-5269 at NVDCVE-2025-5283 at SUSECVE-2025-5283 at NVDCVE-2025-6424 at SUSECVE-2025-6424 at NVDCVE-2025-6425 at SUSECVE-2025-6425 at NVDCVE-2025-6426 at SUSECVE-2025-6426 at NVDCVE-2025-6429 at SUSECVE-2025-6429 at NVDCVE-2025-6430 at SUSECVE-2025-6430 at NVDCVE-2025-8027 at SUSECVE-2025-8027 at NVDCVE-2025-8028 at SUSECVE-2025-8028 at NVDCVE-2025-8029 at SUSECVE-2025-8029 at NVDCVE-2025-8030 at SUSECVE-2025-8030 at NVDCVE-2025-8031 at SUSECVE-2025-8031 at NVDCVE-2025-8032 at SUSECVE-2025-8032 at NVDCVE-2025-8033 at SUSECVE-2025-8033 at NVDCVE-2025-8034 at SUSECVE-2025-8034 at NVDCVE-2025-8035 at SUSECVE-2025-8035 at NVDCVE-2025-9179 at SUSECVE-2025-9179 at NVDCVE-2025-9180 at SUSECVE-2025-9180 at NVDCVE-2025-9181 at SUSECVE-2025-9181 at NVDCVE-2025-9185 at SUSECVE-2025-9185 at NVDSecurity update for openexr (Important)openSUSE Leap 16.0
This update for openexr fixes the following issues:
Changes in openexr:
- CVE-2025-12495: Fixed a file parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [bsc#1253714]
- CVE-2025-12839: Fixed a file parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [bsc#1253715]
- CVE-2025-12840: Fixed a file parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [bsc#1253713]
ImportantSUSE bug 1253713SUSE bug 1253714SUSE bug 1253715CVE-2025-12495 at SUSECVE-2025-12495 at NVDCVE-2025-12839 at SUSECVE-2025-12839 at NVDCVE-2025-12840 at SUSECVE-2025-12840 at NVDSecurity update for binutils (Important)openSUSE Leap 16.0
This update for binutils fixes the following issues:
Changes in binutils:
- Update to current 2.45 branch at 94cb1c075 to include fix
for PR33584 (a problem related to LTO vs fortran COMMON
blocks).
- Do not enable '-z gcs=implicit' on aarch64 for old codestreams.
Update to version 2.45:
* New versioned release of libsframe.so.2
* s390: tools now support SFrame format 2; recognize "z17" as CPU
name [bsc#1247105, jsc#IBM-1485]
* sframe sections are now of ELF section type SHT_GNU_SFRAME.
* sframe secions generated by the assembler have
SFRAME_F_FDE_FUNC_START_PCREL set.
* riscv: Support more extensions: standard: Zicfiss v1.0, Zicfilp v1.0,
Zcmp v1.0, Zcmt v1.0, Smrnmi v1.0, S[sm]dbltrp v1.0, S[sm]ctr v1.0,
ssqosid v1.0, ssnpm v1.0, smnpm v1.0, smmpm v1.0, sspm v1.0, supm v1.0,
sha v1.0, zce v1.0, smcdeleg v1.0, ssccfg v1.0, svvptc v1.0, zilsd v1.0,
zclsd v1.0, smrnmi v1.0;
vendor: CORE-V, xcvbitmanip v1.0 and xcvsimd v1.0;
SiFive, xsfvqmaccdod v1.0, xsfvqmaccqoqv1.0 and xsfvfnrclipxfqf v1.0;
T-Head: xtheadvdot v1.0;
MIPS: xmipscbop v1.0, xmipscmov v1.0, xmipsexectl v1.0, xmipslsp v1.0.
* Support RISC-V privileged version 1.13, profiles 20/22/23, and
.bfloat16 directive.
* x86: Add support for these ISAs: Intel Diamond Rapids AMX, MOVRS,
AVX10.2 (including SM4), MSR_IMM; Zhaoxin PadLock PHE2, RNG2, GMI, XMODX.
Drop support for AVX10.2 256 bit rounding.
* arm: Add support for most of Armv9.6, enabled by -march=armv9.6-a and
extensions '+cmpbr', '+f8f16mm', '+f8f32mm', '+fprcvt', '+lsfe', '+lsui',
'+occmo', '+pops', '+sme2p2', '+ssve-aes', '+sve-aes', '+sve-aes2',
'+sve-bfscale', '+sve-f16f32mm' and '+sve2p2'.
* Predefined symbols "GAS(version)" and, on non-release builds, "GAS(date)"
are now being made available.
* Add .errif and .warnif directives.
* linker:
- Add --image-base=<ADDR> option to the ELF linker to behave the same
as -Ttext-segment for compatibility with LLD.
- Add support for mixed LTO and non-LTO codes in relocatable output.
- s390: linker generates .eh_frame and/or .sframe for linker
generated .plt sections by default (can be disabled
by --no-ld-generated-unwind-info).
- riscv: add new PLT formats, and GNU property merge rules for zicfiss
and zicfilp extensions.
- gold is no longer included
- Contains fixes for these non-CVEs (not security bugs per upstreams
SECURITY.md):
* bsc#1236632 aka CVE-2025-0840 aka PR32560
* bsc#1236977 aka CVE-2025-1149 aka PR32576
* bsc#1236978 aka CVE-2025-1148 aka PR32576
* bsc#1236999 aka CVE-2025-1176 aka PR32636
* bsc#1237000 aka CVE-2025-1153 aka PR32603
* bsc#1237001 aka CVE-2025-1152 aka PR32576
* bsc#1237003 aka CVE-2025-1151 aka PR32576
* bsc#1237005 aka CVE-2025-1150 aka PR32576
* bsc#1237018 aka CVE-2025-1178 aka PR32638
* bsc#1237019 aka CVE-2025-1181 aka PR32643
* bsc#1237020 aka CVE-2025-1180 aka PR32642
* bsc#1237021 aka CVE-2025-1179 aka PR32640
* bsc#1237042 aka CVE-2025-1182 aka PR32644
* bsc#1240870 aka CVE-2025-3198 aka PR32716
* bsc#1243756 aka CVE-2025-5244 aka PR32858
* bsc#1243760 aka CVE-2025-5245 aka PR32829
* bsc#1246481 aka CVE-2025-7545 aka PR33049
* bsc#1246486 aka CVE-2025-7546 aka PR33050
* bsc#1247114 aka CVE-2025-8224 aka PR32109
* bsc#1247117 aka CVE-2025-8225 no PR
* bsc#1236976 aka CVE-2025-1147 aka PR32556
* bsc#1250632 aka CVE-2025-11083 aka PR33457
* bsc#1251275 aka CVE-2025-11412 aka PR33452
* bsc#1251276 aka CVE-2025-11413 aka PR33456
* bsc#1251277 aka CVE-2025-11414 aka PR33450
* bsc#1251794 aka CVE-2025-11494 aka PR33499
* bsc#1251795 aka CVE-2025-11495 aka PR33502
binutils-2.43-branch.diff.gz
ImportantSUSE bug 1236632SUSE bug 1236976SUSE bug 1236977SUSE bug 1236978SUSE bug 1236999SUSE bug 1237000SUSE bug 1237001SUSE bug 1237003SUSE bug 1237005SUSE bug 1237018SUSE bug 1237019SUSE bug 1237020SUSE bug 1237021SUSE bug 1237042SUSE bug 1240870SUSE bug 1243756SUSE bug 1243760SUSE bug 1246481SUSE bug 1246486SUSE bug 1247105SUSE bug 1247114SUSE bug 1247117SUSE bug 1250632SUSE bug 1251275SUSE bug 1251276SUSE bug 1251277SUSE bug 1251794SUSE bug 1251795CVE-2025-0840 at SUSECVE-2025-0840 at NVDCVE-2025-11083 at SUSECVE-2025-11083 at NVDCVE-2025-11412 at SUSECVE-2025-11412 at NVDCVE-2025-11413 at SUSECVE-2025-11413 at NVDCVE-2025-11414 at SUSECVE-2025-11414 at NVDCVE-2025-1147 at SUSECVE-2025-1147 at NVDCVE-2025-1148 at SUSECVE-2025-1148 at NVDCVE-2025-1149 at SUSECVE-2025-1149 at NVDCVE-2025-11494 at SUSECVE-2025-11494 at NVDCVE-2025-11495 at SUSECVE-2025-11495 at NVDCVE-2025-1150 at SUSECVE-2025-1150 at NVDCVE-2025-1151 at SUSECVE-2025-1151 at NVDCVE-2025-1152 at SUSECVE-2025-1152 at NVDCVE-2025-1153 at SUSECVE-2025-1153 at NVDCVE-2025-1176 at SUSECVE-2025-1176 at NVDCVE-2025-1178 at SUSECVE-2025-1178 at NVDCVE-2025-1179 at SUSECVE-2025-1179 at NVDCVE-2025-1180 at SUSECVE-2025-1180 at NVDCVE-2025-1181 at SUSECVE-2025-1181 at NVDCVE-2025-1182 at SUSECVE-2025-1182 at NVDCVE-2025-3198 at SUSECVE-2025-3198 at NVDCVE-2025-5244 at SUSECVE-2025-5244 at NVDCVE-2025-5245 at SUSECVE-2025-5245 at NVDCVE-2025-7545 at SUSECVE-2025-7545 at NVDCVE-2025-7546 at SUSECVE-2025-7546 at NVDCVE-2025-8224 at SUSECVE-2025-8224 at NVDCVE-2025-8225 at SUSECVE-2025-8225 at NVDSecurity update for chromium (Critical)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Chromium 141.0.7390.76:
* Do not send URLs as AIM input. This is to resolve a privacy
concern, around passing urls to AI Mode.
Chromium 141.0.7390.65 (boo#1251334):
* CVE-2025-11458: Heap buffer overflow in Sync
* CVE-2025-11460: Use after free in Storage
* CVE-2025-11211: Out of bounds read in WebCodecs
Chromium 141.0.7390.54 (stable released 2025-09-30) (boo#1250780)
* CVE-2025-11205: Heap buffer overflow in WebGPU
* CVE-2025-11206: Heap buffer overflow in Video
* CVE-2025-11207: Side-channel information leakage in Storage
* CVE-2025-11208: Inappropriate implementation in Media
* CVE-2025-11209: Inappropriate implementation in Omnibox
* CVE-2025-11210: Side-channel information leakage in Tab
* CVE-2025-11211: Out of bounds read in Media
* CVE-2025-11212: Inappropriate implementation in Media
* CVE-2025-11213: Inappropriate implementation in Omnibox
* CVE-2025-11215: Off by one error in V8
* CVE-2025-11216: Inappropriate implementation in Storage
* CVE-2025-11219: Use after free in V8
* Various fixes from internal audits, fuzzing and other initiatives
Chromium 141.0.7390.37 (beta released 2025-09-24)
Chromium 140.0.7339.207 (boo#1250472)
* CVE-2025-10890: Side-channel information leakage in V8
* CVE-2025-10891: Integer overflow in V8
* CVE-2025-10892: Integer overflow in V8
CriticalSUSE bug 1250472SUSE bug 1250780SUSE bug 1251334CVE-2025-10890 at SUSECVE-2025-10890 at NVDCVE-2025-10891 at SUSECVE-2025-10891 at NVDCVE-2025-10892 at SUSECVE-2025-10892 at NVDCVE-2025-11205 at SUSECVE-2025-11205 at NVDCVE-2025-11206 at SUSECVE-2025-11206 at NVDCVE-2025-11207 at SUSECVE-2025-11207 at NVDCVE-2025-11208 at SUSECVE-2025-11208 at NVDCVE-2025-11209 at SUSECVE-2025-11209 at NVDCVE-2025-11210 at SUSECVE-2025-11210 at NVDCVE-2025-11211 at SUSECVE-2025-11211 at NVDCVE-2025-11212 at SUSECVE-2025-11212 at NVDCVE-2025-11213 at SUSECVE-2025-11213 at NVDCVE-2025-11215 at SUSECVE-2025-11215 at NVDCVE-2025-11216 at SUSECVE-2025-11216 at NVDCVE-2025-11219 at SUSECVE-2025-11219 at NVDCVE-2025-11458 at SUSECVE-2025-11458 at NVDCVE-2025-11460 at SUSECVE-2025-11460 at NVDSecurity update for MozillaThunderbird (Important)openSUSE Leap 16.0
This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
Mozilla Thunderbird 140.3.0 ESR:
* Right-clicking 'List-ID' -> 'Unsubscribe' created double encoded
draft subject
* Thunderbird could crash on startup
* Thunderbird could crash when importing mail
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
MFSA 2025-78 (bsc#1249391)
* CVE-2025-10527
Sandbox escape due to use-after-free in the Graphics:
Canvas2D component
* CVE-2025-10528
Sandbox escape due to undefined behavior, invalid pointer in
the Graphics: Canvas2D component
* CVE-2025-10529
Same-origin policy bypass in the Layout component
* CVE-2025-10532
Incorrect boundary conditions in the JavaScript: GC component
* CVE-2025-10533
Integer overflow in the SVG component
* CVE-2025-10536
Information disclosure in the Networking: Cache component
* CVE-2025-10537
Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
ESR 140.3, Firefox 143 and Thunderbird 143
ImportantSUSE bug 1249391CVE-2025-10527 at SUSECVE-2025-10527 at NVDCVE-2025-10528 at SUSECVE-2025-10528 at NVDCVE-2025-10529 at SUSECVE-2025-10529 at NVDCVE-2025-10532 at SUSECVE-2025-10532 at NVDCVE-2025-10533 at SUSECVE-2025-10533 at NVDCVE-2025-10536 at SUSECVE-2025-10536 at NVDCVE-2025-10537 at SUSECVE-2025-10537 at NVDSecurity update for chromium (Moderate)openSUSE Leap 16.0
This update for chromium fixes the following issues:
- Chromium 144.0.7559.109 (boo#1257404)
* CVE-2026-1504: Inappropriate implementation in Background Fetch API
ModerateSUSE bug 1257404CVE-2026-1504 at SUSECVE-2026-1504 at NVDSecurity update for xrdp (Important)openSUSE Leap 16.0
This update for xrdp fixes the following issues:
Changes in xrdp:
- CVE-2025-68670: Fixed a potential overflow (bsc#1257362).
ImportantSUSE bug 1257362CVE-2025-68670 at SUSECVE-2025-68670 at NVDRecommended update for gimp (Moderate)openSUSE Leap 16.0
This update for gimp fixes the following issues:
Changes in gimp:
- Update to 3.0.8
- Font Loading Performance
- Improvements in start-up time for users with a large number
of fonts was backported from our 3.2 RC2 release. As a
result, we now wait to load images until fonts are
initialized - this prevents some occasional odd displays and
other issues when an XCF file tried to access a partially
loaded font.
- Assorted updates and fixes
- Daniel Plakhotich helped us identify an issue when exporting
a lossless WEBP image could be affected by lossy settings
(such as Quality being less than 100%). We’ve updated our
WEBP plug-in to prevent this from happening.
- Thanks to Jehan‘s efforts, the standard gimp-3.0 executable
can now be run with a --no-interface flag instead of
requiring users to call gimp-console-3.0 even on devices with
no display. The --show-debug-menu flag is now visible as
well.
- programmer_ceds improved our flatpak by adding safe guards to
show the correct configuration directory regardless of
whether XDG_CONFIG_HOME is defined on the user’s system. This
should make it much easier for flatpak users to install and
use third party plug-ins.
- We fixed a rare but possible crash when using the Equalize
filter on images with NaN values. Images that contain these
are usually created from scientific or mapping data, so
you’re unlikely to come across them in standard editing.
- Jeremy Bicha fixed an internal issue where the wrong version
number could be used when installing minor releases (such as
the 3.2 release candidates and upcoming 3.2 stable release).
- As noted in our 3.2RC2 news post, we have updated our SVG
import code to improve the rendered path.
- Further improvements have been made to our non-destructive
filter code to improve stability, especially when copying and
pasting layers and images with filters attached to them. Some
issues related to applying NDE filters on Quick Masks have
also been corrected.
- An unintended Search pop-up that appeared when typing while
the Channels dockable was selected has been turned off.
- When saving XCFs for GIMP 2.10 compatibility, we
unintentionally saved Grid color using the new color format.
This caused errors when reopening the XCF in 2.10. This
problem has now been fixed! If you encounter any other XCF
incompatibility, please let us know.
- Themes and UX
- The Navigation and Selection Editor dockables no longer show
a large bright texture when no image is actively selected.
This was especially noticeable on dark themes.
- When a layer has no active filters, the Fx column had the
same “checkbox” outline when hovered over as the lock column.
This led to confusion about clicking it to add filters. We
have removed the outline on hover as a small step to help
address this.
- Ondřej M?chal fixed alignment and cut-off issues with the
buttons on our Transform tool overlays. All buttons should
now be properly centered and visible.
- The options for filling layers with colors when resizing the
canvas will be turned off when not relevant (such as when you
set layers to not be resized).
- More GUI elements such as dialog header icons will now
respond to your icon size preferences.
- Ondřej M?chal has continued his work to update our UI with
the more usable Spin Scale widget. He has also updated the
widget itself to improve how it works for users and
developers alike.
- Security fixes
- Jacob Boerema and Gabriele Barbero continued to patch
potential security issues related to some of our file format
plug-ins. In addition to existing fixes mentioned in the
release candidate news posts, the following exploits are now
prevented: ZDI-CAN-28232 ZDI-CAN-28265 ZDI-CAN-28530
ZDI-CAN-28591 ZDI-CAN-28599
- Another potential issue related to ICO files with incorrect
metadata was reported by Dhiraj. It does not have a CVE
number yet, but it has been fixed for GIMP 3.0.8. Jacob
Boerema also fixed a potential issue with loading Creator
blocks in Paintshop Pro PSP images.
- API
- For plug-in and script developers, a few new public APIs were
backported to GIMP 3.0.8. gimp_cairo_surface_get_buffer ()
allows you to retrieve a GEGL buffer from a Cairo surface
(such as a text layer). Note that this deprecates
gimp_cairo_surface_create_buffer ().
- gimp_config_set_xcf_version () and
gimp_config_get_xcf_version () can be used to specify a
particular XCF version for a configuration. This will allow
you to have that data serialized/deserialized for certain
versions of GIMP if there were differences (such as the Grid
colors mentioned above).
- Fixes were made for retrieving image metadata via scripting.
GimpMetadata is now a visible child of GExiv2Metadata, so you
can use standard gexiv2 functions to retrieve information
from it.
- Original thumbnail metadata is also now removed on export to
prevent potential issues when exporting into a new format.
ModerateSUSE bug 1255293SUSE bug 1255294SUSE bug 1255295SUSE bug 1255296SUSE bug 1255766CVE-2025-14422 at SUSECVE-2025-14422 at NVDCVE-2025-14423 at SUSECVE-2025-14423 at NVDCVE-2025-14424 at SUSECVE-2025-14424 at NVDCVE-2025-14425 at SUSECVE-2025-14425 at NVDCVE-2025-15059 at SUSECVE-2025-15059 at NVDSecurity update for python-Django (Important)openSUSE Leap 16.0
This update for python-Django fixes the following issues:
- CVE-2025-59681: Fixed a potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (boo#1250485)
- CVE-2025-59682: Fixed a potential partial directory-traversal via archive.extract() (boo#1250487)
ImportantSUSE bug 1250485SUSE bug 1250487CVE-2025-59681 at SUSECVE-2025-59681 at NVDCVE-2025-59682 at SUSECVE-2025-59682 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 144.0.7559.132 (boo#1257650)
* CVE-2026-1861: Heap buffer overflow in libvpx in Google Chrome
prior to 144.0.7559.132 allowed a remote attacker to potentially
exploit heap corruption via a crafted HTML page.
* CVE-2026-1862: Type Confusion in V8 in Google Chrome prior to
144.0.7559.132 allowed a remote attacker to potentially exploit
heap corruption via a crafted HTML page.
ImportantSUSE bug 1257650CVE-2026-1861 at SUSECVE-2026-1861 at NVDCVE-2026-1862 at SUSECVE-2026-1862 at NVDSecurity update for python-Django (Important)openSUSE Leap 16.0
This update for python-Django fixes the following issues:
Changes in python-Django:
- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408).
- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407).
- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405).
- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406).
- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401).
- CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGI (bsc#1257403).
ImportantSUSE bug 1257401SUSE bug 1257403SUSE bug 1257405SUSE bug 1257406SUSE bug 1257407SUSE bug 1257408CVE-2025-13473 at SUSECVE-2025-13473 at NVDCVE-2025-14550 at SUSECVE-2025-14550 at NVDCVE-2026-1207 at SUSECVE-2026-1207 at NVDCVE-2026-1285 at SUSECVE-2026-1285 at NVDCVE-2026-1287 at SUSECVE-2026-1287 at NVDCVE-2026-1312 at SUSECVE-2026-1312 at NVDSecurity update for trivy (Important)openSUSE Leap 16.0
This update for trivy fixes the following issues:
Changes in trivy:
- Update to version 0.69.0 (bsc#1255366, CVE-2025-64702):
* release: v0.69.0 [main] (#9886)
* chore: bump trivy-checks to v2 (#9875)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 (#10091)
* fix(repo): return a nil interface for gitAuth if missing (#10097)
* fix(java): correctly inherit properties from parent fields for pom.xml files (#9111)
* fix(rust): implement version inheritance for Cargo mono repos (#10011)
* feat(activestate): add support ActiveState images (#10081)
* feat(vex): support per-repo tls configuration (#10030)
* refactor: allow per-request transport options override (#10083)
* chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#10084)
* chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#10085)
* fix(java): correctly propagate repositories from upper POMs to dependencies (#10077)
* feat(rocky): enable modular package vulnerability detection (#10069)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 (#10079)
* docs: fix mistake in config file example for skip-dirs/skip-files flag (#10070)
* feat(report): add Trivy version to JSON output (#10065)
* fix(rust): add cargo workspace members glob support (#10032)
* feat: add AnalyzedBy field to track which analyzer detected packages (#10059)
* fix: use canonical SPDX license IDs from embeded licenses.json (#10053)
* docs: fix link to Docker Image Specification (#10057)
* feat(secret): add detection for Symfony default secret key (#9892)
* refactor(misconf): move common logic to base value and simplify typed values (#9986)
* fix(java): add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#9880)
* feat(misconf): use Terraform plan configuration to partially restore schema (#9623)
* feat(misconf): add action block to Terraform schema (#10035)
* fix(misconf): correct typos in block and attribute names (#9993)
* test(misconf): simplify test values using *Test helpers (#9985)
* fix(misconf): safely parse rotation_period in google_kms_crypto_key (#9980)
* feat(misconf): support for ARM resources defined as an object (#9959)
* feat(misconf): support for azurerm_*_web_app (#9944)
* test: migrate private test helpers to `export_test.go` convention (#10043)
* chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2 (#10048)
* fix(secret): improve word boundary detection for Hugging Face tokens (#10046)
* fix(go): use ldflags version for all pseudo-versions (#10037)
* chore: switch to ID from AVDID in internal and user-facing fields (#9655)
* refactor(misconf)!: use ID instead of AVDID for providers mapping (#9752)
* fix: move enum into items for array-type fields in JSON Schema (#10039)
* docs: fix incorrect documentation URLs (#10038)
* feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033)
* fix(docker): fix non-det scan results for images with embedded SBOM (#9866)
* chore(deps): bump the github-actions group with 11 updates (#10001)
* test: fix assertion after 2026 roll over (#10002)
* fix(vuln): skip vulns detection for CentOS Stream family without scan failure (#9964)
* fix(license): normalize licenses for PostAnalyzers (#9941)
* feat(nodejs): parse licenses from `package-lock.json` file (#9983)
* chore: update reference links to Go Wiki (#9987)
* refactor: add xslices.Map and replace lo.Map usages (#9984)
* fix(image): race condition in image artifact inspection (#9966)
* feat(flag): add JSON Schema for trivy.yaml configuration file (#9971)
* refactor(debian): use txtar format for test data (#9957)
* chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to `v0.21.0` (#9973)
* feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930)
* feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932)
* docs: add info that `--file-pattern` flag doesn't disable default behaviuor (#9961)
* perf(misconf): optimize string concatenation in azure scanner (#9969)
* chore: add client option to install script (#9962)
* ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956)
* chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952)
* docs: update binary signature verification for sigstore bundles (#9929)
* chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935)
* chore(alpine): add EOL date for alpine 3.23 (#9934)
* feat(cloudformation): add support for Fn::ForEach (#9508)
* ci: enable `check-latest` for `setup-go` (#9931)
* feat(debian): detect third-party packages using maintainer list (#9917)
* fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924)
* feat(helm): add sslCertDir parameter (#9697)
* fix(misconf): respect .yml files when Helm charts are detected (#9912)
* feat(php): add support for dev dependencies in Composer (#9910)
* chore(deps): bump the common group across 1 directory with 9 updates (#9903)
* chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859)
* fix: remove trailing tab in statefulset template (#9889)
* feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)
* feat(misconf): initial ansible scanning support (#9332)
* feat(misconf): Update Azure Database schema (#9811)
* ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869)
* chore: update the install script (#9874)
ImportantSUSE bug 1255366CVE-2025-64702 at SUSECVE-2025-64702 at NVDCVE-2025-66564 at SUSECVE-2025-66564 at NVDSecurity update for tailscale (Important)openSUSE Leap 16.0
This update for tailscale fixes the following issues:
Changes in tailscale:
- Update to version 1.94.0:
* IS SET and NOT SET have been added as device posture operators
* India DERP Region City Name updated
* Custom DERP servers support GCP Certificate Manager
* Tailscale SSH authentication, when successful, results in LOGIN audit
messages being sent to the kernel audit subsystem
* Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
option is supported on multi-core systems
* Tailscale Peer Relay server handshake transmission is guarded against
routing loops over Tailscale
* MagicDNS always resolves when using resolv.conf without a DNS manager
* tailscaled_peer_relay_forwarded_packets_total and
tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
Tailscale Peer Relays
* Identity tokens are automatically generated for workload identities
* --audience flag added to tailscale up command to support auto generation of
ID tokens for workload identity
* tsnet nodes can host Tailscale Services
* The tailscale lock status -json command returns tailnet key authority (TKA)
data in a stable format
* Tailscale Peer Relays deliver improved throughput through monotonic time
comparison optimizations and reduced lock contention
* Tailscale Services virtual IPs are now automatically accepted by clients
across all platforms regardless of the status of the --accept-routes
feature
- Update to version 1.94.0:
* derp/derpserver: add a unique sender cardinality estimate
* syncs: add means of declare locking assumptions for debug mode
* cmd/k8s-operator: add support for taiscale.com/http-redirect
* cmd/k8s-operator fix populateTLSSecret on tests
* feature/posture: log method and full URL for posture identity requests
* k8s-operator: Fix typos in egress-pod-readiness.go
* cmd/tailscale,ipn: add Unix socket support for serve
* client/systray: change systray to start after graphical.target
* cmd/k8s-operator: warn if users attempt to expose a headless Service
* cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
* tsnet: ensure funnel listener cleans up after itself when closed
* ipn/store/kubestore: don't load write replica certs in memory
* tsnet: allow for automatic ID token generation
- Update to version 1.92.5:
* types/persist: omit Persist.AttestationKey based on IsZero
* disable hardware attestation for kubernetes
* allow opting out of ACME order replace extension
- Update to version 1.92.4:
* nothing of importance
- Update to version 1.92.3:
* WireGuard configuration that occurs automatically in the client, no longer
results in a panic
- Update to version 1.92.2:
* cmd/derper: add GCP Certificate Manager support
- Update to version 1.92.1:
* fix LocalBackend deadlock when packet arrives during profile switch
* wgengine: fix TSMP/ICMP callback leak
- Update to version 1.92.0:
* no changelog provided
- Update to version 1.90.9:
* tailscaled no longer deadlocks during event bursts
* The client no longer hangs after wake up
- Update to version 1.90.8:
* tka: move RemoveAll() to CompactableChonk
- Update to version 1.90.7:
* wgengine/magicsock: validate endpoint.derpAddr
* wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
* net/udprelay: replace VNI pool with selection algorithm
* feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
* feature/relayserver: fix Shutdown() deadlock
* net/netmon: do not abandon a subscriber when exiting early
* tka: don't try to read AUMs which are partway through being written
* tka: rename a mutex to mu instead of single-letter l
* ipn/ipnlocal: use an in-memory TKA store if FS is unavailable
- Update to version 1.90.6:
* Routes no longer stall and fail to apply when updated repeatedly in a short
period of time
* Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
affected tailnets that use Tailscale SSH recording
- Update to version 1.90.4:
* deadlock issue no longer occurs in the client when checking
for the network to be available
* tailscaled no longer sporadically panics when a
Trusted Platform Module (TPM) device is present
- Update to version 1.90.3:
* tailscaled shuts down as expected and without panic
* tailscaled starts up as expected in a no router configuration environment
- Update to version 1.90.2:
* util/linuxfw: fix 32-bit arm regression with iptables
* health: compare warnable codes to avoid errors on release branch
* feature/tpm: check TPM family data for compatibility
- Upate to version 1.90.1:
* Clients can use configured DNS resolvers for all domains
* Node keys will be renewed seamlessly
* Unnecessary path discovery packets over DERP servers are suppressed
* Node key sealing is GA (generally available) and enabled by default
- update to version 1.88.3:
* cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
* control/controlhttp: simplify, fix race dialing, remove priority concept
- update to version 1.88.2:
* k8s-operator: reset service status before append
- require the minimum go version directly, in comparison to using the golang(API)
symbol
- update to version 1.88.1:
* Tailscale CLI prompts users to confirm impactful actions
* Tailscale SSH works as expected when using an IP address instead of a
hostname and MagicDNS is disabled
* fixed: Taildrive sharing when su not present
* Taildrive files remain consistently accessible
* new: Tailscale tray GUI
* DERP IPs changed for Singapore and Tokyo
- Fixing CVE-2025-58058, bsc#1248920
- update to version 1.86.5:
* cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
- update to version 1.86.4:
* nothing of relevance
- update to version 1.86.3:
* nothing of relevance
- update to version 1.86.2:
* A deadlock issue that may have occurred in the client
* An occasional crash when establishing a new port mapping with a gateway or
firewall
- update to version 1.86.0:
* tsStateEncrypted device posture attribute for checking whether the
Tailscale client state is encrypted at rest
* Cross-site request forgery (CSRF) issue that may have resulted in a log in
error when accessing the web interface
* Recommended exit node when the previously recommended exit node is offline
* tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
CLI commands track the recommended exit node and automatically switches to
it when available exit nodes or network conditions change
* tailscaled CLI command flag --encrypt-state encrypts the node state file on
the disk using trusted platform module (TPM)
- update to 1.84.3:
* ipn/ipnlocal: Update hostinfo to control on service config change
- update to 1.84.2:
* Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
from stricter CLI arguments parsing introduced in Tailscale v1.84.0
- update to 1.84.1:
* net/dns: cache dns.Config for reuse when compileConfig fails
- update to 1.84.0:
* The --reason flag is added to the tailscale down command
* ReconnectAfter policy setting, which configures the maximum period of time
between a user disconnecting Tailscale and the client automatically
reconnecting
* Tailscale CLI commands throw an error if multiple of the same flag are detected
* Network connectivity issues when creating a new profile or switching
profiles while using an exit node
* DNS-over-TCP fallback works correctly with upstream servers reachable only
via the tailnet
- update to 1.82.5:
* A panic issue related to CUBIC congestion control in userspace mode is resolved.
- update to 1.82.0:
* DERP functionality within the client supports certificate pinning for
self-signed IP address certificates for those unable to use Let's Encrypt
or WebPKI certificates.
* Go is updated to version 1.24.1
* NAT traversal code uses the DERP connection that a packet arrived on as an
ultimate fallback route if no other information is available
* Captive portal detection reliability is improved on some in-flight Wi-Fi networks
* Port mapping success rate is improved
* Helsinki is added as a DERP region.
ImportantSUSE bug 1248920CVE-2025-22869 at SUSECVE-2025-22869 at NVDCVE-2025-58058 at SUSECVE-2025-58058 at NVDSecurity update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc (Important)openSUSE Leap 16.0
This update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc fixes the following issues:
Changes in orthanc:
- dcmtk 370 breaks TW build
- switch to lua 5.4
- patch out boost component system from framework
- version 1.12.10
' long changelog - see NEWS for details
- apply boost patch to source tree
- Stop trying to pull libboost_system-devel in all orthanc packages.
- remove libboost_system-devel for TW (removed in boost 1.89)
- version 1.12.9
* long changelog - see NEWS for details
Changes in gdcm:
- apply fix for poppler 25.10 build error
Changes in orthanc-authorization:
- version 0.10.3
* New default permissions for worklists
* New default permissions for tools/metrics-prometheus
* New default permissions for tools/generate-uid
- version 0.10.2
* New default permissions to add/delete modalities through the Rest API
https://discourse.orthanc-server.org/t/managing-modalities-using-the-rest-api-and-keycloak/6137
* New standard configuration "stl"
- remove libboost_system-devel for TW (removed in boost 1.89)-
- version 0.10.1
* Fix audit-logs export in CSV format.
* New configuration "ExtraPermissions" to ADD new permissions to
the default "Permissions" entries.
* Improved handling of "Anonymous" user profiles (when no auth-tokens
are provided): The plugin will now request the auth-service to
get an anonymous user profile even if there are no auth-tokens in the
HTTP request.
* The User profile can now contain a "groups" field if the auth-service
provides it.
* The User profile can now contain an "id" field if the auth-service
provides it.
* New experimental feature: audit-logs
- Enabled by the "EnableAuditLogs" configuration.
- Audit-logs are currently handled by the PostgreSQL plugin and can be
browsed through the route /auth/audit-logs.
- New default permission "audit-logs" to grant access to the
"/auth/audit-logs" route.
* Fix: The "server-id" field is now included in all requests sent to the
auth-service.
Changes in orthanc-dicomweb:
- version 1.22
* framework2.diff added for compatibilty with Orthanc framework <= 1.12.10
* Fixed a possible deadlock when using "WadoRsLoaderThreadsCount" > 1 when the HTTP
client disconnects while downloading the response.
* Fixed "Success: Success" errors when trying to send resources synchronously to a remote DICOMweb
server while the Orthanc job engine was busy with other tasks.
- remove libboost_system-devel for TW (removed in boost 1.89)
- version 1.21
* New configuration "WadoRsLoaderThreadsCount" to configure how many threads are loading
files from the storage when answering to a WADO-RS query. A value > 1 is meaningful
only if the storage is a distributed network storage (e.g object storage plugin).
A value of 0 means reading and writing are performed in sequence (default behaviour).
* New configuration "EnablePerformanceLogs" to display performance logs. Currently
only showing the time required to execute a WADO-RS query. For example:
WADO-RS: elapsed: 26106623 us, rate: 14.86 instances/s, 155.23Mbps
* Fix false errors logs generated e.g when OHIF requests the /dicom-web/studies/../metadata route:
"dicom-web:/Configuration.cpp:643] Unsupported return MIME type: application/dicom+json, multipart/related; type=application/octet-stream; transfer-syntax=*, will return DICOM+JSON"
Changes in orthanc-gdcm:
- version 1.8
* Prevent transcoding of DICOM images with empty
SharedFunctionalGroupsSequence (5200,9229), as this might crash GDCM.
* The built-in Orthanc transcoder being usually more stable, the default
value of the "RestrictTransferSyntaxes" configuration has been updated
to configure the GDCM plugin for J2K transfer syntaxes only since these
transfer syntaxes are currently not supported by the built-in Orthanc
transcoder.
- If "RestrictTransferSyntaxes" is not specified in your configuration,
it is now equivalent to
"RestrictTransferSyntaxes" : [
"1.2.840.10008.1.2.4.90", // JPEG 2000 Image Compression (Lossless Only)
"1.2.840.10008.1.2.4.91", // JPEG 2000 Image Compression
"1.2.840.10008.1.2.4.92", // JPEG 2000 Part 2 Multicomponent Image Compression (Lossless Only)
"1.2.840.10008.1.2.4.93" // JPEG 2000 Part 2 Multicomponent Image Compression
]
which was the recommended configuration.
- If "RestrictTransferSyntaxes" is defined but empty, the GDCM plugin will
now be used to transcode ALL transfer syntaxes (this was the default
behaviour up to version 1.7)
- remove libboost_system-devel for TW (removed in boost 1.89)
- version 1.7
* Upgrade to GDCM 3.0.24 for static builds. Fixes:
- CVE-2024-22373: https://nvd.nist.gov/vuln/detail/CVE-2024-22373
- CVE-2024-22391: https://nvd.nist.gov/vuln/detail/CVE-2024-22391
- CVE-2024-25569: https://nvd.nist.gov/vuln/detail/CVE-2024-25569
Changes in orthanc-indexer:
- remove libboost_system-devel for TW (removed in boost 1.89)
Changes in orthanc-mysql:
- remove libboost_system-devel for TW (removed in boost 1.89)
Changes in orthanc-neuro:
- remove libboost_system-devel for TW (removed in boost 1.89)
Changes in orthanc-postgresql:
- version 10.0
* update mainly providing new Reserve and Acknowledge primitives
for Queues in plugins
- remove libboost_system-devel for TW (removed in boost 1.89)
- version 9.0
* DB-scheme rev. 6 - check Orthanc book
- version 8.0
* no changelog provided
* New DB scheme
Changes in orthanc-python:
- version 7.0
* The "orthanc.pyi" stub is now excluded from the "install" step during the build
* Wrapped new SCP callbacks:
- RegisterFindCallback2()
- RegisterMoveCallback3()
- RegisterWorklistCallback2()
- RegisterStorageCommitmentScpCallback2()
* Wrapped new Queues methods:
- ReserveQueueValue()
- AcknowledgeQueueValue()
- remove libboost_system-devel for TW (removed in boost 1.89)
- remove /usr/orthanc.pyi - unneeded
- version 6.0
* The auto-generation of the Python wrapper is now part of the build,
to exploit the ORTHANC_PLUGIN_SINCE_SDK macro. This provides backward
compatibility with the SDK that is actually installed on the system
* Added Windows builder for Python 3.13
* Added Docker-based builder scripts for Debian 13 (trixie)
Changes in orthanc-stl:
- patch out libboost-system to fix build error
- remove libboost_system-devel for TW (removed in boost 1.89)
Changes in orthanc-tcia:
- version 1.3
* Replaced default base URL of TCIA REST API from
"https://services.cancerimagingarchive.net/services/v4/TCIA/query" to
"https://nbia.cancerimagingarchive.net/nbia-api/services/v4"
* Added configuration option "BaseUrl" to manually configure the base URL
* Fix for newer versions of the NBIA cart file format
* Upgrade to Orthanc framework 1.12.3
- remove libboost_system-devel for TW (removed in boost 1.89)
Changes in orthanc-wsi:
- fix build error w framework 1.12.10
- version 3.3
* OrthancWSIDicomizer:
- New option "--encoding" to specify the specific character set of DICOM instances
- Placeholder tags are now automatically inserted when the "--dataset" option
provides incomplete data, ensuring the generated DICOM instances remain valid
- The version of the DICOM-izer is available in DICOM tag "SoftwareVersions"
- ImagedVolumeWidth and ImagedVolumeHeight are swapped with respect to releases <= 3.2:
https://discourse.orthanc-server.org/t/5912
* Viewer plugin:
- Added rotation button in the viewer
- The viewer displays a label if the "description" GET parameter is provided
- Upgraded to OpenLayers 10.6.1
- remove libboost_system-devel for TW (removed in boost 1.89)
Changes in python-pyorthanc:
- version 1.22.1
* no changelog provided
ImportantCVE-2024-22373 at SUSECVE-2024-22373 at NVDCVE-2024-22391 at SUSECVE-2024-22391 at NVDCVE-2024-25569 at SUSECVE-2024-25569 at NVDSecurity update for micropython (Low)openSUSE Leap 16.0
This update for micropython fixes the following issues:
Changes in micropython:
- CVE-2026-1998: Fixed segmentation fault in `mp_map_lookup` via `mp_import_all` (bsc#1257803).
- Version 1.26.1
* esp32: update esp_tinyusb component to v1.7.6
* tools: add an environment variable MICROPY_MAINTAINER_BUILD
* esp32: add IDF Component Lockfiles to git repo
* shared/tinyusb: fix hang from new tx_overwritabe_if_not_connected flag
* shared/tinyusb/mp_usbd_cdc: rewrite USB CDC TX loop
* tools/mpremote: don't apply Espressif DTR/RTS quirk to TinyUSB CDC dev
- Fix building on single core systems
* Skip tests/thread/stress_schedule.py when single core system detected
LowSUSE bug 1257803CVE-2026-1998 at SUSECVE-2026-1998 at NVDSecurity update for htmldoc (Critical)openSUSE Leap 16.0
This update for htmldoc fixes the following issues:
Changes in htmldoc:
- CVE-2024-46478: Fixed buffer overflow when handling tabs through the parse_pre function (bsc#1232380).
- version update to 1.9.23:
* Fixed a regression in list handling that caused a crash for empty list items
(Issue #553)
* Fixed a regression in the number of rendered table of contents levels in PDF
and PostScript output (Issue #554)
- version update to 1.9.22:
* Added a "--without-http" configure option to build without CUPS HTTP/HTTPS
support (Issue #547)
* Updated HTTP/HTTPS support to work with both CUPS 2.x and 3.x.
* Updated the maximum image dimension to prevent integer overflow on 32-bit
platforms (Issue #550)
* Updated the HTML parser to correctly report the line number of errors in files
with more than 2^32-1 lines (Issue #551)
* Fixed a crash bug with certain markdown files (Issue #548)
* Fixed an unrestricted recursion bug when reading and formatting HTML (Issue #552)
- version update to 1.9.21
* Updated HTTP/HTTPS connection error reporting to include the reason.
* Updated markdown parser.
* Updated the HTTP/HTTPS connection timeout to 5 minutes (Issue #541)
* Fixed a bug in the new PDF link code (Issue #536)
* Fixed a bug in the number-up code (Issue #539)
* Fixed a regression in leading whitespace handling (Issue #540)
* Fixed a bug in numbered heading support (Issue #543)
* Fixed a bug with setting the header on the first page (Issue #544)
* Fixed paths in the HTMLDOC snap (Issue #545)
- update to 1.9.20:
* Fix a regression that caused spaces to disappear between some words
* Fix resolution of relative links within a document
- includes changes from 1.9.19:
* Add support for ‘file’ method in links
* Update markdown support code to mmd
* Fix hyperlinks to subfolders
* Fix export of UTF-8 HTML
* Fix handling of whitespace-only nodes
* Fix case sensitivity of link targets
CriticalSUSE bug 1232380CVE-2024-45508 at SUSECVE-2024-45508 at NVDCVE-2024-46478 at SUSECVE-2024-46478 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- more fixes for desktop file, some variables were lowercased,
further adaptions in INSTALL script (boo#1258199)
- also copy rollup into third_party/node/node_modules
- stay on llvm-10 for swiftshader but bring a similar patch
- drop use of rollup binaries and use rollup-3.x which does not
use prebuilt binaries (that fail at least on older ppc64le)
follow the approach of the debian packaging
- update/resync ppc64le patches from fedora
- fix INSTALL.sh again to replace the tags in desktop file,
appdata and manpage (boo#1258199)
- Chromium 145.0.7632.75:
* CVE-2026-2441: Use after free in CSS (boo#1258185)
- Chromium 145.0.7632.67:
* Revert a change in url_fixer that may have caused crashes
- Chromium 145.0.7632.45 (boo#1258116)
* jpeg-xl support has been readded
* CVE-2026-2313: Use after free in CSS
* CVE-2026-2314: Heap buffer overflow in Codecs
* CVE-2026-2315: Inappropriate implementation in WebGPU
* CVE-2026-2316: Insufficient policy enforcement in Frames
* CVE-2026-2317: Inappropriate implementation in Animation
* CVE-2026-2318: Inappropriate implementation in PictureInPicture
* CVE-2026-2319: Race in DevTools
* CVE-2026-2320: Inappropriate implementation in File input
* CVE-2026-2321: Use after free in Ozone
* CVE-2026-2322: Inappropriate implementation in File input
* CVE-2026-2323: Inappropriate implementation in Downloads
ImportantSUSE bug 1258116SUSE bug 1258185SUSE bug 1258199CVE-2026-2313 at SUSECVE-2026-2313 at NVDCVE-2026-2314 at SUSECVE-2026-2314 at NVDCVE-2026-2315 at SUSECVE-2026-2315 at NVDCVE-2026-2316 at SUSECVE-2026-2316 at NVDCVE-2026-2317 at SUSECVE-2026-2317 at NVDCVE-2026-2318 at SUSECVE-2026-2318 at NVDCVE-2026-2319 at SUSECVE-2026-2319 at NVDCVE-2026-2320 at SUSECVE-2026-2320 at NVDCVE-2026-2321 at SUSECVE-2026-2321 at NVDCVE-2026-2322 at SUSECVE-2026-2322 at NVDCVE-2026-2323 at SUSECVE-2026-2323 at NVDCVE-2026-2441 at SUSECVE-2026-2441 at NVDSecurity update for python-Authlib (Moderate)openSUSE Leap 16.0
This update for python-Authlib fixes the following issues:
Changes in python-Authlib:
- CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library (bsc#1256414)
ModerateSUSE bug 1256414CVE-2025-68158 at SUSECVE-2025-68158 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 145.0.7632.109 (boo#1258438):
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media
ImportantSUSE bug 1258438CVE-2026-2648 at SUSECVE-2026-2648 at NVDCVE-2026-2649 at SUSECVE-2026-2649 at NVDCVE-2026-2650 at SUSECVE-2026-2650 at NVDSecurity update for mosquitto (Critical)openSUSE Leap 16.0
This update for mosquitto fixes the following issues:
Changes in mosquitto:
- update to 2.0.23 (boo#1258671)
* Fix handling of disconnected sessions for `per_listener_settings
true`
* Check return values of openssl *_get_ex_data() and
*_set_ex_data() to prevent possible crash. This could occur only
in extremely unlikely situations
* Check return value of openssl ASN1_string_[get0_]data()
functions for NULL. This prevents a crash in case of incorrect
certificate handling in openssl
* Fix potential crash on startup if a malicious/corrupt
persistence file from mosquitto 1.5 or earlier is loaded
* Limit auto_id_prefix to 50 characters
- Update to version 2.0.22
Broker
* Bridge: Fix idle_timeout never occurring for lazy bridges.
* Fix case where max_queued_messages = 0 was not treated as
unlimited.
* Fix --version exit code and output.
* Fix crash on receiving a $CONTROL message over a bridge, if
per_listener_settings is set true and the bridge is carrying
out topic remapping.
* Fix incorrect reference clock being selected on startup on
Linux. Closes #3238.
* Fix reporting of client disconnections being incorrectly
attributed to "out of memory".
* Fix compilation when using WITH_OLD_KEEPALIVE.
* Fix problems with secure websockets.
* Fix crash on exit when using WITH_EPOLL=no.
* Fix clients being incorrectly expired when they have
keepalive == max_keepalive. Closes #3226, #3286.
Dynamic security plugin
* Fix mismatch memory free when saving config which caused
memory tracking to be incorrect.
Client library
* Fix C++ symbols being removed when compiled with link time
optimisation.
* TLS error handling was incorrectly setting a protocol error
for non-TLS errors. This would cause the mosquitto_loop_start()
thread to exit if no broker was available on the first
connection attempt. This has been fixed. Closes #3258.
* Fix linker errors on some architectures using cmake.
- Update to version 2.0.21
Broker
* Fix clients sending a RESERVED packet not being quickly
disconnected.
* Fix bind_interface producing an error when used with an
interface that has an IPv6 link-local address and no other
IPv6 addresses.
* Fix mismatched wrapped/unwrapped memory alloc/free in
properties.
* Fix allow_anonymous false not being applied in local only mode.
* Add retain_expiry_interval option to fix expired retained
message not being removed from memory if they are not
subscribed to.
* Produce an error if invalid combinations of
cafile/capath/certfile/keyfile are used.
* Backport keepalive checking from develop to fix problems in
current implementation.
Client library
* Fix potential deadlock in mosquitto_sub if -W is used.
Apps
* mosquitto_ctrl dynsec now also allows -i to specify a clientid
as well as -c. This matches the documentation which states -i.
Tests
* Fix 08-ssl-connect-cert-auth-expired and
08-ssl-connect-cert-auth-revoked tests when under load.
- systemd service: Wait till the network got setup to avoid
startup failure.
CriticalSUSE bug 1232635SUSE bug 1232636SUSE bug 1258671CVE-2024-10525 at SUSECVE-2024-10525 at NVDCVE-2024-3935 at SUSECVE-2024-3935 at NVDSecurity update for openQA, os-autoinst, openQA-devel-container (Important)openSUSE Leap 16.0
This update for openQA, os-autoinst, openQA-devel-container fixes the following issues:
Changes in openQA:
- Update to version 5.1771422749.560a3b26:
* fix(mcp): set navbar check expression to read-only
* feat: support inverted result filters in /tests/overview
* fix(test): Enable helm install-chart test again
* git subrepo pull (merge) --force external/os-autoinst-common
* feat: Make allowed hosts for SCENARIO_DEFINITIONS_YAML_FILE configurable
* test: Consider everything under `lib/OpenQA/Shared/` covered
* fix: Provide specific error message if job was removed `enqueue_…_track`
* refactor: Remove useless error message in `enqueue_and_keep_track`
* test: Cover case of successful executing in `enqueue_and_keep_track`
* refactor: Simplify error handling of `enqueue_and_keep_track`
* test: Cover error handling of `enqueue_and_keep_track`
* test: Consider shared session controller fully covered
* refactor: Avoid duplications in sessions controller
* refactor: Use signatures in session controller code
* test: Cover error handling in case of a bad CRSF token
* test: Cover test route for session
* fix(worker): reject jobs explicitly when worker is stopping
* feat: Remove workaround for codecov and gpg
* feat: Switch to Leap 16 in Helm charts
* feat: Switch to Leap 16.0 in openqa_data container
* feat: Replace all Leap 15.6 with 16.0 in docs and scripts
* test: Cover showing special image when backend has terminated
* fix: Use new apachectl command
* Update openQA containers to Leap 16.0
* test: Extend tests for controller handling live view
* refactor: Move throttling into its own function
* feat(throttling): throttle jobs resources based on parameters size
* refactor: Avoid repeated use of `$t->app->minion` in gru tasks tests
* feat: Allow archiving jobs with infinite important storage durations
* feat: Flag jobs without results as archived for consistency
* feat: Remove one corner case preventing jobs from being archived
- Update to version 5.1770718745.ce2072d3:
* feat(ui): use clickable test overview summary counts for quick filtering
* build(Makefile): fix uninterruptable tests
* docs: Mention caveats of `…_cleanup_max_free_percentage` setting
* test(25-cache-service): fix race conditions
* test(ui/21-admin-needles): properly wait for modal dialog and deletion
* test(ui/13-admin): properly wait for API key deletion
* test(40-openqa-clone-job): properly isolate from system config
* test(15-asset): bump timeout to current runtime
* chore: fix CVE-2026-25547 (boo#1257852) by overriding minimatch
* build(deps-dev): bump @eslint from 9.36.0 to 9.38.0
* fix(eslint): correct style to be eslint-9.38 compliant
* build(deps-dev): bump @eslint-community/regexpp from 4.12.1 to 4.12.2
* build(deps-dev): bump @eslint/config-array from 0.21.0 to 0.21.1
* build(deps-dev): bump @eslint/object-schema from 2.1.6 to 2.1.7
* refactor: Improve variable names in function to determine expired jobs
* test: Improve name of subtest for archiving
* test: Verify that archiving works regardless of logs/results present
* Dependency cron 2026-02-06
* Bump js-yaml from 4.1.0 to 4.1.1
* build(deps): bump ace-builds from 1.43.3 to 1.43.4
- Update to version 5.1770308102.12dfd0e4:
* fix: Configure sudoers correctly in Leap 16
* Also use devel:openQA/16.0 in dependency bot workflow
* test: Consider all controller code covered
* refactor: Remove unused "group connect" endpoints
* test: Cover `openqa_jobs_by_worker` field of InfluxDB endpoint
* test: Cover all cases of search of audit log table
* refactor: Simplify function to render audit log index page
* test: Add test for `eventid` parameter of audit log page
* test: Cover remaining lines of `Asset.pm`
- Update to version 5.1769644379.ef069e9d:
Changes in os-autoinst:
- Update to version 5.1771353921.c8005c9:
* git subrepo pull (merge) --force external/os-autoinst-common
* style: Fix crop.py style issues
* workaround: Remove "get_mempolicy" warning from qemu-img output
* parse_extra_log: Allow passing additional args to upload_logs
* refactor: Distinguish tests by the script path in `loadtest`
* refactor: Simplify approach for avoiding redefine warnings
- Update to version 5.1770715824.6a80a85:
* style: Fix crop.py style issues
* workaround: Remove "get_mempolicy" warning from qemu-img output
* parse_extra_log: Allow passing additional args to upload_logs
* refactor: Distinguish tests by the script path in `loadtest`
* refactor: Simplify approach for avoiding redefine warnings
* test: Allow running tests with `Test::Warnings<0.033`
* test: Format test of `loadtestdir` in a more compact way
- Update to version 5.1770127521.c249fe9:
* refactor: Distinguish tests by the script path in `loadtest`
* refactor: Simplify approach for avoiding redefine warnings
* test: Allow running tests with `Test::Warnings<0.033`
* test: Format test of `loadtestdir` in a more compact way
* test: Use `ENABLE_MODERN_PERL_FEATURES=1` in test suite
* feat: Allow enabling strict/warnings/signatures globally
* fix: Improve wrong comment about enablement of modern Perl features
Changes in openQA-devel-container:
- Update to version 5.1771422749.560a3b26b:
* Update to latest openQA version
ImportantSUSE bug 1257852CVE-2026-25547 at SUSECVE-2026-25547 at NVDSecurity update for gimp (Low)openSUSE Leap 16.0
This update for gimp fixes the following issues:
Changes in gimp:
- CVE-2026-2239: Fixed a heap buffer overflow in psd-util.c (bsc#1257959).
LowSUSE bug 1257959CVE-2026-2239 at SUSECVE-2026-2239 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 145.0.7632.116 (boo#1258733):
* CVE-2026-3061: Out of bounds read in Media
* CVE-2026-3062: Out of bounds read and write in Tint
* CVE-2025-3063: Inappropriate implementation in DevTools
ImportantSUSE bug 1258733CVE-2025-3063 at SUSECVE-2025-3063 at NVDCVE-2026-3061 at SUSECVE-2026-3061 at NVDCVE-2026-3062 at SUSECVE-2026-3062 at NVDSecurity update for gitea-tea (Moderate)openSUSE Leap 16.0
This update for gitea-tea fixes the following issues:
Changes in gitea-tea:
- update to 0.12.0:
* New Features
- Add tea actions commands for managing workflow runs and
workflows in #880, #796
- Add tea api subcommand for arbitrary API calls not covered by
existing commands in #879
- Add repository webhook management commands in #798
- Add JSON output support for single PR view in #864
- Add JSON output and file redirection for issue detail view in
#841
- Support creating AGit flow pull requests in #867
* Bug Fixes
- Fix authentication via environment variables when specifying
repo argument in #809
- Fix issue detail view ignoring --owner flag in #899
- Fix PR create crash in #823
- Fix TTY prompt handling in #897
- Fix termenv OSC RGBA handling in #907
- Fix labels delete command and --id flag type in #865
- Fix delete repo command description in #858
- Fix pagination flags for secrets list, webhooks list, and
pull requests list in #853, #852,
- #851
- Enable git worktree support and improve PR create error
handling in #850
- Only prompt for SSH passphrase when necessary in #844
- Only prompt for login confirmation when no default login is
set in #839
- Skip token uniqueness check when using SSH authentication in
#898
- Require non-empty token in GetLoginByToken in #895
- Fix config file permissions to remove group read/write in
#856
* Improvements
- Add file locking for safe concurrent access to config file in
#881
- Improve error messages throughout the CLI in #871
- Send consistent HTTP request headers in #888
- Revert requiring HTTP/HTTPS login URLs; restore SSH as a
login method in #891
- Refactor context into dedicated subpackages in #873, #888
- General code cleanup and improvements in #869, #870
- Add test coverage for login matching in #820
* Build & Dependencies
- Build with Go 1.25 in #886
- Build for Windows aarch64
- Update Gitea SDK version in #868
- Update Nix flake in #872
- Update dependencies including lipgloss v2, urfave/cli v3.6.2,
go-git v5.16.5, and various Go modules in #849, #875, #876,
#878, #884, #885, #900, #901, #904, #905
- Update CI actions (checkout v6, setup-go v6) in #882, #883
ModerateCVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for freerdp2 (Important)openSUSE Leap 16.0
This update for freerdp2 fixes the following issues:
Changes in freerdp2:
- Multiple CVE fixes:
CVE-2026-24491, bsc#1257981, CVE-2026-24675, bsc#1257982,
CVE-2026-24676, bsc#1257983, CVE-2026-24679, bsc#1257986,
CVE-2026-24681, bsc#1257988, CVE-2026-24682, bsc#1257989,
CVE-2026-24683, bsc#1257990, CVE-2026-24684, bsc#1257991,
CVE-2026-22852, bsc#1256718, CVE-2026-22854, bsc#1256720,
CVE-2026-22856, bsc#1256722, CVE-2026-22859, bsc#1256725,
CVE-2026-23530, bsc#1256940, CVE-2026-23531, bsc#1256941,
CVE-2026-23532, bsc#1256942, CVE-2026-23534, bsc#1256944.
- Fix build issue in h264_ffmpeg.c (ffmpeg 7).
- Add upstream fixes (picked from Debian) (boo#1231317)
ImportantSUSE bug 1219049SUSE bug 1231317SUSE bug 1256718SUSE bug 1256720SUSE bug 1256722SUSE bug 1256725SUSE bug 1256940SUSE bug 1256941SUSE bug 1256942SUSE bug 1256944SUSE bug 1257981SUSE bug 1257982SUSE bug 1257983SUSE bug 1257986SUSE bug 1257988SUSE bug 1257989SUSE bug 1257990SUSE bug 1257991CVE-2024-22211 at SUSECVE-2024-22211 at NVDCVE-2026-22852 at SUSECVE-2026-22852 at NVDCVE-2026-22854 at SUSECVE-2026-22854 at NVDCVE-2026-22856 at SUSECVE-2026-22856 at NVDCVE-2026-22859 at SUSECVE-2026-22859 at NVDCVE-2026-23530 at SUSECVE-2026-23530 at NVDCVE-2026-23531 at SUSECVE-2026-23531 at NVDCVE-2026-23532 at SUSECVE-2026-23532 at NVDCVE-2026-23534 at SUSECVE-2026-23534 at NVDCVE-2026-24491 at SUSECVE-2026-24491 at NVDCVE-2026-24675 at SUSECVE-2026-24675 at NVDCVE-2026-24676 at SUSECVE-2026-24676 at NVDCVE-2026-24679 at SUSECVE-2026-24679 at NVDCVE-2026-24681 at SUSECVE-2026-24681 at NVDCVE-2026-24682 at SUSECVE-2026-24682 at NVDCVE-2026-24683 at SUSECVE-2026-24683 at NVDCVE-2026-24684 at SUSECVE-2026-24684 at NVDSecurity update for MozillaThunderbird (Moderate)openSUSE Leap 16.0
This update for MozillaThunderbird fixes the following issues:
Mozilla Thunderbird 140.4:
* changed: Account Hub is now disabled by default for second
email account
* changed: Flatpak runtime has been updated to Freedesktop SDK
24.08
* fixed: Users could not read mail signed with OpenPGP v6 and
PQC keys
* fixed: Image preview in Insert Image dialog failed with CSP
error for web resources
* fixed: Emptying trash on exit did not work with some
providers
* fixed: Thunderbird could crash when applying filters
* fixed: Users were unable to override expired mail server
certificate
* fixed: Opening Website header link in RSS feed incorrectly
re-encoded URL parameters
* fixed: Security fixes
MFSA 2025-85 (bsc#1251263):
* CVE-2025-11708
Use-after-free in MediaTrackGraphImpl::GetInstance()
* CVE-2025-11709
Out of bounds read/write in a privileged process triggered by
WebGL textures
* CVE-2025-11710
Cross-process information leaked due to malicious IPC
messages
* CVE-2025-11711
Some non-writable Object properties could be modified
* CVE-2025-11712
An OBJECT tag type attribute overrode browser behavior on web
resources without a content-type
* CVE-2025-11713
Potential user-assisted code execution in “Copy as cURL”
command
* CVE-2025-11714
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
* CVE-2025-11715
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
ESR 140.4, Firefox 144 and Thunderbird 144
ModerateSUSE bug 1247774SUSE bug 1251263CVE-2025-11708 at SUSECVE-2025-11708 at NVDCVE-2025-11709 at SUSECVE-2025-11709 at NVDCVE-2025-11710 at SUSECVE-2025-11710 at NVDCVE-2025-11711 at SUSECVE-2025-11711 at NVDCVE-2025-11712 at SUSECVE-2025-11712 at NVDCVE-2025-11713 at SUSECVE-2025-11713 at NVDCVE-2025-11714 at SUSECVE-2025-11714 at NVDCVE-2025-11715 at SUSECVE-2025-11715 at NVDSecurity update for python-joserfc (Important)openSUSE Leap 16.0
This update for python-joserfc fixes the following issues:
Changes in python-joserfc:
- CVE-2026-27932: unbounded PBKDF2 iteration count can lead to a denial of service (bsc#1259154)
ImportantSUSE bug 1259154CVE-2026-27932 at SUSECVE-2026-27932 at NVDSecurity update for roundcubemail (Important)openSUSE Leap 16.0
This update for roundcubemail fixes the following issues:
Changes to roundcubemail:
Update to 1.6.13:
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,
CVE-2026-26079).
+ Fix remote image blocking bypass via SVG content reported by nullcathedral
(boo#1257909, CVE-2026-25916).
This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it. Please do backup your data
before updating!
CHANGELOG
+ Managesieve: Fix handling of string-list format values for date
tests in Out of Office (#10075)
+ Fix CSS injection vulnerability reported by CERT Polska.
+ Fix remote image blocking bypass via SVG content reported by nullcathedral.
Update to 1.6.12:
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
+ Fix Information Disclosure vulnerability in the HTML style
sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).
This version is considered stable and we recommend to update all
productive installations of Roundcube 1.6.x with it.
+ Support IPv6 in database DSN (#9937)
+ Don't force specific error_reporting setting
+ Fix compatibility with PHP 8.5 regarding array_first()
+ Remove X-XSS-Protection example from .htaccess file (#9875)
+ Fix "Assign to group" action state after creation of a first group (#9889)
+ Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
+ Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
+ Fix parsing of inline styles that aren't well-formatted (#9948)
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+ Fix Information Disclosure vulnerability in the HTML style sanitizer
Update to 1.6.11
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
- CHANGELOG
* Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
* Improve installer to fix confusion about disabling SMTP authentication (#9801)
* Fix PHP warning in index.php (#9813)
* OAuth: Fix/improve token refresh
* Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
* Fix HTML message preview if it contains floating tables (#9804)
* Fix removing/expiring redis/memcache records when using a key prefix
* Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
* Fix a default value and documentation of password_ldap_encodage option (#9658)
* Remove mobile/floating Create button from the list in Settings > Folders (#9661)
* Fix Delete and Empty buttons state while creating a folder (#9047)
* Fix connecting to LDAP using ldapi:// URI (#8990)
* Fix cursor position on "below the quote" reply in HTML mode (#8700)
* Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)
Update to 1.6.10:
This is the next service release to update the stable version 1.6.
* IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
* OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
* Fix PHP warnings (#9616, #9611)
* Fix whitespace handling in vCard line continuation (#9637)
* Fix current script state after initial scripts creation in managesieve_kolab_master mode
* Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
* Fix regression causing inline SVG images to be missing in mail preview (#9644)
* Fix plugin "virtuser_file" to handle backward slashes in username (#9668)
* Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
* Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
* Fix Oauth issues with use_secure_urls=true (#9722)
* Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
* Fix links in comments and config to https:// where available (#9759, #9756)
* Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)
ImportantSUSE bug 1255306SUSE bug 1255308SUSE bug 1257909SUSE bug 1258052CVE-2025-68460 at SUSECVE-2025-68460 at NVDCVE-2025-68461 at SUSECVE-2025-68461 at NVDCVE-2026-25916 at SUSECVE-2026-25916 at NVDCVE-2026-26079 at SUSECVE-2026-26079 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 145.0.7632.159 (boo#1259213)
* CVE-2026-3536: Integer overflow in ANGLE
* CVE-2026-3537: Object lifecycle issue in PowerVR
* CVE-2026-3538: Integer overflow in Skia
* CVE-2026-3539: Object lifecycle issue in DevTools
* CVE-2026-3540: Inappropriate implementation in WebAudio
* CVE-2026-3541: Inappropriate implementation in CSS
* CVE-2026-3542: Inappropriate implementation in WebAssembly
* CVE-2026-3543: Inappropriate implementation in V8
* CVE-2026-3544: Heap buffer overflow in WebCodecs
* CVE-2026-3545: Insufficient data validation in Navigation
ImportantSUSE bug 1259213CVE-2026-3536 at SUSECVE-2026-3536 at NVDCVE-2026-3537 at SUSECVE-2026-3537 at NVDCVE-2026-3538 at SUSECVE-2026-3538 at NVDCVE-2026-3539 at SUSECVE-2026-3539 at NVDCVE-2026-3540 at SUSECVE-2026-3540 at NVDCVE-2026-3541 at SUSECVE-2026-3541 at NVDCVE-2026-3542 at SUSECVE-2026-3542 at NVDCVE-2026-3543 at SUSECVE-2026-3543 at NVDCVE-2026-3544 at SUSECVE-2026-3544 at NVDCVE-2026-3545 at SUSECVE-2026-3545 at NVDSecurity update for python-PyPDF2 (Important)openSUSE Leap 16.0
This update for python-PyPDF2 fixes the following issues:
Changes in python-PyPDF2:
- CVE-2026-27628: Fixed infinite loop when loading circular /Prev entries in cross-reference streams (bsc#1258940)
- CVE-2026-27888: Fixed issue where manipulated FlateDecode XFA streams can exhaust RAM (bsc#1258934)
- CVE-2025-55197: Fixed denial of service via craft PDF (bsc#1248089)
- CVE-2026-27024: Fixed infinite loop when processing TreeObject (bsc#1258691)
- CVE-2026-27025: Fixed long runtimes/large memory usage for large /ToUnicode streams (bsc#1258692)
- CVE-2026-27026: Fixed long runtimes for malformed FlateDecode streams (bsc#1258693)
- Convert to pip-based build
ImportantSUSE bug 1248089SUSE bug 1258691SUSE bug 1258692SUSE bug 1258693SUSE bug 1258934SUSE bug 1258940CVE-2025-55197 at SUSECVE-2025-55197 at NVDCVE-2026-27024 at SUSECVE-2026-27024 at NVDCVE-2026-27025 at SUSECVE-2026-27025 at NVDCVE-2026-27026 at SUSECVE-2026-27026 at NVDCVE-2026-27628 at SUSECVE-2026-27628 at NVDCVE-2026-27888 at SUSECVE-2026-27888 at NVDSecurity update for python-lxml_html_clean (Moderate)openSUSE Leap 16.0
This update for python-lxml_html_clean fixes the following issues:
Changes in python-lxml_html_clean:
- CVE-2026-28348: improper keywords checking can allow external CSS loading (bsc#1259378)
- CVE-2026-28350: lack of base tag handling can allow the hijacking of the resolution of relative URLs (bsc#1259379)
ModerateSUSE bug 1259378SUSE bug 1259379CVE-2026-28348 at SUSECVE-2026-28348 at NVDCVE-2026-28350 at SUSECVE-2026-28350 at NVDSecurity update for python-PyPDF2 (Moderate)openSUSE Leap 16.0
This update for python-PyPDF2 fixes the following issues:
Changes in python-PyPDF2:
- CVE-2026-28804: Denial of Service via crafted PDF with ASCIIHexDecode filter (bsc#1259404)
- Update sources with osc run download_files
ModerateSUSE bug 1259404CVE-2026-28804 at SUSECVE-2026-28804 at NVDSecurity update for osc, obs-scm-bridge (Moderate)openSUSE Leap 16.0
This update for osc, obs-scm-bridge fixes the following issues:
Changes in osc:
- 1.24.0
- Command-line:
- Add '--target-owner' option to 'git-obs repo fork' command
- Add '--self' parameter to fix 'no matching parent repo' error message in 'git-obs pr create'
- Fix 'osc aggregatepac' for scmsync packages
- Fix 'osc build' to retrieve buildconfig from git package's cache
- Fix 'osc token' error handling for project wide trigger
- Fix string formatting for id in obs-request.xml in 'git-obs pr dump'
- Library:
- Consolidate build types in build.py and commandline.py
- Fix build.get_build_type() by comparing binary_type only if specified
- Make use of queryconfig tool configurable and consistent
- Fix how get_request_collection() filters the projects and packages
- Support copying packages from an scmsync source, when target exists
- Add timestamps to the DEBUG output
- Update new project template
- 1.23.0
- Command-line:
- Add '--target-owner' option to 'git-obs pr create' to specify the target owner explicitly
- Add '--target-branch' option to 'git-obs staging search' command
- Added 'git-obs staging search' command to find project PRs with referenced package PRs that have all been approved
- Change 'git-obs pr dump' to produce directories that match the specified pull request IDs
- Change 'git-obs pr dump' to write STATUS file
- Properly error out on invalid 'PR:' references in 'git-obs pr dump'
- Fix 'git-obs pr create' when the source repo is not a fork
- Fix 'git-obs api' command when server returns 'null'
- Fix 'osc build --alternative-project=...' when there's no .osc in the current directory
- Fix argument and store handling in 'osc results' command
- Library:
- Add Manifest.get_package_paths() method that lists all paths to existings packages in a project
- Fix Manifest class to handle loading empty YAML files or strings
- Fix working with meta during git rebase by determining the current branch from rebase head
- Fix handling local branch when fetching remote
- Move get_label_ids() from PullRequest to Repo class
- Change GitStore not to require apiurl anymore
- Fix storing last_buildroot for git packages
- Store the last buildroot only if there's a store detected
- Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes
- Make PullReqest.parse_id() more permissive by accepting trailing whitespaces
- Fix 'missingok' argument in server_diff()
- Fix gitea_api.PullRequest ordering methods
- Add return to gitea_api.Branch.list()
- PKGBUILD changes
* Remove redundant packages from makedepends. If a package depends
on something, it implicitly makedepends on it as well
* Add python-ruamel-yaml dependency
* Build and install man pages
* Add python-argparse-manpage and python-sphinx to makedepends for
building man pages
* Add check() to run the test suite
* Add checkdepends for test suite dependencies
* Add optdepends as an equivalent to RPM's Recommends, making it
easier for users to find packages needed for optional features
* Use $pkgname variable across the script
* Install shell completion files
* Bump pkgrel
- 1.22.0
- Command-line:
- Add 'git-obs staging' commands
- Add '--gitea-fork-org' option to 'osc fork' command
- Add '--git-branch' option to 'osc fork' command
- Add 'DELETE' to 'git-obs api' allowed methods
- Add commit messages as commented lines to the template in 'git-obs pr create'
- Add filtering by label to 'git-obs pr list'
- Properly handle fork mismatch in 'osc fork'
- Change 'osc build' to build from any git repo if '--alternative-project' is specified
- Fix 'osc service' for git based packages
- Fix 'git-obs pr dump' to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea
- Fix 'git-obs pr dump' to do case insensitive check on owner and repo
- Fix retrieving 'arch' argument in 'osc buildlog'
- Library:
- Add 'status' to the output of gitea_api.Git.get_submodules()
- Add 'remote' argument to gitea_api.Repo.clone_or_update()
- Add gitea_api.common.TemporaryDirectory class that supports 'delete' argument on python 3.6+
- Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout
- Add 'depth' argument to gitea_api.Repo.clone() and clone_or_update()
- Add gitea_api.StagingPullRequestWrapper class for handling staging
- Add gitea_api.PullRequest.get_host_owner_repo_number() method
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'dest' argument
- Warn if the git package doesn't have the same branch as the parent project
- Extend gitea_api.PullRequest with methods that work with 'PR:' references
- Support setting labels in gitea_api.PullRequest.create()
- Fix gitea_api to use pagination instead of limit -1 everywhere
- Remove duplicate, unused PullRequestReview class from gitea_api.pr
- Move clone_or_update() from 'git-obs pr dump' command to gitea_api.Repo
- Change gitea_api.Repo.clone_or_update() to take 'ssh_private_key_path' argument
- Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'help' argument
- Change gitea_api.Repo.clone() to stop borrowing objects when 'reference' or 'reference_if_able' is used
- Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()
- Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name
- Use server_diff() instead of server_diff_noex() to exit with a non-zero return code
- Return preinstallimage.info and allow podman to use preinstallimage
- 1.21.0
- Command-line:
- Modify osc subcommands to error out if they don't work with git
- Add 'git-obs meta' commands for managing the local metadata
- Add 'git-obs meta info' command for printing resolved metadata about the current checkout
- Add -b/--branch option to 'git-obs repo clone' command
- Add 'git-obs pr dump' command to store pull request information on disk
- Add 'git-obs --quiet' option (that mutes printing gitea settings now)
- Automatially pull meta after 'git-obs repo clone'
- Change 'git-obs pr review interactive' to write 'merge ok' comment instead of scheduling a merge
- Mute stderr when creating a worktree in 'git-obs pr review interactive'
- Change 'git-obs -G' to accept url to select a gitea login entry
- Support substitutions in 'osc build --root'
- Fix crash in 'osc build' when 'build_repositories' in store was None
- Fix filtering by reviewers in 'git-obs pr list'
- Update 'osc rq show' command to include history comments in verbose mode
- Library:
- Refactor GitStore
- Migrate git_scm.Store over to gitea_api.Git
- Store buildinfo and buildconfig files in GitStore's cache instead directly in the repo
- Move code from 'git-obs meta pull' command to GitStore.pull()
- Improve GitStore.pull() to support reading project from project.build
- Rephrase the error message about detached HEAD in GitStore
- Improve GitStore's error messages by adding instructions on how to fix missing metadata
- Be more permissive when loading parent project_store in GitStore
- Fix loading _manifest in a project git
- Fix git store to check if all the required fields are present
- Derive package name from topdir if a package is part of a project checkout
- Change 'git-obs pr review interactive' to run pager process as a context manager
- Change obs_api.TarDiff to spawn a process extracting archives as a context manager
- Change 'commit' argument in gitea_api.Git.reset() to optional
- Add gitea_api.Git.get_owner_repo_from_url() staticmethod
- Add gitea_api.Git.urljoin() static method
- Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved
- Fix gitea_api.Git to work with the current remote instead of 'origin'
- Fix get_store() to throw the exception from git store if .osc directory is not present
- Introduce GitObsRuntimeError exception and use it where appropriate
- Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()
- Add 'quiet' option to gitea_api.Git.switch()
- Mute stderr in git_obs.Git.lfs_cat_file()
- Treat None flavor as "" in multibuild resolve
- Make Token.triggered_at optional as it's not available in the oficially released OBS code
- Add BaseModel.from_string() and BaseModel.to_string() methods
- Add BaseModel.from_file() and BaseModel.to_file() methods
- Fix BaseModel to initialize from a dictionary via __init__ instead of setattr
- Docs:
- Update docs for the new git metadata store
- Update list of recommended gitea permissions in git-obs-quickstart
- Spec:
- Install git-obs-metadata man page
- 1.20.0
- Command-line:
- Fix 'osc fork' command to use the right tracking branch
- Fix 'osc blt' command by checking if the working copy is a package
- Make 'osc buildlog' work outside of osc package directory
- Add 'git-obs pr close' and 'git-obs pr reopen' commands
- Add 'close' option to 'git-obs pr review interactive'
- Change 'git-obs pr review interactive' to work with all archives, not only those in Git LFS
- Fix checkout of the base branch in 'git-obs pr review interactive' command
- Library:
- Support _manifest file in git store
- Allow pull request IDs in '<owner>/<repo>!<number>' format
- Properly handle deleted users and teams in the git-obs timeline
- Handle situations when there's 'None' among timeline entries
- Skip binary files in gitea_api.PullRequest.get_patch()
- Change get_user_input(), add support for vertically printed list of answers
- Spec:
- Provide git-obs
- 1.19.1
- Command-line:
- Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR
- Connection:
- Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars
- Library:
- Add 'trackingbranch' field to ScmsyncObsinfo model
- Revert "Return None if GitStore cannot determine apiurl"
- Throw a proper exception when 'apiurl' argument of 'makeurl()' is empty
- Move code setting apiurl from store to 'osc.conf.get_config()'
- Simplify 'osc.commandline.Osc.get_api_url()' to return the value from 'self.options'
- Remove 'osc.commandline.Osc.post_argparse()' because it's no longer used
- Fix unit tests to use the new code path to run osc
- Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime
- 1.19.0
- Command-line:
- Add 'git-obs pr cancel-scheduled-merge' command
- Add timeline to 'git-obs pr review interactive'
- Add '--timeline' option to 'git-obs pr get'
- Fix 'git-obs pr search' by using pagination to retrieve all results
- Extend '--message' option in git-obs subcommands with the '-m' short option
- Add a different message for scheduled merges in 'git-obs pr merge' command
- Library:
- Add 'conn' parameter to gitea_api.common.GiteaModel
- Add gitea_api.Connection.scheme attribute
- Add gitea_api.PullRequest.merge_commit property
- Add gitea_api.PullRequest.get_owner_repo_number()
- Add gitea_api.common.dt_sanitize() for sanitizing datetime strings
- Handle missing head repo in the PullRequest properties
- Return None if GitStore cannot determine apiurl
- Remove extra newline from store files
- Fix the 'Move remaining imports in osc.babysitter into try-except block' change by preserving the order of handling the exceptions
- Spec:
- Use primary_python to define runtime requires matching the shebang lines
- Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python
- Add conflict with obs-scm-bridge < 0.7.3
- 1.18.0
- Command-line:
- Add 'git-obs pr comment [--message=...]' command
- Add 'git-obs pr show-patch' command
- Add '--reviewer' option to 'git-obs pr review {approve,decline,interactive}' to support group reviews via group review bot
- Update 'git-obs pr review interactive' to return non-zero return codes for 'exit' and 'skip' actions
- Make 'osc results --show-excluded' work in a project context
- Add '--no-pager' global option
- Fix 'osc fork' by copying whole query part to the new scmsync url
- Fix 'osc buildinfo' for git packages by handing the 'build_repositories' files by store objects
- Fix crash in 'git-obs pr get --patch'
- Fix git-obs to exit with 130 on keyboard interrupt
- Fix --sccache help typo in 'osc build' command
- Connection:
- Don't retry requests on 504 Gateway Timeout
- Library:
- If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute
- Improve detection of packages and projects in git
- scmsync_obsinfo: Pass correct revision to obs-scm-bridge
- Add obs_api.Request.search() method
- Raise an exception if obs-scm-bridge fails
- Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string
- Fix git store to support non-default remote
- Extend 'gitea_api.User.get()' to take 'username' parameter
- Move get_editor() and related functions from command-line module to gitea_api.common
- Migrate subcommands from using Store() to get_store() that is git aware
- Make imports lazy to imporove osc load times
Changes in obs-scm-bridge:
- use the system default python version (boo#1247410)
- 0.7.4
* syntax fix
- 0.7.3
* fix .gitsubmodule parser to handle space and tabs mixed
- package /etc/obs/service directories
- 0.7.2
* Improved error reporting of invalid files in package subdirs
* Introducing a mechanic to limit asset handling
- 0.7.1
* export trackingbranch to scmsync.obsinfo
- 0.7.0
* supporting _manifest file as successor of _subdirs
* record configured branch of submodules in package scmsync url
* stay on the configured branch of a submodule on checkout
- 0.6.3
* Allow ssh:// scm urls as used by osc
* project mode: avoid unecessary changes in package meta url
* code cleanup
- fix dependency (it is python3-PyYAML)
- fix missing dependency to PyYAML
- 0.6.2
* Make project mode always look for _config in the top dir, also
when using subdirs.
- 0.6.1
* new noobsinfo query parameter
(can be used to hide git informations in sources, binaries
won't contain them either then).
- 0.6.0
* project mode: switching to to track package sources using
git sha sums instead of md5sum via download_assets
- 0.5.4
* fixed support of subdir parameter usage on project level
* Fix handling of projectscmsync in the package xml writers
- 0.5.3
* Switch to ssh url when using the bridge via osc
- 0.5.2
* Don't overwrite files from git, but complain instead with
an error. For example _scmsync.obsinfo file must not be part
of the git tree. boo#1230469 CVE-2024-22038
- 0.5.1
* Don't generate _scmsync.obsinfo outside of OBS source server
import use case (eg. no more for osc co)
* Enforce python 3.11 requirement
* Fix export of _scmsync.obsinfo in project mode
* Fix submodule detection
* EXPERIMENTAL: support multiple package subdirs via _subdirs
file. This syntax will change!
(not documented on purpose therefore atm)
* Using git credential manager
* Report some errors as transient, so that OBS can re-try
ModerateSUSE bug 1230469SUSE bug 1247410CVE-2024-22038 at SUSECVE-2024-22038 at NVDSecurity update for chromium (Critical)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 146.0.7680.80:
* CVE-2026-3909: Out of bounds write in Skia (boo#1259659)
- Chromium 146.0.7680.75 (released 2026-03-12) (boo#1259648)
* CVE-2026-3910: Inappropriate implementation in V8.
- Chromium 146.0.7680.71 (released 2026-03-11) (boo#1259530)
* CVE-2026-3913: Heap buffer overflow in WebML
* CVE-2026-3914: Integer overflow in WebML
* CVE-2026-3915: Heap buffer overflow in WebML
* CVE-2026-3916: Out of bounds read in Web Speech
* CVE-2026-3917: Use after free in Agents
* CVE-2026-3918: Use after free in WebMCP
* CVE-2026-3919: Use after free in Extensions
* CVE-2026-3920: Out of bounds memory access in WebML
* CVE-2026-3921: Use after free in TextEncoding
* CVE-2026-3922: Use after free in MediaStream
* CVE-2026-3923: Use after free in WebMIDI
* CVE-2026-3924: Use after free in WindowDialog
* CVE-2026-3925: Incorrect security UI in LookalikeChecks
* CVE-2026-3926: Out of bounds read in V8
* CVE-2026-3927: Incorrect security UI in PictureInPicture
* CVE-2026-3928: Insufficient policy enforcement in Extensions
* CVE-2026-3929: Side-channel information leakage in ResourceTiming
* CVE-2026-3930: Unsafe navigation in Navigation
* CVE-2026-3931: Heap buffer overflow in Skia
* CVE-2026-3932: Insufficient policy enforcement in PDF
* CVE-2026-3934: Insufficient policy enforcement in ChromeDriver
* CVE-2026-3935: Incorrect security UI in WebAppInstalls
* CVE-2026-3936: Use after free in WebView
* CVE-2026-3937: Incorrect security UI in Downloads
* CVE-2026-3938: Insufficient policy enforcement in Clipboard
* CVE-2026-3939: Insufficient policy enforcement in PDF
* CVE-2026-3940: Insufficient policy enforcement in DevTools
* CVE-2026-3941: Insufficient policy enforcement in DevTools
* CVE-2026-3942: Incorrect security UI in PictureInPicture
CriticalSUSE bug 1259530SUSE bug 1259648SUSE bug 1259659CVE-2026-3909 at SUSECVE-2026-3909 at NVDCVE-2026-3910 at SUSECVE-2026-3910 at NVDCVE-2026-3913 at SUSECVE-2026-3913 at NVDCVE-2026-3914 at SUSECVE-2026-3914 at NVDCVE-2026-3915 at SUSECVE-2026-3915 at NVDCVE-2026-3916 at SUSECVE-2026-3916 at NVDCVE-2026-3917 at SUSECVE-2026-3917 at NVDCVE-2026-3918 at SUSECVE-2026-3918 at NVDCVE-2026-3919 at SUSECVE-2026-3919 at NVDCVE-2026-3920 at SUSECVE-2026-3920 at NVDCVE-2026-3921 at SUSECVE-2026-3921 at NVDCVE-2026-3922 at SUSECVE-2026-3922 at NVDCVE-2026-3923 at SUSECVE-2026-3923 at NVDCVE-2026-3924 at SUSECVE-2026-3924 at NVDCVE-2026-3925 at SUSECVE-2026-3925 at NVDCVE-2026-3926 at SUSECVE-2026-3926 at NVDCVE-2026-3927 at SUSECVE-2026-3927 at NVDCVE-2026-3928 at SUSECVE-2026-3928 at NVDCVE-2026-3929 at SUSECVE-2026-3929 at NVDCVE-2026-3930 at SUSECVE-2026-3930 at NVDCVE-2026-3931 at SUSECVE-2026-3931 at NVDCVE-2026-3932 at SUSECVE-2026-3932 at NVDCVE-2026-3934 at SUSECVE-2026-3934 at NVDCVE-2026-3935 at SUSECVE-2026-3935 at NVDCVE-2026-3936 at SUSECVE-2026-3936 at NVDCVE-2026-3937 at SUSECVE-2026-3937 at NVDCVE-2026-3938 at SUSECVE-2026-3938 at NVDCVE-2026-3939 at SUSECVE-2026-3939 at NVDCVE-2026-3940 at SUSECVE-2026-3940 at NVDCVE-2026-3941 at SUSECVE-2026-3941 at NVDCVE-2026-3942 at SUSECVE-2026-3942 at NVDSecurity update for python-Django (Moderate)openSUSE Leap 16.0
This update for python-Django fixes the following issues:
Changes in python-Django:
- CVE-2026-25674: Fixed race condition which can lead to potential incorrect permissions on newly created file system objects (bsc#1259142)
ModerateSUSE bug 1259142CVE-2026-25674 at SUSECVE-2026-25674 at NVDSecurity update for krb5-appl (Critical)openSUSE Leap 16.0
This update for krb5-appl fixes the following issues:
Changes in krb5-appl:
- CVE-2026-32746: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd LINEMODE (bsc#1259691)
CriticalSUSE bug 1259691CVE-2026-32746 at SUSECVE-2026-32746 at NVDSecurity update for python-PyPDF2 (Moderate)openSUSE Leap 16.0
This update for python-PyPDF2 fixes the following issues:
Changes in python-PyPDF2:
- CVE-2025-31826: Fixed denial of service due to excessive memory consumption via crafted PDF (bsc#1259508).
ModerateSUSE bug 1259508CVE-2026-31826 at SUSECVE-2026-31826 at NVDSecurity update for micropython (Moderate)openSUSE Leap 16.0
This update for micropython fixes the following issues:
Changes in micropython:
- Build with mbedtls-3.6.5 instead of bundled 3.6.2 to fix CVE-2025-59438
Version 1.26.0:
* Added machine.I2CTarget for creating I2C target devices on multiple ports.
* New MCU support: STM32N6xx (800 MHz, ML accel) & ESP32-C2 (WiFi + BLE).
* Major float accuracy boost (~28% → ~98%), constant folding in compiler.
* Optimized native/Viper emitters; reduced heap use for slices.
* Time functions standardized (1970–2099); new boards across ESP32, SAMD, STM32, Zephyr.
* ESP32: ESP-IDF 5.4.2, flash auto-detect, PCNT class, LAN8670 PHY.
* RP2: compressed errors, better lightsleep, hard IRQ timers.
* Zephyr v4.0.0: PWM, SoftI2C/SPI, BLE runtime services, boot.py/main.py support.
* mpremote adds fs tree, improved df, portable config paths.
* Updated lwIP, LittleFS, libhydrogen, stm32lib; expanded hardware/CI tests.
ModerateCVE-2025-59438 at SUSECVE-2025-59438 at NVDSecurity update for MozillaThunderbird (Important)openSUSE Leap 16.0
This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
- Mozilla Thunderbird 140.8.1 ESR
* Add mail.openpgp.load_untested_gpgme_version to load untested
GPGME version
- Mozilla Thunderbird 140.8.0 ESR
MFSA 2026-17 (boo#1258568)
* CVE-2026-2757 (bmo#2001637)
Incorrect boundary conditions in the WebRTC: Audio/Video
component
* CVE-2026-2758 (bmo#2009608)
Use-after-free in the JavaScript: GC component
* CVE-2026-2759 (bmo#2010933)
Incorrect boundary conditions in the Graphics: ImageLib
component
* CVE-2026-2760 (bmo#2011062)
Sandbox escape due to incorrect boundary conditions in the
Graphics: WebRender component
* CVE-2026-2761 (bmo#2011063)
Sandbox escape in the Graphics: WebRender component
* CVE-2026-2762 (bmo#2011649)
Integer overflow in the JavaScript: Standard Library
component
* CVE-2026-2763 (bmo#2012018)
Use-after-free in the JavaScript Engine component
* CVE-2026-2764 (bmo#2012608)
JIT miscompilation, use-after-free in the JavaScript Engine:
JIT component
* CVE-2026-2765 (bmo#2013562)
Use-after-free in the JavaScript Engine component
* CVE-2026-2766 (bmo#2013583)
Use-after-free in the JavaScript Engine: JIT component
* CVE-2026-2767 (bmo#2013741)
Use-after-free in the JavaScript: WebAssembly component
* CVE-2026-2768 (bmo#2014101)
Sandbox escape in the Storage: IndexedDB component
* CVE-2026-2769 (bmo#2014550)
Use-after-free in the Storage: IndexedDB component
* CVE-2026-2770 (bmo#2014585)
Use-after-free in the DOM: Bindings (WebIDL) component
* CVE-2026-2771 (bmo#2014593)
Undefined behavior in the DOM: Core & HTML component
* CVE-2026-2772 (bmo#2014827)
Use-after-free in the Audio/Video: Playback component
* CVE-2026-2773 (bmo#2014832)
Incorrect boundary conditions in the Web Audio component
* CVE-2026-2774 (bmo#2014883)
Integer overflow in the Audio/Video component
* CVE-2026-2775 (bmo#2015199)
Mitigation bypass in the DOM: HTML Parser component
* CVE-2026-2776 (bmo#2015266)
Sandbox escape due to incorrect boundary conditions in the
Telemetry component in External Software
* CVE-2026-2777 (bmo#2015305)
Privilege escalation in the Messaging System component
* CVE-2026-2778 (bmo#2016358)
Sandbox escape due to incorrect boundary conditions in the
DOM: Core & HTML component
* CVE-2026-2779 (bmo#1164141)
Incorrect boundary conditions in the Networking: JAR
component
* CVE-2026-2780 (bmo#2007829)
Privilege escalation in the Netmonitor component
* CVE-2026-2781 (bmo#2009552)
Integer overflow in the Libraries component in NSS
* CVE-2026-2782 (bmo#2010743)
Privilege escalation in the Netmonitor component
* CVE-2026-2783 (bmo#2010943)
Information disclosure due to JIT miscompilation in the
JavaScript Engine: JIT component
* CVE-2026-2784 (bmo#2012984)
Mitigation bypass in the DOM: Security component
* CVE-2026-2785 (bmo#2013549)
Invalid pointer in the JavaScript Engine component
* CVE-2026-2786 (bmo#2013612)
Use-after-free in the JavaScript Engine component
* CVE-2026-2787 (bmo#2014560)
Use-after-free in the DOM: Window and Location component
* CVE-2026-2788 (bmo#2014824)
Incorrect boundary conditions in the Audio/Video: GMP
component
* CVE-2026-2789 (bmo#2015179)
Use-after-free in the Graphics: ImageLib component
* CVE-2026-2790 (bmo#2008426)
Same-origin policy bypass in the Networking: JAR component
* CVE-2026-2791 (bmo#2015220)
Mitigation bypass in the Networking: Cache component
* CVE-2026-2792 (bmo#2008912, bmo#2010050, bmo#2010275,
bmo#2012331)
Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird
ESR 140.8, Firefox 148 and Thunderbird 148
* CVE-2026-2793 (bmo#2015196, bmo#2016423, bmo#2016498)
Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR
140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
- Mozilla Thunderbird 140.7.2 ESR
MFSA 2026-11 (boo#1258231)
* CVE-2026-2447 (bmo#2014390)
Heap buffer overflow in libvpx
- Mozilla Thunderbird 140.7.1 ESR
MFSA 2026-08 (bsc#1257397)
* CVE-2026-0818 (bmo#1881530)
CSS-based exfiltration of the content from partially
encrypted emails when allowing remote content
- Support using system GnuPG with gpgme 2, boo#1253718
- Mozilla Thunderbird 140.7.0 ESR
MFSA 2026-05 (bsc#1256340)
* CVE-2026-0877 (bmo#1999257)
Mitigation bypass in the DOM: Security component
* CVE-2026-0878 (bmo#2003989)
Sandbox escape due to incorrect boundary conditions in the
Graphics: CanvasWebGL component
* CVE-2026-0879 (bmo#2004602)
Sandbox escape due to incorrect boundary conditions in the
Graphics component
* CVE-2026-0880 (bmo#2005014)
Sandbox escape due to integer overflow in the Graphics
component
* CVE-2026-0882 (bmo#1924125)
Use-after-free in the IPC component
* CVE-2025-14327 (bmo#1970743)
Spoofing issue in the Downloads Panel component
* CVE-2026-0883 (bmo#1989340)
Information disclosure in the Networking component
* CVE-2026-0884 (bmo#2003588)
Use-after-free in the JavaScript Engine component
* CVE-2026-0885 (bmo#2003607)
Use-after-free in the JavaScript: GC component
* CVE-2026-0886 (bmo#2005658)
Incorrect boundary conditions in the Graphics component
* CVE-2026-0887 (bmo#2006500)
Clickjacking issue, information disclosure in the PDF Viewer
component
* CVE-2026-0890 (bmo#2005081)
Spoofing issue in the DOM: Copy & Paste and Drag & Drop
component
* CVE-2026-0891 (bmo#1964722, bmo#2000981, bmo#2003100,
bmo#2003278)
Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird
ESR 140.7, Firefox 147 and Thunderbird 147
ImportantSUSE bug 1253718SUSE bug 1256340SUSE bug 1257397SUSE bug 1258231SUSE bug 1258568CVE-2025-14327 at SUSECVE-2025-14327 at NVDCVE-2026-0818 at SUSECVE-2026-0818 at NVDCVE-2026-0877 at SUSECVE-2026-0877 at NVDCVE-2026-0878 at SUSECVE-2026-0878 at NVDCVE-2026-0879 at SUSECVE-2026-0879 at NVDCVE-2026-0880 at SUSECVE-2026-0880 at NVDCVE-2026-0882 at SUSECVE-2026-0882 at NVDCVE-2026-0883 at SUSECVE-2026-0883 at NVDCVE-2026-0884 at SUSECVE-2026-0884 at NVDCVE-2026-0885 at SUSECVE-2026-0885 at NVDCVE-2026-0886 at SUSECVE-2026-0886 at NVDCVE-2026-0887 at SUSECVE-2026-0887 at NVDCVE-2026-0890 at SUSECVE-2026-0890 at NVDCVE-2026-0891 at SUSECVE-2026-0891 at NVDCVE-2026-2447 at SUSECVE-2026-2447 at NVDCVE-2026-2757 at SUSECVE-2026-2757 at NVDCVE-2026-2758 at SUSECVE-2026-2758 at NVDCVE-2026-2759 at SUSECVE-2026-2759 at NVDCVE-2026-2760 at SUSECVE-2026-2760 at NVDCVE-2026-2761 at SUSECVE-2026-2761 at NVDCVE-2026-2762 at SUSECVE-2026-2762 at NVDCVE-2026-2763 at SUSECVE-2026-2763 at NVDCVE-2026-2764 at SUSECVE-2026-2764 at NVDCVE-2026-2765 at SUSECVE-2026-2765 at NVDCVE-2026-2766 at SUSECVE-2026-2766 at NVDCVE-2026-2767 at SUSECVE-2026-2767 at NVDCVE-2026-2768 at SUSECVE-2026-2768 at NVDCVE-2026-2769 at SUSECVE-2026-2769 at NVDCVE-2026-2770 at SUSECVE-2026-2770 at NVDCVE-2026-2771 at SUSECVE-2026-2771 at NVDCVE-2026-2772 at SUSECVE-2026-2772 at NVDCVE-2026-2773 at SUSECVE-2026-2773 at NVDCVE-2026-2774 at SUSECVE-2026-2774 at NVDCVE-2026-2775 at SUSECVE-2026-2775 at NVDCVE-2026-2776 at SUSECVE-2026-2776 at NVDCVE-2026-2777 at SUSECVE-2026-2777 at NVDCVE-2026-2778 at SUSECVE-2026-2778 at NVDCVE-2026-2779 at SUSECVE-2026-2779 at NVDCVE-2026-2780 at SUSECVE-2026-2780 at NVDCVE-2026-2781 at SUSECVE-2026-2781 at NVDCVE-2026-2782 at SUSECVE-2026-2782 at NVDCVE-2026-2783 at SUSECVE-2026-2783 at NVDCVE-2026-2784 at SUSECVE-2026-2784 at NVDCVE-2026-2785 at SUSECVE-2026-2785 at NVDCVE-2026-2786 at SUSECVE-2026-2786 at NVDCVE-2026-2787 at SUSECVE-2026-2787 at NVDCVE-2026-2788 at SUSECVE-2026-2788 at NVDCVE-2026-2789 at SUSECVE-2026-2789 at NVDCVE-2026-2790 at SUSECVE-2026-2790 at NVDCVE-2026-2791 at SUSECVE-2026-2791 at NVDCVE-2026-2792 at SUSECVE-2026-2792 at NVDCVE-2026-2793 at SUSECVE-2026-2793 at NVDSecurity update for python-Authlib (Critical)openSUSE Leap 16.0
This update for python-Authlib fixes the following issues:
Changes in python-Authlib:
- CVE-2026-27962: JWS `deserialize_compact()` allows for signature bypass by
accepting user-controlled embedded JWK as verification key (bsc#1259738)
- CVE-2026-28490: cryptographic padding oracle in JWE RSA1_5 key management
algorithm (bsc#1259736)
- CVE-2026-28498: fail-open in behavior OIDC hash validation allows for bypass
mandatory integrity protections (bsc#1259737)
CriticalSUSE bug 1259736SUSE bug 1259737SUSE bug 1259738CVE-2026-27962 at SUSECVE-2026-27962 at NVDCVE-2026-28490 at SUSECVE-2026-28490 at NVDCVE-2026-28498 at SUSECVE-2026-28498 at NVDSecurity update for python-simpleeval (Important)openSUSE Leap 16.0
This update for python-simpleeval fixes the following issues:
Changes in python-simpleeval:
- CVE-2026-32640: Objects (including modules) can leak dangerous modules
through to direct access inside the sandbox (bsc#1259685)
ImportantSUSE bug 1259685CVE-2026-32640 at SUSECVE-2026-32640 at NVDSecurity update for mumble (Low)openSUSE Leap 16.0
This update for mumble fixes the following issues:
Changes in mumble:
- CVE-2025-71264: (opus) incorrect size calculations allow for an
out-of-bounds array access and can lead to a client crash (boo#1259721)
- Update to version 1.5.857:
* fixes for undesired ACL behavior
* Client bug fixes: UI, memory leaks, audio mute/volume behavior
LowSUSE bug 1259721CVE-2025-71264 at SUSECVE-2025-71264 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 146.0.7680.153 (boo#1259964):
* CVE-2026-4439: Out of bounds memory access in WebGL
* CVE-2026-4440: Out of bounds read and write in WebGL
* CVE-2026-4441: Use after free in Base
* CVE-2026-4442: Heap buffer overflow in CSS
* CVE-2026-4443: Heap buffer overflow in WebAudio
* CVE-2026-4444: Stack buffer overflow in WebRTC
* CVE-2026-4445: Use after free in WebRTC
* CVE-2026-4446: Use after free in WebRTC
* CVE-2026-4447: Inappropriate implementation in V8
* CVE-2026-4448: Heap buffer overflow in ANGLE
* CVE-2026-4449: Use after free in Blink
* CVE-2026-4450: Out of bounds write in V8
* CVE-2026-4451: Insufficient validation of untrusted input in Navigation
* CVE-2026-4452: Integer overflow in ANGLE
* CVE-2026-4453: Integer overflow in Dawn
* CVE-2026-4454: Use after free in Network
* CVE-2026-4455: Heap buffer overflow in PDFium
* CVE-2026-4456: Use after free in Digital Credentials API
* CVE-2026-4457: Type Confusion in V8
* CVE-2026-4458: Use after free in Extensions
* CVE-2026-4459: Out of bounds read and write in WebAudio
* CVE-2026-4460: Out of bounds read in Skia
* CVE-2026-4461: Inappropriate implementation in V8
* CVE-2026-4462: Out of bounds read in Blink
* CVE-2026-4463: Heap buffer overflow in WebRTC
* CVE-2026-4464: Integer overflow in ANGLE
ImportantSUSE bug 1259964CVE-2026-4439 at SUSECVE-2026-4439 at NVDCVE-2026-4440 at SUSECVE-2026-4440 at NVDCVE-2026-4441 at SUSECVE-2026-4441 at NVDCVE-2026-4442 at SUSECVE-2026-4442 at NVDCVE-2026-4443 at SUSECVE-2026-4443 at NVDCVE-2026-4444 at SUSECVE-2026-4444 at NVDCVE-2026-4445 at SUSECVE-2026-4445 at NVDCVE-2026-4446 at SUSECVE-2026-4446 at NVDCVE-2026-4447 at SUSECVE-2026-4447 at NVDCVE-2026-4448 at SUSECVE-2026-4448 at NVDCVE-2026-4449 at SUSECVE-2026-4449 at NVDCVE-2026-4450 at SUSECVE-2026-4450 at NVDCVE-2026-4451 at SUSECVE-2026-4451 at NVDCVE-2026-4452 at SUSECVE-2026-4452 at NVDCVE-2026-4453 at SUSECVE-2026-4453 at NVDCVE-2026-4454 at SUSECVE-2026-4454 at NVDCVE-2026-4455 at SUSECVE-2026-4455 at NVDCVE-2026-4456 at SUSECVE-2026-4456 at NVDCVE-2026-4457 at SUSECVE-2026-4457 at NVDCVE-2026-4458 at SUSECVE-2026-4458 at NVDCVE-2026-4459 at SUSECVE-2026-4459 at NVDCVE-2026-4460 at SUSECVE-2026-4460 at NVDCVE-2026-4461 at SUSECVE-2026-4461 at NVDCVE-2026-4462 at SUSECVE-2026-4462 at NVDCVE-2026-4463 at SUSECVE-2026-4463 at NVDCVE-2026-4464 at SUSECVE-2026-4464 at NVDSecurity update for freeciv (Moderate)openSUSE Leap 16.0
This update for freeciv fixes the following issues:
Changes in freeciv:
- freeciv 3.2.4:
* CVE-2026-33250: Fix a vulnerability allowing remote crashing
of the server (boo#1260036)
* SDL2 client: Fix crash on selecting nation style or nation
- includes changes from version 3.2.3:
* Restore server to sane state after savegame loading failures
* Assert unit goto tile validity rather than outright crashing
* Improvements to AI players
* Client UI tweaks and bug fixes
* translation updates
- freeciv 3.2.2, a compatible general bugfix release:
* Fix backward compatibility in loading unit actions from a savegame
* Fix crashes after continuing game from a savegame
* Fix an error after player is added mid-game
* Fix various crashes in client, and client UI tweaks
- freeciv 3.2.1, a compatible general bugfix release:
* Fixes for units carrying goods
* Fix no city being considered capital for a turn after savegame
loading
* Corrected what situations make it impossible to airlift a unit
* Fix culture victory with very high values of culture
* Client UI and crash fixes
ModerateSUSE bug 1248258SUSE bug 1260036CVE-2026-33250 at SUSECVE-2026-33250 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 146.0.7680.164 (boo#1260376)
* CVE-2026-4673: Heap buffer overflow in WebAudio
* CVE-2026-4674: Out of bounds read in CSS
* CVE-2026-4675: Heap buffer overflow in WebGL
* CVE-2026-4676: Use after free in Dawn
* CVE-2026-4677: Out of bounds read in WebAudio
* CVE-2026-4678: Use after free in WebGPU
* CVE-2026-4679: Integer overflow in Fonts
* CVE-2026-4680: Use after free in FedCM
ImportantSUSE bug 1260376CVE-2026-4673 at SUSECVE-2026-4673 at NVDCVE-2026-4674 at SUSECVE-2026-4674 at NVDCVE-2026-4675 at SUSECVE-2026-4675 at NVDCVE-2026-4676 at SUSECVE-2026-4676 at NVDCVE-2026-4677 at SUSECVE-2026-4677 at NVDCVE-2026-4678 at SUSECVE-2026-4678 at NVDCVE-2026-4679 at SUSECVE-2026-4679 at NVDCVE-2026-4680 at SUSECVE-2026-4680 at NVDSecurity update for gimp (Important)openSUSE Leap 16.0
This update for gimp fixes the following issues:
Changes in gimp:
- CVE-2026-4150: Fixed PSD file parsing integer overflow vulnerability (bsc#1259979)
= CVE-2026-4151: Fixed ANI file parsing integer overflow vulnerability (bsc#1259983)
- CVE-2026-4153: Fixed PSP file parsing heap-based buffer overflow vulnerability (bsc#1259984)
- CVE-2026-4154: Fixed XPM file parsing integer overflow vulnerability (bsc#1259986)
ImportantSUSE bug 1259979SUSE bug 1259983SUSE bug 1259984SUSE bug 1259986CVE-2026-4150 at SUSECVE-2026-4150 at NVDCVE-2026-4151 at SUSECVE-2026-4151 at NVDCVE-2026-4153 at SUSECVE-2026-4153 at NVDCVE-2026-4154 at SUSECVE-2026-4154 at NVDSecurity update for python-dynaconf (Important)openSUSE Leap 16.0
This update for python-dynaconf fixes the following issues:
Changes in python-dynaconf:
- CVE-2026-33154: Server-Side Template Injection in the @Jinja resolver (bsc#1260063)
ImportantSUSE bug 1260063CVE-2026-33154 at SUSECVE-2026-33154 at NVDSecurity update for python-PyPDF2 (Moderate)openSUSE Leap 16.0
This update for python-PyPDF2 fixes the following issues:
Changes in python-PyPDF2:
- CVE-2026-33123: Fixed excessive resource consumption when processing specially
crafted PDF due to inefficient decoding of array-based streams (bsc#1259992)
ModerateSUSE bug 1259992CVE-2026-33123 at SUSECVE-2026-33123 at NVDSecurity update for tinyproxy (Important)openSUSE Leap 16.0
This update for tinyproxy fixes the following issues:
Changes in tinyproxy:
- CVE-2026-3945: Fixed denial of service by unauthenticated remote attacker (boo#1261024)
- Update to release 1.11.3
* conf: add BasicAuthRealm feature
* basic auth: fix error status 401 vs 407
* tinyproxy.conf.5: explain what a site_spec looks like
* tinyproxy.conf.5: add an IPv6 example to allow/deny section
* reqs: fix integer overflow in port number processing
ImportantSUSE bug 1261024CVE-2026-3945 at SUSECVE-2026-3945 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 146.0.7680.177 (boo#1261249)
* CVE-2026-5273: Use after free in CSS
* CVE-2026-5272: Heap buffer overflow in GPU
* CVE-2026-5274: Integer overflow in Codecs
* CVE-2026-5275: Heap buffer overflow in ANGLE
* CVE-2026-5276: Insufficient policy enforcement in WebUSB
* CVE-2026-5277: Integer overflow in ANGLE
* CVE-2026-5278: Use after free in Web MIDI
* CVE-2026-5279: Object corruption in V8
* CVE-2026-5280: Use after free in WebCodecs
* CVE-2026-5281: Use after free in Dawn
* CVE-2026-5282: Out of bounds read in WebCodecs
* CVE-2026-5283: Inappropriate implementation in ANGLE
* CVE-2026-5284: Use after free in Dawn
* CVE-2026-5285: Use after free in WebGL
* CVE-2026-5286: Use after free in Dawn
* CVE-2026-5287: Use after free in PDF
* CVE-2026-5288: Use after free in WebView
* CVE-2026-5289: Use after free in Navigation
* CVE-2026-5290: Use after free in Compositing
* CVE-2026-5291: Inappropriate implementation in WebGL
* CVE-2026-5292: Out of bounds read in WebCodecs
ImportantSUSE bug 1261249CVE-2026-5272 at SUSECVE-2026-5272 at NVDCVE-2026-5273 at SUSECVE-2026-5273 at NVDCVE-2026-5274 at SUSECVE-2026-5274 at NVDCVE-2026-5275 at SUSECVE-2026-5275 at NVDCVE-2026-5276 at SUSECVE-2026-5276 at NVDCVE-2026-5277 at SUSECVE-2026-5277 at NVDCVE-2026-5278 at SUSECVE-2026-5278 at NVDCVE-2026-5279 at SUSECVE-2026-5279 at NVDCVE-2026-5280 at SUSECVE-2026-5280 at NVDCVE-2026-5281 at SUSECVE-2026-5281 at NVDCVE-2026-5282 at SUSECVE-2026-5282 at NVDCVE-2026-5283 at SUSECVE-2026-5283 at NVDCVE-2026-5284 at SUSECVE-2026-5284 at NVDCVE-2026-5285 at SUSECVE-2026-5285 at NVDCVE-2026-5286 at SUSECVE-2026-5286 at NVDCVE-2026-5287 at SUSECVE-2026-5287 at NVDCVE-2026-5288 at SUSECVE-2026-5288 at NVDCVE-2026-5289 at SUSECVE-2026-5289 at NVDCVE-2026-5290 at SUSECVE-2026-5290 at NVDCVE-2026-5291 at SUSECVE-2026-5291 at NVDCVE-2026-5292 at SUSECVE-2026-5292 at NVDSecurity update for osslsigncode (Critical)openSUSE Leap 16.0
This update for osslsigncode fixes the following issues:
Changes in osslsigncode:
- Update to 2.13 (bsc#1260680, CVE-2025-70888):
* fixed integer overflows when processing APPX compressed data
streams
* fixed double-free vulnerabilities in APPX file processing
* fixed multiple memory corruption issues in PE page hash
computation
- Changes from 2.12:
* fixed a buffer overflow while extracting message digests
- Changes from 2.11:
* added keyUsage validation for signer certificate
* added printing CRL details during signature verification
* implemented a workaround for CRL servers returning the
HTTP Content-Type header other than application/pkix-crl
* fixed HTTP keep-alive handling
* fixed macOS compiler and linker flags
* fixed undefined BIO_get_fp() behavior with
BIO_FLAGS_UPLINK_INTERNAL
- update to 2.10:
* added JavaScript signing
* added PKCS#11 provider support (requires OpenSSL 3.0+)
* added support for providers without specifying
"-pkcs11module" option
* (OpenSSL 3.0+, e.g., for the upcoming CNG provider)
* added compatibility with the CNG engine version 1.1 or later
* added the "-engineCtrl" option to control hardware and CNG
engines
* added the '-blobFile' option to specify a file containing the
blob content
* improved unauthenticated blob support (thanks to Asger Hautop
Drewsen)
* improved UTF-8 handling for certificate subjects and issuers
* fixed support for multiple signerInfo contentType OIDs (CTL
and Authenticode)
* fixed tests for python-cryptography >= 43.0.0
- update to version 2.9:
* added a 64 bit long pseudo-random NONCE in the TSA request
* missing NID_pkcs9_signingTime is no longer an error
* added support for PEM-encoded CRLs
* fixed the APPX central directory sorting order
* added a special "-" file name to read the passphrase from
stdin
* used native HTTP client with OpenSSL 3.x, removing libcurl
dependency
* added '-login' option to force a login to PKCS11 engines
* added the "-ignore-crl" option to disable fetching and
verifying CRL Distribution Points
* changed error output to stderr instead of stdout
* various testing framework improvements
* various memory corruption fixes
- update to version 2.8:
* Microsoft PowerShell signing sponsored by Cisco Systems, Inc.
* fixed setting unauthenticated attributes (Countersignature,
Unauthenticated
* Data Blob) in a nested signature
* added the "-index" option to verify a specific signature or
modify its unauthenticated attributes
* added CAT file verification
* added listing the contents of a CAT file with the "-verbose"
option
* added the new "extract-data" command to extract a PKCS#7 data
content to be signed with "sign" and attached with "attach-signature"
* added PKCS9_SEQUENCE_NUMBER authenticated attribute support
* added the "-ignore-cdp" option to disable CRL Distribution
Points (CDP) online verification
* unsuccessful CRL retrieval and verification changed into a
critical error the "-p" option modified to also use to
configured proxy to connect CRL Distribution Points
* added implicit allowlisting of the Microsoft Root Authority
serial number 00C1008B3C3C8811D13EF663ECDF40
* added listing of certificate chain retrieved from the
signature in case of verification failure
CriticalSUSE bug 1260680CVE-2025-70888 at SUSECVE-2025-70888 at NVDSecurity update for chromium (Moderate)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Chromium 142.0.7444.134 (boo#1253089):
* CVE-2025-12725: Out of bounds write in WebGPU
* CVE-2025-12726: Inappropriate implementation in Views
* CVE-2025-12727: Inappropriate implementation in V8
* CVE-2025-12728: Inappropriate implementation in Omnibox
* CVE-2025-12729: Inappropriate implementation in Omnibox
ModerateSUSE bug 1253089CVE-2025-12725 at SUSECVE-2025-12725 at NVDCVE-2025-12726 at SUSECVE-2025-12726 at NVDCVE-2025-12727 at SUSECVE-2025-12727 at NVDCVE-2025-12728 at SUSECVE-2025-12728 at NVDCVE-2025-12729 at SUSECVE-2025-12729 at NVDSecurity update for mapserver (Moderate)openSUSE Leap 16.0
This update for mapserver fixes the following issues:
Changes in mapserver:
- Update to release 8.6.1
* msSLDParseRasterSymbolizer: fix potential heap buffer overflow
[boo#1260869] [CVE-2026-33721]
* GetFeatureInfo with IDENTIFY CLASSAUTO: take into account
SYMBOL.ANCHORPOINT
* WCS 2.0: fix issue when input raster in a rotated pole lon/lat
CRS with lon_0?> 180
* UVRaster: fix WMS-Time support on layers with TILEINDEX
pointing to a shapefile
* WMS GetCapabilities response: use group title and abstract when
using wms_layer_group instead of GROUP
- Update to release 8.6.0
* Add `CONNECTIONTYPE RASTERLABEL`
* Set `MS_LEGEND_KEYSIZE_MAX` to 1000
* Add 4 new `COMPOSITE.COMPOP` blending operations
* Allow encryption key files to use paths relative to a mapfile
* Allow `use_default_extent_for_getfeature` to be used for OGC
Features API and PostGIS
* Allow append of additional query parameters for OGCAPI
* New MapServer index page
* WMS `GetFeatureInfo`: add options to precisely identify points
through their symbols
* Add `FALLBACK` parameter for the `CLASS` object, to be applied
if none of the previously defined classes has been applied
ModerateSUSE bug 1260869CVE-2026-33721 at SUSECVE-2026-33721 at NVDSecurity update for aws-c-event-stream (Important)openSUSE Leap 16.0
This update for aws-c-event-stream fixes the following issues:
Changes in aws-c-event-stream:
- CVE-2026-5190: Fixed a out-of-bounds write caused by crafted event-stream messages (bsc#1261298)
ImportantSUSE bug 1261298CVE-2026-5190 at SUSECVE-2026-5190 at NVDSecurity update for certbot (Important)openSUSE Leap 16.0
This update for certbot fixes the following issues:
This update adds the certbot stack. (python modules: ConfigArgParse, acme, certbot, certbot-nginx, josepy, pyRFC3339).
ImportantSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
Chromium 142.0.7444.175 (boo#1253698):
* CVE-2025-13223: Type Confusion in V8
* CVE-2025-13224: Type Confusion in V8
ImportantSUSE bug 1253698CVE-2025-13223 at SUSECVE-2025-13223 at NVDCVE-2025-13224 at SUSECVE-2025-13224 at NVDSecurity update for MozillaThunderbird (Important)openSUSE Leap 16.0
This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
Mozilla Thunderbird 140.5.0 ESR
MFSA 2025-91 (bsc#1253188):
* CVE-2025-13012
Race condition in the Graphics component
* CVE-2025-13016
Incorrect boundary conditions in the JavaScript: WebAssembly
component
* CVE-2025-13017
Same-origin policy bypass in the DOM: Notifications component
* CVE-2025-13018
Mitigation bypass in the DOM: Security component
* CVE-2025-13019
Same-origin policy bypass in the DOM: Workers component
* CVE-2025-13013
Mitigation bypass in the DOM: Core & HTML component
* CVE-2025-13020
Use-after-free in the WebRTC: Audio/Video component
* CVE-2025-13014
Use-after-free in the Audio/Video component
* CVE-2025-13015
Spoofing issue in Thunderbird
* fixed: Could not drag and drop ICS file to Today Pane
* fixed: With Thunderbird closed, clicking a 'mailto:' link to
send signed message failed
* fixed: Upgrade from 128.x->140.x broke authentication for
@att.net using Yahoo backend
Mozilla Thunderbird 140.4.0 ESR
* Account Hub is now disabled by default for second email account
* Users could not read mail signed with OpenPGP v6 and PQC keys
* Image preview in Insert Image dialog failed with CSP error for web resources
* Emptying trash on exit did not work with some providers
* Thunderbird could crash when applying filters
* Users were unable to override expired mail server certificate
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
Mozilla Thunderbird 140.3.1 ESR:
* several bugfixes listed here
https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
-------------------------------------------------------------------
ImportantSUSE bug 1253188CVE-2025-13012 at SUSECVE-2025-13012 at NVDCVE-2025-13013 at SUSECVE-2025-13013 at NVDCVE-2025-13014 at SUSECVE-2025-13014 at NVDCVE-2025-13015 at SUSECVE-2025-13015 at NVDCVE-2025-13016 at SUSECVE-2025-13016 at NVDCVE-2025-13017 at SUSECVE-2025-13017 at NVDCVE-2025-13018 at SUSECVE-2025-13018 at NVDCVE-2025-13019 at SUSECVE-2025-13019 at NVDCVE-2025-13020 at SUSECVE-2025-13020 at NVDSecurity update for chromium (Moderate)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Chromium 141.0.7390.107:
* CVE-2025-11756: Use after free in Safe Browsing (boo#1252013)
ModerateSUSE bug 1252013CVE-2025-11756 at SUSECVE-2025-11756 at NVDSecurity update for helmfile (Important)openSUSE Leap 16.0
This update for helmfile fixes the following issues:
Changes in helmfile:
Update to version 1.1.9:
* feat: update strategy for reinstall by @simbou2000 in #2019
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3
from 1.88.7 to 1.89.0 by @dependabot[bot] in #2239
* Fix: Handle empty helmBinary in base files with environment
values by @Copilot in #2237
Update to version 1.1.8:
* build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to
1.8.1 by @dependabot[bot] in #2194
* fix typos in both comment and error message by @d-fal in #2199
* cleanup disk in release ci by @yxxhero in #2203
* Migrate AWS SDK from v1 to v2 to resolve deprecation warnings
by @Copilot in #2202
* build(deps): bump github.com/helmfile/vals from 0.42.1 to 0.42.2
by @dependabot[bot] in #2200
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.2 to 1.88.3 by @dependabot[bot] in #2206
* Bump Alpine to 3.22 in Dockerfile by @orishamir in #2205
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from
1.31.10 to 1.31.12 by @dependabot[bot] in #2207
* Add yq to Dockerfile by @orishamir in #2208
* fix: skip chartify for build command jsonPatches by @sstarcher
in #2212
* build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to
1.8.2 by @dependabot[bot] in #2210
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.3 to 1.88.4 by @dependabot[bot] in #2213
* build(deps): bump golang.org/x/term from 0.35.0 to 0.36.0 by
@dependabot[bot] in #2214
* Avoid fetching same chart/version multiple times by @Copilot
in #2197
* build(deps): bump github.com/helmfile/vals from 0.42.2 to
0.42.4 by @dependabot[bot] in #2217
* docs: add zread badge to README by @yxxhero in #2219
* Bump helm-diff to v3.13.1 by @Copilot in #2223
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.4 to 1.88.5 by @dependabot[bot] in #2226
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from
1.31.12 to 1.31.13 by @dependabot[bot] in #2225
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.5 to 1.88.6 by @dependabot[bot] in #2230
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.6 to 1.88.7 by @dependabot[bot] in #2232
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from
1.31.13 to 1.31.15 by @dependabot[bot] in #2233
* Fix helmBinary and kustomizeBinary being ignored when using
bases by @Copilot in #2228
Update to version 1.1.7:
What's Changed
* fix pflag error by @zhaque44 in #2164
* build(deps): bump actions/setup-go from 5 to 6 by
@dependabot[bot] in #2166
* build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to
1.7.10 by @dependabot[bot] in #2165
* build(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10
by @dependabot[bot] in #2163
* Add helm diff installation to README by @nwneisen in #2170
* build(deps): bump github.com/hashicorp/go-getter from 1.7.10
to 1.8.0 by @dependabot[bot] in #2175
* build(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 by
@dependabot[bot] in #2174
* build(deps): bump github.com/zclconf/go-cty from 1.16.4 to
1.17.0 by @dependabot[bot] in #2173
* Fix panic when helm isn't installed by @nwneisen in #2169
* build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by
@dependabot[bot] in #2172
* ci: update minikube and kubernetes versions by @yxxhero in #2181
* build(deps): bump k8s.io/apimachinery from 0.34.0 to 0.34.1 by
@dependabot[bot] in #2180
* Remove deprecated --wait-retries flag support to fix Helm
compatibility error by @Copilot in #2179
* build(deps): bump go.yaml.in/yaml/v2 from 2.4.2 to 2.4.3 by
@dependabot[bot] in #2183
* build: update Helm to v3.19.0 across all components by @yxxhero
in #2187
* build: update helm-diff plugin to v3.13.0 by @yxxhero in #2189
* feat: Implement caching for pulling OCI charts by @mustdiechik
in #2171
* build(deps): bump github.com/helmfile/chartify from 0.24.7 to
0.25.0 by @dependabot[bot] in #2190
- Update to version 1.1.6:
What's Changed
* build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to
1.7.9 by @dependabot[bot] in #2139
* build(deps): bump github.com/zclconf/go-cty from 1.16.3 to
1.16.4 by @dependabot[bot] in #2145
* build: update helm to v3.18.6 by @yxxhero in #2144
* build(deps): bump github.com/stretchr/testify from 1.10.0 to
1.11.0 by @dependabot[bot] in #2150
* Add missing --timeout flag to helmfile sync command with
documentation by @Copilot in #2148
* Fix enableDNS flag missing in diff command and refactor
duplicate logic by @Copilot in #2147
* build(deps): bump github.com/stretchr/testify from 1.11.0 to
1.11.1 by @dependabot[bot] in #2151
* build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14
by @dependabot[bot] in #2154
* Bump github.com/ulikunitz/xz from v0.5.14 to v0.5.15 by @Copilot
in #2159
* build(deps): bump github.com/helmfile/vals from 0.42.0 to
0.42.1 by @dependabot[bot] in #2161
* build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9
by @dependabot[bot] in #2160
* build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1
by @dependabot[bot] in #2162
* Fix error propagation in helmfile diff when Kubernetes is
unreachable by @Copilot in #2149
- Update to version 1.1.5:
What's Changed
* build(deps): bump actions/checkout from 4 to 5 by
@dependabot[bot] in #2128
* Update recommended Helm versions in init.go and run.sh by
@yxxhero in #2129
* Add comprehensive .github/copilot-instructions.md for coding
agents by @Copilot in #2131
* refactor(state): extract getMissingFileHandler method for
clarity by @yxxhero in #2133
* Fix parseHelmVersion to handle helm versions without 'v'
prefix by @Copilot in #2132
* build(deps): bump k8s.io/apimachinery from 0.33.3 to 0.33.4
by @dependabot[bot] in #2136
* build(deps): bump github.com/helmfile/chartify from 0.24.6 to
0.24.7 by @dependabot[bot] in #2135
- Update to version 1.1.4:
What's Changed
* build(deps): bump github.com/helmfile/vals from 0.41.2 to
0.41.3 by @dependabot[bot] in #2100
* build(deps): bump k8s.io/apimachinery from 0.33.2 to 0.33.3
by @dependabot[bot] in #2101
* fix: update Helm version to v3.17.4 in CI and init.go by
@yxxhero in #2102
* build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7
by @dependabot[bot] in #2104
* feat(state): add missingFileHandlerConfig and related logic
by @yxxhero in #2105
* refactor(filesystem): add CopyDir method and optimize Fetch
function by @yxxhero in #2111
* Allow caching of remote files to be disabled by @jess-sol in
#2112
* refactor(yaml): switch yaml library import paths from gopkg.in
to go.yaml.in by @yxxhero in #2114
* build(deps): bump actions/download-artifact from 4 to 5 by
@dependabot[bot] in #2121
* build(deps): bump golang.org/x/term from 0.33.0 to 0.34.0 by
@dependabot[bot] in #2123
- Update to version 1.1.3:
What's Changed
* build: update Helm to v3.18.3 and related dependencies by
@yxxhero in #2082
* Expose release version as .Release.ChartVersion for templating
by @Simske in #2080
* build(deps): bump github.com/helmfile/chartify from 0.24.3 to
0.24.4 by @dependabot[bot] in #2083
* build(deps): bump k8s.io/apimachinery from 0.33.1 to 0.33.2
by @dependabot[bot] in #2086
* build(deps): bump github.com/helmfile/chartify from 0.24.4 to
0.24.5 by @dependabot[bot] in #2087
* build(deps): bump github.com/Masterminds/semver/v3 from 3.3.1
to 3.4.0 by @dependabot[bot] in #2089
* build(deps): bump github.com/hashicorp/hcl/v2 from 2.23.0 to
2.24.0 by @dependabot[bot] in #2092
* build: update Helm and plugin versions to v3.18.4 and v3.12.3
by @yxxhero in #2093
* docs: update status section with May 2025 release information
by @yxxhero in #2096
* build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 by
@dependabot[bot] in #2099
* build(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 by
@dependabot[bot] in #2098
- Update to version 1.1.2:
What's Changed
* build(deps): bump github.com/helmfile/chartify from 0.24.2 to
0.24.3 by @dependabot in #2065
* build: update Helm to v3.18.2 and adjust related configurations
by @yxxhero in #2064
* build(deps): bump github.com/helmfile/vals from 0.41.1 to
0.41.2 by @dependabot in #2067
* build(deps): bump golang.org/x/sync from 0.14.0 to 0.15.0
by @dependabot in #2068
* fix-insecure-flag by @anontrex in #2072
* build(deps): bump github.com/cloudflare/circl from 1.4.0 to
1.6.1 by @dependabot in #2074
* fix: update helm-diff to version 3.12.2 in CI and Dockerfiles
by @yxxhero in #2073
* fix: TestToYaml not working with 32-bit architectures by
@ProbstDJakob in #2075
- Update to version 1.1.1:
What's Changed
* Update README.md by @mumoshu in #2046
* build(deps): bump github.com/helmfile/vals from 0.41.0 to
0.41.1 by @dependabot in #2048
* build(helm) update to v3.18.0 by @yxxhero in #2044
* build(deps): bump github.com/helmfile/chartify from 0.23.0 to
0.24.1 by @dependabot in #2049
* build: update Helm and plugin versions in CI and Dockerfiles
by @yxxhero in #2059
- Update to version 1.1.0:
What's Changed
* chore: fix typo in create_test.go by @sadikkuzu in #2025
* build(deps): bump golangci/golangci-lint-action from 7 to 8 by
@dependabot in #2029
* build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 by
@dependabot in #2028
* build(deps): bump github.com/helmfile/chartify from 0.22.0 to
0.23.0 by @dependabot in #2027
* chore: remove test data files by @yxxhero in #2026
* build(deps): bump golang.org/x/term from 0.31.0 to 0.32.0 by
@dependabot in #2033
* build(deps): bump github.com/helmfile/vals from 0.40.1 to
0.41.0 by @dependabot in #2032
* build(deps): bump dario.cat/mergo from 1.0.1 to 1.0.2 by
@dependabot in #2035
* feat(tmpl): enhance ToYaml test with multiple scenarios by
@yxxhero in #2031
* [sops, age] update to have SSH key support with sops by
@itscaro in #2036
* feat(yaml): add JSON style encoding option to NewEncoder by
@yxxhero in #2038
* refactor(yaml): upgrade from gopkg.in/yaml.v2 to v3 by @yxxhero
in #2039
* Update readme & documentation with 2025 status of helmfile
project by @zhaque44 in #2040
* build(deps): bump k8s.io/apimachinery from 0.33.0 to 0.33.1 by
@dependabot in #2041
* build(deps): bump github.com/zclconf/go-cty from 1.16.2 to
1.16.3 by @dependabot in #2043
- Update to version 1.0.0:
PLEASE READ
https://github.com/helmfile/helmfile/blob/main/docs/proposals/towards-1.0.md
What's Changed:
* build(deps): bump github.com/helmfile/vals from 0.39.0 to 0.39.1
by @dependabot in #1926
* Bump kubectl to current version (1.32.1) by @DerDaku in #1924
* build(deps): bump github.com/goccy/go-yaml from 1.15.21 to 1.15.22
by @dependabot in #1925
* build: update Helm to v3.17.1 and related dependencies by
@yxxhero in #1928
* build(deps): bump k8s.io/apimachinery from 0.32.1 to 0.32.2 by
@dependabot in #1931
* feat: inject cli state values (--state-values-set) into environment
templating context by @Vince-Chenal in #1917
* docs: add skipSchemaValidation to index.md and update related
structs by @yxxhero in #1935
* refactor(state): optimize HelmState flags handling by @yxxhero
in #1937
* Update vals package to v0.39.2 by @aditmeno in #1938
* build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by
@dependabot in #1940
* build(deps): bump github.com/goccy/go-yaml from 1.15.22 to 1.15.23
by @dependabot in #1941
* build(deps): bump github.com/helmfile/chartify from 0.20.8 to
0.20.9 by @dependabot in #1942
* feat: colorized DELETED by @yurrriq in #1944
* feat(docs): add proposal to remove charts and delete subcommands
by @yxxhero in #1936
* build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
by @dependabot in #1945
* build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to
4.0.5 by @dependabot in #1946
* build: update golang version to 1.24 and golangci-lint to
v1.64.5 by @yxxhero in #1949
* build(deps): bump github.com/helmfile/vals from 0.39.2 to 0.39.3
by @dependabot in #1951
* build(deps): bump github.com/helmfile/chartify from 0.20.9 to
0.21.0 by @dependabot in #1950
* build(deps): bump golang.org/x/sync from 0.11.0 to 0.12.0 by
@dependabot in #1955
* build(deps): bump jinja2 from 3.1.5 to 3.1.6 in /docs by
@dependabot in #1956
* Don't warn if this and the needed release set installed: false
by @jayme-github in #1958
* build(deps): bump golang.org/x/term from 0.29.0 to 0.30.0 by
@dependabot in #1959
* Remove all v0.x references by @yxxhero in #1919
* build(deps): bump k8s.io/apimachinery from 0.32.2 to 0.32.3
by @dependabot in #1960
* build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 by
@dependabot in #1961
* build(deps): bump github.com/helmfile/vals from 0.39.3 to 0.39.4
by @dependabot in #1962
* build: update Helm to v3.17.2 and related dependencies by
@yxxhero in #1965
* build: update yaml.v3 dependency and remove colega/go-yaml-yaml
by @yxxhero in #1929
* build(deps): bump github.com/containerd/containerd from 1.7.24
to 1.7.27 by @dependabot in #1966
* build(deps): bump github.com/goccy/go-yaml from 1.15.23 to
1.16.0 by @dependabot in #1967
* build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to
5.2.2 by @dependabot in #1969
* build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to
4.5.2 by @dependabot in #1970
* build(deps): bump golangci/golangci-lint-action from 6 to 7
by @dependabot in #1975
* build(deps): bump github.com/helmfile/vals from 0.39.4 to
0.40.0 by @dependabot in #1978
* build(deps): bump github.com/helmfile/chartify from 0.21.0 to
0.21.1 by @dependabot in #1979
* docs(fix): correct typo in 'tier=fronted' to 'tier=frontend'
by @yxxhero in #1980
* feat: add labels for helm release by @yxxhero in #1046
* build(deps): bump github.com/helmfile/vals from 0.40.0 to
0.40.1 by @dependabot in #1981
* build(deps): bump github.com/goccy/go-yaml from 1.16.0 to 1.17.1
by @dependabot in #1982
* fix: Check needs with context and namespace by @aarnq in #1986
* build(deps): bump golang.org/x/sync from 0.12.0 to 0.13.0 by
@dependabot in #1991
* build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 by
@dependabot in #1990
* fix(state): enhance error message for missing .gotmpl extension
in helmfile v1 by @yxxhero in #1989
* build(deps): bump github.com/helmfile/chartify from 0.21.1 to
0.22.0 by @dependabot in #1996
* build: update Helm plugin versions in CI and Dockerfiles by
@yxxhero in #1995
* build: update Helm to v3.17.3 and update related Dockerfiles
by @yxxhero in #1993
* build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 by
@dependabot in #2010
* feat: add helmfile archive configuration in goreleaser by
@yxxhero in #2000
* docs: add more complex examples section in README by @yxxhero
in #2013
* Feat: setting reuseValues flag in release by @blaskoa in #2004
* build(deps): bump k8s.io/apimachinery from 0.32.3 to 0.32.4 by
@dependabot in #2016
* build(deps): bump github.com/aws/aws-sdk-go from 1.55.6 to
1.55.7 by @dependabot in #2015
* chore: support parsing any type with fromYaml by @ProbstDJakob
in #2017
* build(deps): bump k8s.io/apimachinery from 0.32.4 to 0.33.0 by
@dependabot in #2018
* feat: add --take-ownership flag to helm diff and related config
by @yxxhero in #1992
- Update to version 0.171.0:
* feat: execute templates against postRendererHooks by @allanger
in #1839
* build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
by @dependabot in #1897
* build(deps): bump github.com/goccy/go-yaml from 1.15.15 to
1.15.16 by @dependabot in #1901
* build(deps): bump github.com/goccy/go-yaml from 1.15.16 to
1.15.17 by @dependabot in #1905
* Use a regex to match --state-values-set-string arguments
by @gllb in #1902
* build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0
by @dependabot in #1911
* Chartify v0.20.8 update by @scodeman in #1908
* cleanup: remove all about v0.x by @yxxhero in #1903
* build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
by @dependabot in #1913
* chore: update babel to resolve CVEs by @zhaque44 in #1916
* remove deprecated charts.yaml by @yxxhero in #1437
* Revert "cleanup: remove all about v0.x" by @yxxhero in #1918
* build(deps): bump github.com/goccy/go-yaml from 1.15.17 to
1.15.19 by @dependabot in #1920
* build(deps): bump github.com/goccy/go-yaml from 1.15.19 to
1.15.20 by @dependabot in #1921
* feat: Add support for --wait-retries flag. by @connyay in #1922
* build: update go-yaml to v1.15.21 by @yxxhero in #1923
- Update to version 0.170.1:
* build(deps): bump github.com/goccy/go-yaml from 1.15.14 to
1.15.15 by @dependabot in #1882
* build(deps): bump github.com/hashicorp/go-slug from 0.15.0 to
0.16.3 by @dependabot in #1886 (CVE-2025-0377)
* Ensure 'helm repo add' is also not pollute on helmfile template
by @baurmatt in #1887
* build(deps): bump github.com/zclconf/go-cty from 1.16.1 to
1.16.2 by @dependabot in #1888
* fix: using correct option for takeOwnership flag by @blaskoa
in #1892
* fix typo in docs by @adamab48 in #1889
- Update to version 0.170.0:
* build(deps): bump github.com/goccy/go-yaml from 1.15.6 to 1.15.7
by @dependabot in #1818
* build(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 by
@dependabot in #1817
* chore(doc): fix the indent of the selector usage sample yaml by
@Ladicle in #1819
* feat(state): add support for setString in ReleaseSpec and
HelmState by @yxxhero in #1821
* build(deps): bump github.com/goccy/go-yaml from 1.15.7 to 1.15.8
by @dependabot in #1822
* test(state): add TestHelmState_setStringFlags for setStringFlags
method by @yxxhero in #1823
* build(deps): bump k8s.io/apimachinery from 0.31.3 to 0.31.4 by
@dependabot in #1826
* build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by
@dependabot in #1828
* build(deps): bump github.com/goccy/go-yaml from 1.15.8 to
1.15.9 by @dependabot in #1831
* build(deps): bump k8s.io/apimachinery from 0.31.4 to 0.32.0 by
@dependabot in #1830
* feat: updating sops version to 3.9.2 by @zhaque44 in #1834
* build(deps): bump github.com/goccy/go-yaml from 1.15.9 to
1.15.10 by @dependabot in #1835
* build(deps): bump helm.sh/helm/v3 from 3.16.3 to 3.16.4 by
@dependabot in #1836
* build: update Helm version to v3.16.4 in CI and Dockerfiles by
@yxxhero in #1837
* build(deps): bump github.com/goccy/go-yaml from 1.15.10 to
1.15.11 by @dependabot in #1838
* build(deps): bump filippo.io/age from 1.2.0 to 1.2.1 by
@dependabot in #1840
* build(deps): bump github.com/goccy/go-yaml from 1.15.11 to
1.15.12 by @dependabot in #1843
* build: update helm-diff to v3.9.13 in Dockerfiles and init.go
by @yxxhero in #1841
* build(deps): bump github.com/helmfile/chartify from 0.20.4 to
0.20.5 by @dependabot in #1845
* build(deps): bump github.com/goccy/go-yaml from 1.15.12 to
1.15.13 by @dependabot in #1844
* build(deps): bump jinja2 from 3.1.4 to 3.1.5 in /docs by
@dependabot in #1846
* CVE-2024-45338: updating golang.org/x/net: to version: v0.33.0
by @zhaque44 in #1849
* build(deps): bump github.com/zclconf/go-cty from 1.15.1 to
1.16.0 by @dependabot in #1851
* build(deps): bump golang.org/x/term from 0.27.0 to 0.28.0
by @dependabot in #1852
* update sops versions to 3.9.3 by @zhaque44 in #1861
* build(deps): bump github.com/hashicorp/go-getter from 1.7.6
to 1.7.7 by @dependabot in #1862
* feat: add --take-ownership flag to apply and sync commands by
@yxxhero in #1863
* fix: ensure plain http is supported across all helmfile
commands by @purpleclay in #1858
* fix: ensure development versions of charts can be used across
helmfile commands by @purpleclay in #1865
* build(deps): bump github.com/helmfile/chartify from 0.20.5 to
0.20.6 by @dependabot in #1866
* update kubectl version (1.30) to stay up to date with new
releases by @zhaque44 in #1867
* build(deps): bump github.com/zclconf/go-cty from 1.16.0 to
1.16.1 by @dependabot in #1870
* build(deps): bump github.com/hashicorp/go-getter from 1.7.7 to
1.7.8 by @dependabot in #1869
* feat: Add "--no-hooks" to helmfile template by @jwlai in #1813
* update helm and k8s versions in ci, dockerfiles, and go.mod by
@yxxhero in #1872
* build(deps): bump github.com/helmfile/vals from 0.38.0 to 0.39.0
by @dependabot in #1876
* build(deps): bump k8s.io/apimachinery from 0.32.0 to 0.32.1 by
@dependabot in #1873
* build(deps): bump github.com/goccy/go-yaml from 1.15.13 to
1.15.14 by @dependabot in #1874
* build: update helm-diff to v3.9.14 in Dockerfiles and init.go
by @yxxhero in #1877
- Update to version 0.169.2:
* build(deps): bump github.com/helmfile/vals from 0.37.6 to 0.37.7
by @dependabot in #1747
* build(deps): bump k8s.io/apimachinery from 0.31.1 to 0.31.2 by
@dependabot in #1754
* Reset extra args before running 'dependency build' by @baurmatt
in #1751
* Introducing Helmfile Guru on Gurubase.io by @kursataktas in #1748
* feat: add skip json schema validation during the install /upgrade
of a Chart by @zhaque44 in #1737
* fix(maputil): prevent nil value overwrite by @ban11111 in #1755
* build(deps): bump github.com/goccy/go-yaml from 1.12.0 to
1.13.0 by @dependabot in #1759
* fix: this url doesn't work anymore by @zekena2 in #1760
* build(deps): bump github.com/goccy/go-yaml from 1.13.0 to
1.13.1 by @dependabot in #1762
* build(deps): bump github.com/goccy/go-yaml from 1.13.1 to
1.13.2 by @dependabot in #1763
* build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to
4.5.1 by @dependabot in #1767
* build(deps): bump github.com/helmfile/vals from 0.37.7 to
0.37.8 by @dependabot in #1764
* build(deps): bump github.com/goccy/go-yaml from 1.13.2 to
1.13.4 by @dependabot in #1765
* fix(integration-tests): read correct minikube status (#1768)
by @ceriath in #1769
* build(deps): bump github.com/goccy/go-yaml from 1.13.4 to
1.13.5 by @dependabot in #1770
* Add integration tests for #1749 by @baurmatt in #1766
* fix: update acme chart URL in input.yaml by @yxxhero in #1773
* build(deps): bump github.com/goccy/go-yaml from 1.13.5 to
1.13.6 by @dependabot in #1771
* build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0 by
@dependabot in #1775
* build(deps): bump golang.org/x/term from 0.25.0 to 0.26.0
by @dependabot in #1774
* Revive dead badge links by @eggplants in #1776
* feat: refactor label creation in state.go by @yxxhero in #1758
* docs: Add Gurubase badge to README-zh_CN by @yxxhero in #1777
* build(deps): bump github.com/goccy/go-yaml from 1.13.6 to
1.13.9 by @dependabot in #1781
* build(deps): bump github.com/goccy/go-yaml from 1.13.9 to
1.14.0 by @dependabot in #1782
* build(deps): bump github.com/goccy/go-yaml from 1.14.0 to
1.14.3 by @dependabot in #1788
* build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by
@dependabot in #1786
* fix: update helm-diff to version 3.9.12 in CI and Dockerfiles
by @yxxhero in #1792
* build: update Helm version to v3.16.3 in CI and Dockerfiles
by @yxxhero in #1791
* feat: add HELMFILE_INTERACTIVE env var to enable interactive
mode by @thevops in #1787
* build(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to
2.23.0 by @dependabot in #1793
* build(deps): bump github.com/Masterminds/semver/v3 from 3.3.0
to 3.3.1 by @dependabot in #1795
* chore: update with testify/assert assertion and table driven
tests for fs.go by @zhaque44 in #1794
* build(deps): bump k8s.io/apimachinery from 0.31.2 to 0.31.3
by @dependabot in #1798
* build(deps): bump github.com/stretchr/testify from 1.9.0 to
1.10.0 by @dependabot in #1800
* build(deps): bump github.com/goccy/go-yaml from 1.14.3 to
1.15.0 by @dependabot in #1804
* build(deps): bump github.com/goccy/go-yaml from 1.15.0 to
1.15.1 by @dependabot in #1807
* build(deps): bump github.com/zclconf/go-cty from 1.15.0 to
1.15.1 by @dependabot in #1806
* update example chart URL in remote-secrets doc by @daveneeley
in #1809
* build(deps): bump github.com/goccy/go-yaml from 1.15.1 to
1.15.3 by @dependabot in #1811
* build(deps): bump github.com/goccy/go-yaml from 1.15.3 to
1.15.6 by @dependabot in #1812
* fix: inject global values in Chartify by @xabufr in #1805
* build(deps): bump github.com/helmfile/vals from 0.37.8 to
0.38.0 by @dependabot in #1814
* build(deps): bump github.com/helmfile/chartify from 0.20.3 to
0.20.4 by @dependabot in #1815
* build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by
@dependabot in #1816
- Update to version 0.169.1:
* feat: update sops version to 3.9.1 by @zhaque44 in #1742
* chore: improve test assertions and descriptions for file
download test by @zhaque44 in #1745
* feat: add 'hide-notes' flag to helm in sync and apply commands
by @yxxhero in #1746
ImportantCVE-2024-45338 at SUSECVE-2024-45338 at NVDCVE-2025-0377 at SUSECVE-2025-0377 at NVDSecurity update for pnpm (Moderate)openSUSE Leap 16.0
This update for pnpm fixes the following issues:
Changes in pnpm:
- update to 10.22.0:
* Minor Changes
- Added support for trustPolicyExclude #10164.
You can now list one or more specific packages or versions
that pnpm should allow to install, even if those packages
don't satisfy the trust policy requirement. For example:
trustPolicy: no-downgrade
trustPolicyExclude:
- chokidar@4.0.3
- webpack@4.47.0 || 5.102.1
- Allow to override the engines field on publish by the
publishConfig.engines field.
* Patch Changes
- Don't crash when two processes of pnpm are hardlinking the
contents of a directory to the same destination
simultaneously #10179.
- update to 10.21.0:
* Minor Changes
- Node.js Runtime Installation for Dependencies. Added support
for automatic Node.js runtime installation for dependencies.
pnpm will now install the Node.js version required by a
dependency if that dependency declares a Node.js runtime in
the "engines" field. For example:
{
"engines": {
"runtime": {
"name": "node",
"version": "^24.11.0",
"onFail": "download"
}
}
}
If the package with the Node.js runtime dependency is a CLI
app, pnpm will bind the CLI app to the required Node.js
version. This ensures that, regardless of the globally
installed Node.js instance, the CLI will use the compatible
version of Node.js.
If the package has a postinstall script, that script will be
executed using the specified Node.js version.
Related PR: #10141
- Added a new setting: trustPolicy.
When set to no-downgrade, pnpm will fail installation if a
package’s trust level has decreased compared to previous
releases — for example, if it was previously published by a
trusted publisher but now only has provenance or no trust
evidence.
This helps prevent installing potentially compromised
versions of a package.
Related issue: #8889.
- Added support for pnpm config get globalconfig to retrieve
the global config file path #9977.
* Patch Changes
- When a user runs pnpm update on a dependency that is not
directly listed in package.json, none of the direct
dependencies should be updated #10155.
- Don't crash when two processes of pnpm are hardlinking the
contents of a directory to the same destination
simultaneously #10160.
- Setting gitBranchLockfile and related settings via
pnpm-workspace.yaml should work #9651.
- update to 10.20.0:
* Minor Changes
- Support --all option in pnpm --help to list all commands
#8628.
* Patch Changes
- When the latest version doesn't satisfy the maturity
requirement configured by minimumReleaseAge, pick the highest
version that is mature enough, even if it has a different
major version #10100.
- create command should not verify patch info.
- Set managePackageManagerVersions to false, when switching to
a different version of pnpm CLI, in order to avoid subsequent
switches #10063.
- update to 10.19.0:
* Minor Changes
- You can now allow specific versions of dependencies to run
postinstall scripts. onlyBuiltDependencies now accepts
package names with lists of trusted versions. For example:
Related PR: #10104.
onlyBuiltDependencies:
- nx@21.6.4 || 21.6.5
- esbuild@0.25.1
- Added support for exact versions in minimumReleaseAgeExclude
#9985.
You can now list one or more specific versions that pnpm
should allow to install, even if those versions don’t satisfy
the maturity requirement set by minimumReleaseAge. For
example:
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
- nx@21.6.5
- webpack@4.47.0 || 5.102.1
- update to 10.18.3:
* Patch Changes
- Fix a bug where pnpm would infinitely recurse when using
verifyDepsBeforeInstall: install and pre/post install scripts
that called other pnpm scripts #10060.
- Fixed scoped registry keys (e.g., @scope:registry) being
parsed as property paths in pnpm config get when
--location=project is used #9362.
- Remove pnpm-specific CLI options before passing to npm
publish to prevent "Unknown cli config" warnings #9646.
- Fixed EISDIR error when bin field points to a directory
#9441.
- Preserve version and hasBin for variations packages #10022.
- Fixed pnpm config set --location=project incorrectly handling
keys with slashes (auth tokens, registry settings) #9884.
- When both pnpm-workspace.yaml and .npmrc exist, pnpm config
set --location=project now writes to pnpm-workspace.yaml
(matching read priority) #10072.
- Prevent a table width error in pnpm outdated --long #10040.
- Sync bin links after injected dependencies are updated by
build scripts. This ensures that binaries created during
build processes are properly linked and accessible to
consuming projects #10057.
- update to 10.18.2:
* Patch Changes
- pnpm outdated --long should work #10040.
- Replace ndjson with split2. Reduce the bundle size of pnpm
CLI #10054.
- pnpm dlx should request the full metadata of packages, when
minimumReleaseAge is set #9963.
- pnpm version switching should work when the pnpm home
directory is in a symlinked directory #9715.
- Fix EPIPE errors when piping output to other commands #10027.
- update to 10.18.1:
* Patch Changes
- Don't print a warning, when --lockfile-only is used #8320.
- pnpm setup creates a command shim to the pnpm executable.
This is needed to be able to run pnpm self-update on Windows
#5700.
- When using pnpm catalogs and running a normal pnpm install,
pnpm produced false positive warnings for "skip adding to the
default catalog because it already exists". This warning now
only prints when using pnpm add --save-catalog as originally
intended.
- update to 10.18.0:
* Minor Changes
- Added network performance monitoring to pnpm by implementing
warnings for slow network requests, including both metadata
fetches and tarball downloads.
Added configuration options for warning thresholds:
fetchWarnTimeoutMs and fetchMinSpeedKiBps.
Warning messages are displayed when requests exceed time
thresholds or fall below speed minimums
Related PR: #10025.
* Patch Changes
- Retry filesystem operations on EAGAIN errors #9959.
- Outdated command respects minimumReleaseAge configuration
#10030.
- Correctly apply the cleanupUnusedCatalogs configuration when
removing dependent packages.
- Don't fail with a meaningless error when scriptShell is set
to false #8748.
- pnpm dlx should not fail when minimumReleaseAge is set
#10037.
- update to 10.17.1:
* Patch Changes
- When a version specifier cannot be resolved because the versions
don't satisfy the minimumReleaseAge setting, print this
information out in the error message #9974.
- Fix state.json creation path when executing pnpm patch in a
workspace project #9733.
- When minimumReleaseAge is set and the latest tag is not mature
enough, prefer a non-deprecated version as the new latest #9987.
- update to 10.17:
* Minor Changes
- The minimumReleaseAgeExclude setting now supports patterns.
For instance:
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
- "@eslint/*"
* Patch Changes
- Don't ignore the minimumReleaseAge check, when the package is
requested by exact version and the packument is loaded from
cache #9978.
- When minimumReleaseAge is set and the active version under a
dist-tag is not mature enough, do not downgrade to a
prerelease version in case the original version wasn't a
prerelease one #9979.
- update to 10.16.1:
* Patch Changes
- The full metadata cache should be stored not at the same
location as the abbreviated metadata. This fixes a bug where
pnpm was loading the abbreviated metadata from cache and
couldn't find the "time" field as a result #9963.
- Forcibly disable ANSI color codes when generating patch diff
#9914.
- update to 10.16:
* Minor Changes
- There have been several incidents recently where popular
packages were successfully attacked. To reduce the risk of
installing a compromised version, we are introducing a new
setting that delays the installation of newly released
dependencies. In most cases, such attacks are discovered
quickly and the malicious versions are removed from the
registry within an hour.
- The new setting is called minimumReleaseAge. It specifies the
number of minutes that must pass after a version is published
before pnpm will install it. For example, setting
minimumReleaseAge: 1440 ensures that only packages released
at least one day ago can be installed.
- If you set minimumReleaseAge but need to disable this
restriction for certain dependencies, you can list them under
the minimumReleaseAgeExclude setting. For instance, with the
following configuration pnpm will always install the latest
version of webpack, regardless of its release time:
minimumReleaseAgeExclude:
- webpack
- Added support for finders #9946.
In the past, pnpm list and pnpm why could only search for
dependencies by name (and optionally version). For example:
pnpm why minimist
prints the chain of dependencies to any installed instance of
minimist:
verdaccio 5.20.1
├─┬ handlebars 4.7.7
│ └── minimist 1.2.8
└─┬ mv 2.1.1
└─┬ mkdirp 0.5.6
└── minimist 1.2.8
What if we want to search by other properties of a
dependency, not just its name? For instance, find all
packages that have react@17 in their peer dependencies?
This is now possible with "finder functions". Finder
functions can be declared in .pnpmfile.cjs and invoked with
the --find-by=<function name> flag when running pnpm list or
pnpm why.
Let's say we want to find any dependencies that have React 17
in peer dependencies. We can add this finder to our
.pnpmfile.cjs:
module.exports = {
finders: {
react17: (ctx) => {
return ctx.readManifest().peerDependencies?.react === "^17.0.0";
},
},
};
Now we can use this finder function by running:
pnpm why --find-by=react17
pnpm will find all dependencies that have this React in peer
dependencies and print their exact locations in the
dependency graph.
@apollo/client 4.0.4
├── @graphql-typed-document-node/core 3.2.0
└── graphql-tag 2.12.6
It is also possible to print out some additional information
in the output by returning a string from the finder. For
example, with the following finder:
module.exports = {
finders: {
react17: (ctx) => {
const manifest = ctx.readManifest();
if (manifest.peerDependencies?.react === "^17.0.0") {
return `license: ${manifest.license}`;
}
return false;
},
},
};
Every matched package will also print out the license from
its package.json:
@apollo/client 4.0.4
├── @graphql-typed-document-node/core 3.2.0
│ license: MIT
└── graphql-tag 2.12.6
license: MIT
* Patch Changes
- Fix deprecation warning printed when executing pnpm with
Node.js 24 #9529.
- Throw an error if nodeVersion is not set to an exact semver
version #9934.
- pnpm publish should be able to publish a .tar.gz file #9927.
- Canceling a running process with Ctrl-C should make pnpm run
return a non-zero exit code #9626.
- update to 10.15.1:
* Patch Changes
- Fix .pnp.cjs crash when importing subpath #9904.
- When resolving peer dependencies, pnpm looks whether the peer
dependency is present in the root workspace project's
dependencies. This change makes it so that the peer
dependency is correctly resolved even from aliased npm-hosted
dependencies or other types of dependencies #9913.
- update to 10.15.0:
* Minor Changes
- Added the cleanupUnusedCatalogs configuration. When set to
true, pnpm will remove unused catalog entries during
installation #9793.
- Automatically load pnpmfiles from config dependencies that
are named @*/pnpm-plugin-* #9780.
- pnpm config get now prints an INI string for an object value
#9797.
- pnpm config get now accepts property paths (e.g. pnpm config
get catalog.react, pnpm config get .catalog.react, pnpm
config get
'packageExtensions["@babel/parser"].peerDependencies["@babel/types"]'),
and pnpm config set now accepts dot-leading or subscripted
keys (e.g. pnpm config set .ignoreScripts true).
- pnpm config get --json now prints a JSON serialization of
config value, and pnpm config set --json now parses the input
value as JSON.
* Patch Changes
- Semi-breaking. When automatically installing missing peer
dependencies, prefer versions that are already present in the
direct dependencies of the root workspace package #9835.
- When executing the pnpm create command, must verify whether
the node version is supported even if a cache already exists
#9775.
- When making requests for the non-abbreviated packument, add
*/* to the Accept header to avoid getting a 406 error on AWS
CodeArtifact #9862.
- The standalone exe version of pnpm works with glibc 2.26
again #9734.
- Fix a regression in which pnpm dlx pkg --help doesn't pass
--help to pkg #9823.
- update to 10.14.0:
* Minor Changes
- Added support for JavaScript runtime installation
(Related PR: #9755.)
Declare Node.js, Deno, or Bun in devEngines.runtime (inside
package.json) and let pnpm download and pin it automatically.
Usage example:
{
"devEngines": {
"runtime": {
"name": "node",
"version": "^24.4.0",
"onFail": "download" // we only support the "download" value for now
}
}
}
How it works:
- pnpm install resolves your specified range to the latest
matching runtime version.
- The exact version (and checksum) is saved in the lockfile.
- Scripts use the local runtime, ensuring consistency across
environments.
Why this is better:
- This new setting supports also Deno and Bun (vs. our
Node-only settings useNodeVersion and
executionEnv.nodeVersion)
- Supports version ranges (not just a fixed version).
- The resolved version is stored in the pnpm lockfile, along
with an integrity checksum for future validation of the
Node.js content's validity.
- It can be used on any workspace project (like
executionEnv.nodeVersion). So, different projects in a
workspace can use different runtimes.
- For now devEngines.runtime setting will install the runtime
locally, which we will improve in future versions of pnpm
by using a shared location on the computer.
- Add --cpu, --libc, and --os to pnpm install, pnpm add, and
pnpm dlx to customize supportedArchitectures via the CLI
#7510.
* Patch Changes
- Fix a bug in which pnpm add downloads packages whose libc
differ from pnpm.supportedArchitectures.libc.
- The integrities of the downloaded Node.js artifacts are
verified #9750.
- Allow dlx to parse CLI flags and options between the dlx
command and the command to run or between the dlx command and
-- #9719.
- pnpm install --prod should removing hoisted dev dependencies
#9782.
- Fix an edge case bug causing local tarballs to not re-link
into the virtual store. This bug would happen when changing
the contents of the tarball without renaming the file and
running a filtered install.
- Fix a bug causing pnpm install to incorrectly assume the
lockfile is up to date after changing a local tarball that
has peers dependencies.
- update to 10.13.1:
* Patch Changes
- Run user defined pnpmfiles after pnpmfiles of plugins.
- update to 10.13.0:
* Minor Changes
- Added the possibility to load multiple pnpmfiles. The pnpmfile
setting can now accept a list of pnpmfile locations #9702.
- pnpm will now automatically load the pnpmfile.cjs file from any
config dependency named @pnpm/plugin-* or pnpm-plugin-* #9729.
- The order in which config dependencies are initialized should
not matter — they are initialized in alphabetical order. If a
specific order is needed, the paths to the pnpmfile.cjs files in
the config dependencies can be explicitly listed using the
pnpmfile setting in pnpm-workspace.yaml.
* Patch Changes
- When patching dependencies installed via pkg.pr.new, treat them
as Git tarball URLs #9694.
- Prevent conflicts between local projects' config and the global
config in dangerouslyAllowAllBuilds, onlyBuiltDependencies,
onlyBuiltDependenciesFile, and neverBuiltDependencies #9628.
- Sort keys in pnpm-workspace.yaml with deep #9701.
- The pnpm rebuild command should not add pkgs included in
ignoredBuiltDependencies to ignoredBuilds in
node_modules/.modules.yaml #9338.
- Replaced shell-quote with shlex for quoting command arguments
#9381.
- update to 10.12.4:
* Patch Changes
- Fix pnpm licenses command for local dependencies #9583.
- Fix a bug in which pnpm ls --filter=not-exist --json prints
nothing instead of an empty array #9672.
- Fix a deadlock that sometimes happens during peer dependency
resolution #9673.
- Running pnpm install after pnpm fetch should hoist all
dependencies that need to be hoisted.
- Fixes a regression introduced in v10.12.2 by #9648; resolves
#9689.
- update to 10.12.3:
* Patch Changes
- Restore hoisting of optional peer dependencies when installing
with an outdated lockfile. Regression introduced in v10.12.2 by
#9648; resolves #9685.
- update to 10.12.2:
* Patch Changes
- Fixed hoisting with enableGlobalVirtualStore set to true #9648.
- Fix the --help and -h flags not working as expected for the pnpm
create command.
- The dependency package path output by the pnpm licenses list
--json command is incorrect.
- Fix a bug in which pnpm deploy fails due to overridden
dependencies having peer dependencies causing
ERR_PNPM_OUTDATED_LOCKFILE #9595.
- update to 10.12.1 (10.2.0 was yanked):
* Minor Changes
- Experimental. Added support for global virtual stores. When
enabled, node_modules contains only symlinks to a central
virtual store, rather to node_modules/.pnpm. By default, this
central store is located at <store-path>/links (you can find
the store path by running pnpm store path).
In the central virtual store, each package is hard linked
into a directory whose name is the hash of its dependency
graph. This allows multiple projects on the system to symlink
shared dependencies from this central location, significantly
improving installation speed when a warm cache is available.
This is conceptually similar to how NixOS manages packages,
using dependency graph hashes to create isolated and
reusable package directories.
To enable the global virtual store, set
enableGlobalVirtualStore: true in your root
pnpm-workspace.yaml, or globally via:
pnpm config -g set enable-global-virtual-store true
NOTE: In CI environments, where caches are typically cold,
this setting may slow down installation. pnpm automatically
disables the global virtual store when running in CI.
Related PR: #8190
- The pnpm update command now supports updating catalog:
protocol dependencies and writes new specifiers to
pnpm-workspace.yaml.
- A new catalogMode setting is available for controlling if and
how dependencies are added to the default catalog. It can be
configured to several modes:
- strict: Only allows dependency versions from the catalog.
Adding a dependency outside the catalog's version range
will cause an error.
- prefer: Prefers catalog versions, but will fall back to
direct dependencies if no compatible version is found.
- manual (default): Does not automatically add dependencies
to the catalog.
- Added two new CLI options (--save-catalog and
--save-catalog-name=<name>) to pnpm add to save new
dependencies as catalog entries. catalog: or catalog:<name>
will be added to package.json and the package specifier will
be added to the catalogs or catalog[<name>] object in
pnpm-workspace.yaml #9425.
- Semi-breaking. The keys used for side-effects caches have
changed. If you have a side-effects cache generated by a
previous version of pnpm, the new version will not use it and
will create a new cache instead #9605.
- Added a new setting called ci for explicitly telling pnpm if
the current environment is a CI or not.
* Patch Changes
- Sort versions printed by pnpm patch using semantic versioning
rules.
- Improve the way the error message displays mismatched
specifiers. Show differences instead of 2 whole objects
#9598.
- Revert #9574 to fix a regression #9596.
- update to 10.11.1:
* Patch Changes
- Fix an issue in which pnpm deploy --legacy creates unexpected
directories when the root package.json has a workspace
package as a peer dependency #9550.
- Dependencies specified via a URL that redirects will only be
locked to the target if it is immutable, fixing a regression
when installing from GitHub releases. (#9531)
- Installation should not exit with an error if
strictPeerDependencies is true but all issues are ignored by
peerDependencyRules #9505.
- Use pnpm_config_ env variables instead of npm_config_ #9571.
- Fix a regression (in v10.9.0) causing the --lockfile-only
flag on pnpm update to produce a different pnpm-lock.yaml
than an update without the flag.
- Let pnpm deploy work in repos with overrides when
inject-workspace-packages=true #9283.
- Fixed the problem of path loss caused by parsing URL address.
Fixes a regression shipped in pnpm v10.11 via #9502.
- pnpm -r --silent run should not print out section #9563.
- update to 10.11.0:
* Minor Changes
- A new setting added for pnpm init to create a package.json
with type=module, when init-type is module. Works as a flag
for the init command too #9463.
- Added support for Nushell to pnpm setup #6476.
- Added two new flags to the pnpm audit command, --ignore and
--ignore-unfixable #8474.
Ignore all vulnerabilities that have no solution:
> pnpm audit --ignore-unfixable
Provide a list of CVE's to ignore those specifically, even if
they have a resolution.
> pnpm audit --ignore=CVE-2021-1234 --ignore=CVE-2021-5678
- Added support for recursively running pack in every project
of a workspace #4351.
Now you can run pnpm -r pack to pack all packages in the
workspace.
* Patch Changes
- pnpm version management should work, when
dangerouslyAllowAllBuilds is set to true #9472.
- pnpm link should work from inside a workspace #9506.
- Set the default workspaceConcurrency to
Math.min(os.availableParallelism(), 4) #9493.
- Installation should not exit with an error if
strictPeerDependencies is true but all issues are ignored by
peerDependencyRules #9505.
- Read updateConfig from pnpm-workspace.yaml #9500.
- Add support for recursive pack
- Remove url.parse usage to fix warning on Node.js 24 #9492.
- pnpm run should be able to run commands from the workspace
root, if ignoreScripts is set tot true #4858.
- update to 10.10.0:
* Allow loading the preResolution, importPackage, and fetchers
hooks from local pnpmfile.
* Fix cd command, when shellEmulator is true #7838.
* Sort keys in pnpm-workspace.yaml #9453.
* Pass the npm_package_json environment variable to the
executed scripts #9452.
* Fixed a mistake in the description of the --reporter=silent
option.
- update to 10.9.0:
* Minor Changes
- Added support for installing JSR packages. You can now
install JSR packages using the following syntax:
add jsr:<pkg_name>
or with a version range:
pnpm add jsr:<pkg_name>@<range>
For example, running:
pnpm add jsr:@foo/bar
will add the following entry to your package.json:
{
"dependencies": {
"@foo/bar": "jsr:^0.1.2"
}
}
When publishing, this entry will be transformed into a format
compatible with npm, older versions of Yarn, and previous
pnpm versions:
{
"dependencies": {
"@foo/bar": "npm:@jsr/foo__bar@^0.1.2"
}
}
Related issue: #8941.
Note: The @jsr scope defaults to https://npm.jsr.io/ if the
@jsr:registry setting is not defined.
- Added a new setting, dangerouslyAllowAllBuilds, for
automatically running any scripts of dependencies without the
need to approve any builds. It was already possible to allow
all builds by adding this to pnpm-workspace.yaml:
neverBuiltDependencies: []
dangerouslyAllowAllBuilds has the same effect but also allows
to be set globally via:
pnpm config set dangerouslyAllowAllBuilds true
It can also be set when running a command:
pnpm install --dangerously-allow-all-builds
* Patch Changes
- Fix a false negative in verifyDepsBeforeRun when nodeLinker
is hoisted and there is a workspace package without
dependencies and node_modules directory #9424.
- Explicitly drop verifyDepsBeforeRun support for nodeLinker:
pnp. Combining verifyDepsBeforeRun and nodeLinker: pnp will
now print a warning.
- udate to 10.8.1:
* Patch Changes
- Removed bright white highlighting, which didn't look good on
some light themes #9389.
- If there is no pnpm related configuration in package.json,
onlyBuiltDependencies will be written to pnpm-workspace.yaml
file #9404.
- The patch file path saved by the pnpm patch-commit and
patch-remove commands should be a relative path #9403.
- update to 10.8:
* Minor Changes
Experimental. A new hook is supported for updating
configuration settings. The hook can be provided via
.pnpmfile.cjs. For example:
module.exports = {
hooks: {
updateConfig: (config) => ({
...config,
nodeLinker: "hoisted",
}),
},
};
Now you can use the pnpm add command with the --config flag
to install new configurational dependencies #9377.
* Patch Changes
- Do not hang indefinitely, when there is a glob that starts
with !/ in pnpm-workspace.yaml. This fixes a regression
introduced by #9169.
- pnpm audit --fix should update the overrides in
pnpm-workspace.yaml.
- pnpm link should update overrides in pnpm-workspace.yaml, not
in package.json #9365.
- update to 10.7.1:
* Patch Changes
- pnpm config set should convert the settings to their correct
type before adding them to pnpm-workspace.yaml #9355.
- pnpm config get should read auth related settings via npm CLI
#9345.
- Replace leading ~/ in a path in .npmrc with the home directory
#9217.
- update to 10.7:
* Minor Changes
- pnpm config get and list also show settings set in
pnpm-workspace.yaml files #9316.
- It should be possible to use env variables in
pnpm-workspace.yaml setting names and value.
- Add an ability to patch dependencies by version ranges. Exact
versions override version ranges, which in turn override
name-only patches. Version range * is the same as name-only,
except that patch application failure will not be ignored.
For example:
patchedDependencies:
foo: patches/foo-1.patch
foo@^2.0.0: patches/foo-2.patch
foo@2.1.0: patches/foo-3.patch
The above configuration would apply patches/foo-3.patch to
foo@2.1.0, patches/foo-2.patch to all foo versions which
satisfy ^2.0.0 except 2.1.0, and patches/foo-1.patch to the
remaining foo versions.
[!WARNING]
The version ranges should not overlap. If you want to
specialize a sub range, make sure to exclude it from the
other keys. For example:
# pnpm-workspace.yaml
patchedDependencies:
# the specialized sub range
'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch
# the more general patch, excluding the sub range above
'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch
In most cases, however, it's sufficient to just define an
exact version to override the range.
- pnpm config set --location=project saves the setting to a
pnpm-workspace.yaml file if no .npmrc file is present in the
directory #9316.
- Rename pnpm.allowNonAppliedPatches to
pnpm.allowUnusedPatches. The old name is still supported but
it would print a deprecation warning message.
- Add pnpm.ignorePatchFailures to manage whether pnpm would
ignore patch application failures.
- If ignorePatchFailures is not set, pnpm would throw an
error when patches with exact versions or version ranges
fail to apply, and it would ignore failures from name-only
patches.
- If ignorePatchFailures is explicitly set to false, pnpm
would throw an error when any type of patch fails to apply.
- If ignorePatchFailures is explicitly set to true, pnpm
would print a warning when any type of patch fails to
apply.
* Patch Changes
- Remove dependency paths from audit output to prevent
out-of-memory errors #9280.
- update to 10.6.5:
* Patch Changes
- Remove warnings after having explicitly approved no builds
#9296.
- When installing different dependency packages, should retain
the ignoredBuilds field in the .modules.yaml file #9240.
- Fix usages of the catalog: protocol in injected local
workspace packages. This previously errored with
ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER. #8715
- Setting workspace-concurrency to less than or equal to 0
should work #9297.
- update to 10.6.4:
* Patch Changes
- Fix pnpm dlx with --allow-build flag #9263.
- Invalid Node.js version in use-node-version should not cause
pnpm itself to break #9276.
- The max amount of workers running for linking packages from
the store has been reduced to 4 to achieve optimal results
#9286. The workers are performing many file system
operations, so increasing the number of CPUs doesn't help
performance after some point.
- update to 10.6.3:
* Patch Changes
- pnpm install --prod=false should not crash, when executed in
a project with a pnpm-workspace.yaml file #9233. This fixes
regression introduced via #9211.
- Add the missing node-options config to recursive run #9180.
- Removed a branching code path that only executed when
dedupe-peer-dependents=false. We believe this internal
refactor will not result in behavior changes, but we expect
it to make future pnpm versions behave more consistently for
projects that override dedupe-peer-dependents to false. There
should be less unique bugs from turning off
dedupe-peer-dependents.
See details in #9259.
- update to 10.6.2:
* Patch Changes
- pnpm self-update should always update the version in the
packageManager field of package.json.
- Fix running pnpm CLI from pnpm CLI on Windows when the CLI is
bundled to an executable #8971.
- pnpm patch-commit will now use the same filesystem as the
store directory to compare and create patch files.
- Don't show info output when --loglevel=error is used.
- peerDependencyRules should be set in pnpm-workspace.yaml to
take effect.
- update to 10.6.1:
* Patch Changes
- The pnpm CLI process should not stay hanging, when --silent
reporting is used.
- When --loglevel is set to error, don't show installation
summary, execution time, and big tarball download progress.
- Don't ignore pnpm.patchedDependencies from package.json
#9226.
- When executing the approve-builds command, if package.json
contains onlyBuiltDependencies or ignoredBuiltDependencies,
the selected dependency package will continue to be written
into package.json.
- When a package version cannot be found in the package
metadata, print the registry from which the package was
fetched.
- update to 10.6.0:
* Minor Changes
- pnpm-workspace.yaml can now hold all the settings that .npmrc
accepts. The settings should use camelCase #9211.
pnpm-workspace.yaml example:
verifyDepsBeforeRun: install
optimisticRepeatInstall: true
publicHoistPattern:
- "*types*"
- "!@types/react"
- Projects using a file: dependency on a local tarball file
(i.e. .tgz, .tar.gz, .tar) will see a performance improvement
during installation. Previously, using a file: dependency on
a tarball caused the lockfile resolution step to always run.
The lockfile will now be considered up-to-date if the tarball
is unchanged.
* Patch Changes
- pnpm self-update should not leave a directory with a broken
pnpm installation if the installation fails.
- fast-glob replace with tinyglobby to reduce the size of the
pnpm CLI dependencies #9169.
- pnpm deploy should not remove fields from the deployed
package's package.json file #9215.
- pnpm self-update should not read the pnpm settings from the
package.json file in the current working directory.
- Fix pnpm deploy creating a package.json without the imports
and license field #9193.
- pnpm update -i should list only packages that have newer
versions #9206.
- Fix a bug causing entries in the catalogs section of the
pnpm-lock.yaml file to be removed when
dedupe-peer-dependents=false on a filtered install. #9112
- update to 10.5.2:
* The pnpm config set command should change the global .npmrc
file by default.
This was a regression introduced by #9151 and shipped in pnpm
v10.5.0.
- update to 10.5.1:
* Throw an error message if a pnpm-workspaces.yaml or
pnpm-workspaces.yml file is found instead of a
pnpm-workspace.yaml #9170.
* Fix the update of pnpm-workspace.yaml by the pnpm
approve-builds command #9168.
* Normalize generated link paths in package.json #9163
* Specifying overrides in pnpm-workspace.yaml should work.
* pnpm dlx should ignore settings from the package.json file in
the current working directory #9178.
- update to 10.5.0:
* The pnpm.* settings from package.json can now be specified in
the pnpm-workspace.yaml file instead #9121.
* Added support for automatically syncing files of injected
workspace packages after pnpm run #9081. Use the sync-injected
-deps-after-scripts setting to specify which scripts build
the workspace package. This tells pnpm when syncing is needed.
The setting should be defined in a .npmrc file at the root of
the workspace.
* The packages field in pnpm-workspace.yaml became optional.
* pnpm link with no parameters should work as if --global is
specified #9151
* Allow scope registry CLI option without --config. prefix such
as --@scope:registry=https://scope.example.com/npm #9089
* pnpm link <path> should calculate relative path from the root
of the workspace directory #9132
* Fix a bug causing catalog snapshots to be removed from the
pnpm-lock.yaml file when using --fix-lockfile and --filter. #8639
* Fix a bug causing catalog protocol dependencies to not re-
resolve on a filtered install #8638
- update to 10.4.1:
* Throws an error when the value provided by the --allow-build
option overlaps with the pnpm.ignoredBuildDependencies list #9105.
* Print pnpm's version after the execution time at the end of the console output.
* Print warning about ignored builds of dependencies on repeat install #9106.
* Setting init-package-manager should work.
- includes 10.4.0:
* pnpm approve-builds --global works now for allowing
dependencies of globally installed packages to run
postinstall scripts.
* The pnpm add command now supports a new flag, --allow-build,
which allows building the specified dependencies.
* pnpm approve-builds should work after two consecutive pnpm install runs #9083.
* Fix instruction for updating pnpm with corepack #9101.
* The pnpm version specified by packageManager cannot start with v.
- update to 10.3.0:
* Added a new setting called strict-dep-builds. When enabled,
the installation will exit with a non-zero exit code if any
dependencies have unreviewed build scripts (aka postinstall scripts) #9071.
* Fix a false negative of verify-deps-before-run after pnpm
install --production|--no-optional #9019.
* Print the warning about blocked installation scripts at the
end of the installation output and make it more prominent.
- update to 10.2.1:
* Don't read a package from side-effects cache if it isn't
allowed to be built #9042.
* pnpm approve-builds should work, when executed from a
subdirectory of a workspace #9042.
* pnpm deploy --legacy should work without injected dependencies
* Add information about how to deploy without "injected
dependencies" to the "pnpm deploy" error message.
- includes 10.2.0:
* Packages executed via pnpm dlx and pnpm create are allowed to
be built (run postinstall scripts) by default.
* Quote args for scripts with shell-quote to support new lines
(on POSIX only) #8980.
* Fix a bug in which pnpm deploy fails to read the correct
projectId when the deploy source is the same as the workspace directory #9001.
* Proxy settings should be respected, when resolving Git-hosted
dependencies #6530.
* Prevent overrides from adding invalid version ranges to
peerDependencies by keeping the peerDependencies and
overriding them with prod dependencies #8978.
* Sort the package names in the "pnpm.onlyBuiltDependencies"
list saved by pnpm approve-builds.
- update to 10.1.0:
* Added a new command for printing the list of dependencies
with ignored build scripts: pnpm ignored-builds #8963.
* Added a new command for approving dependencies for running
scripts during installation: pnpm approve-builds #8963.
* Added a new setting called optimistic-repeat-install. When
enabled, a fast check will be performed before proceeding to
installation. This way a repeat install or an install on a
project with everything up-to-date becomes a lot faster. But
some edge cases might arise, so we keep it disabled by
default for now #8977.
* Added a new field "pnpm.ignoredBuiltDependencies" for
explicitly listing packages that should not be built. When a
package is in the list, pnpm will not print an info message
about that package not being built #8935.
* Verify that the package name is valid when executing the
publish command.
* When running pnpm install, the preprepare and postprepare
scripts of the project should be executed #8989.
* Allow workspace: and catalog: to be part of wider version
range in peerDependencies.
* pnpm deploy should inherit the pnpm object from the root
package.json #8991.
* Make sure that the deletion of a node_modules in a sub-
project of a monorepo is detected as out-of-date #8959.
* Fix infinite loop caused by lifecycle scripts using pnpm to
execute other scripts during pnpm install with
verify-deps-before-run=install #8954.
* Replace strip-ansi with the built-in util.
stripVTControlCharacters #9009.
* Do not print patched dependencies as ignored dependencies
that require a build #8952.
- update to 10.0.0:
* Lifecycle scripts of dependencies are not executed during
installation by default! This is a breaking change aimed at
increasing security. In order to allow lifecycle scripts of
specific dependencies, they should be listed in the pnpm
onlyBuiltDependencies field of package.json #8897
* The pnpm link command now adds overrides to the root package.json. #8653
* Secure hashing with SHA256
* Configuration updates
* Changes to the global store
* The # character is now escaped in directory names within
node_modules/.pnpm. #8557
* Running pnpm add --global pnpm or pnpm add --global @pnpm/exe
now fails with an error message, directing you to use pnpm
self-update instead. #8728
* Dependencies added via a URL now record the final resolved
URL in the lockfile, ensuring that any redirects are fully
captured. #8833
* The pnpm deploy command now only works in workspaces that
have inject-workspace-packages=true. This limitation is
introduced to allow us to create a proper lockfile for the
deployed project using the workspace lockfile.
* Removed conversion from lockfile v6 to v9. If you need v6-to-
v9 conversion, use pnpm CLI v9.
* pnpm test now passes all parameters after the test keyword
directly to the underlying script. This matches the behavior
of pnpm run test. Previously you needed to use the -- prefix. #8619
* node-gyp updated to version 11.
* pnpm deploy now tries creating a dedicated lockfile from a
shared lockfile for deployment. It will fallback to
deployment without a lockfile if there is no shared lockfile
or force-legacy-deploy is set to true.
* Added support for a new type of dependencies called
"configurational dependencies". These dependencies are
installed before all the other types of dependencies (befor
"dependencies", "devDependencies", "optionalDependencies").
* New verify-deps-before-run setting. This setting controls how
pnpm checks node_modules before running scripts #8836
* On repeated installs, pnpm performs a quick check to ensure
node_modules is up to date. #8838
* pnpm add integrates with default workspace catalog: #8640
* pnpm dlx now resolves packages to their exact versions and
uses these exact versions for cache keys. This ensures pnpm
dlx always installs the latest requested packages #8811
* No node_modules validation on certain commands. Commands that
should not modify node_modules (e.g., pnpm install --lockfile-
only) no longer validate or purge node_modules. #8657
* for full changes, see https://github.com/pnpm/pnpm/releases/tag/v10.0.0
- update to 9.15.3:
* Fixed the Regex used to find the package manifest during
packing #8938.
* pnpm update --filter <pattern> --latest <pkg> should only
change the specified package for the specified workspace, when
dedupe-peer-dependents is set to true #8877.
* Exclude .DS_Store file at patch-commit #8922.
* Fix a bug in which pnpm patch is unable to bring back old patch
without specifying @version suffix #8919.
- update to 9.15.2:
* Fixed publish/pack error with workspace dependencies with
relative paths #8904. It was broken in v9.4.0 (398472c).
* Use double quotes in the command suggestion by pnpm patch on
Windows #7546.
* Do not fall back to SSH, when resolving a git-hosted package if
git ls-remote works via HTTPS #8906.
* Improve how packages with blocked lifecycle scripts are
reported during installation. Always print the list of ignored
scripts at the end of the output. Include a hint about how to
allow the execution of those packages.
- update to version 9.15.1:
* pnpm remove should not link dependencies from the workspace,
when link-workspace-packages is set to false #7674
* Installation with hoisted node_modules should not fail, when
a dependency has itself in its own peer dependencies #8854
- update to version 9.15.0:
* Metadata directory version bumped to force fresh cache after
we shipped a fix to the metadata write function. This change
is backward compatible as install doesn't require a metadata cache
* pnpm update --global should not crash if there are no any
global packages installed #7898
* Fix an exception when running pnpm update --interactive if
catalogs are used.
- update to version 9.14.4:
* Don't ever save mutated metadata to the metadata cache
- includes 9.14.3:
* Some commands should ignore the packageManager field check of
package.json #7959
- update to version 9.14.2:
pnpm publish --json should work #8788
- includes 9.14.1:
* Added support for pnpm pack --json to print packed tarball
and contents in JSON format #8765
* pnpm exec should print a meaningful error message when no
command is provided #8752
* pnpm setup should remove the CLI from the target location
before moving the new binary #8173
* Fix ERR_PNPM_TARBALL_EXTRACT error while installing a
dependency from GitHub having a slash in branch name #7697
* Don't crash if the use-node-version setting is used and the
system has no Node.js installed #8769
* Convert settings in local .npmrc files to their correct types.
For instance, child-concurrency should be a number, not a string #5075
* pnpm should fail if a project requires a different package
manager even if manage-package-manager-versions is set to true
* pnpm init should respect the --dir option #8768
- includes 9.14.0:
* chore: use verify-deps-before-run
* fix(init): --dir option should be respected (#8768)
* feat: support json format output in pnpm pack (#8765)
* fix: pnpm exec should specify command (#8774)
* fix: proper types of settings in local .npmrc files (#8775)
* fix: ERR_PNPM_TARBALL_EXTRACT when the URL's hash contains a slash
* fix: the CLI should fail if a different package manager is
required by the project
* fix: ETXTBSY error on running setup (#8780)
* feat: add linux-riscv64 build (#8779)
* fix: remove link to X from update notifier (#8773)
* docs: update sponsors
* fix: upgrade cross-sapwn (#8782)
* fix: don't crash when use-node-version is set and there is no node.js
* docs: update changesets
- update to version 9.13.2:
* Detection of circular peer dependencies should not crash with
aliased dependencies #8759. Fixes a regression introduced in
the previous version.
* Fix race condition of symlink creations caused by multiple
parallel dlx processes.
- update to version 9.13.1:
* Fixed some edge cases where resolving circular peer
dependencies caused a dead lock #8720
- update to version 9.13.0:
* The self-update now accepts a version specifier to install a
specific version of pnpm.
* Fix Cannot read properties of undefined (reading 'name') that
is printed while trying to render the missing peer
dependencies warning message #8538
- update to version 9.12.3:
* Don't purge node_modules, when typing "n" in the prompt that
asks whether to remove node_modules before installation #8655
* Fix a bug causing pnpm to infinitely spawn itself when manage-
package-manager-versions=true is set and the .tools directory is corrupt
* Use crypto.hash, when available, for improved performance #8629
* Fixed a race condition in temporary file creation in the
store by including worker thread ID in filename. Previously,
multiple worker threads could attempt to use the same
temporary file. Temporary files now include both process ID
and thread ID for uniqueness #8703
* All commands should read settings from the package.json at
the root of the workspace #8667
* When manage-package-manager-versions is set to true, errors
spawning a self-managed version of pnpm will now be shown
(instead of being silent)
* Pass the find command to npm, it is an alias for npm search
- includes 9.12.2:
* When checking whether a file in the store has executable
permissions, the new approach checks if at least one of the
executable bits (owner, group, and others) is set to 1.
Previously, a file was incorrectly considered executable only
when all the executable bits were set to 1. This fix ensures
that files with any executable permission, regardless of the
user class, are now correctly identified as executable #8546
ModerateCVE-2021-1234 at SUSECVE-2021-1234 at NVDCVE-2021-5678 at SUSECVE-2021-5678 at NVDSecurity update for rnp (Moderate)openSUSE Leap 16.0
This update for rnp fixes the following issues:
- update to 0.18.1:
* CVE-2025-13470: PKESK (public-key encrypted) session keys were
generated as all-zero, allowing trivial decryption of messages
encrypted with public keys only (boo#1253957, CVE-2025-13402)
ModerateSUSE bug 1253957CVE-2025-13402 at SUSECVE-2025-13402 at NVDCVE-2025-13470 at SUSECVE-2025-13470 at NVDSecurity update for trivy (Important)openSUSE Leap 16.0
This update for trivy fixes the following issues:
Changes in trivy:
Update to version 0.67.2 (bsc#1250625, CVE-2025-11065, bsc#1248897, CVE-2025-58058):
* fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
* fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
* fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
* fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
* fix(vex): don't suppress vulns for packages with infinity loop (#9465)
* fix(aws): use `BuildableClient` insead of `xhttp.Client` (#9436)
* refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
* docs: clarify inline ignore limitations for resource-less checks (#9537)
* fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
* fix(misconf): handle tofu files in module detection (#9486)
* feat(seal): add seal support (#9370)
* docs: fix modules path and update code example (#9539)
* fix: close file descriptors and pipes on error paths (#9536)
* feat: add documentation URL for database lock errors (#9531)
* fix(db): Dowload database when missing but metadata still exists (#9393)
* feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
* fix(misconf): unmark cty values before access (#9495)
* feat(cli): change --list-all-pkgs default to true (#9510)
* fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
* refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
* refactor: remove google/wire dependency and implement manual DI (#9509)
* chore(deps): bump the aws group with 6 updates (#9481)
* chore(deps): bump the common group across 1 directory with 24 updates (#9507)
* fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
* docs: move info about `detection priority` into coverage section (#9469)
* feat(sbom): added support for CoreOS (#9448)
* fix(misconf): strip build metadata suffixes from image history (#9498)
* feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
* docs: Fix typo in terraform docs (#9492)
* feat(redhat): add os-release detection for RHEL-based images (#9458)
* ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
* refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
* fix(vuln): compare `nuget` package names in lower case (#9456)
* chore: Update release flow to include chocolatey (#9460)
* docs: document eol supportability (#9434)
* docs(report): add nuanses about secret/license scanner in summary table (#9442)
* ci: use environment variables in GitHub Actions for improved security (#9433)
* chore: bump Go to 1.24.7 (#9435)
* fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)
* ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)
Update to version 0.66.0 (bsc#1248937, CVE-2025-58058):
* chore(deps): bump the aws group with 7 updates (#9419)
* refactor(secret): clarify secret scanner messages (#9409)
* fix(cyclonedx): handle multiple license types (#9378)
* fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
* test: add HTTP basic authentication to git test server (#9407)
* fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
* fix(misconf): ensure module source is known (#9404)
* ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
* fix: create temp file under composite fs dir (#9387)
* chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
* refactor: switch to stable azcontainerregistry SDK package (#9319)
* chore(deps): bump the common group with 7 updates (#9382)
* refactor(misconf): migrate from custom Azure JSON parser (#9222)
* fix(repo): preserve RepoMetadata on FS cache hit (#9389)
* refactor(misconf): use atomic.Int32 (#9385)
* chore(deps): bump the aws group with 6 updates (#9383)
* docs: Fix broken link to "Built-in Checks" (#9375)
* fix(plugin): don't remove plugins when updating index.yaml file (#9358)
* fix: persistent flag option typo (#9374)
* chore(deps): bump the common group across 1 directory with 26 updates (#9347)
* fix(image): use standardized HTTP client for ECR authentication (#9322)
* refactor: export `systemFileFiltering` Post Handler (#9359)
* docs: update links to Semaphore pages (#9352)
* fix(conda): memory leak by adding closure method for `package.json` file (#9349)
* feat: add timeout handling for cache database operations (#9307)
* fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
* fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
* chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
* feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
* chore: fix some function names in comment (#9314)
* chore(deps): bump the aws group with 7 updates (#9311)
* docs: add explanation for how to use non-system certificates (#9081)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
* fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
* refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
* fix: suppress debug log for context cancellation errors (#9298)
* feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
* fix(python): impove package name normalization (#9290)
* feat(misconf): added audit config attribute (#9249)
* refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
* test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
* refactor: simplify Detect function signature (#9280)
* ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
* fix(fs): avoid shadowing errors in file.glob (#9286)
* test(misconf): move terraform scan tests to integration tests (#9271)
* test(misconf): drop gcp iam test covered by another case (#9285)
* chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
Update to version 0.65.0:
* fix(cli): ensure correct command is picked by telemetry (#9260)
* feat(flag): add schema validation for `--server` flag (#9270)
* chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
* ci: skip undefined labels in discussion triage action (#9175)
* feat(repo): add git repository metadata to reports (#9252)
* fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
* chore: add modernize tool integration for code modernization (#9251)
* fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
* chore: implement process-safe temp file cleanup (#9241)
* fix: prevent graceful shutdown message on normal exit (#9244)
* fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
* feat: add graceful shutdown with signal handling (#9242)
* chore: update template URL for brew formula (#9221)
* test: add end-to-end testing framework with image scan and proxy tests (#9231)
* refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)
* ci: specify repository for `gh cache delete` in canary worklfow (#9240)
* ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)
* fix(misconf): fix log bucket in schema (#9235)
* chore(deps): bump the common group across 1 directory with 24 updates (#9228)
* ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
* chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
* feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
* fix(server): add HTTP transport setup to server mode (#9217)
* chore: update the rpm download Update (#9202)
* feat(alma): add AlmaLinux 10 support (#9207)
* fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)
* fix(rootio): fix severity selection (#9181)
* fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
* fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206)
* fix(misconf): correctly adapt azure storage account (#9138)
* feat(misconf): add private ip google access attribute to subnetwork (#9199)
* feat(report): add CVSS vectors in sarif report (#9157)
* fix(terraform): `for_each` on a map returns a resource for every key (#9156)
* fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
* chore: migrate protoc setup from Docker to buf CLI (#9184)
* ci: delete cache after artifacts upload in canary workflow (#9177)
* refactor: remove aws flag helper message (#9080)
* ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
* ci: add auto-ready-for-review workflow (#9179)
* feat(image): add Docker context resolution (#9166)
* ci: optimize golangci-lint performance with cache-based strategy (#9173)
* feat: add HTTP request/response tracing support (#9125)
* fix(aws): update amazon linux 2 EOL date (#9176)
* chore: Update release workflow to trigger version updates (#9162)
* chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
* fix: also check `filepath` when removing duplicate packages (#9142)
* chore: add debug log to show image source location (#9163)
* docs: add section on customizing default check data (#9114)
* chore(deps): bump the common group across 1 directory with 9 updates (#9153)
* docs: partners page content updates (#9149)
* chore(license): add missed spdx exceptions: (#9147)
* docs: trivy partners page updates (#9133)
* fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
* ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
* feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
* fix(misconf): skip rewriting expr if attr is nil (#9113)
* fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)
* fix(cli): Add more non-sensitive flags to telemetry (#9110)
* fix(alma): parse epochs from rpmqa file (#9101)
* fix(rootio): check full version to detect `root.io` packages (#9117)
* chore: drop FreeBSD 32-bit support (#9102)
* fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
* fix(secret): fix line numbers for multiple-line secrets (#9104)
* feat(license): observe pkg types option in license scanner (#9091)
* ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)
- (CVE-2025-53547, bsc#1246151)
- Update to version 0.64.1 (bsc#1243633, CVE-2025-47291,
(bsc#1246730, CVE-2025-46569):
* fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
* fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
* fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
* fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
* docs(python): fix type with METADATA file name (#9090)
* feat: reject unsupported artifact types in remote image retrieval (#9052)
* chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
* refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
* feat(terraform): add partial evaluation for policy templates (#8967)
* feat(vuln): add Root.io support for container image scanning (#9073)
* feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
* fix(cli): add some values to the telemetry call (#9056)
* feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
* refactor: centralize HTTP transport configuration (#9058)
* test: include integration tests in linting and fix all issues (#9060)
* chore(deps): bump the common group across 1 directory with 26 updates (#9063)
* feat(java): dereference all maven settings.xml env placeholders (#9024)
* fix(misconf): reduce log noise on incompatible check (#9029)
* fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
* chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
* docs(misconf): simplify misconfiguration docs (#9030)
* fix(misconf): move disabled checks filtering after analyzer scan (#9002)
* docs: add PR review policy for maintainers (#9032)
* fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
* test: improve and extend tests for iac/adapters/arm (#9028)
* chore: bump up Go version to 1.24.4 (#9031)
* feat(cli): add version constraints to annoucements (#9023)
* fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
* feat(ubuntu): add eol date for 20.04-ESM (#8981)
* fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549)
* fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)
* refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
* docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
* feat(misconf): add OpenTofu file extension support (#8747)
* refactor(misconf): set Trivy version by default in Rego scanner (#9001)
* docs: fix assets with versioning (#8996)
* docs: add partners page (#8988)
* chore(alpine): add EOL date for Alpine 3.22 (#8992)
* fix: don't show corrupted trivy-db warning for first run (#8991)
* Update installation.md (#8979)
* feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
* chore(k8s): update comments with deprecated command format (#8964)
* chore: fix errors and typos in docs (#8963)
* fix: Add missing version check flags (#8951)
* feat(redhat): Add EOL date for RHEL 10. (#8910)
* fix: Correctly check for semver versions for trivy version check (#8948)
* refactor(server): change custom advisory and vulnerability data types fr… (#8923)
* ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
* fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
* chore(deps): Bump trivy-checks (#8934)
* fix(julia): add `Relationship` field support (#8939)
* feat(minimos): Add support for MinimOS (#8792)
* feat(alpine): add maintainer field extraction for APK packages (#8930)
* feat(echo): Add Echo Support (#8833)
* fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
* fix(wolfi): support new APK database location (#8937)
* feat(k8s): get components from namespaced resources (#8918)
* refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
* refactor(terraform): remove result sorting from scanner (#8928)
* feat(misconf): Add support for `Minimum Trivy Version` (#8880)
* docs: improve skipping files documentation (#8749)
* feat(cli): Add available version checking (#8553)
* feat(nodejs): add a bun.lock analyzer (#8897)
* feat: terraform parser option to set current working directory (#8909)
* perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
* feat(misconf): export raw Terraform data to Rego (#8741)
* refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
* fix: check post-analyzers for StaticPaths (#8904)
* feat: add Bottlerocket OS package analyzer (#8653)
* feat(license): improve work text licenses with custom classification (#8888)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
* chore(deps): bump the common group across 1 directory with 9 updates (#8887)
* refactor(license): simplify compound license scanning (#8896)
* feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
* fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
* feat(nodejs): add bun.lock parser (#8851)
* feat(license): improve work with custom classification of licenses from config file (#8861)
* fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)
* fix: julia parser panicing (#8883)
* refactor(db): change logic to detect wrong DB (#8864)
* fix(cli): don't use allow values for `--compliance` flag (#8881)
* docs(misconf): Reorganize misconfiguration scan pages (#8206)
* fix(server): add missed Relationship field for `rpc` (#8872)
* feat: add JSONC support for comments and trailing commas (#8862)
* fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
* feat(go): support license scanning in both GOPATH and vendor (#8843)
* fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
* fix: filter all files when processing files installed from package managers (#8842)
* feat(misconf): add misconfiguration location to junit template (#8793)
* docs(vuln): remove OSV for Python from data sources (#8841)
* chore: add an issue template for maintainers (#8838)
* chore: enable staticcheck (#8815)
* ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
* feat(license): scan vendor directory for license for go.mod files (#8689)
* docs(java): Update info about dev deps in gradle lock (#8830)
* chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
* fix(java): exclude dev dependencies in gradle lockfile (#8803)
* fix: octalLiteral from go-critic (#8811)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
* chore(deps): bump the common group across 1 directory with 10 updates (#8817)
* fix: use-any from revive (#8810)
* fix: more revive rules (#8814)
* docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
* fix(misconf): check if for-each is known when expanding dyn block (#8808)
* ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
- Update to version 0.62.1 (bsc#1239225, CVE-2025-22868,
bsc#1241724, CVE-2025-22872):
* chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
* fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
* feat(nodejs): add root and workspace for `yarn` packages (#8535)
* fix: unused-parameter rule from revive (#8794)
* chore(deps): Update trivy-checks (#8798)
* fix: early-return, indent-error-flow and superfluous-else rules from revive (#8796)
* fix(k8s): remove using `last-applied-configuration` (#8791)
* refactor(misconf): remove unused methods from providers (#8781)
* refactor(misconf): remove unused methods from iac types (#8782)
* fix(misconf): filter null nodes when parsing json manifest (#8785)
* fix: testifylint last issues (#8768)
* fix(misconf): perform operations on attribute safely (#8774)
* refactor(ubuntu): update time handling for fixing time (#8780)
* chore(deps): bump golangci-lint to v2.1.2 (#8766)
* feat(image): save layers metadata into report (#8394)
* feat(misconf): convert AWS managed policy to document (#8757)
* chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
* ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
* ci(helm): create a helm branch for patches from main (#8673)
* fix(terraform): hcl object expressions to return references (#8271)
* chore(terraform): option to pass in instanced logger (#8738)
* ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
* chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
* chore(deps): bump the common group across 1 directory with 23 updates (#8733)
* feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
* refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
* fix(misconf): populate context correctly for module instances (#8656)
* fix(misconf): check if metadata is not nil (#8647)
* refactor(misconf): switch to x/json (#8719)
* fix(report): clean buffer after flushing (#8725)
* ci: improve PR title validation workflow (#8720)
* refactor(flag): improve flag system architecture and extensibility (#8718)
* fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
* refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
* feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
* ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
* refactor: add hook interface for extended functionality (#8585)
* fix(misconf): add missing variable as unknown (#8683)
* docs: Update maintainer docs (#8674)
* ci(vuln): reduce github action script injection attack risk (#8610)
* fix(secret): ignore .dist-info directories during secret scanning (#8646)
* fix(server): fix redis key when trying to delete blob (#8649)
* chore(deps): bump the testcontainers group with 2 updates (#8650)
* test: use `aquasecurity` repository for test images (#8677)
* chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
* fix(k8s): skip passed misconfigs for the summary report (#8684)
* fix(k8s): correct compare artifact versions (#8682)
* chore: update Docker lib (#8681)
* refactor(misconf): remove unused terraform attribute methods (#8657)
* feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
* chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
* docs: Add info about helm charts release (#8640)
* ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
Update to version 0.61.1 (bsc#1239385, CVE-2025-22869, bsc#1240466, CVE-2025-30204):
* fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
* fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
* test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)
* fix(misconf): Improve logging for unsupported checks (#8634)
* feat(k8s): add support for controllers (#8614)
* fix(debian): don't include empty licenses for `dpkgs` (#8623)
* fix(misconf): Check values wholly prior to evalution (#8604)
* chore(deps): Bump trivy-checks (#8619)
* fix(k8s): show report for `--report all` (#8613)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
* refactor: rename scanner to service (#8584)
* fix(misconf): do not skip loading documents from subdirectories (#8526)
* refactor(misconf): get a block or attribute without calling HasChild (#8586)
* fix(misconf): identify the chart file exactly by name (#8590)
* test: use table-driven tests in Helm scanner tests (#8592)
* refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
* chore(deps): bump the common group across 1 directory with 10 updates (#8566)
* fix(misconf): do not use cty.NilVal for non-nil values (#8567)
* docs(cli): improve flag value display format (#8560)
* fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
* docs: remove slack (#8565)
* fix: use `--file-patterns` flag for all post analyzers (#7365)
* docs(python): Mention pip-compile (#8484)
* feat(misconf): adapt aws_opensearch_domain (#8550)
* feat(misconf): adapt AWS::EC2::VPC (#8534)
* docs: fix a broken link (#8546)
* fix(fs): check postAnalyzers for StaticPaths (#8543)
* refactor(misconf): remove unused methods for ec2.Instance (#8536)
* feat(misconf): adapt aws_default_security_group (#8538)
* feat(fs): optimize scanning performance by direct file access for known paths (#8525)
* feat(misconf): adapt AWS::DynamoDB::Table (#8529)
* style: Fix MD syntax in self-hosting.md (#8523)
* perf(misconf): retrieve check metadata from annotations once (#8478)
* feat(misconf): Add support for aws_ami (#8499)
* fix(misconf): skip Azure CreateUiDefinition (#8503)
* refactor(misconf): use OPA v1 (#8518)
* fix(misconf): add ephemeral block type to config schema (#8513)
* perf(misconf): parse input for Rego once (#8483)
* feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
* chore: replace deprecated tenv linter with usetesting (#8504)
* fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)
* chore(deps): bump the common group across 1 directory with 13 updates (#8491)
* chore: use go.mod for managing Go tools (#8493)
* ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
* fix(sbom): improve logic for binding direct dependency to parent component (#8489)
* chore(deps): remove missed replace of `trivy-db` (#8492)
* chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
* chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
* docs: add abbreviation list (#8453)
* chore(terraform): assign *terraform.Module 'parent' field (#8444)
* feat: add report summary table (#8177)
* chore(deps): bump the github-actions group with 3 updates (#8473)
* refactor(vex): improve SBOM reference handling with project standards (#8457)
* ci: update GitHub Actions cache to v4 (#8475)
* feat: add `--vuln-severity-source` flag (#8269)
* fix(os): add mapping OS aliases (#8466)
* chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
* chore(deps): Bump trivy-checks to v1.7.1 (#8467)
* refactor(report): write tables after rendering all results (#8357)
* docs: update VEX documentation index page (#8458)
* fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
* feat(misconf): render causes for Terraform (#8360)
* fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
* feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
* chore(deps): update go-rustaudit location (#8450)
* fix: update all documentation links (#8045)
* chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
* chore(deps): bump the common group with 6 updates (#8411)
* fix(k8s): add missed option `PkgRelationships` (#8442)
* fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
* feat(go): fix parsing main module version for go >= 1.24 (#8433)
* refactor(misconf): make Rego scanner independent of config type (#7517)
* fix(image): disable AVD-DS-0007 for history scanning (#8366)
* fix(server): secrets inspectation for the config analyzer in client server mode (#8418)
* chore: remove mockery (#8417)
* test(server): replace mock driver with memory cache in server tests (#8416)
* test: replace mock with memory cache and fix non-deterministic tests (#8410)
* test: replace mock with memory cache in scanner tests (#8413)
* test: use memory cache (#8403)
* fix(spdx): init `pkgFilePaths` map for all formats (#8380)
* chore(deps): bump the common group across 1 directory with 11 updates (#8381)
* docs: correct Ruby documentation (#8402)
* chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)
* fix: don't use `scope` for `trivy registry login` command (#8393)
* fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
* chore(terraform): export module path on terraform modules (#8374)
* fix(terraform): apply parser options to submodule parsing (#8377)
* docs: Fix typos in documentation (#8361)
* docs: fix navigate links (#8336)
* ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
* ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
* chore: remove debug prints (#8347)
* fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
* fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)
* chore(deps): bump Go to `v1.23.5` (#8341)
* fix(python): add `poetry` v2 support (#8323)
* chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
* fix(misconf): ecs include enhanced for container insights (#8326)
* fix(sbom): preserve OS packages from multiple SBOMs (#8325)
* ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
* (bsc#1237618, CVE-2025-27144)
Update to version 0.59.1:
* fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
* chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
* fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
* fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
Update to version 0.59.0:
* feat(image): return error early if total size of layers exceeds limit (#8294)
* chore(deps): Bump trivy-checks (#8310)
* chore(terraform): add accessors to underlying raw hcl values (#8306)
* fix: improve conversion of image config to Dockerfile (#8308)
* docs: replace short codes with Unicode emojis (#8296)
* feat(k8s): improve artifact selections for specific namespaces (#8248)
* chore: update code owners (#8303)
* fix(misconf): handle heredocs in dockerfile instructions (#8284)
* fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
* chore(deps): bump the aws group with 7 updates (#8299)
* chore(deps): bump the common group with 12 updates (#8301)
* chore: enable int-conversion from perfsprint (#8194)
* feat(fs): use git commit hash as cache key for clean repositories (#8278)
* fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
* chore: use require.ErrorContains when possible (#8291)
* feat(image): prevent scanning oversized container images (#8178)
* chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
* fix(fs): fix cache key generation to use UUID (#8275)
* fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
* feat: add support for registry mirrors (#8244)
* chore(deps): bump the common group across 1 directory with 29 updates (#8261)
* refactor(license): improve license expression normalization (#8257)
* feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
* feat: add a examples field to check metadata (#8068)
* chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
* ci: add workflow to restrict direct PRs to release branches (#8240)
* fix(suse): SUSE - update OSType constants and references for compatility (#8236)
* ci: fix path to main dir for canary builds (#8231)
* chore(secret): add reported issues related to secrets in junit template (#8193)
* refactor: use trivy-checks/pkg/specs package (#8226)
* ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
* fix(misconf): allow null values only for tf variables (#8112)
* feat(misconf): support for ignoring by inline comments for Helm (#8138)
* fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
* chore(alpine): add EOL date for Alpine 3.21 (#8221)
* fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
* fix(misconf): disable git terminal prompt on tf module load (#8026)
* chore: remove aws iam related scripts (#8179)
* docs: Updated JSON schema version 2 in the trivy documentation (#8188)
* refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
* refactor: use slices package instead of custom function (#8172)
* chore(deps): bump the common group with 6 updates (#8162)
* feat(python): add support for uv dev and optional dependencies (#8134)
* feat(python): add support for poetry dev dependencies (#8152)
* fix(sbom): attach nested packages to Application (#8144)
* docs(vex): use debian minor version in examples (#8166)
* refactor: add generic Set implementation (#8149)
* chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
* fix(python): skip dev group's deps for poetry (#8106)
* fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
* chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
* chore(vex): suppress CVE-2024-45338 (#8137)
* feat(python): add support for uv (#8080)
* chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
* chore(deps): bump the common group across 1 directory with 14 updates (#8126)
* chore: bump go to 1.23.4 (#8123)
* test: set dummy value for NUGET_PACKAGES (#8107)
* chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
* fix: wasm module test (#8099)
* fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
* chore(vex): suppress CVE-2024-45337 (#8101)
* fix(license): always trim leading and trailing spaces for licenses (#8095)
* fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
* fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
* fix: enable err-error and errorf rules from perfsprint linter (#7859)
* chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
* perf: avoid heap allocation in applier findPackage (#7883)
* fix: Updated twitter icon (#7772)
* docs(k8s): add a note about multi-container pods (#7815)
* feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
* fix(oracle): add architectures support for advisories (#4809)
* fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
* feat(misconf): generate placeholders for random provider resources (#8051)
* fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
* fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
* fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
* feat(nodejs): respect peer dependencies for dependency tree (#7989)
* ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
* fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
* chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
* fix(misconf): use log instead of fmt for logging (#8033)
* docs: add commercial content (#8030)
- Update to version 0.58.2 (
bsc#1234512, CVE-2024-45337,
bsc#1235265, CVE-2024-45338,
bsc#1232948, CVE-2024-51744):
* fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
* fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
* fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
* fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
* fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
* fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
* chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
* chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
* fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
* fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
* fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
* fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
* fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
* fix(misconf): wrap AWS EnvVar to iac types (#7407)
* chore(deps): Upgrade trivy-checks (#8018)
* refactor(misconf): Remove unused options (#7896)
* docs: add terminology page to explain Trivy concepts (#7996)
* feat: add `workspaceRelationship` (#7889)
* refactor(sbom): simplify relationship generation (#7985)
* chore: remove Go checks (#7907)
* docs: improve databases documentation (#7732)
* refactor: remove support for custom Terraform checks (#7901)
* docs: fix dead links (#7998)
* docs: drop AWS account scanning (#7997)
* fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
* fix(cli): Handle empty ignore files more gracefully (#7962)
* fix(misconf): load full Terraform module (#7925)
* fix(misconf): properly resolve local Terraform cache (#7983)
* refactor(k8s): add v prefix for Go packages (#7839)
* test: replace Go checks with Rego (#7867)
* feat(misconf): log causes of HCL file parsing errors (#7634)
* chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
* chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
* chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
* chore: downgrade the failed block expand message to debug (#7964)
* fix(misconf): do not erase variable type for child modules (#7941)
* feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
* feat(go): construct dependencies in the parser (#7973)
* feat: add cvss v4 score and vector in scan response (#7968)
* docs: add `overview` page for `others` (#7972)
* fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
* feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
* chore(deps): bump the common group with 4 updates (#7949)
* feat(oracle): add `flavors` support (#7858)
* fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
* chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
* fix(k8s): check all results for vulnerabilities (#7946)
* ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
* feat(secret): Add built-in secrets rules for Private Packagist (#7826)
* docs: Fix broken links (#7900)
* docs: fix mistakes/typos (#7942)
* feat: Update registry fallbacks (#7679)
* fix(alpine): add `UID` for removed packages (#7887)
* chore(deps): bump the aws group with 6 updates (#7902)
* chore(deps): bump the common group with 6 updates (#7904)
* fix(debian): infinite loop (#7928)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
* docs: add note about temporary podman socket (#7921)
* docs: combine trivy.dev into trivy docs (#7884)
* test: change branch in spdx schema link to check in integration tests (#7935)
* docs: add Headlamp to the Trivy Ecosystem page (#7916)
* fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
* chore(k8s): enhance k8s scan log (#6997)
* fix(terraform): set null value as fallback for missing variables (#7669)
* fix(misconf): handle null properties in CloudFormation templates (#7813)
* fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
* chore(deps): bump the common group across 1 directory with 20 updates (#7876)
* chore: bump containerd to v2.0.0 (#7875)
* fix: Improve version comparisons when build identifiers are present (#7873)
* feat(k8s): add default commands for unknown platform (#7863)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
* refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
* test: save `containerd` image into archive and use in tests (#7816)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
* chore: bump golangci-lint to v1.61.0 (#7853)
Update to version 0.57.1:
* feat: Update registry fallbacks [backport: release/v0.57] (#7944)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
* test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
* release: v0.57.0 [main] (#7710)
* chore: lint `errors.Join` (#7845)
* feat(db): append errors (#7843)
* docs(java): add info about supported scopes (#7842)
* docs: add example of creating whitelist of checks (#7821)
* chore(deps): Bump trivy-checks (#7819)
* fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
* fix(k8s): skip resources without misconfigs (#7797)
* fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
* fix(cli): add config name to skip-policy-update alias (#7820)
* fix(helm): properly handle multiple archived dependencies (#7782)
* refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
* fix(k8s)!: support k8s multi container (#7444)
* fix(k8s): support kubernetes v1.31 (#7810)
* docs: add Windows install instructions (#7800)
* ci(helm): auto public Helm chart after PR merged (#7526)
* feat: add end of life date for Ubuntu 24.10 (#7787)
* feat(report): update gitlab template to populate operating_system value (#7735)
* feat(misconf): Show misconfig ID in output (#7762)
* feat(misconf): export unresolvable field of IaC types to Rego (#7765)
* refactor(k8s): scan config files as a folder (#7690)
* fix(license): fix license normalization for Universal Permissive License (#7766)
* fix: enable usestdlibvars linter (#7770)
* fix(misconf): properly expand dynamic blocks (#7612)
* feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
* fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
* refactor(misconf): simplify k8s scanner (#7717)
* feat(parser): ignore white space in pom.xml files (#7747)
* test: use forked images (#7755)
* fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
* fix(misconf): check if property is not nil before conversion (#7578)
* fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
* feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
* test: define constants for test images (#7739)
* docs: add note about disabled DS016 check (#7724)
* feat(misconf): public network support for Azure Storage Account (#7601)
* feat(cli): rename `trivy auth` to `trivy registry` (#7727)
* docs: apt-transport-https is a transitional package (#7678)
* refactor(misconf): introduce generic scanner (#7515)
* fix(cli): `clean --all` deletes only relevant dirs (#7704)
* feat(cli): add `trivy auth` (#7664)
* fix(sbom): add options for DBs in private registries (#7660)
* docs(report): fix reporting doc format (#7671)
* fix(repo): `git clone` output to Stderr (#7561)
* fix(redhat): include arch in PURL qualifiers (#7654)
* fix(report): Fix invalid URI in SARIF report (#7645)
* docs(report): Improve SARIF reporting doc (#7655)
* fix(db): fix javadb downloading error handling (#7642)
* feat(cli): error out when ignore file cannot be found (#7624)
Update to version 0.56.2:
* fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
* fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
- Update to version 0.51.1 (bsc#1227010, CVE-2024-3817):
ImportantSUSE bug 1227010SUSE bug 1232948SUSE bug 1234512SUSE bug 1235265SUSE bug 1237618SUSE bug 1239225SUSE bug 1239385SUSE bug 1240466SUSE bug 1241724SUSE bug 1243633SUSE bug 1246151SUSE bug 1246730SUSE bug 1248897SUSE bug 1248937SUSE bug 1250625CVE-2024-3817 at SUSECVE-2024-3817 at NVDCVE-2024-45337 at SUSECVE-2024-45337 at NVDCVE-2024-45338 at SUSECVE-2024-45338 at NVDCVE-2024-51744 at SUSECVE-2024-51744 at NVDCVE-2025-11065 at SUSECVE-2025-11065 at NVDCVE-2025-21613 at SUSECVE-2025-21613 at NVDCVE-2025-21614 at SUSECVE-2025-21614 at NVDCVE-2025-22868 at SUSECVE-2025-22868 at NVDCVE-2025-22869 at SUSECVE-2025-22869 at NVDCVE-2025-22872 at SUSECVE-2025-22872 at NVDCVE-2025-27144 at SUSECVE-2025-27144 at NVDCVE-2025-30204 at SUSECVE-2025-30204 at NVDCVE-2025-46569 at SUSECVE-2025-46569 at NVDCVE-2025-47291 at SUSECVE-2025-47291 at NVDCVE-2025-53547 at SUSECVE-2025-53547 at NVDCVE-2025-58058 at SUSECVE-2025-58058 at NVDSecurity update for gitea-tea (Moderate)openSUSE Leap 16.0
This update for gitea-tea fixes the following issues:
Changes in gitea-tea:
- update to 0.11.1:
* 61d4e57 Fix Pr Create crash (#823)
* 4f33146 add test for matching logins (#820)
* 08b8398 Update README.md (#819)
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (boo#1251663)
- CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents (boo#1251471)
- update to 0.11.0:
* Fix yaml output single quote (#814)
* generate man page (#811)
* feat: add validation for object-format flag in repo create
command (#741)
* Fix release version (#815)
* update gitea sdk to v0.22 (#813)
* don't fallback login directly (#806)
* Check duplicated login name in interact mode when creating new
login (#803)
* Fix bug when output json with special chars (#801)
* add debug mode and update readme (#805)
* update go.mod to retract the wrong tag v1.3.3 (#802)
* revert completion scripts removal (#808)
* Remove pagination from context (#807)
* Continue auth when failed to open browser (#794)
* Fix bug (#793)
* Fix tea login add with ssh public key bug (#789)
* Add temporary authentication via environment variables (#639)
* Fix attachment size (#787)
* deploy image when tagging (#792)
* Add Zip URL for release list (#788)
* Use bubbletea instead of survey for interacting with TUI (#786)
* capitalize a few items
* rm out of date comparison file
* README: Document logging in to gitea (#790)
* remove autocomplete command (#782)
* chore(deps): update ghcr.io/devcontainers/features/git-lfs
docker tag to v1.2.5 (#773)
* replace arch package url (#783)
* fix: Reenable -p and --limit switches (#778)
- Update to 0.10.1+git.1757695903.cc20b52:
- feat: add validation for object-format flag in repo create
command (see gh#openSUSE/openSUSE-git#60)
- Fix release version
- update gitea sdk to v0.22
- don't fallback login directly
- Check duplicated login name in interact mode when creating
new login
- Fix bug when output json with special chars
- add debug mode and update readme
- update go.mod to retract the wrong tag v1.3.3
- revert completion scripts removal
- Remove pagination from context
- Continue auth when failed to open browser
- Fix bug
- Fix tea login add with ssh public key bug
- Add temporary authentication via environment variables
- Fix attachment size
- deploy image when tagging
- Add Zip URL for release list
- Use bubbletea instead of survey for interacting with TUI
- capitalize a few items
- rm out of date comparison file
- README: Document logging in to gitea
- remove autocomplete command
- chore(deps): update ghcr.io/devcontainers/features/git-lfs
docker tag to v1.2.5
- replace arch package url
- fix: Reenable `-p` and `--limit` switches
ModerateSUSE bug 1251471SUSE bug 1251663CVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for tcpreplay (Important)openSUSE Leap 16.0
This update for tcpreplay fixes the following issues:
- update to 4.5.2:
* features added since 4.4.4
- fix/recalculate header checksum for ipv6-frag
- IPv6 frag checksum support
- AF_XDP socket support
- tcpreplay -w (write into a pcap file)
- tcpreplay --fixhdrlen
- --include and --exclude options
- SLL2 support
- Haiku support
* security fixes reported for 4.4.4 fixed in 4.5.2
- CVE-2023-4256 / bsc#1218249
- CVE-2023-43279 / bsc#1221324
- CVE-2024-3024 / bsc#1222131 (likely)
- CVE-2024-22654 / bsc#1243845
- CVE-2025-9157 / bsc#1248322
- CVE-2025-9384 / bsc#1248595
- CVE-2025-9385 / bsc#1248596
- CVE-2025-9386 / bsc#1248597
- CVE-2025-9649 / bsc#1248964
- CVE-2025-51006 / bsc#1250356
ImportantSUSE bug 1218249SUSE bug 1221324SUSE bug 1222131SUSE bug 1243845SUSE bug 1247919SUSE bug 1248322SUSE bug 1248595SUSE bug 1248596SUSE bug 1248597SUSE bug 1248964SUSE bug 1250356CVE-2023-4256 at SUSECVE-2023-4256 at NVDCVE-2023-43279 at SUSECVE-2023-43279 at NVDCVE-2024-22654 at SUSECVE-2024-22654 at NVDCVE-2024-3024 at SUSECVE-2024-3024 at NVDCVE-2025-51006 at SUSECVE-2025-51006 at NVDCVE-2025-8746 at SUSECVE-2025-8746 at NVDCVE-2025-9157 at SUSECVE-2025-9157 at NVDCVE-2025-9384 at SUSECVE-2025-9384 at NVDCVE-2025-9385 at SUSECVE-2025-9385 at NVDCVE-2025-9386 at SUSECVE-2025-9386 at NVDCVE-2025-9649 at SUSECVE-2025-9649 at NVDSecurity update for redis (Critical)openSUSE Leap 16.0
This update for redis fixes the following issues:
- Updated to 8.2.3 (boo#1252996 CVE-2025-62507)
* https://github.com/redis/redis/releases/tag/8.2.3
- Security fixes
- (CVE-2025-62507) Bug in `XACKDEL` may lead to stack overflow
and potential RCE
- Bug fixes
- `HGETEX`: A missing `numfields` argument when `FIELDS` is
used can lead to Redis crash
- An overflow in `HyperLogLog` with 2GB+ entries may result in
a Redis crash
- Cuckoo filter - Division by zero in Cuckoo filter insertion
- Cuckoo filter - Counter overflow
- Bloom filter - Arbitrary memory read/write with invalid
filter
- Bloom filter - Out-of-bounds access with empty chain
- Top-k - Out-of-bounds access
- Bloom filter - Restore invalid filter [We thank AWS security
for responsibly disclosing the security bug]
- Updated to 8.2.2 (boo#1250995)
* https://github.com/redis/redis/releases/tag/8.2.2
* Fixed Lua script may lead to remote code execution (CVE-2025-49844).
* Fixed Lua script may lead to integer overflow (CVE-2025-46817).
* Fixed Lua script can be executed in the context of another user
(CVE-2025-46818).
* Fixed LUA out-of-bound read (CVE-2025-46819).
* Fixed potential crash on Lua script or streams and HFE defrag.
* Fixed potential crash when using ACL rules.
* Added VSIM: new EPSILON argument to specify maximum distance.
* Added SVS-VAMANA: allow use of BUILD_INTEL_SVS_OPT flag.
* Added RESP3 serialization performance.
* Added INFO SEARCH: new SVS-VAMANA metrics.
- Updated to 8.2.1
* https://github.com/redis/redis/releases/tag/8.2.1
- Bug fixes
* #14240 INFO KEYSIZES - potential incorrect histogram updates
on cluster mode with modules
* #14274 Disable Active Defrag during flushing replica
* #14276 XADD or XTRIM can crash the server after loading RDB
* #Q6601 Potential crash when running FLUSHDB (MOD-10681)
* Performance and resource utilization
* Query Engine - LeanVec and LVQ proprietary Intel
optimizations were removed from Redis Open Source
* #Q6621 Fix regression in INFO (MOD-10779)
CriticalSUSE bug 1250995SUSE bug 1252996CVE-2025-46817 at SUSECVE-2025-46817 at NVDCVE-2025-46818 at SUSECVE-2025-46818 at NVDCVE-2025-46819 at SUSECVE-2025-46819 at NVDCVE-2025-49844 at SUSECVE-2025-49844 at NVDCVE-2025-62507 at SUSECVE-2025-62507 at NVDSecurity update for shadowsocks-v2ray-plugin, v2ray-core (Important)openSUSE Leap 16.0
This update for shadowsocks-v2ray-plugin, v2ray-core fixes the following issues:
Changes in shadowsocks-v2ray-plugin:
- Update version to 5.25.0
* Update v2ray-core to v5.25.0
- Add update-vendor.patch, update v2ray-core to v5.33.0 (boo#1243954 and CVE-2025-297850)
Changes in v2ray-core:
- Fix CVE-2025-47911 and boo#1251404
* Add fix-CVE-2025-47911.patch
* Update golang.org/x/net to 0.45.0 in vendor
- Update version to 5.38.0
* TLSMirror Connection Enrollment System
* Add TLSMirror Sequence Watermarking
* LSMirror developer preview protocol is now a part of mainline V2Ray
* proxy dns with NOTIMP error
* Add TLSMirror looks like TLS censorship resistant transport protocol
as a developer preview transport
* proxy dns with NOTIMP error
* fix false success from SOCKS server when Dispatch() fails
* HTTP inbound: Directly forward plain HTTP 1xx response header
* add a option to override domain used to query https record
* Fix bugs
* Update vendor
- Update version to 5.33.0
* bump github.com/quic-go/quic-go from 0.51.0 to 0.52.0(boo#1243946 and CVE-2025-297850)
* Update other vendor source
- Update version to 5.31.0
* Add Dns Proxy Response TTL Control
* Fix call newError Base with a nil value error
* Update vendor (boo#1235164)
- Update version to 5.29.3
* Enable restricted mode load for http protocol client
* Correctly implement QUIC sniffer when handling multiple initial packets
* Fix unreleased cache buffer in QUIC sniffing
* A temporary testing fix for the buffer corruption issue
* QUIC Sniffer Restructure
- Update version to 5.22.0
* Add packetEncoding for Hysteria
* Add ECH Client Support
* Add support for parsing some shadowsocks links
* Add Mekya Transport
* Fix bugs
ImportantSUSE bug 1235164SUSE bug 1243946SUSE bug 1243954SUSE bug 1251404CVE-2025-297850 at SUSECVE-2025-297850 at NVDCVE-2025-47911 at SUSECVE-2025-47911 at NVDSecurity update for bash-git-prompt (Moderate)openSUSE Leap 16.0
This update for bash-git-prompt fixes the following issues:
- CVE-2025-61659: Fixed an issue where predictable files in /tmp were used for a copy of the git index (bsc#1247489)
ModerateSUSE bug 1247489CVE-2025-61659 at SUSECVE-2025-61659 at NVDSecurity update for act (Important)openSUSE Leap 16.0
This update for act fixes the following issues:
- CVE-2025-47913: Prevent panic in embedded golang.org/x/crypto/ssh/agent client when
receiving unexpected message types for key listing or signing requests (boo#1253608)
ImportantSUSE bug 1253608CVE-2025-47913 at SUSECVE-2025-47913 at NVDSecurity update for git-bug (Important)openSUSE Leap 16.0
This update for git-bug fixes the following issues:
Changes in git-bug:
- Revendor to include fixed version of depending libraries:
- GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
golang.org/x/crypto to v0.43.0
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
github.com/go-viper/mapstructure/v2 to v2.4.0
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
github.com/cloudflare/circl to v1.6.1
- GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
golang.org/x/crypto/ssh to v0.45.0
- GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
golang.org/x/crypto/ssh/agent to v0.45.0
- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
possible DoS by various algorithms with quadratic complexity
when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
bsc#1251664, CVE-2025-58190).
Update to version 0.10.1:
- cli: ignore missing sections when removing configuration (ddb22a2f)
Update to version 0.10.0:
- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
- BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
Update to version 0.10.0:
- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- web: remark upgrade + gfm + syntax highlighting (6ee47b96)
Update to version 0.9.0:
- completion: remove errata from string literal (aa102c91)
- tui: improve readability of the help bar (23be684a)
Update to version 0.8.1+git.1746484874.96c7a111:
* docs: update install, contrib, and usage documentation (#1222)
* fix: resolve the remote URI using url.*.insteadOf (#1394)
* build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
* chore: gofmt simplify gitlab/export_test.go (#1392)
* fix: checkout repo before setting up go environment (#1390)
* feat: bump to go v1.24.2 (#1389)
* chore: update golang.org/x/net (#1379)
* fix: use -0700 when formatting time (#1388)
* fix: use correct url for gitlab PATs (#1384)
* refactor: remove depdendency on pnpm for auto-label action (#1383)
* feat: add action: auto-label (#1380)
* feat: remove lifecycle/frozen (#1377)
* build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
* feat: support new exclusion label: lifecycle/pinned (#1375)
* fix: refactor how gitlab title changes are detected (#1370)
* revert: "Create Dependabot config file" (#1374)
* refactor: rename //:git-bug.go to //:main.go (#1373)
* build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
* fix: set GitLastTag to an empty string when git-describe errors (#1355)
* chore: update go-git to v5@masterupdate_mods (#1284)
* refactor: Directly swap two variables to optimize code (#1272)
* Update README.md Matrix link to new room (#1275)
- Update to version 0.8.0+git.1742269202.0ab94c9:
* deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
CVE-2025-22869).
- Add missing Requires to completion subpackages.
Update to version 0.8.0+git.1733745604.d499b6e:
* fix typos in docs (#1266)
* build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
ImportantSUSE bug 1234565SUSE bug 1239494SUSE bug 1251463SUSE bug 1251664SUSE bug 1253506SUSE bug 1253930SUSE bug 1254084CVE-2024-45337 at SUSECVE-2024-45337 at NVDCVE-2025-22869 at SUSECVE-2025-22869 at NVDCVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-58181 at SUSECVE-2025-58181 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for python-Django (Important)openSUSE Leap 16.0
This update for python-Django fixes the following issues:
- CVE-2025-64459: Fixed a potential SQL injection via `_connector` keyword argument in `QuerySet` and `Q` objects (bsc#1252926)
- CVE-2025-13372,CVE-2025-64460: Fixed Denial of Service in 'django.core.serializers.xml_serializer.getInnerText()' (bsc#1254437)
ImportantSUSE bug 1252926SUSE bug 1254437CVE-2025-13372 at SUSECVE-2025-13372 at NVDCVE-2025-64459 at SUSECVE-2025-64459 at NVDCVE-2025-64460 at SUSECVE-2025-64460 at NVDSecurity update for exim (Moderate)openSUSE Leap 16.0
This update for exim fixes the following issues:
- CVE-2025-53881: Fixed a potential security issue with logfile rotation (bsc#1246457)
ModerateSUSE bug 1246457CVE-2025-53881 at SUSECVE-2025-53881 at NVDSecurity update for hauler (Important)openSUSE Leap 16.0
This update for hauler fixes the following issues:
- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
bsc#1248937, CVE-2025-58058):
* bump github.com/containerd/containerd (#474)
* another fix to tests for new tests (#472)
* fixed typo in testdata (#471)
* fixed/cleaned new tests (#470)
* trying a new way for hauler testing (#467)
* update for cosign v3 verify (#469)
* added digests view to info (#465)
* bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
* update oras-go to v1.2.7 for security patches (#464)
* update cosign to v3.0.2+hauler.1 (#463)
* fixed homebrew directory deprecation (#462)
* add registry logout command (#460)
- Update to version 1.3.0:
* bump the go_modules group across 1 directory with 2 updates (#455)
* upgraded versions/dependencies/deprecations (#454)
* allow loading of docker tarballs (#452)
* bump the go_modules group across 1 directory with 2 updates (#449)
- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
* Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
the go_modules group across 1 directory (CVE-2025-46569)
* deprecate auth from hauler store copy
* Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
go_modules group across 1 directory
* Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
in the go_modules group across 1 directory
* upgraded go and dependencies versions
- Update to version 1.2.5:
* upgraded go and dependencies versions (#444)
* Bump github.com/go-viper/mapstructure/v2 (#442)
* bump github.com/cloudflare/circl (#441)
* deprecate auth from hauler store copy (#440)
* Bump github.com/open-policy-agent/opa (#438)
- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
* Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
group across 1 directory
* minor tests updates
- Update to version 1.2.3:
* formatting and flag text updates
* add keyless signature verification (#434)
* bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
* add --only flag to hauler store copy (for images) (#429)
* fix tlog verification error/warning output (#428)
- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
* cleanup new tlog flag typos and add shorthand (#426)
* default public transparency log verification to false to be airgap friendly but allow override (#425)
* bump github.com/golang-jwt/jwt/v4 (#423)
* bump the go_modules group across 1 directory with 2 updates (#422)
* bump github.com/go-jose/go-jose/v3 (#417)
* bump github.com/go-jose/go-jose/v4 (#415)
* clear default manifest name if product flag used with sync (#412)
* updates for v1.2.0 (#408)
* fixed remote code (#407)
* added remote file fetch to load (#406)
* added remote and multiple file fetch to sync (#405)
* updated save flag and related logs (#404)
* updated load flag and related logs [breaking change] (#403)
* updated sync flag and related logs [breaking change] (#402)
* upgraded api update to v1/updated dependencies (#400)
* fixed consts for oci declarations (#398)
* fix for correctly grabbing platform post cosign 2.4 updates (#393)
* use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
* Bump the go_modules group across 1 directory with 2 updates (#385)
* replace mholt/archiver with mholt/archives (#384)
* forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
* cleaned up registry and improved logging (#378)
* Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
- Update to version 1.1.1:
* fixed cli desc for store env var (#374)
* updated versions for go/k8s/helm (#373)
* updated version flag to internal/flags (#369)
* renamed incorrectly named consts (#371)
* added store env var (#370)
* adding ignore errors and retries for continue on error/fail on error (#368)
* updated/fixed hauler directory (#354)
* standardize consts (#353)
* removed cachedir code (#355)
* removed k3s code (#352)
* updated dependencies for go, helm, and k8s (#351)
* [feature] build with boring crypto where available (#344)
* updated workflow to goreleaser builds (#341)
* added timeout to goreleaser workflow (#340)
* trying new workflow build processes (#337)
* improved workflow performance (#336)
* have extract use proper ref (#335)
* yet another workflow goreleaser fix (#334)
* even more workflow fixes (#333)
* added more fixes to github workflow (#332)
* fixed typo in hauler store save (#331)
* updates to fix build processes (#330)
* added integration tests for non hauler tarballs (#325)
* bump: golang >= 1.23.1 (#328)
* add platform flag to store save (#329)
* Update feature_request.md
* updated/standardize command descriptions (#313)
* use new annotation for 'store save' manifest.json (#324)
* enable docker load for hauler tarballs (#320)
* bump to cosign v2.2.3-carbide.3 for new annotation (#322)
* continue on error when adding images to store (#317)
* Update README.md (#318)
* fixed completion commands (#312)
* github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)
* pages: enable go install hauler.dev/go/hauler (#310)
* Create CNAME
* pages: initial workflow (#309)
* testing and linting updates (#305)
* feat-273: TLS Flags (#303)
* added list-repos flag (#298)
* fixed hauler login typo (#299)
* updated cobra function for shell completion (#304)
* updated install.sh to remove github api (#293)
* fix image ref keys getting squashed when containing sigs/atts (#291)
* fix missing versin info in release build (#283)
* bump github.com/docker/docker in the go_modules group across 1 directory (#281)
* updated install script (`install.sh`) (#280)
* fix digest images being lost on load of hauls (Signed). (#259)
* feat: add readonly flag (#277)
* fixed makefile for goreleaser v2 changes (#278)
* updated goreleaser versioning defaults (#279)
* update feature_request.md (#274)
* updated old references
* updated actions workflow user
* added dockerhub to github actions workflow
* removed helm chart
* added debug container and workflow
* updated products flag description
* updated chart for release
* fixed workflow errors/warnings
* fixed permissions on testdata
* updated chart versions (will need to update again)
* last bit of fixes to workflow
* updated unit test workflow
* updated goreleaser deprecations
* added helm chart release job
* updated github template names
* updated imports (and go fmt)
* formatted gitignore to match dockerignore
* formatted all code (go fmt)
* updated chart tests for new features
* Adding the timeout flag for fileserver command
* Configure chart commands to use helm clients for OCI and private registry support
* Added some documentation text to sync command
* Bump golang.org/x/net from 0.17.0 to 0.23.0
* fix for dup digest smashing in cosign
* removed vagrant scripts
* last bit of updates and formatting of chart
* updated hauler testdata
* adding functionality and cleaning up
* added initial helm chart
* removed tag in release workflow
* updated/fixed image ref in release workflow
* updated/fixed platforms in release workflow
* updated/cleaned github actions (#222)
* Make Product Registry configurable (#194)
* updated fileserver directory name (#219)
* fix logging for files
* add extra info for the tempdir override flag
* tempdir override flag for load
* deprecate the cache flag instead of remove
* switch to using bci-golang as builder image
* fix: ensure /tmp for hauler store load
* added the copy back for now
* remove copy at the image sync not needed with cosign update
* removed misleading cache flag
* better logging when adding to store
* update to v2.2.3 of our cosign fork
* add: dockerignore
* add: Dockerfile
* Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
* Bump github.com/docker/docker
* updated and added new logos
* updated github files
ImportantSUSE bug 1235332SUSE bug 1241184SUSE bug 1241804SUSE bug 1246722SUSE bug 1248937SUSE bug 1251516SUSE bug 1251651SUSE bug 1251891CVE-2024-0406 at SUSECVE-2024-0406 at NVDCVE-2024-45338 at SUSECVE-2024-45338 at NVDCVE-2025-11579 at SUSECVE-2025-11579 at NVDCVE-2025-22872 at SUSECVE-2025-22872 at NVDCVE-2025-46569 at SUSECVE-2025-46569 at NVDCVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58058 at SUSECVE-2025-58058 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
- Chromium 143.0.7499.109 (boo#1254776):
* CVE-2025-14372: Use after free in Password Manager
* CVE-2025-14373: Inappropriate implementation in Toolbar
* third issue with an exploit is known to exist in the wild
ImportantSUSE bug 1254776CVE-2025-14372 at SUSECVE-2025-14372 at NVDCVE-2025-14373 at SUSECVE-2025-14373 at NVDSecurity update for cheat (Important)openSUSE Leap 16.0
This update for cheat fixes the following issues:
- Security:
* CVE-2025-47913: Fix client process termination (bsc#1253593)
* CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)
* CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)
* Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
* Replace golang.org/x/net=golang.org/x/net@v0.47.0
* Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
- Packaging improvements:
* Drop Requires: golang-packaging. The recommended Go toolchain
dependency expression is BuildRequires: golang(API) >= 1.x or
optionally the metapackage BuildRequires: go
* Use BuildRequires: golang(API) >= 1.19 matching go.mod
* Build PIE with pattern that may become recommended procedure:
%%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
A go toolchain buildmode default config would be preferable
but none exist at this time.
* Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
* Remove go build -o output binary location and name. Default
binary has the same name as package of func main() and is
placed in the top level of the build directory.
* Add basic %check to execute binary --help
- Packaging improvements:
* Service go_modules replace dependencies with CVEs
* Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm
* Replace golang.org/x/net=golang.org/x/net@v0.36.0
Fixes GO-2025-3503 CVE-2025-22870
* Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
Fixes GO-2025-3487 CVE-2025-22869
* Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
* Service tar_scm set mode manual from disabled
* Service tar_scm create archive from git so we can exclude
vendor directory upstream committed to git. Committed vendor
directory contents have build issues even after go mod tidy.
* Service tar_scm exclude dir vendor
* Service set_version set mode manual from disabled
* Service set_version remove param basename not needed
ImportantSUSE bug 1247629SUSE bug 1253593SUSE bug 1253922SUSE bug 1254051CVE-2023-48795 at SUSECVE-2023-48795 at NVDCVE-2025-21613 at SUSECVE-2025-21613 at NVDCVE-2025-21614 at SUSECVE-2025-21614 at NVDCVE-2025-22869 at SUSECVE-2025-22869 at NVDCVE-2025-22870 at SUSECVE-2025-22870 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-58181 at SUSECVE-2025-58181 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
Chromium 143.0.7499.146 (boo#1255115):
* CVE-2025-14765: Use after free in WebGPU
* CVE-2025-14766: Out of bounds read and write in V8
* CVE-2025-14174: Out of bounds memory access in ANGLE
ImportantSUSE bug 1255115CVE-2025-14174 at SUSECVE-2025-14174 at NVDCVE-2025-14765 at SUSECVE-2025-14765 at NVDCVE-2025-14766 at SUSECVE-2025-14766 at NVDRecommended update for trivy (Moderate)openSUSE Leap 16.0
This update for trivy fixes the following issues:
- Update to version 0.68.2:
* release: v0.68.2 [release/v0.68] (#9950)
* fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
* ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
ModerateSUSE bug 1251363SUSE bug 1251547SUSE bug 1253512SUSE bug 1253786SUSE bug 1253977CVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-47913 at SUSECVE-2025-47913 at NVDCVE-2025-47914 at SUSECVE-2025-47914 at NVDCVE-2025-58181 at SUSECVE-2025-58181 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for chromium (Important)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 143.0.7499.192 (boo#1256067):
* CVE-2026-0628: Insufficient policy enforcement in WebView tag
- Chromium 143.0.7499.169 (stable released 2025-12-18)
* no cve listed yet
ImportantSUSE bug 1256067CVE-2026-0628 at SUSECVE-2026-0628 at NVDSecurity update for matio (Important)openSUSE Leap 16.0
This update for matio fixes the following issues:
- update to version 1.5.29:
* Fix printing rank-1-variable in Mat_VarPrint
* Fix array index out of bounds in Mat_VarPrint when printing
UTF-8 character data (boo#1239678, CVE-2025-2337)
* Fix heap-based buffer overflow in strdup_vprintf
(boo#1239677, CVE-2025-2338)
* Changed Mat_VarPrint to print all values of rank-2-variable
* Several other fixes, for example for access violations in
Mat_VarPrint
- Update to version 1.5.28:
* Fixed bug writing MAT_T_INT8/MAT_T_UINT8 encoded character
array to compressed v5 MAT file (regression of v1.5.12).
* Fixed bug reading all-zero sparse array of v4 MAT file
(regression of v1.5.18).
* Updated C99 snprintf.c.
* CMake: Enabled testing.
* Several other fixes, for example for access violations in
Mat_VarPrint.
ImportantSUSE bug 1239677SUSE bug 1239678CVE-2025-2337 at SUSECVE-2025-2337 at NVDCVE-2025-2338 at SUSECVE-2025-2338 at NVDSecurity update for warewulf4 (Important)openSUSE Leap 16.0
This update for warewulf4 fixes the following issues:
Changes in warewulf4:
- Update to version 4.6.4:
* v4.6.4 release updates
* Convert disk booleans from wwbool to *bool which allows bools in
disk to be set to false via command line (bsc#1248768)
* Update NetworkManager Overlay
* Disable ipv4 in NetworkManager if no address or route is specified
* fix(wwctl): Create overlay edit tempfile in tmpdir
* Add default for systemd name for warewulf in warewulf.conf
* Atomic overlay file application in wwclient
* Simpler names for overlay methods
* Fix warewulfd api behavior when deleting distribution overlay
- Update to version 4.6.3:
* v4.6.3 release
* IPv6 iPXE support
* Fix a syntax error in the RPM specfile
* Fix a race condition in wwctl overlay edit
* Fixed handling of comma-separated mount options in `fstab` and `ignition` overlays
* Move reexec.Init() to beginning of wwctl
* Add documentation for using tmpfs to distribute across numa nodes
* added warewuld configure option
* Fix wwctl upgrade nodes to handle kernel argument lists (bsc#1227686 bsc#1227465)
* Address copilot review from #1945
* Refactor wwapi tests for proper isolation
* Bugfix: cloning a site overlay when parent dir does not exist
* Clone to a site overlay when adding files in wwapi
* Consolidated createOverlayFile and updateOverlayFile to addOverlayFile
* Support for creating and updating overlay file in wwapi
* Only return overlay files that refer to a path within the overlay
* add overlay file deletion support
* DELETE /api/overlays/{id}?force=true can delete overlays in use
* Restore idempotency of PUT /api/nodes/{id}
* Simplify overlay mtime api and add tests
* add node overlay buildtime
* Improved netplan support
* Rebuild overlays for discovered nodes
* Restrict userdocs from building during pr when not modified
* Update to v4.6.2 GitHub release notes
ImportantSUSE bug 1227465SUSE bug 1227686SUSE bug 1246082SUSE bug 1248768SUSE bug 1248906CVE-2025-58058 at SUSECVE-2025-58058 at NVDSecurity update for wget2 (Important)openSUSE Leap 16.0
This update for wget2 fixes the following issues:
Changes in wget2:
- Update to release 2.2.1
* Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
* Fix remote buffer overflow in get_local_filename_real()
[CVE-2025-69195 bsc#1255729]
* Fix a redirect/mirror regression from 400713ca
* Use the local system timestamp when requested via
--no-use-server-timestamps
* Prevent file truncation with --no-clobber
* Improve messages about why URLs are not being followed
* Fix metalink with -O/--output-document
* Fix sorting of metalink mirrors by priority
* Add --show-progress to improve backwards compatibility to wget
* Fix buffer overflow in wget_iri_clone() after
wget_iri_set_scheme()
* Allow 'no_' prefix in config options
* Use libnghttp2 for HTTP/2 testing
* Set exit status to 8 on 403 response code
* Fix convert-links
* Fix --server-response for HTTP/1.1
- Update to release 2.2.0
* Don't truncate file when -c and -O are combined
* Don't log URI userinfo to logs
* Fix downloading multiple files via HTTP/2
* Support connecting with HTTP/1.0 proxies
* Ignore 1xx HTTP responses for HTTP/1.1
* Disable TCP Fast Open by default
* Fix segfault when OCSP response is missing
* Add libproxy support
ImportantSUSE bug 1255728SUSE bug 1255729CVE-2025-69194 at SUSECVE-2025-69194 at NVDCVE-2025-69195 at SUSECVE-2025-69195 at NVDSecurity update for MozillaThunderbird (Important)openSUSE Leap 16.0
This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
- Mozilla Thunderbird 140.6.0 ESR
MFSA 2025-96 (bsc#1254551)
* CVE-2025-14321 (bmo#1992760)
Use-after-free in the WebRTC: Signaling component
* CVE-2025-14322 (bmo#1996473)
Sandbox escape due to incorrect boundary conditions in the
Graphics: CanvasWebGL component
* CVE-2025-14323 (bmo#1996555)
Privilege escalation in the DOM: Notifications component
* CVE-2025-14324 (bmo#1996840)
JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14325 (bmo#1998050)
JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14328 (bmo#1996761)
Privilege escalation in the Netmonitor component
* CVE-2025-14329 (bmo#1997018)
Privilege escalation in the Netmonitor component
* CVE-2025-14330 (bmo#1997503)
JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14331 (bmo#2000218)
Same-origin policy bypass in the Request Handling component
* CVE-2025-14333 (bmo#1966501, bmo#1997639)
Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird
ESR 140.6, Firefox 146 and Thunderbird 146
ImportantSUSE bug 1254551CVE-2025-14321 at SUSECVE-2025-14321 at NVDCVE-2025-14322 at SUSECVE-2025-14322 at NVDCVE-2025-14323 at SUSECVE-2025-14323 at NVDCVE-2025-14324 at SUSECVE-2025-14324 at NVDCVE-2025-14325 at SUSECVE-2025-14325 at NVDCVE-2025-14328 at SUSECVE-2025-14328 at NVDCVE-2025-14329 at SUSECVE-2025-14329 at NVDCVE-2025-14330 at SUSECVE-2025-14330 at NVDCVE-2025-14331 at SUSECVE-2025-14331 at NVDCVE-2025-14333 at SUSECVE-2025-14333 at NVDSecurity update for chromium (Moderate)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Chromium 141.0.7390.122:
* CVE-2025-12036: Inappropriate implementation in V8 (boo#1252402)
ModerateSUSE bug 1252402CVE-2025-12036 at SUSECVE-2025-12036 at NVDSecurity update for chromium (Moderate)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 144.0.7559.59 (boo#1256614)
* CVE-2026-0899: Out of bounds memory access in V8
* CVE-2026-0900: Inappropriate implementation in V8
* CVE-2026-0901: Inappropriate implementation in Blink
* CVE-2026-0902: Inappropriate implementation in V8
* CVE-2026-0903: Insufficient validation of untrusted input in Downloads
* CVE-2026-0904: Incorrect security UI in Digital Credentials
* CVE-2026-0905: Insufficient policy enforcement in Network
* CVE-2026-0906: Incorrect security UI
* CVE-2026-0907: Incorrect security UI in Split View
* CVE-2026-0908: Use after free in ANGLE
- use noopenh264 where available
ModerateSUSE bug 1256614CVE-2026-0899 at SUSECVE-2026-0899 at NVDCVE-2026-0900 at SUSECVE-2026-0900 at NVDCVE-2026-0901 at SUSECVE-2026-0901 at NVDCVE-2026-0902 at SUSECVE-2026-0902 at NVDCVE-2026-0903 at SUSECVE-2026-0903 at NVDCVE-2026-0904 at SUSECVE-2026-0904 at NVDCVE-2026-0905 at SUSECVE-2026-0905 at NVDCVE-2026-0906 at SUSECVE-2026-0906 at NVDCVE-2026-0907 at SUSECVE-2026-0907 at NVDCVE-2026-0908 at SUSECVE-2026-0908 at NVDSecurity update for gimp (Important)openSUSE Leap 16.0
This update for gimp fixes the following issues:
Changes in gimp:
Update to 3.0.6:
- Security:
- During development, we received reports from the Zero Day
Initiative of potential security issues with some of our file
import plug-ins. While these issues are very unlikely to
occur with real files, developers like Jacob Boerema and Alx
Sa proactively improved security for those imports.
The resolved reports are:
- ZDI-CAN-27793
- ZDI-CAN-27823
- ZDI-CAN-27836
- ZDI-CAN-27878
- ZDI-CAN-27863
- ZDI-CAN-27684
- Core:
- Many false-positive build warnings have been cleaned out (and
proper issues fixed).
- Various crashes fixed.
- When creating a layer mask from the layer's alpha, but the
layer has no alpha, simply fill the mask with complete
opacity instead of a completely transparent layer.
- Various core infrastructure code reviewed, cleaned up,
refactored and improved, in drawable, layer and filter
handling code, tree view code, and more.
- GIMP_ICONS_LIKE_A_BOSS environment variable is not working
anymore (because "gtk-menu-images" and "gtk-button-images"
have been deprecated in GTK3 and removed in GTK4) and was
therefore removed.
- Lock Content now shows as an undo step.
- Add alpha channel for certain transforms.
- Add alpha channel on filter merge, when necessary.
- Filters can now be applied non-destructively on channels.
- Improved Photoshop brush support.
- After deleting a palette entry, the next entry is
automatically selected. This allows easily deleting several
entries in a row, among other usage.
- Resize image to layers irrespective to selections.
- Improved in-GUI release notes' demo script language:
- We can now set a button value to click it: "toolbox:text,
tool-options:outline=1, tool-options:outline-direction"
- Color selector's module names can be used as identifiers:
"color-editor,color-editor:CMYK=1,color-editor:total-ink-coverage"
- Fixed Alpha to Selection on single layers with no
transparency.
- Various code is slowly ported to newer code, preparing for
GTK4 port (in an unplanned future step):
- Using g_set_str() (optionally redefining it in our core
code to avoid bumping the GLib minimum requirement).
- Start using GListModel in various pieces of code, in
particular getting rid of more and more usage of
GtkTreeView when possible (as it will be deprecated with
GTK4).
- New GimpRow class for all future row widgets.
- Use more of G_DECLARE_DERIVABLE_TYPE and
G_DECLARE_FINAL_TYPE where relevant.
- New GimpContainerListView using a GtkListBox.
- New GimpRowSeparator, GimpRowSettings, GimpRowFilter and
GimpRowDrawableFilter widgets.
- (Experimental) GEX Format was updated.
- Palette import:
- Set alpha value for image palette imports.
- Fix Lab & CMYK ACB palette import.
- Add palette format filters to import dialog, making it more
apparent what palette formats are supported, and giving the
ability to hide irrelevant files.
- Improved filter actions' sensitivity to make sure they are
set insensitive when relevant. In particular filters which
cannot be run non-destructively (e.g. filters with aux
inputs, non-interactive filters and GEGL Graph) must be
insensitive when trying to run them on group layers.
- Fix bad axis centering on zoom out.
- Export better SVG when exporting paths.
- Tools:
- Text tool: make sure the default color is only changed when
the user confirms the color change.
- Foreground Selection tool: do not create a selection when no
strokes has been made. In particular this removes the
unnecessary delay which happened when switching to another
tool without actually stroking anything.
- All Transform tools: transform boundaries for preview is now
multi-layers aware.
- (Experimental) Seamless Clone tool: made to work again,
though it is still too slow to get out of Playground.
- Graphical User Interface:
- Various improvements to window management:
- Keep-Above windows are set with the Utility hint.
- Utility windows are not made transient to a parent.
- Transient factory dialogs follow the active display,
ensuring that new image windows would not hide your toolbox
and dock windows.
- Various CSS improvements for styling of the interface. Some
theme leaks were also fixed.
- New toggle button in Brushes and Fonts dockable, allowing
brush and font previews to optionally follow the color theme.
For instance, when using a dark theme, the brush and font
previews could be drawn on the theme background, using the
theme foreground colors. By default, these data previews are
still drawn as black on white.
- Palette grid is now drawn with the theme's background color.
- Consistent naming patterns on human-facing options (first
word only capitalized).
- About dialog:
- We will now display the date and time of the last check in
a "Up to date as of <date> at <time>" string, differing
from the "Last checked on <date> at <time>" string. The
former will be used to indicate that GIMP is indeed
up-to-date whereas the latter when a new version was
released and that you should update.
- We now respect the system time/date format on macOS and
Windows.
- The search popup won't pop up without an image.
- Better zoom step algorithm for data previews in container
popup (e.g. the brush popup in paint Tool Options).
- Disable animation in the Input Controller, Preferences and
Welcome dialogs for stack transition when animation are
disabled in system settings.
- Fixed crosshair hotspot on Windows (crosshair cursor for
brushes was offset with a non-100% display scale factor).
- Debug/CRITICAL dialog:
- Make sure it is non-modal.
- Follow the theme mode under Windows.
- While loading images, all widgets in the file dialog are made
insensitive, except for the Cancel button and the progress
bar.
- Both grid and list views can now zoom via scroll and zoom
gestures (it used to only work in list views).
- Pop an error message up on startup when GIO modules to read
HTTPS links are not found and that we therefore fail to load
the remote gimp_versions.json file. With the AppImage package
in particular, we depend on an environment daemon which
cannot be shipped in the package. So the next best thing is
to warn people and tell them what they should install to get
version checks.
- Welcome dialog:
- The "Community Tutorials" link is now shown after the
"Documentation" link.
- The "Learn more" link in Release Notes tab leads to the
actual release news for this version.
- Plug-ins:
- PDF export: do not draw disabled layer masks.
- Jigsaw: the plug-in can now draw on transparent layers.
- Various file format fixes and improvements: JPEG 2000 import,
TIFF import, DDS import, SVG import, PSP import, FITS export,
ICNS import, Dicom import, WBMP import, Farbfeld import, XWD
import, ILBM import.
- Sphere Designer: use spin scale instead of spin entries (the
latter is unusable with little horizontal space).
- Animation Play: frames are shown again in the playback
progress bar.
- Vala Goat Exercise: ignoring C warning in this Vala plug-in
as it is generated code and we cannot control it.
- file-gih: brush pipe selection modes now have nice,
translatable names.
- Metadata viewer: port from GtkTreeView to GtkListBox.
- File Raw Data: reduce Raw Data load dialogue height by moving
to a 2-column layout.
- SVG import: it is now possible to break aspect ratio with
specific width/height arguments, when calling the PDB
procedure non-interactively (from other plug-ins).
- Print: when run through a portal print dialog, the "Image
Settings" will be exposed as a secondary dialog, outputted
after the portal dialog, instead of a tab on the main print
dialog (because it is not possible to tweak the print dialog
when it is created by a portal). This will bring back usable
workflow of printing with GIMP when run in a sandbox (e.g.
Flatpak or Snap).
- Recompose: fixed for YCbCr decomposed images.
- Fixed vulnerabilities: ZDI-CAN-27684, ZDI-CAN-27863,
ZDI-CAN-27878, ZDI-CAN-27836, ZDI-CAN-27823, ZDI-CAN-27793.
- C Source and HTML export can now be run non-interactively too
(e.g. from other plug-ins).
- Map Object: fix missing spin boxes.
- Small Tiles: fix display lag.
- CVE-2025-10925: Fix GIMP ILBM file parsing stack-based buffer overflow remote code
execution vulnerability. (ZDI-25-914, ZDI-CAN-27793, bsc#1250501)
- CVE-2025-10922: Fix GIMP DCM file parsing heap-based buffer overflow remote code
execution vulnerability. (ZDI-25-911, ZDI-CAN-27863, bsc#1250497)
- CVE-2025-10920: Prevent overflow attack by checking if output >= max, not just
output > max. (ZDI-25-909, ZDI-CAN-27684, bsc#1250495)
- CVE-2025-10924: Fix integer overflow while parsing FF files. (bsc#1250499)
- CVE-2025-2760: A vulnerability allows remote attackers to execute arbitrary
code on affected installations of GIMP. The specific flaw exists
within parsing of XWD files. An integer overflow happens before
allocating a buffer. This fixed in GIMP 3.0.0.
https://www.gimp.org/news/2025/03/16/gimp-3-0-released
(bsc#1241690)
ImportantSUSE bug 1241690SUSE bug 1250495SUSE bug 1250497SUSE bug 1250499SUSE bug 1250501CVE-2025-10920 at SUSECVE-2025-10920 at NVDCVE-2025-10922 at SUSECVE-2025-10922 at NVDCVE-2025-10924 at SUSECVE-2025-10924 at NVDCVE-2025-10925 at SUSECVE-2025-10925 at NVDCVE-2025-2760 at SUSECVE-2025-2760 at NVDSecurity update for go-sendxmpp (Moderate)openSUSE Leap 16.0
This update for go-sendxmpp fixes the following issues:
Changes in go-sendxmpp:
- Update to 0.15.1:
Added
* Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).
Changed
* HTTP upload: Ignore timeouts on disco IQs as some components do
not reply.
- Upgrades the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251461, CVE-2025-47911: various algorithms with
quadratic complexity when parsing HTML documents
* Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption
by 'html.ParseFragment' when processing specially crafted input
- Update to 0.15.0:
Added:
* Add flag --verbose to show debug information.
* Add flag --recipients to specify recipients by file.
* Add flag --retry-connect to try after a waiting time if the connection fails.
* Add flag --retry-connect-max to specify the amount of retry attempts.
* Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
* Add support for punycode domains.
Changed:
* Update gopenpgp library to v3.
* Improve error detection for MUC joins.
* Don't try to connect to other SRV record targets if error contains 'auth-failure'.
* Remove support for old SSDP version (via go-xmpp v0.2.15).
* Http-upload: Stop checking other disco items after finding upload component.
* Increase default TLS version to 1.3.
- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0
- Update to 0.14.1:
* Use prettier date format for error messages.
* Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).
- Update to 0.14.0:
Added:
* Add --fast-invalidate to allow invalidating the FAST token.
Changed:
* Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
* Delete legacy Ox private key directory if it's empty.
* Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9).
* Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9).
* Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9).
* Delete stored fast token if --fast-invalidate and --fast-off are set.
* Show error when FAST creds are stored but non-FAST mechanism is requested.
- Update to 0.13.0:
Added:
* Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8).
* Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8).
* Add support for see-other-host stream error (requires go-xmpp >= 0.2.8).
Changed:
* Don't automatically try other auth mechanisms if FAST authentication fails.
- Update to 0.12.1:
Changed:
* Print error instead of quitting if a message of type error is received.
* Allow upload of multiple files.
Added:
* Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.
- Update to 0.12.0:
Added:
* Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3).
* Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5).
Changed:
* Disable PLAIN authentication per default.
* Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires
go-xmpp >= 0.2.5).
- Update to 0.11.4:
* Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4).
- Update to 0.11.3:
* Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2).
* Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3).
* [gocritic]: Improve code quality.
ModerateSUSE bug 1241814SUSE bug 1251461SUSE bug 1251677CVE-2025-22872 at SUSECVE-2025-22872 at NVDCVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDSecurity update for ffmpeg-4 (Important)openSUSE Leap 16.0
This update for ffmpeg-4 fixes the following issues:
- CVE-2025-63757: Fixed swscale/output: Fix integer overflow in yuv2ya16_X_c_template() (bsc#1255392).
ImportantSUSE bug 1255392CVE-2025-63757 at SUSECVE-2025-63757 at NVDSecurity update for python-weasyprint (Important)openSUSE Leap 16.0
This update for python-weasyprint fixes the following issues:
Changes in python-weasyprint:
- CVE-2025-68616: Fixed a server-side request forgery in default fetcher (boo#1256936).
ImportantSUSE bug 1256936CVE-2025-68616 at SUSECVE-2025-68616 at NVDSecurity update for coredns (Important)openSUSE Leap 16.0
This update for coredns fixes the following issues:
Changes in coredns:
- fix CVE-2025-68156 bsc#1255345
- fix CVE-2025-68161 bsc#1256411
- Update to version 1.14.0:
* core: Fix gosec G115 integer overflow warnings
* core: Add regex length limit
* plugin/azure: Fix slice init length
* plugin/errors: Add optional show_first flag to consolidate directive
* plugin/file: Fix for misleading SOA parser warnings
* plugin/kubernetes: Rate limits to api server
* plugin/metrics: Implement plugin chain tracking
* plugin/sign: Report parser err before missing SOA
* build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7
- Update to version 1.13.2:
* core: Add basic support for DoH3
* core: Avoid proxy unnecessary alloc in Yield
* core: Fix usage of sync.Pool to save an alloc
* core: Fix data race with sync.RWMutex for uniq
* core: Prevent QUIC reload panic by lazily initializing the listener
* core: Refactor/use reflect.TypeFor
* plugin/auto: Limit regex length
* plugin/cache: Remove superfluous allocations in item.toMsg
* plugin/cache: Isolate metadata in prefetch goroutine
* plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil
packages
* plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy
* plugin/file: Performance finetuning
* plugin/forward: Disallow NOERROR in failover
* plugin/forward: Added support for per-nameserver TLS SNI
* plugin/forward: Prevent busy loop on connection err
* plugin/forward: Add max connect attempts knob
* plugin/geoip: Add ASN schema support
* plugin/geoip: Add support for subdivisions
* plugin/kubernetes: Fix kubernetes plugin logging
* plugin/multisocket: Cap num sockets to prevent OOM
* plugin/nomad: Support service filtering
* plugin/rewrite: Pre-compile CNAME rewrite regexp
* plugin/secondary: Fix reload causing secondary plugin goroutine to leak
- Update to version 1.13.1:
* core: Avoid string concatenation in loops
* core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
* plugin/sign: Reject invalid UTF‑8 dbfile token
- Update to version 1.13.0:
* core: Export timeout values in dnsserver.Server
* core: Fix Corefile infinite loop on unclosed braces
* core: Fix Corefile related import cycle issue
* core: Normalize panics on invalid origins
* core: Rely on dns.Server.ShutdownContext to gracefully stop
* plugin/dnstap: Add bounds for plugin args
* plugin/file: Fix data race in tree Elem.Name
* plugin/forward: No failover to next upstream when receiving SERVFAIL or
REFUSED response codes
* plugin/grpc: Enforce DNS message size limits
* plugin/loop: Prevent panic when ListenHosts is empty
* plugin/loop: Avoid panic on invalid server block
* plugin/nomad: Add a Nomad plugin
* plugin/reload: Prevent SIGTERM/reload deadlock
- fix CVE-2025-58063 bsc#1249389
- Update to version 1.12.4:
* bump deps
* fix(transfer): goroutine leak on axfr err (#7516)
* plugin/etcd: fix import order for ttl test (#7515)
* fix(grpc): check proxy list length in policies (#7512)
* fix(https): propagate HTTP request context (#7491)
* fix(plugin): guard nil lookups across plugins (#7494)
* lint: add missing prealloc to backend lookup test (#7510)
* fix(grpc): span leak on error attempt (#7487)
* test(plugin): improve backend lookup coverage (#7496)
* lint: enable prealloc (#7493)
* lint: enable durationcheck (#7492)
* Add Sophotech to adopters list (#7495)
* plugin: Use %w to wrap user error (#7489)
* fix(metrics): add timeouts to metrics HTTP server (#7469)
* chore(ci): restrict token permissions (#7470)
* chore(ci): pin workflow dependencies (#7471)
* fix(forward): use netip package for parsing (#7472)
* test(plugin): improve test coverage for pprof (#7473)
* build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
* plugin/file: fix label offset problem in ClosestEncloser (#7465)
* feat(trace): migrate dd-trace-go v1 to v2 (#7466)
* test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
* chore: update Go version to 1.24.6 (#7437)
* plugin/header: Remove deprecated syntax (#7436)
* plugin/loadbalance: support prefer option (#7433)
* Improve caddy.GracefulServer conformance checks (#7416)
- Update to version 1.12.3:
* chore: Minor changes to `Dockerfile` (#7428)
* Properly create hostname from IPv6 (#7431)
* Bump deps
* fix: handle cached connection closure in forward plugin (#7427)
* plugin/test: fix TXT record comparison for multi-chunk vs multiple records
* plugin/file: preserve case in SRV record names and targets per RFC 6763
* fix(auto/file): return REFUSED when no next plugin is available (#7381)
* Port to AWS Go SDK v2 (#6588)
* fix(cache): data race when refreshing cached messages (#7398)
* fix(cache): data race when updating the TTL of cached messages (#7397)
* chore: fix docs incompatibility (#7390)
* plugin/rewrite: Add EDNS0 Unset Action (#7380)
* add args: startup_timeout for kubernetes plugin (#7068)
* [plugin/cache] create a copy of a response to ensure original data is never
modified
* Add support for fallthrough to the grpc plugin (#7359)
* view: Add IPv6 example match (#7355)
* chore: enable more rules from revive (#7352)
* chore: enable early-return and superfluous-else from revive (#7129)
* test(plugin): improve tests for auto (#7348)
* fix(proxy): flaky dial tests (#7349)
* test: add t.Helper() calls to test helper functions (#7351)
* fix(kubernetes): multicluster DNS race condition (#7350)
* lint: enable wastedassign linter (#7340)
* test(plugin): add tests for any (#7341)
* Actually invoke make release -f Makefile.release during test (#7338)
* Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
* lint: enable protogetter linter (#7336)
* lint: enable nolintlint linter (#7332)
* fix: missing intrange lint fix (#7333)
* perf(kubernetes): optimize AutoPath slice allocation (#7323)
* lint: enable intrange linter (#7331)
* feat(plugin/file): fallthrough (#7327)
* lint: enable canonicalheader linter (#7330)
* fix(proxy): avoid Dial hang after Transport stopped (#7321)
* test(plugin): add tests for pkg/rand (#7320)
* test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
* fix: loop variable capture and linter (#7328)
* lint: enable usetesting linter (#7322)
* test: skip certain network-specific tests on non-Linux (#7318)
* test(dnsserver): improve core/dnsserver test coverage (#7317)
* fix(metrics): preserve request size from plugins (#7313)
* fix: ensure DNS query name reset in plugin.NS error path (#7142)
* feat: enable plugins via environment during build (#7310)
* fix(plugin/bind): remove zone for link-local IPv4 (#7295)
* test(request): improve coverage across package (#7307)
* test(coremain): Add unit tests (#7308)
* ci(test-e2e): add Go version setup to workflow (#7309)
* kubernetes: add multicluster support (#7266)
* chore: Add new maintainer thevilledev (#7298)
* Update golangci-lint (#7294)
* feat: limit concurrent DoQ streams and goroutines (#7296)
* docs: add man page for multisocket plugin (#7297)
* Prepare for the k8s api upgrade (#7293)
* fix(rewrite): truncated upstream response (#7277)
* fix(plugin/secondary): make transfer property mandatory (#7249)
* plugin/bind: remove macOS bug mention in docs (#7250)
* Remove `?bla=foo:443` for `POST` DoH (#7257)
* Do not interrupt querying readiness probes for plugins (#6975)
* Added `SetProxyOptions` function for `forward` plugin (#7229)
- Backported quic-go PR #5094: Fix parsing of ifindex from packets
to ensure compatibility with big-endian architectures
(see quic-go/quic-go#4978, coredns/coredns#6682).
- Update to version 1.12.1:
* core: Increase CNAME lookup limit from 7 to 10 (#7153)
* plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
* plugin/kubernetes: Revert "only create PTR records for endpoints with
hostname defined"
* plugin/forward: added option failfast_all_unhealthy_upstreams to return
servfail if all upstreams are down
* bump dependencies, fixing bsc#1239294 and bsc#1239728
- Update to version 1.12.0:
* New multisocket plugin - allows CoreDNS to listen on multiple sockets
* bump deps
- Update to version 1.11.4:
* forward plugin: new option next, to try alternate upstreams when receiving
specified response codes upstreams on (functions like the external plugin
alternate)
* dnssec plugin: new option to load keys from AWS Secrets Manager
* rewrite plugin: new option to revert EDNS0 option rewrites in responses
- Update to version 1.11.3+git129.387f34d:
* fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991)
build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
* core: set cache-control max-age as integer, not float (#6764)
* Issue-6671: Fixed the order of plugins. (#6729)
* `root`: explicit mark `dnssec` support (#6753)
* feat: dnssec load keys from AWS Secrets Manager (#6618)
* fuzzing: fix broken oss-fuzz build (#6880)
* Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
* Update .go-version to 1.23.2 (#6920)
* plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
* Added OpenSSF Scorecard Badge (#6738)
* fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
* fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
* feature: log queue and buffer memory size configuration (#6591)
* plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
* only create PTR records for endpoints with hostname defined (#6898)
* fix: reverter should execute the reversion in reversed order (#6872)
* plugin/etcd: fix etcd connection leakage when reload (#6646)
* kubernetes: Add useragent (#6484)
* Update build (#6836)
* Update grpc library use (#6826)
* Bump go version from 1.21.11 to 1.21.12 (#6800)
* Upgrade antonmedv/expr to expr-lang/expr (#6814)
* hosts: add hostsfile as label for coredns_hosts_entries (#6801)
* fix TestCorefile1 panic for nil handling (#6802)
ImportantSUSE bug 1239294SUSE bug 1239728SUSE bug 1249389SUSE bug 1255345SUSE bug 1256411CVE-2024-51744 at SUSECVE-2024-51744 at NVDCVE-2025-58063 at SUSECVE-2025-58063 at NVDCVE-2025-68156 at SUSECVE-2025-68156 at NVDCVE-2025-68161 at SUSECVE-2025-68161 at NVDSecurity update for gimp (Important)openSUSE Leap 16.0
This update for gimp fixes the following issues:
Changes in gimp:
- CVE-2025-14422: Fixed PNM File Parsing Integer Overflow (bsc#1255293)
- CVE-2025-14423: Fixed LBM File Parsing Stack-based Buffer Overflow (bsc#1255294)
- CVE-2025-14424: Fixed XCF File Parsing Use-After-Free (bsc#1255295)
- CVE-2025-14425: Fixed JP2 File Parsing Heap-based Buffer Overflow(bsc#1255296)
ImportantSUSE bug 1255293SUSE bug 1255294SUSE bug 1255295SUSE bug 1255296CVE-2025-14422 at SUSECVE-2025-14422 at NVDCVE-2025-14423 at SUSECVE-2025-14423 at NVDCVE-2025-14424 at SUSECVE-2025-14424 at NVDCVE-2025-14425 at SUSECVE-2025-14425 at NVDSecurity update for chromium (Moderate)openSUSE Leap 16.0
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 144.0.7559.96 (boo#1257011)
* CVE-2026-1220: Race in V8
- update INSTALL.sh to handle the addded tags in the desktop file (boo#1256938)
ModerateSUSE bug 1256938SUSE bug 1257011CVE-2026-1220 at SUSECVE-2026-1220 at NVDSecurity update for sbctl (Moderate)openSUSE Leap 16.0
This update for sbctl fixes the following issues:
Changes in sbctl:
- Upgrade the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251399, CVE-2025-47911: various algorithms with
quadratic complexity when parsing HTML documents
* Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption
by 'html.ParseFragment' when processing specially crafted input
- Update to version 0.18:
* logging: fixup new go vet warning
* workflows: add cc for cross compile
* workflow: add sudo to apt
* workflow: add pcsclite to ci
* workflow: try enable cgo
* go.mod: update golang.org/x/ dependencies
* fix: avoid adding bogus Country attribute to subject DNs
* sbctl: only store file if we did actually sign the file
* installkernel: add post install hook for Debian's traditional installkernel
* CI: missing libpcsclite pkg
* workflows: add missing depends and new pattern keyword
* Add yubikey example for create keys to the README
* Initial yubikey backend keytype support
* verify: ensure we pass args in correct order
- bsc#1248949 (CVE-2025-58058):
Bump xz to 0.5.14
- Update to version 0.17:
* Ensure we don't wrongly compare input/output files when signing
* Added --json supprt to sbctl verify
* Ensure sbctl setup with no arguments returns a helpful output
* Import latest Microsoft keys for KEK and db databases
* Ensure we print the path of the file when encountering an invalid PE file
* Misc fixups in tests
* Misc typo fixes in prints
- Update to version 0.16:
* Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
present
* Fixed a bug where sbctl would abort if the TPM eventlog
contains the same byte multiple times
* Fixed a landlock bug where enroll-keys --export did not work
* Fixed a bug where an ESP mounted to multiple paths would not be
detected
* Exporting keys without efivars present work again
* sbctl sign will now use the saved output path if the signed
file is enrolled
* enroll-keys --append will now work without --force.
- Updates from version 0.15.4:
* Fixed an issue where sign-all did not report a non-zero exit
code when something failed
* Fixed and issue where we couldn't write to a file with landlock
* Fixed an issue where --json would print the human readable
output and the json
* Fixes landlock for UKI/bundles by disabling the sandbox feature
* Some doc fixups that mentioned /usr/share/
ModerateSUSE bug 1248949SUSE bug 1251399SUSE bug 1251609CVE-2025-47911 at SUSECVE-2025-47911 at NVDCVE-2025-58058 at SUSECVE-2025-58058 at NVDCVE-2025-58190 at SUSECVE-2025-58190 at NVDRecommended update for hauler (Moderate)openSUSE Leap 16.0
This update for hauler fixes the following issues:
Changes in hauler:
- Update to version 1.4.1 (bsc#1256546, CVE-2026-22772):
* fixed typos for containerd imports (#493)
* fix and support containerd imports of `hauls` (#492)
* bump github.com/sigstore/fulcio (#489)
- Update to version 1.4.0:
* added/updated logging for `serve` and `remove` (#487)
* added/fixed helm chart images/dependencies features (#485)
* more experimental feature updates (#486)
* add experimental notes (#483)
* updated tempdir flag to store persistent flags (#484)
* delete artifacts from store (#473)
* path rewrites (#475)
* updated/fixed workflow dependency versions (#478)
- Update to version 1.3.2:
* bump to latest cosign fork release (#481)
* Bump golang.org/x/crypto in the go_modules group across 1 directory (#476)
ModerateSUSE bug 1256546CVE-2026-22772 at SUSECVE-2026-22772 at NVDgo1.25go1.25-docgo1.25-libstdgo1.25-raceopenSUSE-releasego1.24go1.24-docgo1.24-libstdgo1.24-racekeylime-configkeylime-firewalldkeylime-logrotatekeylime-registrarkeylime-tenantkeylime-tpm_cert_storekeylime-verifierpython313-keylimeImageMagickImageMagick-config-7-SUSEImageMagick-config-7-upstream-limitedImageMagick-config-7-upstream-openImageMagick-config-7-upstream-secureImageMagick-config-7-upstream-websafeImageMagick-develImageMagick-docImageMagick-extralibMagick++-7_Q16HDRI5libMagick++-devellibMagickCore-7_Q16HDRI10libMagickWand-7_Q16HDRI10perl-PerlMagickgrub2grub2-arm64-efigrub2-arm64-efi-blsgrub2-arm64-efi-debuggrub2-arm64-efi-extrasgrub2-branding-upstreamgrub2-commongrub2-i386-pcgrub2-i386-pc-debuggrub2-i386-pc-extrasgrub2-powerpc-ieee1275grub2-powerpc-ieee1275-debuggrub2-powerpc-ieee1275-extrasgrub2-s390x-emugrub2-s390x-emu-debuggrub2-s390x-emu-extrasgrub2-snapper-plugingrub2-systemd-sleep-plugingrub2-x86_64-efigrub2-x86_64-efi-blsgrub2-x86_64-efi-debuggrub2-x86_64-efi-extrasgrub2-x86_64-xengrub2-x86_64-xen-debuggrub2-x86_64-xen-extraslibopenssl-3-devellibopenssl-3-fips-providerlibopenssl-3-fips-provider-x86-64-v3libopenssl3libopenssl3-x86-64-v3openssl-3openssl-3-docqemuqemu-SLOFqemu-accel-qtestqemu-armqemu-audio-alsaqemu-audio-dbusqemu-audio-jackqemu-audio-ossqemu-audio-paqemu-audio-pipewireqemu-audio-spiceqemu-block-curlqemu-block-dmgqemu-block-iscsiqemu-block-nfsqemu-block-rbdqemu-block-sshqemu-chardev-baumqemu-chardev-spiceqemu-docqemu-extraqemu-guest-agentqemu-headlessqemu-hw-display-qxlqemu-hw-display-virtio-gpuqemu-hw-display-virtio-gpu-pciqemu-hw-display-virtio-vgaqemu-hw-s390x-virtio-gpu-ccwqemu-hw-usb-hostqemu-hw-usb-redirectqemu-hw-usb-smartcardqemu-imgqemu-ipxeqemu-ivshmem-toolsqemu-ksmqemu-langqemu-linux-userqemu-microvmqemu-ppcqemu-pr-helperqemu-s390xqemu-seabiosqemu-skibootqemu-spiceqemu-toolsqemu-ui-cursesqemu-ui-dbusqemu-ui-gtkqemu-ui-openglqemu-ui-spice-appqemu-ui-spice-coreqemu-vgabiosqemu-vhost-user-gpuqemu-vmsr-helperqemu-x86cluster-md-kmp-64kbcluster-md-kmp-defaultcluster-md-kmp-rtdlm-kmp-64kbdlm-kmp-defaultdlm-kmp-rtdtb-allwinnerdtb-alteradtb-amazondtb-amddtb-amlogicdtb-apmdtb-appledtb-armdtb-broadcomdtb-caviumdtb-exynosdtb-freescaledtb-hisilicondtb-lgdtb-marvelldtb-mediatekdtb-nvidiadtb-qcomdtb-renesasdtb-rockchipdtb-socionextdtb-sprddtb-xilinxgfs2-kmp-64kbgfs2-kmp-defaultgfs2-kmp-rtkernel-64kbkernel-64kb-extrakernel-64kb-optionalkernel-defaultkernel-default-basekernel-default-extrakernel-default-optionalkernel-default-vdsokernel-docskernel-docs-htmlkernel-kvmsmallkernel-kvmsmall-vdsokernel-macroskernel-obs-buildkernel-obs-qakernel-rtkernel-rt-extrakernel-rt-optionalkernel-rt-vdsokernel-sourcekernel-source-vanillakernel-symskernel-zfcpdumpkselftests-kmp-64kbkselftests-kmp-defaultkselftests-kmp-rtocfs2-kmp-64kbocfs2-kmp-defaultocfs2-kmp-rtfontforgefontforge-develfontforge-doclibmariadbd-devellibmariadbd19mariadbmariadb-benchmariadb-clientmariadb-errormessagesmariadb-galeramariadb-rpm-macrosmariadb-testmariadb-toolspython313-saltpython313-salt-testsuitesaltsalt-apisalt-bash-completionsalt-cloudsalt-docsalt-fish-completionsalt-mastersalt-minionsalt-proxysalt-sshsalt-standalone-formulas-configurationsalt-syndicsalt-transactional-updatesalt-zsh-completionlibipa_hbac-devellibipa_hbac0libnfsidmap-ssslibsss_certmap-devellibsss_certmap0libsss_idmap-devellibsss_idmap0libsss_nss_idmap-devellibsss_nss_idmap0python3-ipa_hbacpython3-sss-murmurpython3-sss_nss_idmappython3-sssd-configsssdsssd-adsssd-cifs-idmap-pluginsssd-dbussssd-ipasssd-kcmsssd-krb5sssd-krb5-commonsssd-ldapsssd-proxysssd-toolssssd-winbind-idmapvalkeyvalkey-compat-redisvalkey-develavahiavahi-autoipdavahi-compat-howl-develavahi-compat-mDNSResponder-develavahi-langavahi-utilsavahi-utils-gtklibavahi-client3libavahi-common3libavahi-core7libavahi-devellibavahi-glib-devellibavahi-glib1libavahi-gobject-devellibavahi-gobject0libavahi-libevent1libavahi-qt6-1libavahi-qt6-devellibavahi-ui-gtk3-0libdns_sdlibhowl0python3-avahi-gtkpython313-avahitypelib-1_0-Avahi-0_6MozillaFirefoxMozillaFirefox-branding-upstreamMozillaFirefox-develMozillaFirefox-translations-commonMozillaFirefox-translations-otherpython313-tornado6libmicrohttpd-devellibmicrohttpd12libpng16-16libpng16-16-x86-64-v3libpng16-compat-devellibpng16-compat-devel-x86-64-v3libpng16-devellibpng16-devel-x86-64-v3libpng16-toolsgio-branding-upstreamglib2-develglib2-devel-staticglib2-docglib2-langglib2-tests-develglib2-toolslibgio-2_0-0libgirepository-2_0-0libglib-2_0-0libgmodule-2_0-0libgobject-2_0-0libgthread-2_0-0typelib-1_0-GIRepository-3_0typelib-1_0-GLib-2_0typelib-1_0-GLibUnix-2_0typelib-1_0-GModule-2_0typelib-1_0-GObject-2_0typelib-1_0-Gio-2_0hawk2python313-uvpython313-uv-bash-completionpython313-uv-fish-completionpython313-uv-zsh-completionsquiddirmngrgpg2gpg2-langgpg2-tpmapache2apache2-develapache2-eventapache2-manualapache2-preforkapache2-utilsapache2-workercurlcurl-fish-completioncurl-zsh-completionlibcurl-devellibcurl-devel-doclibcurl4haproxytomcattomcat-admin-webappstomcat-docs-webapptomcat-el-3_0-apitomcat-embedtomcat-javadoctomcat-jsp-2_3-apitomcat-jsvctomcat-libtomcat-servlet-4_0-apitomcat-webappsbindbind-docbind-modules-bdbhptbind-modules-genericbind-modules-ldapbind-modules-mysqlbind-modules-perlbind-modules-sqlite3bind-utilserlangerlang-debuggererlang-debugger-srcerlang-dialyzererlang-dialyzer-srcerlang-diametererlang-diameter-srcerlang-docerlang-epmderlang-eterlang-et-srcerlang-jinterfaceerlang-jinterface-srcerlang-observererlang-observer-srcerlang-reltoolerlang-reltool-srcerlang-srcerlang-wxerlang-wx-srcalloycpp-httplib-devellibcpp-httplib0_22dockerdocker-bash-completiondocker-buildxdocker-fish-completiondocker-rootless-extrasdocker-zsh-completioncargo-ccargo1.91cargo1.92rust1.91rust1.91-srcrust1.92rust1.92-srcWebKitGTK-4.0-langWebKitGTK-4.1-langWebKitGTK-6.0-langlibjavascriptcoregtk-4_0-18libjavascriptcoregtk-4_1-0libjavascriptcoregtk-6_0-1libwebkit2gtk-4_0-37libwebkit2gtk-4_1-0libwebkitgtk-6_0-4typelib-1_0-JavaScriptCore-4_0typelib-1_0-JavaScriptCore-4_1typelib-1_0-JavaScriptCore-6_0typelib-1_0-WebKit-6_0typelib-1_0-WebKit2-4_0typelib-1_0-WebKit2-4_1typelib-1_0-WebKit2WebExtension-4_0typelib-1_0-WebKit2WebExtension-4_1typelib-1_0-WebKitWebProcessExtension-6_0webkit-jsc-4webkit-jsc-4.1webkit-jsc-6.0webkit2gtk-4_0-injected-bundleswebkit2gtk-4_1-injected-bundleswebkit2gtk3-develwebkit2gtk3-minibrowserwebkit2gtk3-soup2-develwebkit2gtk3-soup2-minibrowserwebkit2gtk4-develwebkit2gtk4-minibrowserwebkitgtk-6_0-injected-bundleslibvmtools-devellibvmtools0open-vm-toolsopen-vm-tools-containerinfoopen-vm-tools-desktopopen-vm-tools-salt-minionopen-vm-tools-sdmppodmanpodman-dockerpodman-remotepodmanshlibpcap-devellibpcap-devel-staticlibpcap1gdk-pixbuf-loader-libheiflibheif-aomlibheif-dav1dlibheif-devellibheif-ffmpeglibheif-jpeglibheif-openjpeglibheif-rav1elibheif-svtenclibheif1buildahlibpython3_13-1_0libpython3_13-1_0-x86-64-v3libpython3_13t1_0python313python313-basepython313-base-x86-64-v3python313-cursespython313-dbmpython313-develpython313-docpython313-doc-devhelppython313-idlepython313-nogilpython313-nogil-basepython313-nogil-cursespython313-nogil-dbmpython313-nogil-develpython313-nogil-idlepython313-nogil-testsuitepython313-nogil-tkpython313-nogil-toolspython313-testsuitepython313-tkpython313-toolspython313-x86-64-v3erlang-rabbitmq-clientrabbitmq-serverrabbitmq-server-bash-completionrabbitmq-server-pluginsrabbitmq-server-zsh-completiongdk-pixbuf-develgdk-pixbuf-langgdk-pixbuf-query-loadersgdk-pixbuf-thumbnailerlibgdk_pixbuf-2_0-0typelib-1_0-GdkPixbuf-2_0typelib-1_0-GdkPixdata-2_0python313-virtualenvpython-marshmallow-docpython313-marshmallowpython313-urllib3python313-pyasn1busyboxbusybox-staticbusybox-warewulf3python313-jaraco.contextapache2-mod_php8php8php8-bcmathphp8-bz2php8-calendarphp8-cliphp8-ctypephp8-curlphp8-dbaphp8-develphp8-domphp8-embedphp8-enchantphp8-exifphp8-fastcgiphp8-ffiphp8-fileinfophp8-fpmphp8-fpm-apachephp8-ftpphp8-gdphp8-gettextphp8-gmpphp8-iconvphp8-intlphp8-ldapphp8-mbstringphp8-mysqlphp8-odbcphp8-opcachephp8-opensslphp8-pcntlphp8-pdophp8-pgsqlphp8-pharphp8-posixphp8-readlinephp8-shmopphp8-snmpphp8-soapphp8-socketsphp8-sodiumphp8-sqlitephp8-sysvmsgphp8-sysvsemphp8-sysvshmphp8-testphp8-tidyphp8-tokenizerphp8-xmlreaderphp8-xmlwriterphp8-xslphp8-zipphp8-zlibflake-pilotflake-pilot-firecrackerflake-pilot-firecracker-dracut-netstartflake-pilot-firecracker-guestvm-toolsflake-pilot-podmancockpit-subscriptionspython313-FontToolspython313-h2xkbcompxkbcomp-develucode-amdpython313-python-multipartjava-21-openjdkjava-21-openjdk-demojava-21-openjdk-develjava-21-openjdk-headlessjava-21-openjdk-javadocjava-21-openjdk-jmodsjava-21-openjdk-srccloud-initcloud-init-config-susecloud-init-docpostgresql16postgresql16-contribpostgresql16-develpostgresql16-docspostgresql16-llvmjitpostgresql16-llvmjit-develpostgresql16-plperlpostgresql16-plpythonpostgresql16-pltclpostgresql16-serverpostgresql16-server-develpostgresql16-testlibecpg6libpq5postgresqlpostgresql-contribpostgresql-develpostgresql-docspostgresql-llvmjitpostgresql-llvmjit-develpostgresql-plperlpostgresql-plpythonpostgresql-pltclpostgresql-serverpostgresql-server-develpostgresql-testpostgresql13-pgauditpostgresql13-pgvectorpostgresql14-pgauditpostgresql14-pgvectorpostgresql15-pgauditpostgresql15-pgvectorpostgresql16-pgauditpostgresql16-pgvectorpostgresql17postgresql17-contribpostgresql17-develpostgresql17-docspostgresql17-llvmjitpostgresql17-llvmjit-develpostgresql17-pgauditpostgresql17-pgvectorpostgresql17-plperlpostgresql17-plpythonpostgresql17-pltclpostgresql17-serverpostgresql17-server-develpostgresql17-testpostgresql18postgresql18-contribpostgresql18-develpostgresql18-devel-minipostgresql18-docspostgresql18-llvmjitpostgresql18-llvmjit-develpostgresql18-pgauditpostgresql18-pgvectorpostgresql18-plperlpostgresql18-plpythonpostgresql18-pltclpostgresql18-serverpostgresql18-server-develpostgresql18-testelemental-registerelemental-supportelemental-toolkitcross-aarch64-glibc-develcross-ppc64le-glibc-develcross-riscv64-glibc-develcross-s390x-glibc-develglibcglibc-develglibc-devel-staticglibc-extraglibc-gconv-modules-extraglibc-htmlglibc-i18ndataglibc-infoglibc-langglibc-localeglibc-locale-baseglibc-profileglibc-utilsjava-17-openjdkjava-17-openjdk-demojava-17-openjdk-develjava-17-openjdk-headlessjava-17-openjdk-javadocjava-17-openjdk-jmodsjava-17-openjdk-srcctdbctdb-pcp-pmdaldb-toolslibldb-devellibldb2python3-ldbsambasamba-ad-dcsamba-ad-dc-libssamba-cephsamba-clientsamba-client-libssamba-dcerpcsamba-develsamba-docsamba-dsdb-modulessamba-gpupdatesamba-ldb-ldapsamba-libssamba-libs-python3samba-python3samba-testsamba-toolsamba-winbindsamba-winbind-libsopenvpnopenvpn-auth-pam-pluginopenvpn-developenvpn-down-root-pluginjasperlibjasper-devellibjasper7libunbound8python3-unboundunboundunbound-anchorunbound-develunbound-muninlibudisks2-0libudisks2-0-devellibudisks2-0_btrfslibudisks2-0_lsmlibudisks2-0_lvm2typelib-1_0-UDisks-2_0udisks2udisks2-bash-completionudisks2-docsudisks2-langudisks2-zsh-completionlibsoup-3_0-0libsoup-devellibsoup-langtypelib-1_0-Soup-3_0java-25-openjdkjava-25-openjdk-demojava-25-openjdk-develjava-25-openjdk-headlessjava-25-openjdk-javadocjava-25-openjdk-jmodsjava-25-openjdk-srcpython313-filelocklibtiff-devellibtiff-devel-docslibtiff6tifftiff-docscluster-md-kmp-azuredlm-kmp-azuregfs2-kmp-azurekernel-azurekernel-azure-extrakernel-azure-optionalkernel-azure-vdsokselftests-kmp-azureocfs2-kmp-azurepython313-wheeldpdkdpdk-develdpdk-devel-staticdpdk-docdpdk-examplesdpdk-toolslibdpdk-25libwireshark18libwiretap15libwsutil16wiresharkwireshark-develwireshark-ui-qtlibexslt0libxslt-devellibxslt-toolslibxslt1cupscups-clientcups-configcups-ddkcups-devellibcups2libcupsimage2golang-github-prometheus-prometheuslibxml2-2libxml2-devellibxml2-doclibxml2-toolspython313-libxml2python313-maturincockpitcockpit-bridgecockpit-develcockpit-doccockpit-firewalldcockpit-kdumpcockpit-networkmanagercockpit-packagekitcockpit-selinuxcockpit-storagedcockpit-systemcockpit-wscockpit-ws-selinuxcockpit-packagesxorg-x11-serverxorg-x11-server-Xvfbxorg-x11-server-extraxorg-x11-server-sdkxorg-x11-server-sourcexorg-x11-server-wrapperpython313-pippython313-pip-wheellibopenjp2-7libopenjp2-7-x86-64-v3openjpeg2openjpeg2-developenjpeg2-devel-docpython313-Brotlipython313-aiohttpcargo1.93rust1.93rust1.93-srckeplerpatchopenCryptokiopenCryptoki-64bitopenCryptoki-develcorepack22nodejs22nodejs22-develnodejs22-docsnpm22expatlibexpat-devellibexpat1cockpit-machineswicked2nmcockpit-reposlibIex-3_2-31libIex-3_2-31-x86-64-v3libIlmThread-3_2-31libIlmThread-3_2-31-x86-64-v3libOpenEXR-3_2-31libOpenEXR-3_2-31-x86-64-v3libOpenEXRCore-3_2-31libOpenEXRCore-3_2-31-x86-64-v3libOpenEXRUtil-3_2-31libOpenEXRUtil-3_2-31-x86-64-v3openexropenexr-developenexr-docdocker-stabledocker-stable-bash-completiondocker-stable-buildxdocker-stable-fish-completiondocker-stable-rootless-extrasdocker-stable-zsh-completionpostgresql14postgresql14-contribpostgresql14-develpostgresql14-docspostgresql14-llvmjitpostgresql14-llvmjit-develpostgresql14-plperlpostgresql14-plpythonpostgresql14-pltclpostgresql14-serverpostgresql14-server-develpostgresql14-testpostgresql15postgresql15-contribpostgresql15-develpostgresql15-docspostgresql15-llvmjitpostgresql15-llvmjit-develpostgresql15-plperlpostgresql15-plpythonpostgresql15-pltclpostgresql15-serverpostgresql15-server-develpostgresql15-testautogenautooptslibopts25python313-urllib3_17zipcontainerized-data-importer-apicontainerized-data-importer-clonercontainerized-data-importer-controllercontainerized-data-importer-importercontainerized-data-importer-manifestscontainerized-data-importer-operatorcontainerized-data-importer-uploadproxycontainerized-data-importer-uploadserverobs-service-cdi_containers_metakubevirt-container-diskkubevirt-manifestskubevirt-pr-helper-confkubevirt-sidecar-shimkubevirt-testskubevirt-virt-apikubevirt-virt-controllerkubevirt-virt-exportproxykubevirt-virt-exportserverkubevirt-virt-handlerkubevirt-virt-launcherkubevirt-virt-operatorkubevirt-virt-synchronization-controllerkubevirt-virtctlobs-service-kubevirt_containers_metalibsoup-2_4-1libsoup2-devellibsoup2-langtypelib-1_0-Soup-2_4fluidsynthfluidsynth-devellibfluidsynth3ongres-scramongres-scram-clientongres-scram-javadocpython313-azure-corerhinorhino-demorhino-enginerhino-javadocrhino-runtimeassertj-coreassertj-core-javadocgo1.25-opensslgo1.25-openssl-docgo1.25-openssl-racego1.24-opensslgo1.24-openssl-docgo1.24-openssl-racecockpit-podmanshimvirtiofsdhelmhelm-bash-completionhelm-fish-completionhelm-zsh-completiongstreamergstreamer-develgstreamer-devtoolsgstreamer-devtools-develgstreamer-docsgstreamer-langgstreamer-plugins-badgstreamer-plugins-bad-chromaprintgstreamer-plugins-bad-develgstreamer-plugins-bad-langgstreamer-plugins-basegstreamer-plugins-base-develgstreamer-plugins-base-langgstreamer-plugins-goodgstreamer-plugins-good-extragstreamer-plugins-good-gtkgstreamer-plugins-good-jackgstreamer-plugins-good-langgstreamer-plugins-good-qtqml6gstreamer-plugins-libavgstreamer-plugins-rsgstreamer-plugins-uglygstreamer-plugins-ugly-langgstreamer-rtsp-server-develgstreamer-transcodergstreamer-transcoder-develgstreamer-utilslibgstadaptivedemux-1_0-0libgstallocators-1_0-0libgstanalytics-1_0-0libgstapp-1_0-0libgstaudio-1_0-0libgstbadaudio-1_0-0libgstbasecamerabinsrc-1_0-0libgstcodecparsers-1_0-0libgstcodecs-1_0-0libgstcuda-1_0-0libgstdxva-1_0-0libgstfft-1_0-0libgstgl-1_0-0libgstinsertbin-1_0-0libgstisoff-1_0-0libgstmpegts-1_0-0libgstmse-1_0-0libgstpbutils-1_0-0libgstphotography-1_0-0libgstplay-1_0-0libgstplayer-1_0-0libgstreamer-1_0-0libgstriff-1_0-0libgstrtp-1_0-0libgstrtsp-1_0-0libgstrtspserver-1_0-0libgstsctp-1_0-0libgstsdp-1_0-0libgsttag-1_0-0libgsttranscoder-1_0-0libgsturidownloader-1_0-0libgstva-1_0-0libgstvalidate-1_0-0libgstvideo-1_0-0libgstvulkan-1_0-0libgstwayland-1_0-0libgstwebrtc-1_0-0libgstwebrtcnice-1_0-0typelib-1_0-CudaGst-1_0typelib-1_0-Gst-1_0typelib-1_0-GstAllocators-1_0typelib-1_0-GstAnalytics-1_0typelib-1_0-GstApp-1_0typelib-1_0-GstAudio-1_0typelib-1_0-GstBadAudio-1_0typelib-1_0-GstCodecs-1_0typelib-1_0-GstCuda-1_0typelib-1_0-GstDxva-1_0typelib-1_0-GstGL-1_0typelib-1_0-GstGLEGL-1_0typelib-1_0-GstGLWayland-1_0typelib-1_0-GstGLX11-1_0typelib-1_0-GstInsertBin-1_0typelib-1_0-GstMpegts-1_0typelib-1_0-GstMse-1_0typelib-1_0-GstPbutils-1_0typelib-1_0-GstPlay-1_0typelib-1_0-GstPlayer-1_0typelib-1_0-GstRtp-1_0typelib-1_0-GstRtsp-1_0typelib-1_0-GstRtspServer-1_0typelib-1_0-GstSdp-1_0typelib-1_0-GstTag-1_0typelib-1_0-GstTranscoder-1_0typelib-1_0-GstVa-1_0typelib-1_0-GstValidate-1_0typelib-1_0-GstVideo-1_0typelib-1_0-GstVulkan-1_0typelib-1_0-GstVulkanWayland-1_0typelib-1_0-GstVulkanXCB-1_0typelib-1_0-GstWebRTC-1_0freerdpfreerdp-develfreerdp-proxyfreerdp-proxy-pluginsfreerdp-sdlfreerdp-serverfreerdp-waylandlibfreerdp-server-proxy3-3libfreerdp3-3librdtk0-0libuwac0-0libwinpr3-3rdtk0-develuwac0-develwinpr-develcJSON-devellibcjson1keakea-develkea-dockea-hookslibkea-asiodns62libkea-asiolink88libkea-cc82libkea-cfgrpt3libkea-config83libkea-cryptolink64libkea-d2srv63libkea-database76libkea-dhcp109libkea-dhcp_ddns68libkea-dhcpsrv130libkea-dns71libkea-eval84libkea-exceptions45libkea-hooks119libkea-http87libkea-log-interprocess3libkea-log75libkea-mysql88libkea-pgsql88libkea-process90libkea-stats53libkea-tcp33libkea-util-io12libkea-util101python3-keago1.26go1.26-docgo1.26-libstdgo1.26-raceamazon-ssm-agentkeylime-ima-policyrust-keylimeocamlocaml-compiler-libsocaml-compiler-libs-develocaml-ocamldococaml-runtimeocaml-sourcesnpguestlibsnmp40net-snmpnet-snmp-develperl-SNMPpython313-net-snmpsnmp-mibslibjxl-devellibjxl-toolslibjxl0_11libjxl0_11-x86-64-v3cosigncosign-bash-completioncosign-fish-completioncosign-zsh-completionlibprotobuf-lite28_3_0libprotobuf28_3_0libprotoc28_3_0libutf8_range-28_3_0protobuf-develprotobuf-javaprotobuf-java-bomprotobuf-java-javadocprotobuf-java-parentpython313-protobufgdk-pixbuf-loader-rsvglibrsvg-2-2librsvg-develrsvg-convertrsvg-thumbnailertypelib-1_0-Rsvg-2_0libpoppler-cpp2libpoppler-devellibpoppler-glib-devellibpoppler-glib8libpoppler-qt5-1libpoppler-qt5-devellibpoppler-qt6-3libpoppler-qt6-devellibpoppler148poppler-toolstypelib-1_0-Poppler-0_18libsodium-devellibsodium26ucode-intelgvimvimvim-datavim-data-commonvim-smallxxdpython313-orjsonharfbuzz-develharfbuzz-toolslibharfbuzz-cairo0libharfbuzz-gobject0libharfbuzz-icu0libharfbuzz-subset0libharfbuzz0typelib-1_0-HarfBuzz-0_0exiv2exiv2-langlibexiv2-28libexiv2-28-x86-64-v3libexiv2-devellibnghttp2-14libnghttp2-develnghttp2tomcat11tomcat11-admin-webappstomcat11-doctomcat11-docs-webapptomcat11-el-6_0-apitomcat11-embedtomcat11-jsp-4_0-apitomcat11-jsvctomcat11-libtomcat11-servlet-6_1-apitomcat11-webapps389-ds389-ds-devel389-ds-snmplib389libsvrcore0python313-blackpython313-pyOpenSSLffmpeg-7ffmpeg-7-libavcodec-develffmpeg-7-libavdevice-develffmpeg-7-libavfilter-develffmpeg-7-libavformat-develffmpeg-7-libavutil-develffmpeg-7-libpostproc-develffmpeg-7-libswresample-develffmpeg-7-libswscale-devellibavcodec61libavdevice61libavfilter10libavformat61libavutil59libpostproc58libswresample5libswscale8python313-ldappython313-PyJWTfetchmailfetchmailconfnet-toolsnet-tools-deprecatednet-tools-langdocker-composeGraphicsMagickGraphicsMagick-devellibGraphicsMagick++-Q16-12libGraphicsMagick++-devellibGraphicsMagick-Q16-3libGraphicsMagick3-configlibGraphicsMagickWand-Q16-2perl-GraphicsMagickrunctomcat10tomcat10-admin-webappstomcat10-doctomcat10-docs-webapptomcat10-el-5_0-apitomcat10-embedtomcat10-jsp-3_1-apitomcat10-jsvctomcat10-libtomcat10-servlet-6_0-apitomcat10-webappsgnutlslibgnutls-devellibgnutls-devel-doclibgnutls30libgnutlsxx-devellibgnutlsxx30postgresql13postgresql13-contribpostgresql13-develpostgresql13-docspostgresql13-llvmjitpostgresql13-llvmjit-develpostgresql13-plperlpostgresql13-plpythonpostgresql13-pltclpostgresql13-serverpostgresql13-server-develpostgresql13-testgnome-online-accountsgnome-online-accounts-develgnome-online-accounts-langgvfsgvfs-backend-afcgvfs-backend-goagvfs-backend-gphotogvfs-backend-sambagvfs-backendsgvfs-fusegvfs-langlibgoa-1_0-0libgoa-backend-1_0-2typelib-1_0-Goa-1_0libkea-cc83libkea-config84libkea-dhcpsrv131libkea-hooks121libkea-process91libkea-util102himmelblauhimmelblau-qr-greeterhimmelblau-sshd-confighimmelblau-ssolibnss_himmelblau2pam-himmelblaupython313-Pillowpython313-Pillow-tkperl-XML-ParserdnsdistlibXvnc-devellibXvnc1tigervnctigervnc-selinuxtigervnc-x11vncxorg-x11-Xvncxorg-x11-Xvnc-javaxorg-x11-Xvnc-modulexorg-x11-Xvnc-novncpython313-cbor2libtasn1-6libtasn1-devellibtasn1-toolslibsystemd0libudev1systemdsystemd-bootsystemd-containersystemd-develsystemd-docsystemd-experimentalsystemd-homedsystemd-journal-remotesystemd-langsystemd-networkdsystemd-portablesystemd-resolvedsystemd-testsuiteudevtartar-backup-scriptstar-doctar-langtar-rmttar-testsliblasso-develliblasso3python3-lassomysql-connector-javaxwaylandxwayland-devellibvirtlibvirt-clientlibvirt-client-qemulibvirt-daemonlibvirt-daemon-commonlibvirt-daemon-config-networklibvirt-daemon-config-nwfilterlibvirt-daemon-driver-networklibvirt-daemon-driver-nodedevlibvirt-daemon-driver-nwfilterlibvirt-daemon-driver-qemulibvirt-daemon-driver-secretlibvirt-daemon-driver-storagelibvirt-daemon-driver-storage-corelibvirt-daemon-driver-storage-disklibvirt-daemon-driver-storage-iscsilibvirt-daemon-driver-storage-iscsi-directlibvirt-daemon-driver-storage-logicallibvirt-daemon-driver-storage-mpathlibvirt-daemon-driver-storage-scsilibvirt-daemon-hookslibvirt-daemon-locklibvirt-daemon-loglibvirt-daemon-plugin-lockdlibvirt-daemon-proxylibvirt-daemon-qemulibvirt-devellibvirt-doclibvirt-libslibvirt-nsslibvirt-ssh-proxywireshark-plugin-libvirtdovecot24dovecot24-backend-mysqldovecot24-backend-pgsqldovecot24-backend-sqlitedovecot24-develdovecot24-ftsdovecot24-fts-flatcurvedovecot24-fts-solropensshopenssh-askpass-gnomeopenssh-cavsopenssh-clientsopenssh-commonopenssh-helpersopenssh-serveropenssh-server-config-rootloginstrongswanstrongswan-docstrongswan-fipsstrongswan-ipsecstrongswan-mysqlstrongswan-nmstrongswan-sqlitelibmozjs-128-0mozjs128mozjs128-develbinutilsbinutils-develbpftoolbpftool-bash-completioncross-aarch64-binutilscross-arm-binutilscross-avr-binutilscross-bpf-binutilscross-epiphany-binutilscross-hppa-binutilscross-hppa64-binutilscross-i386-binutilscross-ia64-binutilscross-loongarch64-binutilscross-m68k-binutilscross-mips-binutilscross-ppc-binutilscross-ppc64-binutilscross-ppc64le-binutilscross-pru-binutilscross-riscv64-binutilscross-rx-binutilscross-s390-binutilscross-s390x-binutilscross-sparc-binutilscross-sparc64-binutilscross-spu-binutilscross-x86_64-binutilscross-xtensa-binutilsgprofnglibctf-nobfd0libctf0chromedriverchromiumMozillaThunderbirdMozillaThunderbird-openpgp-librnpMozillaThunderbird-translations-commonMozillaThunderbird-translations-otherlibpainter0librfxencode0xrdpxrdp-develgimpgimp-develgimp-extension-goat-excercisesgimp-langgimp-plugin-aagimp-plugin-python3gimp-valalibgimp-3_0-0libgimpui-3_0-0python313-Djangotrivytailscaletailscale-bash-completiontailscale-fish-completiontailscale-zsh-completiongdcmgdcm-applicationsgdcm-develgdcm-exampleslibgdcm3_0libsocketxx1_2orthancorthanc-authorizationorthanc-develorthanc-dicomweborthanc-docorthanc-gdcmorthanc-indexerorthanc-mysqlorthanc-neuroorthanc-postgresqlorthanc-pythonorthanc-sourceorthanc-stlorthanc-tciaorthanc-wsipython3-gdcmpython313-pyorthancmicropythonmpremotempy-toolshtmldocpython313-Authliblibmosquitto1libmosquittopp1mosquittomosquitto-clientsmosquitto-developenQAopenQA-auto-updateopenQA-bootstrapopenQA-clientopenQA-commonopenQA-continuous-updateopenQA-developenQA-docopenQA-local-dbopenQA-mcpopenQA-muninopenQA-python-scriptsopenQA-single-instanceopenQA-single-instance-nginxopenQA-workeros-autoinstos-autoinst-develos-autoinst-ipmi-depsos-autoinst-openvswitchos-autoinst-qemu-kvmos-autoinst-qemu-x86os-autoinst-s390-depsos-autoinst-swtpmgitea-teagitea-tea-bash-completiongitea-tea-zsh-completionfreerdp2freerdp2-develfreerdp2-proxyfreerdp2-serverlibfreerdp2-2libwinpr2-2winpr2-develpython313-joserfcroundcubemailpython313-PyPDF2python313-lxml_html_cleanobs-scm-bridgeosckrb5-appl-clientskrb5-appl-serverspython313-simpleevalmumblemumble-serverfreecivfreeciv-gtk3freeciv-gtk4freeciv-langfreeciv-qtfreeciv-sdl2python313-dynaconftinyproxyosslsigncodelibjavamapscriptlibmapserver2mapservermapserver-develperl-mapscriptphp-mapscriptngpython313-mapserveraws-c-event-stream-devellibaws-c-event-stream1python313-ConfigArgParsepython313-acmepython313-certbotpython313-certbot-nginxpython313-josepypython313-pyRFC3339helmfilehelmfile-bash-completionhelmfile-fish-completionhelmfile-zsh-completionpnpmpnpm-bash-completionpnpm-fish-completionpnpm-zsh-completionlibrnp0rnprnp-develtcpreplayredisgolang-github-teddysun-v2ray-plugingolang-github-v2fly-v2ray-coreshadowsocks-v2ray-pluginv2ray-corebash-git-promptactgit-buggit-bug-bash-completiongit-bug-fish-completiongit-bug-zsh-completioneximeximoneximstats-htmlhaulercheatlibmatio-devellibmatio13matio-toolswarewulf4warewulf4-dracutwarewulf4-manwarewulf4-overlaywarewulf4-overlay-rke2warewulf4-overlay-slurmwarewulf4-reference-doclibwget4wget2wget2-develgo-sendxmppffmpeg-4ffmpeg-4-libavcodec-develffmpeg-4-libavdevice-develffmpeg-4-libavfilter-develffmpeg-4-libavformat-develffmpeg-4-libavresample-develffmpeg-4-libavutil-develffmpeg-4-libpostproc-develffmpeg-4-libswresample-develffmpeg-4-libswscale-develffmpeg-4-private-devellibavcodec58_134libavdevice58_13libavfilter7_110libavformat58_76libavresample4_0libavutil56_70libpostproc55_9libswresample3_9libswscale5_9python313-weasyprintcorednscoredns-extrassbctl(aarch64|ppc64le|s390x|x86_64)0:1.25.5-160000.1.1(aarch64|x86_64)0:1.25.5-160000.1.116.0(aarch64|ppc64le|s390x|x86_64)0:1.24.11-160000.1.1(aarch64|x86_64)0:1.24.11-160000.1.1(noarch)0:7.13.0+40-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:7.1.2.0-160000.4.1(noarch)0:7.1.2.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:2.12-160000.3.1(noarch)0:2.12-160000.3.1(s390x)0:2.12-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.5.0-160000.4.1(x86_64)0:3.5.0-160000.4.1(noarch)0:3.5.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:10.0.7-160000.1.1(noarch)0:10.0.7-160000.1.1(noarch)0:10.0.71.16.3_3_g3d33c746-160000.1.1(x86_64)0:10.0.7-160000.1.1(aarch64)0:6.12.0-160000.8.1(aarch64|ppc64le|s390x|x86_64)0:6.12.0-160000.8.1(aarch64|x86_64)0:6.12.0-160000.8.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.8.1.160000.2.5(x86_64)0:6.12.0-160000.8.1(noarch)0:6.12.0-160000.8.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.8.1(s390x)0:6.12.0-160000.8.1(aarch64|ppc64le|s390x|x86_64)0:20230101-160000.3.1(noarch)0:20230101-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:11.8.5-160000.1.1(noarch)0:11.8.5-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3006.0-160000.3.1(noarch)0:3006.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.9.5-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:8.0.6-160000.1.1(noarch)0:8.0.6-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.8-160000.3.1(noarch)0:0.8-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:140.6.0-160000.1.1(noarch)0:140.6.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:6.5-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.6.44-160000.3.1(x86_64)0:1.6.44-160000.3.1(noarch)0:2.84.4-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.84.4-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.7.0+git.1742310530.bfcd0e2c-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:0.7.18-160000.3.1(noarch)0:0.7.18-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:6.12-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.5.5-160000.3.1(noarch)0:2.5.5-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.4.63-160000.3.1(noarch)0:2.4.63-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:8.14.1-160000.4.1(noarch)0:8.14.1-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:3.2.0+git0.e134140d2-160000.3.1(noarch)0:9.0.111-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:9.20.15-160000.1.1(noarch)0:9.20.15-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:140.7.0-160000.1.1(noarch)0:140.7.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:27.1.3-160000.3.1(aarch64|ppc64le|x86_64)0:27.1.3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.12.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.22.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:28.5.1_ce-160000.4.1(noarch)0:28.5.1_ce-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:0.29.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:0.10.15-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.91.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.92.0-160000.1.1(noarch)0:1.91.0-160000.1.1(noarch)0:1.92.0-160000.1.1(noarch)0:2.50.4-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.50.4-160000.1.1(aarch64|x86_64)0:13.0.5-160000.1.1(x86_64)0:13.0.5-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:5.4.2-160000.3.1(noarch)0:5.4.2-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.10.5-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:1.19.7-160000.3.1(aarch64|x86_64)0:1.19.7-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.24.12-160000.1.1(aarch64|x86_64)0:1.24.12-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.39.5-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.13.11-160000.1.1(x86_64)0:3.13.11-160000.1.1(ppc64le|s390x|x86_64)0:3.13.11-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:4.1.5-160000.1.1(noarch)0:4.1.5-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.6.44-160000.4.1(x86_64)0:1.6.44-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:2.42.12-160000.3.1(noarch)0:2.42.12-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.25.6-160000.1.1(aarch64|x86_64)0:1.25.6-160000.1.1(noarch)0:20.29.3-160000.3.1(noarch)0:3.20.2-160000.3.1(noarch)0:2.5.0-160000.3.1(noarch)0:0.6.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.37.0-160000.4.1(aarch64|x86_64)0:1.37.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:9.20.18-160000.1.1(noarch)0:9.20.18-160000.1.1(noarch)0:5.3.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:0.8-160000.4.1(noarch)0:0.8-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:8.4.16-160000.1.1(noarch)0:8.4.16-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.1.22-160000.1.1(noarch)0:3.1.22-160000.1.1(noarch)0:12.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:7.1.2.0-160000.5.1(noarch)0:7.1.2.0-160000.5.1(noarch)0:4.53.1-160000.3.1(noarch)0:4.2.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.4.7-160000.3.1(noarch)0:20251203-160000.1.1(noarch)0:0.0.20-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:21.0.10.0-160000.1.1(noarch)0:21.0.10.0-160000.1.1(noarch)0:2.5.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:25.1.3-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:16.11-160000.1.1(noarch)0:16.11-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:18.1-160000.1.2(noarch)0:18-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.5.3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:0.8.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.6.3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.7.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:16.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:17.7-160000.1.1(noarch)0:17.7-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:17.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:18.1-160000.1.1(noarch)0:18.1-160000.1.2(aarch64|ppc64le|s390x|x86_64)0:18.0-160000.3.1(aarch64|x86_64)0:1.8.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.3.2-160000.1.1(noarch)0:2.40-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.40-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:17.0.18.0-160000.1.1(noarch)0:17.0.18.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:4.22.5+git.431.dc5a539f124-160000.1.1(aarch64|x86_64)0:4.22.5+git.431.dc5a539f124-160000.1.1(noarch)0:4.22.5+git.431.dc5a539f124-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.5.5-160000.4.1(noarch)0:2.5.5-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:2.6.10-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:4.2.8-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.24.1-160000.1.1(noarch)0:1.24.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.12.2-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.10.1-160000.3.1(noarch)0:2.10.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.6.5-160000.3.1(noarch)0:3.6.5-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:25.0.2.0-160000.1.1(noarch)0:25.0.2.0-160000.1.1(noarch)0:3.18.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:4.7.1-160000.1.1(noarch)0:4.7.1-160000.1.1(aarch64)0:6.12.0-160000.9.1(aarch64|x86_64)0:6.12.0-160000.9.1(aarch64|ppc64le|s390x|x86_64)0:6.12.0-160000.9.1(x86_64)0:6.12.0-160000.9.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.9.1.160000.2.6(noarch)0:6.12.0-160000.9.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.9.1(s390x)0:6.12.0-160000.9.1(noarch)0:0.45.1-160000.3.1(aarch64|ppc64le|x86_64)0:24.11.4-160000.1.1(noarch)0:24.11.4-160000.1.1(noarch)0:2.84.4-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:2.84.4-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:4.4.13-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.5.0-160000.5.1(x86_64)0:3.5.0-160000.5.1(noarch)0:3.5.0-160000.5.1(aarch64|ppc64le|s390x|x86_64)0:1.1.43-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.4.16-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.5.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.13.8-160000.3.1(noarch)0:2.13.8-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.8.7-160000.3.1(noarch)0:12.1-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:340-160000.4.1(noarch)0:340-160000.4.1(noarch)0:3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.6.5-160000.4.1(noarch)0:3.6.5-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:21.1.15-160000.3.1(noarch)0:25.0.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.5.3-160000.3.1(x86_64)0:2.5.3-160000.3.1(noarch)0:2.5.3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.1.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.11.16-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.93.0-160000.1.1(noarch)0:1.93.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.11.3-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.25.7-160000.1.1(aarch64|x86_64)0:1.25.7-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.24.13-160000.1.1(aarch64|x86_64)0:1.24.13-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.7.6-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.26.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:20251009-160000.1.1(noarch)0:20251009-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:22.22.0-160000.1.1(noarch)0:22.22.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.7.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.5.0-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:354-160000.1.1(noarch)0:354-160000.1.1(noarch)0:346-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.4.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:28.5.1_ce-160000.5.1(noarch)0:28.5.1_ce-160000.5.1(aarch64|ppc64le|s390x|x86_64)0:0.29.0-160000.5.1(noarch)0:4.7-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:140.7.1-160000.1.1(noarch)0:140.7.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.2.2-160000.3.1(x86_64)0:3.2.2-160000.3.1(noarch)0:3.2.2-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.13.12-160000.1.1(x86_64)0:3.13.12-160000.1.1(ppc64le|s390x|x86_64)0:3.13.12-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:24.0.9_ce-160000.3.1(noarch)0:24.0.9_ce-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:0.25.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:14.21-160000.1.1(noarch)0:14.21-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:15.16-160000.1.1(noarch)0:15.16-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:5.18.16-160000.3.1(noarch)0:1.26.20-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:25.01-160000.1.1(x86_64)0:1.64.0-160000.1.1(aarch64|x86_64)0:1.7.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.74.3-160000.3.1(noarch)0:2.74.3-160000.3.1(aarch64)0:6.12.0-160000.26.1(aarch64|x86_64)0:6.12.0-160000.26.1(aarch64|ppc64le|s390x|x86_64)0:6.12.0-160000.26.1(x86_64)0:6.12.0-160000.26.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.26.1.160000.2.7(noarch)0:6.12.0-160000.26.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.26.1(s390x)0:6.12.0-160000.26.1(aarch64|ppc64le|s390x|x86_64)0:3.2.12+git0.6011f448e-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.3.5-160000.3.1(noarch)0:3.1-160000.3.1(noarch)0:1.32.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:0.22.0-160000.4.1(noarch)0:1.7.15.1-160000.1.1(noarch)0:3.27.7-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:5.4.2-160000.4.1(noarch)0:5.4.2-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:2.7.1-160000.4.1(noarch)0:117-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.1.43-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:2.13.8-160000.4.1(noarch)0:2.13.8-160000.4.1(aarch64|x86_64)0:16.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.12.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.19.1-160000.1.1(noarch)0:3.19.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.26.7-160000.1.1(noarch)0:1.26.7-160000.1.1(ppc64le|s390x|x86_64)0:1.26.7-160000.1.1(aarch64|x86_64)0:1.26.7+git0.6ab75814-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.7.18-160000.4.1(noarch)0:0.7.18-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:7.1.2.0-160000.6.1(noarch)0:7.1.2.0-160000.6.1(aarch64|ppc64le|s390x|x86_64)0:3.22.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.7.19-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.0.1-160000.1.1(noarch)0:3.0.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.26.1-160000.1.1(aarch64|x86_64)0:1.26.1-160000.1.1(noarch)0:9.0.115-160000.1.1(aarch64|x86_64)0:3.3.2299.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.74.3-160000.4.1(noarch)0:2.74.3-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:10.0.8-160000.1.1(noarch)0:10.0.8-160000.1.1(noarch)0:10.0.81.16.3_3_g3d33c746-160000.1.1(x86_64)0:10.0.8-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.2.8+116-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:140.8.0-160000.1.1(noarch)0:140.8.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:24.0.9_ce-160000.4.1(noarch)0:24.0.9_ce-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:0.25.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:140.5.0-160000.1.1(noarch)0:140.5.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:4.14.2-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:1.8.7-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:1.6.44-160000.5.1(x86_64)0:1.6.44-160000.5.1(x86_64)0:0.10.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:5.9.4-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.6.6-160000.1.1(noarch)0:3.6.6-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.11.2-160000.1.1(x86_64)0:0.11.2-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.0.5-160000.1.1(noarch)0:3.0.5-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.37.0-160000.5.1(aarch64|x86_64)0:1.37.0-160000.5.1(aarch64|ppc64le|s390x|x86_64)0:17.9-160000.1.1(noarch)0:17.9-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:28.3-160000.3.1(noarch)0:28.3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:5.28.3-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.60.2-160000.1.1(noarch)0:2.60.2-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:25.04.0-160000.4.1(noarch)0:7.14.0+0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.0.20-160000.3.1(x86_64)0:20260210-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.26.7-160000.2.1(noarch)0:1.26.7-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:9.2.0110-160000.1.1(noarch)0:9.2.0110-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:8.14.1-160000.5.1(noarch)0:8.14.1-160000.5.1(aarch64|ppc64le|s390x|x86_64)0:7.1.2.0-160000.7.1(noarch)0:7.1.2.0-160000.7.1(aarch64|ppc64le|s390x|x86_64)0:25.04.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:6.5-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:3.10.15-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:18.3-160000.1.1(noarch)0:18.3-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:11.4.5-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:0.28.8-160000.1.1(noarch)0:0.28.8-160000.1.1(x86_64)0:0.28.8-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3006.0-160000.4.1(noarch)0:3006.0-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:1.64.0-160000.3.1(noarch)0:11.0.18-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.0.6~git249.6688af9b2-160000.1.1(aarch64)0:6.12.0-160000.27.1(aarch64|x86_64)0:6.12.0-160000.27.1(aarch64|ppc64le|s390x|x86_64)0:6.12.0-160000.27.1(x86_64)0:6.12.0-160000.27.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.27.1.160000.2.8(noarch)0:6.12.0-160000.27.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.27.1(s390x)0:6.12.0-160000.27.1(noarch)0:25.1.0-160000.3.1(noarch)0:0.6.1-160000.4.1(noarch)0:25.0.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:7.1.2-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.4.4-160000.3.1(noarch)0:2.12.1-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:6.5.2-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:3.2.2-160000.5.1(x86_64)0:3.2.2-160000.5.1(noarch)0:3.2.2-160000.5.1(aarch64|ppc64le|s390x|x86_64)0:2.10-160000.3.1(noarch)0:2.10-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.33.1-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:140.9.0-160000.1.1(noarch)0:140.9.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.3.45-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.3.3-160000.1.1(noarch)0:10.1.52-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.8.10-160000.2.1(noarch)0:3.8.10-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:16.13-160000.1.1(noarch)0:16.13-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.7.1-160000.5.1(aarch64|ppc64le|s390x|x86_64)0:13.23-160000.1.1(noarch)0:13.23-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.58.0-160000.1.1(noarch)0:3.58.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.59.90-160000.1.1(noarch)0:1.59.90-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.11.3-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.0.3-160000.1.1(noarch)0:3.0.3-160000.1.1(aarch64|x86_64)0:2.3.8+git0.dec3693-160000.1.1(noarch)0:2.3.8+git0.dec3693-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:11.3.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:2.470.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.9.11-160000.1.1(noarch)0:4.7-160000.2.1(aarch64|ppc64le|s390x|x86_64)0:1.15.0-160000.3.1(noarch)0:1.15.0-160000.3.1(aarch64|ppc64le|x86_64)0:1.15.0-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:1.6.44-160000.6.1(x86_64)0:1.6.44-160000.6.1(aarch64|ppc64le|s390x|x86_64)0:5.6.5-160000.4.1(noarch)0:4-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:4.21.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:257.13-160000.1.1(aarch64|x86_64)0:257.13-160000.1.1(noarch)0:257.13-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:1.35-160000.3.1(noarch)0:1.35-160000.3.1(aarch64)0:6.12.0-160000.6.1(aarch64|ppc64le|s390x|x86_64)0:6.12.0-160000.6.1(aarch64|x86_64)0:6.12.0-160000.6.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.6.1.160000.2.4(x86_64)0:6.12.0-160000.6.1(noarch)0:6.12.0-160000.6.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.6.1(s390x)0:6.12.0-160000.6.1(aarch64|ppc64le|s390x|x86_64)0:2.8.2-160000.3.1(noarch)0:9.3.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:8.14.1-160000.3.1(noarch)0:8.14.1-160000.3.1(aarch64)0:6.12.0-160000.7.1(aarch64|ppc64le|s390x|x86_64)0:6.12.0-160000.7.1(aarch64|x86_64)0:6.12.0-160000.7.1(x86_64)0:6.12.0-160000.7.1(noarch)0:6.12.0-160000.7.1(aarch64|ppc64le|x86_64)0:6.12.0-160000.7.1(s390x)0:6.12.0-160000.7.1(aarch64|ppc64le|s390x|x86_64)0:24.1.6-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:11.4.0-160000.3.1(noarch)0:11.4.0-160000.3.1(noarch)0:11.0.13-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:2.4.2-160000.1.1(aarch64|x86_64)0:0.9.23+git.0.9776141-160000.1.1(noarch)0:0.9.23+git.0.9776141-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:10.0p2-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:21.0.9.0-160000.1.1(noarch)0:21.0.9.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:17.0.17.0-160000.1.1(noarch)0:17.0.17.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:6.0.1-160000.3.1(noarch)0:6.0.1-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:5.6.5-160000.3.1(aarch64|ppc64le|s390x|x86_64)0:128.14.0-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:3.2.2-160000.4.1(x86_64)0:3.2.2-160000.4.1(noarch)0:3.2.2-160000.4.1(aarch64|ppc64le|s390x|x86_64)0:2.45-160000.1.1(aarch64|ppc64le|s390x|x86_64)0:7.5.0-160000.2.3(ppc64le|s390x|x86_64)0:2.45-160000.1.1(aarch64|s390x|x86_64)0:2.45-160000.1.1(aarch64|ppc64le|x86_64)0:2.45-160000.1.1(aarch64|ppc64le|s390x)0:2.45-160000.1.1(aarch64|x86_64)0:2.45-160000.1.1(aarch64|ppc64le|x86_64)0:141.0.7390.76-bp160.1.1(aarch64|ppc64le|x86_64)0:140.3.0-bp160.1.1(aarch64|ppc64le|x86_64)0:144.0.7559.109-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.9.26-bp160.2.1(aarch64|ppc64le|x86_64)0:3.0.8-bp160.1.1(noarch)0:3.0.8-bp160.1.1(noarch)0:5.2.4-bp160.3.1(aarch64|ppc64le|x86_64)0:144.0.7559.132-bp160.1.1(noarch)0:5.2.4-bp160.5.1(aarch64|ppc64le|s390x|x86_64)0:0.69.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.94.1-bp160.1.1(noarch)0:1.94.1-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:3.0.24-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:1.12.10-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.10.3-bp160.1.1(noarch)0:1.12.10-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.22-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.8-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.0-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:5.2-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:1.1-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:10.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:7.0-bp160.1.1(aarch64|ppc64le|x86_64)0:1.2-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:1.3-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:3.3-bp160.1.1(noarch)0:1.22.1-bp160.1.1(aarch64|x86_64)0:1.26.1-bp160.1.1(noarch)0:1.26.1-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.9.23-bp160.1.1(aarch64|ppc64le|x86_64)0:145.0.7632.75-bp160.1.1(noarch)0:1.5.2-bp160.2.1(aarch64|ppc64le|x86_64)0:145.0.7632.109-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:2.0.23-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:5.1771422749.560a3b26-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:5.1771353921.c8005c9-bp160.1.1(x86_64)0:5.1771353921.c8005c9-bp160.1.1(aarch64|ppc64le|x86_64)0:3.0.8-bp160.2.1(noarch)0:3.0.8-bp160.2.1(aarch64|ppc64le|x86_64)0:145.0.7632.116-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.12.0-bp160.1.1(noarch)0:0.12.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:2.11.7-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:140.4.0-bp160.1.1(noarch)0:1.1.0-bp160.2.1(noarch)0:1.6.13-bp160.1.1(aarch64|ppc64le|x86_64)0:145.0.7632.159-bp160.1.1(noarch)0:2.11.1-bp160.2.1(noarch)0:0.4.2-bp160.2.1(noarch)0:2.11.1-bp160.3.1(noarch)0:0.7.4-bp160.1.1(noarch)0:1.24.0-bp160.1.1(aarch64|ppc64le|x86_64)0:146.0.7680.80-bp160.1.1(noarch)0:5.2.4-bp160.6.1(aarch64|ppc64le|s390x|x86_64)0:1.0.3-bp160.2.1(noarch)0:2.11.1-bp160.4.1(aarch64|x86_64)0:1.26.0-bp160.1.1(noarch)0:1.26.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:140.8.1-bp160.1.1(noarch)0:1.5.2-bp160.3.1(noarch)0:0.9.13-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:1.5.857-bp160.1.1(aarch64|ppc64le|x86_64)0:146.0.7680.153-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:3.2.4-bp160.1.1(noarch)0:3.2.4-bp160.1.1(aarch64|ppc64le|x86_64)0:146.0.7680.164-bp160.1.1(aarch64|ppc64le|x86_64)0:3.0.8-bp160.3.1(noarch)0:3.0.8-bp160.3.1(noarch)0:3.2.5-bp160.2.1(noarch)0:2.11.1-bp160.5.1(aarch64|ppc64le|s390x|x86_64)0:1.11.3-bp160.1.1(aarch64|ppc64le|x86_64)0:146.0.7680.177-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:2.13-bp160.1.1(aarch64|ppc64le|x86_64)0:142.0.7444.59-bp160.1.1(aarch64|ppc64le|x86_64)0:8.6.1-bp160.1.1(aarch64|ppc64le|x86_64)0:0.4.2-bp160.2.1(noarch)0:1.7-bp160.1.1(noarch)0:5.1.0-bp160.1.1(noarch)0:2.2.0-bp160.1.1(noarch)0:2.0.1-bp160.1.1(aarch64|ppc64le|x86_64)0:142.0.7444.162-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:140.5.0-bp160.1.1(aarch64|ppc64le|x86_64)0:141.0.7390.107-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.1.9-bp160.1.1(noarch)0:1.1.9-bp160.1.1(noarch)0:10.22.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.18.1-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.66.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.11.1-bp160.1.1(noarch)0:0.11.1-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:4.5.2-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:8.2.3-bp160.1.1(noarch)0:5.25.0-bp160.1.1(noarch)0:5.40.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:5.25.0-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:5.40.0-bp160.1.1(noarch)0:2.7.1-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:0.2.64-bp160.2.1(aarch64|ppc64le|s390x|x86_64)0:0.10.1-bp160.1.1(noarch)0:0.10.1-bp160.1.1(noarch)0:5.2.4-bp160.4.1(aarch64|ppc64le|s390x|x86_64)0:4.98.2-bp160.2.1(aarch64|x86_64)0:1.3.1-bp160.1.1(aarch64|ppc64le|x86_64)0:143.0.7499.40-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:4.4.2-bp160.2.1(aarch64|ppc64le|x86_64)0:143.0.7499.146-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.68.2-bp160.1.1(aarch64|ppc64le|x86_64)0:143.0.7499.192-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:1.5.29-bp160.1.1(aarch64|x86_64)0:4.6.4-bp160.1.1(noarch)0:4.6.4-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:2.2.1-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:140.6.0-bp160.1.1(aarch64|ppc64le|x86_64)0:141.0.7390.122-bp160.1.1(aarch64|ppc64le|x86_64)0:144.0.7559.59-bp160.1.1(aarch64|ppc64le|x86_64)0:3.0.6-bp160.1.1(noarch)0:3.0.6-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:0.15.1-bp160.1.1(aarch64|ppc64le|s390x|x86_64)0:4.4.5-bp160.2.1(noarch)0:65.1-bp160.2.1(aarch64|ppc64le|x86_64)0:1.14.0-bp160.1.1(noarch)0:1.14.0-bp160.1.1(aarch64|ppc64le|x86_64)0:3.0.6-bp160.2.1(noarch)0:3.0.6-bp160.2.1(aarch64|ppc64le|x86_64)0:144.0.7559.96-bp160.1.1(aarch64|x86_64)0:0.18-bp160.1.1(aarch64|x86_64)0:1.4.1-bp160.1.1