ca-certificates-mozilla
- Updated to 2.84 state (bsc#1258002)
  - Removed:
    - Baltimore CyberTrust Root
    - CommScope Public Trust ECC Root-01
    - CommScope Public Trust ECC Root-02
    - CommScope Public Trust RSA Root-01
    - CommScope Public Trust RSA Root-02
    - DigiNotar Root CA
  - Added:
    - e-Szigno TLS Root CA 2023
    - OISTE Client Root ECC G1
    - OISTE Client Root RSA G1
    - OISTE Server Root ECC G1
    - OISTE Server Root RSA G1
    - SwissSign RSA SMIME Root CA 2022 - 1
    - SwissSign RSA TLS Root CA 2022 - 1
    - TrustAsia SMIME ECC Root CA
    - TrustAsia SMIME RSA Root CA
    - TrustAsia TLS ECC Root CA
    - TrustAsia TLS RSA Root CA
docker
- Places a hard cap on the number of mechanisms that can be specified and
  encoded in the payload. (bsc#1253904, CVE-2025-58181)
  * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
python-kiwi
- Fix spec file for SLFO 1.1 target
  glibc-gconv-modules-extra does not exist in SLFO 1.1

- Fix upstream merge README

- Fixed ramdisk sysroot generator
  Do not use a custom _dev name and stick with the UUID representation
  of the disk image in RAM after deployment. Former versions of udev
  did not create a by-uuid device representation which now seems to
  have changed. This then leads to the device name RamDisk_rootfs
  not being created and the respective .device unit times out.
  In addition the timer unit for the standard device representation
  changed to infinity. This fixes bsc#1254116

- Delete workflows conflicting with upstream

- Fixed spec file requires
  The package requirement for binutils was set to TW (>=1650)
  only but is also required for SLES16/Leap16 which is 1600
  This commit fixes the condition to match with all required
  distributions and fixes bsc#1253637

- Bump version: 10.2.32 → 10.2.33

- Run grub mkconfig with os-prober disabled
  Set GRUB_DISABLE_OS_PROBER=true to the caller environment
  such that it gets consumed via /etc/grub.d/30_os-prober
  This Fixes #2883

- Fixed typo in documentation
  Invalid XML syntax, missing end tag. This Fixes #2882

- References #2474 and #2475 poweroff instead of halt on oem shutdown

- Fix rawhide integration test
  The package shim-ia32 got dropped

- Add test for profiled overlays
  kiwi supports overlay files per profile, but we didn't have a
  proper integration test for it. This commit adds one

- Mount proc when needed
  Using cp -a might lookup in proc/self/.. under certain conditions.
  Make sure to mount proc for config/function that might trigger
  this condition. This Fixes #2876

- Update test-image-custom-partitions test build
  Fix patch files to match with new dracut module dirs

- Update dracut version compat runtime check
  Update check_dracut_module_versions_compatible_to_kiwi to match
  with new dracut module dirs which have changed due to recommended
  dracut module ordering for out-of-tree modules.

- Fix dracut Makefile install target
  module dir names have changed due to recommended dracut
  module ordering for out-of-tree modules.

- Update pacman spec to dracut changed module dirs
  Follow up change for the fix of the recommended dracut
  module ordering for out-of-tree modules.

- Update spec file due to dracut changed module dirs
  Follow up change for the fix of the recommended dracut
  module ordering for out-of-tree modules.

- Follow the recommended dracut module ordering for out-of-tree modules
  In dracut release v108 or later the recommended ordering
  for out-of-tree modules is the 50-59 range. The following is a section
  from the dracut documentation:
  > Not using the 50-59 range for out of tree dracut modules will likely
  > lead to unintended errors in the initramfs generation process as your
  > dracut module will either run too early or too late in the generation process.
  > You have been warned.

- Fix agama integration test
  Disable no longer existing agama-auto.service

- Fixed agama integration test
  nothing provides agama-auto anymore

- Update SLFO integration test
  Make sure ps tool is installed

- Fix exclude list for live image builds
  When specifying a filesystem attribute for a live image build,
  the rootfs gets built directly into this filesystem instead of
  being a squashfs wrapped ext4 which is the default layout for
  compatibility reasons. In this direct filesystem mode the
  exclude list was not passed along to the filesystem creation
  and causes unwanted metadata to be part of the final image.
  This Fixes #2873

- Fix test-image-custom-partitions integration test
  Same fix as for the Tumbleweed test now also applied
  to the Leap test. Patching of the new root device did
  no longer apply

- Fix test-image-custom-partitions integration test
  Patching of the new root device did no longer apply

- Bump version: 10.2.31 → 10.2.32

- fix: resize for raid device, ensure vars like kiwi_RaidDev are loaded before setting disk variable

- Do not clobber initialize method
  There was a method named initialize defined and implemented
  differently in the dracut modules kiwi-lib and kiwi-repart.
  kiwi-lib is expected to be shared code across all kiwi dracut
  modules. However if one module redefines a method of the
  same name which is used in another module and expected to
  work differently there, this is evil. This commit cleans
  up the name conflict and names the kiwi library init function
  as lib_initialize. All dracut code that is expected to make
  use of this method has been adapted too.

- Skip kiwi-repart module in install ISOs
  In case the kiwi-repart module is explicitly requested in a
  dracut.conf file and the image is also configured to build an
  install ISO image this leads the install ISO to contain the
  kiwi-repart module as well which is unwanted. This commit
  explicitly omits the kiwi-repart when creating the initrd
  for the install image

- Skip repart when booting install/live iso

- Update leap test-image-disk integration test
  Add test for alternative volume ID in install ISO

- Bump version: 10.2.30 → 10.2.31

- Consolidate device lock into its own method
  Add set_device_lock method which uses udevadm lock preferably
  but also supports a flock fallback in case there is no lock
  command provided via systemd/udev

- Fix bug in shell condition
  The shell code test ... || warn A; warn B will always
  print the warning for B despite the test result. This led
  to the warning message "Settings from the kiwi description will be ignored"
  to be printed always. This commit fixes it with a clean if/then
  condition

- Fix documentation rendering
  There was an indentation bug which caused the docs to
  render wrong. This commit fixes it

- solver/repository: Handle zstd-compressed metadata files
  `_create_solvables` assumes metadata files are gzip-compressed,
  but modern Fedora ones are not, they are zstd-compressed.
  Signed-off-by: Adam Williamson <awilliam@redhat.com>

- uri: If we fail to resolve the metalink URI, log it
  It's rather useful to know *what* the URI is when something goes
  wrong, after all.
  Signed-off-by: Adam Williamson <awilliam@redhat.com>

- Bump version: 10.2.29 → 10.2.30

- Fix repartitioning with parted
  parted does locking itself already. Wrapping it in udevadm lock results
  in a deadlock, breaking boot.

- Update test-image-disk-simple integration test
  Update slfo/test-image-disk-simple. Add more space for
  flake testing and add a user to test flakes for non root

- Catch potential exceptions from pathlib.Path.mkdir
  Creating a directory can fail, we should catch this error
  instead of ending up in a stack trace
glibc
- memalign-overflow-check.patch: memalign: reinstate alignment overflow
  check (CVE-2026-0861, bsc#1256766, BZ #33796)
- nss-dns-getnetbyaddr.patch: resolv: Fix NSS DNS backend for getnetbyaddr
  (CVE-2026-0915, bsc#1256822, BZ #33802)
- wordexp-wrde-reuse.patch: posix: Reset wordexp_t fields with WRDE_REUSE
  (CVE-2025-15281, bsc#1257005, BZ #33814)

- regcomp-double-free.patch: posix: Fix double-free after allocation
  failure in regcomp (CVE-2025-8058, bsc#1246965, BZ #33185)
libpng16
- added patches
  CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020)
  * libpng16-CVE-2026-25646.patch

- security update
- added patches
  CVE-2025-28162 [bsc#1257364], memory leaks when running `pngimage`
  CVE-2025-28164 [bsc#1257365], memory leaks when running `pngimage`
  * libpng16-CVE-2025-28162,28164.patch

- security update
- added patches
  CVE-2026-22695 [bsc#1256525], Heap buffer over-read in png_image_finish_read
  * libpng16-CVE-2026-22695.patch
  CVE-2026-22801 [bsc#1256526], Integer truncation causing heap buffer over-read in png_image_write_*
  * libpng16-CVE-2026-22801.patch
libssh
- Security fixes:
  * CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049)
  * CVE-2026-0965: Possible Denial of Service when parsing unexpected
    configuration files (bsc#1258045)
  * CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054)
  * CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
  * CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
  * Add patches:
    - libssh-CVE-2026-0964-scp-Reject-invalid-paths-received-thro.patch
    - libssh-CVE-2026-0965-config-Do-not-attempt-to-read-non-regu.patch
    - libssh-CVE-2026-0966-misc-Avoid-heap-buffer-underflow-in-ss.patch
    - libssh-CVE-2026-0966-tests-Test-coverage-for-ssh_get_hexa.patch
    - libssh-CVE-2026-0966-doc-Update-guided-tour-to-use-SHA256-f.patch
    - libssh-CVE-2026-0967-match-Avoid-recursive-matching-ReDoS.patch
    - libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch
server-attestation-image
n/a
server-hub-xmlrpc-api-image
n/a
server-image
n/a
server-migration-14-16-image
n/a
server-postgresql-image
n/a
server-saline-image
n/a