- 000release-packages:SL-Micro-release
-
n/a
- cloud-netconfig:ec2
-
- Update to version 1.18
+ Fix issue with link-local address routing (bsc#1258730)
- Update to version 1.17
+ Do not set broadcast address explicitly (bsc#1258406)
- cockpit
-
- Update dependencies to fix bsc#1258641/CVE-2026-26996
- crypto-policies
-
- Add PQC support for OpenSSH (bsc#1258311, bsc#1259825)
* Enable and prioritize sntrup761x25519-sha512 for OpenSSH by default
* Add crypto-policies-OpenSSH-PQC.patch
- freetype2
-
- update to 2.14.2
- Important changes
* Several changes related to LCD filtering are implemented to
achieve better performance and encourage sound practices.
+ Instead of blanket LCD filtering over the entire bitmap, it
is now applied only to non-zero spans using direct rendering.
This speeds up the ClearType-like rendering by more than 40%
at sizes above 32 ppem.
+ Setting the filter weights with FT_Face_Properties is no
longer supported. The default and light filters are optimized
to work with any face.
+ The legacy libXft LCD filter algorithm is no longer provided.
- Important bug fixes
* A bunch of potential security problems have been found
(bsc#1259118, CVE-2026-23865). All users should update.
* The italic angle in `PS_FontInfo` is now stored as a fixed-point
value in degrees for all Type 1 fonts and their derivatives,
consistent with CFF fonts and common practices. The broken
underline position and thickness values are fixed for CFF fonts.
- Miscellaneous
* The `x` field in the `FT_Span` structure is now unsigned.
* Demo program `ftgrid` got an option `-m` to select a start
character to display.
* Similarly, demo program `ftmulti` got an option `-m` to select a
text string for rendering.
* Option `-d` in the demo program `ttdebug` is now called `-a`,
expecting a comma-separated list of axis values. The user
interface is also slightly improved.
* The `ftinspect` demo program can now be compiled with Qt6, too.
- update to 2.14.1:
* The auto-hinter got new abilities. It can now better separate
diacritic glyphs from base glyphs at small sizes by
artificially moving diacritics up (or down) if necessary
* Tilde accent glyphs get vertically stretched at small sizes so
that they don't degenerate to horizontal lines.
* Diacritics directly attached to a base glyph (like the ogonek in
character 'ę') no longer distort the shape of the base glyph
* The TrueType instruction interpreter was optimized to
produce a 15% gain in the glyph loading speed.
* Handling of Variation Fonts is now considerably faster
* TrueType and CFF glyph loading speed has been improved by 5-10%
on modern 64-bit platforms as a result of better handling of
fixed-point multiplication.
* The BDF driver now loads fonts 75% faster.
- package FTL.TXT and GPLv2.TXT [bsc#1252148]
- nghttp2
-
- added patches
CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845)
* nghttp2-CVE-2026-27135.patch
- python311:base
-
- Fix changelog
- Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch
ensuring that `SourcelessFileLoader` uses `io.open_code` when
opening `.pyc` files (bsc#1259240, CVE-2026-2297).
- Update to 3.11.15:
- Security
- gh-144125: BytesGenerator will now refuse to serialize
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299).
- gh-143935: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs (bsc#1257029 CVE-2025-11468).
- gh-143925: Reject control characters in data: URL media
types (bsc#1257046, CVE-2025-15282).
- gh-143919: Reject control characters in http.cookies.Morsel
fields and values (bsc#1257031, CVE-2026-0672).
- gh-143916: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters
(bsc#1257042, CVE-2026-0865).
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing. In order to do this without breaking
existing users, we also add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead
(bsc#1254997, CVE-2025-12084).
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in
os.path.expandvars() (bsc#1252974, CVE-2025-6075).
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server,
it could cause an arbitrary amount of memory to be
allocated. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13836, bsc#1254400).
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to
the CGI server on Windows, it could cause an arbitrary
amount of memory to be allocated. This could have led to
symptoms including a MemoryError, swapping, out of memory
(OOM) killed processes or containers, or even system
crashes.
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
an untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM)
killed processes or containers, or even system crashes
(bsc#1254401, CVE-2025-13837).
- Library
- gh-144833: Fixed a use-after-free in ssl when SSL_new()
returns NULL in newPySSLSocket(). The error was reported
via a dangling pointer after the object had already been
freed.
- gh-144363: Update bundled libexpat to 2.7.4
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects
to prevent use of disproportional amounts of dynamic memory
from within an Expat parser. Patch by Bénédikt Tran.
- Core and Builtins
- gh-120384: Fix an array out of bounds crash in
list_ass_subscript, which could be invoked via some
specifically tailored input: including concurrent
modification of a list object, where one thread assigns
a slice and another clears it.
- gh-120298: Fix use-after-free in list_richcompare_impl
which can be invoked via some specifically tailored evil
input.
Remove upstreamed patches:
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2025-12084-minidom-quad-search.patch
- CVE-2025-13836-http-resp-cont-len.patch
- CVE-2025-13837-plistlib-mailicious-length.patch
- CVE-2025-6075-expandvars-perf-degrad.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15282-urllib-ctrl-chars.patch
- libsolv
-
- respect the "default" attribute in environment optionlist in
the comps parser
- support suse namespace deps in boolean dependencies [bsc#1258193]
- support for the Elbrus2000 (e2k) architecture
- support language() suse namespace rewriting
- bump version to 0.7.36
- sqlite3
-
- Update to version 3.51.3:
* Fix the WAL-reset database corruption bug:
https://sqlite.org/wal.html#walresetbug
* Other minor bug fixes.
- Update to version 3.51.2:
* bsc#1259619, CVE-2025-70873: zipfile extension may disclose
uninitialized heap memory during inflation.
* Fix an obscure deadlock in the new broken-posix-lock detection
logic.
* Fix multiple problems in the EXISTS-to-JOIN optimization.
* Other minor bug fixes.
- Update to version 3.51.1:
* Fix incorrect results from nested EXISTS queries caused by the
optimization in item 6b in the 3.51.0 release.
* Fix a latent bug in fts5vocab virtual table, exposed by new
optimizations in the 3.51.0 release
- Changes in version 3.51.0:
* New macros in sqlite3.h:
- SQLITE_SCM_BRANCH → the name of the branch from which the
source code is taken.
- SQLITE_SCM_TAGS → space-separated list of tags on the source
code check-in.
- SQLITE_SCM_DATETIME → ISO-8601 date and time of the source
code check-in.
* Two new JSON functions, jsonb_each() and jsonb_tree() work the
same as the existing json_each() and json_tree() functions
except that they return JSONB for the "value" column when the
"type" is 'array' or 'object'.
* The carray and percentile extensions are now built into the
amalgamation, though they are disabled by default and must be
activated at compile-time using the -DSQLITE_ENABLE_CARRAY
and/or -DSQLITE_ENABLE_PERCENTILE options, respectively.
* Enhancements to TCL Interface:
- Add the -asdict flag to the eval command to have it set the
row data as a dict instead of an array.
- User-defined functions may now break to return an SQL NULL.
* CLI enhancements:
- Increase the precision of ".timer" to microseconds.
- Enhance the "box" and "column" formatting modes to deal with
double-wide characters.
- The ".imposter" command provides read-only imposter tables
that work with VACUUM and do not require the --unsafe-testing
option.
- Add the --ifexists option to the CLI command-line option and
to the .open command.
- Limit columns widths set by the ".width" command to 30,000 or
less, as there is no good reason to have wider columns, but
supporting wider columns provides opportunity to malefactors.
* Performance enhancements:
- Use fewer CPU cycles to commit a read transaction.
- Early detection of joins that return no rows due to one or
more of the tables containing no rows.
- Avoid evaluation of scalar subqueries if the result of the
subquery does not change the result of the overall expression.
- Faster window function queries when using
"BETWEEN :x FOLLOWING AND :y FOLLOWING" with a large :y.
* Add the PRAGMA wal_checkpoint=NOOP; command and the
SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2().
* Add the sqlite3_set_errmsg() API for use by extensions.
* Add the sqlite3_db_status64() API, which works just like the
existing sqlite3_db_status() API except that it returns 64-bit
results.
* Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the
sqlite3_db_status() and sqlite3_db_status64() interfaces.
* In the session extension add the sqlite3changeset_apply_v3()
interface.
* For the built-in printf() and the format() SQL function, omit
the leading '-' from negative floating point numbers if the '+'
flag is omitted and the "#" flag is present and all displayed
digits are '0'. Use '%#f' or similar to avoid outputs like
'-0.00' and instead show just '0.00'.
* Improved error messages generated by FTS5.
* Enforce STRICT typing on computed columns.
* Improved support for VxWorks
* JavaScript/WASM now supports 64-bit WASM. The canonical builds
continue to be 32-bit but creating one's own 64-bit build is
now as simple as running "make".
* Improved resistance to database corruption caused by an
application breaking Posix advisory locks using close().
- systemd
-
- Import commit a943e3ce2f655b8509038e31f03f5ded18f24683
a943e3ce2f machined: reject invalid class types when registering machines (bsc#1259650 CVE-2026-4105)
71593f77db udev: fix review mixup
73a89810b4 udev-builtin-net-id: print cescaped bad attributes
0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
40905232e2 udev: ensure tag parsing stays within bounds
7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
d018ac1ea3 udev: check for invalid chars in various fields received from the kernel (bsc#1259697)
- Import commit aef6e11921f8c46a2b7ee8cfab024c9c641d74d8
aef6e11921 core/cgroup: avoid one unnecessary strjoina()
cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
26a748f727 core: validate input cgroup path more prudently (bsc#1259418 CVE-2026-29111)
99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
- Name libsystemd-{shared,core} based on the major version of systemd and the
package release number (bsc#1228081 bsc#1256427)
This way, both the old and new versions of the shared libraries will be
present during the update. This should prevent issues during package updates
when incompatible changes are introduced in the new versions of the shared
libraries.
- Import commit 8bbac1d508acb8aa4e7262f47c7f4076b8350f72
8bbac1d508 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
- libzypp
-
- Fix preloader not caching packages from arch specific subrepos
(bsc#1253740)
- Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
- version 17.38.5 (35)
- Fix Product::referencePackage lookup (bsc#1259311)
Use a provided autoproduct() as hint to the package name of the
release package. It might be that not just multiple versions of
the same release package provide the same product version, but
also different release packages.
- version 17.38.4 (35)
- specfile: on fedora use %{_prefix}/share as zyppconfdir if
%{_distconfdir} is undefined (fixes #693)
This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
- Fall back to a writable location when precaching packages
without root (bsc#1247948)
- version 17.38.3 (35)
- python-PyJWT
-
- Add CVE-2026-32597_crit-header.patch to validate the crit
(Critical) Header Parameter defined in RFC 7515 (bsc#1259616,
CVE-2026-32597).
- python-pyOpenSSL
-
- CVE-2026-27459: large cookie value can lead to a buffer overflow (bsc#1259808)
Add patch CVE-2026-27459.patch
- CVE-2026-27448: unhandled exception can result in connection not being cancelled (bsc#1259804)
Add patch CVE-2026-27448.patch
- python311
-
- Fix changelog
- Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch
ensuring that `SourcelessFileLoader` uses `io.open_code` when
opening `.pyc` files (bsc#1259240, CVE-2026-2297).
- Update to 3.11.15:
- Security
- gh-144125: BytesGenerator will now refuse to serialize
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299).
- gh-143935: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs (bsc#1257029 CVE-2025-11468).
- gh-143925: Reject control characters in data: URL media
types (bsc#1257046, CVE-2025-15282).
- gh-143919: Reject control characters in http.cookies.Morsel
fields and values (bsc#1257031, CVE-2026-0672).
- gh-143916: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters
(bsc#1257042, CVE-2026-0865).
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing. In order to do this without breaking
existing users, we also add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead
(bsc#1254997, CVE-2025-12084).
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in
os.path.expandvars() (bsc#1252974, CVE-2025-6075).
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server,
it could cause an arbitrary amount of memory to be
allocated. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13836, bsc#1254400).
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to
the CGI server on Windows, it could cause an arbitrary
amount of memory to be allocated. This could have led to
symptoms including a MemoryError, swapping, out of memory
(OOM) killed processes or containers, or even system
crashes.
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
an untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM)
killed processes or containers, or even system crashes
(bsc#1254401, CVE-2025-13837).
- Library
- gh-144833: Fixed a use-after-free in ssl when SSL_new()
returns NULL in newPySSLSocket(). The error was reported
via a dangling pointer after the object had already been
freed.
- gh-144363: Update bundled libexpat to 2.7.4
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects
to prevent use of disproportional amounts of dynamic memory
from within an Expat parser. Patch by Bénédikt Tran.
- Core and Builtins
- gh-120384: Fix an array out of bounds crash in
list_ass_subscript, which could be invoked via some
specifically tailored input: including concurrent
modification of a list object, where one thread assigns
a slice and another clears it.
- gh-120298: Fix use-after-free in list_richcompare_impl
which can be invoked via some specifically tailored evil
input.
Remove upstreamed patches:
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2025-12084-minidom-quad-search.patch
- CVE-2025-13836-http-resp-cont-len.patch
- CVE-2025-13837-plistlib-mailicious-length.patch
- CVE-2025-6075-expandvars-perf-degrad.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15282-urllib-ctrl-chars.patch
- suseconnect-ng
-
- Regressions found during QA test runs:
- Ignore product in announce call (bsc#1257490)
- Registration to SMT server with failed (bsc#1257625)
- tar
-
- Fix bsc#1246399 / CVE-2025-45582.
- Add patch:
* CVE-2025-45582.patch
- Add tar-fix-deletion-from-archive.patch
* Fixes tar creating invalid tarballs when used with --delete (bsc#1246607)
* Add makeinfo build requirement, needed after the addition of the patch
- vim
-
* Update Vim to version 9.2.0110 (from 9.2.0045).
* Specifically, this fixes bsc#1259051 / CVE-2026-28417.
- zypper
-
- Report download progress for command line rpms (fixes #613)
- Hint to '-vv ref' to see the mirrors used to download the
metadata (bsc#1257882)
- Service: Allow "zypper ls SERVICE ..." to test whether a
service with this alias is defined (bsc#1252744)
The command prints an abstract of all services passed on the
command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some
argument does not name an existing service.
- Keep repo data when updating the service settings (bsc#1252744)
- info: Enhance pattern content table (bsc#1158038)
Alternatives (multiple packages providing the same requirement)
are now listed as a single entry in the content table. The entry
shows either the installed package which satisfies the
requirement or the requirement itself as type 'Provides'.
Listing all potential alternatives was misleading, especially
if the alternatives were mutually exclusive. It looked like an
installed pattern had not-installed requirements and it was not
possible to install all requirements at the same time.
- version 1.14.95